Special Editions 3.8.16
Ep 1 | 3.8.16

RSA Special: Threat Intelligence


Dave Bittner: [00:00:03] Threat intelligence - it's more than just attribution. In fact, unless you carry a gun and wear a badge, it's probably not much about attribution at all. Instead, it's all about reducing risk.

Dave Bittner: [00:00:17] This podcast is made possible by the Economic Alliance of Greater Baltimore, helping Maryland lead the nation in cybersecurity with a large, highly qualified workforce, twenty thousand job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.

Dave Bittner: [00:00:37] I'm Dave Bittner in Baltimore with a CyberWire special podcast on threat intelligence. It's Tuesday, March 8, 2016. And thanks for joining us.

Dave Bittner: [00:00:46] When we think of threat intelligence, it's natural to think first of attribution. Your enterprise is hit by an attack, and you want to know, well, who did this to us? It's natural, and it's also easy to understand. There's no shortage of companies who have made a splash by attributing major cyberattacks. But it's striking how little attribution mattered when we spoke with industry experts about threat intelligence at RSA last week, and we mean attribution in the sense of calling out the people behind the keyboard.

Dave Bittner: [00:01:12] There's a general conviction that actionable threat intelligence is vital to security, but also a general sense that much of what has passed for threat intelligence hasn't, in the end, turned out to be particularly valuable. A look at the intelligence cycle as it's classically conceived may help explain this. The intelligence cycle begins with direction, posing the questions to be answered. Then it runs through collection, processing, analysis, dissemination and feedback. So raw data become intelligence only upon analysis. Data are also collected with some purpose in mind - the direction phase of the cycle - and this means, above all, that intelligence should be actionable. Actionable intelligence is seen by those who provide it not as a mass of logs, chattering alarms or unanalyzed data. Such data are fatally easy to collect and, in many ways, have replaced the famous fog of war with its insufficient information with a glare of war that's equally blinding.

Dave Bittner: [00:02:08] Threat intelligence is valuable insofar as it reveals what an adversary is trying to accomplish and what tactics, techniques and procedures they're likely to use. Understanding these can usefully inform the organization of defenses. As AJ Shipley of LookingGlass put it in a discussion with us, quote, "Actionable intelligence is something that reduces your risk profile. If it can't reduce your risk profile, then it's not actionable." And if it's not actionable, then it's not worth much.

Dave Bittner: [00:02:35] Our talks with companies exhibiting at RSA suggest that some of the common themes on people's minds include the importance of context and actionability in the development of threat intelligence. Many of the companies specializing in threat intelligence work from unstructured, open source data, with a view to providing either insight into probable adversary goals and the tactics, techniques and procedures they're likely to use in pursuing those goals - what Palo Alto Networks CSO Rick Howard calls the adversary's playbook - or into ongoing attacks. The former is useful in establishing defenses and hardening networks, the latter in detecting, mitigating and recovering from incidents.

Dave Bittner: [00:03:14] After the break, we'll hear some of the observations we heard in discussion with industry experts at RSA.

Dave Bittner: [00:03:23] This podcast is made possible by the Economic Alliance of Greater Baltimore, helping Maryland lead the nation in cybersecurity with a large, highly qualified workforce, twenty thousand job openings, investment opportunities and proximity to key buyers. Learn more at greaterbaltimore.org.

Dave Bittner: [00:03:48] For a deeper dive into threat intelligence, we turn to three industry experts we met with at RSA. We'll hear from Ryan Trost, co-founder and CTO at ThreatQuotient; Eric Olson, VP of intelligence operations at LookingGlass; and finally, Rick Howard, CSO at Palo Alto. We begin with Ryan Trost.

Ryan Trost: [00:04:06] A lot of threat intelligence boils down to the providers of the threat intelligence and the platforms of the threat intelligence. So the - they ultimately go hand-in-hand. So the providers provide all this threat intelligence, but a lot of them don't provide a tool in which to consolidate and structure and centralize that data. And that's where the platforms come in. The platforms ultimately can consume that threat intelligence and then integrate it with the existing infrastructures so that the analysts who are doing a lot of that work don't have to copy and paste from source to another source.

