Are you using threat intelligence in your enterprise? If so, you've likely noticed a lack of standards -- and cooperation -- among organizations and government agencies for such information.
Dating back to some of the early years of InfraGard and subsequently through cybersecurity legislation pushed by politicians, there's been a longtime goal of gathering, analyzing and sharing threat intelligence.
Now, new frameworks and services are emerging to help enterprises better understand those who wish to inflict harm on their networks and businesses. However, the enterprises I have worked with across various industries have little standardization for their threat intelligence. Each one has different approaches, different threat sources and different ways to go about analyzing and actually doing something with the data collected. And just because businesses and government agencies are gathering valuable intelligence doesn't mean they are utilizing it in the ways they should. In many situations, the IT and security staff reviewing the information may not even know what they're looking at or be able to apply it to their specific situation.
In this tip, I am going to take a look at some of the up-and-coming threat intelligence tools and standards today, and explore how to better evaluate tools and standards for threat intelligence use in the enterprise.
Emerging threat intelligence tools and standards
While some threat intelligence tools and standards never took flight, Gartner Inc. released information on emerging threat intelligence standards that aim to improve this elusive area of security, such as:
- CybOX (Cyber Observable eXpression) is a language/schema run by MITRE Corp. for the specification, capture, characterization and communication of events or stateful properties that are observable in the operational domain.
- OpenIOC (Open Indicators of Compromise) is a framework for sharing threat intelligence created by Mandiant Corp. It is defined as an XML schema for the description of technical characteristics that identify known threats, an attacker's methodology or other evidence of compromise.
- STIX (Structured Threat Information eXpression) is a language developed by MITRE that uses CybOX for describing threat information in a standardized and structured manner.
- TAXII (Trusted Automated eXchange of Indicator Information), another MITRE creation, defines a set of services and message exchanges that enable the sharing of actionable threat information across organization and product or service boundaries.
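To make the OpenIOC description above concrete, here is an added example (not from the original article or from Mandiant) that parses a small indicator document and evaluates its AND/OR logic against observables collected from a host. The sample IOC, its ids, hash and file name are constructed, and only the `is` and `contains` conditions are handled.

```python
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
# Constructed sample in the OpenIOC 1.0 layout; every id and value is made up.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR" id="example-0002">
      <IndicatorItem id="example-0003" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">00000000000000000000000000000000</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="example-0004">
        <IndicatorItem id="example-0005" condition="is">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">example-dropper.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="example-0006" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">/tmp/</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def item_matches(item, observed):
    """Test one IndicatorItem against observed values, case-insensitively."""
    term = item.find("ioc:Context", NS).get("search")
    want = (item.find("ioc:Content", NS).text or "").strip().lower()
    have = [str(v).lower() for v in observed.get(term, [])]
    cond = item.get("condition")
    if cond == "is":
        return want in have
    if cond == "contains":
        return any(want in v for v in have)
    raise ValueError(f"unsupported condition: {cond}")

def indicator_matches(node, observed):
    """Recursively evaluate an Indicator node; nested Indicators form a tree."""
    results = [item_matches(c, observed) if c.tag.endswith("IndicatorItem")
               else indicator_matches(c, observed) for c in node]
    if not results:  # an empty Indicator must never count as a hit
        return False
    return all(results) if node.get("operator") == "AND" else any(results)

def evaluate(ioc_xml, observed):
    # Shared feeds are untrusted input: use a hardened parser (e.g. defusedxml).
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    return top is not None and indicator_matches(top, observed)
```

`observed` maps each OpenIOC search term to the list of values seen on the host, so one evaluator can be fed from whatever collection tooling is already in place.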
Commercial vendors in this space include Cyveillance Inc. and DigitalStakeout Inc. Even Maltego, a tool from Paterva that is popular among information security consultants and penetration testers, has its place in this discussion.
Finding the right threat intelligence tool
There is a lot of theoretical benefit from gaining and sharing threat intelligence using open source and commercial tools such as those listed above. In an ideal world, all businesses, organizations and government agencies would be able to fight the good fight against the threats faced using an open set of threat information tools.
Then there's the trust factor.
Who can be trusted with information gathered about an enterprise's network? What specific intelligence sources can an enterprise trust? Are enterprises willing to act on third-party recommendations? How will organizations pull everything together to create actionable breach responses and risk mitigation strategies and tactics?
The reality is that most businesses don't have the time, money or effort needed to pull this off. It's not all that different than how nations struggle to keep up with terrorism threats. The resources are limited, and the terrorists or other attackers looking to promote their agendas will always be a few steps ahead of the good guys.
Don't just jump on the threat intelligence bandwagon; marketing talk is cheap in the network security space. Instead, look at the bigger picture. Organizations should ask themselves:
- What are we trying to accomplish?
Perhaps an enterprise needs detailed insight into specific threat intelligence on its organization or industry, it's looking to minimize IT risks, or it simply needs to check a box to please its auditors. Should organizations go it alone with open source? Perhaps it's better to go with a commercial vendor? Many people invest in security technologies without ever bothering to consider why they're doing so. Be clear with your intent.
- Should existing network and security technologies that can work with, or otherwise support, threat intelligence tools be used?
Areas for consideration include malware protection, network analysis, social media monitoring, event correlation and security information and event management systems, and even corporate brand protection.
- Can an enterprise subscribe to a threat intelligence source using its existing vendors?
Many vendors, such as Cisco and Dell, integrate this intelligence into their own products and services.
- Who's going to manage it?
Every time an organization takes on something new with network security, it has to give up something it's currently working on or hire new resources that can handle it. Will budget allow for that?
- How will an organization measure success?
Network threat intelligence is sexy and cool, but at some point enterprises are going to need to get some tangible results out of it beyond what they are already getting from their existing network security products.
The end goal of all of these threat intelligence resources is to help an organization make more informed decisions in order to minimize its information risks.
I'm of the belief that an organization can invest in the greatest intelligence in the world, have the best technologies for warding off the threats, and look squeaky clean on paper, yet its network can be amazingly vulnerable to the low-hanging fruit that is still being missed in so many IT and security management processes.
Based on what I see in my work -- and based on what we see in the annual data breach reports -- most organizations still have a ways to go in shoring up their own security vulnerabilities before it would make sense to learn more about the threats. Fix the source of the weaknesses and those seeking them out won't stand a chance.
That said, there's certainly a place for threat intelligence, especially for higher-risk industries and federal government agencies.
Enterprises should take a look at CybOX, OpenIOC, STIX and TAXII, as well as their commercial counterparts listed above. Organizations without a threat intelligence strategy would be well-served. Even those that have more mature intelligence programs can benefit -- perhaps even by being able to utilize these emerging standards in conjunction with existing controls.
The important thing is to be thinking about threat intelligence now, before an issue or attack occurs. Many see threat intelligence as an afterthought or something that vendors or government agencies are handling. That's simply not true.
It's still a no man's land out there, so every enterprise needs to be looking for itself.
About the author:
Kevin Beaver is an information security consultant, writer, professional speaker and expert witness with Atlanta-based Principle Logic LLC. With over 26 years of experience in the industry, Kevin specializes in performing independent security vulnerability assessments and penetration tests of network systems, as well as Web and mobile applications. He has authored/co-authored 12 books on information security including the best-selling Hacking For Dummies and The Practical Guide to HIPAA Privacy and Security Compliance. In addition, he's the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. You can reach Kevin through his website and follow him on Twitter at @kevinbeaver.