Filling the Threat Intelligence Gap in Your Cyber Security Resilience Strategy
Transcript
.svg){kind=icon}
PARTHI SANKAR: So my name is Parthi Sankar.
And I work for Anomali.
I'm really pleased to be here to present on the final day Detect.
I actually started exactly one year ago.
And I flew out to Germany's biggest cybersecurity conference called it-sa.
I've been involved with a company prior to that which allowed me to have familiarity with threat intelligence anomaly in general.
What I noticed when I was at it-sa was I had a lot of attendees coming up to our stand asking very relevant questions about threat intelligence and our threat intelligence platform.
Now that is good in contrast with the previous year, where my colleague actually had to go up to the attendees to tell them about threat intelligence and threat intelligence platforms, had to evangelize it.
So there's a big shift in the uptake of knowledge and threat intelligence in general, which is a very, very good sign.
I actually stem from the same industry.
And in some ways, I see the threat intelligence space as where the SIEM industry was maybe a decade ago.
I was also at INFOSEC, which is Europe's largest cybersecurity conference-- about It happens in June every year.
And I always try to figure out what the theme would be at this conference.
Three years ago, it was GDPR.
So there were a lot of vendors, new vendors, with solutions for GDPR.
Two years ago, machine learning was all the rage.
And we had a lot of vendors highlighting the fact that they had machine learning now in the solutions they offered and new vendors popping up with machine learning.
So I tried to figure out this year what the theme was.
And it wasn't that obvious.
But I did see-- I suppose I picked out two themes.
One was integrations.
So there are a lot of companies now integrating or offering a suite of different solutions to address problems within your environment.
And the other theme was detection.
So I noticed a lot of companies actually using the word "detection" or similar in their advertising of the solutions on offer at this big INFOSEC security.
So I thought that was very, very interesting.
We are sort of moving from preventative towards the detection space more and more as time goes on.
So in my presentation today, I'll be talking about the state of threat detection, best practices in threat intelligence, to share or not to share, and threat detection strategies and threat hunting.
I guess, we all know what threat intelligence is.
At one basic level, it is something as simple as what we see here.
Intelligence, in general, can be thought of as the complex process of understanding meaning in available information.
I think we use intelligence all the time in all different spheres of life and through history.
We take the example of the police.
They often use intelligence to be more proactive in their operations.
There is a spate of burglaries in a neighborhood.
They often will provide an advisory to those living in that neighborhood to give them intelligent information such as the risk-- the days of the week, the time for the attack, the mode of entry so that members can be more vigilant in terms of protecting their asset.
The military use it.
Sports team use it as well.
They use it all the time.
If I take the example of football-- over here you call soccer-- they use intelligence about the opponent to understand their gameplay.
Do they score goals using one or two strikers?
Do they invest a lot of time in passing?
Is it from set pieces?
Is in the first half of the game, in the second half of the game?
Is it bring on substitutes?
All of this is intelligence.
And they use this so that you can form your defense a lot better because you understand the risk areas and how you should utilize effectively your resources to deal with this-- to deal with this threat.
And there is a lot of data as well.
There's tons of data.
And a lot of organizations already have a lot of data.
And they need more data.
So this is the complex problem of threat intelligence, being able to deal with a lot of data because you do need to deal with a lot of data but in a very curated fashion.
And in a way, that helps your efforts.
Intelligence is useful if it answers a lot of questions that you may have-- questions that you've thought up.
How is it going to interact in your environment?
How are you going to use it effectively?
And in terms of consumers, threat intelligence is like the tie that binds.
It involves a lot of different systems and a lot of different departments within an organization.
You have the management executive staff who really want to see the value of threat intelligence, especially because it returns-- it increases the return investment other solution-- other solutions.
Threat intelligence touches so many different solutions within your environment.
The SOC team will often be involved with threat intelligence because threat intelligence integrates with SIEMs, and firewalls, and end point solutions, et cetera.
IT operations, often neglected.
But they're always involved with the remediation efforts from the use of threat intelligence.
I'll give you one example.
So there's a threat actor group called Red Squirrel.
It's attributed to various groups in Eastern Europe.
