What does a truly Flexible Threat Intelligence Platform look like?

POSTED BY NEAL HUMPHREY

The ThreatQ Fantasy Football Use Case

Working in a new market is always an interesting experience. I am reminded of this every time I go out to a trade show and quickly get the question: “So, what do you guys do?” I’ve gotten pretty good at explaining the threat intelligence platform, but explaining the space can be a challenge. Besides the confusion that sometimes emerges between feeds and platforms, people’s expectations of how to use threat intelligence are always variable. It seems that every company approaches threat intelligence operations differently and wants to put in place its own naming conventions and processes.

With that in mind, the ThreatQ threat intelligence platform is different from the rest of our competition. Since ThreatQ is on-premises by design we have inherent flexibility that no other platform can offer. We not only apply custom tags to information in the system, but also create custom statuses and workflows. Custom attributes and values can be created, and to keep track of all these options and to allow analysts to focus on what really matters to them and their company we provide personalized scoring and prioritization.

So, how can I show you how flexible ThreatQ can be? Well, I deal a lot in analogies. It’s just how I talk. One of my co-workers challenged me to come up with an analogy that would help explain what threat intelligence is and how a threat intelligence platform works and provides value. Since I had recently gotten my Fantasy Football seasonal grade from Yahoo Sports (as you will see, it was not good), Fantasy Football was on my mind. So, I started thinking about the parallels between fantasy football and threat intelligence.

The initial reaction I got was: “Do enough people play fantasy football to make the example relevant?”

Well…

Believe it or not, that is a graph of the number of people playing fantasy football (American) across the world.  59.3 million people were expected to play fantasy football this year.

I play, my wife plays, and we even have a company league. Some people in our company league are in multiple other leagues. It’s an epidemic.

Using fantasy football as an analogy is a little out there, but it does work. So, let’s walk through it. Fantasy football is based on:

  • Outside information from multiple sources of varying known and unknown quality
  • Personalized information based on what I care about from my current roster and bench players
  • Actions or decisions including who I play and when, and who I drop and when

Sounds like a great application for a threat intelligence platform to me.

So, can ThreatQ’s threat intelligence platform help me make smarter decisions?  Could it help me win at fantasy football?

With that in mind, I humbly present the ThreatQ fantasy football use case.

Let’s begin with my roster. Note: I didn’t use ThreatQ this year, but now that I have a system, next year, look out.

League Roster

Figure 2: Yahoo Sports Fantasy Football League – Loser’s Roster

So, let’s talk over what is on this page, besides the point that my draft strategy is just bad. (I dropped Odell Beckham, Jr. a while back, and that action is frankly what spawned this post.)

Anyhow, as you can see, I have a series of players that I am following. I have prospective point totals for their next game, injury information, data on who they are playing next and even the weather forecast for game day. All of that data is presented directly on the screen. It’s aggregated data from multiple locations and different sources. In fact, I even found this handy article from Aug 21st on USA Today:

Top 5 Most Mentioned Fantasy Football Experts

  1. Evan Silva (@evansilva), RotoWorld.com
  2. Adam Rank (@adamrank), NFL.com
  3. Matthew Berry (@matthewberrytmr), ESPN
  4. Brad Evans (@yahoonoise), Yahoo! Sports
  5. Mike Clay (@mikeclaynfl), ESPN

Top 5 Most Followed Fantasy Sites

  1. @ESPNFantasy (472,000 followers)
  2. @YahooFantasy (272,000 followers)
  3. @Rotoworld_FB (254,000 followers)
  4. @DraftKings (233,000 followers)
  5. @CBSFantasy (163,000 followers)


Top 5 Most Mentioned Fantasy Provider

  1. @MyFantasyLeague
  2. @DraftKings
  3. @ESPNFantasy
  4. @YahooFantasy
  5. @CBSFantasy

Top 5 Most Mentioned Fantasy Football #1 Overall Pick

  1. David Johnson (@DavidJohnson31), Arizona Cardinals
  2. Ezekiel Elliott* (@EzekielElliott), Dallas Cowboys
  3. Le’Veon Bell (@L_Bell26), Pittsburgh Steelers
  4. Antonio Brown (@AB84), Pittsburgh Steelers
  5. Julio Jones (@juliojones_11), Atlanta Falcons
  6. Odell Beckham, Jr. (@OBJ_3), New York Giants

So, yeah, back to that Odell Beckham, Jr. pick. I was just doing what I was told.

Regardless, the article above is a great example of a list of sources, sources that we could use as continuous feeds. What are some other sources that we could pull data from, either from an initial draft perspective or from our weekly or daily management of our rosters?

Let’s start with the larger providers:

And then of course we have some of the more direct services that feed the aggregators above: Twitter – There are so many that I found a list of lists: https://twitter.com/chriswesseling/lists/fantasy-football-writers?lang=en

And let’s not forget the local newspapers’ sports reporters, local and national sports radio shows, etc. There is a continuous stream of information, even back-channel information, around fantasy football. It has morphed from a fun game to play amongst friends to a paying hobby and, I imagine, for some people a true source of income. It is a business these days. Just like hacking.

So, now that we have information sources, how could I use the data within ThreatQ to my advantage? Let’s start with setting up some profiles. Now remember, this is just a case study to see if this idea would even work. I’ll start with my mistake that set the tone for the whole season: Odell Beckham Jr.

Let’s create an indicator, in this case a string indicator, for Mr. Beckham and talk about how this could be created and utilized.

Odell indicator

Figure 3: Odell Beckham Jr.’s Indicator custom attributes in the ThreatQ threat intelligence platform

custom attribute

Figure 4: Odell Beckham Jr.’s Indicator custom attributes in ThreatQ

I created this indicator profile by hand, but through the use of the ThreatQ API it would have been easy to pull this information on an ongoing basis from the different sources listed.

I’ve used attributes around the Physically Unable to Perform/Injured Reserve (PUP/IR) list as published by the NFL, and validated that against the team-specific list. I’ve also used CBS Sports as a source for the next game to be played. I am interested in their data around the weather and the team Odell will be playing against. I am also using CBS as the feed for data around practice reports and injury news.

On a slightly deeper level, I have gone to Sporting News as they publish a weekly ranking of Team Defenses. This list gives me an idea of the strength of the next opponent and can be used in a scoring metric.

indicator description

Figure 5: Odell Beckham Jr.’s Indicator Description in ThreatQ

I’ve pulled a simple description for Mr. Beckham from his NFL profile which also includes his historical stats. The description can be edited at the end of the year, or every week if I wish, to append additional stats and historical data.

Indicator comments

Figure 6: Odell Beckham Jr.’s Indicator Comments in ThreatQ

Rotowire puts out news briefs on a regular basis around each player. I have pulled this in as comments to give more detail and a basic real-time feed of data around the player within this profile.

As comments can come in on an irregular basis from Rotowire, I’ve gone through and added this indicator profile to my watch list, the same as I have for all the other players that I have on my team.

Once the players have been added to my watch list I can look for any new updates for any player on the fantasy team simply by checking my watch list activity on my main screen within the ThreatQ threat intelligence platform.

ThreatQ Main Page

Figure 7: Hump’s Chumps Fantasy Football ThreatQ Main Page with Watchlist

This running list of activity can be broken down on a per player basis or, if I am in multiple leagues, I could create an adversary or event as a collection point for a series of players.

Let’s get to the real heart of the system, something outside of organization and update collection. How can I tell which kicker to use this week?

We will allow the system to run some personalized scoring constraints against the data that’s been entered into the system to give us some guidance or prioritization.

Figure 8: Custom Indicator Scoring Policy using Custom Attributes and Values

Custom Attributes and Values

Figure 9: Custom Indicator Scoring Policy using Custom Attributes and Values

In the screen shots above I’ve gone through and built a quick scoring policy based on the defensive ranking of the team to be played next. Again, this ranking is being pulled from the Sporting News rankings on a weekly basis. So, it’s not a static ranking that is assigned at the beginning of the year as that would not be very valuable. I obviously need as much help as possible to set up my weekly rosters, so getting near real-time rankings into the system is invaluable.

In setting up the scoring based on defense I tried to make it simple: the top six defenses get a negative 2, the bottom six defenses get a positive 2. Also, being on the PUP/IR list gets a player an instant negative 6, and being questionable “No” from the Rotonews reports is a positive 1, versus getting a “Yes”, which is another negative 2. I should probably also use my source scoring to apply a positive score to all players with NFL as a source so that I have more room to move scores in the negative.

Remember the goal here is to help point out the players on the roster that have the best chance of success for that week.

So, a player starts with a score of 0. If that player is playing indoors, they now have a score of +2. If the player is listed as a “NO” on the questionable list due to injury, then they are a +3. If that same player is also playing against a defense ranked in the bottom 27-32 for that week, then they are now a +7. Say instead that they were playing a top weekly defensive ranking (1-6); then the player is ranked a -1 for that week.

A player being reported as injured will drop the score. Perhaps I need to create some scoring components based on the position of the player, or on the status of other injuries on the team that may impact the player: offensive line injuries for a quarterback or running back, or injuries to other wide receivers that may cause potential double coverage for a wide receiver on the roster. Maybe I give the players some positive points at the beginning, since most of the points are negatives; I could just add +3 for all String indicators, and then I am looking at the options that remain in the +5 to +7 range on my roster.

The scoring options are effectively endless based on the level of customization and personalization ThreatQ allows.
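To make the scoring policy and the watch-list check from the sections above concrete, here is an added example in Python. It is not ThreatQ’s code and does not use the ThreatQ API; the `Indicator`, `Rule` and `Comment` classes, the attribute names (`defense_rank`, `pup_ir`, `questionable`, `venue`) and the sample roster are all constructed here for illustration. The rule weights are the ones the post describes (top-six defense -2, bottom-six +2, PUP/IR -6, questionable “No” +1 / “Yes” -2, indoors +2, and the suggested +3 for any indicator with NFL as a source), expressed as data so they can be changed without touching the scoring code:

```python
"""Added example (not ThreatQ's own code): a personalized scoring policy
and watch-list activity check modelled on the fantasy football use case.

Everything below is constructed for illustration: class names, attribute
names such as "defense_rank", the sample roster and the comments.
Only the rule weights come from the post.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Callable, Dict, List, Tuple


@dataclass
class Comment:
    """A news brief attached to an indicator (a Rotowire-style blurb)."""
    source: str
    text: str
    posted: datetime


@dataclass
class Indicator:
    """A String indicator with custom attributes, i.e. a player profile."""
    value: str
    indicator_type: str = "String"
    status: str = "Active"          # custom statuses, e.g. "Dropped"
    attributes: Dict[str, object] = field(default_factory=dict)
    sources: List[str] = field(default_factory=list)
    comments: List[Comment] = field(default_factory=list)
    watchlisted: bool = False


@dataclass
class Rule:
    """One scoring rule: a label, a predicate over the indicator, a delta."""
    name: str
    applies: Callable[[Indicator], bool]
    delta: int


# Policy weights from the post; attribute names are assumed. Missing
# attributes default to values that match no rule, so an incomplete
# profile scores 0 from that rule instead of raising.
POLICY: List[Rule] = [
    Rule("top-six defense", lambda i: 1 <= i.attributes.get("defense_rank", 99) <= 6, -2),
    Rule("bottom-six defense", lambda i: 27 <= i.attributes.get("defense_rank", 0) <= 32, +2),
    Rule("on PUP/IR", lambda i: i.attributes.get("pup_ir") is True, -6),
    Rule("questionable: No", lambda i: i.attributes.get("questionable") == "No", +1),
    Rule("questionable: Yes", lambda i: i.attributes.get("questionable") == "Yes", -2),
    Rule("playing indoors", lambda i: i.attributes.get("venue") == "indoors", +2),
    Rule("NFL as source", lambda i: "NFL" in i.sources, +3),
]


def score_indicator(ind: Indicator, policy: List[Rule] = POLICY) -> int:
    """Sum the deltas of every rule whose predicate matches the indicator."""
    return sum(r.delta for r in policy if r.applies(ind))


def explain_score(ind: Indicator, policy: List[Rule] = POLICY) -> List[str]:
    """Human-readable breakdown of which rules fired, for the analyst."""
    return [f"{r.name}: {r.delta:+d}" for r in policy if r.applies(ind)]


def rank_roster(roster: List[Indicator], policy: List[Rule] = POLICY) -> List[Tuple[str, int]]:
    """Prioritized view: active (not Dropped) players, highest score first."""
    active = [i for i in roster if i.status != "Dropped"]
    scored = [(i.value, score_indicator(i, policy)) for i in active]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


def watchlist_activity(roster: List[Indicator], since: datetime) -> List[Tuple[str, str, str]]:
    """New comments on watch-listed indicators since the last check."""
    out = []
    for ind in roster:
        if not ind.watchlisted:
            continue
        for c in ind.comments:
            if c.posted > since:
                out.append((ind.value, c.source, c.text))
    return out


# Constructed sample roster (player names are placeholders).
ROSTER: List[Indicator] = [
    Indicator("Player A", watchlisted=True, sources=["NFL", "CBS Sports"],
              attributes={"defense_rank": 30, "questionable": "No", "venue": "indoors", "pup_ir": False},
              comments=[Comment("Rotowire", "Full practice Thursday", datetime(2017, 11, 9, 15, 0))]),
    Indicator("Player B", watchlisted=True, sources=["NFL"],
              attributes={"defense_rank": 3, "questionable": "Yes", "venue": "outdoors"},
              comments=[Comment("Rotowire", "Limited practice", datetime(2017, 11, 8, 10, 0))]),
    Indicator("Player C", sources=["NFL"], attributes={"defense_rank": 15, "pup_ir": True}),
    Indicator("Player D", status="Dropped", sources=["NFL"], attributes={"defense_rank": 28}),
]
LAST_CHECK = datetime(2017, 11, 9, 0, 0)   # constructed "last looked at my watch list" time

if __name__ == "__main__":
    for name, score in rank_roster(ROSTER):
        print(f"{name}: {score:+d}")
    for name, src, text in watchlist_activity(ROSTER, LAST_CHECK):
        print(f"[watchlist] {name} ({src}): {text}")
```

The point of keeping the rules as data is the one the post makes: when a source turns out to be unreliable (the defense rankings, say), you swap or reweight that one rule and re-rank, without changing the code that applies the policy. `explain_score` is the analyst-facing half, showing why a player landed where it did.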

I have also added a little more detail in the system to track how I fare throughout the year. I expect to drop and add players over the course of the season, so I went in and added “Dropped” as a status for the players within the system.

Custom indicator statuses

Figure 10: Custom Indicator Statuses in ThreatQ

At this point in the season, I didn’t make the playoffs within my league. To be completely honest, I didn’t win a single game. I blame that record on not having a system like this up and running. Using ThreatQ, maybe I wouldn’t have had Amari Cooper on the bench when he put up 35 points in one half a couple of months ago. (I lost that game by 8 points; my other wide receiver scored 6 points that game. I’m not bitter, promise.)

So, what was the point of putting all this together and building out this sample environment? Well, to give people an idea of what threat intelligence really and truly is. Intelligence is information gathered and applied toward a certain goal. The goal here is to see if the subject being monitored is doing well or not, and this assessment changes from minute to minute, requiring intelligence to be consistently gathered and critically reviewed. Intelligence gets stale very quickly, meaning we need to get new data constantly.

We all work with intelligence in our daily lives.  The process and tools people use to play fantasy football are very, very close to what we do with respect to threat intelligence and threat operations.

One of the most important aspects is that I was able to mock the entirety up in ThreatQ. I didn’t have to change code or ask for help from engineering to change the capabilities of the tool to meet the needs of my harebrained example. ThreatQ is built to be a flexible threat intelligence platform. It is built to be able to change to meet our customers’ needs.

I can create whatever attributes or tags I want to use on any indicator or object within the system. I have a full REST API that I can communicate with to add, update or remove data from the system whenever I need. It is expected that users are going to want to collect data from some non-standard feed sources, or even to communicate with systems that don’t operate like standard feeds. Think of the Rotowire comments I added for Odell Beckham Jr., or being able to pull profile information for the description directly from the NFL website whenever I need, or being able to monitor a Twitter page or even pull information from an email account when I get notices from a trainer I know who works for the Giants. All of these are sources of information that ThreatQ can consume and then make use of for the analyst’s (or fantasy football fan’s) advantage.

The personalized scoring is the linchpin here. Being able to personalize my scoring to rate some players higher or lower based on new data being entered in the system, or existing data being removed, gives me the assurance that the player or roster moves that I am making match my needs and keep me to my plan. If following that plan isn’t working (see this year) I need to be able to change the rating system I am using, or determine that the Sporting News weekly defense rankings are way off and I need to find a new source for that information.

This level of personalization is required for a successful threat operations program. You need to be able to move through masses of information and collected intelligence to make the best decision you can, or provide more specific and timely intelligence to the person making a decision in defense of your network.

So, when someone asks you what threat intelligence is, or what you do as a fusion analyst, or working in incident response or as a tiered security operations analyst think of this example and tell them: “What I do is similar to making sure I have the right players in my fantasy football line-up, based on the latest information available at the time.”

Because, in short, that is what we are all doing.  ThreatQ just gives you the ability to do that with respect to cyber threat intelligence and specifically for your organization.  Based on your terms, your rankings, your priorities, ThreatQ is helping you to make better decisions to protect your business better.

I can’t tell you that a threat intelligence platform like ThreatQ will help you win your league, but maybe some of these ideas and information sources can help you to put Amari Cooper on the field at the right time and not have him on the bench.

Yup, not bitter.
