WASHINGTON -- As if it's not hard enough to discover, analyze and deliver reliable cyberthreat intelligence, industry analysts said a harder task is getting organizations to utilize actionable intelligence to protect their networks against increasingly sophisticated attacks, including those from nation-state adversaries.
What's the point of collecting intelligence if you're not going to use it?
cybersecurity analyst, Lockheed Martin
Threat analysts from General Electric Co., Google Inc. and Lockheed Martin Corp. provided a look inside their cyber-intelligence operations last week during the 2013 Cyber Threat Intelligence Summit, sponsored by the SANS Institute. The panel discussion explored a range of issues faced by both producers and users of cyberthreat intelligence, including the advisability of letting a network attack proceed in order to gain more intelligence about attackers.
Underscoring the issues of dissemination and use, summit moderator Michael Cloppert, chief analyst of Lockheed Martin's computer incident response team, polled the audience to see how many actually "digest" threat analyses. A scattering of hands were raised.
"Computer security is not a computer problem," Cloppert said. "Computer security is a people problem."
Aaron Wade, senior team leader for General Electric's (GE) cyber-intelligence unit, said users are often faced with the problem of prioritizing cyber-intelligence from different sources. In the process, they may overlook that "they are their own best source" because they "know the threat profiles."
For a multinational holding company like GE, a key question is deciding what company assets require the greatest protection from cyberattacks. Hence, Wade said users must identify their "crown jewels"; those products and processes that underpin a company's existence. The next step is to "hit [corporate] decision makers where they live and make the threat of cyberattacks real."
While GE makes everything from jet engines to appliances, data-driven Google relies on secure networks to deliver a growing range of services on the Web. Shane Huntley of Google's threat analysis group told the summit that the Internet ad giant treats cyberthreat intelligence as another data set it uses to defend against attacks and protect its more than 1 billion global users.
Huntley said his unit analyzes the "kill chain" or succession of targets attackers attempt to compromise in the wake of unsuccessful attacks to help block future attacks. He stressed that Google seeks to leverage actionable intelligence to ensure its vital networks aren't crippled by attacks.
"There's no point to sitting on this treasure trove of information" about cyberthreats, Huntley said. "You need to take the initiative and block attacks and defend users."
MORE FROM 2013 SANS CYBER THREAT INTEL SUMMIT
'Internet underground' fight demands better cybersecurity intelligence
Former U.S. national security adviser Greg Rattray believes better cybersecurity intelligence is needed to combat a growing "Internet underground."
"What's the point of collecting intelligence if you're not going to use it?" said Chris Sperry, a Lockheed Martin cybersecurity analyst who also participated in the panel discussion. Users should be "trying to take the fight back to the adversary." That approach, he added, includes creating threat profiles on each attack to gain a better understanding of how attackers operate.
Sperry also advocated for a "pivot analyst approach" that would allow users to leverage threat intelligence to shift gears as new threats emerge. Quickly evaluating sources is critical as deployment of cyberthreat intelligence becomes more automated. "Timeliness," Sperry stressed, "is really important."
"What is your appetite for risk?" moderator Cloppert asked the panelists. Google's Huntley said his unit considers how long to let an attack play out to collect more intelligence about individual attacks. But the Internet giant stops short of placing users at risk.
Wade said GE zeroes in on each threat and how to defend against it. Most organizations are risk-averse, he added, though they may not be willing to admit it.
Sperry said avoiding a knee-jerk reaction to a cyberattack might allow analysts to determine if an individual threat is "just the tip of the iceberg."
Putting actionable threat intelligence to good use also means placing it in the proper context. Wade said consumers of cyberthreat intelligence must identify trusted sources facing similar types of attacks. Users need to "reach back and get context" to effectively block increasingly sophisticated threats, he continued. "Intelligence without context is just data."