CyberWire Daily - RSA Special: Threat Intelligence [Special Editions]
Episode Date: March 8, 2016
Threat intelligence - it's more than just attribution. In fact, unless you carry a gun and wear a badge, it's probably not much about attribution at all. Instead, it's about reducing risk. Special thanks to our guests who sat down for interviews at RSA: Ryan Trost, Cofounder and CTO at ThreatQuotient; Eric Olson, VP of Intelligence Operations at LookingGlass; Rick Howard, Chief Security Officer at Palo Alto Networks.
Transcript
You're listening to the CyberWire Network, powered by N2K.
Threat intelligence.
It's more than just attribution.
In fact, unless you carry a gun and wear a badge, it's probably not much about attribution at all.
Instead, it's all about reducing risk.
I'm Dave Bittner in Baltimore with a CyberWire special podcast on threat intelligence. It's Tuesday, March 8th, 2016, and thanks for joining us.
When we think of threat intelligence, it's natural to think first of attribution. Your enterprise is hit by an attack and you want to know, well, who did this to us? It's natural, and it's also easy to understand.
There's no shortage of companies who've made a splash by attributing major cyber attacks.
But it's striking how little attribution mattered when we spoke with industry experts about threat intelligence at RSA last week,
and we mean attribution in the sense of calling out the people behind the keyboard.
There's a general conviction that actionable threat intelligence is vital to security,
but also a general sense that much of what has passed for threat intelligence
hasn't, in the end, turned out to be particularly valuable.
A look at the intelligence cycle as it's classically conceived may help explain this.
The intelligence cycle begins with direction, posing the questions to be answered.
Then it runs through collection, processing, analysis, dissemination, and feedback.
So raw data become intelligence only upon analysis.
Data are also collected with some purpose in mind, the direction phase of the cycle,
and this means, above all, that intelligence should be actionable.
Actionable intelligence, as those who provide it see it, is not a mass of logs, chattering alarms, or unanalyzed data.
Such data are fatally easy to collect, and in many ways have replaced the famous fog of war with its insufficient information with a glare of war that's equally blinding.
Threat intelligence is valuable insofar as it reveals what an adversary is trying to accomplish and what tactics, techniques, and procedures they're likely to use.
Understanding these can usefully inform the organization of defenses.
As A.J. Shipley of Looking Glass put it in a discussion with us,
quote, actionable intelligence is something that reduces your risk profile.
If it can't reduce your risk profile, then it's not actionable, end quote.
And if it's not actionable, then it's not worth much.
Our talks with companies exhibiting at RSA suggest that some of the common themes on people's minds include the importance of context and actionability in the development of threat intelligence. Many of the companies specializing in threat intelligence work from unstructured, open-source data with a view to providing either insight into probable adversary goals and the tactics, techniques, and procedures they're likely to use in pursuing those goals, what Palo Alto Networks' CSO Rick Howard calls the adversary's playbook, or into ongoing attacks. The former is useful in establishing defenses and hardening networks, the latter in detecting, mitigating, and recovering from incidents.
After the break, we'll hear some of the observations we heard in discussion with industry experts at RSA.
This podcast is made possible by the Economic Alliance of Greater Baltimore,
helping Maryland lead the nation in cybersecurity with a large, highly qualified workforce,
20,000 job openings, investment opportunities, and proximity to key buyers.
Learn more at greaterbaltimore.org.
For a deeper dive into threat intelligence, we turn to three industry experts we met with at RSA. We'll hear from Ryan Trost, co-founder and CTO at ThreatQuotient, Eric Olson, VP of Intelligence Operations at LookingGlass, and finally, Rick Howard, CSO at Palo Alto. We begin with Ryan Trost.
A lot of threat intelligence boils down to the providers of the threat intelligence
and the platforms of the threat intelligence. So they ultimately go hand in hand.
So the providers provide all this threat intelligence,
but a lot of them don't provide a tool in which to consolidate and structure and centralize that data.
And that's where the platforms come in.
The platforms ultimately can consume that threat intelligence
and then integrate it with the existing infrastructures
so that the analysts who are doing a lot of that work don't have to copy and paste from one source to another source.
We asked Trost, when does intel become actionable?
Once I have enough information and context around an indicator or an adversary and I can actually start to look at my infrastructure and look at my detection solutions and make decisions based on that. That's what I deem, my personal philosophy, that's what I deem as actionable threat intelligence. So whether it's an indicator with some context, and I can say put that into the firewall or put that into the IPS, I've taken action, I've operationalized that information to better defend myself.
Ryan Trost tells us that organizations of all sizes are looking for help in trying to
sort through the torrent of data.
We even have high schools coming to us saying, we have so many kind of false positives.
We have so much information out there.
How do we boil that down?
We don't want to continue to throw the kitchen sink at it.
We want to kind of teach the students and teach the administrators,
let's focus on the high-fidelity stuff.
