I was on a discussion panel today at the Annual Advanced Cyber Security Center Conference. The discussion topic was Threat Sharing. We spent a good amount of time discussing challenges when wanting to share threat data, including Indicators of Compromise, outside of your organization. It was a great discussion and worthy of a blog post, which I will do soon. This post I want to talk about a side of threat sharing that isn’t covered often. The ability of an organization to consume threat intelligence data.
The discussion today made me realize that in addition to challenges in sharing threat data there are also challenges in receiving that data. I’ve recently had the opportunity to talk to Incident Response and advanced threat / intelligence teams for several very large organizations. What stuck out was the variance in maturity levels within these organizations security programs. The more advanced ones had a cyber threat intelligence function and someone(s) focusing on advanced threats (I.e. APT…there I said it :). It is these functions that are almost a necessity to process threat data and IoCs from other sources. The challenge is that these functions are still not that common in organizations. Why? Well it’s hard to show ROI for these functions.
These functions are almost considered a luxury in man organizations. My team and I get paid to “hunt” more or less. Our ammunition is IoCs and threat actor TTPs. If we find something today but don’t find anything else for a week does that mean there was nothing to find or we did a poor job looking? That’s a question that is almost unanswerable. It’s a leap of faith or an investment that organizations make to support those functions. The very functions that are an integral part of processing threat data. Without which an intelligence driven security model is very tough to get of the ground and support,
So before you run out and sign up with threat intel providers, private mailing lists and other sources of threat data and IoCs ask yourself a question. If someone gave me the file hash of a specific Trojan, could I actually do anything useful with it? The same would apply to other IoCs like HTTP user agent strings or email MTAs. If the answer is no, what then?
I was asked during the panel why some of the IR teams I met with had cyber intel / advanced threat capabilities and others did not. I can say that there was a direct correlation between an organizations maturity level in the IR department and whether or not they have had a major breach. The ones who have been breached realize these functions are not a luxury but an absolute necessity to combat the current cyber threats we are all facing.