Podcast: How to Make Threat Intelligence Actionable

Hello, everyone, and welcome to another edition of Cyberscoop Radio.

I am your host, Greg Otto.

We're here with another chapter of our threat intelligence series, sponsored by Anomali.

So threat intelligence really is just ones and zeros, unless your organization can pull actionable information from it.

With millions of indicators contained in threat intelligence data, it's important for analysts to stay focused on worthwhile information that could indicate a data breach for their particular organizations.

I spoke with Jessica Ferguson, director of security architecture at Alaska Airlines, on how organizations can apply the right resources to the most critical threats, how threat intel fits into an overall security plan, and how organizations of every size can benefit from threat intel feeds.

OK, Jessica, thank you for joining us today.

I know that you have a wide array of experience when it comes to working with threat intelligence, so I'm eager to get into this and see how your expertise fits into how organizations can create their own threat intel feeds.

Yeah, thanks for having me.

I appreciate it, and looking forward to the conversation.

So a common challenge for security teams has been the overflow of unstructured data.

I would love to hear about the challenges you have faced over the years with this type of data, and how it factored into your dealings with threats.

Yeah.

So you know, I think that there's a couple different challenges that you have with unstructured data.

You know, we've looked a lot at particularly in the space of open source intelligence, right?

And how do you take information that's public, that's unstructured data-- let's say, Twitter, right, Twitter is kind of a classic example-- and be able to ingest all this data, and then be able to mine for intelligence information out of it as you go along.

The challenge that you have is there's such a large amount of data coming in, being able to ingest that real-time, even if you had a list of indicators or things that you wanted to look for inside of that data stream, you know, as soon as your data model changes, going back and trying to identify new threats on that data is very hard.

So anybody who's worked with large unstructured data sets before knows that doing large historical searches across that data set is hugely challenging.

And two ways to do it.

Either you throw large amounts of machine power at it, or you throw large man hours at kind of doing those kind of historical data searches.

I worked at an organization in the past, and right after Heartbleed came out we got lucky and caught wind of the next vulnerability that was going to come out for SSL on Twitter, right?

And it just happened to be somebody saying stay tuned, something's coming out related to a new vulnerability, a new threat.

And we basically had to look at how do we respond to that and how do we track that.

So we actually tracked that threat actor, the actor who posted that tweet, and all the information around it.

You're kind of taking a gamble that 50/50 you could be right or wrong, right?

Anybody can post anything to Twitter, right?

And that's kind of how do you understand what's real, what's not and develop a baseline of different people, different profiles, and what your confidence value is inside of those data sets.

But it is a huge challenge.

You're kind of mining for that little 1% inside of a huge amount of noise.

So when you are mining for that-- I mean, and security teams across small, medium, and large enterprises are all doing this, so with that, you know, what are most security teams missing from the intelligence they receive?

There's two things that drive relevance in intelligence, and it's confidence and context, right?

So how do I trust the source of this data, and then is this data actually relevant to me.

And I think that's one of the challenges that we have inside the organization, or inside of the industry, is a new threat actor comes out, say APT28, right?

That was a very popular one.

And everybody is going, oh my gosh, APT28 is out to get me, right?

Well no, APT28 is probably not out to get you, unless you are in military or government or something like that.

And so I think understanding the context of who a threat actor is is important to an organization to start building profiles of threat actors.

And then also understanding who are your data sources, right?

We work with multiple different threat intelligence partners.

There's multiple different threat intelligence partners who are geared towards different industries.

Our industry happens to be aviation.

For us to work with a threat intelligence provider, say, who's focused on financial organizations may or may not make sense.

So I think really understanding where your data is coming from, who that data is targeted to really drives that relevant.

With that said, I think that this kind of gets back into this unstructured data set.

You may have lots of unstructured data or open source intelligence data that comes in.

That may be low confidence, right, in that you may have your analysts spend time hunting through that data.

And then you may have higher confidence data that you can kind of start automating on because you have a higher trust level of the source of that data.

Besides the trust level and the man hours that get put in, can you kind of talk to me about how the products have evolved for better intel gathering?

I think that there's been a lot of development in the whole threat intelligence automation space, machine learning space.

You know, so we have threat intelligence providers, threat intelligence platforms that are able to kind of take mass amounts of threat data and be able to some machine learning rationalization around that [INAUDIBLE] is this actually a real indicator, you know, has this indicator been seen in the past, or this observable, you know, and then be able to put that data into kind of a format that is easily dispersed across your organization, and kind of allows you to begin getting feedback from that data in real time.

I think that the machine learning piece is key to that.

And then also, you know, feeding that data from your own intelligence gathering, and also working with industry intelligence partners, as well.

So we work in the aviation community with, for example, the Aviation ISAC.

And they feed us information, as well.

So we've networked a lot with other aviation entities on driving better intelligence.

So with the products and the manpower that now allow for better intel gathering, how do you integrate platforms like this into an overall security plan?

I like to look at everything as a sensor, right?

So we have lots of different systems in our environments, you know, everything from enterprise detection and response systems, firewalls, IDS, IPS, you know, even our anti-virus, anti-malware.

