The background:
This is a blog post I’ve been meaning to write for a few months now. It’s based in part on a Twitter conversation that carried over into a phone call. It is also something I’ve personally observed, a trap I fell into, and something I’ve heard other Threat Intelligence people say they observed. And while reading Cyint’s favorite tweets of 2016, I finally decided to sit down and write.
In the tweet list was a tweet from Alex Pinto asking ‘how many more #ThreatIntel articles do we need about the difference between “data”, “information” and “intelligence”?’
So my answer is: as many as it takes to break out of our own echo chamber / choir and figure out how to talk to our cybersecurity peers and the stakeholders, so that everyone is able to understand what is being bought. So here is yet another article talking about Intelligence vs. data feeds being sold as Intelligence.
The Problem:
Companies are selling data feeds while calling it intelligence.
It’s just a data feed, with either limited or no correlation to the company buying it. For it to be Intelligence, it has to be actionable to the recipient. Some feeds are just lists of IP addresses. Blindly blocking addresses without knowing the impact doesn’t work well, and may cause problems for users who need to reach sites hosted on the same infrastructure. The block list would end up being huge, full of IP addresses that possibly no one ever goes to. Searching the logs for the IP address isn’t actionable either; that’s taking the data and turning it into information: doing extra work to find out whether the data received even has meaning to the recipient company.
Actionable would be: 100 employees have been seen going to this website, and a file was downloaded to their Firefox cache to generate fake ad-clicks. Now there is a site that can be blocked, a reason to block it, and a list of systems to go do remediation actions on.
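As an added illustration (my code, not something from the original post), here is a small Python script that walks a bare IP feed through the three stages the post distinguishes: the feed itself is data, matching it against the company’s own proxy logs turns it into information, and only the entries with internal sightings become something actionable (a block decision plus a remediation list). The feed entries, the proxy log format and the hostnames are all constructed for the example.

```python
import ipaddress

# Constructed sample feed: a bare list of "suspicious" addresses, the kind of
# product the post describes. One entry is deliberately malformed.
FEED_IPS = ["203.0.113.10", "198.51.100.7", "192.0.2.55", "not-an-ip"]

# Constructed proxy log excerpt in a hypothetical space-separated format:
# timestamp client_host dest_ip url method
PROXY_LOG = """\
2017-01-04T09:12:01 wks-0142 203.0.113.10 http://203.0.113.10/ads/click.js GET
2017-01-04T09:12:09 wks-0142 203.0.113.10 http://203.0.113.10/ads/track.gif GET
2017-01-04T09:15:44 wks-0311 203.0.113.10 http://203.0.113.10/ads/click.js GET
2017-01-04T10:02:13 wks-0077 93.184.216.34 http://example.com/ GET
2017-01-04T10:05:50 lap-0023 203.0.113.10 http://203.0.113.10/ads/click.js GET
"""


def load_feed(entries):
    """Data: validate the raw feed, dropping entries that are not IP addresses."""
    valid = set()
    for entry in entries:
        try:
            valid.add(str(ipaddress.ip_address(entry.strip())))
        except ValueError:
            continue  # a feed line that is not an IP can never match a log line
    return valid


def parse_proxy_log(text):
    """Parse the constructed proxy format into dict records; skip short lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, host, dest, url, method = parts
        records.append({"ts": ts, "host": host, "dest": dest, "url": url, "method": method})
    return records


def correlate(feed_ips, records):
    """Information: which feed entries were actually contacted from our network,
    by which hosts, and over what time window."""
    sightings = {ip: {"hosts": set(), "urls": set(), "first": None, "last": None}
                 for ip in feed_ips}
    for rec in records:
        hit = sightings.get(rec["dest"])
        if hit is None:
            continue
        hit["hosts"].add(rec["host"])
        hit["urls"].add(rec["url"])
        # ISO-8601 timestamps sort correctly as strings
        hit["first"] = rec["ts"] if hit["first"] is None else min(hit["first"], rec["ts"])
        hit["last"] = rec["ts"] if hit["last"] is None else max(hit["last"], rec["ts"])
    return sightings


def actionable_items(sightings):
    """Intelligence: only entries with internal sightings yield a block decision
    and a remediation list; everything else stays 'data' for this company."""
    items = []
    for ip, hit in sorted(sightings.items()):
        if not hit["hosts"]:
            continue
        items.append({
            "indicator": ip,
            "affected_hosts": sorted(hit["hosts"]),
            "urls": sorted(hit["urls"]),
            "first_seen": hit["first"],
            "last_seen": hit["last"],
        })
    return items


def build_report(feed_entries, log_text):
    feed = load_feed(feed_entries)
    sightings = correlate(feed, parse_proxy_log(log_text))
    unseen = sorted(ip for ip, hit in sightings.items() if not hit["hosts"])
    return {"actionable": actionable_items(sightings), "unseen": unseen}


if __name__ == "__main__":
    report = build_report(FEED_IPS, PROXY_LOG)
    for item in report["actionable"]:
        print(f"Block {item['indicator']} ({len(item['affected_hosts'])} hosts, "
              f"{item['first_seen']} to {item['last_seen']}); "
              f"remediate: {', '.join(item['affected_hosts'])}")
    print("Feed entries never contacted from this network (data only):", report["unseen"])
```

The point of the split into three functions is that only the last stage is something a company can act on: the two feed entries that never appear in the logs are exactly the “huge block list of addresses no one goes to” the post warns about, and the script leaves them as data rather than pushing them to a firewall.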
What is being sold instead might be “industry” specific to healthcare, automotive, or whatever, but even those “industries” break down into smaller pieces.
For example, in healthcare you have primary care doctor offices such as dentists, optometrists and physicians: the people seen for the “basics” like annual exams and follow-ups. Then there is secondary care, the specialists that a primary might send a patient to. Next would be hospitals. Then the billing companies that have taken on the outsourced billing for all three previous groups, and the insurance companies. This “industry” could be broken down further still, to first responders such as EMTs / paramedics.
An example of Automotive would include the whole supply chain from the providers of the raw material, the specialized shops that make parts like car seats or piston rods, through the finished product at the auto-plant, and finally to the sales dealership and loan companies.
Yet the “industry” data feed might cover all of those parts, while the data provided might only impact some parts of the “industry”.
Back to the conversation that made me want to write this:
I had a conversation on Twitter that ended up leading to a phone call. During the conversation we had, it came out that my interest was in Threat Intelligence, and he said his company had just bought it. Asking deeper, it turned out his company had bought a Threat Data feed, not Intelligence. It was just the typical “industry” data feed described above. There was no correlation to the company he worked for, even though the sales people said it would take care of all the company’s Threat Intel needs.
For it to be Threat Intelligence, one needs to make it Actionable. If my industry is automotive, and my company makes piston rods, I don’t care that much that the company making seat foam just got breached by a phishing email and their servers encrypted by ransomware.
Using Alternative Competing Hypotheses (ACH), the above attack could be:
- A target of opportunity
- A planned attack against the company for something in the news
- A disgruntled employee (former or current) seeking revenge for a perceived wrong
- Someone targeting Seat makers, to make their own product sell better
- The beginning of a large attack on the industry
Without more data, it’s hard to say. But the data feed only says “automotive is under attack, a company has had its servers encrypted by ransomware”.
I used to follow the Recorded Future Cyber Daily, but it has the same problem. Even though I’m not paying for it, it doesn’t tell me enough to be information. It’s just data. It says what the sender thinks is the “top news”, but it could be completely unrelated to me. I liked it for their “Top Suspicious IP Addresses”, until I started tracking them. I started taking the IP address along with the first seen date, and putting it in Notepad. But there wasn’t enough there. While it said the IP addresses and when they were first seen as malicious, it didn’t say how, or what they were doing, or why they were considered malicious. Even running them against OpenDNS Investigate or PassiveTotal didn’t give me much more information. I think I unsubscribed from the list when I realized some of the “suspicious addresses” were in Akamai’s address space.
And that was the trap I fell into. I would spend at least an hour a day trying to make those IP addresses mean something for the company I worked for, all because they were part of what I was using as a “Threat Intelligence Feed”, which really was just a data feed.
So how do we fix this?
First, don’t just buy a data feed. If a company is thinking of doing Threat Intelligence, it should start by looking at its own data sources. Start with the internal sources: the ticketing systems, the logs, the policies, required regulations and standards, and the mission statement. Look at the company’s external-facing footprint by using tools like Shodan, or by scanning the external address range.
The policies, regulations, and mission statements should give an idea of what the company’s management thinks is important. The logs, the tickets, and the change control documents will tell how those systems are being used.
Then answer some questions, which I’m borrowing from James Dietle’s book “Effective Threat Intelligence: Building and Running an Intel Team for Your Organization”:
- What are the Biggest Three Assets your company is trying to protect?
- Name three groups of people trying to steal them.
Then confirm the answers with the company stakeholders, senior management and the C-levels, and change the answers based on their feedback.
Then figure out what is needed to watch those assets. Find out whether there are gaps, and make recommendations to fill them. Revisit the answers on a regular basis: quarterly if need be, annually at the very least. Over time, that list of three will grow beyond three items based on what is seen, and some of those items may stop being important as the company matures and changes.
Make “industry” contacts and share data with them, using PGP/GPG to send it encrypted. Also make contacts at non-industry companies and see whether there are things that cross industries. Is that phishing email that just came in targeted at just healthcare workers, or is it a larger impersonation campaign targeting everyone who might have a retirement account at some large retirement company?
Build metrics from what is seen, and use those to help drive the reports written. Use Alternative Competing Hypotheses to find the most likely scenario; this is where building the metrics will come in handy. The two, ACH and metrics, go hand in hand: the hypothesis that has the most metrics behind it will most likely be the correct or best one. By this point, there should be data that has meaning for the company (Information) and is actionable by the company (Intelligence).
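To show how the ACH list from the seat-foam ransomware example earlier in the post can actually be scored, and how metrics feed into it as this closing paragraph suggests, here is an added Python example (mine, not the post’s). It follows Heuer’s ACH rule of ranking hypotheses by how much evidence is inconsistent with them, weighting each evidence row by a constructed metric (how many independent internal observations back it), and it refuses to name a winner when the top two hypotheses are too close, which is the “without more data, it’s hard to say” case. The hypothesis labels are paraphrased from the post’s list; every evidence row and rating is constructed for the example.

```python
from dataclasses import dataclass

# Hypotheses from the post's seat-foam ransomware example (ids and wording are mine).
HYPOTHESES = {
    "H1": "target of opportunity",
    "H2": "planned attack prompted by something in the news",
    "H3": "disgruntled current or former employee",
    "H4": "competitor targeting seat makers",
    "H5": "beginning of a large attack on the industry",
}


@dataclass
class Evidence:
    description: str
    weight: int    # constructed metric: independent internal observations backing this row
    ratings: dict  # hypothesis id -> "C" consistent, "I" inconsistent, "N" neutral


# Constructed evidence matrix; in practice the analyst fills in every cell.
EVIDENCE = [
    Evidence("Phishing lure was a generic invoice template also reported outside automotive", 4,
             {"H1": "C", "H2": "N", "H3": "I", "H4": "I", "H5": "N"}),
    Evidence("Ransomware is a commodity family with its standard note, no custom demands", 3,
             {"H1": "C", "H2": "N", "H3": "I", "H4": "I", "H5": "C"}),
    Evidence("Company had no press coverage in the 90 days before the incident", 1,
             {"H1": "N", "H2": "I", "H3": "N", "H4": "N", "H5": "N"}),
    Evidence("No other automotive supplier has reported the same lure this quarter", 2,
             {"H1": "C", "H2": "N", "H3": "N", "H4": "C", "H5": "I"}),
    Evidence("HR reports no terminations or disputes in the past year", 1,
             {"H1": "N", "H2": "N", "H3": "I", "H4": "N", "H5": "N"}),
    Evidence("Attack began on a weekday morning", 1,
             {"H1": "N", "H2": "N", "H3": "N", "H4": "N", "H5": "N"}),
]


def validate(hypotheses, evidence):
    """Every evidence row must rate every hypothesis with a known symbol."""
    for ev in evidence:
        for hid in hypotheses:
            if ev.ratings.get(hid) not in ("C", "I", "N"):
                raise ValueError(f"{ev.description!r} lacks a valid rating for {hid}")


def rank_hypotheses(hypotheses, evidence):
    """ACH scoring: sum the weight of inconsistent evidence per hypothesis and rank
    ascending (least inconsistent first); consistent weight breaks ties."""
    validate(hypotheses, evidence)
    scores = []
    for hid in hypotheses:
        inconsistent = sum(ev.weight for ev in evidence if ev.ratings[hid] == "I")
        consistent = sum(ev.weight for ev in evidence if ev.ratings[hid] == "C")
        scores.append((hid, inconsistent, consistent))
    return sorted(scores, key=lambda s: (s[1], -s[2]))


def best_hypothesis(ranked, min_margin=2):
    """Return the leading hypothesis only if it beats the runner-up by at least
    min_margin inconsistency points; otherwise None (collect more evidence)."""
    if len(ranked) < 2:
        return ranked[0][0] if ranked else None
    gap = ranked[1][1] - ranked[0][1]
    return ranked[0][0] if gap >= min_margin else None


def non_diagnostic(hypotheses, evidence):
    """Evidence rated identically against every hypothesis cannot separate them
    and is wasted effort to keep collecting."""
    return [ev.description for ev in evidence
            if len({ev.ratings[h] for h in hypotheses}) == 1]


if __name__ == "__main__":
    ranked = rank_hypotheses(HYPOTHESES, EVIDENCE)
    for hid, inc, con in ranked:
        print(f"{hid} ({HYPOTHESES[hid]}): inconsistent={inc} consistent={con}")
    print("Call:", best_hypothesis(ranked) or "inconclusive; collect more evidence")
    print("Non-diagnostic evidence:", non_diagnostic(HYPOTHESES, EVIDENCE))
```

With the constructed matrix, “target of opportunity” has no inconsistent evidence but “planned attack prompted by the news” is only one weighted point behind it, so the script reports the case as inconclusive at the default margin; that is the signal to go collect the metrics that would separate the two rather than to write the report.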