Why Most End-User Threat Intelligence Isn’t Helpful
Here’s how to make your organization’s cybersecurity threat intelligence strategies more effective.
Organizations, school districts and campuses know to set up firewalls or install antivirus software, but there are still many that are not taking the next step in adding threat intelligence into their security stack. There may be a good reason for this.
Threat intelligence is a collection of data containing known-dangerous and suspicious IP addresses, domains, email addresses, file hashes and attacker groups. Similar to a police blotter, threat intelligence can tell you that an incident has occurred, but those incidents may be completely irrelevant to an organization. Essentially, threat intelligence is a police blotter from a city you don’t live in.
Whether consuming threat intelligence from open-source feeds, U.S. Government Automated Indicator Sharing (AIS) feeds, or paid commercial feeds, it is designed to help organizations avoid danger. However, none provide more than basic, rudimentary value to an enterprise in this capacity. Although most contain encyclopedic reference material on types of attacks and attackers, this information is only useful after an organization has been attacked and needing to evaluate the extent of the damage.
When the cybersecurity industry was younger, threat intelligence comprised lists of “bad” IP addresses. You put these into a firewall with an “always block these” rule. As the use of the internet expanded, IP addresses shifted among providers, masked, and attackers began using “good-guy” computers to launch their attacks. At that point, simply blocking “bad” IP addresses caused more problems than it solved.
Threat intelligence companies sought to solve this emerging problem. Their value was built on widespread collectors, distributed around various internet access points, to collect data that was more valid and more reliably up to date than the static lists delivered.
Teams of security researchers matured and improved this data, curating and refining the feeds these threat intelligence companies offered. File hashes, identifying the exact size and composition of a known-bad file, were included. But attackers evolve and innovate so rapidly that threat intelligence fails to deliver actionable value.
As a practitioner, CISOs are advised to connect threat intelligence to firewalls to ensure the network security system actively and quickly blocks TI-identified attackers. In practice, however, there have been incidents where threat intelligence decides Microsoft’s IP addresses, for example, are malicious and cuts off access to email. With just one errant identification, partner connections are mistakenly severed.
On top of this, the U.S. government’s attempt to deliver threat intelligence to the private sector is notoriously ineffective. Their AIS feeds arrive late and contain insufficient detail to provide reference value. How late? AIS indicators for a given threat arrive long after the threat has been detailed in the Wall Street Journal and actively eradicated by commercial entities.
The situation is identical to the transition from antivirus to endpoint detection and response (EDR). For years, Symantec and McAfee antivirus managers ensured workstations were connected to the network to receive their signature updates. These signature files, from the vendor, sent the installed antivirus software an updated list of bad files.
Cylance first broke this model with its heuristic-based, list-free approach to identifying viruses. While Cylance identified malware by its behavior, other antivirus companies were still hunting based on wanted posters. Vendors have mimicked this innovation and, as a result, threat intelligence delivers little value here having been superseded by behavior-based systems with their sensors in the customer’s network.
Take These Steps to Improve Your Threat Intelligence Efforts
Threat intelligence feeds play a small, rudimentary role in a security strategy. However, the outcome you seek from threat intelligence is knowing danger and acting before it arrives. More effective than knowing danger is knowing your risks. Identifying your attack surface, its risk, and how it ought to be managed is primary – this is cyber-attack surface management or CAASM.
First, know everything about everything you’re responsible for. Know all of the organization’s assets, what they do, what kind of data they store, transmit and process, and who uses them. Assess their risk then apply appropriate controls. This “basic” layer exceeds the grasp of most enterprises but delivers better than world-class security.
Once complete, the best threat intelligence is customized. What are the threats to the end-user organization? This is best identified through threat hunting: the evaluation of normal traffic and processing behavior, identification of outliers, and analysis of the potential for malicious activity. Once CAASM is solid and threat hunting has begun, the next layer is deception and honey pots.
Through these deception tools, organizations can watch attackers in action on segregated systems, and not only distract them but identify the behaviors and tools which are the actual threats. These three layers, in order, deliver true, effective threat intelligence.
Joel Fulton is co-founder and CEO of Lucidum, an AI-enabled asset discovery platform. He is also the co-founder of Silicon Valley CISO Investments, a leading group of chief information security officers that operate as an angel investor syndicate. This article originally appeared in CS sister publication Security Sales & Integration and has been edited.