And they carry out techniques such as-- DNS techniques to poison DNS caches.
Ultimately, what they're doing is setting up a mirror site and redirecting malware to infected victims.
And this mode of entry would be through vulnerable browsers.
So one of the fixes or mitigation strategies here are highlighted also in the MITRE ATT&CK framework is to fix this vulnerable browser.
And who is it that does this fix?
It's the IT operations team.
So they're often involved with threat intelligence even if not directly.
Incident response teams, they're all about investigating an incident and understanding the incident.
There are a lot of incidents that occur in your environment, from a variety of different solutions and tools, providing these alerts, giving these incidents.
So you need to know how to tackle these incidents and how to prioritize.
So prioritization is very, very important.
And this is where threat intelligence helps with this as well because it acts as a decision support system to understand which threat you should be dealing with first and which threat you should be dealing with next.
And, of course, intelligence is useful if it comes as a full story package, so not looking at an indicator in isolation but to also look at the connections.
Does it belong to a threat actor group?
Is it part of a bigger infrastructure?
Is there a current campaign against the type of company you work for?
So this would allow you to make that informed judgment on how you deal with this given threat that you see.
The Ponemon Institute released a report.
And in the latest report, they interviewed over 1,000 security professionals primarily in North America and in the UK and asked a bunch of questions to gather the state of security.
And what they found was that APT-based attacks and high-value data theft were the two most worrisome and time-consuming threats to deal with, in some ways not too much of a surprise, APT-based attacks because they're very sophisticated to deal with and will take a lot of time to handle and caused a lot of worry.
The same thing with high-value data theft because, of course, that's what will get you into the news.
Phishing also appeared in the report itself but not as worrisome or time-consuming to deal with.
And this might be because we know that awareness rating, awareness training is important.
And we're getting a little bit better each month, each year at spotting phishing attacks.
And we have a whole host of security solutions to deal with this.
So this is probably the most important slide in my presentation because these are the five sort of takeaways in terms of best practices and threat intelligence.
Establish a formal and dedicated team.
Obtain a budget.
Participate in sharing.
Know your adversaries.
And build integrations.
So if we look at each one in turn, so establish a formal and dedicated team to manage threat intelligence activities.
You may or may not have a threat intelligence platform.
And if you do, you still need a full team to be able to manage it and get the full value out of it.
So in my job, I speak to a lot of clients that may not already have a threat intelligence platform but have an initiative that they've started.
Or they're trying to get better value out of what they already have or acquire different modules to extend the functionality.
And the best teams are the teams that involve different departments.
Because threat intelligence touches a lot of different departments, you should have representation from these departments-- SOC, your role threat analysts, IT operations, executive management, et cetera.
I would also say, I've been impressed where someone with project management skills has been added to the mix because threat intelligence touches a lot of different products, and there's a lot of questions to be asked.
It's very good to include someone in the team that is able to ensure the analysis of this threat intelligence platform is done in a straight line because you have so many different ways to look at threat intelligence.
Obtain budget.
This is probably the single biggest factor that prevents a threat intelligence initiative from actually starting up or being maintained.
It seems-- it seems obvious, but I think it's very relevant threat intelligence.
Other solution sets, such as SIEMs and firewalls, et cetera, they have the added advantage of time compliance and other similar drivers to ensure that a budget is always available.
I've worked with a number of different clients where actually the team that would use the threat intelligence product really want it.
And in the end, they are unable to get it because the relevant stakeholder hasn't been involved early enough.
As I said, without a budget, there will be no Threat Intelligence Platform or threat intelligence initiative.
Participate in threat intelligence sharing.
This is the way to go.
I'm sure we all know that the adversaries, they collaborate with each other in order to form an attack.
They need to do this because no one group has the full skill set or the sharing of tools and tactics on the underground and getting together.
We should be doing the same thing as well.
Sharing is the most valuable information that we can get from threat intelligence, even more than generic or paid-for intelligence feeds.
So that's something of consideration.
Know your adversaries.
So know the full story behind any threat that you're looking at.
And with the threat intelligence platform, you can do this from a top-down approach or a bottom-up approach.
