We hear this a lot, and at the same time, I know for a fact that even if I gave it to them, they wouldn't know what to do with it! Last week I met with several companies; one of them was a five-person company, another, 30,000. The five-person company had the ability to ingest intel. The 30,000-person company did not... but they wanted it in the worst way. They just didn't know why.
An organization's ability to consume, process, and actually use threat intelligence is directly proportional to the maturity of their information security processes. Let me explain.
Let's use CMMI-CYBER for kicks. CMMI uses a maturity model that runs from none at the bottom through Level 5, optimized and automated, at the top.
At maturity Level 5, APT is just another thing. At Level 1, companies know about it, but have never really done anything about it.
So here's what I know... at L5, companies want enormous amounts of data. They inspect and analyze everything. No packet goes unscrutinized, and every link and attachment is checked before it enters the network. These guys don't use your father's security tools. They use high-speed, home-grown sensors on their networks because they don't trust the tech in the stuff you buy (nor should you!), and the idea of evaluating EVERYTHING that enters or leaves the network becomes a reality... all while keeping users happy and clicking away (it's gonna happen!). This is maturity in information security. It occurs when APT events become the new normal.
L5s use an assortment of these home-grown proprietary tools that allow them to look into even the darkest corners of their networks. They know their network. They know how and when changes occur and how those changes affect operations. These guys need data. Intelligence keeps their blood flowing. SOC members at L5 companies compare data in their networks to intelligence and IOCs in real time. They realize that the IP address they're looking at both serves up DNS and, at the same time, opens a hole in their network. How that address is used is context. How it's going to be used in the future is intelligence. Intelligence matters because that L5 company will evaluate every piece of information it gets to manipulate and defend its network. L5 companies are efficient. They're constantly watching their external environment to know how it will affect their internal one.
L1 companies, on the other hand, don't monitor their network. They rely on their "firewall," and maybe they have anti-virus running on most machines. Grandpa, who runs the company, believes he's safe. Like a moonshiner sitting on the porch with a shotgun, he knows that that 10-year-old firewall protects his largely flat network. It's funny. On the train back from NY the other night, I watched a guy write a presentation. I couldn't help it. He was a big-4 consultant working on the train. He was writing a document on mobile use in the enterprise... on his Windows XP machine. He'd been onsite at a customer location and worked over remote access to his employer, on a machine whose operating system was never built for security! This guy was remoting home over a KNOWN COMPROMISED VPN. The L1 company doesn't need intelligence. They wouldn't know what to do with it. They're issuing laptops with insecure operating systems. Their networks are undoubtedly unmonitored. Certainly the VPNs weren't (spoiler alert: it's one of the favorite vectors of entry!). L1 companies rely on others for security. They don't need intelligence. They need information, training, and maybe a little help.
At lower levels of maturity, companies make the mistake of becoming voracious consumers of IOCs. The IOCs get loaded into defenses, or loaded into individual hosts (computers) until users scream because their systems are slow. Don't confuse hash values, IP addresses, ssdeep hashes, and regex strings with intelligence. They may be, but consumers of these IOCs need to know the difference and how to use them effectively. That difference comes from maturity, and if you don't have it, or don't know where to get it, you're headed for a life of trial and error and whack-a-mole (a problem pops up and you whack it... over and over and over and over...).
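To make the difference concrete, here is an added example (not code from the original post) that runs a few constructed proxy log lines against a constructed indicator list two ways: the whack-a-mole way, where every match is an alert, and the way an L5 SOC would, where each indicator carries context, a confidence score and an expiry, and each alert explains why it matters. All indicator values, log lines and field names are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date
import re


@dataclass
class Ioc:
    kind: str         # "ip" or "regex"
    value: str
    context: str      # how the indicator was being used when it was observed
    confidence: int   # analyst confidence, 0-100
    expires: date     # when the indicator stops being worth acting on


# Constructed indicators with constructed context (not real IOCs)
IOCS = [
    Ioc("ip", "203.0.113.45", "C2 beacon over HTTPS, active in the last 14 days", 90, date(2024, 12, 31)),
    Ioc("ip", "198.51.100.7", "shared host, one phishing kit seen in 2019", 20, date(2020, 6, 1)),
    Ioc("regex", r"/update\.php\?id=[0-9a-f]{32}", "check-in URI pattern", 70, date(2024, 12, 31)),
]

# Constructed proxy log: timestamp, source, destination, URI
LOG = """\
2024-05-01T10:00:01 10.0.0.12 203.0.113.45 /index.html
2024-05-01T10:00:05 10.0.0.12 198.51.100.7 /login
2024-05-01T10:00:09 10.0.0.31 192.0.2.8 /update.php?id=0123456789abcdef0123456789abcdef
"""


def matches(ioc, line):
    fields = line.split()
    if ioc.kind == "ip":
        return ioc.value in fields[1:3]   # exact match on src/dst fields, not a substring search
    return re.search(ioc.value, fields[3]) is not None


def naive_hits(log=LOG, iocs=IOCS):
    """Whack-a-mole mode: every indicator match becomes an alert, stale or not."""
    return [line for line in log.splitlines() if any(matches(i, line) for i in iocs)]


def contextual_hits(log=LOG, iocs=IOCS, today=date(2024, 5, 1), min_confidence=50):
    """Intelligence mode: expired or low-confidence indicators are dropped before
    matching, and each alert carries the context an analyst needs to act on it."""
    live = [i for i in iocs if i.expires >= today and i.confidence >= min_confidence]
    hits = []
    for line in log.splitlines():
        for ioc in live:
            if matches(ioc, line):
                hits.append({"line": line, "indicator": ioc.value, "why": ioc.context})
    return hits


if __name__ == "__main__":
    print(len(naive_hits()), "naive alerts;", len(contextual_hits()), "contextual alerts")
```

The stale, low-confidence host in the second log line fires in naive mode and is silently dropped in contextual mode, which is the noise an L1 company pays for when it loads raw IOC lists into its defenses.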
- This week we held our monthly threat call. Jump on the call and interact directly with other analysts. We hold weekly sessions by phone to understand priorities, but once every month we jump into a deeper dive on some of the reporting that's been posted.
- Sykipot resurfaced. Older versions still show up now and again.
- One of our interns profiled yet another group of attackers.