As a former security analyst with a government contractor, a lot of the work that Larry Larsen did for federal agencies involved extensive use of threat intelligence in cyberdefense strategies.
"We were seeing so many different attacks from so many different sources against government, it was an operational imperative to know where it was coming from and why," Larsen recalled.
Today, as the chief information security officer at Apple Federal Credit Union in Fairfax, Va., Larsen sees a lot of value in applying similar methods in a threat intelligence program designed for dealing with the multifaceted threats directed against his current employer.
"Cybersecurity is not really a technical venture," he said. "It is a behavioral venture in a technical environment, and that is where the counterintelligence approach comes in."
Most companies have firewalls, antivirus and other IT security tools they can plug into their network infrastructure. But that often doesn't tell security analysts anything about the source of the attack or who is entering through the side door.
"I want to know who is sitting at the keyboard launching these attacks and what they are trying to get," Larsen said. "Is it just financial data? Is it part of a broader information-gathering campaign? Is it something they are collecting to use for a more catastrophic attack?"
Larsen is among a growing number of security officers who have implemented a threat intelligence capability to help steer the technical aspects of their security program. In 2015, the threat intelligence market accounted for a somewhat modest $190 million in revenues, according to analyst firm IT-Harvest. But it is expected to top $460 million this year and over $1.5 billion in 2018.
Larry LarsenCISO, Apple Federal Credit Union
Driving the market is the growing focus on aligning security efforts closer to actual needs and enabling better situational awareness based on the specific nature of threats that an organization faces. Digital Shadows, headquartered in San Francisco and London, provides these types of services -- tailored threat analysis and alerts, dark web searches for stolen data and credentials, and more -- through its SearchLight platform.
It's about "knowing what is going on around you so you can figure out what to do," said Rick Holland, a longtime Forrester Research analyst, who is currently vice president of strategy at Digital Shadows and co-chair of the SANS Cyber Threat Intelligence Summit.
"Situational awareness requires tools that provide visibility both inside and beyond the perimeter of an organization," he said.
Here, according to Larsen and other security experts, are some of the things you need to keep in mind when implementing a cyberthreat intelligence capability.
Tap your internal infrastructure first
A lot of the data that you need to build a robust situational awareness capability resides inside the organization. Data from application logs, intrusion detection and intrusion prevention systems, firewalls, endpoint antivirus systems and other security controls can tell you a lot about what's going on inside your network and the vulnerabilities and exposures you face, noted Bill Podborny, CISO at Alliant Credit Union in Chicago.
It can tell you who's knocking on your network, what's already inside and what normal user and network behavior looks like. Importantly, he added, the data you collect from your internal systems -- using security information and event management (SIEM) or a data collection and analysis tool such as Splunk -- can help you identify gaps and exploitable vulnerabilities in your security controls so you can prioritize your response.
Too often, organizations focus on using outside threat feeds and threat data. They fail to tie the information back to what is going on inside their own network because they don't have enough visibility.
"The best source of intelligence is your own data," said James Carder, CISO at SIEM provider LogRhythm based in Boulder, Colo. The company's Unified Security Intelligence Platform combines log management, endpoint and network monitoring, SIEM and security analytics.
"If you don't have the infrastructure part in place, you can't take intelligence data into your organization. You can't operationalize it if you don't look at your own data," Carder said.
Make use of intrusion data
Any approach to building a threat intelligence program should include processes for collecting and analyzing different malicious behaviors inside the network; threat intelligence data from within your particular industry, be it financial services, healthcare or retail; and, only then, threat data from the broader world beyond your line of business.
"Organizations must gather threat intelligence from the actual intrusions occurring within the environment," Holland noted.
For instance, the security organization should monitor and collect data about exploits and botnet activity, command and control traffic, malware delivery mechanisms and file exfiltration.
You need to be able to gather IP addresses, malicious domain names, file hashes and other indicators of compromise from an attack on your organization and use that information to quickly identify similar attacks targeting your network in the future. The goal must be to have controls for spotting expected and unexpected threats and correlating behavior with identified threats.
"There is no more relevant threat intelligence than what is actually occurring within your organization," Holland said.
It's about quality, not quantity
One common misperception surrounding threat data is that you need a lot of it to be really effective. The reality is that, unless your organization has the staff and the resources to sift through massive data sets looking for the proverbial needle in the haystack, what you need to be focusing on is threat data quality.
"I don't care if you send me 500 TB of data every day," said Larsen of Apple Federal Credit Union. "I would rather have 1,024 KB of information that I actually can use."
Rick Hollandvice president of strategy, Digital Shadows
The key when subscribing to threat feeds is to select those that help you answer the "so what" questions, Larsen added. There are any number of feeds and services that provide information on emerging threats and threat actors but fail to identify why your organization should care about it.
It is not unusual for multiple threat services to use threat feeds from a single source. So a lot of the information coming at your security operation could be duplicate data as well.