You can look at a specific threat actor group that has a campaign, look at the associated observables, and then look for this in your environment.
Or you might be looking with-- starting with a tactical indicator.
Possibly it's been shared to you from a peer organization.
And then you're looking for this in your environment.
But before you look for this, you look at if it's relevant and how it's going to be seen in the environment if it belongs to a threat actor group that has the right motivations, is it a targeted attack?
And to build, maintain deep integrations, so Threat Intelligence Platform will integrate with a whole number of different solutions-- your SIEM, your firewall, et cetera.
So ensure that these integrations are in place.
And think about the use cases before you do this integration.
We looked-- the report also looked at detection.
And no surprise, more budget is being earmarked for detection strategies and detection technologies.
We see this year-on, a-year.
I noticed this at the INFOSEC conference.
Vendors are understanding that this is the way to go.
And companies also realize [AUDIO OUT] it's not if they get attacked, when [AUDIO OUT] attacked.
Some will need to be invested in detection technologies so that you can stem a breach before it occurs because even if you are attacked, it's not the end of the world.
An attack takes a length of time to occur.
So it's about understanding if you are under attack or if there are communications happening which would eventually lead to that breach to be able to identify that so you can stop that before you get to the end stage.
Organizations that had threat intelligence, threat intelligence platform, found they were more effective in their detection strategy versus organizations that didn't.
The key point in this slide is that threat intelligence and the Threat Intelligence Platform gives you the edge in your detection ability.
Talked about it.
Knowing your adversaries.
And I've come across a lot of organizations that did not have a Threat Intelligence Platform and then had a Threat Intelligence Platform and understood how useful it was to be able to really understand any given indicator and using a platform to be able to quickly identify the full story, rather than going to multiple sites and trying to work it out yourself.
So having this information provided so that you could be the detective in your environment.
There's open-source intelligence.
That's paid for intelligence available.
And they're both of use because in the world of threat intelligence, quantity and quality matters.
Quantity matters because then you avoid the blind spots.
If you rely on one or two feeds, even if they are valuable, they're still looking only at specific attack vectors and not the full picture.
So you need to have a lot of information and in a way to curate that so that you can pick out what's relevant to your organization, what you're going to integrate-- what relevant threat intelligence you're going to integrate with your security tools.
Open-source intelligence, of course, has the problem where it's not curated.
So you might be looking at a malicious indicator which at one point in time was malicious but no longer is.
And if you're consuming that without a curation process, confidence scoring, you might end up investigating an alert which ends up being a false positive.
And you've then wasted time and resource on doing that.
Paid for threat intelligence, obviously, has the advantage where you have more of a human element behind it to get the intelligence.
Some of you are Anomali customers already.
So you understand that we already come with a lot of threat intelligence into the system and the ability to collect further sources as well.
The user tips are on the rise as well.
So high-performing organizations that found they were better at detection had a tip program in place.
And, again, the difference here is the edge.
So having a proper Threat Intelligence Program and platform will give you the edge in your environment, in your detection strategy.
It's central to your security stack.
It'd s interesting to know if anyone here in the audience has experience of a particular security stack that they find useful to integrate threat intelligence.
Well, we find SIEM is definitely the number one.
And I'd like you to think beyond the SIEM.
The SIEM obviously can do real-time correlation.
Makes very good use of threat intelligence, taking it in, looking at the incoming log sets, and looking for the communications, and then pivoting back into Threat Intelligence Platform to understand if the alert is something that's worth spending time and resource to mitigate.
But your IDS, your IPS can take it, your firewalls, your endpoint detection tools, instant incident management solutions.
In fact, working with one client that uses an incident management solution, which is central to their security stack, and they have a feed-in from their SIEM and various other sources.
And they enrich the threats that they see within this incident management solution using a Threat Intelligence Platform.
Sharing is very important.
And, again, organizations that choose to share threat intelligence find that their detection capability is a lot higher than those that don't.
So the automation is what's important, providing in a timely manner so things don't go missed as well.
And that's what a Threat Intelligence Platform-- one of the key principles behind it is to do.
It's not just the consumption of information.
