Threat intelligence: A buyer's guide


Table of Contents

Executive summary
1. Introduction
   The rise of digital business
   What is cyber threat intelligence?
   Common types of cyber threat intelligence
   What is new?
2. CATER
   Coverage
   Accuracy
   Timeliness
   Ease of integration
   Relevance
3. Summary
   Get a proof of concept and tell the world
End notes

Executive summary

Over the course of the last several years, cyber attacks have become more and more targeted in nature. Traditional attacks were largely indiscriminate, whereas today's attacks focus on specific individuals or organizations. These targets are often selected after a great deal of planning and reconnaissance has taken place over days, weeks, months and even years. The threats posed by these new types of attack have been compounded by the lower barrier to entry that the global adoption of social media, cloud and mobile technologies has introduced. Now, more than ever, organizations are seeking to understand which threat actors pose a viable threat to their assets and business operations. Gaining insight into this uncertain environment takes several steps, all of which can be informed by cyber threat intelligence (CTI).

The past three years have seen an explosion in new information security firms offering CTI. Many of these firms are traditional security vendors who have established intelligence products alongside their existing offerings. As a result there are many options to choose from, which often leads to confusion. The question then becomes: which providers should potential buyers turn to in order to gain a better understanding of their threats?

This paper provides an overview of the CTI market. It does so by looking at the rise of digital business and at the impact that threat intelligence has had on the market. Additionally, the paper outlines the fundamental characteristics of a CTI provider:

- Coverage
- Accuracy
- Timeliness
- Ease of integration
- Relevance

With our CATER checklist you can better understand these fundamental characteristics and make more informed decisions about which providers are best suited to your organization.

1. Introduction

The rise of digital business

We live in a complex world, which has transformed the way we do business and the way we live our day-to-day lives. The interaction of over three billion individuals [1] across multiple platforms has formed a new world: the world of digital business. [2] Social media, mobile computing and cloud services have increased the ease and speed of communication whilst simultaneously reducing its cost. As a result of these complexities and the advent of digital business, new threats are introduced to our enterprises. In this complex, volatile and uncertain world we are exposed to a range of people and organizations that present a threat, be they agenda-driven (hacktivists), organized criminals or nation states. These are some of the groups that are successfully penetrating traditional boundary defenses on a daily basis.

As these threats evolve, enterprises are evolving their defenses to respond to the changing landscape, placing an increasing emphasis on security controls that exist beyond the traditional perimeter. Many are focusing their efforts on building a threat intelligence capability. In doing so these organizations introduce a means to reduce the uncertainty they encounter within the threat landscape while also protecting themselves from data loss and targeted attack.

This is easier said than done. The market has been seeking a stable definition of what effective cyber threat intelligence (CTI) means. Specifically, there is confusion between data, information and intelligence. This is explored further in the following sections.

Cyber threat intelligence is characterized by many vendors in the market as a means of analyzing huge volumes of data, in multiple formats or indeed languages, across public and closed data sources. The objective of this analysis is to provide information in context that can mitigate a harmful event. If this information in context allows an enterprise to take some sort of direct action, it is possible to argue that it is intelligence.

This is by no means a trivial task. Many organizations simply lack the resources, skills, time and money to establish a meaningful in-house intelligence capability. [3] Consequently, they are turning towards external help to plug this capability gap. As more and more vendors bring cyber threat intelligence solutions and services to market, enterprises face a confusing picture when trying to select good-quality support that offers long-term value for money. As with many areas in security, there is no silver bullet for CTI, so a judicious assessment of the market should take place before choosing a CTI solution. We believe that the CATER model makes arriving at a decision about a CTI solution much easier.

The remainder of this paper explores the definition of threat intelligence, the different categories of threat intelligence present today, and the characteristics of a CTI provider.

What is cyber threat intelligence?

Business leaders are becoming increasingly aware of the value of CTI. Cyber threat intelligence enables organizations to make more informed and better decisions about policy-making, defensive controls and resource allocation. However, the increased interest in CTI across industry and the media is creating a significant amount of hype in the market. A major reason for this is that there is no consensus definition of CTI. Without an intelligible and consistent definition, CTI is at risk of fast becoming a buzzword.

At a high level, intelligence can be defined simply as information about the enemy. [4] This is a good starting point but, when definitions become more granular, problems with inconsistency and jargon soon arise. The most common of all is the failure to coherently differentiate between data, information, knowledge and intelligence. The difference between these terms is key to understanding the CTI market. Data refers only to observables and facts; it becomes information when context is added, and knowledge when meaning is given to that information. Within this context, intelligence is simply relevant and meaningful information.

Figure 1. Relationship between data, information, knowledge and intelligence

There is no single agreed universal definition of cyber threat intelligence; it means different things to different people. One useful definition came from a recent workshop held with a number of CTI vendors and was included in a paper released by the Bank of England:

Information about threats and threat actors that provides relevant and sufficient understanding for mitigating the impact of a [...] harmful event. [5]

This definition is useful in that it is broad enough to be applied to numerous different service offerings, and it helps differentiate raw data feeds from offerings that have value in the process of defending an organization or pre-empting an attack. However, given this breadth of definition, we must also look at what differentiates the various offerings.

Common types of cyber threat intelligence

Figure 2. Cyber threat intelligence market

Security monitoring intelligence

One of the most important types of threat intelligence is produced from within an organization itself. This is often referred to as security monitoring intelligence because it is derived largely from assets (network, gateway, endpoints, SIEM etc.) that already exist within the organization's enterprise environment. Examples include information obtained from existing SIEM capabilities, intrusion prevention systems or internal NetFlow. Internal DNS can give vital clues about who or what is communicating out of the network. Staff themselves can flag unexpected behaviours to a central reporting point. Converging this array of sources provides a cohesive view of the organization's risk posture.

Sharing communities

Sharing communities provide a great deal of value to individuals and organizations tasked with managing threat intelligence activities. These communities take many forms, from vetted private mailing lists and sponsored threat exchange environments to more structured organizations such as national Computer Emergency Response Teams (CERTs), sector or vertical CERTs, and Information Sharing and Analysis Centers (ISACs). Participating in these communities is critical to substantiating an organization's threat intelligence program.

External sources

The final type of threat intelligence is external sources, of which there are two types:

- Machine-oriented cyber threat intelligence
- Human-oriented and analyst-driven cyber threat intelligence

Machine-oriented cyber threat intelligence

This type of CTI focuses on providing organizations with machine-derived technical feeds. These are typically very structured, composed of data objects provided at scale and volume. The value of such feeds varies dramatically, as does the content delivered via the feeds themselves. Often these will be simple, regularly updated lists of IP addresses, domain names and MD5 hashes; more sophisticated versions deliver lists of indicators of compromise (IOCs). Good feeds can be timely and provide a firm basis for driving the configuration of key detection and protection actions in a network. Sometimes these feeds lack accuracy or offer an incomplete view.

Human-oriented and analyst-driven cyber threat intelligence

These sources are human-oriented and analyst-driven. They are most relevant to organizations that do not have dedicated in-house CTI teams. Such human-oriented sources eliminate more false positives and provide a more customized service focused on known facts and behaviours of threat groups and actors. Unlike machine-oriented CTI, these improve accuracy at the expense of timeliness and coverage.

What is new?

For decades enterprise organizations have sought new ways to inform themselves of the threats and risks they are exposed to. Many of these activities have been internally focused, including the generation of security intelligence through endpoint and network analysis, vulnerability analysis, penetration testing and incident response. Some organizations have started to explore their online exposure through the use of search engine technology, mining for information (so-called Google hacking). In this case, what is new about CTI?

There is an unprecedented scale and diversity of sources of cyber threat intelligence available to organizations today. Advances in technology such as cloud computing provide inexpensive computing resources that enable threat intelligence providers to collect and produce more intelligence at a lower cost. Other advances, such as those in data science, allow for better automation of processes that can infer meaning and improve relevance. Finally, continuing advances in intelligence sharing are driving the rise of integrated, automated and centralized security controls.

2. CATER

Characteristics of an external CTI provider

If organizations choose to embrace the advances in CTI and turn to external sources, it is essential that they select the vendor(s) that best address the organization's needs. Large organizations, for example, may have the resources to take on machine-generated feeds whereas some smaller organizations may not. Buyers of CTI are often overwhelmed by providers who either provide data feeds or have simply re-badged existing data feed services as cyber threat intelligence. In such a crowded industry, how can buyers ensure a vendor provides the intelligence an organization craves and not raw data or irrelevant information?

In order to pick through the noisy CTI industry, buyers should use CATER as a guide to assessing vendors across five characteristics:

- Coverage: how wide and how varied are the sources?
- Accuracy: how does the provider ensure my intelligence is free from cognitive biases and false alarms?
- Timeliness: how quickly will my organization receive an alert following an event, and how far back does the context go?
- Ease of integration: how well does the service integrate with my organization's existing services, and how does this ensure that action is taken?
- Relevance: how tailored is the service to my organization and its supply chain?

Coverage

Coverage is one of the most important characteristics of a threat intelligence provider. A provider that is able to ingest millions rather than thousands of unique domains will, understandably, be expected to generate more results. A provider that covers many sources will reduce the chance of threats going unnoticed. But coverage is about far more than volume: variety is just as important. The provider should have the capability to collect and ingest a wide range of source types, such as web and Internet services, a mixture of public and private forums, and a range of media types such as IRC chats and video. This variety is necessary in order to develop a better understanding of the threat environment. [6]

Neither quantity nor variety is possible without a broad language capability for unstructured information. Cyber threats are a global phenomenon, and a provider whose technology and analysts fail to process and analyse threats in languages such as Russian, Portuguese, Arabic and Mandarin Chinese will miss a significant quantity of relevant information. Many providers claim to offer superior coverage, but no single provider can claim to have the best coverage. [7] To get the best coverage it will be necessary to go with several providers who together offer the widest and most varied coverage.

Accuracy

Wide, varied and multilingual coverage is key, but it is not enough. Coverage must be balanced against the accuracy of the alerts. There is a deluge of automated data feeds from providers that focus on how a computer system has been compromised and the forensic remnants of the attack. Unfortunately these machine-generated data feeds are often overly technical, fail to give context and may be riddled with false positives. This leaves the burden on the consumer to sift the information for relevant content. Some providers also resell existing data feeds acquired from other parties. The result is a highly time-consuming, costly and overwhelming process for the organization.

For data to become intelligence it must be transformed into information, and then effort must be made to strip out the false positives and to prioritize and contextualize what remains. A balance ought to be found between machine-oriented, high-volume CTI and human-oriented, more curated and tailored CTI.

Accuracy is often impeded by cognitive biases and heuristics. It is therefore important to ensure that a provider employs a range of techniques to ensure the consistency and accuracy of the information. Where results are curated by an analyst, this should include systems to remove confirmation bias and mitigate other cognitive errors. [8] Good intelligence tradecraft has existed for many years, yet some providers take a purely technical view of the gathered intelligence without recognizing the importance of accurate and clear reporting.

According to the Ponemon Institute, 81% of respondents felt that the high false positive rate was one of the biggest problems of CTI.

Timeliness

The blend of coverage and accuracy must also be balanced against the timeliness of information. A managed service might succeed in removing false positives, but if the alerts are not timely they become redundant. For example, several providers produce thorough and expertly written reports which, despite being comprehensive pieces of analytical work, are received too late in the day to be considered actionable. In this hyper-connected world, information spreads quickly: 56% of those asked in a recent survey said that intelligence becomes stale within minutes or seconds. [9] Providers must be able to demonstrate that they understand dynamic, high-volume data sources such as Twitter, which are ingested at very high rates and produce intelligence that is relevant the moment it is collected. Buyers should expect a provider to be able to alert the client within 30 minutes of an event.

It is also useful to understand how far back in time a provider can go. The ability to spot malicious tweets from previous years, for example, can prove invaluable, just as understanding the historical behaviour of an IP address can provide valuable clues.

According to the Ponemon Institute, 84% of respondents felt that the dissemination of intelligence in a timely fashion was one of the biggest problems of CTI.
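Three of the CATER questions (coverage, accuracy and timeliness) can be measured rather than taken on trust once a proof of concept delivers a feed with timestamps. The script below is an added example, not part of the original paper or of any provider's tooling. The two feeds, the list of incident indicators and the known-benign set are constructed sample data; the 30-minute alerting window is the figure given above. Feed B is deliberately built as a re-badged copy of Feed A published hours later, the situation the Accuracy section warns about.

```python
"""Score machine-oriented CTI feeds on the measurable CATER questions:
coverage, accuracy (false positives, re-badged feeds) and timeliness."""
from datetime import datetime, timedelta, timezone
from statistics import median


def _ts(s):
    """Parse the ISO-8601 UTC timestamps used in the sample data."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sample feeds from two hypothetical providers. Each entry records the
# indicator, when the provider first observed it (event_time) and when it was
# delivered to the customer (published). None of these values are real indicators.
FEED_A = [
    {"value": "198.51.100.23", "event_time": "2015-05-20T09:50:00Z", "published": "2015-05-20T10:05:00Z"},
    {"value": "update.example-bad.test", "event_time": "2015-05-20T11:00:00Z", "published": "2015-05-20T11:20:00Z"},
    {"value": "203.0.113.77", "event_time": "2015-05-20T12:00:00Z", "published": "2015-05-20T18:00:00Z"},
    {"value": "cdn.example.com", "event_time": "2015-05-20T12:30:00Z", "published": "2015-05-20T12:40:00Z"},
]
# FEED_B republishes most of FEED_A hours later, as a re-badged feed would.
FEED_B = [
    {"value": "198.51.100.23", "event_time": "2015-05-20T09:50:00Z", "published": "2015-05-20T14:00:00Z"},
    {"value": "203.0.113.77", "event_time": "2015-05-20T12:00:00Z", "published": "2015-05-20T14:00:00Z"},
    {"value": "cdn.example.com", "event_time": "2015-05-20T12:30:00Z", "published": "2015-05-20T14:00:00Z"},
]
# Indicators confirmed malicious by the organization's own incident response (constructed).
INCIDENTS = [
    {"value": "198.51.100.23", "observed": "2015-05-20T10:30:00Z"},
    {"value": "update.example-bad.test", "observed": "2015-05-20T11:10:00Z"},
    {"value": "mail.example-bad.test", "observed": "2015-05-20T15:00:00Z"},
]
# Infrastructure the organization knows to be benign (its own CDN, for instance).
KNOWN_BENIGN = {"cdn.example.com", "www.example.com"}


def coverage(feed, incidents):
    """Share of indicators from confirmed incidents that the feed contained."""
    values = {e["value"] for e in feed}
    return sum(1 for i in incidents if i["value"] in values) / len(incidents)


def overlap(feed_a, feed_b):
    """Jaccard similarity of two feeds; close to 1.0 suggests one re-badges the other."""
    a = {e["value"] for e in feed_a}
    b = {e["value"] for e in feed_b}
    return len(a & b) / len(a | b)


def false_positive_rate(feed, known_benign):
    """Share of feed indicators that point at infrastructure we know to be benign."""
    values = {e["value"] for e in feed}
    return len(values & known_benign) / len(values)


def timeliness(feed, sla=timedelta(minutes=30)):
    """Lag between the provider observing an indicator and delivering it to us."""
    lags = [_ts(e["published"]) - _ts(e["event_time"]) for e in feed]
    return {
        "median_lag_minutes": median(lag.total_seconds() for lag in lags) / 60,
        "share_within_sla": sum(1 for lag in lags if lag <= sla) / len(lags),
    }


def lead_time_minutes(feed, incidents):
    """Per covered incident: minutes the feed arrived before we saw the activity ourselves
    (negative means the feed was published only after the incident was already visible)."""
    published = {e["value"]: _ts(e["published"]) for e in feed}
    return {
        i["value"]: (_ts(i["observed"]) - published[i["value"]]).total_seconds() / 60
        for i in incidents if i["value"] in published
    }


def score_feed(feed, incidents=INCIDENTS, known_benign=KNOWN_BENIGN):
    """Collect the measurable CATER figures for one feed."""
    return {
        "coverage": coverage(feed, incidents),
        "false_positive_rate": false_positive_rate(feed, known_benign),
        **timeliness(feed),
        "lead_time_minutes": lead_time_minutes(feed, incidents),
    }


if __name__ == "__main__":
    for name, feed in (("Feed A", FEED_A), ("Feed B", FEED_B)):
        print(name, score_feed(feed))
    print("Overlap A/B:", overlap(FEED_A, FEED_B))
```

Coverage measured this way is a lower bound (it only counts what your own team already found), but it is the figure that matters for your organization rather than the provider's global claims. A high overlap between two paid feeds is the signal to ask whether you are paying twice for the same upstream source; a negative lead time means the feed told you about an indicator after your own telemetry already had.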

Ease of integration

Two to three years ago, threat intelligence providers were pitting their services against one another. In a 2012 blog article Rick Holland of Forrester Research quipped that it was a case of "My threat intelligence can beat up your threat intelligence". [10] Now the situation is beginning to change amid a growing realization that no single provider can satisfy all of an organization's needs. No matter how advanced their offering may be, providers must demonstrate that they can integrate with other solutions.

The market still has room to mature, however. According to the SANS Institute there is a shortage of standards and interoperability around feeds, and context and detection may become more problematic as organizations add more sources of CTI to their detection and response programs. [11] Similarly, a recent study by the Ponemon Institute reported that 59% of respondents found that CTI does not integrate with their various security technologies. [12]

Providers will all have their own particular focus. Some will focus on technical data feeds, some on context and others on detection. As such, it is essential that a provider's solution has an API that can easily integrate with existing solutions and wider sharing communities such as FS-ISAC and CiSP, and that it utilizes standards such as OpenIOC and STIX.
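What "utilizes standards such as STIX" should mean in practice is that a feed can be consumed without vendor-specific glue and turned into something your own detection can act on. The following Python is an added example, not code from the paper or from any provider's API: it flattens a STIX 2.1 indicator bundle into plain IOCs and matches them against the internal DNS and NetFlow telemetry described under "Security monitoring intelligence". The bundle, its identifiers and the log lines are constructed for the example. The parser deliberately handles only the single-comparison subset of STIX patterns and reports compound patterns (AND/OR/FOLLOWEDBY) as skipped, so that nothing is silently dropped or mis-read.

```python
"""Flatten STIX 2.1 indicators into IOCs and match them against internal DNS and flow logs."""
import json
import re
from collections import namedtuple

IOC = namedtuple("IOC", "ioc_type value source_id confidence")


def _indicator(n, pattern, confidence):
    # Minimal STIX 2.1 indicator object for the constructed sample bundle.
    return {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
            "id": f"indicator--0d5a7f8a-6c9e-4b3a-9f2e-00000000000{n}",
            "created": "2015-05-20T10:00:00.000Z", "modified": "2015-05-20T10:00:00.000Z",
            "valid_from": "2015-05-20T10:00:00Z", "pattern": pattern, "confidence": confidence}


# Hypothetical provider response, constructed for this example; IDs and indicator
# values are illustrative and do not come from any real feed.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--0d5a7f8a-6c9e-4b3a-9f2e-000000000001",
    "objects": [
        _indicator(2, "[domain-name:value = 'Update.Example-Bad.test']", 80),
        _indicator(3, "[ipv4-addr:value = '198.51.100.23']", 60),
        _indicator(4, "[file:hashes.'SHA-256' = '" + "DEADBEEF" * 8 + "']", 90),
        # Compound pattern: outside the single-comparison subset parsed below, so it is reported as skipped.
        _indicator(5, "[url:value = 'http://198.51.100.23/a'] AND [ipv4-addr:value = '198.51.100.23']", 50),
        {"type": "malware", "spec_version": "2.1", "name": "example-loader", "is_family": False,
         "id": "malware--0d5a7f8a-6c9e-4b3a-9f2e-000000000006"},
    ],
})

# Constructed internal telemetry: resolver log (timestamp client "query" rrtype name)
# and outbound flow records (timestamp src dst dport proto).
DNS_LOG = """\
2015-05-21T08:14:02Z 10.0.4.17 query A update.example-bad.test
2015-05-21T08:14:05Z 10.0.4.17 query A www.example.com
2015-05-21T08:15:11Z 10.0.7.3 query A UPDATE.EXAMPLE-BAD.TEST.
"""
FLOW_LOG = """\
2015-05-21T08:14:03Z 10.0.4.17 198.51.100.23 443 tcp
2015-05-21T08:14:09Z 10.0.4.17 203.0.113.5 80 tcp
"""

# Single-comparison STIX patterns only: [object-type:property.path = 'literal'].
# Anything else (AND/OR/FOLLOWEDBY, qualifiers, other operators) is skipped explicitly.
_SIMPLE = re.compile(
    r"^\[\s*([a-z0-9-]+):"
    r"([A-Za-z0-9_-]+(?:\.(?:[A-Za-z0-9_-]+|'[^']+'))*)"
    r"\s*=\s*'([^']*)'\s*\]$"
)
_IOC_TYPES = {
    ("domain-name", "value"): "domain",
    ("ipv4-addr", "value"): "ipv4",
    ("url", "value"): "url",
    ("file", "hashes.MD5"): "md5",
    ("file", "hashes.'SHA-256'"): "sha256",
}


def _normalize(ioc_type, value):
    """Canonical form so feed values and log values compare equal (case, trailing dot)."""
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    return value.lower() if ioc_type in ("md5", "sha256") else value


def parse_stix_bundle(bundle_json):
    """Return (iocs, skipped_indicator_ids) for a STIX 2.1 bundle serialized as JSON."""
    iocs, skipped = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue
        m = _SIMPLE.match(obj["pattern"])
        ioc_type = _IOC_TYPES.get((m.group(1), m.group(2))) if m else None
        if ioc_type is None:
            skipped.append(obj["id"])
            continue
        iocs.append(IOC(ioc_type, _normalize(ioc_type, m.group(3)), obj["id"], obj.get("confidence", 0)))
    return iocs, skipped


def match_telemetry(iocs, dns_log=DNS_LOG, flow_log=FLOW_LOG):
    """Return (timestamp, internal host, IOC) for DNS lookups and outbound flows that hit an IOC."""
    by_type = {}
    for ioc in iocs:
        by_type.setdefault(ioc.ioc_type, {})[ioc.value] = ioc
    hits = []
    # (log text, IOC type it is checked against, index of the field holding the candidate value)
    for log, ioc_type, field in ((dns_log, "domain", 4), (flow_log, "ipv4", 2)):
        for line in log.splitlines():
            parts = line.split()
            ioc = by_type.get(ioc_type, {}).get(_normalize(ioc_type, parts[field]))
            if ioc:
                hits.append((parts[0], parts[1], ioc))
    return hits


if __name__ == "__main__":
    iocs, skipped = parse_stix_bundle(STIX_BUNDLE)
    print(f"{len(iocs)} IOCs loaded; skipped {skipped}")
    for ts, host, ioc in match_telemetry(iocs):
        print(f"{ts} {host} -> {ioc.ioc_type} {ioc.value} ({ioc.source_id}, confidence {ioc.confidence})")
```

Two details matter when doing this for real: normalization (the mixed-case domain with a trailing dot in the third DNS line still matches, and hashes are compared case-insensitively) and keeping the STIX indicator ID and confidence on every hit, so that an analyst can trace an alert back to the provider object that caused it and feed the result back to the provider, as the Relevance section below asks for.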

Relevance

The final and perhaps the most important characteristic of a threat intelligence provider is the relevance of its information. The intelligence an organization receives often covers threats to geographies or specific sectors. This is good, but it is not enough. The most valuable intelligence is that which is specific to an organization and its assets. Such tailored intelligence helps organizations understand how they appear or are discussed online.

With so many incidents to deal with, organizations are at risk of becoming overwhelmed by alerts. There should therefore be a mechanism in place for prioritizing alerts. [13] Alerts should be graded according to the severity of the threat and the urgency of remedial action. Through this tailored approach the organization has the opportunity to give feedback to the intelligence provider and improve the process. Such feedback mechanisms should not be perceived as an optional extra but as a fundamental feature of the service. The provider is there to help you understand your threats; the service should therefore be fully tailored to your organizational assets and requirements.

3. Summary

Get a proof of concept and tell the world

The CTI landscape has been obscured by hype, unrealistic expectations and inconsistency around key definitions. Coverage, accuracy, timeliness, ease of integration and relevance are fundamental characteristics of an external source of CTI. Using our CATER checklist can help you whittle down the market and pick out the signal from the noise. To get the best service, it may be necessary to go to more than one provider for the comprehensive coverage your organization needs. Furthermore, a successful threat intelligence capability will have a mix of internal, sharing and external sources.

Of course, it is only possible to see the true value of a CTI provider once the service begins. If you have any reservations, ask your provider for a proof of concept before signing up for a lengthy contract. You might have to pay for this, but it can be a great way of demonstrating value and making it easier to secure budget.

Last but not least, once you are in the favourable position of having a vendor or vendors that cater to your needs, make sure you share your findings. Communicating with your peers is key to cutting through the hype and making the most of cyber threat intelligence. Good luck.

End notes

1. Internet Live Stats, Internet users in the world, com/internet-users/ (last accessed 26th May 2015)
2. Gartner, Putting Digital Business to Work in 2015, October
3. Ponemon Institute, Intelligence Driven Cyber Defense, February
4. D. MacLachlan, Room 39: A Study in Naval Intelligence
5. Bank of England, CBEST Threat Intelligence Framework: Qualities of a threat intelligence provider
6. Bank of England, CBEST Threat Intelligence Framework: Qualities of a threat intelligence provider
7. Verizon, 2015 Data Breach Investigations Report, 2015
8. Digital Shadows, The dangers of groupthink, February
9. Ponemon Institute, The Importance of Cyber Threat Intelligence to a Strong Security Posture, March 2015
10. Rick Holland, My threat intelligence can beat up your threat intelligence, 22 May 2012
11. SANS, Who's Using Cyberthreat Intelligence and How?, February
12. Ponemon Institute, Intelligence Driven Cyber Defense, February
13. Bank of England, CBEST Threat Intelligence Framework: Qualities of a threat intelligence provider

About Digital Shadows

Digital Shadows is the only company to provide cyber situational awareness that helps organizations protect against cyber attacks, loss of intellectual property, and loss of brand and reputational integrity. Its flagship solution, Digital Shadows SearchLight, is a scalable and easy-to-use data analysis platform that provides a holistic view of your organization's digital footprint and the profile of its attackers. It is complemented with security analyst expertise to ensure extensive coverage, tailored intelligence and frictionless deployment.

digitalshadows.com
London: Level 39, One Canada Square, London, E14 5AB
San Francisco: 535 Mission St, Fl. 14, San Francisco, CA


Zak Khan Director, Advanced Cyber Defence

Zak Khan Director, Advanced Cyber Defence Securing your data, intellectual property and intangible assets from cybercrime Zak Khan Director, Advanced Cyber Defence Agenda (16 + optional video) Introduction (2) Context Global Trends Strategic Impacts

More information

Combating a new generation of cybercriminal with in-depth security monitoring

Combating a new generation of cybercriminal with in-depth security monitoring Cybersecurity Services Combating a new generation of cybercriminal with in-depth security monitoring 1 st Advanced Data Analysis Security Operation Center The Challenge Don t leave your systems unmonitored.

More information

Best Practices for Building a Security Operations Center

Best Practices for Building a Security Operations Center OPERATIONS SECURITY Best Practices for Building a Security Operations Center Diana Kelley and Ron Moritz If one cannot effectively manage the growing volume of security events flooding the enterprise,

More information

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales The Cost of Cybercrime Sony $171m PlayStation 3 data breach (April 2011) $3 trillion

More information

Attack Intelligence: Why It Matters

Attack Intelligence: Why It Matters Attack Intelligence: Why It Matters WHITE PAPER Core Security +1 617.399-6980 [email protected] www.coresecurity.com A Proactive Strategy Attacks against your organization are more prevalent than ever,

More information

A Primer on Cyber Threat Intelligence

A Primer on Cyber Threat Intelligence A Primer on Cyber Threat Intelligence AS ADVERTISED 2 BUZZWORD BINGO! 3 TODAY S CYBER SECURITY CHALLENGES CISOs finding it difficult to define security ROI to executives Short shelf life for CISOs Vastly

More information

How To Create An Insight Analysis For Cyber Security

How To Create An Insight Analysis For Cyber Security IBM i2 Enterprise Insight Analysis for Cyber Analysis Protect your organization with cyber intelligence Highlights Quickly identify threats, threat actors and hidden connections with multidimensional analytics

More information

SANS Top 20 Critical Controls for Effective Cyber Defense

SANS Top 20 Critical Controls for Effective Cyber Defense WHITEPAPER SANS Top 20 Critical Controls for Cyber Defense SANS Top 20 Critical Controls for Effective Cyber Defense JANUARY 2014 SANS Top 20 Critical Controls for Effective Cyber Defense Summary In a

More information

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective Reaching the Cloud era in the EU Riga 16 June 2015 Jonathan Sage Government and Regulatory Affairs Cyber Security

More information

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Eight Essential Elements for Effective Threat Intelligence Management May 2015 INTRODUCTION The most disruptive change to the IT security industry was ignited February 18, 2013 when a breach response company published the first research that pinned responsibility for Advanced Persistent

More information

Requirements When Considering a Next- Generation Firewall

Requirements When Considering a Next- Generation Firewall White Paper Requirements When Considering a Next- Generation Firewall What You Will Learn The checklist provided in this document details six must-have capabilities to look for when evaluating a nextgeneration

More information

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value.

SYMANTEC MANAGED SECURITY SERVICES. Superior information security delivered with exceptional value. SYMANTEC MANAGED SECURITY SERVICES Superior information security delivered with exceptional value. A strong security posture starts with a smart business decision. In today s complex enterprise environments,

More information

Concierge SIEM Reporting Overview

Concierge SIEM Reporting Overview Concierge SIEM Reporting Overview Table of Contents Introduction... 2 Inventory View... 3 Internal Traffic View (IP Flow Data)... 4 External Traffic View (HTTP, SSL and DNS)... 5 Risk View (IPS Alerts

More information

Detecting Anomalous Behavior with the Business Data Lake. Reference Architecture and Enterprise Approaches.

Detecting Anomalous Behavior with the Business Data Lake. Reference Architecture and Enterprise Approaches. Detecting Anomalous Behavior with the Business Data Lake Reference Architecture and Enterprise Approaches. 2 Detecting Anomalous Behavior with the Business Data Lake Pivotal the way we see it Reference

More information

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst

Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst ESG Brief Enterprise Organizations Need Contextual- security Analytics Date: October 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: Large organizations have spent millions of dollars on security

More information

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES Leonard Levy PricewaterhouseCoopers LLP Session ID: SEC-W03 Session Classification: Intermediate Agenda The opportunity Assuming

More information

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION

By John Pirc. THREAT DETECTION HAS moved beyond signature-based firewalls EDITOR S DESK SECURITY 7 AWARD WINNERS ENHANCED THREAT DETECTION THE NEXT (FRONT) TIER IN SECURITY When conventional security falls short, breach detection systems and other tier 2 technologies can bolster your network s defenses. By John Pirc THREAT HAS moved beyond

More information

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape

Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape White Paper Security for Financial Services: Addressing the Perception Gaps in a Dynamic Landscape Financial services organizations have a unique relationship with technology: electronic data and transactions

More information

Gaining the upper hand in today s cyber security battle

Gaining the upper hand in today s cyber security battle IBM Global Technology Services Managed Security Services Gaining the upper hand in today s cyber security battle How threat intelligence can help you stop attackers in their tracks 2 Gaining the upper

More information

Cyber Information-Sharing Models: An Overview

Cyber Information-Sharing Models: An Overview PARTNERSHIP Cyber Information-Sharing Models: An Overview October 2012. The MITRE Corporation. All rights reserved. Approved for Public Release. Case Number 11-4486. Distribution Unlimited. Table of Contents

More information

Cybersecurity Awareness for Executives

Cybersecurity Awareness for Executives SESSION ID: SOP-R04 Cybersecurity Awareness for Executives Rob Sloan Head of Cyber Content and Data Dow Jones @_rob_sloan Session Overview Aim: Provide a high level overview of an effective cybersecurity

More information

White Paper: Leveraging Web Intelligence to Enhance Cyber Security

White Paper: Leveraging Web Intelligence to Enhance Cyber Security White Paper: Leveraging Web Intelligence to Enhance Cyber Security October 2013 Inside: New context on Web Intelligence The need for external data in enterprise context Making better use of web intelligence

More information

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle

A Strategic Approach to Web Application Security The importance of a secure software development lifecycle A Strategic Approach to Web Application Security The importance of a secure software development lifecycle Rachna Goel Technical Lead Enterprise Technology Web application security is clearly the new frontier

More information

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were

More information

QRadar SIEM and FireEye MPS Integration

QRadar SIEM and FireEye MPS Integration QRadar SIEM and FireEye MPS Integration March 2014 1 IBM QRadar Security Intelligence Platform Providing actionable intelligence INTELLIGENT Correlation, analysis and massive data reduction AUTOMATED Driving

More information

CHAPTER 3 : INCIDENT RESPONSE THREAT INTELLIGENCE GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC

CHAPTER 3 : INCIDENT RESPONSE THREAT INTELLIGENCE GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC : INCIDENT RESPONSE THREAT INTELLIGENCE 1 THREAT INTELLIGENCE How it applies to our clients, and discuss some of the key components and benefits of a comprehensive threat intelligence strategy. Threat

More information

A Unified View of Network Monitoring. One Cohesive Network Monitoring View and How You Can Achieve It with NMSaaS

A Unified View of Network Monitoring. One Cohesive Network Monitoring View and How You Can Achieve It with NMSaaS A Unified View of Network Monitoring One Cohesive Network Monitoring View and How You Can Achieve It with NMSaaS Executive Summary In the past few years, the enterprise computing technology has changed

More information

Cyber intelligence exchange in business environment : a battle for trust and data

Cyber intelligence exchange in business environment : a battle for trust and data Cyber intelligence exchange in business environment : a battle for trust and data Experiences of a cyber threat information exchange research project and the need for public private collaboration Building

More information

Detect, Contain and Control Cyberthreats

Detect, Contain and Control Cyberthreats A SANS Whitepaper Written by Eric Cole, PhD June 2015 Sponsored by Raytheon Websense 2015 SANS Institute Introduction Dwell Time Relates to damage because the longer a system is compromised, the bigger

More information

WHITE PAPER OCTOBER 2014. Unified Monitoring. A Business Perspective

WHITE PAPER OCTOBER 2014. Unified Monitoring. A Business Perspective WHITE PAPER OCTOBER 2014 Unified Monitoring A Business Perspective 2 WHITE PAPER: UNIFIED MONITORING ca.com Table of Contents Introduction 3 Section 1: Today s Emerging Computing Environments 4 Section

More information

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT

ADDING NETWORK INTELLIGENCE TO VULNERABILITY MANAGEMENT ADDING NETWORK INTELLIGENCE INTRODUCTION Vulnerability management is crucial to network security. Not only are known vulnerabilities propagating dramatically, but so is their severity and complexity. Organizations

More information

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY Dean Frye Sourcefire Session ID: SEC-W05 Session Classification: Intermediate Industrialisation of Threat Factories Goal: Glory,

More information

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning

Niara Security Analytics. Overview. Automatically detect attacks on the inside using machine learning Niara Security Analytics Automatically detect attacks on the inside using machine learning Automatically detect attacks on the inside Supercharge analysts capabilities Enhance existing security investments

More information

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER

DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target

More information

REVOLUTIONIZING ADVANCED THREAT PROTECTION

REVOLUTIONIZING ADVANCED THREAT PROTECTION REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my

More information

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst ESG Brief The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst Abstract: ESG data indicates that many enterprise organizations

More information

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015 Cyber Threats Insights from history and current operations Prepared by Cognitio May 5, 2015 About Cognitio Cognitio is a strategic consulting and engineering firm led by a team of former senior technology

More information

Cyber Security Evolved

Cyber Security Evolved Cyber Security Evolved Aware Cyber threats are many, varied and always evolving Being aware is knowing what is going on so you can figure out what to do. The challenge is to know which cyber threats are

More information

Whitepaper. Advanced Threat Hunting with Carbon Black

Whitepaper. Advanced Threat Hunting with Carbon Black Advanced Threat Hunting with Carbon Black TABLE OF CONTENTS Overview Threat Hunting Defined Existing Challenges and Solutions Prioritize Endpoint Data Collection Over Detection Leverage Comprehensive Threat

More information

BIG SHIFT TO CLOUD-BASED SECURITY

BIG SHIFT TO CLOUD-BASED SECURITY GUIDE THE BIG SHIFT TO CLOUD-BASED SECURITY How mid-sized and smaller organizations can manage their IT risks and meet regulatory compliance with minimal staff and budget. CONTINUOUS SECURITY TABLE OF

More information

CyberReady Solutions. Integrated Threat Intelligence and Cyber Operations MONTH DD, YYYY SEPTEMBER 8, 2014

CyberReady Solutions. Integrated Threat Intelligence and Cyber Operations MONTH DD, YYYY SEPTEMBER 8, 2014 CR CyberReady Solutions Actionable Insight for the Digital Enterprise Integrated Threat Intelligence and Cyber Operations MONTH DD, YYYY SEPTEMBER 8, 2014 INTELLIGENCE-DRIVEN OPERATIONS The Game Has Changed

More information

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER

Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Tripwire Log Center NEXT GENERATION LOG AND EVENT MANAGEMENT WHITE PAPER Introduction A decade or more ago, logs of events recorded by firewalls, intrusion detection systems and other network devices were

More information

CSM-ACE 2014 Cyber Threat Intelligence Driven Environments

CSM-ACE 2014 Cyber Threat Intelligence Driven Environments CSM-ACE 2014 Cyber Threat Intelligence Driven Environments Presented by James Calder Client Services Manager, Singapore 1 CONTENTS Digital criminality Intelligence-led security Shylock case study Making

More information

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL WHAT IS CDM? The continuous stream of high profile cybersecurity breaches demonstrates the need to move beyond purely periodic, compliance-based approaches to

More information

Big Data Integration: A Buyer's Guide

Big Data Integration: A Buyer's Guide SEPTEMBER 2013 Buyer s Guide to Big Data Integration Sponsored by Contents Introduction 1 Challenges of Big Data Integration: New and Old 1 What You Need for Big Data Integration 3 Preferred Technology

More information

Addressing Big Data Security Challenges: The Right Tools for Smart Protection

Addressing Big Data Security Challenges: The Right Tools for Smart Protection Addressing Big Data Security Challenges: The Right Tools for Smart Protection Trend Micro, Incorporated A Trend Micro White Paper September 2012 EXECUTIVE SUMMARY Managing big data and navigating today

More information

Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity

Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity Threat Intelligence for Dummies Karen Scarfone Scarfone Cybersecurity 1 Source Material Threat Intelligence for Dummies ebook Co-authored with Steve Piper of CyberEdge Group Published by Wiley Sponsored

More information

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC WHITE PAPER Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC www.openioc.org OpenIOC 1 Table of Contents Introduction... 3 IOCs & OpenIOC... 4 IOC Functionality... 5

More information

IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY MONITORING

IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY MONITORING IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY How runtime application security monitoring helps enterprises make smarter decisions on remediation 2 ABSTRACT Enterprises today

More information

FIVE PRACTICAL STEPS

FIVE PRACTICAL STEPS WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND

More information

CyberArk Privileged Threat Analytics. Solution Brief

CyberArk Privileged Threat Analytics. Solution Brief CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect

More information

Open Source Software for Cyber Operations:

Open Source Software for Cyber Operations: W H I T E P A P E R Open Source Software for Cyber Operations: Delivering Network Security, Flexibility and Interoperability Introduction For the last decade, the use of open source software (OSS) in corporate

More information

How To Protect Your Network From Attack From A Network Security Threat

How To Protect Your Network From Attack From A Network Security Threat Cisco Security Services Cisco Security Services help you defend your business from evolving security threats, enhance the efficiency of your internal staff and processes, and increase the return on your

More information