
Intel’s in the way that you use it, Snoke don’t you know

It’s in the way that you fuse it
Intel comes and it goes
It’s in the way that you use it
Snoke don’t you know
– Eric Clapton (modified)

When I decided to join a cybersecurity startup, I had no idea fashion designer would become part of my job description. But I must say I’m really glad that it has (btw, google images for “cyber fashion” will give you great ideas for cyber casual Fridays). After the first offering in our Star Wars-themed clothing line was voted a show favorite at BlackHat, we knew it wouldn’t be our last. And the 2016 RSA Conference offered the perfect venue for unveiling our new spring line.

The release of Episode 7 conveniently provided us with a treasure trove of new material to choose from going into the ideation phase. I watched the movie 3 times and listened to the book once - strictly for professional research and inspiration, mind you. Our internal designers got together and came up with several good options, including a “Who is Rey?” attribution-style concept that will fit better in a blog post someday than on a t-shirt.

***WARNING - SPOILERS AHEAD***

We initially shied away from doing another “Rebels Resistance blows up the Death Star Starkiller Base” design, but, like J.J., we simply couldn’t help ourselves. It just ain’t Star Wars unless you’re blowing up planet-sized guns in the face of overwhelming odds, right? Plus, the events leading up to the destruction of Starkiller Base conveniently parallel the “Aggregate – Analyze – Act” construct we often use to describe major functional categories of the ThreatConnect platform. So we yielded to the will of the Force and just went with it.


It’s not the size of your blaster…

Our 2015 BlackHat shirt began with the premise that if the Emperor had known about Luke’s womp rat targeting capabilities, he might have better protected the Death Star’s exhaust ports. The moral, of course, being that good threat intelligence should drive defensive actions.

For the new tee, we wanted to expand a bit on that theme. Exactly how does intel inform and drive action? Furthermore, what separates those who successfully leverage intelligence from those who, like the Empire, don’t? In the end, we landed on the premise that what really separates the Ren from the Boyegas in the Galaxy far, far away boils down to how you use your intel.

Following the initial demonstration of Starkiller Base’s destructive power against the Hosnian system, the Resistance was in a tight spot. The Galactic Senate was no more. A large part of the New Republic fleet annihilated. The Resistance was now left largely on their own against the might of the First Order. It was as if millions of voices suddenly cried out in terror…no wait…wrong episode; my bad. But it’s probably applicable here and I’m pretty sure more than one of the Resistors (is that what we’re supposed to call them?) had a bad feeling about this development.

But it didn’t stop there; would this be how liberty dies…with thunderous applause? Demonstrating their counterintel prowess, the First Order tracked a Resistance reconnaissance ship back to the Ileenium system, where their main base was located on the planet D’Qar. General Hux was coordinating an effort to pinpoint the exact location, but Snoke was like “nah, it’s cool; our blaster is big enough to destroy the whole system.”

Aggregate – It’s the way that you fuse it

We’ve all been here. Our adversaries do indeed possess some pretty big guns (including an Ion Cannon!) and they know how to use them. Many of us have experienced them wiping out or invading multiple systems in one fell swoop. Thus, the “cyber battlefield” (I kinda hate myself for saying that) is often described as “asymmetric” due to the many disadvantages facing defenders.

One way to level the playing field is for defenders to gain information superiority over the adversary…or at least something that approaches information parity. And take my word for it – a bunch of disparate, disjointed, and disconnected intel silos is definitely NOT the way to achieve this.


Consider how the Resistance handled their present predicament. They had virtually zero intel on Starkiller Base other than Leia sensing an Alderaan-esque disturbance in the force. Though their intel sources were scattered across the galaxy, they gathered everyone together in the command station on D’Qar to develop an understanding of what they were up against. Han, Finn, and Rey all shared what they knew about the First Order’s super weapon. None of this intel was sufficient by itself, but the sum proved greater than the parts and gave the Resistance what they needed to begin formulating a plan.

And that’s basically what the aggregate component of ThreatConnect does. You bring everything you know about threats from everywhere you know it together into one place so your analysts have the best shot of making good, informed decisions to protect your business. Plus, it’s much less hassle than flying all stakeholders to a remote planet for a face-to-face. 