But it's how it's also shared and how it's integrated with your existing security stack as well.
And this is obviously a big challenge these days.
But it is the way to go.
We asked a poll in a previous conference.
And the question was, how large is your threat intelligence team?
And quite often, the answer was just one person.
And that one person wasn't even a full-time-- in threat intelligence.
They had multiple hats, and threat intelligence was one of their activities.
So we do have some way to go.
And again, this comes down to the budgetary problem.
The budget often isn't there which is needed to acquire a platform but also to acquire resources-- the skill sets as well to be able to make use of this Threat Intelligence Platform.
Is anyone here, they're part of a threat intelligence team with over five in the team?
OK.
That's good.
So as we can see, it's-- it's a minority.
And, of course, large companies will tend to have the resources to do that.
But we all need to invest more in the threat intelligence effort.
I mean there's a huge return on investment for threat intelligence as well because it touches a lot of different solution sets and drives up their value as well.
Having a dedicated threat hunting team, obviously, allowed organizations to be better at their detection capabilities.
We found this as well from the questionnaire in the Ponemon Institute report.
And if you don't have a dedicated threat hunting team, it's something that should be looked at.
And it comes down to forming a team, ensuring that there's budget, and working out the use cases, and how that team will be used in your environment to carry out threat hunting.
We asked another question and what was the biggest obstacle to implementing a threat intelligence program?
And the budget was the issue over here.
As I mentioned, there is no compliance.
It is a relatively new field in many, many sectors, in many regions.
And we're still trying to have the adoption rate go up.
So one way to try and increase this adoption rate is to get the right level of management who have the power to sign [INAUDIBLE] the budgets involved in the process a lot quicker at the start and during your threat intelligence program.
Invite them to shows.
For example, at Anomali, we have something called Threat Days which has got nothing to do with the solutions that we have.
And we invite threat analysts to come and speak about the state of current threat detection, maybe specific vector threats, et cetera.
So try and involve those in the right positions into these conferences.
We don't have time to research and implement TIP.
Do reach out to the threat intelligence platform providers.
We don't really have any competition.
We're still having to deal with the problem of having to evangelize threat intelligence and having more and more organizations adopt it.
So we often work together Threat Intelligence Platform vendors.
If we look here at the conference, we have a whole host of different threat intel vendors-- Intel 471, Flashpoint, et cetera-- with us.
So do reach out to us.
Come and speak to us.
We're not here just to try and sell if you like.
We often have a lot of good contacts within the threat intelligence industry willing to come and speak about threat intelligence and educate you about different platforms, et cetera.
There are concerns to share.
But there's been an evolution of Threat Intelligence Platform to address this issue.
So sharing threat intelligence is sharing information about external entities.
So it's not really any to do with assets within your company or your company data.
But even then, you're sharing information.
And you may not want the sharing partners to understand that you've shared it.
So Threat Intelligence Platform allows us anonymity as well so you can protect the privacy of the data that's being shared.
And this is very important as ISACs that you can get involved with.
You can create your own trusted circles, your own sharing mechanisms.
I spoke to a football team in Europe the other week that are interested in getting a Threat Intelligence Platform.
And they were very interested in the idea of actually spearheading the sharing mechanism with other football teams and sports institutions in their area and beyond.
And, of course, they were worried about the privacy aspects.
And I explained, both strategically and technically, how a Threat Intelligence Platform deals with that.
So I don't believe there's any real excuse now not to be able to share based on privacy concerns.
This formalizes some of the statements of sharing.
Let me pick out-- yeah, takes advantage of different tool sets and expertise.
That's another big advantage of sharing information.
A new piece of malware, a new threat might be detected by another organization that has the right tool sets, the right expertise to be able to detect that.
And having that information shared to you means you leverage this expertise.
Trying to do this in isolation would be very difficult.
So that's one of the advantages.
It's a force multiplier.
Think about sharing not just to others in your industry but beyond that as well.
It comes down to unity.
So the more organizations in different verticals that are able to detect threats and protect themselves better, it is better for every organization.
If you think about it, a threat actor group wanting to target-- let's say, I'm a bank.
