Most organisations understand the importance of integrating actionable threat intelligence into their security workflow, but very few organisations excel at doing so. There are many components to a successful intelligence programme, but this piece will focus on the challenge of sourcing intelligence. While there is no one particular approach to selecting intelligence sources that will lead to success in all cases, here are some pointers.
The combined knowledge of many organisations is greater than the individual knowledge of just one. Be known as a serious security professional intent on building a serious security programme. Invest in and contribute actively to both formal and informal information-sharing organisations, trusted forums and individual relationships.
Your peers will share their honest thoughts regarding different intelligence sources with you. In addition, those peers will likely also share information with you. Remember that those who give the most generally receive the most. Further, high-quality intelligence can generally be obtained through information exchanges, once trusted relationships have been built.
Context is key
Only information with its associated context can be considered intelligence. Without that context, that information is merely data. While sourcing intelligence, it is important to ensure that the source includes the proper context along with its data. The context need not be complicated or fancy, but should provide enough instruction regarding how to use the intelligence operationally.
For example, “these domain names are command and control domain names” or “these URLs are drop sites” provide adequate context, while “here is a long list of IP addresses for which there is no additional context” does not. If the intelligence offering does not include that important contextual information, it is probably not really much of an intelligence offering.
The combined knowledge of many organisations is greater than the individual knowledge of just one
A clear vision goes a long way towards helping source intelligence. Understanding what you intend to accomplish with your intelligence programme helps to prioritise risks and threats to the organisation. Prioritising risks and threats to the organisation enables the identification of goals and priorities.
Goals and priorities subsequently help to guide the selection of intelligence. For example, if your organisation does not handle payment cards, it is unlikely that intelligence on payment card-stealing malware will provide much value. Different intelligence sources have insight into different threats and provide different points of view, angles and perspectives.
Each source’s approach and perspective are likely to be a little different, and not all approaches and perspectives will suit your organisation’s needs.
It never hurts to do some vetting. If an intelligence source is valuable, word on the street will support that. In the physical world, we would vet an information source for being reliable before accepting and acting upon information from that source. The same holds true in the virtual world.
Value quality over quantity
In the intelligence realm, quality is far more important than quantity. Consider the example of two intelligence sources. Intelligence source A provides us with 5,000 pieces of information that generate 10 true positives and 100,000 false positives. Intelligence source B provides us with 10 pieces of information that generate 100 true positives and 10 false positives.
More about cyber intelligence
It is easy to see that source B provides us with more value in that it detects more true positives. But there is another, often overlooked aspect. Source A generates far more noise, which pollutes our work queue and clouds our visibility into the organisation.
Good intelligence sources will have a solid process, world-class people and cutting-edge technology. Do not be bashful – ask intelligence providers to explain to you how they generate their intelligence and why it suits your organisation’s risks, threats, goals and priorities.
While it is true that intelligence providers usually cannot disclose the inner workings of their intelligence apparatus, they should at least be able to explain the process conceptually. If the provider cannot articulate how they bring value, or the explanation does not make much sense, that is a good data point for the decision-making process.
Sourcing intelligence is, unfortunately, not as straightforward an endeavour as we would like it to be. Having said that, there are still a number of techniques that can be used to identify sources of intelligence (whether paid, open source or communal), assess their relevance to an organisation and evaluate their quality.
Understanding and using these principles can assist an organisation in making sense of what is out there and facilitate sourcing intelligence of high value, relevance and fidelity.
Joshua Goldfarb is chief security officer of the enterprise forensics group at FireEye