Posted
The Cost of Bad (and Value of Good) Threat Intelligence
Written by Andy Pendergast, co-author of the Diamond Model for Intrusion Analysis
Earlier this week, Sergio Caltagirone. published an article on his blog, highlighting the cost of bad threat intelligence. His points were valid. There is a very real risk in terms of lost time, misdirected resources, and even from missing true issues because of distractions that can occur from acting on “bad” or incorrect analysis. This is likely a bit of a wake up call for many that have been wooed by the increasing buzz around threat intelligence as a solution. Threat intelligence is supposed to help your organization find security issues faster and more reliably, yet if carelessly used it can do exactly the opposite.
As Sergio points out, the burden of the solution to this problem rests with both the intelligence producers and the consumers. We built ThreatConnect to help those who need to consume intelligence about threats to their network environment to be able to make better, faster, more accurate decisions and actions using it. In short, while bad threat intelligence can cost you, we help you get measurable value from good threat intelligence.
We do this through both automated scoring and human feedback. You have the ability to rate, weight, and validate the intelligence at the operational (indicator/IOC) level as well as at the tactical (courses of action, TTP) and strategic (risk level, adversary motivation) levels. This ensures the most accurate and relevant intelligence picture for your security team.
These are the specific areas we see as critical focal points a Threat Intelligence Platform can offer as capabilities to help achieve higher confidence that their intelligence is worthy to be actionable:
Crowdsourcing: You may not be able to validate intelligence yet, but your trusted sharing partners can do this in a community within ThreatConnect.
Feedback Loop: Threat intelligence can be 100% accurate but absolutely irrelevant for you. Worse, if the intelligence is not reliable it can generate a lot of noise in the form of false positives when deployed in your network. A feedback loop integration between the TIP and security monitoring and enforcement products can show relevance in terms of number of valid hits and reported false positives. This can help not only operational needs for applying different sources and types of intelligence, but also in making purchasing decisions from threat intelligence vendors.
Source Reliability: A Source and its intelligence can be more trusted as it’s proven. This concept has existed in law enforcement and intelligence community organizations for decades. At its essence, it relies on the axiom that trust is built not granted. Based on the operational insight from the feedback loop and analyst assessments of intelligence reports the history of a source’s validity can be used to provide automated initial assessments of new intelligence from that source.
Accounting for Multiple Source: As an extension of source reliability, if you are seeing indicators of an active threat from multiple sources, it is typically more reliable than from just one source.
Timeliness: There are two factors to timely intelligence. First it must get to you quickly enough to take meaningful action on it. Next, you do not want to take action on “stale” intelligence. For the former factor, source reliability can effectively measure this. For the latter, acting on old intelligence can be just as costly. A compromised host today, may be cleaned up tomorrow. Blocking or alerting on indicators that “used to be bad” is still a false positive. The ability to distinguish active vs inactive states is critical.
All of these factors are ways a TIP can help your organization make the most out of the threat intelligence it is consuming and producing. CISOs and CSOs should be able to see net positive returns on investment for their time, energy, and dollars put to leveraging threat intelligence. Unfortunately simply plugging in a feed, or worse a bunch of them, without a platform and associated processes to manage the incoming data is often the quickest way to turn your network sensors into Christmas tree lights and turn the potential value add into a negative cost. A TIP should be able to lower the signal to noise ratio from threat intelligence feeds immediately and over time learn what is most relevant to your organization to highlight what intelligence is most important now and take or recommend actions to your team to protect the network.
We just added a number of new feeds to ThreatConnect – all ready for you to crowdsource and build good threat intelligence for yourself.