Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Threat Intelligence: The Blame Game


//BEGIN MANIFESTO

Lately I have been sitting and thinking about TI and Attribution as well as the state of the state as the year comes to a close. I sit, I ponder, and then I get all kinds of rage filled with the shit I see happening out there. So, after a particular sit down I had over the weekend I decided to post this manifesto on the Internet’s front door. For what it’s worth I am not trying to be a so called “thought leader” here as much as I have just had fucking enough of the insanity and would like to see a little sense shoved down everyone’s collective cyber throats.

Open wide kids! Uncle bastard has a few words for you!

Threat Intelligence:

What is Threat Intelligence? Well, ask random people and you will get random answers. Ask vendors and you will get super buzz-wordy speak offering many APTs and IOCs and TTPs along with a host of other jargon. The reality is that Threat Intelligence has been co-opted as an idea from the military (once again, like so many other things in our business) and kludged into our business process in IT and Security.

Strictly speaking though, threat intelligence should be informatics that can be used to determine the threat to your environment. Most of the time it is data in the form of IPs, ports, protocols, and actions that are being seen in the wild being used against other companies, governments, and people. As such it can be useful if you are a like entity or you have the same vulnerabilities that are being leveraged. You can take that feed of data and put in firewall rules to block C&Cs, etc., to prevent them being used on you. Along with this, you should be getting informatics on patches that are available for 0days being used, as well as perhaps the types of information the hackers are targeting most often.

With all of this data one can formulate a plan and put in some rules in your own environment to perhaps detect or prevent it happening on your digital soil. Unfortunately though, much of the time the feeds and “intelligence” being sold to companies are just data. The company may lack the comprehension levels needed to understand the data or “intelligence” because they lack a person or group to analyse it all and rationalize it for their organization. This is where much of the fail happens in our business where Threat Intelligence is concerned, if you ask me. Companies pay a lot of money for a data feed and then they fail to leverage it. It is also a fail on the part of the companies selling TI, because they often just sell you the feed and pretty shiny reports on APT actors because they are cool, and leave the end user struggling with the meanings. I mean, it’s an extra fee for comprehension, right? So we have a fundamental failure on the part of the business to serve the clients, in my opinion.
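The feed-to-rules step described above, as an added Python example that is not part of the original post: a constructed feed (with the attribution field the post says to ignore), a constructed asset inventory and firewall log lines, and the analyst logic that drops the actor, keeps only what applies to this environment, and turns the rest into block rules and log matches. All names, indicator values and log formats are assumed for illustration.

```python
import re

# Constructed sample feed (not real indicators). "actor" is the attribution the post
# says to drop; "affects" names the product a vulnerability-style entry applies to.
FEED = [
    {"type": "ip", "value": "203.0.113.10", "role": "c2", "port": 443, "actor": "APT-X"},
    {"type": "ip", "value": "198.51.100.7", "role": "scanner", "port": 22, "actor": "?"},
    {"type": "vuln", "value": "vuln-placeholder-1", "affects": "ExampleCMS", "actor": "APT-X"},
    {"type": "vuln", "value": "vuln-placeholder-2", "affects": "OtherERP", "actor": "APT-Y"},
]
INVENTORY = {"ExampleCMS", "nginx"}  # what we actually run: the "same vulnerabilities" test
LOGS = [  # constructed firewall log lines in a simple key=value form
    "2014-12-15T10:01:02 src=10.0.0.5 dst=203.0.113.10 dport=443 action=allow",
    "2014-12-15T10:02:10 src=10.0.0.9 dst=192.0.2.44 dport=80 action=allow",
    "2014-12-15T10:03:33 src=198.51.100.7 dst=10.0.0.1 dport=22 action=deny",
]
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)")

def strip_attribution(feed):
    """Drop the actor field; nothing below needs it to act on the indicator."""
    return [{k: v for k, v in ioc.items() if k != "actor"} for ioc in feed]

def relevant(iocs, inventory):
    """Keep network indicators, and vulnerability entries only for products we run."""
    return [i for i in iocs if i["type"] == "ip" or i.get("affects") in inventory]

def firewall_rules(iocs):
    """C2 addresses become outbound denies, scanners become inbound denies."""
    rules = []
    for i in iocs:
        if i["type"] == "ip":
            direction = "out" if i["role"] == "c2" else "in"
            rules.append(f"deny {direction} {i['value']}/32 tcp/{i['port']}")
    return rules

def match_logs(iocs, lines):
    """(line, role) for every log line whose src or dst is a feed IP: detection, not just blocking."""
    by_ip = {i["value"]: i["role"] for i in iocs if i["type"] == "ip"}
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            hits += [(line, by_ip[ip]) for ip in m.group(1, 2) if ip in by_ip]
    return hits

def operationalize(feed=FEED, inventory=INVENTORY, lines=LOGS):
    """The analyst step the post says is missing: feed in, rules and detections out."""
    iocs = relevant(strip_attribution(feed), inventory)
    return {"iocs": iocs, "rules": firewall_rules(iocs), "hits": match_logs(iocs, lines)}
```

The vulnerability entry for a product not in the inventory is dropped before any rule is written, which is the "like entity" filter the post describes; the allowed connection to the C2 address shows up as a hit even though no firewall rule existed yet.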

Attribution:

Ah yes, attribution, the word itself sends a shiver of fuckery up and down the spine. This is the hook that all TI firms are selling their shit on: detecting attacks and then attributing them to sophisticated actors. All of these firms are the new cool, right? Seems like every month we see a new and shiny report dumped on the internet alleging that some or other group of APT actors is hacking up a storm and stealing things. This may in fact be the case, that there are actors out there stealing shit left and right, but the attribution thing? Well, that is notional at best. I have to say though, lately I have been surprised to see some of these reports start to use the words “may be”, which is a good thing. You see, attribution is a lot like guessing, while blind, that you are holding a tree trunk when in fact it is an elephant’s trunk.

Attribution should, in my opinion, be removed altogether from these threat intelligence firms’ business cycle. Here’s what they should do:

  1. Determine what the actor is doing and how
  2. To whom
  3. Then report on those actions and how to stop them by their modus operandi (C&Cs, TTPs, IOCs, hashes, etc.)

That’s it. That is all they should be doing. By colouring it with all the Spy vs. Spy shit they may think that they are super cool, but in reality they are just muddying the waters for anyone trying to do real work. All of these swank reports on bad guys are just marketing and a certain desire to sell shit to the government. For the regular Joe in the trenches working in security, it does nothing.

So cut it out. I have little hope that will happen though.

Oh and one last word on attribution… It’s never that easy. Let’s see us go to war over your attribution…

Intelligence Cycle:

Back in 2013 I did a presentation on the intelligence cycle at BsidesLV. I would like to point you all at it again and once again say take a look. My premise is that any company that is looking to perform Threat Intelligence needs more than just a feed: it needs a real person or group who can analyse the data and report back to the company on the threats. If you strip out all the attribution crapola you may or may not have useful information, depending on your position. The crux of the matter is comprehending what is being given to you and using that information to make better security decisions in your environment.

All too often now it’s all just shiny blinky appliances, reports, and language from so-called thought leaders and vendors while Rome burns. If you are going to be serious about doing threat intelligence, drop all the “ain’t it cool” crap and get down to brass tacks about securing your environment by knowing your weaknesses. You do this by leveraging threat intelligence where you can, and by introspection and action on where your environment has weaknesses.

K.

The Threat Intelligence Cycle

//END MANIFESTO

Written by Krypt3ia

2014/12/15 at 15:11

2 Responses


  1. Great thoughts. I would like to mention that despite being abused and imitated, TI should be a vital part of a company’s detection and response process. In my current position, like many others, we rely on “operational” TI to determine low priority or high priority response actions. I wish we had the resources to treat every incident (including phish) with the same DFIR diligence but in a Fortune 100 environment we have to prioritize. Without tracking IOCs and TTPs, it would be very difficult to make that call. Paying for a TI feed could possibly help IF the organization has robust detection and response processes. Every organization should collect and track their own TI from event analysis.

    Do we make the wrong call? Absolutely. It’s a daily struggle to determine if our TI and assumptions are correct. Validating our TI requires in-depth analysis and rigorous process adherence (a challenge every IR team must face).

    I agree completely with your thoughts on attribution. As a responder, I want to know basic motivation such as small financial gain (non-targeted) or if an actor was trying to steal IP, gain a foothold into our network or something more malicious. While attribution should help with these efforts, it’s not an exact science and it should not be treated like one. Furthermore, it’s very easy to make attribution calls based on assumptions which were based on other assumptions which were straight up wrong. Again, TI validation is key but difficult at best.

    Leadership seems to love the spy-v-spy shit and I would be lying if I told you it hasn’t resulted in more money for our department. The issue comes when leadership doesn’t understand the complexity of security operations and believes that blindly throwing money at the problem will make it go away. I think the challenge is convincing leadership serious IP loss and brand damage is possible from non-state actors and we don’t need to be 100% convinced that a state actor is in our network before investing in security (not just money but with talent and leadership).

    Mike Schladt

    2014/12/15 at 17:43

  2. Agreed.

    Krypt3ia

    2014/12/15 at 18:36
