A Role for Threat Intelligence
How does a cyber intelligence company see the threat landscape changing? In keeping with Black Hat’s announced theme of “speed,” A.J. Shipley, vice president of product management at LookingGlass Cyber Solutions, told us that they’re seeing a striking increase in the rate at which the adversary changes tactics. They’ve also seen a marked increase in the sheer number and size of the breach packages they’re finding. “It’s gone from roughly a hundred million username and password combinations we've been able to curate from underground forums,” he said, “to just over a billion in less than a year.”
Shipley offered an example of how data are developed into intelligence. Every day some fifty million infections hit the sinkhole associated with the company’s VirusTracker. These will be de-duplicated into around two to three million infections, which are available as a data feed. But “that's not intelligence. Information that's actionable is intelligence. A billion credentials on the dark web, that's data, not intelligence,” Shipley explained. “The fifty new ones that showed up today on a customer's network—that’s intelligence: an enterprise can tell employees to change their passwords, be on the lookout for phishing emails, and so on.” Taking the very large data set and distilling it into something actionable and timely is what, Shipley says, makes threat intelligence.
Leon Ward, Senior Director, Product Management, at ThreatQuotient, also drew a sharp distinction between data and intelligence. “A lot of intelligence providers are really just providing threat data. What turns data into intelligence is concepts around it: accuracy, timeliness, and relevance,” he said. The goal of an intelligence platform is to turn data into intelligence.
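The distinction Shipley and Ward draw (a large de-duplicated feed is data; the handful of hits that are relevant to one customer, recent, and not already known is intelligence) can be shown as a small pipeline. The following is an added illustration, not code from LookingGlass, ThreatQuotient, or the article: the sinkhole records, the customer's address ranges, and the "previously reported" set are all constructed sample values, and the four filters (de-duplicate, relevance, timeliness, novelty) are one simple reading of the criteria quoted above, not either vendor's actual logic.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed sample sinkhole hits: (victim IP, malware family, date observed).
# TEST-NET addresses and made-up family names; not from any real feed.
RAW_SINKHOLE_HITS = [
    ("203.0.113.10", "DownloaderX", "2016-08-03"),
    ("203.0.113.10", "DownloaderX", "2016-08-03"),  # repeat beacon from the same host
    ("203.0.113.10", "DownloaderX", "2016-08-03"),
    ("203.0.113.25", "BankerY", "2016-08-03"),
    ("198.51.100.7", "DownloaderX", "2016-08-03"),  # outside the customer's ranges
    ("203.0.113.40", "BankerY", "2016-07-20"),      # stale: observed two weeks earlier
]

# Hypothetical customer address space (constructed).
CUSTOMER_RANGES = [ip_network("203.0.113.0/24")]

# Hypothetical record of what this customer has already been told about.
PREVIOUSLY_REPORTED = {("203.0.113.25", "BankerY")}


def deduplicate(hits):
    """Collapse repeated beacons into one (victim, family, date) record with a hit count.

    This is the 'fifty million hits become two to three million infections' step.
    """
    counts = {}
    for ip, family, seen in hits:
        key = (ip, family, seen)
        counts[key] = counts.get(key, 0) + 1
    return counts


def is_relevant(ip, ranges):
    """Relevance: the victim address sits inside the customer's own address space."""
    addr = ip_address(ip)
    return any(addr in net for net in ranges)


def is_timely(seen, today, max_age_days=1):
    """Timeliness: observed within the last max_age_days days."""
    return (today - date.fromisoformat(seen)).days <= max_age_days


def to_intelligence(hits, ranges, previously_reported, today):
    """Reduce raw sinkhole data to the records a customer can act on today.

    Returns only infections that are de-duplicated, inside the customer's ranges,
    recent, and not already reported, each paired with the defensive follow-up
    the article describes (credential resets, phishing awareness).
    """
    actionable = []
    for (ip, family, seen), count in sorted(deduplicate(hits).items()):
        if not is_relevant(ip, ranges):
            continue
        if not is_timely(seen, today):
            continue
        if (ip, family) in previously_reported:
            continue
        actionable.append({
            "victim": ip,
            "family": family,
            "first_seen": seen,
            "beacons": count,
            "action": "isolate host, reset credentials used from it, warn users about phishing",
        })
    return actionable


if __name__ == "__main__":
    today = date(2016, 8, 3)  # constructed 'today' matching the sample data
    print(f"raw hits: {len(RAW_SINKHOLE_HITS)}, de-duplicated: {len(deduplicate(RAW_SINKHOLE_HITS))}")
    for item in to_intelligence(RAW_SINKHOLE_HITS, CUSTOMER_RANGES, PREVIOUSLY_REPORTED, today):
        print(item)
```

Of the six raw beacons, four distinct infections survive de-duplication, and only one (the DownloaderX host inside the customer's range, seen today and not yet reported) comes out as intelligence; the other three are filtered out as irrelevant, stale, or already known. Ward's third criterion, accuracy, is not modelled here because it depends on the confidence attached to the source feed rather than on the record itself.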
Handling a large volume of data is, of course, a challenge. “Classic security technologies,” Ward explained, “are very much based on security detection events. Inside a large organization, the volume of such detection is too huge for any really meaningful analysis to be done.” Knowing where to invest analytical and security resources has always been a challenge, and Ward sees intelligence-driven security as offering a different approach that can help compensate for overtaxed resources, especially resources that critically depend upon scarce human expertise. “If you know about the adversary, you can look for the things that indicate their presence in your environment. And you can react to them in the context of your environment and the threat.” To take an example, a company in the Defense Industrial Base that knows an espionage service is after its system designs will react differently to similar security events than will a financial institution that understands it’s the target of a criminal carding gang. The ability to deploy your assets against a threat whose goals and tactics you understand is one of the benefits of threat intelligence.
The data an enterprise mills into actionable intelligence can come from a variety of sources. Ward said that ThreatQuotient believes that “a true platform needs to be open and extensible to enable analysts to work with it, interact with it in ways that make sense for their organization.” It’s important to capture the information an organization is already collecting, from its sandbox, its intrusion response teams, its SIEM, etc.
LookingGlass’s Shipley also emphasized the importance of an intelligence platform’s ability to integrate its data feeds with customers’ web proxies, firewalls, and SIEMs. He also sees an important role for open source intelligence (OSINT, not to be confused with open-source software). “One of our acquisitions at the end of last year was Cyveillance, one of the largest open-source collection and monitoring capabilities in the world. It's been built over the last fifteen years to increase human analyst capability from the open source web and distill it down into something an analyst can make sense of for their customer.” The technology Cyveillance brought in “has enabled us to scale,” Shipley said. “It's enabled us to pinpoint what a set of indicators is saying about a specific organization by being able to carve up a company's network presence and provide context to the threat.”