The dangers of bad cyber threat intelligence programs
I love a surprise ending in a movie. Whether I’m watching drama, action, or sci-fi, there’s nothing better than a plot twist you can’t predict.
At work, however, I feel the exact opposite. Movies are one thing, but surprise endings in the real world are rarely as welcome or harmless. Much has been written about cyber threat intelligence (CTI), including proposed standards on how to share the information (e.g., TAXI and STIX), what the information should look like, what role governments and private industries play as key stakeholders of information, and how actionable the intelligence should be, what formats they should be published, etc. In the U.S., the Federal Financial Institutions Examination Council (FFIEC) is asking member financial institutions to seriously consider adding CTI as one of the key attributes of their overall risk management strategies.
While I largely agree with the need for academic solutions, in many cases these programs introduce more questions and unknowns into an organization’s security environment. To date, there hasn’t been enough discussion about the key success criteria of a CTI program or enough documentation about its potential risks.
I’ll attempt to remedy that below by outlining four key areas where a CTI program can actually harm your organization by exposing vulnerabilities, a surprise ending neither welcome nor easily remedied.
CTI vulnerability 1: Failure to establish bona fides
Many of my security brethren believe deeply in sharing all information available, but they don’t seem to understand the potential threat of doing so. We don’t need to look far for a powerful analogy: The lessons honed over the centuries by key nation-state intelligence-gathering apparats. These programs work in an effective manner because they establish how worthy the information is. Nation-states have learned, often the hard way, to understand the worthiness of the intelligence they’ve gathered and to tag the data based on its source and methods used in collecting it.
In fact the military definition of bona fides is:
1. The lack of fraud or deceit: a determination that a person is who he/she says he/she is.
2. In personnel recovery, the use of verbal or visual communication by individuals who are unknown to one another, to establish their authenticity, sincerity, honesty, and truthfulness.
The military and intelligence community have relied on bona fides because simply trusting information because we want to believe it is fraught with potential failures. As a result, most security organizations have a process to evaluate the bona fides of the information they collect to protect themselves from low-quality or purposely false information. This system requires trust and has produced much of the classified information in government today.
We also hear a lot about a Pollyanna, almost innocent cry for the sharing of data, as if open sharing of information will enable us to reach a higher state of awareness and a higher level of security. History begs to differ.
Free information sharing services would likely be the least reliable. Meanwhile organizations that could afford to pay for high-quality, highly vetted, and actionable intelligence would obtain the best level of CTI in the industry.
CTI vulnerability 2: Ethno-centric information and not enough data points
There are, of course, other fallacies of a highly functioning CTI program:
- Government-provided data is trustworthy.
- Government-provided data is good enough and covers enough.
- There is no risk to government-sourced data.
Data derived by one nation-state is skewed to that nation-state and is qualified for the threat to the resident nation-state. As a result, the information may serve some companies well, but not all. Why?
The closer a company works with one nation-state, the less likely others will follow as they don’t want to risk losing their own data to another nation-state through that company. For example, if a company works closely with the U.S., it stands that intel from China and Russia will be hard to come by. But even countries like Switzerland, Canada, Germany, and France have publicly stated reservations on information-sharing with the U.S.
Data from a nation-state has numerous restrictions and is mired by many laws and quagmires on gathering information or releasing the data. As a result, the data may be non-actionable, may have been altered in some way to benefit the nation-state, or may not be available at all. In any of these scenarios, threats to the company come from relying either too heavily or too centrally on government-driven data.
CTI vulnerability 3: Failure to establish “backout” criteria
Imagine a bad guy acting as a good guy shares hot information with a security community, and advocates certain actions, such as the onboarding of certain signatures, changes in configurations, automating a certain defense, etc. If executed successfully, companies would be implementing security protocols and initiatives that, instead of protecting themselves against the supposed threats, play right into the hands of the bad guy. These perpetrators now have a wonderful new way to quickly open up an industry or set of companies.
CTI vulnerability 4: The system is too automated (or too manual)
A proper CTI program needs a key decider to determine whether the information is relevant for your organization, not for an industry or particular technology. This is a necessary step in the process that’s often overlooked when the industry discusses fast implementations. Either the system is automated and brushes past the issue, or conversely, builds complicated change-management profiles to implement changes, negating the whole point of actionable and fast-moving CTI.
In the end, the information security function has taken on more roles and responsibilities, including intelligence gathering and risk weighting. These new functions act more like modern day war-fighting functions, and we’d all be advantaged to learn the deep historic lessons of nation-state intelligence organizations before standing up well-heeled intelligence functions or CTI ourselves.
Modern day CTI must evolve to include the following key attributes – a process to understand what information needs to be harvested, such as:
- Technical – Tools, techniques, types.
- Source / Attacker Profile
- Destination / Victim Profile
- Trajectory Data – In transit
As you can tell from the list above, today’s way of looking at the data sharing conundrum is flawed and needs to evolve. You must evolve too! That way, you can better avoid a surprise ending.