Threat Intelligence: The Blame Game
Lately I have been sitting and thinking about TI and Attribution as well as the state of the state as the year comes to a close. I sit, I ponder, and then I get all kinds of rage filled with the shit I see happening out there. So, after a particular sit down I had over the weekend I decided to post this manifesto on the Internet’s front door. For what it’s worth I am not trying to be a so called “thought leader” here as much as I have just had fucking enough of the insanity and would like to see a little sense shoved down everyone’s collective cyber throats.
Open wide kids! Uncle bastard has a few words for you!
What is Threat Intelligence? Well, ask random people and you will get random answers. Ask vendors and you will get super buzz wordy speak offering many APT’s and IOC’s and TTP’s along with a host of other jargon. The reality is that Threat Intelligence has been co-opted as an idea from the military (one again in our business like so many other things) and kluged into our business process in IT and Security.
Strictly speaking though, threat intelligence should be informatics that can be used to determine the threat to your environment. It is most of the time data in the form of IP’s, ports, protocols, and actions that are being seen in the wild being used against other companies, governments, and people. As such it can be useful if you are a like entity or you have the same vulnerabilities that are being leveraged. You can take that feed of data and put in firewall rules to block C&C’s etc to prevent them being used on you. Along with this, you should be getting informatics on patches that are available for 0day’s being used as well as perhaps the types of information the hackers are targeting most often.
With all of this data one can formulate a plan and put in some rules in your own environment to perhaps detect or prevent it happening on your digital soil. Unfortunately though, much of the time the feeds and “intelligence” being sold to companies is just data. The company may lack the comprehension levels needed to understand the data or “intelligence” because they lack a person or group to analyse it all and rationalize it for their organization. This is where much of the fail happens in our business where Threat Intelligence is concerned if you ask me. Companies pay a lot of money for a data feed and then they fail to leverage it. It is also a fail on the part of the companies selling TI because they often just sell you the feed and pretty shiny reports on APT actors because they are cool and leave the end user struggling with the meanings. I mean, it’s an extra fee for comprehension right? So we have a fundamental failure on the part of the business to serve the clients in my opinion.
Ah yes, attribution, the word itself sends a shiver of fuckery up and down the spine. This is the hook that all TI firms are selling their shit on. Detecting attacks and then attributing them to sophisticated actors. All of these firms are the new cool right? Seems like every month we see a new and shiny report dumped on the internet alleging that some or other group of APT actors is hacking up a storm and stealing things. This may in fact be the case, that there are actors out there stealing shit left and right, but the attribution thing? Well, that is notional at best. I have to say though lately I have been surprised to see some of these reports start to use the words “may be” which is a good thing. You see, attribution is a lot like guessing you are holding a tree trunk while blind while in fact is is an elephant’s trunk.
Attribution should be in my opinion removed from the equation altogether from these threat intelligence firms business cycle. Here’s what they should do;
- Determine what the actor is doing and how
- To whom
- Then report on those actions and how to stop them by their modus operadi (C&C’s TTP’s IOC’s Hashes etc)
That’s it. That is all they should be doing. By colouring it with all the Spy vs. Spy shit they may think that they are super cool but in reality they are just muddying the waters for anyone trying to do real work. All of these swank reports on bad guys is just marketing and a certain desire to sell shit to the government. The regular Joe in the trenches working in security, it does nothing for.
So cut it out. I have little hope that will happen though.
Oh and one last word on attribution… It’s never that easy. Let’s see us go to war over your attribution…
Back in 2013 I did a presentation on the intelligence cycle at BsidesLV. I would like to point you all at it again and once again say take a look. My premise is that any company that is looking to perform Threat Intelligence needs to not just have a feed without a real person or group who can analyse the data and report back to the company on the threats. If you strip out all the attribution crapola you may or may not have useful information depending on your position. The crux of the matter is comprehending what is being given to you and using that information to make better security decisions in your environment.
All too often now it’s all just shiny blinky appliances, reports, and language from so called thought leaders and vendors while Rome burns. If you are going to be serious about doing threat intelligence drop all the “ain’t it cool” crap and get down to brass tacks about securing your environment by knowing your weaknesses. You do this by leveraging threat intelligence where you can and introspection and action on where your environment has weaknesses.