Why Threat Intel is Broken

As security analysts, we’ve all been there. You’re getting ready for work, scroll the news, and see that a new breach has been discovered at a company that isn’t even in your industry. You know it’s going to be the shiny ball of the day as soon as you roll into the office: your manager, your CISO, and everyone within a three-mile radius want to know what’s going on and whether your enterprise is exposed. This happens so often that threat intelligence analysts have become desensitized to breaches. So what next?

You contact every threat intel vendor your team subscribes to, as if they held a magic 8-ball with all your answers. Instead, you’re handed a possible suspect, and now you have to read page after page of intel reports, check with your vulnerability management team that you’re patched against every CVE that actor has previously used, and make sure all the IOCs (which are often stale or irrelevant by the time you receive them) are blocked.

Traditional threat intel is broken. We’re trained to do threat intel analysis with what the industry has given us: wordy reports, long lists of indicators of compromise with little context, and TTPs that are hard to turn into action. At one point this was the best we had, and it was relevant. But as time goes on, we need a new approach.

The purpose of threat intelligence is to gather information that helps you understand an attacker’s capabilities, level of sophistication, motives, and behaviors so that you can proactively take action against them. Generic intel (long lists of indicators and lengthy reports) won’t get you to that goal.

So where can you get this contextualized, rich intelligence on attacker activity? Despite years of effort, endpoint and network sensors have had only limited success in gathering attack data, because of the ratio of normal activity to malicious activity. In the noise of the network, the attack data gets lost. There is too much data to process and too much noise.

The next generation of threat intelligence collection and analysis has to come from advanced honeypots and honeynets, or deception environments, tailored to your attack surface. This is the most direct way to gather intelligence on how your organization specifically is being approached and attacked. Every business, organization, and industry is different and has a unique attack surface, which is why security teams should consider mimicking their own environments to lure threat actors and learn how they operate against that business and infrastructure.

Deception environments are exceptionally effective because they generate known “bad” data: no legitimate user or process has any reason to touch them, so an interaction with a decoy is unauthorized by definition and the data it produces is clear and unequivocal. (One practical caveat: decoys exposed to the internet will also attract mass scanners and other background noise, so the first triage step is separating opportunistic scans from targeted activity; decoys on internal segments are the highest-signal source.) This is how to gather data without disturbing operational IT systems, and how to see clear signals in all the noise. The threat data collected can be used as an input to threat hunting across larger networks and for training other AI-based systems. Deception environments deliver a more concentrated stream of high-value threat data than comparable detection systems.

Threat intel analysts need to be more agile and understand the context of attacks, which is why mapping real-time attacks in deception environments helps show how real threat actors are behaving against your infrastructure. This alerts your teams to where you’re exposed and tells you which control uplifts are needed.

Deception environments allow you to observe and react to intruders in real time. When you see illicit actors on your network, you don’t have to wait for piles of generic intelligence. Instead, you can watch their behavior and place further decoys as you go, which gives you specific, timely information about your own attackers.

So what does a world look like where we have fixed threat intel? You arrive at work and check the deception campaigns you have deployed. You notice that someone is running external reconnaissance against the exposed decoy systems, attempting to use the CVE exploits tied to one of last week’s newly discovered breaches. You gather the attack data and pipe it into your SOAR platform to run a playbook that sweeps the rest of the enterprise IT estate for the IP addresses and IoCs you just collected, to see whether the recon activity you picked up in the deception environment is present anywhere else. You head off to a meeting with the CISO armed with data showing how much the latest breach headlines actually matter for your organization. You are ready for the shiny ball of the day. But this time it is in your pocket. This is threat intel in action.

Like Jim Morrison said, this is the end. But you can...