The Threat Intelligence Cycle and YOU
The Cost Benefit Analysis of Threat Intelligence:
Over the weekend I got a call from @packetknife who began to question me on some of the finer points on the threat intelligence post I put up recently. The primary thing of it all kind of boiled down to “So what’s the cost benefit analysis here” which was not meant in money but really in overall efficacy. What real good would come from having a threat intelligence capability that really could be more broadly expanded to such things as competitive intelligence and the like.
It was a good question and it is something that I had talked about before in my BsidesLV presentation on this subject. To cut to the chase here the point is that if you create a capacity and you generate intelligence from analysis of the “data” being given to you as well as what you are seeing in your own logs, then you have analysis and information that can be used to inform management. Management may not be really aware of these things and they should by all rights be in today’s age of the weekly compromise announcements. Business decisions are made every day concerning the security of a company and all too often as we have seen lately those decisions may not have been the best for the security of the companies found to be compromised and losing data. A for instance would be Home Depot using SEP 11 as their primary means of protection against malware or, even at a lower scale, the use of MalwareBytes by the heating and cooling company that was the launch point for the attack on Target.
There is a cost benefit to having your own program of looking at the data as well as the so called intelligence you can get from a portal and that benefit lies in not only technical means (i.e. blocks in firewalls and sigs in SIEM’s) but also awareness on the part of the org and it’s leaders as to what is happening in the world and how that may effect your organization. Of course your leaders have to be available to this kind of thing and they have to have it spoon fed most of the time but if you get those things squared away you will make your life a little easier in trying to defend the organization as they might have some clue as to why you are warning about something.
Rubber Meeting Road:
Some *cough Ali cough* might question whether or not this is something that anyone other than a government or perhaps a defense base corporation would care about. I agree, it may be a tough sell at times but I have no doubt that there is a benefit to some form of this program being in any corporation that has a security presence. I am not saying you need to get more bodies and form a group solely dedicated to this function (though that would be nice) but instead are saying that the function at least has to exist in some working fashion to make your security program work as a whole. Without these insights you are pretty much going to be only reactive and not proactive and this is bad.
If you really look at this you are not just reporting on what is going on in the world but also enlightening your management about your environment as well. If you say run a scan on your network and locate five NT machines that run rather important functions within your business you should generate intelligence that your network is at risk from NT being there as an outdated and unpatched system. Additionally you would be able to add context through analysis that those very important systems, were they to fall down and go boom or be hacked. could cause major issues for the company. Now, do you get that in vuln scans? Yes, you do. However, I would ask whether or not those scans ever make it to management in the first place? Secondly, do they actually have analysis as to WHY this is a rather important issue?
See where I am going here? The scan is DATA but the analysis is INTELLIGENCE…
Adding more analysis by marrying what you have that is vulnerable in your environment as well as analysis as to why it is there now and what the potential problems are in it remaining so as well as current attacks out there that may be going after such things is “Threat Intelligence” Am I making any sense here to you? Threat Intelligence (now TI in the vernacular as I see in my Twitter feed) is the sum total of all your scans, your feeds, and your intelligence gathering internally and externally to inform your business. It is up to them after you have informed them to accept the vulnerabilities after they comprehend them. That comprehension delivery is what you are doing in the form of TI.
Whether or not companies and management guys will buy into it is really the key part of the problem. I personally found that I had to take a page out of Jayson Street’s book and just did it. I created reports and I sent them to the management. Once they got the spoon fed fifth grade reading level informatics of what was going on the light-bulb got turned on. Does this mean that they react on larger issues that should be taken care of? No, it doesn’t. However, I have informed them and keep them up to date on what their overall security posture is like and that at the end of the day is all I can ask. It is after all their business. I only inform…
Your mileage may very.