The Aussie NiFi Ninja

A blog for cyber security data engineering aficionados

April 08, 2015 / by Andre F de Miranda

On how to do Threat Intelligence intelligently

ZDnet has published a [good summary](http://www.zdnet.com/article/new-threat-intelligence-report-skewers-industry-confusion-charlatans/ on a whitepaper by MWR InfoSecurity about this year’s panacea (ok, not very this year but still a hot topic): Threat Intelligence

By now most information security practitioners realise access to emerging threats as a vital part of the success of securing organisations and their critical information assets. However as the market gets filled with companies, venture capitalists and in some cases, some ludicrous pricing, professionals should carefully consider how to proceed.

Yes, Threat Intelligence may provide valuable insight on what are the critical cyber-risks a company face and to assist in prioritising risk mitigation activities. Yet achieving this may mean that instead of going “Big data”, it may well worth going small data but with lots of context.

The secret for success is focusing on the quality of the sources, but more importantly on being able to identify what questions your company want to respond (requirements) and how to use that information once it is gathered (dissemination).

And without wanting to act like a bucket of freezing cold water let me state it upfront:

Rather than trying to discover the location of 99% of the tor exit-nodes available on the Internet, maybe your company would benefit from using proper incident analysis to develop a profile of your own security incidents and try to identify patterns that may assist in getting stakeholders to buy-in some not so popular remediation activities.

And by analysis I mean; knowing event X happened but also trying to understand how and why it happened and adding all context you can grab.

  • What chain of events have possibly preceded it?
  • Was the event unique to my company?
  • How frequently does it happen?
  • Was it unique to my country?
  • Was it unique to my industry sector?

All these questions are important questions and their answers enable you to create context. As a good manager I had once told me:

Please don’t bring me bad news! And if you bring me the bad news, try to answer in advance what they mean and hopefully how to fix them.

In reality, what that manager wanted was information that can be consumed, either strategically or operationally and as such, was worth of dissemination and as consequence, beneficial to the company, and he certainly had a point!

I still remember randomly looking at virus propagation patterns and being able to pin-point the delivery of advanced malware via drive-by exploitation of JAVA vulnerabilities to business critical desktops.

That information was used to:

  • Notify the desktop support team on what the best course of remediation of the workstations affected;
  • Feed the SOE teams with information they could use to drive Java upgrades more actively;
  • Highlight to the Senior Security Policy makers what sort of real world events were occurring and what gaps needed to be addressed.
  • Inform the IT risk management teams about what business impact was being caused by those events;

The dissemination of the series of events and gathered context resulted in the eventual buy-in to push with an extremely aggressive JAVA patching strategy that manage to rollout fleet-wide upgrades of JAVA in less than 4 weeks from its public release.

Having worked with that manager for too long, I would now even dare to say that it makes little sense to process any kind of security related information if the intelligence gathered will not result in better understanding of risks affecting the organisation or as MWR points out: “It quickly becomes clear that effective threat intelligence focuses on the questions that an organisation wants answered, rather than simply attempting to collect, process, and act on vast quantities of data.”

Hope you will enjoy the read!