Thinking of threat intelligence as a contributing member of your security team

Threat intelligence is widely considered a significant asset for organizations, but implementing it within security operations can often be cumbersome. In this Help Net Security podcast recorded at RSA Conference 2019, Nicholas Hayden, Senior Director of Threat Intelligence at Anomali, talks about the intelligence-driven security operations center.


Here’s a transcript of the podcast for your convenience.

My name is Nicholas Hayden. I’m the Senior Director of Threat Intelligence for Anomali. Today, on Help Net Security, I will be talking about the year of the intel SOC.

I first want to start off by saying that everyone has been talking about threat intelligence for the last few years and it’s been a struggle to implement threat intelligence into people’s everyday normal operations. I took a step back to say why is this happening. Why is everyone hoping that they’ll get a tidbit of information that will lead them to some type of prevention of a security event?

One of the things that came to my attention is that everyone is hoping that they’re going to get lucky. I kind of broadened my perspective and said: what does this really mean? I had the opportunity to read a book called Competing Against Luck by Clayton M. Christensen. It talks more about product and why are you hiring this product or hiring this thing to do something for you.

That made me take a step back and say: What are people trying to do with threat intelligence? What is it? Then I decided I was going to write a job description for threat intelligence, and it very quickly led me to understand that, when you write this job description, you need to treat threat intelligence as another person coming into your SOC operations.

That led me to look at Tuckman’s strategy for group formation, which you start off by forming a group and then you move on to storming. Once all the personalities start to deconflict, you move into the normalization phase and then the performing. It’s my opinion that we as an industry, are really starting to move into that. About 2014, maybe give or take a few years, threat intelligence kind of came out to the market and that’s the norm. That’s the forming phase.

What is threat intelligence? “Oh, it’s exciting! Oh, it’s this new wonderful thing! It’s going to save your life! It’s going to fix everything! It’s the silver bullet of threat intelligence!” Although some of that may actually be true, what we’ve discovered in the industry is that that’s not always the case.

We then discovered that we had a hard time implementing it. So, we had this data, this is great, this is information, but what do we do with it? How do we implement threat intelligence in order to move us forward in our security operations maturity model? That was a struggle. You saw a lot of people start to push back on threat intelligence.

What threat intelligence ended up becoming really was a reactive way of understanding what was going on. I haven’t alerted my network, I’m going to go look at my threat intelligence to maybe identify what’s going on. It wasn’t really used for what the purpose of intelligence is.

We’d have to go back and look at the military strategy of what intelligence is. Intelligence is just a collection of data in order to drive some form of action, whether it be troop movement, whether it be dropping bombs somewhere. But really, it’s a gathering of information in order to force some form of action. That’s not what we’ve been using threat intelligence for. We’ve been really using it for a reactive purpose. This year I think we’re going to transform for that.

People are starting companies and starting to identify what threat intelligence really is. We’re moving away from that storming phase into the normalization phase, and some of the larger companies are starting to have a security operation center that’s starting to move up the maturity model.

As we progress up that maturity model, we’re starting to get that employee, that is threat intelligence, to start to be a contributing member to the company and to the team. From 2014 to 2016 we have the normalization. Everyone was jumping into the threat intelligence market, everyone was creating indicators of compromise or IOCs.

From 2016 into the first half of 2019 was a storming phase. “This is great! Why am I spending so much money on it? I’m not seeing my return on investment.” I think that paradigm is starting to shift over to the normalization. Maybe we don’t have to have all these intelligence feeds because they don’t pertain to us. Maybe we should stop, slow down and figure out what we actually want this contributing member to do for our team.

You start to identify what is the threat intelligence, what are you looking at that threat intelligence to do? It goes back to writing that position description of what is threat intelligence. Why am I hiring it? What is it? What is the purpose of it? Am I hiring a manager to come wash dishes at a restaurant? Probably not. Really, you’re trying to think about what it is you’re hiring: that product, that person that is threat intelligence, to do for your company. Once you identify that, I think that’s really where this year of the intel SOC is starting to come from.

What you’re going to see from this implementation strategy is, people are going to start writing these position descriptions because they don’t want to get lucky. They want to actually have it as a fully functional operating piece of their team, which is part of the Tuckman’s group of formation. Also, it relays back to Clayton M. Christensen, once you identify the purpose of the threat intelligence coming into your company and what your expectations are of it, from there just do an annual review, just like you would an employee. Is this meeting the mark? Is this doing it? Do we have to give it more attention? Maybe we’re not training it enough. It’s really thinking of threat intelligence as a person and contributing member of the team.

Where you’re going to start to see that come into play is with the addition of the MITRE ATT&CK strategy. People are going to be utilizing the MITRE ATT&CK in greater depth. The ATT&CK framework was used to describe the overall picture, a higher-level strategic approach to security. I think it’s going to migrate away from that to a more tactical approach, to help identify what’s going on. You’re still going to have that description piece, but it’s going to help you identify what’s going on in the network. You’re going to start seeing more of the technical implementation of the MITRE ATT&CK.

How is this particular tactic and technique being demonstrated in a network? What is the technical data that I can use to identify that? That’s what’s going to start coming out throughout this year’s security products. Once we start collecting that information, we’re going to be able to piece those pieces together.

We talked about intelligence, right? I’ll use my cat for an example. Intelligence is a collection of data and my cat, for whatever reason, if the water bowl is empty, he is going to jump up on the counter and drink out of any glass that has water in it. Historically, I’m collecting these data points. I’m understanding the fact that if A happens, which is the water bowl is empty, and B happens, that the glass is half empty or half full of water, the cat’s going to jump up and knock it and probably shatter the glass. If you relate that to what’s happening inside of our networks, it’s the same philosophy. If A happens, if we know that a particular threat actor group is doing A, and historically speaking, they’ve always done B, and you start to see one, you can statistically predict that the next piece is going to happen because of that data.

Now we’re truly starting to use threat intelligence data, historical data, as intelligence, and a way to drive some form of action. We have A and B, the probability of C that’s going to happen is going to have some statistic to it. So we should be looking for C. Maybe we don’t have a tool that can prevent C from happening, because there’s not a tool for every single technique that’s out there, but we should be at least figuring out a way to monitor and to identify whether or not C is going to happen, because the probability is there.

As you start to collect more and more of those data points, you can potentially see who your adversary is that’s coming at you, and potentially why they’re coming at you, because of that historical data that’s out there. That’s really why this is going to be the year of the intel SOC. We’re starting to identify that the teammate that we’ve brought on to our Intel security operations centers is starting to become a performing member of the team. We’re starting to integrate them closely into the team, with the help of the MITRE ATT&CK.

Now we’re going to start taking the reactive phase, that has been threat intelligence for the last four to five years, and turn it more into a proactive. For the next two to three years, you’re going to start seeing that normalization. Then again, in the next two to three years you’ll see the performance really start to ramp up. It is threat intelligence as a teammate.
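
Added example, not part of the podcast transcript: the "A and B happened, so watch for C" reasoning described above, as a small model that counts which ATT&CK technique historically followed the last two observed ones and which actor labels showed that pattern. The actor labels and intrusion histories are constructed sample data, and the function names are hypothetical.

```python
from collections import Counter, defaultdict

# Constructed history: ordered ATT&CK technique IDs from past intrusions,
# keyed by hypothetical actor labels. This is sample data, not real reporting.
HISTORY = [
    ("GROUP-A", ["T1566", "T1059", "T1003", "T1021"]),
    ("GROUP-A", ["T1566", "T1059", "T1003", "T1486"]),
    ("GROUP-A", ["T1566", "T1059", "T1003", "T1021"]),
    ("GROUP-B", ["T1566", "T1059", "T1041"]),
    ("GROUP-B", ["T1078", "T1021", "T1041"]),
]

def build_model(history, n=2):
    """Count which technique followed each run of n techniques, and by whom."""
    following = defaultdict(Counter)
    actors = defaultdict(Counter)
    for actor, seq in history:
        for i in range(len(seq) - n):
            context = tuple(seq[i:i + n])
            following[context][seq[i + n]] += 1
            actors[context][actor] += 1
    return following, actors

def predict(model, observed, n=2):
    """Return ({next_technique: P}, {actor: P}) given the last n observations."""
    following, actors = model
    context = tuple(observed[-n:])
    if context not in following:
        return {}, {}  # no matching history: nothing to predict from
    total = sum(following[context].values())
    return ({t: c / total for t, c in following[context].items()},
            {a: c / total for a, c in actors[context].items()})

def watchlist(model, observed, threshold=0.5, n=2):
    """Techniques worth monitoring next, even where no preventive tool exists."""
    techniques, _ = predict(model, observed, n)
    return sorted(t for t, p in techniques.items() if p >= threshold)

if __name__ == "__main__":
    model = build_model(HISTORY)
    seen = ["T1566", "T1059"]          # A and B observed in the network
    print(predict(model, seen))         # probabilities for C and for each actor
    print(watchlist(model, seen))       # what detection should look for next
```

The probabilities are only as good as the history behind them, so a context with one or two prior sightings should be treated as a hint for monitoring rather than as attribution.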
