This was another Gartner talk covering the threat intelligence landscape, what you can expect, and things to consider.
Where did that come from?!
Important concept: “Threat”;
- A threat exploits a vulnerability resulting in an incident
- Threat – you can’t control this, you can only be well informed and plan for it’s arrival
- Vulnerability – you can control and understand these – secure coding, defiance in depth, vulnerability databases etc.
- Incident – you want to avoid this!!
The problem is getting the Visibility…
- The bad guys follow the same lifecycle that we do..
- They talk and research – planning – perhaps up to a year or more
- They customise attacks – build
- They attack – run
Without threat intelligence your view looks like;
- Ignorance (they are researching)
- Ignorance (they are planning)
- Hacked (they are running their attack)
Understanding upcoming threats allows you to match defences and mitigations required to your strategic planning cycle. To do this we need good information on what is coming up, and what the bad guys are discussing for the future.
Important concept: “Intelligence”
- Goes beyond the obvious, trivial, or self evident:
- developed by correlating and analysing multiple data sources / points
- Includes a range of information, for example:
- Goals of the threat actor
- Characteristics of the threat, and potential organisational outcomes if it is successfully executed
- Indicators and defences
- Life expectancy of the threat
- Reliability of the information
- Use it to:
- Avoid the threat
- Diagnose an incident
- Support decisions on how to invest in security (strategic planning)
Reliability and planning horizon are key considerations;
- Network traffic feeds – automated information feeds – very reliable, but not real intelligence – good for immediate issues, not for planning. Inexpensive
- Operational intelligence – combination of automated and human, e.g. malware analysis, more intelligent that above, good for immediate planning, reasonably reliable (for short term). still relatively inexpensive.
- Strategic intelligence – Can be very tailored to your organisation, great deal of human interaction, custom made research, some human judgement. Reasonably reliable, but as planning goes further out obviously reliability lowers as criminals can change plans. Expensive, but great for strategic planning especially if you are in a high risk industry or organisation.
- Snake oil – no one can predict 3-5 years out with certainty, so don’t believe anyone who says they can..
- Use dedicated services to plan for long term strategies, and ensure you are concerned about the right threats.
- It can take up to two years to be ready for an emerging threat.
- Plan – How will you use the service? How will it be consumed? Who will consume it?
- Consider whether you need just the threat intelligence, or adjacent services as well.
- Before using, engage heavily with the vendor;
- How flexible are they to your needs?
- Will they go outside of the contract in an emergency or to assist you?
- How well can you work with them – need a good, trusted and close working relationship with them.
If you are considering a threat intelligence service, this talk raises come great points to consider. For me, they key point is how well you can work with them. For these service to be successful you need to work very collaboratively together and they need to have a deep understanding of your specific business and concerns as well as just the industry sector. Another recommended talk.