What should I look for in a Threat Intelligence Solution?


This blog article is part of a series: Part 1 | Part 2 | Part 3

In this final article of the series, I provide some guidance on what to look for in a CTI solution.

The four important questions when assessing CTI should be:

  1. How current is the threat intelligence provided?
  2. How broad is the coverage?
  3. What contextual information is available to help understand the risk?
  4. How well does it integrate and automate?

One other consideration when looking at a CTI solution is the importance of attribution. A lot of time and effort is spent arguing over the importance of attribution, and I don’t believe there is a definitive answer. I believe it depends upon your circumstances, resourcing and the sector in which you work. Attribution may not matter at all for certain sectors or companies, but it will certainly be important if you are a specialist manufacturer with process secrets who is being infiltrated by a lead competitor. Similarly, if you are a large government defence agency, it is probably important to understand if a nation state is behind an intrusion. Cybercriminals, issue-motivated groups, hacktivists, disgruntled employees, or some other disenfranchised assortment can certainly cause many problems, but attribution may not be important at all when looking at CTI solutions. If attribution is important to your organisation, then that should be a fifth consideration when assessing CTI solutions.

After going through these questions, you may also find that you currently have sufficient coverage with the threat feeds you are getting via your existing vendors or via various open source providers.

CTI information currency is all important. Put simply, the more frequent the updates, the smaller the potential threat window is. Frequent, meaningful updates are needed to keep your threat intelligence information current over time. Real-time, or near real-time, updates are optimal.

Coverage is the second important assessment criterion. It is impossible to cover all threat sources, and any vendor that promises this should be avoided. Coverage really comes down to being a big data issue. Some useful measures include:

  1. The number of IP addresses monitored.
  2. The number and variety of threat intelligence sources. A good cross section is important, and could include: verified existing feeds; anonymised customer data; Internet registries; known botnets; DNS information; geolocation information (down to the country, state, city and ideally GPS coordinates); deployed honeypots; darknet data; deployed crawlers; anonymous proxy information (including Tor); free DNS services; and, wherever financially viable, external networks (although this can be costly).
  3. The volume of traffic monitored on a daily basis.
  4. Catch rate improvements, verified by independent and respected test authorities.
  5. Whether threat information gathered from other customers is used, and whether that data can be broken down by a particular categorisation such as industry.

Contextual data should include all the metadata that relates to the threat intelligence, such as the time the intelligence was collected, the type of threat, the geolocation (to enable high-risk geographies to be highlighted), and the source of the intelligence (internal, external, free). Probably the most important piece of contextual information is how the threat intelligence is rated from a risk perspective. Here is where it can get a little tricky, as most CTI vendors will promote their own proprietary algorithm or methodology. The only real way to get to grips with this element is to run a proof of concept before purchasing, take up site references, and specifically drill into this element with current clients. Because things change pretty quickly in cyberspace, currency of this contextual information is also very important.

Automation and integration are the last important factor in assessing CTI. Automation makes the intelligence actionable from a technology configuration perspective. Integration is important to ensure that automation is possible within your chosen technology stack. Broad support of common technologies is important, as is an accessible or open API.

In summary, the issues to focus on when selecting a CTI solution come down to speed, reach and accuracy across a seemingly infinite data set, together with the ability to integrate and automate.

I hope that you enjoyed this series on cyber threat intelligence. If you would like to learn more about the subject or would like to talk to me, I can be contacted via email at: slane@shearwater.com.au

Is Cyber Threat Intelligence worth investing in?


In this blog article, I am seeking to address the question of whether CTI is worth investing in.

Many vendors of web proxies, SIEM solutions, IPS, firewall, UTM and email filtering technologies already provide a threat feed. The question that needs to be asked is how effective these feeds and blacklists are. Can they protect and block threats to your organisation? Can these threat feeds be positioned in the right place to stop threat agents/attackers from doing their dirty work? If you restrict your attention solely to the roughly 4 billion IP addresses within the IPv4 address range, it is estimated that more than 16 million are currently, or have been, put to use for malevolent means. Clearly there are challenges to keeping tabs on all these dubious IP addresses from which threats manifest. I’d challenge you to name more than a handful of organisations globally who have the inclination or capacity to keep track of what is happening within these Internet locations. Sure, vendors and the open source community are trying. However, vendors are somewhat blinkered by the user base they can draw on and the security function they focus on. At the other extreme, open source offerings are always best effort and, in this space, regrettably slow to react. IP addresses are clearly only one part of the picture. When you add URLs, domain names, known bad hosts and payloads to the items needing to be managed, it is clear that automation and intelligence are required.

The problem with many mainstream accepted security technologies is that they become less and less effective over time, require superior analytical skills to operate (skills that are hard to find), and can be somewhat reactive. These issues prompt security professionals and business managers to seek out better ways of working and more advanced technologies to increase effectiveness.

Is CTI any different to the traditional security vendors? Unfortunately, only partially. It certainly needs highly skilled people to operate, and it is likely to become less effective over time as hackers develop countermeasures to hide their tracks from specific CTI tool sets. The one ray of light is that CTI does try to avoid the old paradigm of waiting for something known to be bad to arrive and then blocking it. Cyber professionals are trying to get ahead of this preventative mindset and become agile with threat detection and response. Any approach that can offer the potential of reaching out into the dark web, blending in, uncovering what is happening in real time and then giving you actionable intelligence, ideally coupled with workflow and automation, is a significant benefit.

The business problem that CTI attempts to solve is still dependent on skilled people. By investing in CTI, you may be able to uplift your internal capability, but to deliver real results you do need a team there to start with. If you do have a specialist team in place, CTI has the potential to act as a multiplier and save you money. CTI is categorically not an appropriate or intelligent security investment for organisations that do not have adequate skills in place and are looking at new technology as a cure-all. There must also be clarity about what you are seeking to achieve from CTI. Without a clear vision of what it is that you wish to achieve, delivering results may be difficult. This vision may of course change over time as you start to leverage CTI and assess the benefits produced.

As with all security investments, context is all important in evaluating new technologies. With the right prerequisites, CTI should appear on your investment radar. So, in summary, is CTI worth investing in? Conceptually yes, provided you have the highly skilled people needed to make it effective. If you don’t have these people, then the answer becomes a very clear no. CTI should not be considered until you have an appropriate internal resource capability available, or a suitable managed service provider capable of bringing to bear the right skills, technology and business insight to effectively manage risk.

In the third and final post in this series, I will focus on what to look for in a Threat Intelligence Solution.

What business problem does Cyber Threat Intelligence (promise to) solve?


The cyber industry is certainly excited by CTI, and I don’t want to make any predictions on whether the excitement will blow over any time soon. The Threat Intelligence approach does provide some hope, yes hope, of lessening the really difficult issue of knowing what to trust and what not to trust on the Internet. Even slowing down malevolent Internet-based threats should be treated as a success. Is that the whole picture, though? What business problem does CTI solve?

I’m not planning to run through all of the potential impacts that stem from cybercriminals, hacktivists, nation states, malicious insiders and careless users, other than to say that recent history demonstrates that the impacts from these threat actors can be significant. In fact, they can put companies out of business. The accessibility and prevalence of hacking tools, malware, bots, darknets and hacking services for hire should help to crystallise these risks.

So CTI provides the promise of:

  1. Prevention – by pre-emptively blocking attacks from hitting and hurting your organisation. Prevention is achieved through the ingestion of CTI feeds within existing security infrastructure such as firewalls, IPS and SIEM and configuration of automated responses based on pre-set rules.
  2. Increasing visibility – of emerging threats that could be an issue now or in the future. Increased visibility can be delivered via simple manual searches conducted by an analyst within a CTI platform.
  3. Detection and reaction – to compromises that are happening now. Detection and reaction can be a combination of both methods, coupled with intervention or as part of an integrated incident response process.
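The three promises above (prevention by ingesting feeds into existing infrastructure with automated responses based on pre-set rules, visibility, and detection of compromises happening now) and the assessment criteria discussed in the final post of this series (currency of the intelligence, contextual metadata such as threat type, source and geography, and a risk rating that drives automation) can be made concrete with a small matcher. The following is an added example, not code from this post or from any vendor: it parses a constructed JSON-lines threat feed, discards indicators whose `last_seen` is older than a staleness window, scores each hit from the feed's confidence weighted by how much the source is trusted, and maps the score to a block/alert/review action. Every feed record, log line, threshold and source weight is a constructed placeholder chosen for the illustration.

```python
"""Added example (not the post's own code): a minimal threat-feed matcher that
applies currency, contextual metadata and rule-driven automation to a few
constructed log lines. Feed records, logs, thresholds and weights are all
constructed for illustration."""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed feed: one JSON object per line, as a vendor or open-source feed
# might deliver it. "last_seen" is the metadata that drives the currency check.
FEED_JSONL = """
{"indicator": "203.0.113.7", "type": "ip", "threat": "c2", "source": "external", "country": "XX", "confidence": 90, "last_seen": "2024-05-01T09:00:00Z"}
{"indicator": "198.51.100.23", "type": "ip", "threat": "scanner", "source": "free", "country": "YY", "confidence": 40, "last_seen": "2024-04-29T12:00:00Z"}
{"indicator": "bad.example.net", "type": "domain", "threat": "phishing", "source": "internal", "country": "ZZ", "confidence": 75, "last_seen": "2024-03-01T00:00:00Z"}
"""

# Constructed proxy/firewall log lines in key=value style.
LOG_LINES = [
    "2024-05-01T10:15:00Z src=10.0.0.5 dst=203.0.113.7 dport=443 action=allow",
    "2024-05-01T10:16:00Z src=10.0.0.9 host=bad.example.net dport=80 action=allow",
    "2024-05-01T10:17:00Z src=10.0.0.5 dst=198.51.100.23 dport=22 action=allow",
    "2024-05-01T10:18:00Z src=10.0.0.7 dst=192.0.2.10 dport=443 action=allow",
]

MAX_AGE = timedelta(days=14)  # indicators not seen within this window are stale (assumed policy)
NOW = datetime(2024, 5, 1, 10, 30, tzinfo=timezone.utc)  # fixed "now" so the run is reproducible
SOURCE_WEIGHT = {"internal": 1.0, "external": 0.9, "free": 0.6}  # assumed trust per source type
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def load_feed(text):
    """Parse JSON-lines feed text into a dict keyed by indicator value."""
    feed = {}
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["last_seen"] = datetime.fromisoformat(rec["last_seen"].replace("Z", "+00:00"))
        feed[rec["indicator"]] = rec
    return feed


def is_current(rec, now=NOW, max_age=MAX_AGE):
    """Currency check: only act automatically on indicators seen within max_age."""
    return now - rec["last_seen"] <= max_age


def risk_score(rec):
    """Contextual score 0-100: feed confidence weighted by trust in its source."""
    return round(rec["confidence"] * SOURCE_WEIGHT.get(rec["source"], 0.5))


def decide(score):
    """Pre-set rule thresholds that turn a score into an automated response."""
    if score >= 80:
        return "block"
    if score >= 50:
        return "alert"
    return "review"


def match_logs(lines, feed, now=NOW):
    """Return one finding per log line whose dst/host hits a current indicator."""
    findings = []
    for line in lines:
        fields = dict(FIELD_RE.findall(line))
        for key in ("dst", "host"):
            rec = feed.get(fields.get(key))
            if rec is None or not is_current(rec, now):
                continue  # unknown or stale: left for an analyst, never auto-blocked
            score = risk_score(rec)
            findings.append({
                "indicator": rec["indicator"], "threat": rec["threat"],
                "country": rec["country"], "source": rec["source"],
                "score": score, "action": decide(score), "log": line,
            })
    return findings


if __name__ == "__main__":
    for f in match_logs(LOG_LINES, load_feed(FEED_JSONL)):
        print(f"{f['action']:6} {f['indicator']:16} {f['threat']:9} "
              f"score={f['score']} source={f['source']} country={f['country']}")
```

On the constructed input the C2 indicator is current and well-sourced, so it reaches the block threshold; the free scanner feed entry is current but low-confidence and only lands in the review queue; the phishing domain is a real hit in the logs but is two months stale, so it is deliberately not acted on automatically. That last case is the point of the currency criterion: without it, an old indicator would block traffic the feed can no longer vouch for.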

CTI can help to more fully inform the risk assessment process by providing real-time actionable intelligence about the types of threats that are relevant to an organisation and the frequency and severity of those threats. Information on threat actors and on the frequency and severity of threats is a vital input into the risk assessment process.

At a very high level, there are three broad categories of CTI available within the market at the moment. The differences could be the subject of a separate series of articles, so this high-level view is anything but comprehensive. The three broad categories are:

  1. Open Source CTI – provides some pretty handy threat intelligence data, but like all open source efforts, it relies on community involvement and may lack the necessary contextual information that makes CTI actionable for specific organisations and sectors. There may be a lot of noise to be sifted within the data to derive truly useful intelligence.
  2. Vendor Provided CTI – has the advantage of providing more contextual data. Many vendors have sharing arrangements in place and their own research and analysis teams that leverage these sharing arrangements and the open source feeds available. They also draw from their client community. You do need to be a little careful in selecting vendors, as some draw heavily from open source information only. The only real advantage that you get here is the convenience of not having to collect and sift available open source information yourself.
  3. CTI Vendor solutions – have the benefit of generally being the sole commercial focus of these CTI vendors. CTI vendors have their own research and analysis teams, leverage other feeds and often possess big data driven infrastructure to contextualise the intelligence. Such feeds can be very granular and can stem from application intelligence and social media. As a consequence, these vendors can provide flexible and highly customised CTI feeds to clients.

Additionally, CTI feeds can be produced by internal systems within an organisation, by government entities, or by independent groups such as the Internet Storm Centre within SANS. Irrespective of whether you choose to deploy open source, vendor-bundled, or stand-alone commercial CTI vendor solutions, other benefits can be delivered by a CTI approach. One important potential improvement delivered by dedicated threat intelligence equipment (a CTI appliance) is the freeing up of other technology resources and traditional tools to operate more efficiently. Reducing the load on your existing security stack, in particular firewalls and IDS/IPS, can potentially extend the working life of your infrastructure and hence save money. For appliance-based CTI that sits in front of existing security infrastructure, where the CTI can identify threats before they reach firewalls and IDS/IPS, configuration complexity and processing loads on these technologies can be reduced. Dynamic blocking is happening, but the reality is that people need to invest time in support of CTI. Without smart people constantly tuning it, you run the risk of blocking legitimate traffic or wasting your money on the investment.

The promise of Threat Intelligence is that it will increase the agility of your response, guide your operational security decisions and optimise the efficiency of your existing security stack. The ultimate aim is to reduce the number of annual security incidents.

In the next blog in this series, I will discuss whether CTI is worth investing in.

What is Cyber Threat Intelligence? And when do you need it?

Cyber Threat Intelligence (CTI) appears to be one of the hot topics in information security at the moment. Almost every vendor, as well as the open source community, has its own take on what is and is not important in the CTI arena. I have been asked a number of questions by clients and colleagues alike about CTI. Many questions focus on whether threat intelligence is worth investing in right now, or budgeting for. It is a good question, but to be honest I am probably the wrong person to ask. After close to twenty years in the information security industry, I am always a little sceptical of the next big thing, given the long line of next big things I have seen during my career. My scepticism is exacerbated when vendors claim that their method or technology is better or more robust than those of their competitors. My scepticism is magnified when vendors keep their approach secret or don’t provide any data or evidence to back up their claims. A good recent example is that of Norse Corporation, who had a rapid, well-publicised and complete unravelling when it was revealed that their secret CTI methods and products proved little more than highly polished marketing claims.

Perhaps a better question would be, ‘what business problem will CTI actually solve for me and my organisation?’ or ‘how long until CTI is mature enough to justify investment?’ or even, ‘What do I need to consider before investing?’

In this post series, I’ll be answering these three questions in turn:

  1. What business problem does CTI actually solve?
  2. Is CTI worth investing in now?
  3. What do I need to consider before investing?