Dave Bittner: [00:04:41] We asked Trost, when does intel become actionable?

Ryan Trost: [00:04:45] Once I have enough information and context around an indicator or an adversary and I can actually start to look at my infrastructure and look at my detection solutions and make decisions based on that, that's what I deem - my personal philosophy - that's what I deem as actionable threat intelligence. So whether it's an indicator with some context - and I can say, put that into the firewall, or, put that into the IPS - I've taken action. I've operationalized that information to better defend myself.

Dave Bittner: [00:05:13] Ryan Trost tells us that organizations of all sizes are looking for help in trying to sort through the torrent of data.

Ryan Trost: [00:05:20] We even have high schools coming to us, saying, we have so many kind of false positives. We have so much information out there. How do we boil that down? We don't want to continue to throw the kitchen sink at it. We want to kind of teach the students and teach the administrators - let's focus on the high-fidelity stuff. Let's try to block out the white noise that inevitably is out there because there's so much threat intelligence. So it's across spectrums.

Dave Bittner: [00:05:45] He also warns against embracing a one-size-fits-all approach to threat intelligence.

Ryan Trost: [00:05:50] There's a lot of threat intelligence out there. Let's try to find the source of threat intelligence that best benefits you. So whether that's - and it gets into a lot of the self-reflection. What does your team look like? What's the taxonomy of your detection tools? What's your budget? Let's look at all of these factors and then apply that to all of the different threat intelligence providers. And let's see which one bubbles to the top. And a lot of customers unfortunately - they're still trying to understand threat intelligence. So a lot of them kind of think, oh, I'll buy a commercial provider, and that'll be the silver bullet. I'll be completely defended. I'll be bulletproof. And that's only half the battle. You got to take that intelligence, and you got to do something with it. And that's where kind of the rubber meets the road with a lot of organizations.

Dave Bittner: [00:06:38] Trost told us that one of the challenges of a commercial approach to threat intelligence is that this is a relatively new area of interest.

Ryan Trost: [00:06:44] It's a concept and it's an approach very much in its infancy in the commercial space. Like, law enforcement and the government have been doing it forever. The military branches have been doing it forever. But it's relatively new. So they're starting to really kind of define what that should look like within the organizational structure of commercial branding and commercial industries and verticals. For example, a lot of the larger organizations have started to kind of really embrace this new hunter role. So before, your typical SOC - your security operations center - was comprised of security analysts, malware engineers, intelligence analysts, signature engineers. But now there's this hunter role where the differentiation is the security analysts usually triage a lot of the SIEM alerts. The hunter's job is - we want you to find malicious activity without an alert. We want you to basically know the environment, know what the logs look like, look for kind of distinguishing patterns. Find the adversary without that breadcrumb of an alert. And it's usually kind of the seasoned guys that have been doing this for 20 or 30 years that know where the secrets are hidden and the adversaries themselves.

Dave Bittner: [00:07:53] Ryan Trost also emphasized the importance of a proactive approach.

Ryan Trost: [00:07:57] It's very easy to sit back and kind of react. And by definition, the second I have an alert, I'm reacting to that alert. The goal, the utopia of threat intelligence is actually to try to get ahead of the adversary. Now, previously, I ran the SOC at General Dynamics. And one of the big things that we did was, let's study the adversary. Over the course of time, let's build a profile for that adversary. And what we started to boil down were - and we did it very systematically. We said, OK, let's look at each attack. Let's break it down by Lockheed Martin's kill chain. And let's ultimately start to really compare notes.

