Why Most End-User Threat Intelligence Is Horrible (And What To Do Instead)

End-user companies know how to configure firewalls or install anti-virus software, but many are not yet taking the next step of adding threat intelligence to their security stack, and that may be for a good reason.

Threat Intelligence is a collection of data containing IP addresses, domains, email addresses, file hashes, and groups of known dangerous and suspicious attackers. Similar to a police blotter, threat intelligence can tell you that an incident has occurred, but those incidents can be completely unrelated to an organization. Essentially, threat intelligence is a police blotter from a city you don’t live in.

Whether consumed from open source feeds, U.S. government Automated Indicator Sharing (AIS) feeds, or paid commercial feeds, threat intelligence is designed to help organizations avoid threats. In practice, none of these sources adds more than rudimentary value to a business in that capacity. Although most contain encyclopedic reference material on types of attacks and attackers, this information is only useful after an organization has been attacked and needs to assess the extent of the damage.

When the cybersecurity industry was younger, threat intelligence consisted of lists of “bad” IP addresses. You put them in a firewall with an “always block them” rule. As Internet usage expanded, IP addresses moved between providers or were masked, and attackers began launching their attacks from otherwise legitimate machines. At that point, simply blocking “bad” IP addresses was causing more problems than it solved.

Threat intelligence firms sought to address this emerging problem. Their value rested on widely distributed collectors, placed at various Internet access points, that gathered more valid and up-to-date data, more reliably, than the static lists could.

Teams of security researchers have matured and enhanced this data, curating and refining the feeds these threat intelligence companies offer. File hashes, which uniquely identify the exact contents of a known bad file, have been added. But attackers evolve and innovate so quickly that threat intelligence still fails to deliver actionable value.

Practitioners advise CISOs to connect threat intelligence to their firewalls so that the network security system actively and quickly blocks attackers identified by TI. In practice, however, there have been incidents where a threat intelligence feed decided that Microsoft’s IP addresses, for example, were malicious and cut off email access. With just one misidentification, relationships between partners are broken by mistake.

On top of that, the US government’s attempt to provide threat intelligence to the private sector is notoriously ineffective. Its AIS feeds arrive late and do not contain enough detail to provide a benchmark. How late? AIS indicators for a given threat come long after the threat has been detailed in the Wall Street Journal and actively eradicated by commercial entities.

The situation is identical to the transition from antivirus to endpoint detection and response (EDR). For years, antivirus makers Symantec and McAfee ensured that workstations were connected to the network to receive their signature updates. These signature files, sourced from the vendor, gave the installed anti-virus software an updated list of known malicious files.

Cylance first broke this pattern with its heuristic, signature-free approach to identifying viruses. While Cylance identified malware by its behavior, other antivirus vendors were still searching based on wanted notices. Vendors have since emulated this innovation, and as a result threat intelligence offers little value here, having been replaced by behavior-based systems with their sensors in the customer’s network.

Act before the threat arrives

Threat intelligence feeds play a small, rudimentary role in a security strategy. However, the outcome you expect from threat intelligence is to know the danger and act before it happens. Knowing your risks is more effective than knowing the danger. Identifying your attack surface, its risk and how it needs to be managed is paramount – this is Cyber Asset Attack Surface Management, or CAASM.

First, know everything about everything you are responsible for. Know all of the organization’s assets, what they do, what kind of data they store, transmit and process, and who uses it. Assess their risk and then apply the appropriate controls. This “base” layer is beyond the reach of most companies, but provides superior world-class security.

Once that is in place, the best threat intelligence is personalized. What are the threats to the end-user organization? This is best identified through threat hunting: assessing normal traffic and processing behavior, identifying outliers, and analyzing the potential for malicious activity. Once the CAASM is solid and threat hunting has begun, the next layer is deception and honeypots.

With these deception tools, organizations can observe attackers in action on separate systems, and not only distract them, but identify the behaviors and tools that constitute the real threats. These three layers, in order, provide true and effective threat intelligence.

Joel Fulton is co-founder and CEO of Lucidum, an AI-powered asset discovery platform. He is also a co-founder of Silicon Valley CISO Investments, a leading group of information security executives that operate as a syndicate of angel investors.