The Cost of Bad Threat Intelligence

There is no doubt that threat intelligence is now “a thing.” At RSA 2015 I couldn’t help but notice how many vendor booths were hawking their relevance to threat intelligence.  I hear about a threat intelligence start-up almost weekly.  That is not surprising given venture capital is flowing and C-suite customers are now investing in “threat intelligence.”  Everyone wants a piece of the pie.

While market growth for threat intelligence produces innovations it also produces negative by-products (welcome to capitalism).  The most concerning by-product is the reduction in threat intelligence quality.

A growing number of published threat intelligence reports contain inaccuracies and poor analysis.  A growing number of indicators across a variety of producers are either stale, irrelevant, or generate so many false positives as to be useless.

What so many fail to realize is the cost of poor quality intelligence.  Here are some of the costs:

  • If a single threat intelligence-sourced alert generates $1000 worth of time to investigate a false positive, it is easy to see how that relatively small amount can multiply within an organization and across enterprises worldwide.
  • If an intelligence producer’s report incorrectly categorizes a threat as APT (say, instead of cyber crime), an organization’s security response to the threat will be (and should be) different, likely involving a deeper investigation.  Again, this additional, and likely unnecessarily deep, investigation is costly in both time and resources.
  • Every poor quality report costs time to read and digest.  Time that could be spent understanding a high-quality report.
  • Every poor association or correlation derails an analytic effort at an organization.

Because organizational security resources are finite and already stretched thin, these mistakes, errors, and poor practices consume critical resources which could be spent on other problems and reduce the security of an organization.

Two market elements have caused this quality reduction:

  • A need to garner attention in the growing cacophony of the threat intelligence market feeding a “first to publish” mentality which usually results in a “rush to publish.”
  • A lack of customer education resulting in a poor evaluation of providers, thereby incentivizing the wrong aspects of threat intelligence – such as volume of indicators over their quality or relevance.

Obviously, only threat intelligence providers can solve the problem, but what pressures can help drive effective change?  Here are some:

  • Threat intelligence customers armed with evaluation criteria (particularly quality metrics) which help them leverage threat intelligence effectively without generating unnecessary costs – this will help create market drivers for higher quality
  • Industry must self-police bad intelligence by being honest with ourselves and each other.
  • Threat intelligence aggregation platforms should have quality assessment capabilities informing the intelligence consumer of potential problems (likewise they are also in a position to highlight timely, relevant, and unique intelligence of great value)
  • Threat intelligence analysts trained in analytic tradecraft stressing quality and accepting an ethical duty

Security professionals practicing threat intelligence must understand the implications of mistakes and poor analysis.  Bad intelligence can and does decrease the security effectiveness of an organization. Therefore it is an ethical duty of the threat intelligence practitioner to reduce errors. Threat intelligence is difficult – intelligence by definition attempts to illuminate the unknown and works by making judgments with imperfect data – errors are natural to the domain.  But, with proper practices and procedures bad intelligence can, and must, be minimized.

Please click here to find the source.




Week 5: Indicators of Compromise

As a security analyst, much of your day-to-day operational work involves tracking perimeter defense alerts, responding to end-point alerts, and running down user reports of suspicious activity. While these tasks are important, you know that there’s probably malicious activity on your network beyond the alerts. So how do you find it? Click here for more…

Week 4: Selecting Threat Intelligence Service

IT managers can’t maintain a strong security posture if they’re not aware of the latest attack vectors, which is why organizations are increasingly adding cyberthreat intelligence to their defense arsenals.

Threat intelligence provides information about the characteristics of current and recent security threats, such as the IP addresses, domain names and URLs used to perform attacks. Various security vendors create and maintain subscription-based online threat intelligence feeds.

These feeds supply the latest intelligence to threat detection products such as security information and event management (SIEM) systems, intrusion prevention systems (IPSs) and next-generation firewalls (NGFWs). By utilizing threat intelligence, security controls can detect threats more quickly and accurately, enabling organizations to mitigate them faster and reduce damage.

Commercial threat intelligence services include McAfee Global Threat Intelligence, Symantec DeepSight Intelligence and Webroot BrightCloud, among other offerings. There are also open-source and community-based threat intelligence feeds. For example, some Information Sharing and Analysis Centers (ISACs) offer threat intelligence feeds that are specific to the industries or sectors that they serve.

With so many options available, government IT managers might be overwhelmed when trying to choose the best threat intelligence services for their environments and use them most effectively. Keep the following advice in mind when evaluating these feeds and planning their integration and use.

Always Evaluate Quality

Because enterprise security controls use threat intelligence to identify attacks and prioritize attack responses, threat intelligence must be as accurate, timely and comprehensive as possible. Ask these questions of providers:

  • What methods are used to generate the threat intelligence? A rich combination of methods generally provides a more complete picture of threats. Full coverage is unrealistic, but it is reasonable to expect a major vendor to monitor most of the Internet through global deployment of sensors.
  • How often is threat intelligence updated, how do vendors deliver these updates to customers, and how much of a lag is there between discovery and threat intelligence dissemination? Each of these should be a few minutes at most.
  • What metadata is provided with the intelligence? Examples include scores for judging the relative seriousness of each threat, and threat categories for distinguishing types of threats from each other for prioritization. Metadata can be incredibly important for getting more value from threat intelligence services.
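The quality metrics that "The Cost of Bad Threat Intelligence" asks customers and aggregation platforms to apply, and the quality questions listed above (update lag, false positives, staleness, uniqueness), can be computed from a feed sample and the analyst verdicts on the alerts it produced. The script below is an added example for this page and is not code from either article; the indicators, alerts, verdicts, per-type maximum ages, warning thresholds and the $1000-per-false-positive figure (taken from the first article) are constructed assumptions for illustration.

```python
"""Quality metrics for one threat-intelligence feed.

Added example; not code from any article quoted on this page. All sample data
and thresholds below are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2015-05-01T08:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Assumed maximum useful age per indicator type, in hours. Anything older is
# treated as stale: URLs rot fastest, IP addresses slowest.
MAX_AGE_HOURS = {"url": 24, "domain": 72, "ip": 168}

# Constructed sample of what the feed delivered: when the provider first saw
# each indicator and when it was disseminated to subscribers.
FEED = [
    {"value": "http://phish.example.invalid/login", "type": "url",
     "first_seen": "2015-05-01T08:00:00Z", "published": "2015-05-01T08:05:00Z"},
    {"value": "bad.example.invalid", "type": "domain",
     "first_seen": "2015-04-29T10:00:00Z", "published": "2015-04-29T10:30:00Z"},
    {"value": "203.0.113.7", "type": "ip",
     "first_seen": "2015-04-20T00:00:00Z", "published": "2015-04-20T00:02:00Z"},
    {"value": "198.51.100.9", "type": "ip",
     "first_seen": "2015-04-01T00:00:00Z", "published": "2015-04-01T06:00:00Z"},
    {"value": "http://bad.example.invalid/update.exe", "type": "url",
     "first_seen": "2015-04-30T20:00:00Z", "published": "2015-04-30T20:10:00Z"},
]

# Constructed sample of alerts our controls raised on those indicators, with
# the analyst verdict after each investigation.
ALERTS = [
    {"indicator": "http://phish.example.invalid/login", "verdict": "true_positive"},
    {"indicator": "http://phish.example.invalid/login", "verdict": "true_positive"},
    {"indicator": "203.0.113.7", "verdict": "false_positive"},
    {"indicator": "198.51.100.9", "verdict": "false_positive"},
    {"indicator": "198.51.100.9", "verdict": "false_positive"},
    {"indicator": "bad.example.invalid", "verdict": "true_positive"},
]

# Constructed: values already present in other feeds we subscribe to.
OTHER_FEED_VALUES = {"203.0.113.7", "bad.example.invalid"}


def precision(alerts):
    """Share of feed-sourced alerts confirmed as real (None if there were none)."""
    if not alerts:
        return None
    true_pos = sum(1 for a in alerts if a["verdict"] == "true_positive")
    return true_pos / len(alerts)


def stale_indicators(feed, now):
    """Indicators whose age at `now` exceeds the assumed limit for their type."""
    return [i["value"] for i in feed
            if now - parse_ts(i["first_seen"]) > timedelta(hours=MAX_AGE_HOURS[i["type"]])]


def dissemination_lag_minutes(feed):
    """Median and maximum delay between discovery and publication."""
    lags = sorted((parse_ts(i["published"]) - parse_ts(i["first_seen"])).total_seconds() / 60
                  for i in feed)
    mid = len(lags) // 2
    median = lags[mid] if len(lags) % 2 else (lags[mid - 1] + lags[mid]) / 2
    return {"median": median, "max": lags[-1]}


def unique_fraction(feed, other_values):
    """Share of indicators not already available from other feeds."""
    return sum(1 for i in feed if i["value"] not in other_values) / len(feed)


def evaluate_feed(feed, alerts, other_values, now, cost_per_false_positive=1000):
    """Combine the metrics into one report for comparing providers."""
    false_pos = sum(1 for a in alerts if a["verdict"] == "false_positive")
    stale = stale_indicators(feed, now)
    return {
        "precision": precision(alerts),
        "false_positive_cost": false_pos * cost_per_false_positive,
        "stale_fraction": len(stale) / len(feed),
        "stale": stale,
        "lag_minutes": dissemination_lag_minutes(feed),
        "unique_fraction": unique_fraction(feed, other_values),
    }


def quality_warnings(report, min_precision=0.8, max_lag_minutes=15, max_stale_fraction=0.1):
    """Problems a consumer should raise with the provider (thresholds assumed)."""
    warnings = []
    if report["precision"] is not None and report["precision"] < min_precision:
        warnings.append("low precision: %.0f%% of alerts were false positives"
                        % (100 * (1 - report["precision"])))
    if report["lag_minutes"]["max"] > max_lag_minutes:
        warnings.append("dissemination lag up to %.0f minutes" % report["lag_minutes"]["max"])
    if report["stale_fraction"] > max_stale_fraction:
        warnings.append("%d stale indicators: %s" % (len(report["stale"]), ", ".join(report["stale"])))
    return warnings


if __name__ == "__main__":
    report = evaluate_feed(FEED, ALERTS, OTHER_FEED_VALUES, parse_ts("2015-05-01T12:00:00Z"))
    for key, val in report.items():
        print("%-20s %s" % (key, val))
    for w in quality_warnings(report):
        print("WARNING:", w)
```

Run on the constructed sample, the feed scores 50% precision (three false positives, $3000 of investigation time at the first article's figure), a worst-case discovery-to-publication lag of six hours against the "few minutes at most" expectation, two stale IP indicators, and only 60% unique content against the other feeds. Tracked per provider over time, numbers like these are the evaluation criteria the first article says customers need in order to reward quality rather than volume.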

Score and Prioritize Threats

States and localities can use threat intelligence services in several ways besides improving attack detection. For example, threat intelligence can be extremely helpful for prioritizing incident handling for detected attacks, if the service provides a robust scoring capability.

There’s no standard convention for threat scoring, so every service is different. Scoring can be done in many ways, but typically involves a numeric score (such as 1 to 5 or 0 to 100). More granular scores are generally preferable because they afford more flexibility when it comes to decision-making. For example, an agency that uses a 0-to-100 scale can decide to automatically block all threats with a score of 95 or higher. If that’s too broad, the agency can adjust the threshold to 96 or 97. This level of granularity is simply not possible with a smaller scoring scale.

Another important aspect of scoring is how often scores are updated. The severity of threats changes over time, particularly in the early days after a threat is first observed. Many threats come and go quickly; for example, a phishing attack may be viable only for a few hours because attackers know it will be detected and blocked quickly. A threat involving a phishing attack might initially merit a very high score, but after 12 hours, odds are that the threat is over.

The process of updating scores over time to account for changes in threats is known as aging. Without aging, scores will rapidly become inaccurate, potentially blocking benign activity and causing a partial denial of service for users.

Integrate Threat Intelligence and Security Controls

Threat intelligence feeds aren’t helpful unless the organization’s existing enterprise security controls can take advantage of them. Some legacy security controls don’t support threat intelligence feeds at all, while others offer limited support. Limited support may be no better than no support at all because it can seriously impair the use of threat intelligence. For instance, a firewall might not have the storage or processing power to retain a large volume of threat intelligence, so it can only have information on hand for a small percentage of threats.

IT departments may need to replace their legacy security controls before adopting threat intelligence, but odds are that these products will need to be replaced anyway because they lack the sophisticated new features offered by the current generation of enterprise security controls.
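The scoring, aging and integration points in the three sections above can be shown in a few functions: a score on a 0-to-100 scale is decayed by category lifetime (a phishing URL is treated as over after the article's 12 hours), an action is chosen against tunable block and alert thresholds, and a control that can hold only a limited number of entries receives the highest current scores first. This is an added example for this page, not code from the article being summarised; the linear decay model, lifetimes, thresholds, device capacity and sample indicators are constructed assumptions, and as the article notes, real services use their own scoring conventions.

```python
"""Threat-score aging and enforcement decisions for a security control.

Added example; not code from the article summarised on this page. The decay
model, lifetimes, thresholds and sample indicators are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone


def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2015-05-01T06:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Assumed lifetime after first sighting, in hours. A phishing URL is treated
# as over after 12 hours (the article's figure); C2 infrastructure lives longer.
LIFETIME_HOURS = {"phishing": 12, "c2": 72, "scanner": 24}

# Constructed sample feed on a 0-to-100 scale with the provider's initial score.
INDICATORS = [
    {"value": "http://phish.example.invalid/login", "category": "phishing",
     "score": 98, "first_seen": "2015-05-01T00:00:00Z"},
    {"value": "203.0.113.7", "category": "c2",
     "score": 96, "first_seen": "2015-04-30T12:00:00Z"},
    {"value": "198.51.100.9", "category": "scanner",
     "score": 90, "first_seen": "2015-05-01T03:00:00Z"},
    {"value": "bad.example.invalid", "category": "c2",
     "score": 97, "first_seen": "2015-04-28T00:00:00Z"},
    {"value": "http://bad.example.invalid/update.exe", "category": "phishing",
     "score": 99, "first_seen": "2015-05-01T05:30:00Z"},
]


def aged_score(initial, category, first_seen, now):
    """Decay the score linearly to 0 over the category lifetime (aging)."""
    lifetime = timedelta(hours=LIFETIME_HOURS[category])
    age = now - first_seen
    if age <= timedelta(0):
        return initial
    if age >= lifetime:
        return 0
    return round(initial * (1 - age / lifetime))  # timedelta / timedelta -> float


def decide(score, block_at=95, alert_at=70):
    """Map a 0-100 score to an action; the fine scale lets block_at move by one point."""
    if score >= block_at:
        return "block"
    if score >= alert_at:
        return "alert"
    return "log"


def enforcement_actions(indicators, now, aging=True, block_at=95, alert_at=70):
    """Action per indicator value, with or without aging applied first."""
    actions = {}
    for ind in indicators:
        score = ind["score"]
        if aging:
            score = aged_score(score, ind["category"], parse_ts(ind["first_seen"]), now)
        actions[ind["value"]] = decide(score, block_at, alert_at)
    return actions


def select_for_control(indicators, now, min_score=70, capacity=1000):
    """Indicators to push to a control that holds only `capacity` entries:
    the highest current scores at or above min_score, best first."""
    scored = [(aged_score(i["score"], i["category"], parse_ts(i["first_seen"]), now), i["value"])
              for i in indicators]
    keep = sorted(((s, v) for s, v in scored if s >= min_score), reverse=True)
    return [v for _, v in keep[:capacity]]


if __name__ == "__main__":
    now = parse_ts("2015-05-01T06:00:00Z")
    for value, action in enforcement_actions(INDICATORS, now, aging=False).items():
        print("no aging  %-40s %s" % (value, action))
    for value, action in enforcement_actions(INDICATORS, now).items():
        print("aged      %-40s %s" % (value, action))
    print("push to 2-entry control:", select_for_control(INDICATORS, now, capacity=2))
```

At the sample instant, without aging every indicator that started above 95 is still blocked, including a C2 domain first seen more than three days earlier; with aging that domain has decayed to 0 and is merely logged, the six-hour-old phishing URL has fallen below the alert threshold, and only the half-hour-old phishing URL still earns a block. The capacity-limited selection is the workaround for the firewall the article describes, which can hold information on only a small share of the feed: it receives the entries most likely to matter right now rather than whichever arrived first.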


Week 3: Hacker Forum Traffic Analysis

I came across an informative article where cyber security analysts can detect patterns in timing, forum participants’ products and vulnerabilities, etc., and use this knowledge to determine whether forum participants are a threat. Further, such insights can be used to set up appropriate alerting based on forum activity and help network defenders keep pace with developments around vulnerabilities and exploits.

Click here for detailed information.