How To Use Threat Intelligence Intelligently

Sometimes it’s about a beer, but it’s mainly about being prepared before opening the threat intel floodgates.

Sometimes the best threat intelligence strategy is to not bother adopting it at all.

“You probably should not be using threat intelligence unless you can act on it,” Jason Trost, vice president of threat research at threat intel firm Anomali, said this week. “If you can’t act on it, it’s probably not worth consuming that data.”

Trost, who was a panelist on the Collecting and Using Threat Intelligence Data panel in this week’s Dark Reading Virtual Event, was making a point about one of the biggest problems with the way organizations approach threat intelligence: they often sign up for feeds and services without the resources or mechanisms in place to actually use the information they receive.

Think of adding threat intelligence to the security operation as a commitment: “You need to take it on as a project and it’s a commitment to looking at what you [really] need. You can’t just go buy it. You have to look at the data and what you have internally and how you apply it,” says David Dufour, senior security architect at Webroot. “If you don’t have the available resources to work with it, then you’re wasting your money.”

That money is then better off spent on incident response, he says.

It’s about smart threat intelligence strategy, security experts say.

Take It Slow, Have a Beer

Intel-sharing’s humble roots began with security pros and executives from different companies in the same industry or region getting together over a beer or dinner, face-to-face, to swap their attack or threat war stories. Mark Clancy, CEO of Soltra, a joint venture between DTCC and the Financial Services Information Sharing and Analysis Center (FS-ISAC), joked in the virtual event’s session chat that “beer = first-generation cyber threat intel sharing platform.”

It’s true. The early days of intel-sharing were mainly face-to-face, phone calls, or emails. And that’s still the mode of operation for many organizations.

How organizations collect and use threat intel depends on who they are, says Wendy Nather, research director of The Retail Cyber Intelligence Sharing Center (R-CISC), an intel-sharing group made up of retailers, restaurants, grocers, hotel chains and retail suppliers. Nather, who was also a panelist on the threat intel panel at this week’s virtual event, says sharing often starts with a social meetup after-hours in a more unofficial capacity.

“It starts as gossip, you know somebody at another organization and you get together for a beer and talk about what you’ve seen,” she said. “The challenge is getting all sharing more formalized, open, and more organized. We try to support whatever we can from the Soltra structured data feed through the unstructured discussions.”

Company A’s security manager tells Company B’s over a couple of IPAs that he saw a specific IP address serving up a specific amount of traffic, and the attacker shifted gears to “low and slow” once he realized he’d been spotted. That’s a useful bit of intel for Company B, but then there’s the process of taking action: “It’s hard to put that into structured data, but it’s extremely valuable when you can tell that story and other people in other organizations can add to that story,” Nather explained.

When adopting threat intel feeds and ingesting that information, take it slowly at first. Anomali’s Trost says he often sees organizations taking in too much data and getting overwhelmed. They’re typically under pressure from management that “we need to get into threat intelligence,” so they go all in and end up drowning in false positives and events they can’t respond to, he said. “That’s the biggest mistake we see.”

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada July 30 through Aug. 4, 2016. Click for information on the conference schedule and to register.

A better approach is to start slowly with an intel feed or two, assess how the organization is able to respond to the threats, and then gradually ramp up. “You may have to pivot to different [intel] providers, or processes, to make sure you’re doing it in increments, but moving forward and increasing your capability” to use and take action on the threats, said Adam Meyer, chief security strategist at SurfWatch Labs and a panelist at the virtual event.

Needs v Wants

Webroot’s Dufour says before taking in threat intelligence, there’s a soul-searching stage of analyzing what you want to get from the feeds as well as what you need to protect. And sometimes, you get what you pay for.

“There’s bad threat intelligence out there. It could cost you more to get good threat intelligence, but you may not [then] need to hire three extra people” to triage and apply it, he says.

Beware of dated intel data, or the data going stale before you can actually convert it into a defensive action that thwarts a would-be attack. “What exactly is the data you’re getting and what’s the timeframe reference” it’s related to, Soltra’s Clancy said.

Some indicators of compromise (IOCs) are that way: they have a shelf life, as attackers shift their command-and-control servers, IP addresses, and malware variants to evade detection.
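As an added illustration of that shelf-life point (this is not code from the article or from any of the vendors quoted), the following Python gives each indicator a time-to-live so that a match on an expired IOC is surfaced for re-validation instead of triggering a response; the TTLs, indicator values and proxy log lines are all constructed.

```python
# Added example, not from the article: give each indicator a shelf life so
# that stale IOCs are surfaced for review rather than acted on blindly.
# Every indicator value, log line and TTL below is constructed for illustration.
from datetime import datetime, timedelta, timezone

# Assumed shelf lives per indicator type. A real deployment would take these
# from the feed's own validity fields or from the organization's own policy.
SHELF_LIFE = {
    "ip": timedelta(days=7),        # C2 addresses are rotated quickly
    "domain": timedelta(days=30),
    "sha256": timedelta(days=365),  # a file hash stays meaningful far longer
}

# Constructed indicators (RFC 5737 documentation addresses, example.net domain).
CONSTRUCTED_IOCS = [
    {"type": "ip", "value": "203.0.113.7", "last_seen": "2016-06-28T00:00:00Z"},
    {"type": "ip", "value": "198.51.100.9", "last_seen": "2016-03-01T00:00:00Z"},
    {"type": "domain", "value": "update.example.net", "last_seen": "2016-06-10T00:00:00Z"},
]

# Constructed proxy log lines in a simple key=value layout.
CONSTRUCTED_LOGS = [
    "2016-07-01T10:00:00Z proxy src=10.0.0.5 dst=203.0.113.7 host=- bytes=1200",
    "2016-07-01T10:02:00Z proxy src=10.0.0.8 dst=198.51.100.9 host=- bytes=300",
    "2016-07-01T10:05:00Z proxy src=10.0.0.5 dst=192.0.2.44 host=update.example.net bytes=90",
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_fresh(ioc, now):
    """True while the indicator is still inside its shelf life at time `now`."""
    return now - parse_ts(ioc["last_seen"]) <= SHELF_LIFE[ioc["type"]]


def parse_log(line):
    ts, _source, *fields = line.split()
    record = dict(field.split("=", 1) for field in fields)
    record["ts"] = parse_ts(ts)
    return record


def match(iocs, log_lines, now):
    """Return (hits, stale). hits: (log line, indicator) pairs for fresh
    indicators that warrant action; stale: values of expired indicators that
    matched and should be re-validated before anyone responds to them."""
    fresh = {(i["type"], i["value"]): i for i in iocs if is_fresh(i, now)}
    expired = {(i["type"], i["value"]): i for i in iocs if not is_fresh(i, now)}
    hits, stale = [], []
    for line in log_lines:
        record = parse_log(line)
        for key in (("ip", record.get("dst")), ("domain", record.get("host"))):
            if key in fresh:
                hits.append((line, fresh[key]))
            elif key in expired:
                stale.append(expired[key]["value"])
    return hits, stale


def triage(now=parse_ts("2016-07-01T12:00:00Z")):
    return match(CONSTRUCTED_IOCS, CONSTRUCTED_LOGS, now)
```

With the constructed data, the rotated C2 address 198.51.100.9 is reported as stale rather than raised as an alert, while the two indicators still inside their shelf life produce actionable hits.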

The Holy Grail for threat intelligence, like anything in security, is automation, of course, but not all organizations are equipped to go there just yet. “Try to remove humans from every possible place it makes sense” in threat intel, Anomali’s Trost advised.

SurfWatch Labs’ Meyer says to know why you’re collecting certain threat intel data and for what purpose. “You need clarity and context, situational awareness around threats. You need a methodology structure around collection – some instances at the machine level, correlating against tools specializing in that area, the actor’s motivations in your industry … compare that information to your own processes. Are you well-defined in those processes or not?”

It’s not just about sharing technical indicators of a threat actor, but also the techniques they use, which flips the equation and puts a little economic squeeze on them, according to Meyer. “Maybe [the attacker] now has to write 50 to 70 pieces of malware instead of one” to attack a vertical industry, for example, he said.

He breaks threat intel “consumers” of information into three groups. “Defense is the low layer, practical, on-the-wire information to defend the organization with context, situational awareness and correlation. Then there’s the operational level: the campaigns and actor motivations … are they targeting their industry or not? This is pure intel disciplines,” he said. At the top is the strategic layer, the people in the organization who are evaluating the overall security strategy and evaluating its effectiveness.

Bottom line: threat intelligence is not the endgame. “Threat intelligence empowers decision-making. It’s not the end goal in itself,” says Adam Vincent, CEO of ThreatConnect. “Similar to business intelligence, threat intelligence has the power to support all different kinds of [things] and people and make faster and more accurate decisions across the security organization.”


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise …


Black Hat USA 2016: Beware of Malware

Over 430 million new pieces of malware were discovered last year, a 36% increase from the previous year (according to Symantec). Malware attacks are projected to rise in volume and frequency. Hackers are becoming more skilled at detecting vulnerabilities and commonly use malware as their method of attack. It is critical to be aware of the current malware threats and learn how you can defuse potential exploits.

O-checker: Detection of Malicious Documents Through Deviation from File Format Specifications describes a powerful tool, o-checker, that specializes in identifying documents containing malware-infected executable files. O-checker detected 96.1% of malicious files hidden in targeted email attacks in 2013 and 2014. Targeted email attacks normally inject malware into various document formats. This talk will examine the techniques used for hiding infected files and disclose why o-checker is projected to maintain a high malware detection rate.

Next-Generation of Exploit Kit Detection by Building Simulated Obfuscators reveals that exploit kits are driving epidemic levels of malware delivery. Each exploit kit has an obfuscator, which transforms malicious code into obfuscated code to bypass firewall detection. Many researchers examine the obfuscated page instead of the actual obfuscator, since purchasing an obfuscator that was utilized by an exploit kit is incredibly expensive. This Briefing will introduce a cost-effective method of building simulated obfuscators to conduct in-depth examinations and reduce malware attacks.

An AI Approach to Malware Similarity Analysis: Mapping the Malware Genome With a Deep Neural Network introduces a new method of detecting malware code, which is easier to manage and more efficient than traditional systems. Standard malware detection systems require constant, manual effort in adjusting the formula to identify malware similarities. This new malware detection approach significantly reduces manual adjustments to the formula and is the first to use deep neural networks for code sharing identification. This talk will explain how the new malware detection approach operates and provide examples of its improved accuracy.

If you’re interested in a hands-on experience detecting malware, Hunting Malware Across the Enterprise teaches students how to track malware without having an obvious starting point. This nearly sold-out Training will dive deep into the threat landscape, indicators of compromise, and scripting, which will help in your search for malware. If you want to take a highly technical course that challenges malware defense mechanisms, check out Advanced Malware Analysis. This Training teaches students how to combat anti-disassembly, anti-debugging and anti-virtual-machine techniques.

To stay up-to-date with the latest information security research, take a look at the Briefings and Trainings we’ve lined up for Black Hat USA 2016. We hope you join us at Mandalay Bay in Las Vegas, Nevada, July 30-August 4 for the biggest week in InfoSec.


How to install SparkleShare on Ubuntu and connect it to GitHub


SparkleShare is a unique self-hosted service that not only allows you to do file syncing/sharing, but it can also do version control, client-side encryption, and connect and sync with your GitHub account. This makes it a great file syncing tool for developers.


Although SparkleShare allows you to set up your own in-house server, there are times when syncing with GitHub is more practical. For this, I’ll show how to install SparkleShare on an Ubuntu 16.04 machine and connect your new installation to your pre-existing GitHub account. Once it’s set up, you can easily sync all your work to a repository and share it out.


What you’ll need

I’ll be demonstrating this on an Ubuntu 16.04 desktop, so you’ll need that up and running. You’ll also need to know your GitHub username and have a GitHub repository ready to go.

Installing SparkleShare

Fortunately, SparkleShare can be found on the standard Ubuntu repositories, so installation is simple.

  1. Open a terminal window.
  2. Update apt with the command sudo apt-get update.
  3. Type your sudo password and hit Enter.
  4. Once the update is complete, issue the command sudo apt-get install -y sparkleshare.
  5. Allow the installation to complete.

When the installation finishes, open the Unity Dash or your desktop menu and type sparkleshare; you should see the icon for the software appear. Click the SparkleShare launcher to open the first run wizard.

Setting up SparkleShare

When you launch SparkleShare for the first time, you’ll be required to walk through a welcome wizard. You’ll enter your name and email (Figure A) and, once the wizard is complete, you’ll be given an SSH public key that you’ll need in order to connect to your GitHub account.

Figure A: The SparkleShare first run wizard in action. (Image: Jack Wallen)

After the setup wizard is complete, click the SparkleShare icon in the notification area and then select SparkleShare | Add Hosted Project. In the resulting window (Figure B), click GitHub.

Figure B: Adding a GitHub hosted project to SparkleShare. (Image: Jack Wallen)

Before you continue, you must import your SparkleShare public key into your GitHub account.

  1. Open a terminal window.
  2. Issue the command cd ~/.config/sparkleshare.
  3. Find the name of your .pub key with the command ls (it will end in .pub).
  4. Open the pub key with a text editor and copy the contents.
  5. Open your GitHub account in your desktop browser.
  6. Go to Settings | SSH and GPG keys.
  7. Click New SSH Key.
  8. Title the key SparkleShare.
  9. Copy the contents of your SparkleShare pub key into the Key text area (Figure C).
  10. Click Add SSH Key.

Figure C: Adding the SparkleShare SSH key to GitHub. (Image: Jack Wallen)

Go back to the SparkleShare hosted project setup window and enter your username/project in the required field. The username is your GitHub username, and the project is the name of the GitHub repository to be used with SparkleShare. Then, click Add, and SparkleShare will link to the GitHub repository.

Now you can add to the GitHub repository by adding files to ~/SparkleShare/REPOSITORY (REPOSITORY is the name of the GitHub repository).

Congratulations! You’ve connected SparkleShare to your GitHub repository. If you’re looking to add team members, you can follow the same steps on their desktop machines, and then they’ll be able to sync with your GitHub repository.

A powerful tool

If you’re a developer (especially of an open source nature), you most likely depend upon GitHub. If you need a simple way to keep your work in sync with a repository, SparkleShare is ready to serve.


US courts didn't reject a single wiretap request in 2015, says report


The number of wiretaps authorized by the courts in 2015 rocketed compared to the year before, says a new report.

According to the annual wiretap report released on Thursday, which outlines how many real-time intercept requests were submitted by state and federal law enforcement agencies, the courts allowed 4,148 wiretaps during the last calendar year, up by 17 percent on the year-ago period.

Most were issued by state courts. The majority of wiretaps were authorized in California, which accounted for 41 percent of all applications.

New York came in second with 17 percent of wiretaps for the year.

But not a single wiretap request was rejected during 2015, the report showed.

The report showed that the majority of wiretaps were originally authorized for a 30-day period, but almost 80 percent were extended for a period of time. But it also showed that one Illinois-based wiretap was extended eight times for a 263-day bribery case, and another wiretap that ended last year came after 30 separate extensions for a three-year racketeering investigation.

Congress had to receive the annual report by June 30, according to a spokesperson for the US Courts.

The report doesn’t take into account classified national security requests, which typically involve terrorism, submitted to the Foreign Intelligence Surveillance Court, which were already reported earlier this year.

The government received 1,457 requests from the National Security Agency and the Federal Bureau of Investigation to intercept phone calls and emails last year, but likewise did not reject a single order.

Building Black Hat: Locking Down One Of The World's Biggest Hacking Conferences

For security pros, being asked to help secure Black Hat is like being asked to be on the Olympic basketball team.

As with most networks, Black Hat’s infrastructure requirements are constantly evolving. This year, show management wants to increase bandwidth and performance while maintaining security and reliability. So Black Hat 2016 is moving away from the switching technology provided by Mandalay Bay and implementing secure, high-performance switches, along with enterprise firewall security appliances and wireless access points.

Providing security for an event like Black Hat, especially when it is followed directly by DefCon, is a significant challenge. Our security team, along with the folks from UBM and the amazing Black Hat volunteers, begin reviewing the show’s architecture and scoping out the security strategy several months before the event. From a security perspective, the network design is very similar to a university with open networks and datacenter-like applications.


Onsite setup begins several days before the show events start. We begin with establishing Internet connectivity and core infrastructure deep in the lower levels of the Mandalay Bay. Then we quickly make our way upstairs and work with the show infrastructure team to establish a Security Operations Center (SOC) that showcases all of the security technology in use by the event. As we work closer to the official show start, secure wireless is installed along with L2 switching across the venue to provide security and connectivity for all of the event users.

We then need to secure the proprietary applications and data used by the show to register attendees, process financial transactions, and manage sensitive data and personal information. Using the segmentation functionality built into the firewalls is a critical part of the security design.

The next objective is to create a segmented environment in which the world’s elite programmers and hackers can play, while still protecting the network, attendees, vendors, and presenters. The challenge is in creating a robust and open environment, while still securing the Black Hat event as a whole.

This is easier said than done, as the security team needs to actively monitor the network and make careful decisions about the kinds of traffic and malware being seen. Frequently, we allow traffic to pass through and propagate that would send an enterprise security manager running through the halls; it keeps everyone on our team on their toes.

In addition to all of the device configuration, physical security is absolutely essential. Efforts need to be made to prevent attackers from gaining physical access to the networking devices, and precautions need to be in place that will prevent them from gaining further system access if they do.

Finally, we provide constant active monitoring and penetration testing both before and during the show, and gather forensic data so we can update and improve show security both in real time and in anticipation of future events. (Stay tuned for an article from our pen testing team about what we learned from last year, and the kind of testing and active monitoring we are planning for this year’s event).

Being asked to help secure Black Hat is a bit like being asked to be on the Olympic basketball team. It’s not only gratifying to be invited, but it is also exciting to be able to work and play with some of the best folks in the industry. This year is no exception.


Aamir Lakhani is a cyber security researcher and practitioner with Fortinet and FortiGuard Labs, with over 10 years of experience in the security industry. He is responsible for providing IT security solutions to major commercial and federal enterprise organizations. Lakhani …
