Printer to Shredder – The Problem of Threat Intelligence

By ISBuzz Team
Writer, Information Security Buzz | Feb 11, 2015 05:03 pm PST

You’re an IT executive, and your company receives regular cyber intelligence updates. Every once in a while they land in your inbox (or are forwarded to you by your managers, flagged “urgent”). When you open one, you find a brief summary of current events or alerts and an attachment, usually a PDF document. If it’s over 10 pages long, you print it and then… well, most likely keep it on your desk for several days. If you have some spare time you might even glance through the document and maybe highlight a paragraph or two for future use. But most likely, you will either ask one of your subordinates to read and summarize it for you, or never look at it again before finally shredding it.

I know because in my previous job I’ve sold these exact reports.


And it was difficult, since most potential customers were reluctant to pay for something whose need or value they did not fully understand. But the really sad fact was that even the clients who were paying for this service were hardly gaining any benefit from using it. One client said upon renewal that it was a complete waste of money, but renewed anyway because, like insurance, deciding to stop buying it was psychologically more difficult than doing a proper Risk vs. Value estimation.

In short, most reports were hardly read or acted upon, and the customers gained very little value from them. I was baffled by this for a long time, until I started to put myself in the clients’ shoes. If a report or an alert contained a specific, relevant piece of information pertaining to their organization, they all knew what to do: either block a specific IP address or range of IP addresses, or prepare for a hacktivist attack that would likely happen in exactly 48 hours. But if the intelligence wasn’t that specific, which was the case about 99% of the time, they had very little use for the information.

A new malware variation being sold on the underground? So what.

A new global APT campaign targeting their (and 5 other) industries? So what.

A discussion in a Blackhat forum about breaching the chip & pin system? So what…

In fact, I’ve heard the “so what” question so many times that it made me think, “What do we expect the IT security staff and management to do with a piece of non-specific information?”

One CISO even said to me once: “What do you expect me to do now that I know this new piece of troubling intelligence? Sleep less at night?”

You know what? He was right. If it wasn’t relevant or actionable, he couldn’t care less. He can’t configure new SIEM rules, he can’t patch systems whose software makers are not yet aware of this new threat, and he can’t instruct his people to do things differently because some schmuck on the Underground asked for help in developing a new breed of POS malware.

But relevant and specific intelligence is very rare, so what are we to do? Ignore (or shred) all non-relevant information? A dilemma indeed. It seems threat intelligence has an inherent “last mile gap” in its value proposition. So I would like to propose a different paradigm, one that broadens the definitions of relevancy and actionability and could actually make sense to customers.

To begin with, customers need to be willing to accept that not all applicable intelligence is specific. We would all love to find that incredibly sexy piece of intelligence that alerts the customer about an elaborate scheme by a cybercriminal mastermind to target their IT infrastructure, but the reality is that even if such a campaign were taking place, it would be extremely difficult to send out an alert about it before or even during the activity. So instead of focusing on the 0.0001%, let’s try to use all the rest of the information that is out there, and check relevancy not by a direct link to the target/victim but by a broader definition of industry and geography. For instance, when we stumble upon an intelligence alert about new cybercrime activity, we need to ask whether it is aimed at my industry (retail, healthcare, etc.), my geography (N. America, West Europe or even global) and my business assets (PII, transactions, IP, etc.). If the answer is yes to all three, then it is relevant and should be taken into consideration. Taking this further, if we collect enough information from various sources, we can even identify geographical and industry-related trends, which could be used for strategic decision-making.
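The three-question relevance test described above, as an added Python example that is not from the article or from Cytegic; the organization profile, the alert tag sets and the treatment of “global” as matching any geography are my assumptions, and the sample alerts are constructed for illustration.

```python
"""Relevance triage for non-specific threat intelligence alerts.

An alert counts as relevant only if it matches the organization's
industry AND geography AND business assets; everything else is kept
for trend analysis rather than acted upon. Tag sets are assumed.
"""
from collections import Counter

# Constructed profile of a hypothetical North American retailer.
ORG_PROFILE = {
    "industry": {"retail"},
    "geography": {"north_america"},
    "assets": {"pii", "transactions"},
}

# Constructed sample alerts (not real intelligence). "global" is a wildcard geography.
SAMPLE_ALERTS = [
    {"id": "A1", "title": "New POS malware offered for sale",
     "industry": {"retail", "hospitality"}, "geography": {"global"}, "assets": {"transactions"}},
    {"id": "A2", "title": "APT campaign against healthcare providers",
     "industry": {"healthcare"}, "geography": {"north_america"}, "assets": {"pii"}},
    {"id": "A3", "title": "Forum discussion of chip & pin weaknesses",
     "industry": {"retail", "banking"}, "geography": {"west_europe"}, "assets": {"transactions"}},
    {"id": "A4", "title": "Retail customer PII traded on underground market",
     "industry": {"retail"}, "geography": {"north_america", "west_europe"}, "assets": {"pii"}},
]

def _matches(alert_tags, org_tags, wildcard=None):
    """True when the alert shares a tag with the organization, or carries the wildcard."""
    if wildcard is not None and wildcard in alert_tags:
        return True
    return bool(alert_tags & org_tags)

def is_relevant(alert, profile=ORG_PROFILE):
    """All three dimensions must match; a miss on any one makes the alert non-relevant."""
    return (_matches(alert["industry"], profile["industry"])
            and _matches(alert["geography"], profile["geography"], wildcard="global")
            and _matches(alert["assets"], profile["assets"]))

def triage(alerts, profile=ORG_PROFILE):
    """Return the ids of relevant alerts, in input order, for the 'what do I do now' queue."""
    return [a["id"] for a in alerts if is_relevant(a, profile)]

def trends(alerts):
    """Count (industry, geography) pairs over ALL alerts; non-relevant ones still feed strategy."""
    counts = Counter()
    for a in alerts:
        for industry in a["industry"]:
            for geo in a["geography"]:
                counts[(industry, geo)] += 1
    return counts
```

With the constructed input, only A1 (global POS malware hitting transactions) and A4 pass the triage, while the trend counter still records that retail appears twice in West Europe.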

So turning our attention now to the actionability question – how do we utilize this intelligence? I believe that being actionable answers two questions:

What do I do now?

What do I do tomorrow (or next week, or next month)?

To read the answers to these questions, please view the remainder of the article on Cytegic’s blog here.

About Cytegic

Cy-te-gic /pronounced: sʌɪ-ˈtē-jik/ adjective: A plan of action or strategy designed to achieve a long-term and overall successful Cyber Security Posture Optimization – “That firm made a wise Cytegic decision”.

Cytegic develops a full suite of cyber management and decision-support products that enable organizations to monitor, measure and manage their cyber-security resources.

Cytegic helps organizations identify threat trends, assess organizational readiness, and optimize resource allocation to mitigate risk to business assets.
