One of the key shifts threat intelligence allows an organization to accomplish is moving from a reactive to proactive security mindset. However, that shift doesn’t happen overnight — it takes a months-long overhaul of an organization’s strategy. Nonetheless, once it’s done, threat intel can become the tie that binds your strategy together as your security team looks to stop threats before it’s too late.
Bryan Geraldo, Anomali’s Director of Customer Success, talks with CyberScoop’s Greg Otto on how organizations can shift that mindset in order to get the most out of the threat intel they collect on a daily basis.
Geraldo looks at threat intel the same way police harness data to learn behaviors that eventually thwart crimes: by using threat data to understand what information criminals are looking for, what they attack and how they attack it.
Greg Otto: Hello, everyone, and welcome to another edition of CyberScoop Radio. I am your host, Greg Otto. We're here with another chapter of our Threat Intel series sponsored by Anomali. In this series, we've talked a lot about threat intel and how it can vastly improve your organization's security practices. One of the key things threat intelligence allows an organization to do is shift their posture from a reactive mindset to one that is proactive. However, that switch doesn't happen overnight. It takes a shift in organizational thinking in order to switch that stance. However, once it's done, threat intel can be the tie that binds a strategy together as the security team looks to stop threats before it's too late. I talked with Bryan Geraldo, Anomali's director of customer success, on how organizations can shift that mindset and what their mindset needs to be in order to get the most out of the threat intel they collect on a daily basis.

Greg Otto: OK Bryan, thank you for joining us today to talk a little bit about threat intelligence. First, I know that you have been doing this for a long time. Can you give our listeners a little bit of background into how long you've been working in the threat intel field?

Bryan Geraldo: Yeah. So I've been working in IT since 1996. I started working specifically in security around 1998. Came from a computer background and went to school for that, just worked in a bunch of different areas. A little bit of development, network and systems, infrastructure in management and operations. And eventually for the past, I don't know, 18 years, I have focused heavily on information security. And then more recently, on threat intelligence as a new discipline, and spent a lot of time actually doing penetration testing and ethical hacking work as far back as when the internet was still the Wild West and people barely had firewalls and really barely understood what cyber security was as a discipline.

Greg Otto: And so given your background, what do you think organizations can do to be more effective with their own threat intelligence tools?

Bryan Geraldo: I think organizations should be using their tools to help them really derive the most value from threat intelligence as a decision support function. They don't really see the forest for the trees, in the sense that they think that threat intelligence should be doing several different things for them. And really, the core need or the core thrust of what threat intelligence should be used for is as a decision support function to help make timely decisions on threats and to allow somebody that's part of a TI functional component within an organization to make a good judgment on how to proceed. Because sometimes this involves including other parties, sometimes this involves quite a bit of time in terms of extending an incident response group's time to actually address a potential incident. And so that is how these tools should be used. What I've been seeing is I think that there's a lot of tools out there. A lot of people have quite a few different tools and a lot of companies out there are touting quite a few different tools. I think it behooves everybody to try to consolidate and narrow the tools down to the things that provide the most value for them, in the sense that maybe you focus on five or six different tools that are really sort of core components of your job. And the reason I state that is you have to use your job as really a function of figuring out what tools work best for you, because threat intelligence as we're seeing it-- and this is something that my organization has spent time researching-- is, most organizations don't have the ability to have just a pure threat intelligence team. Mind you, there are cases of that. A lot of times, you have organizations where it's a functional component of somebody else's job. And whether that's working in a SOC or some other team.

And so those practitioners have a good understanding of the tool sets that they already have in place. And so what they should be doing is looking at leveraging the tools that they have with an eye towards this discipline and the core component that you're trying to address. So I think if they went with that mindset, I think that they would potentially be more effective in doing their job. And at the same time, I think that it would also allow these other organizations to really-- it would allow some cross-pollination. What you want is more people to look at things from a different lens, as somebody else's perspective. By doing that, it will make practitioners more well-rounded and it will hopefully make it so that they are not so overwhelmed with the current tool sets and the people pushing a bunch more tools on them. Does that make sense?

Greg Otto: Absolutely. And you talk about effectiveness there, being effective inside a SOC and making sure that organizations are not overwhelmed. And so much of what cyber security operations teams carry out is reactive. So how can practitioners be more proactive, and how can threat intelligence help them move toward that mindset?

