You’re an IT executive and your company receives regular cyber intelligence updates. They land in your inbox every so often (or are forwarded to you by your managers, flagged “urgent”). Opening one, you find a brief summary of current events or alerts and an attachment, usually a PDF document. If it’s over 10 pages long you print it and then… well, most likely leave it on your desk for several days. If you have some spare time you might even skim it, and perhaps highlight a paragraph or two for future use. But most likely you will either ask one of your subordinates to read and summarize it for you, or never look at it again before finally shredding it.
I know, because in my previous job I sold these exact reports.
And it was difficult, since most potential customers were reluctant to pay for something whose need or value they did not fully understand. The really sad fact, though, was that even the clients who were paying for the service were hardly gaining any benefit from it. One customer said at renewal time that it was a complete waste of money, but renewed anyway because, like insurance, deciding to stop buying it was psychologically harder than doing a proper risk-versus-value estimation.
In short, most reports were hardly read or acted upon, and very little value was gained by the customers. I was baffled by this for a long time, until I started to put myself in the clients’ shoes. If a report or an alert contained a specific, relevant piece of information pertaining to their organization, they all knew what to do with it: block a specific IP address or range of IP addresses, or prepare for a hacktivist attack that will happen in exactly 48 hours, by 100 participants using such and such tools. But if the intelligence wasn’t that specific, which was the case about 99% of the time, they had very little use for the information.
A new malware variation being sold on the underground? So what.
A new global APT campaign targeting their (and 5 other) industry? So what.
A discussion in a Blackhat forum about breaching the chip & pin system? So what…
In fact, I heard the “so what” question so many times that it made me think: what do we expect the IT security staff and management to do with a piece of non-specific information?
One CISO even said to me once: “what do you expect me to do now that I know this new piece of troubling intelligence? Sleep less at night?”
You know what? He was right. If it wasn’t relevant or actionable, he couldn’t care less. He can’t configure new SIEM rules, he can’t patch systems whose vendors are not yet aware of the new threat, and he can’t instruct his people to do things differently because some schmuck on an underground forum asked for help developing a new breed of POS malware.
But relevant and specific intelligence is very rare, so what are we to do? Ignore (or shred) all non-relevant information? A dilemma indeed. It seems threat intelligence has an inherent “last mile gap” in its value proposition. So I would like to propose a different paradigm, one that broadens the definitions of relevancy and actionability and could actually make sense to customers.
To begin with, customers need to be willing to accept that not all applicable intelligence is specific. We would all love to find that incredibly sexy piece of intelligence that alerts the customer to an elaborate scheme by a cybercriminal mastermind to target their IT infrastructure, but the reality is that even if such a campaign were taking place, it would be extremely difficult to alert about it before or even during the activity. So instead of focusing on the 0.0001%, let’s try to use all the rest of the information that is out there, and check relevancy not by a direct link to the target/victim, but by a broader definition of industry and geography. For instance, when we stumble upon a new intelligence alert about new cybercrime activity we need to ask whether it is aimed at my industry (retail, healthcare, etc.), my geography (N. America, West Europe or even global) and my business assets (PII, transactions, IP, etc.). If the answer is yes to all three, then it is relevant and should be taken into consideration. Taking this further, if we collect enough information from various sources we can even identify geographical and industry-related trends, which could be used for strategic decision-making.
So turning our attention now to the actionability question – how do we utilize this intelligence? I believe that being actionable answers two questions:
What do I do now?
What do I do tomorrow (or next week, or next month)?
Regarding the first, it is obvious that only an extremely focused piece of tactical-technical intelligence will answer it, such as which IP address to block, which rule to configure in the SIEM, etc. So if you are consuming machine-readable feeds and feeding them into your controls (blocklisted IPs, new malware signatures, etc.) you should be fine, as long as somebody owns the quality of those feeds, since a stale or noisy indicator list blocks legitimate traffic just as happily as malicious traffic.
Regarding the more strategic question (meaning not now, but tomorrow), there’s currently a gap in what the industry offers. Today IT security managers have to consume AND digest the intelligence (usually in the form of reports), identify the trends, decide which are relevant to their organization, correlate threats with assets and decide on the best course of action. It is not impossible, but it requires attention and resources, and as the talent gap widens (especially for cyber intelligence analysts) it will become even harder for organizations to make effective use of such intelligence. There are several promising technologies that will help overcome this “last mile” problem: automation of intelligence collection and processing, big-data analytics to identify trends in huge amounts of data, and smart correlation engines that help decision-makers prioritize action to mitigate the threats most relevant to their organization.
But above all, a paradigm shift is required: intelligence is not “nice to have” anymore. It’s a must. But it needs to be consumed and digested in the proper way in order to deliver any value. Otherwise, it can be printed and shredded instantly.
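To make the two ideas above concrete, here is a small triage script, added as an illustration and not code from the original post or from any intelligence vendor. It applies the three-part relevancy test (industry, geography, business assets) from the earlier paragraph, then sorts relevant alerts into “what do I do now” (alerts carrying machine-readable indicators a control can consume) and “what do I do tomorrow” (everything else), and finally counts industry/geography pairs across the whole feed as a crude trend view. The organization profile, the alert records, the field names and the IP addresses are all constructed for the example; a real feed would arrive in a format such as STIX, and the parsing of that format is out of scope here.

```python
"""Triage constructed threat-intelligence alerts against an organization profile.

Everything below (profile, alerts, indicators) is made-up sample data for
illustration; nothing comes from a real feed or customer.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass(frozen=True)
class OrgProfile:
    industry: str          # e.g. "retail"
    geography: str         # e.g. "north_america"
    assets: frozenset      # business assets we care about, e.g. {"PII", "transactions"}


@dataclass
class Alert:
    title: str
    industries: set        # industries the activity targets
    geographies: set       # regions targeted; "global" matches any geography
    assets: set            # asset classes at risk
    indicators: dict = field(default_factory=dict)  # machine-readable IOCs, e.g. {"ip": [...]}


def is_relevant(alert: Alert, org: OrgProfile) -> bool:
    """Relevancy as defined in the text: industry AND geography AND asset must all match."""
    industry_hit = org.industry in alert.industries
    geo_hit = "global" in alert.geographies or org.geography in alert.geographies
    asset_hit = bool(alert.assets & org.assets)
    return industry_hit and geo_hit and asset_hit


def actionability(alert: Alert) -> str:
    """'now' if the alert carries indicators a control can consume today, else 'later'."""
    return "now" if any(alert.indicators.values()) else "later"


def triage(alerts, org):
    """Split a feed into (relevant, act-now, act-later) lists for one organization."""
    relevant = [a for a in alerts if is_relevant(a, org)]
    now = [a for a in relevant if actionability(a) == "now"]
    later = [a for a in relevant if actionability(a) == "later"]
    return relevant, now, later


def blocklist(alerts) -> list:
    """Flatten the IP indicators of act-now alerts into a deduplicated, sorted list."""
    ips = set()
    for a in alerts:
        ips.update(a.indicators.get("ip", []))
    return sorted(ips)


def trends(alerts) -> Counter:
    """Count (industry, geography) pairs across ALL alerts, relevant or not, for the strategic view."""
    counts = Counter()
    for a in alerts:
        for industry in a.industries:
            for geo in a.geographies:
                counts[(industry, geo)] += 1
    return counts


# Constructed profile: a North American retailer holding PII and card transactions.
ORG = OrgProfile("retail", "north_america", frozenset({"PII", "transactions"}))

# Constructed alerts; IPs are from the RFC 5737 documentation ranges.
ALERTS = [
    Alert("POS malware sold on underground forum", {"retail", "hospitality"}, {"north_america"},
          {"transactions"}, {"ip": ["203.0.113.7", "203.0.113.9"], "domain": ["c2.example.net"]}),
    Alert("APT campaign against six sectors", {"healthcare", "retail", "finance", "energy", "telecom", "government"},
          {"global"}, {"IP", "PII"}),
    Alert("Hacktivist DDoS planned against banks", {"finance"}, {"west_europe"},
          {"availability"}, {"ip": ["192.0.2.55"]}),
    Alert("Chip & pin breach discussed", {"retail", "finance"}, {"west_europe"}, {"transactions"}),
    Alert("Credential stuffing against loyalty accounts", {"retail"}, {"north_america", "west_europe"},
          {"PII"}, {"ip": ["198.51.100.4", "203.0.113.7"]}),
]


if __name__ == "__main__":
    relevant, now, later = triage(ALERTS, ORG)
    print(f"{len(relevant)} of {len(ALERTS)} alerts relevant to {ORG.industry}/{ORG.geography}")
    print("act now  :", [a.title for a in now])
    print("act later:", [a.title for a in later])
    print("blocklist:", blocklist(now))
    print("top trends:", trends(ALERTS).most_common(3))
```

Run stand-alone, three of the five alerts survive the relevancy test (the DDoS alert fails on industry, the chip & pin discussion on geography), two of them produce a blocklist of three addresses for today, and the global APT campaign lands in the “later” pile where it belongs: nothing to configure, but something to weigh when planning.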