“Good Intel Is Hard”
– Perch SOC Lead, Patrick S
Today, Patrick and I were discussing some intelligence that we’re sensing on. This intel comes straight from a private intelligence source that’s supposed to have highly accurate and targeted intel. Our focus is on private sharing communities, e.g. ISACs, ISAOs, etc. In our experience, these sources of intel are supposed to be highly relevant and vetted, to make sure members of said communities are watching out for the most significant threats to their industry or community.
Contrast that to a threat feed like the open source Emerging Threats data. It’s excellent data that everyone needs to be detecting against. It’s just not specialized. It’s valid data that’s publicly available, and you should detect on it. (I’m trying to be super clear here: I’m not knocking ET at all. Use ET data, pay for ET Pro, you need it. But it’s table stakes, and getting the data from that source is key.)
There are a few issues in the state of cyber intel that I see so far:
- Even targeted, industry-specific intelligence ingests ‘other’ intel, thereby making it not very targeted. (One Stop Shop for Intel vs Highly Focused and Relevant)
- Intel is shared before it’s vetted, leading to a lot of garbage (BUT I tend to prefer this, compared to ….)
- Intel is researched, vetted, and analyzed before it’s shared, slowing down the release of information.
TIPs and Private Communities
TIP = Threat Intelligence Platform: a content management system that specializes in the creation, collaboration, ingest and export of cybersecurity intelligence data in standardized formats, for human and machine consumption.
ISACs (Intelligence Sharing and Analysis Center) and ISAOs (Intelligence Sharing and Analysis Organization) offer communities a fantastic resource, when they’re run well. They provide a common center for analysis, research, and communication with other groups (FBI/DOJ, 3 letter agencies, etc.), and are chartered to disseminate intelligence to their members. The issue that I’m currently running into during the automation of intelligence to detection is that these highly focused groups are ingesting data from other organizations or intelligence sources. They’re ingesting some commercial and public feeds. This dilutes their value, in my opinion. Any tool that’s worth its salt (what a weird saying) already pulls in open source intelligence and even popular closed source intelligence. Continue to add value by focusing and sharing highly relevant data.
Vetting of data
There’s a balance between sitting on data too long and being paralyzed by analysis, vs sharing data too early that’s wrong. I’d lean toward sharing too early rather than too late, though. It’s very easy to tell if comet.yahoo[.]com is a False Positive. I don’t mind an analyst taking 5 minutes to figure that out. I tend toward that compared to holding valuable intelligence too long “just to make sure it’s super bad”. By then, my systems may be “super dead” (to quote A. Hamilton, or at least the musical, Hamilton).
If you’re pretty sure it’s bad, push it out. Let the boots on the ground figure it out for sure. Worst case scenario, we take 5-10 minutes investigating alerts because of it. Best case scenario, I alerted on some outbound traffic to new C&C infrastructure and was able to squash it REALLY quickly.
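One way to get the “push it out fast, but give the analyst the 5-minute hint” behaviour described above is a small triage step in the intel-to-detection pipeline: refang the shared indicators, tag anything under a well-known benign parent domain as a likely false positive, and still emit every indicator so nothing is held back. This is an added example, not Perch’s code; the allowlist and the sample indicators are constructed for illustration.

```python
"""Quick pre-detection triage for shared indicators (added example).

Every indicator is still emitted (speed wins), but ones that sit under a
known-benign parent domain are tagged 'likely_fp' for the analyst.
"""
import re

# Constructed allowlist of benign registered domains. In practice this would
# be a maintained list (your own top-N or internal allowlist).
BENIGN_PARENTS = {"yahoo.com", "microsoft.com", "google.com"}

# Defang styles commonly seen in shared intel: comet.yahoo[.]com, hxxp://
_DEFANG_PATTERNS = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"^hxxps?://"), ""),
]


def refang(indicator: str) -> str:
    """Turn a defanged domain or URL indicator back into a bare hostname."""
    value = indicator.strip().lower()
    for pattern, repl in _DEFANG_PATTERNS:
        value = pattern.sub(repl, value)
    # Drop any URL path and trailing dot; keep only the hostname.
    return value.split("/", 1)[0].rstrip(".")


def registered_domain(hostname: str) -> str:
    """Naive eTLD+1 (last two labels). Real code would use a public-suffix list."""
    labels = hostname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else hostname


def triage(indicators):
    """Deduplicate, then tag each indicator 'likely_fp' or 'push'."""
    seen = set()
    results = []
    for raw in indicators:
        host = refang(raw)
        if not host or host in seen:
            continue  # skip blanks and duplicates from the feed
        seen.add(host)
        tag = "likely_fp" if registered_domain(host) in BENIGN_PARENTS else "push"
        results.append({"indicator": host, "tag": tag})
    return results


if __name__ == "__main__":
    # Constructed sample, as indicators might arrive from a sharing community.
    sample = ["comet.yahoo[.]com", "hxxp://evil-example[.]test/payload", "comet.yahoo[.]com"]
    for row in triage(sample):
        print(row)
```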