Tuesday, May 21, 2013

Threat Intelligence?

The term threat intelligence reminds me of the age-old joke about Military Intelligence:  it's oxymoronic.  

Truthfully, I don't think that is the case for either MI or for computer security threat intelligence.   I think the term "threat intelligence" is ambiguous, however, and a number of security vendors have jumped into this space. It might be good to tease it out a little bit and try to figure out what it might mean and whether it adds any value when trying to defend your network.

Here's how I think about it.  First as a background, I like to use the terms threat actors and threat vectors.  The actor (or "agent," in some circles) is the person or organization with the motive, means and desire to attack you.   The vector is the exact means by which they accomplish that.

Threat Intelligence in this context can really come from two sources:

1) an analysis of the attack vectors from a review of incident artifacts
2) penetration of threat actor groups to identify their motives, capabilities and imminent targets

For the first source, the threat intelligence is ostensibly valuable because an understanding of historical attack patterns should give an enterprise some understanding of what defenses are most effective.  In my practice as a consultant, I find that this can be a good approach.  It certainly has benefits in terms of managing a security program, where decisions about where to invest resources are better driven by some true understanding of the threat.   One can never be 100% secure and if you can't be strong everywhere, you want to be strong where it counts.

Clearly, this approach is historical and hinges on the theory that past events can be good predictors of future events.  This is somewhat true in that the basic model of how intrusions are carried out is still pretty consistent with the pattern as described in the seminal Hacking Exposed books.  However, given the dynamism of today's IT landscape (BYOD and Cloud immediately come to mind), new vectors are arising every day.  Furthermore, it's important to note that this intelligence is primarily sourced from an analysis of data (logs, forensic artifacts, malware reversing) from systems that have already been attacked.

In short, this approach is valuable, but not the whole story.  I find the value is mainly in understanding the Tactics, Techniques and Procedures (TTPs) of the various criminal and APT groups, versus getting lists of bad domains, IP addresses and the like.  To use the clichéd phrase, it's all about actionable intelligence.  I don't think those IPs and domains are actionable: by the time you know about them, it's too late in most cases.  (That's not to say you shouldn't use security gateways!  I'm simply saying that as a security professional, you are better served by understanding the approach of the attackers.)
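To make the IOC-versus-TTP distinction concrete, here is a small added example (my own illustration, not code from the original post) that runs two kinds of detection over a handful of constructed proxy log lines.  The first is a plain lookup against a constructed, deliberately stale domain blocklist; the second is a behavioural rule that flags a host contacted at near-constant intervals, a simplified stand-in for the "check-in" pattern the TTP-oriented feeds describe.  The log format, the domain names, the `beaconing_hosts` regularity heuristic and its thresholds are all assumptions made for the example.

```python
"""
Added example: IOC-list matching versus a TTP-style behavioural rule.
All log lines, domains and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: timestamp, source IP, method, URL (one request per line).
SAMPLE_LOG = """\
2013-05-21T10:00:00 10.1.2.3 GET http://updates.example-vendor.test/check
2013-05-21T10:00:00 10.1.2.3 GET http://bad-known.test/gate.php
2013-05-21T10:05:00 10.1.2.3 POST http://fresh-cnc.test/gate.php
2013-05-21T10:10:00 10.1.2.3 POST http://fresh-cnc.test/gate.php
2013-05-21T10:15:00 10.1.2.3 POST http://fresh-cnc.test/gate.php
2013-05-21T10:15:30 10.1.2.3 GET http://news.example.test/index.html
"""

# Constructed IOC feed: a stale blocklist that only knows the older domain.
IOC_DOMAINS = {"bad-known.test"}

LINE_RE = re.compile(r"^(\S+) (\S+) (GET|POST) https?://([^/\s]+)(/\S*)?$")


def parse_log(text):
    """Parse proxy lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, src, method, host, path = m.groups()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "src": src,
            "method": method,
            "host": host,
            "path": path or "/",
        })
    return events


def ioc_matches(events, ioc_domains):
    """IOC approach: flag any host that appears on the blocklist."""
    return sorted({e["host"] for e in events if e["host"] in ioc_domains})


def beaconing_hosts(events, min_hits=3, tolerance_s=60):
    """TTP approach (assumed heuristic): flag a host that one source contacts
    at least min_hits times with inter-request gaps that differ by no more
    than tolerance_s seconds, regardless of whether the domain is known."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["host"])].append(e["ts"])
    flagged = set()
    for (src, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        deltas = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if max(deltas) - min(deltas) <= tolerance_s:
            flagged.add(host)
    return sorted(flagged)


def triage(text, ioc_domains=IOC_DOMAINS):
    """Run both detections over the same log and return their findings side by side."""
    events = parse_log(text)
    return {
        "ioc_hits": ioc_matches(events, ioc_domains),
        "beaconing": beaconing_hosts(events),
    }


if __name__ == "__main__":
    for name, hosts in triage(SAMPLE_LOG).items():
        print(f"{name}: {hosts}")
```

On the constructed log the blocklist catches only the domain it already knew about, while the regularity rule surfaces the previously unseen host purely from how it is being used.  A production rule would need to tolerate jitter, exclude legitimate pollers (update services, monitoring agents) and correlate with other signals, but the shape of the argument is the same: the behaviour generalises, the indicator does not.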

As an example of what I am talking about, I think there is a great paper written by Jon Espenschied at Microsoft, which can be found here.  I think threat feeds that emphasize exact details of the new vectors and how they might be deployed against your enterprise are worth looking into.  There's also a very good exploration of this topic in the context of the "Cyber Kill Chain" in a paper written by the folks at Lockheed Martin, found here.  I think we can be assured that these fellows have a great deal of experience dealing with APT.  I may devote an entire post to that paper and some other related work.

The second approach involves penetrating the circles of likely attackers and trying to determine what they are planning.  This is obviously more proactive (vice historical) and has the added advantage of potentially helping you determine if YOUR enterprise is being targeted, before or during the act.  An example of this would be when Zeus or SpyEye botnet operators add certain financial institutions to their config files for credential stealing.  However, I think the number of times that attacks are caught before they occur is probably small, if for no reason other than that one can attack your enterprise without attacking your infrastructure (in the example given, the bank can't keep its customers from getting Zeus; it can mitigate the problem a bit but can't stop it entirely).

Furthermore, I think penetrating these groups is non-trivial.  Guys like Brian Krebs have done a good job of getting some penetration of these groups, but one can assume that his credentials as a journalist may be helping.  I don't know, but maybe he'll comment on that here on this blog.  Brian made available on his site a good reference: the indictment of Bx1, the SpyEye creator/botherder (interesting that they charged wire fraud and not CFAA, but that's for another post).

I call your attention to paragraph 24 in the "Overt Acts" section of the indictment.  It gives one a good understanding of how these criminals come together to plot these schemes.

Another good discussion can be found here at TechRepublic, which then links to an academic paper found here.

On a final note, penetration of criminal groups is one thing, but what about APT?  Aside from some of the open source intelligence gathered and presented in Mandiant's APT1 report, one suspects that this is the kind of information only the NSA and CIA could provide.  It seems like we've got a long way to go before the USG figures out how to declassify material to provide actionable intelligence on these groups without burning their sources.

So which is more valuable?  I think one needs to use both, without expecting too much out of either.  But, this is a blog, so I don't have to solve the issue.  Comments are welcome.