"Organizations must stay clear of trying to subscribe to 'all the feeds,'" Holland advised. "Threat intelligence that isn't relevant to your business, to your threat model, is going to overwhelm your security staff and security controls." On the other hand, relevant threat intelligence reduces the noise that security teams must address, freeing them to focus on smaller and more relevant incidents, he added.
Think like the enemy
Take a risk-based approach when implementing a cyberthreat intelligence practice. That means understanding potential targets -- where your most valuable resources are -- and how they are protected. And, sometimes, the best approach for doing that is to think like the enemy, according to Larsen. "If I'm a bad guy, what would I steal and how would I steal it?"
The importance of finished intelligence
When subscribing to a threat intelligence service, choose a provider who can customize the service to your specific requirements, advised Josh Zelonis, senior analyst with Forrester Research. "It would be irresponsible for someone to recommend a threat feed without an understanding of your specific organization and the motivations of threat actors who would target you," he said.
According to Larry Larsen, CISO at Apple Federal Credit Union, the goal should be to try and get "finished intelligence" to the extent possible from your service provider. "There's a difference between finished intelligence and just information," said Larsen, whose company has subscribed to a customized threat intelligence service from SurfWatch Labs. Finished intelligence is information you can take, digest and act upon immediately.
For instance, it's one thing to get intelligence that a threat actor was identified on the dark web offering Yahoo accounts for sale. It's another thing entirely to know that Yahoo accounts belonging to 48 people in your organization were available in that data dump.
"Threat intelligence needs to be tailored for your organization in a manner that it informs strategic and tactical decision-making," Zelonis said.
"Anything that has not been enriched to this level is just data and should be avoided if you do not have the capabilities in house to perform this enrichment."
It's important to know the main threat actors and the different technologies, techniques and processes they have used or are using to target similar organizations. What attack vectors do they usually exploit? What data are they after and why?
Do your main threats come from malicious insiders, external threat actors, state-sponsored entities or criminal gangs? Or are they from users who inadvertently click on attachments in email they receive from strangers?
"I tell my folks they have to maintain a sense of healthy paranoia," Larsen said. "You really have to bombard your employees, especially those close to the cyberdefense mission, with recurrent awareness training."
Take a risk-based approach
For threat intelligence to be really useful, you need to have a keen understanding of the risks that your organization faces from these threats, stated Ryan Stolte, co-founder and CTO of Bay Dynamics, a San Francisco-based security vendor that offers Risk Fabric, an automated platform that incorporates user and entities behavior analytics.
"You need to have a threat and vulnerability -- and some value at risk," Stolte said. Some threats are not relevant because your data or other assets are not at risk, he added. "If you just have a threat and there is nothing to lose, who cares?"
The goal of a threat intelligence program should be about protecting the confidentiality, integrity and availability of your critical assets whether it is a website, a payment system, a database or intellectual property. You need to understand where your important assets are and what would happen if they become unavailable.
Is your biggest risk the loss of intellectual property, reputational damage or loss of customer confidence?
"At the end of the day, I am trying to understand: If I were to fix one thing today, what would I do that reduces risk the most?" Stolte said. "If I were to fix 100 hundred things today, what would those be and why?"
When implementing a cyberthreat intelligence practice, it is easy to get overwhelmed, Podborny observed. Dealing with threat intelligence data can be like drinking from a fire hose unless you have a good process in place for consuming and acting upon the information that is pouring in from internal and external sources.
"Try to get some wins and successes first," he said. Figure out how you are going to bring in threat data and what you are going to do with it so you can learn from the process and then build from there.
"A win would be: You are able to be proactive about any specific event that could have happened to you, or where you can prove it could have happened to you, if the event never occurred," Podborny said.
The key to implementing a cyberthreat intelligence program is not to let great come in the way of good, Stolte noted.
"Don't get ahead of yourself," he said. "Plan for what you are going to do. Turn on some data first. Make sure you are getting results and you are able to take action on those results," he added, before rolling out the program enterprise-wide.
Stick with standards
Pay attention to emerging technologies and standards. The success of your threat intelligence program depends on your ability to ingest data and act upon it either in an automated fashion or through manual sorting.
You need to be able to parse out the data to a point where you are able to see if it is enough to be actionable or if it just an FYI, Podborny noted. A big piece of threat intelligence is about correlating data and trying to take proper action against it.
Threat feeds and services that support information sharing specifications, such as Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII), represent information in a standard format and are easier to automate and share than nonstandardized data.
Enterprises are learning that technology alone isn't enough when it comes to a successful threat intelligence program, according to Digital Shadows' Holland. Technology must enable and expedite the analysis of humans.
"We are starting to see more traction with standards like Structured Threat Information eXpression, which is pushing threat intelligence players to all speak the same language," he said. This will enable defenders to prevent, detect and respond to adversaries with more agility.
About the author:
Jaikumar Vijayan is a freelance writer with over 20 years of experience covering the information technology industry. He is a frequent contributor to Christian Science Monitor Passcode, eWEEK, Dark Reading and several other publications.
A Buyer's' Guide to threat intelligence services
How to evaluate tools and standards for threat intelligence
Steps to integrate threat intelligence into a security program