In recent days I had some conversations with folks regarding the common INFOSEC comprehension of threat intelligence and what it really is, and we all come back a marketing buzz phrase “actionable intel”. My concern is that the definition of “action” seems to be getting diluted these days and at worst it has been morphed into “write a signature to prevent X” or create some hot new technology that uses artificial intelligence to anticipate ABC and block the attack. Also, everyone wants to be first to blog about the latest threat that hit the landscape. Researches spend hours trudging through dashboards, PCAPs, log files and retro hunting with yara rules looking for that needle in a mountain of needles that is sitting inside of their grandmothers sewing bench, and hope they don’t prick themselves wasting time with “unrelated” data or false positives. We’re inundated and consumed with the tactical execution. Why? Money, and possibly a case of nearsightedness.
Businesses are consumed by needing to show immediate value (nearsighted), and value is usually measured in the number of bad things blocked. Thus the tactical war against malicious actors saturates every aspect of our information security programs, our hiring for INFOSEC roles, the reports we produce, the metrics we pull our hair out trying to develop, and most of all BUDGET – where we spend our money. We are at constant war, just ask any incident response, forensics, malware reverse engineer, threat researcher, or SOC analyst – it is an all out 24/7 war against bad guys, and one thing you need to win a war besides soldiers, beans and bullets? Strategy.
Strategic operations are nothing new to any military organizations. Nor is strategy new to any successful CEO trying to position his company to gain a competitive advantage over a market share, but strategic planning and execution to an INFOSEC threat intelligence team seems to be as foreign as a fully nude woman standing in the flesh in front of a virgin. The concepts of profiling, understanding, and anticipating your enemy so that you can not only win battles but win the war, are something I find few people grasp. Make no mistake, I am not saying that the tactical activities mentioned above are without merit, they are 100% critical and vital to protecting assets both tangible and intangible, and even lives. What I am saying is that, organizations that have reached a maturity level where they are effective with near-surgical precision in squashing malware and phishing attacks, should be looking to take things to the next level.
I tweeted recently something to the effect that the words “new malware” literally have a Pavlov’s effect on threat researchers. Everyone gets excited about the shiny new malware, we all want to rip it apart, see how it works, hopefully find flaws in it, & blog about and HOPEFULLY to share indicators of compromise (IOCs) with the whole world to make the Internet a safer place. (Side rant – if you blog about threats and don’t share IOC’s and actionable intel, IMHO you are a douche nozzle being used for an enema) Back to the topic at hand…..We want to tell everyone how the malware did it’s backflip, blindfolded, across hot coals and broken glass, shit a peanut that turned into a malware tree, that bloomed ransomware buds whose pollen poisoned the threat landscape and that’s how we got money to grow on trees. Okay, not exactly, but close enough. But then what? Then we all go back to looking for the next shiny piece of malware, cuz we can never have too many in our collection right? Well, this all falls into tactical operations, a very instrumental element to protecting and defending our orgs and current customers, not to mention attracting new customers. The race is to be the one that finds it first, blogs first, and makes current and potential customers feel safer – basically whack the mole the fastest and most accurately. Heaven forbid if another organization blogs about some new major threat and you didn’t, your org is destined to get a tsunami of “are we protected” inquiries. And of course, that’s what the business is worried about – happy customers who feel safe because that’s what pays the bills. So I ask again, but then what?
In all of this, after the hours spent finding it, ripping it apart, and figuring out which IP or domain it came from so you can write a signature, blacklist and block it, what have you learned about your enemy? Better yet, what have you converted from an observation into codified knowledge that can be used later – that is not an IOC? What do you know about their objectives, short and long term? What do you know about their resource needs, infrastructure, motivations (are they political or financial)? Trying to teach strategic threat research in one blog post is insane, so I’ll try to give an example via an imaginary conversation.
Do you know or understand why *THAT* malware was used against *THAT* organization? NO
What about that domain, have you run down the registrant to see what other domains he/she owns and if there’s any other malware associated with them? YES
Oh really! Well do you know if it’s the same kind of malware? It’s not
It’s not? Well bad actors are kind of like serial killers they usually have a modus operandi (method of operation) aka M.O., a habit, that they rarely deviate from, so why did you actor change his M.O.? I don’t know
OK, go figure out if something caused your actor to change his M.O or if this indicates multiple actors sharing the same registration information.
Is it on a dedicated/shared IP? SHARED, on an ISP that only owns 200 IPs and only hosts 100 domains, and they’re behind bulletproof hosting
Do you have enough information based on victims to build a potential target profile so we can figure out where/who they might attack next? NO
What vertical was that attack against? Transportation
What org? a trucking company
What geographic region? Timbuktu
Are there any key political figures headed to that region? sporting events coming up? tourist or entertainment events planned in the near future? Yes
Really, hmm what other resources are needed to support (X from previous question)? Catering? Power? Decorating? Air Travel? Yes
Now the scenario above is completely made up, and there is an entire line of questions that could follow. In fact, changing the answer to any one question can change the next round of questions that would follow. Nonetheless I think you get my point. And if you really do get my point, then you’ll understand why a massive “threat intelligence feed” from a company is practically useless. You’re better off just ingesting a black/whitelist from some trusted asset with an understanding that you may have false positives, but you’d rather be secure and inconvenienced. It is time the INFOSEC community take threat intelligence to a new level and start looking past the shiny new malware and actually start trying to understand attackers.
It kind of reminds me of the sci-fi movie I watched this weekend (I won’t name it because I don’t want to get sued). Basically our planet had been attacked in the past and we defeated the enemy. Then the humans studied the technology left behind from the aliens. They used it to advance the human race and unite the world. But then years later, another alien shows up, without hesitation we blasted it out of the sky, then a bigger alien shows up and threatens the planet again. However, a group of scientists takes the time to study and understand the first alien that showed up those years later. They come to find out the motivation behind that alien, learn from their observations and if they apply the knowledge correctly they can then ultimately defeat the massive alien force that now threatens them.
The key here, is that they took time to study – let me type that out a little more slowly “T H E Y T O O K **T I M E**” to “S T U D Y” – of course it was after they whacked the mole, but they did do the deeper investigation. This is where we all need to be headed. After we’ve honed our skills at quickly finding and annihilating the immediate threat, let’s start adding a new function to our INFOSEC portfolios: teams to do strategic analysis, enemy profiling, and developing threat intelligence that allows us to take proactive measures to prevent attacks or at the very least identify behaviors that indicate a larger (measured by impact not volume) threat on the battlefield.
THE END 🙂
BTW, Business people – please pick your faces up off the floor, I know, I just said we need to invest time and money into something that has long-term payouts and not immediate ones. Let me know if you need me to pay your co-pay for your hospital visit.
As always, thanks for reading and supporting.