I've got good defenses.
I've got good sharing mechanisms with other banks.
They want to try and target us.
They may go and target another institution that has sort of weaker defenses, less of a detection budget.
If you're able to share what you have with this other organization, even if they weren't a bank, they're better equipped to deal with new threats, thereby slowing the progress of the threat actor groups in whatever they're developing.
So this is a summary slide, if you like.
I'm going quite quickly.
So establish a formal and dedicated team to manage threat intelligence activities.
I can't emphasize that enough.
And the organizations I've worked with very, very well have involved a lot of different members from different departments in their organization from the start.
Allocate enough budget.
And this is a difficult one, right?
So you may or may not be part of that budgeting process.
If not, you need to try and find out who is, which level of management.
And get them involved from the start.
There's been a few proof of value exercises I've done where the threat intelligence team really want the platform.
And they've spent a lot of time and effort to understand the use cases to run the PoV with full effort.
We've run it.
They've liked it.
They've seen the value.
They've involved different departments-- the SOC, et cetera.
And in the end, there's no budget earmarked.
And that's a bit of a shame because they've actually for a few weeks understood how they can use it effectively.
And the only thing I can say there is to get the right level of management involved right from the start because there is no compliance.
There is no other driver in place to drive-- to help the adoption here.
Start sharing and give back as well.
So this is very important.
If you don't already share, think about how you can share.
There are different ways to do that even without a Threat Intelligence Platform in the first place.
But think about the evolution of that.
Here, at Anomali, we have sharing mechanisms called trusted circles which makes it easy to be able to share information to other organizations that have the Anomali platform.
You can use APIs.
You can create files of different formats and share it that way as well.
Don't just take information but also share information as well.
This actually helps your security department because you have to now think about what you're sharing and spend time and effort to curate that information.
Increase the security team's knowledge about your adversaries.
Understand the full story-- the bottom-up approach or the top-down approach because that's what's going to be helpful because, ultimately, threat intelligence is a decision-support system.
It's there to help you decide with what threats to deal with because you will have a deluge of threats from a whole manner of different security solutions in-house.
And it's there to tell you which is going to probably affect you more so you can look at threats at a risk point of view.
And integrate it with different solutions that you have in-house.
Don't just stick with the SIEM.
Think about the other types of solutions that you have.
Speak to the team over there.
See where they have a deficit in their detection capability and how threat intelligence can-- threat intelligence can help them with that.
Do we have any questions or any thoughts about this?
Do you recognize any of these issues?
Or do you feel as though you have this in place and you have other issues which are not highlighted?
If you have Anomali, obviously, the best example is sharing through this feature called trusted circles with other Anomali customers.
But they may not have Anomali.
So I'm working with one client actually in the UK.
And they have a lot of different members associated to them.
And they want this very use case of being able to share.
And they don't want to take for granted that they can supply Anomali's solutions to these members.
So one is obviously providing possibly a community version of Anomali, which might be possible.
But if that is not there, they can take advantage of APIs.
So they can do an API call to your Anomali platform to go and grab the data.
You can output files in a lot of different formats-- JSON, CSV, STIX, et cetera-- and then make that available to your partners.
It could be scripted.
But it's a method of delivery of these files over to them so that they can plug it into the system of choice.
You can export the strategic information-- the threat bulletins, information about threat actors, whatever you think is relevant-- and send that across to your members.
A lot of members now could take advantage of the TAXII service.
So have a TAXII client.
Then it's-- they can choose any vendor that they want to have a TAXII client and then integrate with Europe the information that you have using the TAXII service within Anomali.
Would that help to some of these methods?
AUDIENCE: Yeah, absolutely.
PARTHI SANKAR: Yeah.
Yeah.
So you don't need to have one specific vendor to be able to share information.
It makes it easier, but a lot of different ways and protocols to do this.
So, yeah, thank you for being here and listening to the presentation.
If you want to find me, my name is Parthi.
Just Google parthi@anomali, and you'll find me.
There's not many of us.
Actually, there's two of us in the company, which is a real big surprise.
Yeah, and I'll be around here as well.
Thank you very much.