Why April Fools' Day is My Favorite Holiday
POSTED BY NEAL HUMPHREY
And on that note, let's talk.
There are certain parts of our culture that I just enjoy: the sound of well-worded foul language, the drama and pageantry of college football, and when humanity unexpectedly encounters a wall of reality. People in general are creatures of habit, and from time to time it is good to be reminded that straying from a routine can be a good thing, and that stopping to think something through before continuing on like always can be helpful. There are even stories or metaphors in our culture that point this out and have become resets for our thinking. For example:
- The Emperor has no clothes
- Remember Man that you are dust and unto dust ye shall return
- Remember you are mortal (from Roman Triumphs)
I can appreciate a good prank, particularly those that remind people that they need to be more observant of reality’s rules in general. Thinking critically and expecting a different outcome are valuable, rather than repeating the same action again and again.
It is for this reason that April Fools’ Day is my favorite holiday.
Now how does this apply to a threat intelligence platform company blog post? Well, I'm glad you asked. So did my marketing department.
It comes down to this. Threat intelligence is a market based almost solely on data, lots and lots of data. When the norm is an ever-increasing amount of data, the question arises: are intel analysts thinking critically about the sources, relevancy and prioritization of the data they work with?
There are plenty of feeds out there with varying focus, type, specificity, timeliness and overall quality. Threat intelligence platforms were conceived to provide value through the collection, aggregation, enrichment and distribution of IOCs from multiple sources. But a funny thing happened over the last couple of years. As the feed market has gotten more crowded, the threat intelligence platform (TIP) market started to blur with the threat intelligence market.
This blur causes the following question to come up fairly often, “As I start to build out a threat intelligence program here at Acme Company, do I get a feed or a platform first?”
The historic answer has always been to get an intel feed first, because without external data what use would you have for a TIP? It is in this answer that the confusion lies. Our competition in the market also got the same question, and decided to do both: provide an aggregated or industry-specific feed, or an online sharing-based community, along with some threat intelligence platform functionality, and call it a day. While this provides a response to both points of the question, it doesn't really answer the question and adds to the blur.
To clear up some of the blur let’s talk a little bit around why people even ask the question. Why does the question always start with feed based external data first, and not prioritized internal information first?
Generally, the reason users look externally first is that it is simply a learned response. The security industry has been taught to look for external guidance since the beginning of anti-virus DAT files and updates. In effect, we have been trained to look externally for detections and reactive alerting information.
However, what we have learned so far in the maturation of the threat intelligence market and the confusing mess of messaging around threat, is that looking externally first may not be right for all organizations.
Maybe we should look internally first. We could look for patterns, repeat offenders, or even better: consistent targets. From an intelligence-based view we could then determine:
- What value does the target have?
- What information could the attacker be looking for?
- Where does the target or victim fit within the organization?
- What is their inherent exposure to being targeted? (i.e. finance personnel involved in mergers and acquisitions, recruiting personnel that receive spear phish after spear phish attachment, manufacturing or fulfillment dealing with delivery schedules, engineering and development with IP, etc.)
Answering these types of questions can point a threat intelligence team in the direction of what data needs to be collected and monitored, provide better risk management, and potentially compliance or asset management data.
Going this direction also helps in the selection of external feeds. We need external intelligence, of that there is no argument, but you need the external feeds and data that are right for your company. Generally you want a collection of external feeds that enable you and your team to verify the data as much as possible before introducing it into the network.
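The "look internally first" step above, and the feed-selection point that follows from it, can be made concrete. The script below is an added example, not code from the original post or from any product it discusses: it takes a constructed sample of internal alert records, finds repeat offenders and consistent targets, weights targets with a hypothetical department-exposure table modeled on the examples in the list above, and then sorts a constructed set of external feed indicators into those already seen internally (verifiable, worth acting on) and those with no internal sighting yet. The alert fields, department weights and indicator values are all assumptions for illustration.

```python
"""Added example (not from the original post): a first pass at looking
internally first, then using those internal sightings to judge an external
feed. All records, weights and indicators below are constructed."""
from collections import Counter

# Constructed sample of internal alerts (mail-gateway / IDS style records).
ALERTS = [
    {"ts": "2017-03-28T09:12", "source": "invoice-update.example", "target": "jdoe",   "dept": "finance",     "type": "phish"},
    {"ts": "2017-03-29T10:03", "source": "invoice-update.example", "target": "jdoe",   "dept": "finance",     "type": "phish"},
    {"ts": "2017-03-29T11:40", "source": "resume-share.example",   "target": "asmith", "dept": "recruiting",  "type": "phish"},
    {"ts": "2017-03-30T08:15", "source": "resume-share.example",   "target": "asmith", "dept": "recruiting",  "type": "phish"},
    {"ts": "2017-03-30T08:16", "source": "resume-share.example",   "target": "bwong",  "dept": "recruiting",  "type": "phish"},
    {"ts": "2017-03-30T22:01", "source": "203.0.113.7",            "target": "build01","dept": "engineering", "type": "scan"},
    {"ts": "2017-03-31T09:00", "source": "198.51.100.4",           "target": "jdoe",   "dept": "finance",     "type": "phish"},
    {"ts": "2017-03-31T14:22", "source": "cdn-random.example",     "target": "mlee",   "dept": "marketing",   "type": "phish"},
]

# Hypothetical exposure weights per department, following the post's examples
# (finance during M&A, recruiting receiving attachments, engineering holding IP).
EXPOSURE = {"finance": 3, "recruiting": 3, "engineering": 2, "fulfillment": 2}

# Constructed external feed: a few indicators as a feed vendor might deliver them.
FEED = ["invoice-update.example", "203.0.113.7", "malware-drop.example", "192.0.2.99"]


def repeat_offenders(alerts, min_count=2):
    """Sources that appear in at least min_count alerts, with their counts."""
    counts = Counter(a["source"] for a in alerts)
    return {src: n for src, n in counts.items() if n >= min_count}


def consistent_targets(alerts, min_count=2):
    """Users or hosts hit at least min_count times, with their counts."""
    counts = Counter(a["target"] for a in alerts)
    return {tgt: n for tgt, n in counts.items() if n >= min_count}


def target_priority(alerts):
    """Rank targets by hits multiplied by their department's exposure weight.
    Departments missing from EXPOSURE get a neutral weight of 1."""
    hits = Counter(a["target"] for a in alerts)
    dept_of = {a["target"]: a["dept"] for a in alerts}
    scored = [(tgt, n * EXPOSURE.get(dept_of[tgt], 1)) for tgt, n in hits.items()]
    return sorted(scored, key=lambda pair: -pair[1])


def prioritize_feed(indicators, alerts):
    """Split feed indicators into those already observed internally
    (verifiable against our own data) and those with no internal sighting."""
    seen_sources = {a["source"] for a in alerts}
    verified = [i for i in indicators if i in seen_sources]
    unverified = [i for i in indicators if i not in seen_sources]
    return verified, unverified


if __name__ == "__main__":
    print("repeat offenders:", repeat_offenders(ALERTS))
    print("consistent targets:", consistent_targets(ALERTS))
    print("target priority:", target_priority(ALERTS))
    verified, unverified = prioritize_feed(FEED, ALERTS)
    print("feed indicators seen internally:", verified)
    print("feed indicators with no internal sighting:", unverified)
```

The output of the last function is the practical point: the two indicators the internal data already corroborates deserve the team's time first, while the other two are candidates for monitoring rather than immediate blocking. Swapping the constructed records for a real export from a mail gateway or SIEM only requires mapping its columns onto the same field names.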
The bane of security, as seen in almost all breaches, is that there is just too much data. Blindly accepting that you need to be on the lookout for threat X due to feed Y leads to constant reactive actions and no time for critical thinking.
Security teams are being pummeled by events and data like never before. We all want to make better decisions, and some of us are looking at orchestration and automated actions to deflect some of the events before they land. That's fine; get a little breathing room. But before waddling out of the corner, maybe we could look at the results of those actions to determine their value. Do some self-assessment before turning on that additional feed. Think about your tactical and operational needs. More importantly, think about your critical assets before purchasing additional services like feeds, monitoring, and fusion centers that don't really understand your changing issues, internal targets and security needs.
You and your team are your own best defense. You need the right tool and the right information to stay off the mat. Don’t be a UFC fighter going into a boxing match.
Let's all try to think a little more critically before we take that next action or decision. Everyone's goal is to become more proactive and get up off the mat. But taking a little more time and thinking a little more critically about how you ended up on the mat may help you stay off it a little longer next time.