As part of M-Unition's Importance of Intelligence series for the month of January, I recently caught up with Mandiant's Principal Threat Intelligence Analyst, Jen Weedon, for an interview. Jen brings five years of experience in the cybersecurity field, leading a team and conducting analysis for commercial and government clients.
HB: Jen, what are most security teams missing from the intelligence they receive?
JW: I think it's important to first define what we mean when we talk about intelligence in cybersecurity. Intelligence, broadly, is relevant information about a threat or a potential adversary's action, and the consequent analysis that informs your actions. Intelligence in cybersecurity can be tactical, to include host and network-based indicators, malware functionality, or identifying vulnerabilities to patch. This includes descriptions of threat actor tactics, techniques and procedures (TTPs) so you can learn about and anticipate their behavior. We can also use strategic analysis in cybersecurity. Strategic intelligence may include analysis on industries targeted, the intents and motivations of threat actors, or trends in TTPs over time. This longer-term outlook can inform a company's strategic planning, investment decisions and risk postures.
Many intelligence providers deliver threat feeds with a deluge of information but with little context to help analysts, responders and defenders prioritize the threat. Intelligence can identify the type of threat (e.g., Advanced Persistent Threat, Persistent Financial Threats, nuisance malware, etc.), whether the indicator is known to be malicious, or future activity by threat actors.
HB: What's important about knowing context in relation to intelligence?
JW: Context helps security teams prioritize and sort through the noise with more efficiency. It expands their visibility and understanding of threats outside of their immediate environment, and allows for correlation of activity and a greater understanding of the threat landscape. If analysts can associate a domain, IP, or malware with a known threat group who has targeted a particular industry and who engages in theft related to certain information, they can better understand why a company was targeted, future targeting scenarios, and the implications of an incident. Ideally, context provides decision makers the ability to anticipate future threats and posture themselves accordingly.
HB: What do you find to be the average shelf life of new intelligence?
JW: It depends on the intelligence. Certain types of intelligence perish quickly as threat actors adapt and change their infrastructure, tools and malware. Longer-term trending and analysis of intents, motivations, and drivers of behavior evolve over time.
HB: And lastly, what is the importance of monitoring emerging trends in the threat landscape?
JW: It's critical! Before you can monitor trends and changes in the threat landscape, you have to define what is most important to your enterprise. Different threats may resonate more depending on the industry you're in, the information actors may be after, and the potential impact of threat activity. Monitoring trends helps you forecast and apply intel to your business needs.
Cyber intelligence has evolved from vulnerability management and the right IDS configuration. Good analysis takes us a step further in predicting an actor's motives and understanding their capabilities. It's inevitable that compromises will occur, so understanding the actors' motives and targets along with their TTPs is increasingly paramount.
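The interview makes three practical points: raw feeds lack context (who the actor is, which industries they target, what they are after), context lets a team prioritize against its own industry, and tactical indicators such as IPs and domains perish faster than TTP-level observations. The following Python script, added here as an illustration and not part of the interview or any Mandiant tooling, shows one way to combine those ideas: each feed entry is enriched with a constructed actor profile, decayed by a per-type shelf life, and ranked by relevance to the defender's own industry. The group names, industries, shelf-life values, dates and indicator values are all constructed for the example.

```python
"""Context-enriched indicator prioritization (added example, constructed data)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed threat-group profiles: the kind of context the interview says
# most feeds lack. Names, industries and goals are illustrative only.
ACTOR_PROFILES = {
    "GROUP-A": {"category": "APT", "targets": {"energy", "defense"},
                "goal": "theft of engineering data"},
    "GROUP-B": {"category": "financial", "targets": {"retail", "finance"},
                "goal": "payment card data"},
}

# Shelf life in days (constructed values): tactical indicators perish quickly
# as infrastructure is rotated; TTP-level observations stay useful far longer.
SHELF_LIFE_DAYS = {"ip": 14, "domain": 45, "hash": 120, "ttp": 365}


@dataclass
class Indicator:
    value: str
    kind: str                 # "ip", "domain", "hash" or "ttp"
    first_seen: date
    actor: Optional[str]      # attributed threat group, if any


def freshness(ind: Indicator, today: date) -> float:
    """1.0 when first seen today, decaying linearly to 0.0 at end of shelf life."""
    age_days = (today - ind.first_seen).days
    return max(0.0, 1.0 - age_days / SHELF_LIFE_DAYS[ind.kind])


def enrich(ind: Indicator, our_industry: str) -> dict:
    """Attach actor context so an analyst can see why an indicator matters."""
    profile = ACTOR_PROFILES.get(ind.actor or "")
    if profile is None:
        return {"actor": None, "category": "unknown", "goal": None,
                "relevant_to_us": False}
    return {"actor": ind.actor, "category": profile["category"],
            "goal": profile["goal"],
            "relevant_to_us": our_industry in profile["targets"]}


def score(ind: Indicator, our_industry: str, today: date) -> float:
    """Context weight times freshness; 0.0 means the indicator has expired."""
    fresh = freshness(ind, today)
    if fresh == 0.0:
        return 0.0
    ctx = enrich(ind, our_industry)
    if ctx["relevant_to_us"]:
        weight = 3.0      # actor is known to target our industry
    elif ctx["actor"]:
        weight = 1.5      # attributed, but to a group focused elsewhere
    else:
        weight = 1.0      # raw feed entry with no context at all
    return round(weight * fresh, 3)


def prioritize(feed, our_industry: str, today: date):
    """Return (score, indicator, context) triples, highest first, expired dropped."""
    ranked = [(s, ind, enrich(ind, our_industry))
              for ind in feed if (s := score(ind, our_industry, today)) > 0.0]
    ranked.sort(key=lambda t: t[0], reverse=True)
    return ranked


# Constructed sample feed. IPs are from documentation ranges, the domain uses
# the reserved .example TLD, and the hash is a labelled placeholder.
TODAY = date(2014, 1, 20)
FEED = [
    Indicator("203.0.113.7", "ip", TODAY - timedelta(days=20), None),
    Indicator("update-svc.example", "domain", TODAY - timedelta(days=9), "GROUP-A"),
    Indicator("sha256:constructed-0001", "hash", TODAY - timedelta(days=60), "GROUP-B"),
    Indicator("spearphish-hr-lure", "ttp", TODAY - timedelta(days=200), "GROUP-A"),
    Indicator("198.51.100.9", "ip", TODAY - timedelta(days=3), None),
]

if __name__ == "__main__":
    for s, ind, ctx in prioritize(FEED, "energy", TODAY):
        print(f"{s:5.3f}  {ind.kind:6}  {ind.value:26}  "
              f"actor={ctx['actor']}  goal={ctx['goal']}")
```

Run as an energy-sector defender, the 20-day-old unattributed IP has passed its shelf life and is dropped; the GROUP-A domain ranks first because the actor targets energy and the indicator is still fresh; the 200-day-old TTP still outranks a fresh but unattributed IP because TTPs decay slowly; and the GROUP-B hash sinks to the bottom because that group is focused on other industries. The weights and shelf lives are placeholders to be replaced with whatever a team's own experience supports.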