Threat Intelligence Treasure Hunt with Jonathan Huebner
David Moulton: Welcome to Threat Vector, a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 has a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. [ Music ] In today's episode, I'm going to speak with Jon Huebner, an XSIAM Consultant for our Cortex Team about finding the needle in the haystack when it comes to threat intelligence feeds. Jon has worked in the healthcare and government sectors and is a Navy veteran, who transitioned his experience with physical security, anti-terrorism, and leadership into the cybersecurity industry. Let's get right into it. Jon, thanks for joining me today on Threat Vector. I wanted to talk to you about threat intelligence. First, how can organizations effectively differentiate between valuable threat intelligence feeds and the noise that often accompanies those feeds and makes it hard to find that -- that proverbial needle in a haystack?
Jon Huebner: So, companies that sign up for all these free feeds really damage their threat intelligence, and it puts more work on the analysts and also creates automations that are not that great, which is a huge part in the cyber industry right now. So, finding that valuable intelligence feed is so important. Companies need to start looking at where they are, like what are they, and what do they do. They need to take their risk assessments, which not that many people do, and then they need to take that risk assessment team and have them communicate with the threat analyst and tell them, "Hey, we have companies that are located in this country and these might be our current threats, and this is going to be something that's constantly changing." It's not just companies and national threats and hackers; you're also looking at what types of servers are going to be attacked, where are you most vulnerable, and you need to assess the risk, because there's always going to be risk. You can only mitigate risk and you need to leverage the intelligence so you have that, and there's going to be some feeds that focus more on some things than others, and some of these free feeds will also not be as good and you get more false positives, but some free feeds may do better for some companies. So, going back to the question, you really got to work with your risk assessment and figure out how you can leverage that and find the right intelligence.
David Moulton: So, talk about what strategies can be employed to clean up that signal-to-noise ratio in the intelligence feeds.
Jon Huebner: So, a lot of companies have all these free feeds coming in and it's just mass and mass of information, and usually when you're ingesting these feeds you can put a reputation on how trustworthy that verdict will be. Companies need to start working with this, and there's a lot of threat-sharing platforms out there now, like MISP. You have a lot of states doing it in their state MISP, where one state shares all of their information and IOCs with another state, but some of those aren't going to be valuable. So, companies need to go back to those risk assessments that I was just mentioning and really prioritize where it is, and sometimes you may just need to find one feed, like one paid good feed, and go with that and then start basically tuning it from there. Threat intelligence is not just ingesting all this data and saying, "Oh, here's this data, have fun. Good luck." It's more of pulling the data in and tuning it, kind of just like a SIEM or some of your other security products. So, you need a very active threat intelligence team on there, and you really need to start from the beginning with "this is our plan. We want to do x, y, z," and do it from there. So, that would really help clean up a lot of the mess that we're seeing right now.
David Moulton: Jon, talk to me about the risks you've seen from neglecting expired feeds or not tuning intelligence feeds.
Jon Huebner: So, some of these companies are having these indicators ingested with no expiration; IPs change, domains change, all of these IOCs are changing, and some of these domains can change in less than 24 hours. Some of these IPs are also changing in a couple days probably, sometimes even hours as well. And if you don't ever expire these indicators, they could be in your White List, they could be in your Black List. By the way, it could just not end well for you, because sometimes Microsoft will end up on that Black List, and if you're [inaudible 00:17:54] a Cloud instance of O365, you're going to start running into trouble and blocking some things that you don't want to block, and even more if it's on that White List, that might be a very bad day and you're leaving a wide open hole in your organization's security.
David Moulton: So, think about the context of threat intelligence. What are some of the best practices you see for identifying and prioritizing actionable feeds and indicators?
Jon Huebner: You got to really hash out how you want to move forward, where you want to focus your intelligence, what you want your intelligence to be, and what your main use cases are going to be, along with having a very good threat intelligence team that can tune and treats it as their baby so they can give you a good product and also communicate with the other parts of the organization. [ Music ]
David Moulton: Jon, thanks for taking the time to talk to me about your approaches to optimizing and tuning your threat intel. Like most things, the one and done approach doesn't work. It really sounds more like gardening where you have to tend to the feeds with constant evaluation, and make the effort to weed out any problems. Sometimes it sounds like it's best to just start fresh. If you're looking for well-curated threat intel and threat actor insights, you should check out the "Unit 42" Threat Research Center, and remember, if you think that you're under attack, contact the experts at "Unit 42" to help assess your risk and exposure. We'll be back in the CyberWire Daily in two weeks. Until then, stay secure, stay vigilant. Goodbye for now. [ Music ]