Tackling the Threat Intelligence Problem with Multiple Sources and Robust RFI Services

A prevention-only strategy to combat threats is not sufficient; enterprises must incorporate intelligence from all relevant intelligence domains

When it comes to Threat Intelligence, I think there are some misnomers. Data is not information, and information is not intelligence. Most “Intelligence feeds” are “data feeds.” Some are “information feeds.” Data is the collection of raw facts, while information is the logical grouping of contextualized data. Intelligence is actionable and helps drive decisions.

In most cases, security and intelligence teams lack finished intelligence, which leaves them ill-equipped to combat motivated and sophisticated adversaries. Most of the threat intelligence market is focused solely on cybersecurity and on large, generically aggregated data lakes. This global collection approach, followed by AI and ML analysis that looks at trends and correlations, can provide significant insight into known, widespread threats. However, it lacks the perspective necessary to detect threats specific to the individual organization, identify previously unseen tactics, techniques, and procedures (TTPs), and deliver true intelligence.

The solution to this problem is to combine multi-source intelligence data lakes, filtered into a client-specific data pipeline, and then bolster that data with expert analysis and robust RFI services to deliver intelligence specific to your organization. Relevance and context are often the critical differentiators. To that end, intelligence providers must have a robust request for information (RFI) capability that allows them to investigate and analyze information from numerous intelligence domains, including cyber threats, fraud, third-party risk, reputation, platform abuse, and physical protection.

Responding to Requirements

After identifying intelligence requirements, an intelligence team will generally focus on:

1. Monitoring Services: These services monitor for exposed Personally Identifiable Information, data leaks, online mentions of executives and vendors, negative sentiment, leaked credentials, misconfigurations, and malicious IPs and domains. This set of monitoring is typically termed “digital risk profiling.”

2. Requests for Information: An RFI response service provides the ability to query, research, and investigate alerts that come from internal or external monitoring services. This takes many forms, including open source research, direct threat actor engagement, and technical signature analysis.

3. Organizational Awareness: Findings and recommendations will typically affect multiple parts of the organization. It is important to disseminate this information to all relevant team members and business units.

Assess RFI Capabilities 

Regardless of the sources of information or intelligence, support for RFIs will be required to understand relevance and context. Four areas to consider when evaluating an intelligence solution are:

1. Timeliness: Every RFI is different, but timeliness is important. Security professionals usually attempt to resolve security events in 2-4 day sprints. More complex events can take a month or more.

2. Data lakes: Many intelligence vendors boast about their ability to provide the largest data lake of social media, dark web, and open source information. This is meaningless without context specific to the client. Data sources should be chosen collaboratively with the client and may include:

• Chat services and platforms

• Closed sources including invite-only forums

• Dark web

• Marketplaces

• Domain registries

• Paste sites

• PDNS, mobile, ISP data

• Press

• Commercial data, people databases, public records

• Social media

• Compromised hosts and botnet victims

• RDP traffic, open ports, scanners, proxies, spam domains, user agents

• Beacons, malware, banners, honeypots

3. Intelligence Analysis: Any intelligence or security “scrum” that addresses a serious threat requires multiple technical and analytical skill sets. These skills are broad and varied, and include analysis, forensics, engineering, languages, journalism, and networking. It’s important to have access to a diverse team.

Getting RFIs Right 

A problem that organizations encounter is that some vendors only provide RFI responses to alerts on their own data. Often these responses are limited to identifying known threat actors or TTPs. As a result, intelligence teams are forced to purchase data from multiple vendors, leading to data overlap and conflicting analytical viewpoints.

When an intelligence team matures beyond the cyber threat intelligence domain to address physical security threats, fraud actors, or those looking to abuse a technology or platform, security teams have trouble integrating the varied intelligence and lose a consistent, consolidated, and informed view of their data.

To optimize RFIs, vendors should focus on the following: 

1. Scope: All organizations struggle with budgets, so vendors must provide clarity and predictability in terms of time and cost.

2. Context: Providing client-specific context regardless of threat type, namely identifying whether the organization is a target of opportunity or the subject of a targeted attack.

3. Actionability: Recommendations may be technical, organizational, legal, or other, but they are critical to resolution.
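As an added illustration of the client-specific pipeline described in the opening section (multi-source data filtered to one organization, with overlapping vendor reports merged) and of the target-of-opportunity versus targeted-attack distinction under Context: this is example code written for this page, not code from the article or from Nisos, and the client profile, vendor names and feed records are all constructed.

```python
import ipaddress
from collections import namedtuple

# source = vendor/collection domain, kind = credential|scan|mention|domain
Record = namedtuple("Record", "source kind value context")

# Hypothetical client profile: the assets that make a record relevant.
CLIENT = {"domains": {"examplecorp.test"},
          "ip_ranges": [ipaddress.ip_network("203.0.113.0/24")]}

def is_relevant(rec, client=CLIENT):
    """Keep only records that touch the client's domains or address space."""
    v = rec.value.lower()
    if rec.kind == "scan":
        try:
            return any(ipaddress.ip_address(v) in n for n in client["ip_ranges"])
        except ValueError:
            return False  # malformed scanner record: drop rather than guess
    return any(d in v for d in client["domains"])

def assess(kind):
    """Client-specific context: swept up in mass collection, or singled out?"""
    if kind in ("credential", "scan"):
        return "target of opportunity"  # combolists and internet-wide scans are indiscriminate
    return "targeted"  # named in a closed forum, or impersonated via a lookalike domain

def triage(records, client=CLIENT):
    """Filter to the client, merge duplicate vendor reports, attach an assessment."""
    findings = {}
    for rec in records:
        if not is_relevant(rec, client):
            continue
        key = (rec.kind, rec.value.lower())
        f = findings.setdefault(key, {"kind": rec.kind, "value": rec.value,
                                      "context": rec.context, "sources": [],
                                      "assessment": assess(rec.kind)})
        f["sources"].append(rec.source)  # overlap across vendors becomes corroboration
    return sorted(findings.values(), key=lambda f: (f["assessment"], f["kind"]))

# Constructed sample feed; two vendors report the same leaked credential.
RAW = [
    Record("vendorA/paste", "credential", "jdoe@examplecorp.test", "combolist"),
    Record("vendorB/darkweb", "credential", "jdoe@examplecorp.test", "combolist"),
    Record("vendorA/scanner", "scan", "203.0.113.7", "RDP 3389 open"),
    Record("vendorA/scanner", "scan", "198.51.100.9", "RDP 3389 open"),
    Record("vendorB/forum", "mention", "seeking VPN access to examplecorp.test", "invite-only forum"),
    Record("vendorB/registry", "domain", "login-examplecorp.test", "newly registered"),
]
```

Running `triage(RAW)` drops the scan hit outside the client's ranges, folds the two credential reports into one finding with both sources, and labels the closed-forum mention and lookalike registration as targeted.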

Enterprises realize a prevention-only strategy to combat threats is not sufficient. They understand they must incorporate intelligence from all relevant intelligence domains. They realize that to achieve intelligence that is timely, relevant, and actionable they must combine organization-specific data with monitoring, analysis, and RFI services. This comprehensive approach will enable them to effectively counter today’s sophisticated adversaries.

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.