Additionally, the faster we can get ahead of or identify the threat, the more pain we put back on
the attacker: it forces them to change and re-establish infrastructure. Finished intelligence
reports, while valuable, have already reached a conclusion or established a known
result about a specific tactic, technique and procedure. In the time it takes for this
information to be validated, vetted, decomposed and released, the adversary has already
achieved some degree of their objective.

To take advantage of threat intelligence, an organization needs to develop a competency and a
complementary technology set that drive efficiency and effectiveness in taking atomic threat
indicators and rapidly reducing and/or hardening the attack surface and the overall potential
impact, based on the risk these indicators present.


This approach still leverages more finished products, such as human-verified and vetted threat
intelligence and threat research; however, threat intelligence must provide a tipping and
cueing mechanism that attempts to move at the speed of the constantly evolving and fluid
threat landscape. Moving and adapting at that speed requires us to accept that we won't
always have the detailed answers, or at least not immediately. Using these varying and at
times loose, but telling, information sets can truly move us from a reactive posture into a
more adaptive and dynamic one.


The challenge with indicators as a threat information source is that they are numerous and
change rapidly. Therefore, we need the industry to adapt the technology sets used to protect
and defend our networks and assets. These technology sets will need to be updated in near
real time and support extremely large enforcement policies that change at an unprecedented
frequency. So, as in any industry, we must develop a competency to understand what this next
generation of devices needs to support.

What may have been presented as a high-risk element, signaled by an indicator, may no
longer be in use by the time you even process the original indicator. This dynamic nature
requires many different technology-driven mechanisms to handle the confidence of the
indicator, but there also must be organizational competency to assess what the information
is reporting and to determine whether that indicator poses a current or historical risk.

Even if the indicator is no longer of high confidence, understanding the timeframe in which it
did pose a threat, and whether an enterprise asset communicated with that entity during it, is crucial
information. So intelligence is not just a forward-leaning capability, but one that can have
great historical value. Our own internal incident response data can be coupled with these
external indicators for an even more relevant and responsive information set.
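The two paragraphs above describe the mechanism without showing it: an indicator carries a window in which it was known bad, its confidence decays once it goes quiet, and the same indicator can flag a live risk or a historical one depending on when an asset talked to it. The following is an added example (not from the article) that implements that triage over constructed connection records; the seven-day half-life, the 0.5 threshold, the `Indicator` fields and the host and domain names are all illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: confidence halves every 7 days after last_seen (illustrative).
HALF_LIFE = timedelta(days=7)

@dataclass(frozen=True)
class Indicator:
    value: str            # the entity, e.g. a domain or IP
    first_seen: datetime  # start of the window in which it was known bad
    last_seen: datetime   # last time it was confirmed active
    confidence: float     # 0.0 to 1.0, as reported at last_seen

def current_confidence(ind: Indicator, now: datetime) -> float:
    """Decay confidence after last_seen so stale indicators stop firing."""
    age = now - ind.last_seen
    if age <= timedelta(0):
        return ind.confidence
    return ind.confidence * 0.5 ** (age / HALF_LIFE)

def assess(ind: Indicator, connections, now: datetime, threshold=0.5):
    """Classify each (timestamp, asset, destination) record that touched the
    indicator's entity as 'current' (live risk), 'historical' (the asset spoke
    to it while it was known bad; IR review) or 'pre-window' (predates intel)."""
    findings = []
    for ts, asset, dst in connections:
        if dst != ind.value:
            continue
        if ts < ind.first_seen:
            cls = "pre-window"
        elif ts <= ind.last_seen or current_confidence(ind, now) < threshold:
            cls = "historical"  # decayed contact still matters for forensics
        else:
            cls = "current"
        findings.append((asset, ts, cls))
    return findings

# Constructed sample data, not from any real feed or log.
C2 = Indicator("c2.example.invalid", datetime(2014, 7, 1),
               datetime(2014, 7, 20), confidence=0.9)
NOW = datetime(2014, 7, 25)   # constructed "current time" for the demo
LOG = [
    (datetime(2014, 6, 15), "host-a", "c2.example.invalid"),
    (datetime(2014, 7, 10), "host-b", "c2.example.invalid"),
    (datetime(2014, 7, 22), "host-c", "c2.example.invalid"),
    (datetime(2014, 7, 15), "host-d", "benign.example.invalid"),
]

if __name__ == "__main__":
    for asset, ts, cls in assess(C2, LOG, NOW):
        print(f"{ts:%Y-%m-%d} {asset} -> {C2.value}: {cls}")
```

Run the same records against a later `now` and the host-c contact drops from `current` to `historical`, which is the point of the passage: the enforcement decision changes with time, but the record of who talked to the entity keeps its forensic value.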

As the threat intelligence market matures, there will be many more losers than winners. The
legacy security players are being given another chance to retool their technologies of the
past and provide more intelligence-centric capabilities.

As an organization looking to leverage threat intelligence, remember that your people are the
intelligence creators. Machines can provide the critical information you need about the
outside threat landscape; your people convert that information into relevant organizational
intelligence that lets you better adapt and defend your organization.





36 Cyber Warnings E-Magazine – August 2014 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide