Situational Awareness vs. Situational Understanding – is intelligence passing you by?

POSTED BY RYAN TROST

A couple of weeks ago I caught up with an agency colleague of mine to discuss the latest high-profile attacks, and he mentioned a new term to me – ‘situational understanding’. After having done an 8-month stint in USG Proposals I’m not new to vomit-inducing buzzwords, and the term triggered an immediate eye roll, but as I’ve been mulling over the conversation for a couple of days the term itself is gaining credibility. It accurately describes the frequently subconscious process organizations undertake as they wrap their arms around the volume of crowdsourced sharing efforts – what to dig into and what to pass over.

The term situational awareness has deep roots in military affairs but within the simplest form it is defined as “…being aware of what is happening in the vicinity to determine how information, events, and one’s own actions will impact goals and objectives.”

Does awareness equate to understanding?!  Absolutely not – awareness is the 50K ft view, whereas, understanding is a 360-degree view.

In most organizations, the majority of the analysts’ day-to-day responsibilities distract them from the adversary hunt. It’s all about clearing the queue and moving on to the next ticket. Instead, organizations rely on *-ISACs and commercial intelligence providers to supply situational awareness by way of indicators of compromise and other intelligence products. Unfortunately, teams blindly deploy those indicators without a true ‘understanding’ because they can’t drink from the fire hose and time is of the essence. The initial hat-tip of information is the much-needed situational awareness, but companies must digest that awareness and transform it into situational understanding – much like taking threat data to produce threat intelligence.

How does an organization mold situational awareness into situational understanding?

By not only deploying the intelligence into firewalls, routers, and other sensor grid technologies, but also by performing rear-view mirror searches against their log repositories. Intelligence from external resources can provide a rich amount of data, but it will never cross the threshold of situational understanding until the attack can be studied in an operational environment; this is especially true of targeted attacks. (In another blog I’ll dive into the monstrous challenges of rear-view mirror searches across an enterprise’s multiple technologies.)

The ThreatQ Splunk app provides a sizable leap toward situational understanding by allowing customers to ingest shared intelligence and bounce it off an ongoing watch-list. This is the cursory step to help determine how relevant the intelligence is to your organization – were you hit?! The extension of this step is incorporating the additional context available in ThreatQ to help jumpstart the investigation: is it just an Internet-wide scan, or does it require a larger incident response effort?

Efficiency is critical due to the volume of events an analyst has to wade through.

The ThreatQ Splunk App allows an analyst to easily see whether the event in question was blocked, allowed, quarantined, or in any other status through a secondary query. It’s as easy as entering action=ACCEPT to whittle the list down to investigation-worthy events by eliminating those that did not succeed. This helps teams that are struggling with the amount of data produced by modern security tools, which otherwise leads to incorrect conclusions and red herrings and greatly extends the time an investigation takes.
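As an added illustration of the two steps above (the rear-view mirror search and the action=ACCEPT narrowing), here is a small stand-alone Python script; it is not part of ThreatQ or the Splunk app and makes no call to either. It assumes key=value firewall logs with src, dst, dst_host and action fields, and both the indicator list and the log lines are constructed sample data, not real IoCs or traffic.

```python
"""Retrospective ("rear-view mirror") search of firewall logs against shared
indicators, then narrowing to the events a control actually let through.

Added example; the indicators, context strings and log lines below are all
constructed for illustration and are not real IoCs or real traffic."""
from collections import Counter
import re
from typing import Dict, Iterable, List

# Constructed sample indicators, shaped like a sharing feed might deliver them.
IOCS = {
    "198.51.100.23": {"type": "ip", "context": "scanner, internet-wide"},
    "203.0.113.77": {"type": "ip", "context": "C2, targeted campaign"},
    "bad.example.net": {"type": "domain", "context": "phishing landing page"},
}

# Constructed firewall log lines in key=value form (assumed field names).
SAMPLE_LOGS = [
    "ts=2024-05-01T10:00:01Z src=10.0.0.5 dst=198.51.100.23 dst_host=- action=DENY",
    "ts=2024-05-01T10:02:14Z src=10.0.0.8 dst=203.0.113.77 dst_host=- action=ACCEPT",
    "ts=2024-05-01T10:03:40Z src=10.0.0.9 dst=192.0.2.10 dst_host=bad.example.net action=ACCEPT",
    "ts=2024-05-01T10:05:02Z src=10.0.0.5 dst=192.0.2.44 dst_host=good.example.org action=ACCEPT",
    "ts=2024-05-01T10:06:30Z src=10.0.0.12 dst=203.0.113.77 dst_host=- action=QUARANTINE",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a key=value log line into a dict; a line with no pairs yields {}."""
    return dict(KV_RE.findall(line))


def retro_search(logs: Iterable[str], iocs: Dict[str, dict]) -> List[dict]:
    """Return every historical event that touches a known indicator, carrying
    the indicator's context so the analyst sees why it matters."""
    hits = []
    for line in logs:
        ev = parse_kv(line)
        for field in ("src", "dst", "dst_host"):
            value = ev.get(field)
            if value in iocs:
                hits.append({**ev, "indicator": value, "matched_field": field,
                             "context": iocs[value]["context"]})
    return hits


def successful_only(hits: List[dict]) -> List[dict]:
    """Keep only events the control allowed (action=ACCEPT); denied or
    quarantined matches confirm the control worked and rank lower."""
    return [h for h in hits if h.get("action") == "ACCEPT"]


def summarize(hits: List[dict]) -> Dict[str, int]:
    """Count matched events per action so blocked vs. allowed is visible at a glance."""
    return dict(Counter(h.get("action", "UNKNOWN") for h in hits))


if __name__ == "__main__":
    hits = retro_search(SAMPLE_LOGS, IOCS)
    print("matched events by action:", summarize(hits))
    for h in successful_only(hits):
        print(f"{h['ts']} {h['src']} -> {h['indicator']} ({h['context']})")
```

Running it lists every historical match first (so the DENY and QUARANTINE hits still show the controls working), then narrows to the two ACCEPT events, which are the ones that need an investigation decision; the attached context is what separates the scanner hit from the targeted C2 contact.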

The tactical goal of situational understanding is identifying and forcefully punching the miscreants in the face! But, more importantly, the value of situational understanding is becoming more intimate with your adversary, your network, and your defenses. By studying the network logs and other peripheral activity that can’t possibly be conveyed by commercial providers, industry peers, or machine-readable formats, the transition from situational awareness to situational understanding builds an operational maturity model that continually assesses your defenses.
