On Threat Intelligence

Red Canary

If my tour of the vendor floor at RSA was any indication, “threat intelligence” is rapidly becoming the new “APT,” which is to say that it means different things to different people and despite the best efforts of those who actually know what is going on, it may cease to have any meaning at all if those who value money over security have their way.

In a nutshell, intelligence breaks down like this:

  • data
  • data + data = information
  • information + intellect + methodology = intelligence

Feeds are not intelligence. Aggregated data, no matter how good it is, is not intelligence. Intelligence is what you use to make decisions. That the gas gauge in your car is at a quarter tank is just a piece of data; that you just passed the last gas station for 100 miles and your destination is 150 miles away are also data points that go into your brain where your 2nd grade math skills are engaged and you pull a U-turn. In this scenario you have generated your own intelligence and acted on it. If you didn’t know how to do basic arithmetic (intellect, methodology) and didn’t know what miles/gallon meant (information) you’d be stranded on the side of the road in the middle of nowhere wondering “why?!”

In security the problem is the same. There is no shortage of data sources, but does your organization have the intellect and knowledge of methodology to avoid an intelligence failure? Intelligence about threats is something that most mature organizations can produce themselves, but the number of such organizations is relatively small, and as recent history continually reminds us, in a network we are only as strong as our weakest link.

Even if an organization were to establish a strong intelligence capability, there is always the possibility that it could be blindsided by a development because it didn’t receive a warning or wasn’t monitoring that data. This is why “sharing” is so important. Public-private sharing efforts fail – or are pale versions of private-private initiatives – because in the former the bulk of the data, and the quality data, all flow one way, whereas private-private models work to the mutual benefit of everyone in the network. It is this communal awareness that can lead to herd immunity, which is defense-at-scale, which is one of the few ways we can actually drive up the cost of attacks (as opposed to buying yet another magic box).

Jokes about bureaucracy aside, an intelligence agency is a large and complex institution because “doing” intelligence right is non-trivial. Again, large organizations recognize the importance of intelligence and can invest accordingly, but the vast majority of connected organizations are drowning in a sea of data and at best know how to dog-paddle. You can call that swimming if you like, but you’re not going to survive in the open ocean of the Internet. If the go-to intelligence metaphor is a needle in a haystack, the problem in general is the volume of hay, but a 100-fold increase in needles of varying degrees of sharpness doesn’t make the problem easier.

We are obviously biased in how we would like you to approach this problem, but even if you don’t consider our service, you owe it to yourself, your people and your customers to educate yourself about intelligence and work with someone to establish (large companies) or join (SMBs) an outfit that understands that intelligence is not a buzz-word.