The Tao of Intel Driven Security


How to implement an intelligence-driven defense by uniting your threat intelligence and orchestration

We’ve been talking a lot lately about topics such as how to mitigate threats faster with an intelligence-driven defense and “what is a SOAP,” that is, a Security Operations and Analytics Platform, not the stuff I have to remind my kids to wash their hands with. Along the way, we’ve gotten a few questions and comments like “Hey, I thought you were a threat intelligence platform… ya’know, you’re supposed to just aggregate feeds of indicators of compromise (IOCs), send them to the SIEM, do some matching, and be done!”

Based on those comments, I thought it would be good to clarify just what it is we’re doing here at ThreatConnect and why we think it’s sort of a big deal for the entire security industry. Since our beginning we’ve been talking about something more than just matching indicators of compromise (IOCs) to create alerts; you can see this in the eBook we published quite a while ago.

Not just a product; a philosophy

At ThreatConnect, we’re working so that any organization with a network security function can realize an intelligence-driven defense. Why? Because you’re going to need it, that’s why. If you are trying to operate your organization in the twenty-first century without awareness and preparedness against the digitally based threats to your business processes, and rely on purely compliance-based security, then you stroll blindfolded and willfully ignorant into a minefield of unmeasured risk.

So what is so great about an intelligence-driven defense? Well, if I’m honest with you (and I am, of course), there is nothing amazing about it; it’s common sense. What’s astonishing is that it is so sparsely adopted. In order to understand the concept better, let’s break it down into its components.

Intelligence de-Hyped

First, let’s talk once again about what threat intelligence (TI) should mean. The hype machine has put TI in a box: it’s largely misunderstood as merely referring to IOC feeds. These feeds have their place in supporting defensive operations, but they are far from a complete and accurate picture of what TI can be. Most IOC feeds are better characterized as information, not intelligence. Following the DIKW Pyramid and the broadly recognized Joint Publication 2-0: intelligence is not raw data, and it is not merely information; it is knowledge of threats you can use to inform decisions, and it may allow prediction of future circumstances or events.

Intelligence and Operations

Intelligence does not exist for its own sake, as stated above: it exists to inform decisions. Threat intelligence therefore specifically exists to inform decisions for security operations, tactics, and strategy.

This relationship is not one way. Intelligence and operations, as functions of the security team, should be cyclical and symbiotic. Intelligence informs decisions for operations, and then actions are taken based on those decisions. Those actions (such as cleanups, further investigations, or other mitigations) will beget data and information in the form of artifacts such as lists of targeted or affected assets, identified malware, network-based IOCs, newly observed attack patterns, etc. These artifacts can be refined into intelligence that in turn informs decisions for future operations. While many organizations do not have a formally defined intelligence function in their team, the concept of using what you know about your threat-space to inform your operations exists in all organizations, regardless of whether or not they employ threat intelligence analysts. The relationship between intelligence and operations is fundamental and exists in all security teams, even if they are not explicitly named functions.


Through the lens of the OODA Loop

This same concept can be more usefully articulated if we describe it in terms of OODA (observe, orient, decide, and act) loops. (Because OODA loops are fairly well cited and understood within the security industry, I won’t spend time explaining them here. If you’re unfamiliar, you can read up on John Boyd’s concept of OODA loops here, or also explore the breadth of writing on the topic as it applies to security and incident response here.) Especially relevant is that OODA loops are, in name and in fact, loops. There is a feedback mechanism at several steps of the decision cycle providing new data, information, and understanding back to the observation phase. You and your adversary both have OODA loops. The side that can move through its OODA loops faster is able to adapt, likely disrupt its opponent’s OODA loop, and win. If your intelligence is doing its job, it is helping you adapt by allowing you to observe more and orient more accurately by filtering out what is unimportant. Likewise, once operational decisions are made and action is taken, the results of those actions are themselves observations and drive the next decision.

Enter ThreatConnect

Tightening the intelligence and operations feedback loop, and thus shrinking OODA loops, is what ThreatConnect is all about. It is the primary value of implementing an intelligence-driven defense.

If there is so much value to be gained from implementing an intelligence-driven defense, why aren’t more organizations doing it? There are some significant challenges for organizations of all sizes in doing it right. Fundamentally, these challenges all have their root in fragmentation that inhibits clear access to relevant information by those who need to act. We set out to help organizations implement an intelligence-driven defense by focusing on addressing the fragmentation problem across information, people, technology, and process.

Information: In order for relevant information to be refined into usable intelligence, it must be available to be correlated, enriched, and contextualized. You must remove the silos segmenting the data by creating a common source of record for it. ThreatConnect does this by aggregating internal and external information, normalized to a common data model, so that it can be refined into intelligence usable for informing decisions. Internally sourced information (details of an IR investigation, notable events from the SOC, or even curated intelligence from an in-house team) is often the most valuable part of the feedback loop we enable.

People: Like data, the various functional teams within your security organization (IR, SOC, Intel, Risk, Executives, etc.) also need the silos taken down around them. They need access to relevant information from other teams and from intel-sharing communities outside your organization. They also need to be able to work seamlessly together with a dynamic workflow. ThreatConnect facilitates this by allowing teams to provide tips and tasks to each other, create and funnel intelligence to the relevant functional organizations, and create reports for executive decision makers based on threats to the organization.

Technology: Most organizations today have a very heterogeneous and disconnected set of point defensive technologies. For most, coordinating action across them means coordinating tickets between IT and the various facets of the security teams. ThreatConnect enables organizations to coordinate intelligence-driven action across our ever-growing library of more than 100 integrations.

Process: Once you have removed the silos between information, people, and technology, ThreatConnect enables you to streamline your processes with playbooks that leverage both internal and external intelligence to inform action for your teams and your technology as well as learn from past experiences.

Since we set out, we have been passionate about solving these problems. Other products perform Security Automation and Orchestration, but they treat intelligence as simply a lever, with little or no regard for its veracity, and certainly do not enable adaptation for future runs of their playbooks. Some Threat Intelligence Platforms allow for aggregation of external “intelligence” (often better characterized as information), creation of internal intelligence, and even have many connectors to defensive products. None focus on getting the most value out of that intelligence by enabling cross-team coordination and workflow around it, or on the ability to orchestrate action between technologies with it.

If you’re ready to start enabling your own intelligence-driven defense, contact us for an evaluation of TC Complete or one of our other products.

About the Author
Andy Pendergast

Andy is a community-respected analyst, innovator, and thought leader. He has over 15 years of experience working in the Intelligence and Computer Network Defense communities from within the U.S. DoD and Fortune 500 companies. He brings his passion for intelligence-led defense to his role as Product Director for ThreatConnect. Andy is a co-founder of ThreatConnect, Inc. and is a co-author of “The Diamond Model for Intrusion Analysis”. Andy is a veteran of the U.S. Army, holds a Diploma in Chinese Mandarin and a Bachelor of Science from Excelsior University. He lives in Columbia, MD, where he regularly climbs rocks and enjoys getting Thai Dynamite Chicken with his wife and three children.