At the RSA USA 2013 Conference I overheard an attendee remark that threat intelligence was "the latest fad in the security industry." The person further commented that security fundamentals were, and always will be, the only thing that really matters.
I can't disagree that the fundamentals of security are as important as ever to an enterprise security program. And the number of vendors pitching threat intelligence products at the RSA Conference was certainly making threat intelligence feel like the buzzword du jour. However, threat intelligence deserves its place in the limelight, and is more of a security fundamental than many people realize.
When we talk about threat intelligence, the conversation sometimes gravitates toward signatures or tactical indicators that allow security teams to detect more evil: IP addresses, domain names, MD5 hashes, etc. However, real security intelligence does much more than this. It allows us to draw conclusions based on observed data and judge the likelihood of future actions - something that's invaluable to a company's security posture and central to any CISO's program. Following are three benefits that threat intelligence programs can provide to the enterprise:
- A solid understanding of the threat actor and their tools, tactics, and procedures can increase the speed of response: A firm grasp of threat intelligence won't just help your security team to identify more evil, it should help speed response. I've seen Mandiant's own incident response consultants eliminate weeks of forensic searching by instructing a client which indicators they need to search for, based on just a few clues and their intimate knowledge of threat actors. This requires understanding the tools, tactics, and procedures of the adversary so that one tip (the name of a piece of malware, or the staging location of data for exfiltration) can allow you to test a hypothesis quickly ("Whenever we see this malware used, we've also seen them use stolen credentials on the Exchange server. Let's check the Exchange server for unusual login patterns from administrators."). Mandiant always stresses the need to look at the environment broadly, to avoid missing other actors or divergent techniques. However, saving hours or days in the initial response can make the difference between being a headline or not.
- Threat intelligence allows your team to work smarter by prioritizing what's most important. Threat intelligence should inform every aspect of your security program: vulnerability management should prioritize based on current exploits. Improvements in identity management should be informed by how the threat exploits identities and authentication mechanisms. Prioritizing the information security program in light of current threat activity can bring great clarity to a CISO's crowded agenda.
- Threat intelligence with attribution informs business decisions. The importance of attribution is often debated. I know that some CISOs tend to fixate on the location or motives of threat actors, and others dismiss this as wasted time. The latter group is missing the point. We don't talk about attribution so that the board can tut-tut about which country is stealing our data. We talk about attribution so that we can understand our adversary, determine their motives, and use this data as input into our defense and detection mechanisms, and into larger business decisions. If a particular entity is stealing your company's financials while your company is negotiating with that entity, the CEO may incorporate this into the decision-making process. It's clichéd to quote Sun Tzu, but "know your enemy and yourself" is still axiomatic. We'd never get into a boxing ring without knowing our opponent, nor play a serious game of basketball without scouting the opposing team. Trying to defend the enterprise against shadowy threats without identifying them is equally hard.
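The speed-of-response point above, turning one tip into a targeted hypothesis check, as an added example (not Mandiant's code). The malware name, the TTP note, the Exchange login records, the business-hours window and the two-login baseline threshold are all constructed assumptions.

```python
# Added example (not Mandiant's code): pivot from one tip, the name of a
# piece of malware, to the correlated check the text describes. The malware
# name, TTP note and Exchange login records are all constructed.
from collections import Counter
from datetime import datetime

# Constructed TTP note: what else has been observed alongside this tool.
TTP_NOTES = {"EXAMPLE-RAT": "stolen admin credentials used on Exchange"}

# Constructed Exchange admin login records: (account, source host, timestamp).
EXCHANGE_LOGINS = [
    ("exadmin", "mgmt-jump01", "2013-02-25T09:12:00"),
    ("exadmin", "mgmt-jump01", "2013-02-25T14:40:00"),
    ("exadmin", "mgmt-jump01", "2013-02-26T10:05:00"),
    ("exadmin", "ws-finance17", "2013-02-26T02:31:00"),  # new host, 02:31
    ("backup_svc", "mgmt-jump01", "2013-02-26T23:00:00"),  # not an admin account
]
ADMIN_ACCOUNTS = {"exadmin"}
BUSINESS_HOURS = range(7, 20)  # 07:00-19:59 local time (assumed)


def baseline_hosts(logins, account, min_count=2):
    """Hosts the account has logged in from at least min_count times."""
    counts = Counter(host for user, host, _ in logins if user == account)
    return {host for host, n in counts.items() if n >= min_count}


def unusual_admin_logins(logins, admin_accounts=ADMIN_ACCOUNTS):
    """Admin logins from a non-baseline host or outside business hours."""
    hits = []
    for user, host, ts in logins:
        if user not in admin_accounts:
            continue
        off_hours = datetime.fromisoformat(ts).hour not in BUSINESS_HOURS
        if host not in baseline_hosts(logins, user) or off_hours:
            hits.append((user, host, ts))
    return hits


def triage(tip, logins):
    """Map the tip to its TTP note and run the matching hypothesis check."""
    note = TTP_NOTES.get(tip)
    return note, (unusual_admin_logins(logins) if note else [])
```

A real program would draw the TTP notes from an intelligence feed and the baseline from weeks of authentication logs; the shape of the pivot is the same.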
Threat intelligence might be a buzzword, but that doesn't mean it's a fad. Serious security programs should look to invest in threat intelligence programs to increase the speed of response, work smarter, and make more informed business decisions.
Mandiant can help! We offer the Mandiant Intelligence Center™, which draws on our proprietary intelligence to provide organizations access to information, tools, and contextual analysis about advanced threat groups; and we offer the Response Readiness Assessment, where we provide organizations with a comprehensive survey of existing security event monitoring, threat intelligence, and incident response capabilities and deliver specific recommendations for improvement.