Tackling the Threat Intelligence Problem with Multiple Sources and Robust RFI Services
A prevention-only strategy to combat threats is not sufficient; enterprises must incorporate intelligence from all relevant intelligence domains
When it comes to Threat Intelligence, I think there are some misconceptions. Data is not information, and information is not intelligence. Most “intelligence feeds” are “data feeds.” Some are “information feeds.” Data is the collection of raw facts, while information is the logical grouping of contextualized data. Intelligence is actionable and helps drive decisions.
In most cases, security and intelligence teams lack finished intelligence, which leaves them ill-equipped to combat motivated and sophisticated adversaries. Most of the threat intelligence market is solely focused on cybersecurity and large, generically aggregated data lakes. This global collection approach, followed by AI and ML analysis that looks at trends and correlations, can provide significant insight into known, widespread threats. However, it lacks the perspective necessary to detect threats specific to the individual organization, identify previously unseen tactics, techniques, and procedures (TTPs), and deliver true intelligence.
The solution to this problem is to combine multi-source intelligence data lakes filtered to a client-specific data pipeline and then bolster that data with expert analysis and robust RFI services to deliver intelligence specific to your organization. Relevance and context are often the critical differentiators. To that end, intelligence providers must have a robust request for information (RFI) capability that allows them to investigate and analyze information from numerous intelligence domains, including cyber threats, fraud, third-party, reputation, platform, and physical protection.
Responding to Requirements
After identifying intelligence requirements, an intelligence team will generally focus on:
1. Monitoring Services: These services monitor for Personally Identifiable Information, data leaks, online mentions of executives and vendors, negative sentiment, leaked credentials, misconfigurations, and malicious IPs/domains, a set of activities typically termed “digital risk profiling.”
2. Requests for Information: An RFI response service provides the ability to query, research, and investigate alerts that come from internal or external monitoring services. This takes many forms, including open source research, direct threat actor engagement, and technical signature analysis.
3. Organizational Awareness: Findings and recommendations will typically impact multiple organizations. It is important to disseminate this information to all relevant team members and business units.
Assess RFI Capabilities
Regardless of the sources of information or intelligence, support for RFIs will be required to understand relevance and context. Areas to consider when evaluating an intelligence solution include:
1. Timeliness: Every RFI is different, but timeliness is important. Security professionals usually attempt to solve security events with 2-4 day sprints. More complex events can take a month or more.
2. Data lakes: Many intelligence vendors boast about their ability to provide the largest data lake of social media, dark web, and open source information. This is meaningless without context specific to the client. Data should be chosen collaboratively and may include:
• Chat services and platforms
• Closed sources including invite-only forums
• Dark web
• Domain registries
• Paste sites
• PDNS, mobile, ISP data
• Commercial data, people databases, public records
• Social media
• Compromised hosts and botnet victims
• RDP traffic, open ports, scanners, proxies, spam domains, user agents
• Beacons, malware, banners, honeypots
3. Intelligence Analysis: Any intelligence or security “scrum” that addresses a serious threat requires multiple technical and analytical skill sets. These skills are broad and varied, and include analysis, forensics, engineering, languages, journalism, and networking. It’s important to have access to a diverse team.
Getting RFIs Right
A problem that organizations encounter is that some vendors only provide RFI responses to alerts on their own data. Often these responses are limited to identifying known threat actors or TTPs. As a result, intelligence teams are forced to purchase data from multiple vendors leading to data overlap and conflicting analytical viewpoints.
When an intelligence team matures beyond the cyber threat intelligence domain to address physical security threats, fraud actors, or those looking to abuse a technology or platform, security teams have trouble integrating varied intelligence and lose a consistent, consolidated, and informed view of their data.
To optimize RFIs, vendors should focus on the following:
1. Scope: All organizations struggle with budgets, so vendors must provide clarity and predictability in terms of time and cost.
2. Context: Provide client-specific context (regardless of threat type), in particular identifying whether the threat is a target of opportunity or a targeted attack.
3. Actionability: Recommendations may be technical, organizational, legal, or other, but they are critical to resolution.
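The data-to-information-to-intelligence progression described at the top of the article, the client-specific filtering of a multi-source data lake, and the target-of-opportunity versus targeted-attack distinction from the Context item above can be shown as one small pipeline. The following is an added example written for this page, not code from the article's author or any vendor. The client profile, the feed records, the targeting heuristic and the recommendation table are all constructed assumptions; the IP addresses are from the RFC 5737 documentation ranges and the domains use the reserved .test TLD.

```python
"""Added example: turn raw multi-source feed records (data) into records
grouped by the client asset they touch (information) and then into
prioritized, classified findings with a recommendation (intelligence).
All inputs below are constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed client profile: the assets this particular organization cares about.
CLIENT_PROFILE = {
    "domains": {"example-corp.test", "mail.example-corp.test"},
    "ip_ranges": ["203.0.113.0/24"],          # RFC 5737 TEST-NET-3, IPv4 only
    "executives": {"jane doe"},
    "vendors": {"acme-payments"},
}

# Constructed raw feed records: isolated facts from several source types, no context.
RAW_FEED = [
    {"source": "paste_site", "type": "credential_leak", "value": "j.doe@example-corp.test"},
    {"source": "scanner", "type": "open_port", "value": "203.0.113.15:3389"},
    {"source": "dark_web", "type": "mention", "value": "looking for access to example-corp.test"},
    {"source": "scanner", "type": "open_port", "value": "198.51.100.7:3389"},
    {"source": "botnet", "type": "compromised_host", "value": "203.0.113.40"},
    {"source": "social", "type": "mention", "value": "generic phishing campaign hitting banks"},
]

# Hypothetical recommendation table keyed by record type (an assumption of this example).
RECOMMENDATIONS = {
    "credential_leak": "reset the affected credentials and check for reuse",
    "open_port": "verify the exposure is intended; restrict or gate the service",
    "compromised_host": "isolate the host and begin forensic triage",
    "mention": "open an RFI for analyst investigation of intent and capability",
}

# Heuristic (assumption): record types that carry free text naming the client are
# treated as evidence of targeting; scanner and botnet telemetry as opportunity.
TEXT_TYPES = {"mention", "credential_leak"}


def matched_assets(record, profile):
    """Return the set of client assets a raw record references; empty means irrelevant."""
    value = record["value"].lower()
    hits = set()
    for domain in profile["domains"]:
        if domain in value:
            hits.add(domain)
    for name in profile["executives"] | profile["vendors"]:
        if name in value:
            hits.add(name)
    # IPv4 values, optionally with a :port suffix, are checked against client ranges.
    candidate = value.split(":")[0]
    try:
        addr = ipaddress.ip_address(candidate)
    except ValueError:
        return hits
    for cidr in profile["ip_ranges"]:
        if addr in ipaddress.ip_network(cidr):
            hits.add(cidr)
    return hits


def filter_relevant(feed, profile):
    """Step 1 (data -> relevant data): keep only records that touch a client asset."""
    return [(r, matched_assets(r, profile)) for r in feed if matched_assets(r, profile)]


def classify(record):
    """Heuristic targeting label for a single record (see TEXT_TYPES)."""
    return "targeted" if record["type"] in TEXT_TYPES else "opportunity"


def build_intelligence(feed, profile):
    """Steps 2 and 3: group relevant records by asset (information), then attach a
    classification and recommendations (intelligence), targeted findings first."""
    by_asset = defaultdict(list)
    for record, assets in filter_relevant(feed, profile):
        for asset in assets:
            by_asset[asset].append(record)
    findings = []
    for asset, records in by_asset.items():
        targeted = any(classify(r) == "targeted" for r in records)
        findings.append({
            "asset": asset,
            "classification": "targeted" if targeted else "opportunity",
            "record_count": len(records),
            "sources": sorted({r["source"] for r in records}),
            "recommendations": sorted({RECOMMENDATIONS[r["type"]] for r in records}),
        })
    # Targeted findings outrank opportunistic ones; more corroborating records rank higher.
    findings.sort(key=lambda f: (f["classification"] != "targeted", -f["record_count"], f["asset"]))
    return findings


if __name__ == "__main__":
    for finding in build_intelligence(RAW_FEED, CLIENT_PROFILE):
        print(finding)
```

Of the six constructed records, two never mention a client asset and are dropped, which is the point of filtering a generic data lake to a client-specific pipeline before any analyst time is spent. The two surviving groups show why the classification matters: the domain-level finding combines a paste-site credential leak with a dark-web request for access and is ranked as targeted, while the IP-range finding comes from mass scanning and botnet telemetry and is ranked as opportunistic. In a real deployment the relevance matching, the targeting heuristic and the recommendation table are exactly the parts an analyst or RFI service would refine.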
Enterprises realize a prevention-only strategy to combat threats is not sufficient. They understand they must incorporate intelligence from all relevant intelligence domains. They realize that to achieve intelligence that is timely, relevant, and actionable they must combine organization-specific data with monitoring, analysis, and RFI services. This comprehensive approach will enable them to effectively counter today’s sophisticated adversaries.