Does Threat Intelligence Need to Evolve?

The first question is: when does information become intelligence? The answer is usually that a process has been applied to the information. Analysis, validation and grading of the information are required to allow an organisation to make sense of it. This allows an organisation to apply intelligence to its operations, resulting in an intelligence-led approach to cyber security. Too often I see information-based reports, partly copied from the Internet or summarised for management, labelled as threat intelligence when they lack context and applicability to that organisation.

Threat intelligence as a phrase has been around for quite a while. Initially it focused on vulnerability information and details of viruses, and it also covered exploitation-related information such as SPAM or phishing. Over the years an entire industry grew in this space, offering threat information initially to government; over the past few years corporate providers have become more prevalent. Although the phrase used the term 'intelligence', it was still just a collection of information with no real ability to gauge its reliability from a source/content perspective or to apply that intelligence to business operations.

Today threat intelligence still covers those items but also includes malware and its infrastructure, with more and more companies tracking threat actors as a service. Another question is 'Has threat intelligence already evolved?' and we simply have not noticed. Some threat intelligence is easy to find and some is not so obvious, but it seems to come down to the will of the individual to ask the right questions, and to the organisation taking a more proactive viewpoint and thinking outside a purely technological context.

For example, SPAM emails are received by companies on a daily basis, to the point that many of them are ignored, either because they are blocked or simply because they are 'SPAM'. That is concerning in itself: SPAM emails are seen as part of normal everyday life and not as a threat.

Tracking the SPAM and conducting basic checks, such as mapping the sender email address, identifying the email server infrastructure, recording details of the URLs or attachments, or even whether a read receipt is sent, builds up a picture that helps identify which SPAM emails are wolves dressed up as sheep. Knowing how many emails an organisation has received from a specific host or domain helps in understanding the nature of the email. Some are fire-and-forget emails sent to everyone; some are sent to specific organisations. Either way, identifying the delivery infrastructure builds an image of the resources available to the threat actor.

When considering 'targeted' attacks, many organisations in my experience take a very narrow view: an attack is only targeted if it focuses solely on their organisation. Just because the same malicious emails are received by a few other organisations does not mean the attack is not targeted. Are they in the same industrial sector, for example? And the fact that an academic institution is among the recipients does not mean it is unrelated, as universities often do research for industry.
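The two preceding paragraphs describe building a picture of SPAM delivery infrastructure and judging whether a campaign is targeted by looking across recipient organisations and sectors. The following is an added example (not code from the original post) that does this over a constructed set of mail metadata; the field names, the TEST-NET addresses and the classification thresholds are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of inbound mail metadata: one row per SPAM email seen by one
# of several cooperating organisations (recipient org, its sector, sending host,
# sender domain, and whether a read receipt was requested).
SAMPLE_MAIL = [
    {"org": "AcmeBank",    "sector": "finance",    "host": "203.0.113.10", "from_domain": "invoice-alert.example", "receipt": True},
    {"org": "BetaBank",    "sector": "finance",    "host": "203.0.113.10", "from_domain": "invoice-alert.example", "receipt": True},
    {"org": "UniResearch", "sector": "academic",   "host": "203.0.113.10", "from_domain": "invoice-alert.example", "receipt": True},
    {"org": "AcmeBank",    "sector": "finance",    "host": "198.51.100.7", "from_domain": "cheap-pills.example",   "receipt": False},
    {"org": "MegaRetail",  "sector": "retail",     "host": "198.51.100.7", "from_domain": "cheap-pills.example",   "receipt": False},
    {"org": "UniResearch", "sector": "academic",   "host": "198.51.100.7", "from_domain": "cheap-pills.example",   "receipt": False},
    {"org": "GovDept",     "sector": "government", "host": "198.51.100.7", "from_domain": "cheap-pills.example",   "receipt": False},
    {"org": "AcmeBank",    "sector": "finance",    "host": "192.0.2.55",   "from_domain": "acme-hr.example",       "receipt": True},
    {"org": "AcmeBank",    "sector": "finance",    "host": "192.0.2.55",   "from_domain": "acme-hr.example",       "receipt": True},
]

def profile_infrastructure(mail):
    """Group messages by sending host: how many emails it delivered, which sender
    domains it used, which organisations and sectors it reached, and whether any
    message asked for a read receipt (a cheap way to confirm a live mailbox)."""
    profiles = defaultdict(lambda: {"count": 0, "domains": set(), "orgs": set(),
                                    "sectors": set(), "receipt": False})
    for m in mail:
        p = profiles[m["host"]]
        p["count"] += 1
        p["domains"].add(m["from_domain"])
        p["orgs"].add(m["org"])
        p["sectors"].add(m["sector"])
        p["receipt"] = p["receipt"] or m["receipt"]
    return dict(profiles)

def classify(profile):
    """Assumed heuristic: one recipient means single-organisation; several recipients
    in one sector means sector-targeted; several sectors means broadcast. Academic
    recipients are treated as sector-adjacent (universities research for industry),
    so they do not by themselves turn a campaign into 'broadcast'."""
    industry_sectors = profile["sectors"] - {"academic"}
    if len(profile["orgs"]) == 1:
        return "single-organisation"
    if len(industry_sectors) <= 1:
        return "sector-targeted"
    return "broadcast"

if __name__ == "__main__":
    for host, p in profile_infrastructure(SAMPLE_MAIL).items():
        print(host, p["count"], sorted(p["orgs"]), classify(p))
```

The value comes from pooling data across organisations: the same sending host seen only at one bank looks random, but seen at two banks and a university it starts to look like a sector campaign.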

Threat intelligence is not just about identifying new malware or threats from their technical components; it is also about finding out everything that surrounds them: who is using it, where it is being used and why, not to mention its capabilities, variants, C&C infrastructure and so on. This will often vary based on the intent of the threat actor and what they are attempting to achieve.

The term Advanced Persistent Threat has been coined for a high-risk, low-probability item. Granted, some organisations may see them more than others, but the reality of an APT is that the organisation would likely be unaware of its presence for some time; that is the 'advanced' part. What most organisations will see is a persistent threat that is continually probing and attempting to compromise the organisation. Some of these attempts may be blocked, but if the organisation is only reacting and not adapting to the persistent threat, it becomes a war of attrition and eventually they will infiltrate the organisation. This is one of the concepts highlighted by Sun Tzu: a commander who is equally good at offence and defence and knows the enemy will simply wait for them to make a mistake, or engineer the mistake. Every incident I have dealt with had precursor events that were blocked and ignored by the organisation.

When dealing with threats, tools often identify the technology. Companies invest heavily in technology to detect and block technology, but little is discovered about intent, as intent is something people understand and technology does not.

Technology can only assess malicious behaviour, code or signatures in isolation, as a single event. Some tools can correlate events but rely on people to conduct the assessment. The important aspect is that tools operate as configured and only show what they are configured to show; this may not be all the threats or attacks an organisation faces, just the events the technology thinks are threats or attacks.

An example of this is reputation-based detection on IPS systems. At some point the source IP address has been listed as suspicious. How often these reputations are updated affects what is alerted on. If the profile alerts at a reputation score of seventy (70), does this mean that any traffic with a reputation score of sixty-nine (69) is not a threat? The difficulty is knowing where to draw the line, as the system could be alerting on thousands more items due to a one (1) point reputation difference, which could overwhelm the analyst or the sensor.

The analyst, the human element, will also operate based on a configuration (personality), but also operates with a set of key controls or features based on their knowledge, skills and experience. This element is far more agile than technology in reacting and adapting to the landscape, if the personality allows it. This is why having the right people in security operations or incident response teams greatly affects the effectiveness of the process: it is easier to teach TCP/IP protocol stacks than how to think.

A lot of the information an analyst needs can be found in security tools, by conducting research using online data mining techniques, or by reading a book. It is always important to consider the source of the information, as it gives an indication of how reliable or trustworthy the information is. The Internet contains multiple sources of information, some more reliable than others. Published works are usually safer, as a process including validation needs to be applied before a work is published, whereas anyone can publish on the Internet.

Formally grading the source on a predefined scale allows anyone else reading the information to understand how much 'faith' they can place in it; it also protects sources, as the source does not need to be revealed. There may be sources that have been deemed reliable because they have been consistently accurate over a period of time, but the key is not to assume: information is just that, and if the circumstances and context surrounding the events are not known, it could lead to an array of conclusions.
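As an added example (not code from the original post), the following grades reports on a two-axis scale of the kind the paragraph describes: a source reliability letter derived from how often the source has been right over time, and a separate content credibility number assigned by the analyst. The scale is modelled on the widely used Admiralty-style A-F / 1-6 scheme, but the post names no particular scale, so the letter thresholds, the track-record figures and the decision rule are all assumptions.

```python
from dataclasses import dataclass

# Constructed track record per source: (claims assessed, claims later confirmed).
SOURCE_HISTORY = {
    "vendor-feed":   (40, 38),
    "industry-isac": (12, 9),
    "anon-paste":    (5, 1),
    "new-blog":      (0, 0),
}

def reliability_grade(history, source):
    """Letter grade for a source from its confirmed/total ratio over time.
    Assumed thresholds: A needs >=0.9 over 10+ claims, B >=0.75, C >=0.5,
    D below that, F when there is no history to judge by."""
    total, confirmed = history.get(source, (0, 0))
    if total == 0:
        return "F"
    ratio = confirmed / total
    if ratio >= 0.9 and total >= 10:
        return "A"
    if ratio >= 0.75:
        return "B"
    if ratio >= 0.5:
        return "C"
    return "D"

# Analyst-assigned credibility of the content itself, independent of the source.
CREDIBILITY = {1: "confirmed by independent sources", 2: "probably true",
               3: "possibly true", 4: "doubtful", 5: "improbable",
               6: "cannot be judged"}

@dataclass
class Report:
    source: str        # kept internal; the graded output never reveals it
    claim: str
    credibility: int   # 1..6 from CREDIBILITY

def grade(report, history=SOURCE_HISTORY):
    """Combine reliability and credibility into a code such as 'B2'. The source
    name is deliberately absent from the result, which is what lets the grade be
    shared without revealing the source."""
    if report.credibility not in CREDIBILITY:
        raise ValueError("credibility must be 1..6")
    return f"{reliability_grade(history, report.source)}{report.credibility}"

def actionable(code):
    """Assumed decision rule: act on independently confirmed content from any
    source, or on 'probably true' content from an A/B source. Everything else is
    information still to be validated, not intelligence, however trusted the source."""
    letter, number = code[0], int(code[1])
    return number == 1 or (letter in "AB" and number <= 2)
```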

As more organisations want to move to an 'intelligence'-led approach to information security, I feel this is an area that will develop quickly, but it will also require the industry to reclassify what is meant by 'Threat Intelligence'.