Cyber Intelligence as a Free Lunch: Let the Buyer Beware
Without proper analysis and context, free threat intelligence could be costly for organizations.
By: Barry Hensley
The aphorism “knowledge is power” rings especially true in the cybersecurity field. Without context-rich data and analysis (the combination of which we’ll call intelligence), security practitioners cannot effectively defend against both internal and external threats. Because of its commonly accepted value, routine cybersecurity intelligence sharing has long been an industry aspiration, and although some security providers are stepping forward to fill the gap with free data feeds, the question must be asked—is this “intelligence,” in itself, helpful?
As well-intentioned as “free” threat intelligence may be, the quality of the data and analysis provided varies widely, and that variability is often opaque to defenders who are not studying those areas of the threat landscape on a daily basis. Organizations can be faced with the challenge of acting on data that lacks proper analysis and curation; if the data is not fully vetted, it may lead to poor conclusions based on faulty assumptions and to resources wasted on ineffectual outcomes. Not every security practitioner has time to follow a story to its conclusion and then act; rather, they may be forced to act on initial reporting to protect their organization and inform management. Knowing when not to make a knee-jerk response can be as important as knowing when to act fast. Having a trusted intelligence partner to provide an alternative perspective or validate open source reporting can save time and resources.
There are notable instances where having only part of the story has led to bold proclamations about impending doom, only to be later revealed as misunderstandings or analysis failures. For example, when a security firm claimed to have evidence of watering hole and phishing attacks on a hedge fund in 2014, it later suggested the scenario was “illustrative only” and that the claims of attack had been misinterpreted. Similarly, in 2015, a security research firm reported that a specific group of Russian threat actors was preparing for attacks on U.S. banks, a claim that online researchers exposed as a flawed conclusion. Placing trust in a single source without validating the information can lead organizations down the wrong path. Bottom line: producing accurate, timely intelligence is hard. Real threat insight comes from meticulous analysis of network and host data types, adversary tools, direct observation of intrusions and assessment of adversary tactics to predict their actions, as well as from attempting to understand the economic and geo-political perspective of the adversary.
Good threat intelligence is more than just producing a hash, IP address or domain. The right data combined with expert analysis provides predictive information about the adversary, such as how they will gain access, pivot within the compromised network and exfiltrate data. Traditional corporate controls don’t arm defenders with the appropriate tools to apply richer forms of threat intelligence and collect the telemetry that expands their visibility across the enterprise. For us, enhanced end-point visibility (e.g. Red Cloak) is especially helpful not only for capturing detailed indicators of compromise at scale but also for applying the corresponding intelligence-derived countermeasures that benefit multiple clients.
At the end of the day, there is no substitute for intelligence that has been produced by trusted and experienced analysts, assessed for its true impact and applied with urgency and context. Developing this capability in-house represents part of the hidden cost associated with “free” threat intelligence feeds. Increasingly, organizations want and need this capability but should embark on this path with their eyes open. There is a lot to be gained from open source intelligence analysis, including free threat intelligence feeds, but the cost to extract that value is not insignificant and relies on gaining an understanding of what the data represents, how it is collected, when it was collected and, perhaps crucially, what is missing. Cyber threat intelligence is an area where quality trumps quantity, but this can be at odds with industry expectations, where “more” and “faster” have been the hallmarks of progress. The challenge ultimately lies in creating more signal and less noise as we arm the defenders with actionable data.
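As an added example (not code from the original article or its author), the following Python routine turns the vetting questions above (what the data represents, who collected it and when, and what is missing) into a triage step that runs over entries of a free feed before a bare hash, IP or domain is allowed to drive action. The feed format, field names, freshness window and confidence threshold are assumptions; the feed entries are constructed for illustration.

```python
"""Triage free threat-intel feed entries for context, provenance and age."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample feed (assumed JSON-lines format, not a real provider's):
# one curated entry, one stale low-confidence entry, one bare indicator.
SAMPLE_FEED = "\n".join([
    json.dumps({"indicator": "203.0.113.7", "type": "ipv4", "source": "vendor-a",
                "first_seen": "2024-05-01T00:00:00Z", "confidence": 80,
                "context": "C2 beacon seen during a confirmed intrusion"}),
    json.dumps({"indicator": "example-bad.test", "type": "domain",
                "source": "free-feed-x", "first_seen": "2023-01-15T00:00:00Z",
                "confidence": 30, "context": ""}),
    json.dumps({"indicator": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5"}),
])

# Assumed policy: an indicator is only actionable with full provenance,
# analyst context, a recent sighting and a reasonably confident source.
REQUIRED_FIELDS = ("source", "first_seen", "confidence", "context")
MAX_AGE = timedelta(days=90)
MIN_CONFIDENCE = 70


def triage(entry: dict, now: datetime) -> dict:
    """Return a verdict plus the reasons an entry still needs human validation."""
    reasons = [f"missing {f}" for f in REQUIRED_FIELDS if not entry.get(f)]
    if entry.get("first_seen"):
        seen = datetime.fromisoformat(entry["first_seen"].replace("Z", "+00:00"))
        age = now - seen
        if age > MAX_AGE:
            reasons.append(f"stale: first seen {age.days} days ago")
    if entry.get("confidence", 0) < MIN_CONFIDENCE:
        reasons.append("low source confidence")
    verdict = "actionable" if not reasons else "needs_validation"
    return {"indicator": entry.get("indicator"), "verdict": verdict, "reasons": reasons}


def triage_feed(feed_text: str, now: datetime) -> list:
    """Parse a JSON-lines feed and triage every non-empty entry."""
    return [triage(json.loads(line), now)
            for line in feed_text.splitlines() if line.strip()]


if __name__ == "__main__":
    for result in triage_feed(SAMPLE_FEED, datetime(2024, 6, 1, tzinfo=timezone.utc)):
        print(result)
```

Only the first entry clears the bar; the other two are held for analysis, with the reasons recorded so an analyst knows exactly what context the feed failed to supply.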
Of course, it goes without saying that even the best threat intelligence and tools will never overcome poor security hygiene. Security practitioners should never forget that failing to implement the ongoing basics of cybersecurity (patching, permissions, passwords, logging, email and web filtering) broadens the attack surface and opens the environment to compromise. Once an organization exceeds that baseline level of maturity, it can begin to leverage threat intelligence to tackle the more persistent or sophisticated cyber threats, detecting earlier and preventing faster.