Threat Intelligence: What's the day to day job like?
UnixGuy (Mod, Posts: 4,570)
I have little understanding of this area of work, and I want to know more.
I know that some vendors (FireEye?) have appliances that do Threat Intelligence, but I have no idea how this works or how we (IT pros) use it, and for what purpose?
Say for a big organisation that has a threat intelligence team or a CERT team with dedicated Threat Intelligence, what do they do?
And last question, what do you guys think of this new course? (I know this should go to the SANS forum but I didn't wanna start a new thread...)
https://www.sans.org/event/sydney-2016/course/cyber-threat-intelligence
Comments
ArabianKnight (Member, Posts: 278)
I am interested as well, trying to leverage my intel analyst background and my technical degree to get into this arena.
Problem is, as I have seen it, they really want your IT skills first as well as cyber security experience, and the intel background is more of a plus.
dustervoice (Member, Posts: 877)
I may appear as being negative here, but to me "Threat intelligence" is just a buzzword for RSS feeds. Unless you are a nation state with resources, how are you really going to find out who wants to attack you specifically? Most companies get all these RSS feeds about vulnerabilities but don't even know what assets they have, so they cannot correlate it to an actual risk. If you cannot map vulnerabilities to your assets, "threat intelligence" is nothing but noise.

Here is how I create my own threat intelligence: I have the responsibility to protect customer credit cards on a daily basis, so what I do is have my company apply for a few cards with low credit limits. Then I put those credit card details in our critical systems in plain text in RAM and have an alert system set up where I'm alerted if those cards are used. So if my company servers are infected with a RAM scraper and those cards are used, then I know for sure that my critical systems are hacked (might have gotten this idea from someone, can't recall). That's real intelligence!!! Not a bunch of RSS feeds filling up my inbox about technology that I don't even have. So essentially what I'm saying is that real intelligence you must build for yourself. I don't see the point of spending budget on threat feeds, communities, etc. when your infrastructure/webapps lack basic security controls.
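The canary-card monitoring dustervoice describes, as an added example (not code from the thread): it mints Luhn-valid decoy card numbers to seed into a system and then scans authorization log lines for any use of them, ignoring digit runs that are not real PANs. The issuer prefix, the log format and the sample lines are constructed assumptions.

```python
import re

def luhn_check_digit(partial: str) -> str:
    """Luhn check digit for a run of digits (the digit left of the check digit is doubled)."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)

def luhn_valid(pan: str) -> bool:
    return len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]

def make_canary(issuer_prefix: str, serial: int, length: int = 16) -> str:
    """Build a Luhn-valid decoy PAN from a (constructed) issuer prefix and a serial number."""
    body = f"{issuer_prefix}{serial:0{length - 1 - len(issuer_prefix)}d}"
    return body + luhn_check_digit(body)

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def extract_pans(text: str):
    """Yield normalised, Luhn-valid PANs found in a log line; other digit runs are noise."""
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            yield digits

def scan_log(lines, canaries):
    """Return (line_no, canary) for every line where a seeded decoy card is used."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in extract_pans(line):
            if pan in canaries:
                hits.append((n, pan))
    return hits

# Decoy cards seeded into the critical system (constructed prefix, not a real issuer BIN).
CANARIES = {make_canary("400000", 1), make_canary("400000", 2)}

# Constructed authorization log lines from a hypothetical gateway monitor.
SAMPLE_LOG = [
    "2016-03-01T10:15:02Z auth ok pan=4111111111111111 amount=42.00 merchant=coffee",
    "2016-03-01T10:16:40Z auth ok pan=4000 0000 0000 0028 amount=19.99 merchant=online-store",
    "2016-03-01T10:17:05Z auth declined pan=4000000000000010 amount=250.00 merchant=electronics",
    "2016-03-01T10:18:00Z heartbeat seq=1234567890123",
]

if __name__ == "__main__":
    for line_no, pan in scan_log(SAMPLE_LOG, CANARIES):
        print(f"ALERT: decoy card {pan} used (log line {line_no}); treat host as compromised")
```

Any hit on a decoy card is a high-confidence signal that the memory it was seeded into has been read and exfiltrated, regardless of whether the authorization succeeded.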
NightShade03 (Member, Posts: 1,383)
UnixGuy wrote: "I know that some vendors (FireEye?) have appliances that do Threat Intelligence, but I have no idea how this works or how we (IT pros) use it, and for what purpose? Say for a big organisation that has a threat intelligence team or a CERT team with dedicated Threat Intelligence, what do they do?"
Threat Intelligence is a very specific term, but it is approached differently by everyone. For orgs like FireEye, they are deploying their hardware appliances all around the world to different customers in order to "see" what comes in and goes out of their networks (duh). The Threat Intelligence portion comes in by taking all the alerts and events and pushing them to a central location where machine learning (hopefully) takes place to correlate the data and provide that threat intelligence back to their customers in the form of security rules, marketing reports, etc. Most of this is automated, with the manual part coming into play when their researchers dig deeper into advanced forms of whatever they collect.
CERT teams take a similar approach, but much of their correlation is built up by them instead of a vendor (again duh). They build scripts, tools, use different products, and their advanced knowledge to comb through several data sets and again provide their org with threat intelligence. It's the same principle as FireEye, but limited to what the CERT can either a) capture or b) pull in from external threat feeds.
Getting back to your original question of what the day job is like? It depends...
Are you looking at an analyst role where you'll be analyzing the data? An operations role where you bring all of the data together? A security role where you leverage the different security vendor tools to come up with alerts and false positives? There are several different angles you can take in these roles, but they all kind of come back to pulling data together, analyzing the data, filtering out noise, and providing additional security mechanisms to the organization.
There was a good article out recently (can't remember the source) that was talking about why machine learning and AI will never work for security. The basic gist of the article spells out how there are too many data points/variables for these types of technologies to ever be truly effective at protecting networks. I would agree with the sentiment and also add that Threat Intelligence is somewhat of a marketing term that falls into this category. The threat feeds and intel data provided by tools like FireEye and CERT teams will always help advance any org's security posture, allowing them to mitigate things, but they will almost always be reactive instead of proactive. If you have a new piece of malware there is nothing out there aside from manual inspection that can determine if it is good or bad. Tools like FireEye look at several data points + their threat intelligence data to automate that process, but there are still many false positives. The more data you pull in the better your intelligence and chances of catching something before it attacks, but this also goes back to money = security, which is almost never a reality. With enough money you can secure anything, rebuild anything, etc. etc.
Threat Intelligence in my opinion is more about adding insights and additional data points to security tools and procedures to help minimize false positives while enhancing the security posture of your organization. It is no more or less effective than the tools and the people powering it, though.
the_Grinch (Member, Posts: 4,165)
duster and NightShade nailed it on the head. Very big buzzword that ultimately means security monitoring. If you aren't in the military or government (in the US, State or Federal have intelligence analysts) or at a major security company, then no one is really doing threat intelligence. The idea is basically monitoring with a bit of a deeper analysis. You're looking for the tactics, techniques, and procedures of the person who is attacking you. There are open source feeds that you can use, but at the end of the day if you aren't actively analyzing, it does you no good.
The course content looks pretty good and I would definitely take it if I had the chance. You'll definitely learn a lot, but you also have to have the stools and procedures in place to actually catch these items.
WIP: PHP, Kotlin, Intro to Discrete Math, Programming Languages, Work stuff
ArabianKnight (Member, Posts: 278)
"stools and procedures"..... wow, they give you free stools!
dmoore44 (Member, Posts: 646)
It really depends on the organization and the resources they dedicate to the practice of gathering Threat Intelligence.
@dustervoice is somewhat correct in that TI is used as a marketing term and means nothing more than aggregation and tangential analysis of infosec RSS feeds and brand sentiment. This is a detrimental use of the term, as it sours TI consumers on the actual possibilities that TI can deliver.
More sophisticated orgs wishing to build out their TI capabilities tend to hire former IC analysts and collections managers and put them to work collecting and analyzing information as it applies to the various cyber actors, threat vectors, vulnerabilities, exploit code, and IoCs.
Graduated Carnegie Mellon University MSIT: Information Security & Assurance. Currently reading books on TensorFlow.