Saturday, January 09, 2016

Get to the left of Kill Chain... The results are coming in!

We had a meeting yesterday in Manhattan, with another large company -- non-banking -- who wanted to know more about our "Get to the Left of Kill Chain" model. The question is actually two-fold -- can you really offer actionable early warning? And is our data any good?

So far, the answer to both appears to be 'yes', even if in a small way. The model is working.

Can we really do early warning? Last week we sent early warning to two DIB/Aerospace companies in the Space business. One was VERY grateful. The other unsubscribed. One .edu told us that they'd received a similar notice from their primary intel source (they have a source that specializes in .edu) -- they'd received six at-risk accounts from their source, but we gave them over 40. And, we provided reports to over two dozen healthcare companies via the National Healthcare ISAC. Perfect model? Hardly. Good? Absolutely. Automated? Not yet, but coming.

And for the second question -- is our stuff any good? This week we received feedback from another large company -- this one a global security vendor -- who'd been testing our data for the last couple of weeks. We provided them with ~3000 indicators, taken directly from Threat Recon, and had them run them against their global network of users. During that time, they found that more than 80% of our indicators were new to them, 2% of the indicators had over 1000 hits in 65 countries, and we had a single-digit false positive rate.

threatrecon.co
The test was simple. We pulled only indicators from Threat Recon that we'd derived, taken from external tipping/queuing (our own intel sources), and provided them with the blob of data. We didn't cull anything out. 80% doesn't surprise me at all. Those who are Red Sky members or subscribers of the lab know that we do things a bit differently.

False positive rates -- single digits are still high, right? Consider this. Some days, X.X.X.X is used for command and control. Other days it's Y.Y.Y.Y. Both, at the time of their use, are indicators of something happening. An analyst must watch both and know that X.X.X.X is a legitimate IP address -- but sometimes bad guys use it for C2.
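As an added example (not code from this post or from Threat Recon), here is one way to carry the observed-activity window with each indicator so a matcher only alerts when the address was actually in use for C2; the indicator values and proxy log lines are constructed, and the IP addresses are documentation ranges.

```python
from dataclasses import dataclass
from datetime import datetime, date


@dataclass(frozen=True)
class Indicator:
    ip: str
    first_seen: date   # first day the address was observed acting as C2
    last_seen: date    # last day it was observed acting as C2
    note: str


# Constructed indicators: the first is a legitimate host that was only
# abused for C2 for a few days; the second is active for the whole month.
INDICATORS = [
    Indicator("203.0.113.10", date(2016, 1, 2), date(2016, 1, 4),
              "shared host, C2 only while abused"),
    Indicator("198.51.100.7", date(2016, 1, 1), date(2016, 1, 31), "C2"),
]

# Constructed proxy log lines: "<timestamp> <src_ip> <dst_ip> <path>"
LOG_LINES = """\
2016-01-03T10:00:00 10.0.0.5 203.0.113.10 /beacon
2016-01-07T11:00:00 10.0.0.6 203.0.113.10 /index.html
2016-01-07T12:00:00 10.0.0.7 198.51.100.7 /update
2016-01-07T12:05:00 10.0.0.8 192.0.2.33 /news
""".splitlines()


def parse(line):
    ts, src, dst, path = line.split()
    return datetime.fromisoformat(ts), src, dst, path


def match(lines, indicators):
    """Return (scoped_hits, naive_hits).

    naive_hits matches on the address alone, the way a flat feed is
    usually consumed; scoped_hits also requires the event to fall inside
    the indicator's first_seen..last_seen window, which is what lets an
    analyst keep X.X.X.X in the feed without alerting on its benign use.
    """
    by_ip = {}
    for ind in indicators:
        by_ip.setdefault(ind.ip, []).append(ind)
    scoped, naive = [], []
    for line in lines:
        ts, _src, dst, _path = parse(line)
        if dst not in by_ip:
            continue
        naive.append(line)
        if any(i.first_seen <= ts.date() <= i.last_seen for i in by_ip[dst]):
            scoped.append(line)
    return scoped, naive
```

The 7 January request to 203.0.113.10 is a naive hit but not a scoped one, which is exactly the kind of "legitimate address, sometimes C2" match that inflates a feed's false positive count.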

So why's this blog worthy? Because we hear every day that every feed looks the same. We try hard not to be just another feed. The goal in 2016? We want to make every customer feel like they're our only one. And for that, we've been customizing data, pushing early warning notifications (manually for now) out to those we believe need them, and in some cases, non-customers -- just because we are Patriots and it's the right thing to do.

In 2016, as the threat persists, grows and becomes more complex, the ability to individualize data is going to become huge. We're building these models. We'll be pushing information through various new distribution points and partners, and will continue to push to the left of Kill Chain. All we ask is that you let us know how we're doing.