Let's try to block out the white noise that inevitably is out there
because there's so much threat intelligence.
So it's across spectrums.
He also warns against embracing a one-size-fits-all approach to threat intelligence.
There's a lot of threat intelligence out there.
Let's try to find the source of threat intelligence that best benefits you. So whether that's, and it gets into a lot of the self
reflection. What does your team look like? What's the taxonomy of your detection tools? What's your
budget? Let's look at all of these factors and then apply that to all of the different threat
intelligence providers. And let's see which one bubbles to the top.
And a lot of customers, unfortunately, they're still trying to understand threat intelligence.
So a lot of them kind of think, oh, I'll buy a commercial provider, and that'll be the silver bullet.
I'll be completely defended. I'll be bulletproof.
And that's only half the battle.
You've got to take that intelligence, and you've got to do something with it.
And that's where kind of the rubber meets the road with a lot of organizations.
Trost told us that one of the challenges of a commercial approach to threat intelligence is that this is a relatively new area of interest.
It's a concept and it's an approach very much in its infancy in the commercial space.
Like law enforcement and the government have been doing it forever.
Military branch has been doing it forever.
But it's relatively new.
So they're starting to really kind of define what that should look like within the organizational structure of commercial branding and commercial industries and verticals.
For example, a lot of the larger organizations have started to kind of really embrace this new hunter role. So before, your typical SOC, your security operations center, was comprised of security analysts, malware engineers, intelligence analysts, signature engineers. But now there's this hunter role, where the differentiation is the security analysts usually triage a lot of the SIEM alerts. The hunters is, we want you to find malicious activity without an alert. We want you to basically know the environment, know what the logs look like, look for kind of distinguishing patterns, find the adversary without that breadcrumb of an alert. And it's usually kind of the seasoned guys that have been doing this for 20 or 30 years that know where the secrets are hidden and the adversaries themselves.
Ryan Trost also emphasized the importance of a proactive approach.
It's very easy to sit back and kind of react.
And by definition, the second I have an alert, I'm reacting to that alert.
The goal, the utopia of threat intelligence is actually to try to get ahead of the adversary.
Now, previously, I ran the SOC at General Dynamics. And one of the big things that we did was, let's study the adversary. Over the course of time, let's build a profile for that adversary. And what we started to boil down were, and we did it very systematically. We said, okay, let's look at each attack. Let's break it down by Lockheed Martin's kill chain. And let's ultimately start to really compare notes.
And what that allowed us to do is that allowed us to learn our enemy.
That allowed us to learn the cadence of the enemy, whether it was revolving around a vulnerability
that was recently released, or a lot of them kind of based, really did quotas based on
kind of holiday season.
A lot of people are kind of get their guard down,
so they'll open up email and spear phishing attacks so much easier.
And so we started to really kind of apply that in business decisions,
almost to the point where our security awareness,
or excuse me, our spear phish awareness training was ultimately given
when we knew the adversary was going to start to see an uptick of spear phish.
So we started to make these business decisions, which were very small and finite, but they
were very empowering and really kind of helped out.
And of course, it can be challenging to find the intelligence that has value to you.
You can't try to boil the ocean.
You have to be very disciplined and very precise on what threat intelligence you want to make
actionable.
And I think that's a very important key because bad intelligence lives forever.
It's the good intelligence.
You've got to find the sources that provide you the most value for threat intelligence.
Our thanks to Ryan Trost from ThreatQuotient for joining us. You can learn more at threatq.com.
Eric Olson is Vice President of Intelligence Operations at LookingGlass.
He told us his customers' requirements are quite simple. They want it all.
For the 15 years that I've been in this cybersecurity or cyber intelligence business, customers essentially had a disparate set of problems that they were trying to bring together. And to sum up how that has evolved over time, what they really want is this structured third-party threat data, internal network telemetry or NetFlow, internet topology, and the unstructured open-source content. They want that unstructured web, social media, search engine, IRC, darknet data, all fused with the structured threat data, their own network telemetry, the internet topology, and they want it all in one pane of glass that both suits, ideally, the investigative analyst, the threat analyst or intelligence analyst, and serves as a console to create rules and policies to drive network fabric line-speed defense on the cyber side of the business, that is, the logical threats.
That holistic solution that I want it all in one fused place where I can search it and visualize it and report it to management, to some degree, it really is the hole in the market that the customers have been talking to me about. And many of the large enterprises are building it themselves because they haven't found a solution off the shelf. And I think with the assembly of the component parts of what is now the larger LookingGlass organization, I think we really do have all the parts to put together.
Olson shared his belief that one of the keys to managing threat intelligence is automation.
I think I can summarize the problem this way.
When it comes to the Internet, not just as a source of logical threats, malware, viruses, and so forth,
but as a source of intelligence, of information about threats to the business as a whole,
brand, reputation, revenue and losses to it from fraud,
your physical security, assets, executives, infrastructure.
