Threats and threat actors are continuously evolving, and pushing businesses to proactively and actively prevent, detect, and respond to cyberattacks. Security analysts have the daunting task of staying abreast of the threat landscape and this ever-shifting threat. How do businesses utilize threat intelligence to guide decisions and fortify their ecosystem? Chris Yule, Director at Secureworks® Counter Threat Unit™ shared his insights with CyberCrime Magazine’s Hillarie McClure on how CISOs and security analysts know which threats are relevant and what remediation should look like.
So, Chris, tell us a little bit about your role at Secureworks.
I'm a Director in the Counter Threat Unit (CTU)™, the team that develops the understanding of the threat and turns that into ways that we protect customers. So, really generating Threat Intelligence (TI). In previous roles in the company, before I joined the CTU, I was in our consulting organization with a slight specialization in helping organizations build internal threat intel teams. So, I've been on both sides of the fence of generating TI and also consuming it.
Excellent. So, where and how can organizations collect threat intelligence?
Threat Intelligence is such a huge collection of things. I think a lot of people think of just written TI and reports, but TI really encompasses anything that you're applying to your systems, that helps you detect things or evaluate the threat.
Something as simple as antivirus signature updates, those signature updates are a form of threat intel and are telling your system, “This is what the threat is.” Machine-readable TI like this includes indicator feeds, blocklists, signatures and countermeasures on the endpoint or network, TI encompasses all those things as well as the human-readable reports.
The best advice is to try and automate machine-readable TI as much as possible Make sure that anywhere that you can apply TI signatures, blacklists and things like that, that that’s automated as far as possible. Make sure that you know the source of that TI, that they have good visibility, and they've got good research capability to know what is really bad and what isn't. Automatically applying TI that is crowd-sourced or poorly-verified can cause more problems with noise than not applying it.
When we think about human readable TI, the reports that you get from threat intel vendors, that can be a much harder problem to solve. But you still need process around it. At a basic level, you do need to have smart people reading these things and doing the right thing with it but you can definitely operationalize and create policy and process for that. But a lot of it does just rely on a degree of expertise.
When we think of threat intelligence at Secureworks, we talk about the “TI lifecycle.” That starts with planning and direction; making sure you understand, “where is all my TI coming from?” Once you know that, who analyzes the TI, and where does the analysis get disseminated to? It’s making sure that it's going to the right part of your organization.
The first part of any TI program is collecting threat intel. Then you want to make sure that from a technical security controls point of view you have everything ticked off and automated. Then generally, I would recommend you have at least one credible, reliable source for human readable threat intelligence reports.
With that context, how do businesses utilize intelligence to then guide decisions?
When we're thinking about the threat intel we produce, there's strategic threat intel, there's tactical stuff, there's operational stuff and each has their own place within an organization. For example, every year we produce an updated threat analysis of the total threat from China, which many technical people would read and maybe say, “Well, I don't really know what I'm supposed to do with this information.” But it can be really useful for senior management evaluating risk profiles of various activities and threat modelling.
For a tactical example, think of analysis of a new ransomware group that we're tracking or a new particular malware family, and then operationally, there might be an exploit for a vulnerability that's just been developed. With this you need to patch the system right now, otherwise you're going to have problems. A lot of the problems organizations face on the consumer side of TI is that all of those different kinds of TI are coming in through the same channels. And when I've worked with organizations building out TI programs, the main question being asked is “What sort of processes do we need?” Initially, it's triaging. So, figuring out, “Well, how much of this do I need to care about right now? How much of it is more strategic?” and then making sure it goes to the right place.
