Sunday, March 16, 2014

Intelligence Redux

Anybody who was at the RSA Conference a few weeks ago can attest to the fact that "threat intelligence" has become the catchphrase du jour. As was the case with "cloud" a few years ago and "data analytics" last year, every vendor on the show floor was hawking a product or service which claimed to increase my understanding of the bad guy and thus improve my ability to better defend my enterprise.

As I began to dig into these products and query my fellow practitioners, I became concerned about what the vendors were calling intelligence and the real value this latest array of tools and services would (or would not) provide. Many of my discussions quickly focused on the concepts of intelligence and intelligence collection and how to apply these concepts practically. While it's been years since I worked in Army Intelligence, some lessons certainly spill over into the corporate world. Allow me to share some of my thoughts on these concepts for your consideration...

Intelligence Defined.  With the term threat intelligence being widely (overly?) used these days, it's worth stepping back and understanding the difference between data, information, and intelligence. Data are raw facts; they do not change. Information, simply put, is data in context. Intelligence is what analysis extracts from data and information: a conclusion that is not stated in any single piece of them.

Confused?  Let me give you an example. Take the number 3015178088. This number is a piece of data, devoid of any context. We can attempt to provide some context to this data in an attempt to provide some level of information to the reader. Examples:
  • 3,015,178,088 -- a number in excess of three billion
  • 30151-70808 -- an overseas telephone number, most likely European
  • (301) 517-8088 -- a North American phone number
As you can see, adding context to the data provides different information to the consumer.

In this particular example, the North American telephone number is the correct context. Now let's provide additional data/information to the reader:
  • 301 is one of the area codes for Maryland
  • I lived in Maryland from 1995 to 2003
Given these pieces of data and information, you might be able to extract the intelligence that the phone number listed was one of my old phone numbers. That conclusion is not stated anywhere within the provided data/information, but through simple analysis and some deductive reasoning, it can be extracted with a reasonably high level of confidence. Consumer organizations regularly extract "business intelligence" from data collected with member loyalty programs in an attempt to focus their marketing and sales efforts with laser-like precision -- occasionally to the point of becoming quite intrusive.

Actionable Intelligence Collection. In order for intelligence to be actionable (i.e., result in the ability for me to do something better/smarter/differently/more effectively than I am at the moment), the intelligence collection effort within the enterprise must be organized and deliberate. Intelligence collection is more than information gathering/information consumption; it requires the enterprise to remain focused on fanatically answering three seemingly simple questions:

  • What do I need to know? What are the most important questions for you to get answered? In the military we referred to these questions as priority intelligence requirements (PIRs). Intelligence collection efforts should be focused on answering these questions first and foremost. Note that determining these questions may be simpler than you think. I remember an intelligence exercise from my GI days involving the transport of relief supplies into a fictional European country via military convoy. As the exercise assumed a hostile force which occasionally disrupted transports along the one major highway into the area, the #1 PIR was always "Is the road open for travel?" I would imagine that some of the PIRs for most enterprises would be equally straightforward. Some examples:
    • Are bad guys in my environment right now?
    • Is sensitive data leaving my environment in an unauthorized fashion?
    • Which bad guys are trying to get into my enterprise?
    • Where are the most likely/most vulnerable attack points?
  • What is the best way to get the answers I need? Folks, PIRs can (and should) be answered by a multitude of sources. These include (but are not limited to)
    • News reports
    • Existing enterprise tools 
    • Communications via professional organizations
    • Organizations which monitor threat activity regularly (CERTs, ISACs)
While a "threat intelligence" platform or service, properly constructed, might provide indications and warning about an imminent attack, it may be argued that existing sources of data from within the enterprise (logs, proxies, firewalls, endpoint telemetry) are better suited to determining the current state of attack if properly monitored and utilized. Indeed, focused monitoring and analysis of open-source information providers may provide reasonably accurate and timely indications and warning of threats and attacks against the enterprise.

  • What do I intend to do with the intelligence gathered?  Intelligence collection should not be an academic exercise. Answering your PIRs should drive action within your environment. If fulfilling a PIR does not drive even a minimal course correction in the actions and activities of the enterprise, then you need to consider whether or not you are answering the right questions...or whether or not you need to adjust your efforts down to that which is actionable within your current culture. This last phrase may seem anathema to the security professional, but given limited resources we must constantly balance our collection efforts against our execution priorities lest security become simply an academic exercise.
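To make the three questions concrete, here is an added example (my own illustration, not code from the original post) that runs a threat feed through the PIR discipline described above. The feed entries are data; a sighting of an indicator in the enterprise's own proxy log gives them context and so becomes information; only a sighting that answers a stated PIR, with a predefined action, is treated as intelligence. Everything in it is constructed for illustration: the indicators, the log lines, the 10.0.0.0/8 "internal" range, the PIR definitions and the 40,000-byte threshold are all assumptions, not real data or a real product's logic.

```python
"""Added example (not from the original post): PIR-driven triage of a threat feed.

Raw feed entries are data; a sighting in our own logs gives them context
(information); tying a sighting to a priority intelligence requirement and
an action is what the post calls actionable intelligence. All feed entries,
log lines, addresses, PIRs and thresholds below are constructed.
"""
import ipaddress
from collections import defaultdict

# Constructed threat feed: indicators with tags but no enterprise context.
FEED = [
    {"indicator": "203.0.113.10", "tags": {"c2", "banking-trojan"}},
    {"indicator": "198.51.100.7", "tags": {"scanner"}},
    {"indicator": "bad-update.example", "tags": {"c2"}},
    {"indicator": "192.0.2.44", "tags": {"phishing"}},
]

# Constructed proxy/firewall log: an existing enterprise source.
LOGS = """\
2014-03-15T02:14:07Z src=10.1.4.22 dst=203.0.113.10 dport=443 bytes_out=48211 action=allow
2014-03-15T02:14:09Z src=10.1.4.22 dst=203.0.113.10 dport=443 bytes_out=51022 action=allow
2014-03-15T03:00:01Z src=10.1.9.5 dst=93.184.216.34 dport=80 bytes_out=812 action=allow
2014-03-15T03:22:41Z src=198.51.100.7 dst=10.1.0.1 dport=22 bytes_out=0 action=deny
2014-03-15T04:10:13Z src=10.1.4.22 dst=bad-update.example dport=80 bytes_out=1203 action=allow
"""

# Priority intelligence requirements: the question, which feed context can
# answer it, and the action its answer drives. Thresholds are assumptions.
PIRS = {
    "PIR-1": {"question": "Are bad guys in my environment right now?",
              "tags": {"c2"}, "direction": "outbound", "min_bytes_out": 0,
              "action": "isolate host, open incident"},
    "PIR-2": {"question": "Is sensitive data leaving in an unauthorized fashion?",
              "tags": {"c2"}, "direction": "outbound", "min_bytes_out": 40_000,
              "action": "preserve flow records, escalate to DLP review"},
    "PIR-3": {"question": "Which bad guys are trying to get into my enterprise?",
              "tags": {"scanner", "phishing"}, "direction": "inbound", "min_bytes_out": 0,
              "action": "block at perimeter, report weekly"},
}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed internal address range


def is_internal(addr: str) -> bool:
    """True for addresses in the assumed internal range; hostnames count as external."""
    try:
        return ipaddress.ip_address(addr) in INTERNAL
    except ValueError:
        return False


def parse_logs(text: str) -> list[dict]:
    """Turn key=value log lines into dicts and label each with a traffic direction."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = {"ts": ts}
        ev.update(p.split("=", 1) for p in pairs)
        ev["bytes_out"] = int(ev["bytes_out"])
        ev["direction"] = "outbound" if is_internal(ev["src"]) else "inbound"
        events.append(ev)
    return events


def sightings(events: list[dict], feed: list[dict]) -> dict[str, list[dict]]:
    """Data -> information: which feed indicators appear in our own traffic.

    Outbound events are matched on their destination, inbound on their source.
    """
    seen = defaultdict(list)
    for ev in events:
        peer = ev["dst"] if ev["direction"] == "outbound" else ev["src"]
        for entry in feed:
            if entry["indicator"] == peer:
                seen[entry["indicator"]].append(ev)
    return dict(seen)


def answer_pirs(events: list[dict], feed: list[dict], pirs: dict = PIRS) -> dict:
    """Information -> intelligence: sightings that answer a PIR, with the action.

    Returns {pir_id: [finding, ...]}; each finding names the internal host, the
    indicator, the number of supporting events and the action the PIR drives.
    A sighting that answers no PIR stays information and is not reported.
    """
    seen = sightings(events, feed)
    tags = {e["indicator"]: e["tags"] for e in feed}
    answers = defaultdict(list)
    for pid, pir in pirs.items():
        for ind, evs in seen.items():
            if not (tags[ind] & pir["tags"]):
                continue
            per_host = defaultdict(int)  # one finding per affected internal host
            for ev in evs:
                if ev["direction"] == pir["direction"] and ev["bytes_out"] >= pir["min_bytes_out"]:
                    per_host[ev["src"] if pir["direction"] == "outbound" else ev["dst"]] += 1
            for host, n in sorted(per_host.items()):
                answers[pid].append({"host": host, "indicator": ind,
                                     "events": n, "action": pir["action"]})
    return dict(answers)


def unsighted(events: list[dict], feed: list[dict]) -> list[str]:
    """Feed entries with no sighting: data we carry but cannot act on."""
    seen = sightings(events, feed)
    return sorted(e["indicator"] for e in feed if e["indicator"] not in seen)


if __name__ == "__main__":
    evs = parse_logs(LOGS)
    for pid, findings in answer_pirs(evs, FEED).items():
        print(pid, PIRS[pid]["question"])
        for f in findings:
            print("   ", f)
    print("no sighting (information only):", unsighted(evs, FEED))
```

On the constructed input, the c2 indicator 203.0.113.10 answers both PIR-1 and PIR-2 for host 10.1.4.22 (two large outbound flows), bad-update.example answers only PIR-1 (its single flow is below the assumed exfiltration threshold), the scanner answers PIR-3, and the phishing indicator never appears, so it is carried as information only. The point is not the matching, which any tool can do, but that the output is organized by question and ends in an action; a feed entry that answers no PIR is just more of the firehose.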
* * * * * 

Given the aforementioned definitions, many of the "threat intelligence" products and services being advertised today provide threat information rather than threat intelligence -- i.e., they are providing yet another credible data/information source to the enterprise defenders rather than true intelligence. While this data source may be more focused and more useful than other data sources available, without an understanding of organizational PIRs it becomes yet another firehose of "stuff" which the security team must consume lest it drown. Worse, without an ability to guide and focus collection efforts across the enterprise, the security team may be looking for indications & warning regarding attacks from largely ineffective (and probably expensive) sources.

Threat "intelligence" products and services do have a place within the enterprise...but only if the enterprise is prepared to utilize and absorb the information provided in a cogent and thoughtful manner. While the temptation to garner information from closer to the bad guys is appealing, having yet another firehose to drink from will only hasten the drowning if you're not careful.

My two cents...


Saturday, March 1, 2014

A Three-Pronged Approach to Protection

In the wake of recent merchant breaches, I have found myself on an increasing number of calls with customers, reporters, and business leaders from various industries.  Invariably, the questions asked all boil down to one overarching interrogative:  "How do we avoid becoming the next breach victim?"  After I attempt to calm nerves and reiterate that there are no silver bullets out there, my answers tend to center around three fundamental areas that I offer up to you for criticism or comment.  Here goes...

1.  Be Harder Than The Other Guy.  Folks often ask me whether or not they should put the alarm sign in front of their house when they buy an alarm service.  My answer to them is "yes, absolutely!" Most burglaries and break-ins are by amateurs looking for easy targets and/or targets of opportunity.  While the alarm sign will alert the 1% who are specifically aiming to break into your house to cut the phone lines, it will also steer the remaining 99% to your neighbor's house if your neighbor doesn't have an alarm sign posted.  No alarm equals an easier target, so becoming a harder target than your neighbor is an attack deterrent.  The same principle applies in cyberspace.  If your protections and controls are perceived to be more durable and more resilient than your competition's, it stands to reason that the bad guys will attempt to acquire data from the weaker target instead of attempting to breach the harder target.  We can see this occurring in a strategic fashion if we step back and observe the class of businesses that hackers are attacking;  instead of focusing predominantly on financial institutions and payment processors, we have seen concerted efforts against merchants, contact centers, and other potential 3rd party "aggregation points" for data.  Even within certain classes of targets, there is value in informing your adversary -- in general (but not opaque) terms -- of the strength of your protections in order to discourage attack.  (Note:  Those of you reading this post who have some military experience will recognize this approach from your unconventional warfare training;  if you think about it for a bit, you'll see that the same principles apply when facing off against the hacker community :o)  )

2. Be Best-In-Class At Incident Response.  If you accept the premise that even the most prepared defenses will be breached -- and they will, believe me :) -- then the ability to identify, contain, and eradicate the threat as early as possible becomes critical.  There are statistics out there which state that the average time between infection by a sophisticated attacker and its detection in the network can be measured in months if not years.  Investing in the technologies and the personnel needed to shrink this window is a critical step in breach avoidance.  Note that investing in personnel does not just mean headcount; more importantly, it means training and education to improve general security knowledge, an understanding of the threat, and critical thinking skills.  This training needs to go beyond just those within the security team to all members of the extended incident response team.

3.  Add Threat Intelligence To The Mix.  If this year's RSA Conference is any indication, the importance of understanding one's adversary has come back into the forefront of the security discussion.  This will be considered good news by those who have long stated that we have become so process and business focused that we have diluted our understanding of hard-core security.  Still, I wonder how many people understand the difference between threat information and threat intelligence.  True threat intelligence, in order to be useful to the enterprise, requires an understanding of what knowledge is of paramount use (priority intelligence requirements); what the best sources are for obtaining that knowledge (collection management); and what actions need to be taken based upon the information obtained (risk management planning).  In the absence of these key components, threat information becomes yet one more firehose from which the security team must drink whilst attempting not to drown.

While these answers may provide small comfort to organizations looking for quick-fix solutions, they represent the basic building blocks for moving toward a risk-based security program.  Consider using these concepts when discussing security needs with your business leaders.  Enjoy!