Ryan Trost: [00:08:36] And what that allowed us to do is that allowed us to learn our enemy. That allowed us to learn the cadence of the enemy, whether it was revolving around a vulnerability that was recently released or - a lot of them kind of based - really did quotas based on kind of holiday season. A lot of people are - kind of get their guard down. So they'll open up email and spear phishing attacks so much easier. And so we started to really kind of apply that in business decisions, almost to the point where our security awareness - or excuse me - our spear phish awareness training was ultimately given when we knew the adversary was going to start to see an uptick of spear phish. So we started to make these business decisions, which were very small and finite, but they were very empowering and really kind of helped out.

Dave Bittner: [00:09:24] And of course, it can be challenging to find the intelligence that has value to you.

Ryan Trost: [00:09:28] You can't try to boil the ocean. You have to be very disciplined and very precise on what threat intelligence you want to make actionable. And I think that's a very important key 'cause bad intelligence lives forever. It's the good intelligence - you've got to find the sources that provide you the most value for threat intelligence.

Dave Bittner: [00:09:48] Our thanks to Ryan Trost from ThreatQuotient for joining us. You can learn more at threatq.com.

Dave Bittner: [00:10:03] Eric Olson is vice president of intelligence operations at LookingGlass. He told us his customers' requirements are quite simple. They want it all.

Eric Olson: [00:10:11] For the 15 years that I've been in this cybersecurity or cyberintelligence business, customers essentially had a disparate set of problems that they were trying to bring together. And to sum up how that has evolved over time, what they really want is this - structured third-party threat data, internal network telemetry or NetFlow, internet topology and the unstructured open source content. They want that unstructured web, social media, search engine, IRC, darknet data all fused with the structured threat data, their own network telemetry, the internet topology. And they want it all in one pane of glass that both suits, ideally, the investigative analyst, the threat analyst or intelligence analyst, and serves as a console to create rules and policies to drive network fabric line speed defense on the cyber side of the business - that is, the logical threats.

Eric Olson: [00:11:06] That holistic solution - that, I want it all in one fused place where I can search it and visualize it and report it to management - to some degree, it really is the hole in the market that the customers have been talking to me about. And many of the large enterprises are building it themselves because they haven't found a solution off the shelf. And I think with the assembly of the component parts of what is now the larger LookingGlass organization, I think we really do have all the parts to put together.

Dave Bittner: [00:11:33] Olson shared his belief that one of the keys to managing threat intelligence is automation.

Eric Olson: [00:11:38] I think I can summarize the problem this way. When it comes to the internet - not just as a source of logical threats, malware, viruses and so forth, but as a source of intelligence, of information about threats to the business as a whole - brand, reputation, revenue and losses to it from fraud, your physical security, assets, executives, infrastructure - the internet is a very rich source of potentially valuable security data. The problem is that more and more threats or indications and warnings are present, and they are present in ever more places and languages. The job of the back-end systems that I run, which deliver data either to our customers or to the nearly 80 analysts - threat analysts - that work for us, is to relieve the human analysts of the low-value portions of the job. You should not spend a scarce, valuable, educated human analyst running searches.

Eric Olson: [00:12:34] We should automate the collection management from multiple sources and formats and languages. There's no value in having someone pounding on Google and Twitter and so forth. Normalizing the data so that it can be compared, correlated, visualized and linked - that is a low-value activity. That needs to be automated out. That is not a good use of that scarce human talent. And by the way, a very shallow talent pool compared to the need in the market is a real issue. So what we're trying to do, essentially, is to take as much of the right-hand side of the intelligence cycle, where there is lots of work and very little value, and automate it so that the analysts can focus on the valuable part of their job - what they were trained for, hired for and paid for - which is to analyze things and make something useful out of it.

Dave Bittner: [00:13:18] We spoke earlier about that glare of war. Olson believes it's a real problem.

