On 6 December, teissTalk host Thom Langford was joined by Larry Cameron, CISO, Anti-Human-Trafficking Intelligence Initiative; Simon Goldsmith, Director of Information Security, OVO; Sam Flockhart, Cyber Threat Intelligence Manager, Santander UK; Allan Liska, Intelligence Analyst, CSIRT Recorded Future.
Views on news
While the majority of enterprise IT security managers rely on threat intelligence to reduce cybersecurity risk, many still lack the necessary skills and resources to carry out these initiatives fully, according to a Vulcan Cyber report on threat intelligence adoption trends and challenges. Nearly three-quarters (73%) of respondents in the survey indicated that a lack of skills to leverage threat intelligence is a key problem, and the majority (55%) said their threat intelligence data is not predictive enough.
Despite challenges with prediction, 56% of respondents said they currently use or plan to use predictive models including the Exploit Prediction Scoring System (EPSS). The most common use cases for threat intelligence are blocking bad IPs (64%), integrating feeds with other security products (63%) and analysing root cause to determine scope (54%). Although threat intelligence has been around for a decade, it hasn’t been operationalised yet.
Both context and relevancy are important to leveraging threat intelligence. You may also need a different view of threat intelligence depending on your role and the tool that you’re using.
There are different feeds for IP addresses, domains or ransomware families. When vendors pitch their platforms by saying they hold a billion indicators, that doesn’t mean a lot. What businesses actually need is more contextualised threat intelligence. YARA rules and Sigma rules let businesses threat-hunt for the activity that ransomware and nation-state actors carry out. Some preventative controls need to be prioritised, and it is much more powerful and compelling for non-cyber people if those priorities can be mapped back to a threat.
Threat intelligence, however, is not just for mature organisations. Any business can adopt the MITRE ATT&CK framework or the CIS Security Controls and identify the types of attack it truly cares about. One of the first things a ransomware actor does is use PowerShell or some other script to disable endpoint protection.
However, the majority of companies don’t alert on it. Alternative sources of intelligence include the dark web and brand-protection monitoring of what is being said about the company on social media. But you need to remember that about 95% of the dark web is of no use at all, and you can also get useful information on Twitter or Facebook.
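To make the detection gap above concrete, here is an added Python check (not from the panel or any vendor) that flags process-creation events whose command line disables or weakens Microsoft Defender, in the shape of what a Sigma rule's selection would match, and adds parent-process context for triage. The hosts, parent processes and events are constructed samples; the rule names are hypothetical, while T1562.001 is the real ATT&CK technique for disabling or modifying security tools.

```python
import re
from dataclasses import dataclass, field

# Command-line fragments that disable or weaken Microsoft Defender, the kind of
# "selection" a Sigma rule would carry. All matching is case-insensitive.
TAMPER_PATTERNS = {
    "defender_realtime_disabled": re.compile(
        r"Set-MpPreference\b.*-Disable\w*Monitoring\s+(\$true|1)\b", re.I),
    "defender_exclusion_added": re.compile(
        r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)\b", re.I),
    "defender_service_stopped": re.compile(
        r"\bsc(\.exe)?\s+(stop|config)\s+WinDefend\b|Stop-Service\b.*WinDefend", re.I),
}
# Parents that rarely have a legitimate reason to launch a shell that touches the EDR.
ODD_PARENTS = {"winword.exe", "excel.exe", "outlook.exe"}

@dataclass
class Alert:
    host: str
    rule: str
    cmdline: str
    technique: str = "T1562.001"   # ATT&CK Impair Defenses: Disable or Modify Tools
    notes: list = field(default_factory=list)

def detect_tampering(events):
    """Return one Alert per process-creation event whose command line matches."""
    alerts = []
    for ev in events:
        cmd = ev.get("cmdline", "")
        for rule, pattern in TAMPER_PATTERNS.items():
            if pattern.search(cmd):
                alert = Alert(ev["host"], rule, cmd)
                if ev.get("parent", "").lower() in ODD_PARENTS:
                    alert.notes.append(f"spawned by {ev['parent']}")  # context for triage
                alerts.append(alert)
                break  # one alert per event is enough
    return alerts

# Constructed sample events (hypothetical hosts and commands), shaped like a
# Sysmon Event ID 1 / EDR process-creation export.
SAMPLE_EVENTS = [
    {"host": "ws-017", "parent": "explorer.exe", "cmdline": "powershell.exe Get-Date"},
    {"host": "ws-017", "parent": "winword.exe",
     "cmdline": "powershell.exe -NoProfile Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "ws-042", "parent": "cmd.exe",
     "cmdline": "powershell.exe Add-MpPreference -ExclusionPath C:\\Users\\Public"},
    {"host": "srv-app02", "parent": "cmd.exe", "cmdline": "sc.exe stop WinDefend"},
    {"host": "srv-app02", "parent": "cmd.exe", "cmdline": "sc.exe query WinDefend"},
]
print(*detect_tampering(SAMPLE_EVENTS), sep="\n")
```

The benign `Get-Date` and `sc.exe query` events produce nothing, so the rule fires only on actual tampering; the Office parent on the first hit is the sort of context the panel says raw indicators lack.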
Moving from reactive to predictive security
Predictive intelligence is about getting a list of active attacks on the internet and automating the blocking of those in real time, while proactive means that you’re digging through everything proactively to get the IOCs (Indicators of Compromise). Businesses should see this as a maturity journey: start out by controlling what you can, such as configuration and response, and only then make efforts to anticipate the future exploits you may fall victim to.
To anticipate, however, you’ll need some basic capabilities in place. When responding to zero-day threats you can only be reactive, but learning the lessons of the response can make you proactive. The majority of code leaks are by developers who accidentally publish internal IPs or code with credentials in it.
But the dark web is not only about malicious activity either; journalists, for example, use Safedrop for sharing sensitive material. The investment that providers put into collecting high-quality threat intelligence shouldn’t be underestimated, although for vendors it’s not always easy to articulate that value. Moreover, CISOs and security teams often leave the tradecraft of a threat intelligence analyst unappreciated, although the value of producing actionable insights, as opposed to dumping vulnerability findings on clients, should be obvious to everyone. It’s hard to tell how much of your budget should be spent on threat intelligence as, ironically, threat intelligence is the tool that could provide the data needed to make an informed decision about that.
Allan, however, would go as far as to advise that all of your budget should finance threat intelligence, as this is the alpha and omega of security.
The panel’s advice
Threat intelligence feeds are only as good as the context provided.
If you want to sell the value of threat intelligence to your organisation, you need to explain where it comes from.
Threat intelligence should be working within your existing workflow rather than changing it.
Always add context to raw intelligence.
Have good internal threat intelligence about your data flows, network and risk posture before you purchase external intelligence.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543