The Internet is a very rich source of potentially valuable security data.
The problem is that more and more threats or indications and warnings are present,
and they are present in ever more places and languages.
The job of the back-end systems that I run, which deliver data either to our customers or to the nearly 80 analysts, threat analysts, that work for us, is to relieve the human analysts of the low-value portions of the job. You should not spend a scarce, valuable, educated human analyst running searches. We should automate the collection management from
multiple sources and formats and languages. There's no value in having someone pounding
on Google and Twitter and so forth. Normalizing the data so that it can be compared, correlated,
visualized, and linked. That is a low-value activity. That needs to be automated out.
That is not a good use of that scarce human talent.
And by the way, a very shallow talent pool compared to the need in the market is a real issue. So what
we're trying to do essentially is to take as much of the right-hand side of the intelligence cycle
where there is lots of work and very little value and automate it so that the analysts can focus on
the valuable part of their job, what they were trained for, hired for, and paid for,
which is to analyze things and make something useful out of it.
We spoke earlier about that glare of war.
Olson believes it's a real problem.
I believe that a lot of what is being marketed as threat intelligence isn't.
It's threat data.
And there is a world of difference between data and intelligence.
Overwhelming quantities of data do not make the analyst's life any better,
nor do they make the network any more secure.
I believe to get to that actionable, relevant state, you have to do a couple of things.
First, it must be relevant to the organization you are trying to protect.
I'll give a very simple example. Here's a feed of Windows vulnerabilities. We run only Macs. Nice reading, not intelligence, because I can't do anything with it. So it has to be relevant to and ideally targeted at or responding to something targeted at the organization.
Eric Olson also believes that the value of this data extends beyond the traditional cybersecurity world.
There is a huge amount of valuable
information out there of concern not to the
information security professional alone, but physical security, executive protection, brand,
trademark, reputation, the fraud department, right? Cyber crime and cyber threats are not the same
thing, right? Some people just want to steal money because it's profitable. Those are other business functions,
not directly related to your traditional cyber view of the world. And those functional personas
are starting to see cyber threat intelligence as a source of valuable information in their
functional areas. You know, we've seen some examples. One of the big gaming networks was being hacked and the CEO was commenting about it on social media. The result being that one of the threat actors tweeted a bomb threat and had his plane grounded to ruin his day.
A well-known security journalist was DDoSed and had his door kicked in through a swatting attack on the same afternoon.
My point is, actors who wish to cause harm, trouble, embarrassment, or real damage, they are seeing an opportunity to hit in both the physical and cyber realms and often will coordinate those attacks.
Our thanks to Eric Olson from LookingGlass for joining us. You can learn more at lgscout.com.
And finally, Rick Howard, Chief Security Officer at Palo Alto Networks,
shares their internal organizational system for threat intelligence.
They have CIRs, PIRs, and IRs.
Here's Rick Howard.
We call them CIRs, the CEO's information requirements, right?
We have PIRs, our priority information requirements, and we have general purpose IRs, information requirements. Those CIRs are kind of longstanding things that the boss
wants us to be good at, right? They don't change that much, maybe once every year or so. And we
review them with him every year to make sure he's okay with what we're doing. They're broad,
they're big picture things that he wants us to be smart at.
Then our Unit 42 guys, they start picking that apart.
They break the problem down into PIRs, priority information requirements.
On the third CIR, that thing might break into 20 PIRs, okay,
that we're trying to solve at any given time, right? And then those PIRs break into smaller pieces, too,
and you can just keep going.
And you get down to the bottom and you work your way back up is the way it works.
Rick Howard also leads Palo Alto's efforts with the Cyber Threat Alliance Information Sharing Group
and strongly advocates for others to get on board.
The Cyber Threat Alliance is a group of security vendors who've decided that we're going to share threat intelligence with each other
and work on big problems.
There's a point when the alliance gets big enough that we'll reach a tipping point that
everybody on the internet connected to the internet will have at least one of us in their
networks protecting them, receiving real-time protections from every playbook out there.
That's a game changer and that's what the Cyber Threat Alliance is trying to do.
My message to your audience is when vendors come talk to you about what they have,
ask them why they're not a member of the Cyber Threat Alliance and watch them stumble through that answer because people are uncomfortable with the idea that a vendor might share threat
intelligence. I think that's the way it's going to be, right? It needs to be. Intelligence should
be a commodity. Everybody should have the same intelligence so all of us, the vendors,
can make better products with it. And that's kind of the vision of the Cyber Threat Alliance.
Our thanks to Rick Howard for joining us.
You can learn more at paloaltonetworks.com.
And that's our CyberWire special RSA retrospective. For more discussion of cyber threat intelligence, visit thecyberwire.com. We'll have another RSA retrospective tomorrow covering emerging technology in addition to our daily podcast. The CyberWire is a production of CyberPoint International. The editor is John Petrick. I'm Dave Bittner. Thanks for listening.