In the never-ending argument over which source of data is more important to the defense of your enterprise – the endpoint or the network – it’s important we don’t forget that external sources can be just as valuable in detecting compromises and combating threats.
A key construct of the Cold War was the “nuclear triad.” That is to say: our ability to deliver nuclear weapons via missiles, airplanes, and submarines. It was important that all three legs of this metaphorical atomic stool were equally strong because, from both an offensive and defensive perspective, a one-two-three punch was better than a one-two punch, though we are talking about nuclear weapons here, so just one (from both sides) is more than enough.
There are many arguments in cybersecurity, not the least of which is whether you should focus more on endpoints or network traffic to better defend your enterprise. Both sides have strong arguments and powerful personalities serving as proponents. On the one hand, evil has to ask a system for cycles in order to work; if you can monitor those cycles, you have a good chance of detecting evil. On the other hand, unless your attacker’s goal is destruction (rare), evil has to move through the network to exfiltrate what they’re after, which means that if you can sort out good traffic from bad, you also have a chance of detecting evil.
But both approaches have shortcomings. If either were perfect, the market for the other would disappear overnight. When the things you cannot control fall short, it pays to look to external sources. Yahoo recently found this out.
In the fog-shrouded chaos that is the online underground, there is threat-related gold. As the story relates, there is also iron pyrite amongst the gems, so you have to do your due diligence, but the presence of legitimate data of yours ‘in the wild’ that you didn’t know about is a sound indicator that you are sitting on a two-legged stool.
The buzz phrase for external sources is “threat intelligence,” but if you asked 10 threat intelligence vendors what they offered, you’d probably get 11 different answers. The one thing those 10 vendors have in common is that each will likely overwhelm you with the vast volume of information scraped from the open internet, along with an opinion on what each of the 50 million tea leaves collected that day actually means.
That’s not intelligence.
That’s data. Sometimes it’s big data. Most of the time it’s just aggregation.
We do this for a living, and some of us have done it for decades, so consider this as you evaluate how to build your third leg:
Is the source credible? Data on 500M users is a pretty amazing set of data. You would be right to be skeptical if someone you didn’t know offered, out of the blue, to provide you with such data.
Does the source have access? The tip that triggered the Yahoo investigation was reportedly not legitimate, which means the source didn’t have the access claimed (or implied).
Is the source reliable? People think that just because someone operates in the underground, they don’t have to deliver. Things like ransomware work because the bad guys, while being bad guys, are also professionals. The profits from ransomware dry up if the bad guys don’t provide decryption keys when they’re paid. Likewise, the first time someone rips you off is the last chance they have to make money off of you. Shady or not, this is how some people make a living. They live well and they want to keep it that way.
Good sources of threat intelligence must be vetted, and it will take time for you to determine who you can trust. You will get ripped off, and you will be overwhelmed with meaningless information that you’ll have to wade through to find the real nuggets. That’s the price of admission to the underground. Not everyone in this business provides something worth paying for, but for those reliable, credible, trustworthy few, you have the makings of a beautiful (if wary) friendship.