Saturday, February 08, 2014

Red Sky Weekly (2/8/14): We NEED Intel!


We hear this a lot, and at the same time I know for a fact that even if I gave it to them, they wouldn't know what to do with it! Last week I met with several companies; one of them was a five-person company, another had 30,000 people. The five-person company had the ability to ingest intel. The 30,000-person company did not... but they wanted it in the worst way. They just didn't know why.

An organization's ability to consume, process, and actually use threat intelligence is directly proportional to the maturity of their information security processes. Let me explain.

To talk about the high end of the maturity model, let's use CMMI-CYBER for kicks. CMMI uses a maturity model that runs from none (no process at all) up through Level 5: optimized and automated.

At maturity Level 5, APT is just another thing. At Level 1, companies know about it, but have never really done anything about it.

So here's what I know... at L5, companies want enormous amounts of data. They inspect and analyze everything. No packet goes unscrutinized, and every link and attachment is checked before entering the networks. These guys don't use your father's security tools. They use high speed, home-grown sensors on their networks because they don't trust the tech in stuff you buy (nor should you!), and the idea of evaluating EVERYTHING that enters or leaves the network becomes a reality... all while keeping users happy and clicking away (it's gonna happen!). This is maturity in Information Security. It occurs when APT events become the new normal.

L5s use an assortment of these home-grown proprietary tools that allow them to look into even the darkest corners of their networks. They know their network. They know how and when changes occur and how those changes affect operations. These guys need data. Intelligence keeps their blood flowing. SOC members at L5 companies compare data in their networks to intelligence and IOCs in real time. They realize that the IP address they're looking at both serves up DNS and, at the same time, opens a hole in their network. How that address is used is context. How it's going to be used in the future is intelligence. Intelligence matters because that L5 company will evaluate every piece of information it gets in order to manipulate and defend its network. L5 companies are efficient. They're constantly watching their external environment to know how it will affect their internal one.

L1 companies, on the other hand, don't monitor their network. They rely on their "firewall" and maybe they have anti-virus running on most machines. Grandpa, who runs the company, believes he's safe. Like a moonshiner sitting on the porch with a shotgun, he knows that that 10-year-old firewall protects his largely flat network. It's funny. On the train back from NY the other night, I watched a guy write a presentation. I couldn't help it. He was a big-4 consultant working on the train. He was writing a document on mobile use in the enterprise... on his Windows XP machine. He'd been onsite at a customer location, and worked over remote access to his employer, on a machine whose operating system was never built for security! This guy was remoting home on a KNOWN COMPROMISED VPN. The L1 company doesn't need intelligence. They wouldn't know what to do with it. They're issuing laptops with insecure operating systems. Their networks are undoubtedly unmonitored. Certainly the VPNs weren't (spoiler alert... it's one of the favorite vectors of entry!). L1 companies rely on others for security. They don't need intelligence. They need information, training, and maybe a little help.

At lower levels of maturity, companies make the mistake of becoming voracious consumers of IOCs. The IOCs get loaded into defenses, or they'll get loaded into individual hosts (computers) until users scream because their systems are slow. Don't confuse hash values, IP addresses, SSDeep hashes, and regex strings with intelligence. They may be, but consumers of these IOCs need to know the difference and how to use them effectively. That difference comes from maturity, and if you don't have it, or don't know where to get it, you're headed for a life of trial and error and whack-a-mole... (a problem pops up and you whack it... over and over and over and over...)

Intelligence is analyzed information that aids decisions about the future.
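As an added example (not Red Sky's code or tooling) of the distinction drawn above, the same indicator set is matched against log lines, and hits that carry context are separated from bare values an analyst still has to characterise before they mean anything. All indicators, addresses, hashes and log lines here are constructed sample data.

```python
"""Indicator matching with and without context (added illustration)."""
import re
from dataclasses import dataclass, field


@dataclass
class Indicator:
    kind: str                                      # "ip", "sha256" or "regex"
    value: str
    context: dict = field(default_factory=dict)    # what we know about it, if anything


# Constructed indicator set: one IP comes with context (observed role, confidence,
# first-seen date), the other is a bare value with nothing attached.
INDICATORS = [
    Indicator("ip", "203.0.113.45",
              {"role": "C2 over DNS", "confidence": "high", "first_seen": "2014-01-20"}),
    Indicator("ip", "198.51.100.7", {}),           # bare IOC: no context at all
    Indicator("sha256", "e3b0c442" * 8, {"role": "downloader", "confidence": "medium"}),
    Indicator("regex", r"/wp-content/uploads/[a-z0-9]{8}\.php",
              {"role": "webshell path", "confidence": "low"}),
]

# Constructed, syslog-style lines a SOC might compare against the set.
SAMPLE_LOGS = [
    "2014-02-07T10:01:12 dns query from 10.0.0.5 to 203.0.113.45 name=update.example",
    "2014-02-07T10:02:44 proxy 10.0.0.9 GET /wp-content/uploads/ab12cd34.php",
    "2014-02-07T10:03:01 dns query from 10.0.0.5 to 198.51.100.7 name=example.net",
    "2014-02-07T10:03:59 av file sha256=" + "e3b0c442" * 8 + " host=10.0.0.9",
]


def _contains(line: str, value: str) -> bool:
    """Token-exact match, so 198.51.100.7 does not also hit 198.51.100.70."""
    return re.search(r"(?<![\w.])" + re.escape(value) + r"(?![\w.])", line) is not None


def match(line: str, indicators=INDICATORS):
    """Return every indicator that hits this line, context still attached."""
    hits = []
    for ind in indicators:
        if ind.kind == "regex" and re.search(ind.value, line):
            hits.append(ind)
        elif ind.kind != "regex" and _contains(line, ind.value):
            hits.append(ind)
    return hits


def triage(lines, indicators=INDICATORS):
    """Split hits into actionable (have context) and bare (need an analyst first)."""
    actionable, bare = [], []
    for line in lines:
        for ind in match(line, indicators):
            (actionable if ind.context else bare).append((line, ind))
    return actionable, bare
```

A bare hit tells you only that a value was seen; the context on the other hits is what lets the SOC decide whether to block, watch, or escalate.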

Do you need IOCs for your UTMs, IPSs, HIPS or DLP? Are you evaluating PCAP and need context? Are you preparing to open a conversation with your CIO or CEO? Or are you working on your current posture, trying to figure out what to do next? There's intelligence supporting decision-making in all of these scenarios. In every case, intelligence will help you evaluate your current posture, identify the gaps in that posture, and make decisions about how to move forward.


I spent last week on the road, and the team was flat out. We're chugging through a nearly 4T chunk of data in a triage experiment, at the same time, writing reports for the FS-ISAC and Red Sky Alliance. We're a small team. We love being busy. I had the opportunity to present to the Vigitrust team in Manhattan. Fun day!

Inside Red Sky...
  • This week we held our monthly threat call. Jump on the call and interact directly with other analysts. We hold weekly sessions by phone to understand priorities, but once every month we jump into a deeper dive of some of the reporting that's been posted.
  • Sykipot resurfaced. Older versions still show up now and again.
  • One of our interns profiled yet another group of attackers.
Upcoming? We're hosting our quarterly threat day in Boston in March. We've invited the National Security Fellows from the Harvard Kennedy School to have cocktails with the membership during the night before. There are probably better names, but we call it Booz'n and Brainstorm'n. The NSFs are asked to bring a couple of hard problems to generate conversation. Our members will do the same. The NSFs are heading into influential positions in government. Our members are influential people in the security space, and do share a lot with the government. This should be a great night. We're hosting the "BnB" at the Harvard Club of Boston, with threat day held, for the first time, at a local hotel in Boston.

Enough for now.
Have a great week!