Rob McMillan at Gartner defines threat intelligence as:
> Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.
Sounds great, but how do you make it relevant to your organization? It’s about being able to analyze the data.
Over the years, threat-exchange marketplaces have emerged to share information on cyber attacks. While we are still in the early days of easily consumable threat intelligence, this data is vital to many industries, platforms, networks, and environments. Here are five key sources of cyber threat intelligence:
Security vendors such as McAfee and FireEye are the companies you would naturally expect to move into threat intelligence. FireEye, for example, ventured into threat intelligence after it acquired Mandiant, as the two companies’ forensic capabilities complemented each other well. Information Sharing and Analysis Centers (ISACs) exist for a variety of market segments, including financial services (FS-ISAC), aviation (A-ISAC), the electricity sector (ES-ISAC), IT (IT-ISAC), and health care (NH-ISAC). And finally, service providers such as Dell SecureWorks and Risk I/O further refine and correlate vulnerability data for the needs of their clients.
So, how do we go about making the best use of these threat intelligence sources?
Let’s look at the parameters we have at our disposal.
Note that the input parameters are more technology-oriented than issue-oriented (such as financial fraud or a domain-specific event). Taking these into consideration, here is an outline of the three-step approach we recommend.
Step 1: Go inside-out
- Asset inventory: To get the best out of a bottom-up exercise, you’ll need clarity and precision regarding what runs in the environment. An up-to-date inventory of the systems and platforms is mandatory.
- Vulnerability reports: Get the latest vulnerability-assessment reports ready for the platforms or environments for which you are soliciting threat intelligence.
- Public feeds: What the world knows about you is what it gets from public feeds. A constant watch on what your high-priority domains make publicly available will give you a sense of how you could be attacked.
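The inside-out exercise boils down to correlating what you run with what is known to be vulnerable. Here is a minimal sketch in Python; the hosts, platform strings, CVE entries, and field names are invented for illustration and do not reflect any real feed format:

```python
# Hypothetical sketch: correlating an asset inventory with vulnerability-report
# findings so that only issues affecting platforms actually deployed surface.

asset_inventory = [
    {"host": "web-01", "platform": "IIS 8.5", "internet_facing": True},
    {"host": "db-01", "platform": "Oracle 12c", "internet_facing": False},
]

vuln_findings = [
    {"cve": "CVE-2015-1635", "platform": "IIS 8.5", "cvss": 10.0},
    {"cve": "CVE-2015-0204", "platform": "OpenSSL 1.0.1", "cvss": 4.3},
]

def relevant_findings(assets, findings):
    """Keep only the findings whose platform actually runs in the environment."""
    deployed = {a["platform"] for a in assets}
    return [f for f in findings if f["platform"] in deployed]

print(relevant_findings(asset_inventory, vuln_findings))
```

The payoff of keeping the inventory up to date is exactly this filter: the OpenSSL finding drops out because nothing in the inventory runs it.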
Step 2: Go outside-in
Choose the appropriate threat-feed vendors from the above list, depending on your technology landscape. It should be relatively easy to narrow down to perhaps the top five pertinent vendors. The criteria for choosing a vendor include hardware platforms, software providers, proprietary solutions, cloud service providers, network players, and more.
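Narrowing the vendor list can be as simple as scoring each candidate by how much of your technology landscape its feed covers. A rough sketch, with made-up vendor names and coverage sets:

```python
# Illustrative sketch: ranking candidate threat-feed vendors by overlap with
# your technology landscape. All names and coverage sets are hypothetical.

landscape = {"windows", "oracle", "cisco", "aws"}

vendor_coverage = {
    "VendorA": {"windows", "linux", "cisco"},
    "VendorB": {"aws", "azure"},
    "VendorC": {"windows", "oracle", "aws", "cisco"},
}

def rank_vendors(landscape, coverage, top_n=5):
    """Return the top_n vendors ordered by landscape overlap, best first."""
    scored = sorted(
        coverage.items(),
        key=lambda kv: len(kv[1] & landscape),
        reverse=True,
    )
    return [name for name, _ in scored[:top_n]]

print(rank_vendors(landscape, vendor_coverage))
```

In practice the criteria listed above (hardware, software, cloud, network) would each become a weighted dimension rather than a flat set, but the overlap idea carries over.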
Step 3: Let the machine learn
Now comes the hardest part of threat analysis—a two-piece puzzle:
- Getting and cleaning data. By now, if you’ve gone through one or more sources, you will be convinced that they are mostly disparate; that they do not conform to a single structure; and that in some cases, the data is not consistent even within a single provider. Cleaning data is important for both the input data and the threat-intel data. Standards such as CVSS can be used to derive the schema for your platform of choice (preferably something like Hadoop, to hold the large volume of unstructured data). Remember that this activity is continuous.
- Choosing the right algorithm. This is a key decision point, driven by the maturity of a given organization and the level of participation it can bring to the process. In one case, we found it acceptable to go the supervised-learning route, which requires minimal manual intervention at prioritization time but demands the following:
- SME skills to train the data: For example, scanning the various input sources for a high-priority vulnerability in a Microsoft stack will readily surface one, but its significance to your organization must be established by an expert who classifies it based on further parameters, such as whether the affected web server is Internet-facing or whether it has users outside a controlled environment.
- Engineering skills to build a platform: The data grows on both sides here, both from within and from outside. The right choice of technology options is important—from building a platform for hosting the data to applying statistical algorithms and presenting a visualization layer for demonstrating the pertinent threats.
- Operational integration: The end results need to be integrated into the business’s normal operations. The exercise is not complete until we can feed specifics about vulnerabilities to the system infrastructure or to the security-operations team, and ideally, we would provide remedial steps for their systems.
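The first puzzle piece of Step 3 can be sketched concretely. Below, two invented provider record formats are normalized into one common schema keyed on CVE ID and CVSS score; the field names and feed shapes are assumptions for illustration, not real provider output:

```python
# Hypothetical sketch: normalizing disparate threat-feed records into one
# common schema, since providers rarely share a structure.

def normalize(record):
    """Map a provider-specific record onto a common (cve, cvss, source) schema."""
    if "cve_id" in record:                       # invented feed style A
        return {"cve": record["cve_id"],
                "cvss": float(record["score"]),
                "source": record.get("feed", "unknown")}
    if "vulnerability" in record:                # invented feed style B
        return {"cve": record["vulnerability"]["id"],
                "cvss": float(record["vulnerability"]["cvss_base"]),
                "source": record.get("feed", "unknown")}
    raise ValueError("unrecognized feed format")

raw = [
    {"cve_id": "CVE-2014-0160", "score": "5.0", "feed": "vendor1"},
    {"vulnerability": {"id": "CVE-2014-6271", "cvss_base": 10.0}, "feed": "vendor2"},
]

clean = [normalize(r) for r in raw]
print(clean)
```

Once every record lands in the same shape, the downstream pieces (the SME labeling, the learning algorithm, and the operational hand-off) all consume one structure instead of one per provider, which is what makes the continuous-cleaning effort pay off.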
Over the last few years, the world has woken up to leveraging good old statistics like never before. The focus is clearly on getting the right inputs and the industry sources relevant to your organization to derive the most pertinent results. That said, there is no one-size-fits-all approach to the steps above. You could choose either to engineer a tailored platform for your enterprise or to use the model to better evaluate the providers in your space.
In any case, the proof of the pudding is in the eating: if the team is resolving more vulnerabilities than ever before, you’re probably going in the right direction!
Please share your thoughts on each of the topics here, including source feeds, choice of algorithm, and past experience. The next post in this series will talk about the technology choices we’ve made and will include a snapshot from the outcome as well.
Acknowledgements: I’d like to acknowledge the contributions of Seema Dutta, Arockiam Ponnusamy, Karthik Sundararaman and Vinay Dwarkanath for all their ideas and feedback that went into this piece.