And these are all systems that we can either pull data out of or push data into, right?

You know, I always start with looking at opportunistically where can I take this threat intelligence data set that I have, and where can I opportunistically push that, right, and start putting that data in those sensors.

And I think that's a key piece with, you know, as we're talking about getting better at intelligence gathering is having a common taxonomy around your threat intelligence data.

And this is, I think, one of the challenges that we have inside this industry is each vendor, right, a lot of different vendors want to be kind of their own source of threat intelligence.

And what you end up with is a fractured threat intelligence set that's not consistent across your organization.

And this is why I'm a huge believer in open access APIs into all my systems, and being able to in an automated fashion, you know, pull threat intelligence data from certain systems and start overlaying that data into other systems.

And you may have systems that you cannot push through intelligence data into.

I can't with a lot of my systems.

And you know, and so really your log aggregation platform is really key for being able to apply that intelligence data to everything else that you have.

So for example, you know, we have airplanes, and we pull logs off of those airplanes.

Well, I can't exactly push threat intelligence data to an airplane.

It doesn't support that.

But I can, after the fact, parse through the logs of that airplane and be able to apply that threat intelligence set.

So the last part of that with what you were talking about in reference to threat intelligence with airplanes gets to my next question.

What does actionable threat intelligence look like to you?

I think I look at that in two different ways.

So when we're talking about from a programmatic perspective, like, what can I do in an automated fashion, things that are machine readable with a common taxonomy, right?

So I want to be able to have threat intelligence that I can push across the organization in an automated fashion.

And in order to do that, I need to have a single source of truth, and it needs to be machine readable in a way that I can easily apply and manipulate that data.

I think that, from a broader perspective of threat intelligence, it is threat intelligence that's relevant to my environment so that I have high confidence in and is contextually relevant to my environment.

I think data that we receive, particularly from other aviation partners or other highly trusted sources, you know, is all actionable intelligence, you know, that I can feed back into that machine, and be able to manipulate and use that data across the environment.

When dealing with this threat intelligence, what are your long-term goals with it, and how would you measure progress inside your enterprise?

Our long-term goals, you know, really what we're building to at Alaska is we want to get to a point where we can automate through our environment, right, which is we get a qualified event, which means I'm pushing that threat intelligence data out or doing searches against unstructured or restructured data with my intelligence set, and I'm able to respond to a qualified event in an automated fashion.

You know, from our perspective, you know, we want to be able to get to a point where we're building the automation platform and building the machine to be able to respond back to those.

And if those events are unable to respond to it in an automated fashion, or if we have high enough context or confidence in those events, we can push those up to our threat analysts, and they can respond to those appropriately.

So that's a real-- that is a metric that we can track, right?

What is my overall number of events versus what we were able to handle in an automated fashion.

You know, also we want to look at what are the effectiveness of our threat intelligence providers, right?

So we receive different intelligence from different entities that we're aggregating.

And you know, how effective are those entities?

Are we getting value out of those intelligence feeds?

You know, if we're not, then we want to be able to realign our intelligence sources make sure that we're working with the appropriate parties to gather that intelligence.

Working for Alaska Airlines, that is a pretty big company.

And while large enterprises can generally utilize threat intelligence pretty well, it sounds hard for IT practitioners in mid-sized businesses to leverage threat intel in their environment, since they're typically not security researchers or they have a small IT security staff.

How would you advise small or medium business to use threat intel platforms?

Yeah.

I would say start small, right?

You know, start with what you have.

And I think that perfection can be the enemy of progress, And you know, don't allow perfection to be the enemy of progress.

If you have different systems with threat intelligence feeds, then you can use that data-- and even if it's a disparate data set, when you can respond to those events, then that's awesome.

If you get to a point where you can acquire a threat intelligence platform, then that's even better.

That gives you kind of another layer of aggregation and machine learning around that.

I've met with and worked with some smaller organizations where they have a two-person staff, and they have an intelligence platform.

And they integrate that with their firewalls, right?

And it's really all they have time to do, is just integrate that threat intelligence platform with their firewalls.

They get alerts out of that.

And they're not tracking actors, they're not tracking any kind of threat modeling or anything like that.

They're just really, really, really tactical.

And that's awesome.

If you can get to that point where you can even just get that one in integration and kind of get a common data set, and you're getting value out of it, then that's a win.

Jessica, thank you very, very much for taking the time to speak with us on this.

I'm sure that, you know, this will continue to evolve as you continue building out architectures at Alaska Airlines.

So I really appreciate you giving us some insight into how you can manage that intelligence.

Thanks for your time, Greg.

Thank you again to Jessica for speaking with us.

The massive volume of known bad sources makes it nearly impossible to constantly monitor all traffic, so finding ways to pull the best information possible is paramount for organizations looking to stay ahead of malicious activity.

And thank you again to our sponsor, Anomali, who has sponsored our entire threat intel series.

For more on that series and all things cybersecurity, check out cyberscoop.com.

I'm Greg Otto.

Thanks for listening.