Eric Olson: [00:13:23] I believe that a lot of what is being marketed as threat intelligence isn't. It's threat data, and there is a world of difference between data and intelligence. Overwhelming quantities of data do not make the analysts' life any better, nor do they make the network any more secure. I believe to get to that actionable relevant state, you have to do a couple of things. First, it must be relevant to the organization you are trying to protect. I'll give a very simple example. Here's a feed of Windows vulnerabilities. We run only Macs. Nice reading - not intelligence because I can't do anything with it. So it has to be relevant to, and ideally, targeted at or responding to something targeted at the organization.

Dave Bittner: [00:14:04] Eric Olson also believes that the value of this data extends beyond the traditional cybersecurity world.

Eric Olson: [00:14:10] There is a huge amount of valuable information out there of concern not to the information security professional alone, but physical security, executive protection, brand, trademark, reputation, the fraud department, right? Cybercrime and cyberthreats are not the same thing, right? Some people just want to steal money because it's profitable. Those are other business functions not directly related to your traditional cyber view of the world. And those functional personas are starting to see cyberthreat intelligence as a source of valuable information in their functional areas. You know, we've seen some examples. One of the big gaming networks was being hacked, and the CEO was commenting about it on social media, the result being that one of the threat actors tweeted a bomb threat and had his plane grounded to ruin his day. A well-known security journalist was DDoS'd and had his door kicked in through a swatting attack on the same afternoon. My point is, actors who wish to cause harm, trouble, embarrassment or real damage - they are seeing an opportunity to hit in both the physical and cyber realms and often will coordinate those attacks.

Dave Bittner: [00:15:19] Our thanks to Eric Olson from LookingGlass for joining us. You can learn more at lgscout.com.

Dave Bittner: [00:15:34] And finally, Rick Howard, chief security officer at Palo Alto Networks, shares their internal organizational system for threat intelligence. They have CIRs, PIRs and IRs. Here's Rick Howard.

Rick Howard: [00:15:47] We call them CIRs, the CEO's information requirements, right? We have PIRs, our priority information requirements. And we have general purpose IRs, information requirements. Those CIRs are kind of longstanding things that the boss wants us to be good at, right? They don't change that much - maybe once every year or so. And we review them with him every year to make sure he's OK with what we're doing. They're broad. They're big-picture things that he wants us to be smart at. Then our Unit 42 guys - they start picking that apart. They break the problem down into PIRs, priority information requirements. On the third CIR, that thing might break into 20 PIRs - OK - that we're trying to solve at any given time, right? And then those PIRs break into smaller pieces, too, and you can just keep going. And you get down to the bottom, and you work your way back up - is the way it works.

Dave Bittner: [00:16:37] Rick Howard also leads Palo Alto's efforts with the Cyber Threat Alliance information sharing group and strongly advocates for others to get on board.

Rick Howard: [00:16:45] The Cyber Threat Alliance is a group of security vendors who've decided that we're going to share threat intelligence with each other and work on big problems. There's a point when the alliance gets big enough that we'll reach a tipping point that everybody on the Internet connected to the Internet will have at least one of us in their networks protecting them, receiving real-time protections from every playbook out there. That's a game changer, and that's what the Cyber Threat Alliance is trying to do, right? My message to your audience is, when vendors come talk to you about what they have, ask them why they're not a member of the Cyber Threat Alliance and watch them stumble through that answer because people are uncomfortable with the idea that a vendor might share threat intelligence. I think that's the way it's going to be, right? It should - needs to be - intelligence should be a commodity. Everybody should have the same intelligence so all of us - the vendors - can make better products with it. And that's kind of the vision of the Cyber Threat Alliance.

Dave Bittner: [00:17:36] Our thanks to Rick Howard for joining us. You can learn more at paloaltonetworks.com.

Dave Bittner: [00:17:45] And that's our CyberWire special RSA retrospective. For more discussion of cyberthreat intelligence, visit thecyberwire.com. We'll have another RSA retrospective tomorrow covering emerging technology, in addition to our daily podcast.

Dave Bittner: [00:17:59] The CyberWire is a production of CyberPoint International. The editor is John Petrik. I'm Dave Bittner. Thanks for listening.