The Threat Intelligence Cycle
Lately I have been seeing more people coming to the realization that all of this threat intelligence for sale out there from vendors may or may not be what they claim it is. I for one have been thinking that much of what is out there today is either of poor quality or mostly not relevant to the users who are buying the data. It's that last point that most of the time I try to get across to people through this blog and elsewhere. To wit, most of the time what you are being offered by these threat intelligence firms is data, not necessarily intelligence, and this is a nomenclature issue that I think is important.
Intelligence, by its very definition, is this:
Often what you get from an intelligence portal is data and analysis of actors that you may never have to deal with and who are not targeting you. That data comes from honeypots and perhaps from incidents at other clients, but those clients and that data may not be in your vertical either, so what bearing do they have on you? Another question to ask at this time is whether or not the intelligence analysis was carried out by a trained intelligence analyst. Oftentimes today we see intelligence output that is flawed due to poor data and/or suppositions made from bad attribution and other factors. So really, how much can you trust that intelligence report to start with, and secondly, does that information even have relevance to your organization or network infrastructure?
Once again the militarization of the internet and the information security field has led us astray with nomenclature that sounds cool but may not really fit the needs of INFOSEC outside of a military or government sphere of influence. So now that you have some idea of the nomenclature issues around all of this, I would like to take up the notion that what most of you now get from so-called threat intelligence outfits is really just data and not so much intelligence.
Data Versus Intelligence:
When you buy into a threat intel feed you most of the time get emails with data: command and control IPs, malware hashes, and things like that. You may have a portal where you can look up specific actors (Crowdstrike for example) and get a sense of who they may be and how they operate, but really, do most of you out there digest that data and use it to inform your management or the direction of your security program? On average I would say that the bulk of what companies do today is take C&C data or bad actor data and place it into their own IDS or firewall rules to attempt to stop those types of attacks. This is not intelligence consumption, this is data consumption.
A YARA rule or other TTP data is just that, data. You could very well throw away the rest of the report (which I assume many do) and just move on. Intelligence has consumers, and that intelligence has to be created for that consumer. If you are a financial institution and your threat intelligence feed does not cover crimeware that steals credit card data, how much good is it to you? Don't get me wrong, having that data to put into your IDS/firewall as a proactive prophylaxis is great. Yet still it is not intelligence. Thus I say again: most of what you are buying is not true intelligence unless you get a tailored report for your company that covers data from your environment as well as information about actors who would wish to attack it or have attacked it. This direct information would help the management and the staff make decisions on the direction of security and the overall threats to the environment that need to be addressed.
Good Intelligence Versus Bad Intelligence:
Next I would like to tackle the idea of when intelligence is bad and when it's good. Intelligence analysis is never easy and it is never one hundred percent accurate. A simple example of this idea would be the conversation between former CIA director George Tenet and former President G.W. Bush regarding Saddam's WMDs.
“George, how confident are you?” the president asked Tenet, in an exchange depicted in Bob Woodward’s book “Plan of Attack.”
“Don’t worry, it’s a slam-dunk,” Tenet said.
Well, there were no WMDs, and the intelligence came from the WHIG (White House Iraq Group), which was run and lorded over by Vice President Dick Cheney. Intelligence can be misguided or it can be deliberately led astray to influence decision makers, and it is the same with threat intelligence in the Infosec world. Within this blog post though we are talking about intelligence on actors who may only be known from very small bits of data in code or IP addresses that were used in the attacks. This attributional data is what many of the threat intelligence firms hang their hats on, and the reality of it all is that IP attribution is highly dubious given the nature of the internet to start with. There are no slam dunks here, no matter what a provider may tell you about a specific actor that they have been watching.
So when you buy into a program for intelligence you have to look at it from the following perspectives:
- Does the threat intelligence firm have a feed from your systems? (i.e. log correlation)
- Do they know your business?
- Do they know how you operate day to day technically?
- Do they cover more than just APT actors? (i.e. teh sexy)
- Do they give you a report every month on actors that specifically would be interested in your business?
- Do they give you a report that is tailored to your environment with your vulnerabilities?
If your threat intelligence vendor does not give these things to you, then I would say that you are not getting "Threat Intelligence", at least none that you could really use. What you may be getting in fact is "data" that you can use as a tactical tool to be proactive and block certain attacks and maybe some actors. Mostly what I want to say to you is that I have a little aphorism that I love, and it is this:
“A fool with a tool is still a fool”
There are many tools out there that call themselves threat intelligence firms, and there are many fools out there who gladly use those tools without any real effect in securing their environments. I am planning a post later on about the issues around intelligence gathering and analysis. This is a large topic and I think it is best as something stand-alone for you all to look at. I just wanted to give you all the main idea here: what you are all buying isn't really intelligence.
“Caveat Emptor” people.
The Intelligence Cycle:
Let's talk about the intelligence cycle for a bit now that we have gone over some of the misapprehensions out there today over threat intelligence. You, the consumer of this information, should have a goal or benefit in mind for paying for this service, right? Well, unless you have a team that can digest the information, or alternatively a vendor who creates reports that execs can read and understand on the threats out there to their companies, you will find that it is all just Greek to you. So to understand all of this better you need to understand the intelligence cycle itself.
Below are the precepts of intelligence as a cyclical practice to first understand the problems you have, then collect data, analyse it, and then report on the threats.
- Setting Objectives
- Information Collection
- Data Analysis
- Analysis and Reporting
- Threat Assessment (aka a Threat Intelligence Assessment)
Can you in fact count on your vendor to be using this cycle to identify the threats to you? I find that usually this is not what they do, as I said above. This means that you and your org have to create your own team or buy into a vendor who will do all of these things for you. Without this, all of the data being thrown at you is just data without real context, and that would certainly be the case without people in your environment making sense of the data and responding to it appropriately for your organization.
Next Generation Threat Intelligence:
Well, I have explained the nature of intelligence and the cycle, and touched on what bad intelligence is as well as what is just plain old data. Now though I would like to cover what I see as the next generation of threat intelligence. As I said above, unless a firm is selling the full package and has a lot of insight into your business and infrastructure, you need to create your own intelligence function inside your Information Security infrastructure.
What this really means is that you will have to get some people and some resources to collect the data on your environment and what you are seeing. You will then be able to perhaps augment this with feeds from outside vendors and use it all to synthesize an analysis that is tailored to your org. Once you do this and you have a functioning intelligence organ you can be proactive to threats that are seen in the wild as well as those that you are seeing coming directly at you.
Carry out the following functions:
- In House Data Collection
- Augmentation With Outside Data and Intelligence Analysis
- True Threat Intelligence Using YOUR Data and Shared Resources
- Identifying Threats To YOUR Environment
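The difference between "data consumption" (dropping feed IPs into firewall rules, as described under Data Versus Intelligence) and the in-house functions listed above (collecting your own data, augmenting it with outside feeds, and identifying threats to YOUR environment) is easier to see in code. The following is an added example, not code from this post or from any vendor mentioned in it. The feed layout, the `key=value` log format, the org profile fields, the actor names and every IP and hash are constructed sample values for illustration; the vendor feed carries sector and actor context that the blocklist step throws away and the assessment step keeps.

```python
"""Turning a threat feed (data) into an assessment tied to one organisation.

Everything below is constructed sample data; the feed format, the log
format and the field names are assumptions made for this illustration.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed vendor feed: indicators plus the context that usually gets thrown away.
FEED = [
    {"type": "ip", "value": "203.0.113.10", "actor": "ACTOR-A",
     "sectors": ["finance", "retail"], "tag": "c2"},
    {"type": "ip", "value": "198.51.100.7", "actor": "ACTOR-B",
     "sectors": ["defense"], "tag": "c2"},
    {"type": "sha256", "value": "a" * 64, "actor": "ACTOR-A",
     "sectors": ["finance"], "tag": "cardstealer"},
    {"type": "ip", "value": "192.0.2.55", "actor": None,
     "sectors": [], "tag": "honeypot-scanner"},
]

# Constructed organisation profile: the part no generic feed knows about you.
ORG = {"sector": "finance", "internal_nets": ["10.0.0.0/8"]}

# Constructed firewall/proxy lines in an assumed key=value layout.
LOGS = """\
2016-03-01T10:02:11Z src=10.1.4.20 dst=203.0.113.10 dport=443 action=allow
2016-03-01T10:02:15Z src=10.1.4.20 dst=93.184.216.34 dport=443 action=allow
2016-03-01T11:40:02Z src=10.7.0.3 dst=203.0.113.10 dport=443 action=allow
2016-03-02T02:13:50Z src=192.0.2.55 dst=10.0.0.1 dport=22 action=deny
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def blocklist(feed):
    """Data consumption: every IP in the feed, all context discarded."""
    return {i["value"] for i in feed if i["type"] == "ip"}


def parse_logs(lines):
    """In-house data collection: parse the org's own log lines."""
    parsed = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:  # skip malformed lines instead of crashing the whole run
            parsed.append(m.groupdict())
    return parsed


def assess(feed, events, org):
    """Augmentation and analysis: what in the feed actually bears on THIS org."""
    internal = [ip_network(n) for n in org["internal_nets"]]

    def is_internal(ip):
        return any(ip_address(ip) in n for n in internal)

    by_ip = {i["value"]: i for i in feed if i["type"] == "ip"}
    seen = defaultdict(int)  # indicator -> number of log hits
    hosts = set()            # internal hosts that were allowed out to an indicator
    for ev in events:
        for ip in (ev["src"], ev["dst"]):
            if ip in by_ip:
                seen[ip] += 1
        if ev["dst"] in by_ip and ev["action"] == "allow" and is_internal(ev["src"]):
            hosts.add(ev["src"])

    actors = set()
    irrelevant = []
    for ind in feed:
        targets_us = org["sector"] in ind["sectors"]
        observed = seen.get(ind["value"], 0) > 0
        if ind["actor"] and (targets_us or observed):
            actors.add(ind["actor"])
        if not targets_us and not observed:
            irrelevant.append(ind["value"])  # data with no bearing on this org

    return {
        "blocklist_size": len(blocklist(feed)),
        "hosts_reaching_indicators": sorted(hosts),
        "actors_of_concern": sorted(actors),
        "indicator_hits": dict(seen),
        "not_relevant_to_us": irrelevant,
    }


if __name__ == "__main__":
    report = assess(FEED, parse_logs(LOGS), ORG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

The blocklist has three entries and says nothing about priority. The assessment says something a manager can act on: two internal hosts were allowed out to a C2 address used by an actor that targets this org's sector, the scanner hit was blocked, and the defense-sector indicator can be deprioritised. The attribution caveat from earlier in the post still applies: the actor labels are only as good as the vendor's analysis, so the report should carry that uncertainty rather than present a "slam dunk".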
In some cases, such as some large banks (BofA), organisations have their own intelligence wings that purportedly not only take feeds from the Crowdstrikes of the world but also use other OSINT techniques. These groups also use human assets and behavioural modelling to generate reports of threats out in the real world that may directly affect them. This is another level of intelligence gathering that you may also want to take up later on. First though, if you are going to say you are using threat intelligence, then you had better have one of the two scenarios above. Otherwise you are not using threat intelligence at all. You are just floundering in a sea of data that may or may not pertain to you at all.
My recommendation to you all is that you consider setting up a group that does this. If you have feeds, then have people in that portal looking at all of the data that they have. Look at how actors operate and who they target. Perhaps there are things you can intuit from their reports. However, the big goal here is to work with YOUR environment. The phrase "Know Thyself" comes to mind here, and it is a true statement of what you should be working towards in threat intelligence.
Well there you have it. I have had this running around my mind for a while now and lacked the motivation to post until today. I hope this is helpful to some of you and I am sure there are some people out there who may take issue with some of what I said (mostly vendors I am assuming) but it had to be said. While it all may sound sexy and full of intrigue there is also a lot of snake oil as well. Unless you understand the goals of what you are buying into you just end up wasting your time and money.
Frankly I have seen so many orgs out there who lack even the capacity to run effective security awareness programs, so I have little hope that any of them would be able to cobble together a real intelligence function. All too many places just want the check box of "YUP! I HAVE A THREAT INTELLIGENCE FEED! I AM SOOPER COOL" and it saddens me. Ok, no, wait... It really enrages me most of the time, as many of you may already see in my Twitter feed daily. I guess maybe that's all well and good for them, but for me this is just wasting time and money. If you want to protect your org then you should be doing things that make more sense than buying bad intel and a YARA feed.
Don't even get me started on all the vendors' super cute names for all their actors and how they don't share intel with each other. That will only make me even more rage-filled, I am sure. Of late I have been told I need to start a service to teach the intelligence cycle and all of the things that pertain to running a good program. It is something I am considering, but there has to be a desire out there. On average I am not seeing too many orgs outside of the big defense base types who care enough to do it right. Don't get me wrong though, I don't think this has to be a big spend either. In fact I think many places could just drop their very expensive threat intelligence feeds and buy an IDS, set up a team, and do all this work more effectively themselves.
Think about it. More later on the pitfalls of intelligence analysis and cognitive bias.