In recent blog posts I discussed the concept of Switch Targeting and the fundamentals of how adversaries use seemingly trusted hop points as vectors into and out of primary targets. I also introduced the concept of R3 (Readiness, Response, Resiliency), based on my experience in the field helping organizations position themselves to detect, from attack infrastructure intelligence, where these switch targets may be.
One of the main challenges occurring in the field is the aggregation (automation) and sharing of relevant intelligence that is both meaningful and actionable across the full life cycle of R3, particularly as organizations begin to migrate to intelligence-driven security operations. Kathleen Moriarty, Global Lead Security Architect, EMC Corporate Office of the CTO, in collaboration with my team and several practices within RSA, characterizes these challenges in the following ways:
- Shared data is difficult to act upon – Threat intelligence often delivers low value because the information lacks sufficient detail, is unverified or is not well-matched to an organization’s business needs (i.e., does not apply to the organization’s vulnerabilities, system configurations or information assets).
- High levels of manual processing required – Threat intelligence typically requires intensive processing by recipients (e.g., human sorting, cutting and pasting data between applications) to uncover what’s useful and make it actionable.
- Redundant effort – Each organization receiving threat data must often do its own processing and analysis of information, resulting in massive duplication of effort among recipients of security information.
- Scarcity of skilled resources to analyze threats – There are simply too few security experts available, considering the mountains of security data to be analyzed and the thousands of organizations needing their help.
- Poor linkages to security controls – Many threat-intelligence feeds are not integrated with security tools, creating delays in acting upon useful intelligence as controls await manual processing and activation by security experts.
- Remediation addresses symptoms but not the cause – Threat response may block URLs, change system configurations, or take other corrective steps to prevent harm, but these steps do not address the root cause of the threat that creates recurrent vulnerabilities.
What Kathleen has characterized is a long-standing challenge, even in the midst of an abundance of intelligence-sharing and collaboration initiatives within the security community. The question to ask should not be whether we are sharing or not, but rather whether we have the context and expertise to put threat intelligence to work for our organizations. Providing useful context is partly the responsibility of the organization providing threat intelligence, but it is largely the responsibility of the Security Operations Center (SOC).
Does your organization integrate threat intelligence into ongoing risk assessments for your highest value targets (HVT) and programs (HVP)? Does threat intelligence inform your understanding of cyber adversaries’ intent and targeting techniques in nuanced ways, beyond black-and-white indicators such as block lists? For instance, even though an Eigenvector attack infrastructure analysis may not reveal direct threats against your HVTs and HVPs, could potential hot spots indicate that adversaries are prepping your network for use as a trusted hop point in attacks on a business partner? Does your ability to collect and consume threat intelligence support that level of analysis?
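To make the kind of context the questions above ask for concrete, here is an added example of the automation step a SOC would put between a raw feed and its analysts. It is not code from the original post or from RSA/EMC; the inventory, indicator feed, connection log and scoring weights are all constructed sample data, and the asset roles ("hvt", "hvp", "standard") and partner links are assumed labels a CMDB would carry. The point it demonstrates is that an indicator only becomes actionable once it is joined to the assets it actually touches, and that a low-value host can still score highly when it is a potential hop point toward a business partner.

```python
"""Putting organizational context around a raw indicator feed.

Added example, not code from the original post or from RSA/EMC. The feed,
inventory, connection log and scoring weights are constructed sample data;
a real deployment would draw them from the TIP, the CMDB and flow logs.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    ip: str
    role: str                                   # "hvt", "hvp" or "standard" (assumed labels)
    software: set = field(default_factory=set)  # installed products, as the CMDB would list them
    partners: set = field(default_factory=set)  # business partners this host exchanges data with


# Constructed inventory (RFC 5737 documentation addresses, fictitious product names)
INVENTORY = [
    Asset("fin-db-01", "192.0.2.10", "hvt", {"examplesql 9"}),
    Asset("edi-gw-01", "192.0.2.20", "standard", {"examplevpn 3"}, {"partner-corp"}),
    Asset("kiosk-07", "192.0.2.30", "standard", {"browser 1"}),
]

# Constructed raw feed: the low-context records the post describes
FEED = [
    {"type": "ip", "value": "203.0.113.5", "label": "c2"},
    {"type": "software", "value": "examplevpn 3", "label": "actively exploited"},
    {"type": "ip", "value": "198.51.100.77", "label": "scanner"},
]

# Constructed outbound connection log: (source asset ip, destination ip)
CONNECTIONS = [
    ("192.0.2.20", "203.0.113.5"),
    ("192.0.2.30", "203.0.113.5"),
]

ROLE_WEIGHT = {"hvt": 3, "hvp": 3, "standard": 1}   # assumed weights
BASE_SCORE = {"ip": 2, "software": 3}               # assumed per-indicator-type base


def contextualize(feed, inventory, connections):
    """Join each indicator to the local assets it actually touches.

    Returns one record per (indicator, asset) pair, scored by the asset's role
    and bumped when the asset could serve as a hop point toward a partner.
    """
    by_ip = {a.ip: a for a in inventory}
    talked_to = defaultdict(set)
    for src, dst in connections:
        talked_to[dst].add(src)

    hits = []
    for ind in feed:
        if ind["type"] == "ip":
            # An IP indicator matters only if one of our hosts has contacted it
            assets = [by_ip[s] for s in talked_to.get(ind["value"], ()) if s in by_ip]
        elif ind["type"] == "software":
            # A software indicator matters only where that product is installed
            assets = [a for a in inventory if ind["value"] in a.software]
        else:
            assets = []
        for a in assets:
            score = BASE_SCORE[ind["type"]] * ROLE_WEIGHT[a.role]
            if a.partners:
                score += 2  # assumed bump: a foothold here risks a trusted partner
            hits.append({
                "indicator": ind["value"], "label": ind["label"],
                "asset": a.name, "role": a.role,
                "possible_hop_point_toward": sorted(a.partners),
                "score": score,
            })
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def unmatched(feed, inventory, connections):
    """Indicators with no local match: noise for this organization, not work."""
    matched = {h["indicator"] for h in contextualize(feed, inventory, connections)}
    return [i["value"] for i in feed if i["value"] not in matched]


if __name__ == "__main__":
    for hit in contextualize(FEED, INVENTORY, CONNECTIONS):
        print(hit)
    print("no local context:", unmatched(FEED, INVENTORY, CONNECTIONS))
```

With the constructed data, the HVT database never appears in the output at all, while the ordinary EDI gateway tops the list twice: it runs the exploited product and it has talked to the C2 address, and either finding is a path toward the partner it connects to. The scanner address, which no host has contacted, drops out as noise. That is the difference between a block list and context: the same three feed records, ranked by what they mean for this organization and its neighbours.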
Over the next few weeks we will be engaging in a more in-depth discussion of these challenges and proposed solutions. Stay tuned for more!
In my next post, I will continue the discussion on driving contextual intelligence within the R3 concept and the impact to the Next Generation SOC. If you’d like to hear more about R3 for advanced cyber defense, please listen to my recent webcast on the subject.