Bryan Geraldo: The thing is with threat intelligence as a supporting function within a security practice and how SOCs should be involved or how organizations should be involved, the end goal for threat intelligence is threat intelligence, as a decision support function within the organization, oftentimes is being used to allow somebody to react and make a quick decision on something that's been identified.

Where I think threat intelligence should be going, in terms of being more proactive, is we need to move from the idea of just using tactical IOCs and information that's associated with those IOCs to react and make a decision on, to actually start researching things like TTPs and what potential actors are doing, to create temporal distance between when an attacker is going to attack you and when you're going to actually receive that attack. By creating that temporal distance, what we're doing is we're going to be able to identify things that are potentially going to happen to us and mitigate them before they occur. So I'll give you an example, right? A perfect example is this. If you have somebody that's breaking into houses in your neighborhood and, essentially, you know that somebody has been breaking into houses at a certain time. So maybe you'll have a couple of cops that you're putting in the neighborhood to actually react, to be able to try to stop and catch them. But if you really want to go a step further in this process, what you would do is you would look and really try to profile and understand, then it can get better ideas about the TTPs that these criminals are doing. They only work between the hours of 2:00 to 4:00. They drive nondescript certain types of cars. They target houses that are on corners. So by creating an understanding of the profile of what they're doing, then what you could do is instead of being where you're reacting to something, you're actively looking for individuals of that type so that you can question them, maybe, or you can pull them over before they actually go and break into a house. And the same thing works for threat intelligence. What you should be doing is looking at your internal environment, looking at what you have. So say, for instance, you know you're an organization that has a certain type of operating system and a certain set of applications that you're using.

When you're doing threat intelligence externally, you use the internal information about your environment as a means to distill down the type of information that you're looking at externally in terms of TTP. And maybe what you do as a result of, say for instance, finding a potential attack vector that somebody has posted on a blog that affects this certain type of operating system and this certain set of applications that you have. You know that maybe this is something that you should patch. Or if you can't patch it, maybe it's something that you should put a little bit more effort into monitoring. And so that allows you, you're creating that temporal distance to essentially get ahead of the game. We can shift people to ring functions of threat intelligence as part of their work. It shifts them from being reactive to proactive. Never going to be a one-size-fits-all model in the sense that you're always going to be proactive. If you can mix the two together, you have a, obviously, a greater chance, a larger percentage that you're going to be able to stop evil from occurring within your infrastructure.

Greg Otto: So you talked about mixing the different tools that you have there. So I would love for you to elaborate a little bit more on that angle. How do you see threat intelligence supporting other security practices taking place inside a SOC?

Bryan Geraldo: A classic way that I see this occurring is somebody looks at a, say, a set of indicators. And they add information to those indicators. Maybe they decide that these indicators, we think with a high level of confidence that there's something that could potentially be malicious based on something that we're looking at. Maybe you're using a tool to look at different pieces, discrete pieces of information about that indicator. It could be things such as if it's a domain, maybe you're looking at whether or not-- half the DNS entries are potentially associated with domain. What exactly does that mean?

Are pieces of the infrastructure that you're looking at, have you looked to see whether or not there is-- based on the ASN-- whether or not there's been a lot more activity coming from infrastructure within that same ASN environment. And so by doing that, what you're able to do is you're able to curate, from a tactical IOC perspective, the information that then you push down to your tools. And then those tools should then correlate against those curated indicators. That's one way. The other way is that if you start looking at it in terms of TTPs, tactics, techniques, and procedures, what you're doing is you will use TTPs and information around TTPs to push down behavioral patterns that attackers are using and then have any IOCs associated with that. So what will that do? So if you start building a library of TTPs-- and obviously having a library of TTPs, you can associate those with actors, right? Having a library of TTPs and a profile of the associated actors will allow you to do things like create signatures that you can use. And then you can use those signatures to help further validate whether or not your assumptions-- or the research, not assumptions-- but the research that you've identified is accurate. And you'll know because, obviously, those signatures for the tools that you're using. So [INAUDIBLE] and [? Bro ?] will start firing. And so then as a result of that, you can actually evaluate how effective your research is.

Greg Otto: So we've gone into detail about how threat intel feeds really do help move a SOC into a more modern mindset when it comes to their overall cyber security practice. But how do you see a SOC leveraging intel beyond just discovering indicators of compromise? Do you think that threat intel feeds can support the tools in the tool box?

Bryan Geraldo: They can, in a way. But the way they can is through the associations.

If you have IOCs and those IOCs show that over time, more IOCs are added to information around behaviors and patterns that are associated with a TTP, that's further proof that you're going down the right path. That's certainly very helpful. Another way is if you look at the information associated with indicators, indicators oftentimes have a very short shelf life, in a lot of cases, depending on the type of indicator. But you can use the information associated with indicators and correlated events, whether it's to your proxy, a web proxy, or to a SIEM, to be able to see, OK, that this information that we're receiving, it's a rich source of information that's actually helping us block or at least detect something that's going on within the environment. The way it should work is that it is a constant evaluation effort. You're constantly evaluating the feeds that you're receiving, so that you can adjust and modify the information that you're getting, to provide the greatest value for you and your organization. What that should translate to over time is that that should translate where the SOC will start seeing threat intelligence as the fabric of cyber security. At the end of the day, one of the greatest things that threat intelligence should do for your organization, if it's done correctly and used with the right tools, threat intelligence should be the tie that binds. Threat intelligence should be that connective tissue that allows various teams to work together and to collaborate. Because if you find something, say something that you've researched gets identified by an IR team as part of something else they're working on, but they have the ability to go look at a single repository of threat intelligence and look and see, OK, well this has been identified as something that's really interesting by our threat intelligence team. We can now tell them that this actually has been identified in our environment. That information will go to the threat intelligence team.

And then in addition to that, that same information should be going to the SOC. And so the SOC can then take steps to create signatures and to do more monitoring around that specific potential attack or the research that was identified. If it's found in other parts of the environment, then again, that further reinforces this process in the organization. So what I try to stress is that threat intelligence should not be used in a vacuum, in the sense that people are creating threat intelligence and then just throwing it over the fence to other parts of the organization to evaluate its effectiveness. It needs to be a collaborative effort. And as such, it requires that you create those alliances and the collaboration between the various organizations.

Greg Otto: So let's elaborate a little bit more on that collaborative effort and not using threat intelligence in a vacuum. We've hit on a couple of points here, but what more can organizations do to leverage threat intel and help it raise the maturity level of their operations?

Bryan Geraldo: And this is something that I've seen organizations do that I think is, essentially, I've seen it a couple of times, and it's essentially been a detriment. And that's this idea that organizations-- and this is, I think, part of the cultural shift that needs to occur, where upper management truly needs to understand threat intelligence. Because what happens is that sometimes, they mandate or make some type of pronounced manner decision that they need to receive new intel about news and external threats on a daily basis. I've seen certain threat intelligence teams that have taken that route, where they've gone and they've created daily threat briefings or bulletins or situational reports for upper management around what's going on every single day. What happens is when you go down that route, as an example, is that oftentimes, the same management who asked you to do this then stops paying attention to you, because you become Chicken Little.

You know, the sky is going to always be falling. You want to avoid that. What you want to do is you want to be able to use threat intelligence as a means to-- one, it has to be pushed as a top-down effort. So it needs to include upper management, it needs to include the business requirements that align with the company's intelligence requirements, which then align with how you're using those intelligence requirements to push down threat intelligence in a way that gives value to you. Because again, when you're doing these daily sitreps, what happens also is that you also get seen by other parts of the organization, like the SOC, as the boy who cried wolf. And so you don't want that. The other thing that I think is really important, I think, from a SOC and threat intelligence perspective, is if you do have different functions and different teams. And the whole idea of a functional threat intelligence model is one that we're proselytizing to our clients, because we really don't see a lot of organizations have a classic, gigantic threat intelligence team. What they have are different people within different parts of the organization, that threat intelligence is part of their job function. What occurs is that if you do have sort of a more classic model, the SOC and the threat intelligence analyst should actually be sitting in the same room, to help bridge that divide between those two different organizations.

Greg Otto: I want to thank you for joining us and giving us a little bit more insight into how organizations can leverage threat intelligence for their entire security operations.

Bryan Geraldo: Because threat intelligence is still a discipline where people don't fully understand the discipline and what it's supposed to help them achieve within the organization, I think it behooves us all to really push the message out to the industry that people need to really learn and understand threat intelligence and what it is and what it isn't. And then, they should be able to look at that and see how that's going to help the organization.

Greg Otto: Thanks to Bryan for telling us how threat intel can really change the way an organization conducts its security operations. And thank you again to our sponsor, Anomali, who sponsored our entire Threat Intel series. For more on that series and all things cyber security, check out Cyberscoop.com. I'm Greg Otto, thanks for listening.