After walking the halls of the RSA Conference several weeks ago, both my knees and back have finally recovered, as has my sense of the security industry. The RSA Conference takes its toll on your physique as well as your psyche. To the untrained eye, it would seem that the security industry has solved all of its traditional problems and is now obsessed with threat intelligence, APTs, and 0-days.
Bearing in mind that APT is now just marketing for “malware,” and that 0-days have always existed and always will (and there’s pretty much nothing you can do about them — especially if they target your security controls and the humans in your organization), we are left with the elusive “Threat Intelligence” (TI).
Various vendors’ promises range from “hacking back” to “stealing back your data” to “we’ll push hundreds and thousands of URIs and MD5s down your throat.” These all seem either vague, borderline criminal, or what-the-hell-is-my-AV-supposed-to-do-with-that. I figured I would try to make some sense out of the buzzword bingo and, based on experience (gasp!) and logic (still following?), put TI into context. So here goes:
If you ask me, TI comes into play when:
- You have a threat model for your organization that includes your assets, processes, controls, and threat actors/communities.
- You have identified where in your threat model/controls you can improve — either by improving your profile of the threat actor or by boosting the effectiveness of your controls.
- You have a security practice and an existing SOC/SIEM/IR integration in place.
When you operationalize these elements and make them effective (read: actionable), a threat intelligence program will yield high value for your risk management practice. The benefits lie mostly in reducing the risk you assume for operations surrounding critical assets and in increasing your controls’ resistance, detection, and mitigation capabilities. In the best-case scenario, you are also getting counter-intelligence, which pushes the lines of engagement further into your threat community’s territory.
The key to achieving this security posture is to create and maintain a TI practice that gathers relevant information specific to your organization’s unique threat model — tailored to your organization, to your assets, and to your threat communities. If it does not, you are just paying for something that you could have (should have) gotten for free.
Sound promising? Sure does. In my upcoming “Actionable Threat Intelligence” talks, I focus on the elements of building an effective TI practice for your organization, while learning from past experiences (and failures) and marrying different aspects of intelligence to a cohesive, result-oriented program.