81% of participants believe the government should share more threat intelligence with the private sector.
Section 1

1.1 Executive summary

The last few years have seen a rise in awareness of security breaches and of the limitations of classical tools. This has driven the development of enhanced threat detection capabilities, with a growing number of security researchers investigating methods to identify and share threat information.

In this report, we surveyed attendees of InfoSecurity Europe to paint a picture of how threat intelligence is obtained, utilized and shared, and to seek out views on the role government and law enforcement have to play in helping to protect enterprises from threats.

1.2 Key Findings

Upon finding a threat, 43% of respondents will only share the information internally.

43% of security professionals are most concerned with insider threats.

81% of participants believe the government should share more threat intelligence with the private sector.

Most respondents view the government as a trusted partner in protecting them against nation states and other major threats.

1.3 Methodology and Scope

This report is based on the professional experience of the author (a former security consultant and industry analyst), in conjunction with a user survey conducted at the InfoSecurity Europe conference 2015 that gathered 328 responses. Secondary research was collected from the opinions of security industry practitioners.

Demographic data of survey respondents was not collected; however, we feel that the number of respondents does allow for significant discussion. The participants were all attendees at the conference and were not prompted for their answers, nor was any clarification provided about the terms or definitions used.

This report was written by Javvad Malik, Security Advocate, AlienVault. Any questions about the methodology should

the Government’s Role in It


Section 2

Using threat intelligence

Like most detection and response capabilities, once threat intelligence has been acquired, the onus is on the company to make use of it.

As Dr. Krypt3ia articulated on a tweet-chat we held

This point was further reinforced by others, including Ian Amit, who elaborated that obtaining threat intelligence is relatively easy; finding threat intelligence that is relevant to an organisation and can help it make decisions about defence is more challenging.

Dan Glass went further in defining threat intelligence, stating that threat intelligence itself is a program, not a product, and that indicators of compromise (IOCs) are inputs that a threat intelligence program would use.


Section 3

The questions

Survey participants were asked:

1. What sources of Cyber Threat Intelligence do you rely on (select all that apply)?

a. Our own detection processes
b. Trusted peers
c. Paid subscription service
d. Government / government agencies
e. Crowdsourced / Open Source

2. How do you utilize threat intelligence data?

a. Manually ingest indicators of compromise (IP addresses, MD5 hash of malware, etc.) into a tool like a SIEM to set alarms or configure IDS signatures
b. Manually analyse details
c. For incident response purposes
d. For information only

3. When you discover a threat, do you share it with?

a. Trusted peers / closed community
b. Publicly share
c. Government / government agencies
d. No-one
e. Internal only
f. Share with crowdsourced / open source platforms

4. Which threats concern you the most?

a. State sponsored attacks
b. Hacktivists


5. Should the government share more threat intelligence information with the private sector?

a. Yes
b. No

6. In protecting your business from hostile nations and major threats, do you see the government as

a. Just paying lip service
b. A trusted partner
c. Consumes threat intelligence but doesn't share
d. Understaffed and undertrained
e. I would have no idea who to contact there even if we needed them

7. Do you actively use any of these open standards?

a. STIX
b. TAXII
c. CyBOX
d. OpenIOC
e. All of the above
f. None of the above

8. Have you ever had to call law enforcement in to investigate a breach?

a. Yes
b. No

9. If yes, were they

a. Very effective
b. Somewhat effective
c. Neither effective nor ineffective
d. Somewhat ineffective


3.1 Standards and sources of threat intelligence

Threat intelligence can be obtained and collected from a variety of sources. However, not all threat intelligence is created equal – the relevance, origin, freshness, variety and overall confidence amongst other factors all play a part in how valuable a threat intelligence source is.

The majority of participants relied upon their own detection processes to obtain relevant threat intelligence. Although the survey did not ask participants to detail what these processes are, the likely sources are detection data from products such as anti-malware, intrusion detection systems and vulnerability scanners.


3.2 Using Threat Intelligence

There’s a saying that a fool with a tool is still a fool – and the best threat intelligence can go to waste unless it is utilized effectively.

Broadly speaking, organisations typically have to be at a higher maturity level to utilize threat intelligence to drive alerting, threat modelling and rule monitoring. This is reflected in the survey results, where the majority of participants manually analyse the data or utilize it for incident response purposes only.

3.3 Sharing the Wealth

One of the key aspects of threat intelligence is that it cannot be consumed indefinitely without contributors to it. The greater the variety of sources contributing to a feed, the more it can be refined and made useful. Threat intelligence is one of the few markets where providers do not displace one another – a provider just has to contribute different data that adds to the overall feed.

Whilst most people we spoke to agreed that sharing threat intelligence benefits everyone, the results showed that most organisations still keep threat intelligence to themselves. Of those who do share threat intelligence, the vast majority will share only amongst a trusted peer community or with government agencies.


Whilst this is a legitimate concern for many, it doesn’t need to cover the entire spectrum of information contained within threat intelligence, with items such as hash values, suspicious IP addresses and domain names shareable with relative ease and without exposing any internal information.

3.4 Threat Concerns

Threat intelligence is used to help a company prevent a successful attack – or to recognize when an attack is underway and take responsive action. But with a large number of threats, it is important to understand which threats are of particular concern to security professionals.

At 42.7%, insider threats topped the list. Both hacktivists and 0-day exploits garnered 39.6% of responses with only 30.2% stating state-sponsored attacks were of primary concern to them.

3.5 Government sharing?

With the rise of organized criminals moving online, as well as nation-states reportedly getting more involved in launching attacks against businesses, we wanted to get a better understanding of how security practitioners perceive the role of the government.


Another interesting finding was that 23.5% felt that the government was better at consuming threat intelligence than at sharing it. This was highlighted in a follow-up question, where a whopping 81% of participants felt the government needed to share more threat intelligence with the private sector.

3.6 Involving Law enforcement

Hand in hand with government comes law enforcement and the role it has to play, particularly in post-breach analysis.


Conclusions

Threat intelligence remains somewhat of a mystery wrapped up in an enigma. Although it is an old yet still new market, there remains much inconsistency in how it is interpreted, used or applied.

The majority of companies probably lack the security maturity to use the most detailed form of threat intelligence efficiently. But some types of threat intelligence such as IP addresses, URLs, DNS information, malware samples and botnet data are a lot easier for companies to collect, ingest and use to make decisions around defense.

Many free threat intelligence feeds exist, and most security platforms are capable of ingesting open standards. These, when utilized in conjunction with internal telemetry and alerts such as IDS alerts, phishing attacks, malware trends and log correlation, can provide a robust view of the threat landscape.

In doing so, companies can improve not only their own security posture but that of their partner ecosystem, making it difficult for adversaries to undertake successful attacks repeatedly. However, to do so effectively, the information will need to be shared both amongst peers and between government and the private sector. Not doing so will negate many of the benefits threat intelligence can deliver.
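The two points made in section 3.3 and in the conclusions above (correlating feed indicators with internal telemetry, then sharing only the external indicator values rather than internal details) can be sketched in code. This is an added example, not part of the AlienVault report; the feed values, the key=value log format and the log lines are all constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed feed of the indicator types the report names (IP, domain, MD5).
# Values are invented: a documentation IP range, a reserved example domain, and
# the MD5 of an empty file as a stand-in for a malware hash.
FEED = {
    "ip": {"203.0.113.42"},
    "domain": {"update.example.net"},
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},
}

# Constructed internal telemetry: IDS, web proxy and anti-malware events in an
# assumed '<ts> <source> key=value ...' format, not any real product's output.
LOG_LINES = [
    "2015-06-02T10:01:07Z ids host=ws-finance-07 src=10.20.30.41 dst=203.0.113.42 sig=beacon",
    "2015-06-02T10:01:09Z proxy user=j.smith host=ws-finance-07 url=http://update.example.net/cfg.bin",
    "2015-06-02T10:01:12Z av host=ws-finance-07 path=C:/Users/j.smith/cfg.bin md5=D41D8CD98F00B204E9800998ECF8427E",
    "2015-06-02T10:02:00Z proxy user=a.jones host=ws-hr-02 url=http://intranet.corp.local/",
]

KV = re.compile(r"(\w+)=(\S+)")


def parse(line):
    """Split '<ts> <source> k=v k=v ...' into a dict of fields."""
    ts, source, rest = line.split(" ", 2)
    fields = dict(KV.findall(rest))
    fields["_ts"], fields["_source"] = ts, source
    return fields


def match_feed(lines, feed):
    """Correlate telemetry with the feed; one (fields, ioc_type, ioc_value) per hit."""
    hits = []
    for line in lines:
        f = parse(line)
        if f.get("dst") in feed["ip"]:                      # IDS destination hits a feed IP
            hits.append((f, "ip", f["dst"]))
        host = urlsplit(f.get("url", "")).hostname          # proxy URL hits a feed domain
        if host in feed["domain"]:
            hits.append((f, "domain", host))
        if f.get("md5", "").lower() in feed["md5"]:         # AV hash hits a feed hash (case-insensitive)
            hits.append((f, "md5", f["md5"].lower()))
    return hits


def affected_hosts(hits):
    """Internal view for responders: which hosts touched a feed indicator."""
    return {f["host"] for f, _, _ in hits}


def shareable(hits):
    """External view for peers: indicator type and value only; no host, user, path or internal IP."""
    return sorted({(t, v) for _, t, v in hits})
```

Responders keep the full `hits` (host, user, path, timestamps) for investigation, while only the output of `shareable()` leaves the organisation.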
