Saturday, July 04, 2015

The difference between Intel and an IOC feed... lemme tell you a story.

I just took a few minutes out of my 4th of July - in MD for the weekend - watching the rain, hoping my new fly rod gets delivered - wasting time until the fireworks tonight (fingers crossed)... anyway, I just took a few minutes to read Joe Pizzo's piece on the difference between threat intelligence and threat feeds. And while I know the criticisms taken on the chin by Norse for their marketing campaigns, the idea that someone else writes about the differences between threat intelligence and threat feeds makes me happy. 

I use a graphic in my presentations. I know I'm violating some kind of copyright. Sorry for that. If you're the artist, send me a note and I'll credit you.
I love the graphic. It demonstrates a point.... intelligence attempts to answer the 'you don't know what you don't know'. It's not technical, it's contextual. 

Here's a great example.. for the last two years, we've tracked and analyzed the happenings between Russia and Ukraine.  Ukrainians knew that their smart televisions had been hacked and that their traffic cameras were being used by someone to monitor comings and goings of the Ukrainain people, but the story is much bigger than most know.

We tracked the activites and drew parallels to writings in the Ivanov Doctrine - a paper written by senior Russian officials to use asynchronous warfare methods --computers used to affect a change in behavior by the Ukrainians while other physical actions couple with signals intelligence and psychological operations played out. By comparing actions to the writings, one can quickly identify patterns, reasons for targeting of specific victims, and potentially, what's to come. We believe for example, that one of the major bank hacks of last year was in direct retribution for a combination of US Sanctions against Russia, combined with the fact that the bank was an investor in PrivatBank --the bank who's owner was personally funding much of the Ukrainian resistance. The bank was targeted not by government hackers, but by a criminal element that we believe was operated through 'wink and nod' agreements with the Russian government both asking for the action and then turning the blind eye when it occurred... plausible deniability, but with definitive action.

We knew, from our work, that the Nordics would be taunted, and Poland would fall victim to cyber activities, and many of the banks involved in Ukraine would be hit...  all three occurred... and we from prior forensics, we knew the tools that would likely be used to carry out many of the attacks.

So what's the intelligence? It's the story. The intelligence is the information needed by a decision maker, to make decisions on futures and courses of action.

The feed? IOCS? This is information based on analysis of past events -largely forensic based. Network forensics, host based forensics, intrusion analysis, sandboxing and surface analysis. 

It's that simple. Both are required. The intelligence tells the story. The feed tells you what to look for and how to protect against it. The CISO needs both to make informed decisions --which threat (story) to protect against, and where in the potential kill chain to place defensive measures.

If you'd like to read more of our work, we publish TLP White and Green information at One download per month is free.

It's raining like hell here now. I'm going to go see if my new fly rod has been delivered yet.

Until next time, have a great 4th of July!


Post a Comment