Analyze – It’s the way you peruse it

Having gathered every scrap of intel they could muster on Starkiller Base, the Resistance set about figuring out how to destroy it before it destroyed them. And with the weapon well into the recharge cycle, time was not on their side.

They knew it drained a star’s power to collect dark energy known as “quintessence.” They conjectured this energy must somehow be stored within the base’s core until the weapon was fully charged and ready to fire. And they had gleaned a rudimentary understanding of how the weapon’s beam of concentrated phantom energy traveled through sub-hyperspace to its target (don’t think too hard about it…this is not the science you’re looking for). But having all the right pieces doesn’t mean the puzzle is done.

Which is exactly what the “Analyze” component of ThreatConnect is all about. We’ve brought together a suite of capabilities, integrations, apps, and processes that enable analysts to peruse all the pieces of intel and fit them together to form an accurate picture of what they’re up against. Note: holographic projection of threats isn’t currently available but is on the roadmap.


Based on the aforementioned intelligence, Resistance scientists set about solving their own puzzle, reasoning that a planetary magnetic field would not be enough to store the massive amount of energy they had witnessed deployed against Hosnian Prime. Rather, it would necessitate some kind of oscillating field because “much less energy would be required to sustain it than if it was maintained at a steady state.” Further analysis led them to deduce that destroying the oscillator with the weapon fully charged would destabilize the planet and cause it to implode. But destroying the oscillator was easier said than done, and determining the best course of action to do that presented their next challenge.

Act – It’s the way that you use it

With a good understanding of the threat against them, Resistance tacticians set to work assessing how to exploit Starkiller Base’s formidable defensive measures. They presumed the entire planet would be shielded and the First Order would have applied the hard-learned lessons from the Death Star debacles to harden protections around the oscillator itself (after all, Hux and Kylo had been spotted wearing our BlackHat t-shirts). They also surmised their attack would be detected quickly and the response would include an aggressive deployment of military force.

Seem hopeless? Well, not to this small band of rebels struggling to restore freedom to the galaxy. Planetary shield? Please – Han concocted a never-attempted, physics-defying stunt to penetrate it by flying through the shields at lightspeed. Don’t even bother telling him the odds. Disabling the shield so Resistance fighters can attack? No problem; big, tough Captain Phasma will cave without even having to use enhanced interrogation techniques like Wookieboarding. Oscillator protections? Pffft – they’re soft and “Chewie” on the inside, baby! Certainly nothing a few well-placed thermal detonators can’t handle. Military forces? You must not have met the best pilot in the Resistance nor seen his bad@ss black X-Wing fighter. Good intelligence empowers them to stay on target and renders the neutralization of Starkiller Base mere padawan’s play (except, of course, for a certain death that I can’t elaborate on lest I cry).

Join us, and together we will rule the galaxy

Bringing all this back to ThreatConnect, I’m not going to insult your intelligence (pun intended) by suggesting threat intel becomes padawan’s play in our platform. But what it will do is give intel padawans the tools they need to become jedi and help turn jedi into jedi masters. It even has something for those of you who are a little too short to be a Stormtrooper and can’t seem to hit your target. So, don a bathrobe, grab a flashlight, sign up for a free ThreatConnect account, and become a guardian of peace in the galaxy!

Oh – and I’m not sure how to tell you to get a shirt. Maybe contact your local ThreatConnect rep, drop by our booth at a conference, or try hitting us up @ThreatConnect on the Twitters.

ABOUT THE AUTHOR

Wade Baker is the Vice President, Strategy and Risk Analytics at ThreatConnect. He believes improving information security starts with improving security information. In keeping with this belief, he’s working to complete his doctoral thesis, “Toward a Decision Support System for Managing Information Risk in Supply Chains”. Previously, he served as Director of Cybersecurity Strategy and Research at Verizon Security Solutions where he led the overall direction of security services, technology capabilities, intelligence operations, and research programs. Baker spearheaded Verizon’s annual Data Breach Investigations Report (DBIR), the Vocabulary for Event Recording and Incident Sharing (VERIS), and the VERIS Community Database. Wade holds a B.S. and M.S. from the University of Southern Mississippi, and a PhD from Virginia Tech. He currently lives in Virginia with his incredible wife and 4 awesome kids.