Threat intelligence is not just for big businesses. One security pundit explains what SMBs gain from becoming 'threat intelligent,' and offers tips on how to gather actionable intel.
Information Security Architect John D. Swanson is on a crusade. He disagrees with the popular belief that threat intelligence is only for enterprise organizations with a mature information-security department.
"Contrary to popular narrative, I believe it makes a lot of sense for small information security programs to build a threat intelligence capacity," mentions Swanson in this Swannysec blog post. "While this may not be a popular opinion, I know smaller operations can benefit from a right-sized threat intelligence program because I'm in the process of building one currently and there have been tangible results."
What is threat intelligence?
As with anything techy, terms like "threat intelligence" have myriad definitions. For our purposes, let's use Gartner's description:
"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
Swanson mentions there are two key components in Gartner's definition:
- Threat intelligence consists of context, indicators, mechanisms, and actionable advice.
- Threat intelligence enhances security decision-making.
How to proceed
Next Swanson looks at how SMBs can become "threat intelligent." He starts out by explaining that threat intelligence can be absorbed and applied without any investment in technology. "Anyone interested in threat intel should start by seeking out and reading published threat reports from companies such as FireEye, Palo Alto, or Symantec," suggests Swanson. "A large repository of these reports can be located on GitHub."
- Mandiant's APT1 Report (PDF): It's somewhat dated, but it's the standard that many threat reports follow to this day.
- Symantec's Report on the Dyre Banking Trojan (PDF): A top to bottom look at a family of financial malware.
- Palo Alto Unit 42's Recent Look at Angler's Continuing Maturation: An in-depth look at a specific exploit kit that shows among other things, how bad actors utilize counterintelligence to harden their malware and prevent blue team research.
The next step, according to Swanson, would be introducing low-effort and low investment automation to process the freely available threat intelligence. However, before even considering any form of automation, Swanson feels the following must be considered.
Human oversight: No matter how empowering machine learning is humans need to be part of the equation. "No automated system is going to make any amount of threat intelligence magically useful without people making informed decisions about the data as it relates to the security and risk posture of the organization," explains Swanson.
Machine assistance: The amount of available threat intelligence is more than humans can effectively process. "Therefore, tools capable of accepting, parsing, and manipulating large data feeds are essential," suggests Swanson. "The quickest way to this capability for many organizations will be flexible SIEM (Security Information and Event Management) tools that organize and store the data."
Operational planning: With threat data coming in and being analyzed, the next step is developing a plan based on information gleaned from the threat intelligence. Swanson suggests that company economics and maturity of the security department will define which type of plan: hands-on or automated.
- Hands-on: Corrective actions are based on information derived from cross-checking log data from one or more security systems (firewalls, endpoint logs, IDS, web proxies, or forensic artifact collectors) against intelligence data.
- Automated: The deployment of automated systems capable of blocking pre-configured indicators. Some examples would be Palo Alto's dynamic block lists or Symantec Endpoint Protection's hash blocking.
Besides external threat intel, Swanson suggests data mining all possible internal sources for actionable intelligence. "What can possibly be more relevant than data on what is actually happening on your network?" asks Swanson. "There might be valuable information about the 'what, where, when, and how' of threats directed at your organization in the internal logs and incident reports."
It is not rocket science
Swanson cautions to start small, "Generate top ten lists of exploits, malware, brute-force attempts, etc. and start to observe trends in those reports."
Swanson also suggests paying attention to David J.Bianco's Pyramid of Pain (PDF), which promotes "intel-driven detection and response to increase the adversary's cost of operations. "If nothing else, begin learning the natural rhythms of your network. You will notice when things stand out," adds Swanson. "In short, make sure you're looking at what's happening on the inside before you begin adding external information to the picture."
Some final advice
Swanson believes most SMBs should be using threat intelligence in some capacity. He cautions, "Those feeds need to be correctly understood, parsed and filtered to remove false positives, and applied appropriately to avoid business interruptions."
- 4 essentials to creating a world-class threat intelligence program (TechRepublic)
- A simple framework for SMB IT risk management (TechRepublic)
- Know thy enemy: Symantec launches cyberthreat intelligence service for the enterprise (ZDNet)
- Ebook: Penetration testing and threat filtering (Tech Pro Research)