Strategic intelligence should, in a mature organization, be feeding into executive leadership and board risk management. So, “Where should we be investing? Is there anything that affects us in different markets or in different geographies?” And then also taking a strategic and cybersecurity investment point of view - “Which security controls should I be investing in?” The tactical is really about making sure that your security analyst and your security team on the ground understands the different kinds of threats that are out there. What are their similarities? What are their differences? What tactics are they using? Then really asking yourself every time you're reading something about a new group or a new campaign, “Do we have the security controls to detect this or to prevent it?” And if the answer is yes, then great. If not, then that should feed into an architecture discussion around where you should invest. On the operations side, that's the urgent stuff. You need to make sure you've got good processes in place to identify that quickly and put it in front of the right people to make sure that you're protecting yourself from things that might be happening very, very soon.
How do CISOs and security analysts know which threats are relevant?
One of the things my team does is threat briefs for customers and other organizations that say, “this is our view of the threat landscape.” And one thing that we're often asked to do is make it specific to the organization or to that market vertical. Of course, that's a natural question. You don't want to spend an hour learning about threats that aren't relevant to you.
But from our perspective, in those presentations, we know that 80% of the content we deliver will be pretty much the same as we deliver to other organizations, and maybe 20% of it might be slightly tailored. The majority of threats are relevant to most organizations and that’s certainly true when we're talking about cybercrime such as ransomware, business email compromise, etc. Most cybercrime groups are really only interested in making money, and they will go after any organization that they can find to do that. They're very opportunistic in that way. And so, we often see people talk about ransomware families or ransomware groups targeting specific verticals, and sometimes that has been true. But more generally, it's just the case that they will go after anybody who is an easier target than the next organization. Particular targeting of verticals, certainly around ransomware and other cybercrime incidents, doesn't tend to happen on a massive scale. Most organizations should assume that they are likely to be a target or a potential target of ransomware and the kind of lower-level malware trojans and loaders that lead to those kinds of attacks. That tends to be the vast majority of the incidents that we see affecting our customers and the things that our customers should care about.
If you can't protect yourself against those kinds of threats, you're definitely going to struggle against some of the more sophisticated nation-state type threats. And it’s this type of threat that can vary amongst different organizations. If you have intellectual property or interesting research and development, then that may make you a potential target of the likes of China. Russia tends to be more focused on geopolitical espionage and disruption. If you have information or data that's of relevance to the Russian state then Russia should be a factor in your threat modelling. We saw this with SolarWinds last year, which was very much focused on U.S. government entities even though lots of organizations were caught up in the fallout. We also see Russia targeting their near-abroad, and then that may be a relevant threat to you if you have operations in Ukraine and other former Soviet states. We generally advise organizations to come up with a set of PIRs (Priority Intelligence Requirements). That should be the foundation of any threat intelligence program, as these are the finite list of threats that we think are relevant to us based on our profile. Once you have that, then that makes it easier to triage threat intelligence coming in based on what's relevant and what's not relevant. But as I said, in many cases, a lot of it will be relevant regardless of what kind of organization you are.
And so, my final question for you, Chris, is if a threat is detected, what should remediation look like?
There’s two different ways to use TI – proactively and reactively. We’ve discussed proactive use, and lots of organizations focus exclusively on that; receiving TI and then doing something with that to protect themselves. But actually, a lot of TI really finds its value when you're in the midst of an incident and you're reacting to something. For example, we often publish really technical deep dives into a malware family. When you first receive that, there might be very little you can do with it other than just ask yourself, “Do I think I could detect this?“ But suddenly, if you do detect it in your network and you're doing incident response to remove it from your environment, having a reference manual that says exactly what the malware does and how it propagates itself and what things to look for in your environment suddenly becomes very relevant. So, don't always think that TI has to be a proactive thing. Even just having access to a library of technical TI when you are responding to something, that you can use effectively, is really crucial as well.
Any time you detect something, the more context that you have, the better you will be. When you detect something, make sure you're always trying to find the bigger incident. If you find an indicator and you detect the indicator, don't just block the indicator on your firewall. Understand where that traffic is coming from. Is it coming from a malware infection? What possible malware could it be? How did it get there? Make sure you understand the full extent of the incident, and TI will play a very important part in that to really elevate your response from just knocking things down as they appear. From our experience, organizations that do that are way more successful at truly remediating threats.