
Cyberthreat intelligence

Creating order and drawing actionable information from a multitude of log files and data streams is a daunting task, but help might be on the way in the form of cyberthreat intelligence.
Sponsored by

www.scmagazine.com | 2016 Haymarket Media, Inc.

Organizations today are combining the useful data left behind by attackers with analytic tools to create a new generation of intelligence, reports Jesse Staniforth.

Whether mucking about in the murky world of the Dark Web or developing Big Data analytics to process thousands of log files and data feeds, security professionals are searching for advanced tools to create order from chaos.

Cyberthreat intelligence (CTI) is "evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard," according to Gartner. It also can be described as the process of detecting potential and actual threats using evidence-based data, responding to them and defeating the attackers using forensic and logical data the attackers themselves leave behind. It is fast becoming one of the key security resources for CISOs and security teams, but it's not just enterprises benefiting from CTI; small to midsize businesses are finding value in CTI as well.

OUR EXPERTS: Cyberthreat intelligence
Ed Bellis, founder and CTO, Kenna Security
Bob Gourley, co-founder and partner, Cognitio
Andrew Hay, CISO, DataGravity
John Pescatore, director of emerging security trends, SANS Institute
Michael Orosz, director of the Decisions Systems Group, Information Sciences Institute, Viterbi School of Engineering, University of Southern California

One of the barriers to understanding the merits of CTI is confusion about what it is and what it isn't. John Pescatore, director of emerging security trends at SANS Institute, a research and development organization, says that threat intelligence has become a buzzword over the past year in the information security world and vendors want to profit from it. For that reason, anti-virus vendors might describe their products as being powered by threat intelligence because they classify their signature feeds as CTI. However, Pescatore is dismissive of this tendency, defining CTI as more than just signatures. Instead, he explains, "What SANS tends to call cyberthreat intelligence is information about active threats that you can consume to both prevent more attacks and detect ones you can't prevent more quickly." While he acknowledges that anti-virus signatures can be helpful in both preventing and detecting attacks, he says that CTI encompasses a much broader array of information than simple signatures.

"Some will define threat intelligence as indicators of compromise, and those are generally signatures," he says. "If you're broken into by this threat, you should see these files on your machine. What we really want threat intelligence to do is go a little more broadly to describe exploits or techniques and indicators that are more than just signatures. We want to identify broader behaviours. If you see signs of those behaviours, you may have been attacked."

As an example, he provides the recent discovery of vulnerabilities in SSL (Secure Sockets Layer) encryption. Potential threat actors would leave traces in the form of log events to show that they had been exploring vulnerabilities in a target's SSL, and a second set of data would show traces of whether they had exploited any vulnerabilities they found. An ability to identify both types of evidence is an example of threat intelligence that is responsive to information that both prevents attacks and detects the unpreventable ones more quickly, he explains.

67%: Percentage of respondents in the 2014 Global Information Security Survey who see threats increasing in the risk environment. Source: EY

Another example is the insider threat. "Imagine you have an employee who, out of the blue, accesses a critical, privileged database," posits Michael Orosz, director of the Decisions Systems Group, Information Sciences Institute, Viterbi School of Engineering, University of Southern California. "Maybe they're totally within reason; maybe there's a new job responsibility added to this employee. But maybe not. That's an indicator that may require further investigation, which is where threat intelligence comes in."

Traditional defenses against viruses, worms and distributed denial of service (DDoS) attacks are reactive and rely on recognizing established threats, says Orosz. By contrast, CTI is an attempt to put up a proactive defense that sets up appropriate countermeasures before an attack can occur.

"It's about identifying the steps, processes, tactics and techniques that are used by people launching these attacks," explains Pescatore, "rather than simply identifying these threats, and rather than just a hash of a file or a simple signature to look for."

Who needs cyberthreat intelligence?

"There are a lot of companies getting funding for threat intelligence," says Andrew Hay, CISO at DataGravity, a Nashua, N.H.-based storage vendor. "At the beginning of 2015, you'd just walk up and say, 'I've got a threat intelligence solution,' and [venture capitalists] would say, 'Shut up and take my money! Go make me rich!'"

Through his hyperbole, Hay, a former IANS Research faculty member, is serious about the plethora of CTI companies presently operating, a variety that makes it difficult for a potential consumer to determine the value of the intelligence that the CTI company provides.

"There's nobody out there comparing, grading and rating them," SANS's Pescatore says, "and there are just so many of these sources. The bad news is there's a lot of buyer beware."

Pescatore assumes that every business is likely to be taking a few basic steps to defend itself against cyberattack, such as deploying anti-virus software. This constitutes a base level of defenses. "If you're not up to that base level," he says, "don't even think about threat intelligence. But if you're at that base level, then you consider the staff you have and the security controls you have in place, and ask what sort of information, if you had it, would allow you to detect faster and prevent more."

However, even for those who have surpassed the base level of security, integrating CTI into existing systems can prove difficult. CTI, in general, takes the form of feeds of information, and Hay emphasizes that without the means to apply that raw information to its defensive footing, CTI will be useless.

"Unless you have something to plug those feeds into, or a policy, procedure or process to actually do something with that data received, you're really just throwing money out the window," he says. "The absolute minimum barrier to entry is a SIEM [security information and event management] or log management product of some sort. Then you at least have something to correlate the information that's coming in with your security ecosystem. Another barrier would be a recent firewall, something that has the ability to act on those threat intelligence indicators."

On its own, the information is too disconnected to be of any use. DataGravity's Hay offers the analogy of a person trapped on a desert island while it's raining. "You could just open your mouth and hope to get water that way," he says, "but it'd be great if you could have a bucket to hold all that water so that you could drink from it at a leisurely pace, or when you have time."

37%: Respondents who say real-time insights on cyber risk are not available. Source: EY

However, used properly, Pescatore says the bucket-style of CTI can provide a strong additional line of defense. "There are a great many really good sources of threat intelligence information that you can integrate right into your DNS [domain name system]," he says, "so that if any of your users tries to access a site, or if software gets on one of their PCs and tries to communicate outbound, if it's trying to resolve to a DNS location that the threat intelligence thinks is bad, it will either alarm or not allow the resolution to happen. That's an easy one. If you can get that information in the right format, you can integrate it into your DNS and whammo."

Bob Gourley, co-founder and partner at Cognitio, a strategic consulting and engineering firm managed by a team of former senior technology executives from the U.S. Intelligence Community, breaks cyberthreat intelligence down into three categories: strategic, operational and tactical.

"Strategic cyberthreat intelligence is used by senior decision-makers for long-range decisions and can be delivered by briefing or written assessments," he explains. "Operational cyberthreat intelligence is focused on the day-to-day operators directly engaged in incident response and other cyberdefense functions. It can also be delivered in writing, frequently in email. Tactical cyberthreat intelligence is for immediate action and is best configured to enable automated response."

While a CTI feed might be readable by humans, Gourley notes, its ultimate goal is to enable your next-generation security device or endpoint device to take automatic action. In order to configure this connection, you will need input from your feed provider and the vendor of your security solution.

Pescatore adds that CTI delivered in the standard TAXII and STIX formats (Trusted Automated Exchange of Indicator Information, the transport, and Structured Threat Information Expression, the content format) can be easily plugged into existing security processes, such as a SIEM. For that reason, he counsels a potential buyer to make certain that whatever information they're signing up for will be delivered in standard formats. Furthermore, he offers questions for potential CTI customers to ask as they enter the marketplace: What are my security controls, and what sort of threat intelligence information could I immediately take advantage of? What could I do to improve my security controls so they could take advantage of this threat intelligence information?

Ed Bellis, founder and CTO of Kenna Security, a Chicago-based vulnerability management vendor, says that the value of CTI is predicated on the information it provides. "It's important the information is timely, accurate and relevant," Bellis explains. "While it can be said that integration is important for most security products, it's vital for security intelligence. The ability to act on threat intelligence that is relevant to your organization in a timely manner is where the real value resides."

However, says Gourley, the market is so full of CTI at the moment that selecting a provider is a challenge. Venture capitalists are funding CTI startups at the same time as traditional security companies are getting into the CTI game, and it is difficult to determine which products will survive the competition. "Some CTI is worth its weight in gold and you will find it directly supports decisions and helps defend the enterprise," Gourley says. "Some is of little value and you may regret signing up for it."
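Pescatore's DNS integration and his advice to insist on STIX/TAXII delivery, both discussed above, worked as one added example. This is my code, not the article's or any vendor's: it parses a small STIX 2.1 bundle (assumed to be what a TAXII client handed over; the article names only the formats, not a version) into typed indicator sets, then evaluates a constructed resolver query log against the domain indicators the way a DNS response-policy zone would, either alarming on a hit or answering NXDOMAIN. The bundle, the query log and every domain, address and hash in them are constructed for illustration.

```python
"""Added example, not code from the article or any vendor it names: load
indicators from a STIX 2.1 bundle (as a TAXII client would hand over) and
apply the domain indicators as a DNS resolution policy over a query log."""
import json
import re

# Constructed STIX 2.1 bundle, trimmed to the fields the parser needs.
# Every domain, address and hash below is an illustrative value, not a real IOC.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "indicator", "id": "indicator--a1", "pattern_type": "stix",
         "pattern": "[domain-name:value = 'c2.bad.example']"},
        {"type": "indicator", "id": "indicator--a2", "pattern_type": "stix",
         "pattern": ("[domain-name:value = 'drop.evil.example' "
                     "OR ipv4-addr:value = '203.0.113.7']")},
        {"type": "indicator", "id": "indicator--a3", "pattern_type": "stix",
         "pattern": ("[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015"
                     "a3bf4f1b2b0b822cd15d6c15b0f00a08']")},
        # Non-indicator objects ride along in a bundle and must be skipped.
        {"type": "malware", "id": "malware--b1", "name": "not an indicator"},
    ],
})

# One comparison inside a STIX pattern: <object-type>:<property> = '<value>'.
# Only simple equality comparisons joined by OR are handled here; AND,
# other operators and temporal qualifiers need a real pattern parser.
_COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def indicators_from_stix(bundle_json):
    """Return {"domain": set, "ipv4": set, "sha256": set} of atomic indicators."""
    found = {"domain": set(), "ipv4": set(), "sha256": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator":
            continue
        for otype, prop, value in _COMPARISON.findall(obj["pattern"]):
            if otype == "domain-name" and prop == "value":
                found["domain"].add(value.lower().rstrip("."))
            elif otype == "ipv4-addr" and prop == "value":
                found["ipv4"].add(value)
            elif otype == "file" and prop == "hashes.'SHA-256'":
                found["sha256"].add(value.lower())
    return found


def matching_indicator(qname, bad_domains):
    """Return the listed domain covering qname (exact or any parent), else None.
    A listed 'drop.evil.example' must also catch 'beacon.drop.evil.example'."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in bad_domains:
            return candidate
    return None


# Constructed resolver query log: timestamp, client address, query name.
QUERY_LOG = """\
2016-01-20T09:12:01Z 10.0.0.15 www.example.com
2016-01-20T09:12:03Z 10.0.0.15 c2.bad.example
2016-01-20T09:12:04Z 10.0.0.22 beacon.drop.evil.example
2016-01-20T09:12:05Z 10.0.0.22 notevil.example
"""


def apply_dns_policy(log_text, bad_domains, mode="alert"):
    """Decide each query. mode="alert" resolves but flags hits; mode="block"
    answers NXDOMAIN for hits, as a sinkholing resolver would.
    Returns (client, qname, action, matched_indicator) per log line."""
    decisions = []
    for line in log_text.splitlines():
        _ts, client, qname = line.split()
        hit = matching_indicator(qname, bad_domains)
        if hit is None:
            decisions.append((client, qname, "resolve", None))
        elif mode == "block":
            decisions.append((client, qname, "NXDOMAIN", hit))
        else:
            decisions.append((client, qname, "resolve+alert", hit))
    return decisions


if __name__ == "__main__":
    iocs = indicators_from_stix(STIX_BUNDLE)
    for decision in apply_dns_policy(QUERY_LOG, iocs["domain"], mode="block"):
        print(decision)
```

The parent-domain walk in matching_indicator is what makes a domain feed useful against malware that beacons to throwaway subdomains; the IP and hash sets are extracted at the same time so the same feed can be handed to the firewall and the endpoint tool Hay and Gourley describe.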


Variants of the Backoff PoS malicious code identified in 2014: backoff, goo, MAY, net and LAST. Source: U.S. Computer Emergency Readiness Team

Still, he says, "The only way we know of to optimize your current threat intelligence feeds is by independent assessment. The vendors of the cyberintelligence products and the vendors of security solutions all want to do good for you, but everyone comes with bias. A detailed review by professionals who know the art and science of cyberthreat intelligence is the best approach."

Determining the value of information is not easy. In order to do so, Bellis says that an organization must begin by determining its requirements in order to seek out CTI that meets those needs. "The first place to start is with a use case or multiple use cases," he says. "What is the problem you are trying to solve and how will threat intelligence help your cause? Some threat intelligence providers are focused on the who, meaning what threat actors, where are they coming from, IP addresses, who are they targeting. While others are focused on the how, such as, what techniques are they using, methods and kits and so on."

Bellis adds that a potential customer needs to articulate their needs to a CTI supplier as precisely as possible, ideally by presenting real examples from experience. If the team understands their use cases well, he says, a vendor should be able to clearly demonstrate how their threat intelligence product would help achieve success for those use cases. By having predefined use cases and questions you want answers to, the prospective vendor should be able to plug in their data to help you find answers.

Orosz agrees. "It's not just detecting a potential attack or compromise, it's a question of what you're going to do about it. A vendor needs to understand and work with an organization to develop a mitigation plan. You have to have that in place. It should be really obvious how it all pieces together and there should be no question marks. If someone presents you with something that doesn't make sense, that might be your first clue."

Even then, determining the overall worth of threat intelligence information can be a difficult task and one that often leaves organizations feeling taken advantage of. An important consideration, says Bellis, is the relevance of the data, the value of which changes daily and widely.

"It is hash values, IP addresses, domain names, network artifacts, tools or methods," Bellis says. "These all have different value and very different shelf lives. An IP address being used in a malicious campaign can be stale by the time it even makes it into a feed, let alone when it's pulled into your process."

The specificity of industry-select CTI can also be misleading, Hay adds. Imagine a small-town credit union in the Midwest that wants to purchase financial-services CTI in order to keep its coffers safe. An immediate problem appears in that most financial-services CTI will be geared toward much larger organizations in major urban centers. Consequently, information that a small-town credit union derives from such CTI might not prove applicable to that company's specific needs and circumstances, even though the industry vertical is fundamentally the same, Hay says.

Pescatore notes that at the Executive Security Action Forum that preceded the 2015 RSA Conference, the 100 or so CISOs present were surveyed about the subject of cyberthreat intelligence. The common response was, "When I first looked at one threat-intelligence service, I found that about 75 percent of it I got for free." So much of this information can come from free sources that, if you have the people, you could be downloading it and doing it all yourself, Pescatore says. "At one level, the first check of a threat-intelligence service is to ask whether it's providing more than you can get on free websites that we already know about. That's a simple but worthwhile check."

>19K: Number of hacktivist attacks against French websites credited to #OpFrance. Source: Verisign

But even that is a difficult measure to be certain about. DataGravity's Hay points out that there is an enormous amount of overlap in the data provided by CTI vendors, who generally find their intelligence in the same place as their competitors find their own. "A lot of them start with grabbing information from honeypots, such as source IPs," Hay says, "or they're just getting them from the same free feeds that get published online, and amalgamating them, maybe slicing and dicing them so that it aligns with the types of industries they're selling to."

For that reason, Hay wonders whether smaller organizations would be better off handling CTI on their own through the same widely available sources of threat information curated by CTI companies for their specific audiences. "The open source route is probably the best starting point, but again, what are you going to do with the data?" he asks, identifying a central CTI quandary. "You need to have something that can use the data. There's no sense in pulling the data in if you're never going to look at or act on it."

Cognitio's Gourley notes that there are multiple open source feeds. An example of a strategic feed is ThreatBrief.com from Cognitio. The feed is free but requires a subscription. Some examples of free operational feeds are those provided by the United States Computer Emergency Readiness Team, or US-CERT. On a tactical level there are many feeds, including those provided by the National Cyber Forensics and Training Alliance (NCFTA).

However, considering the time and trouble it would take to integrate open-source CTI, Hay wonders whether CTI might simply be too much trouble for small and midsized businesses. Its potential for improving defenses could be equalled through alternative measures, he says, what he calls "shoring up the kingdom."

"See what software's installed, what's out of date, what needs to be patched," he says. "A good guide that I usually tell people, especially mid-market and lower, is to look at the SANS Institute or the Center for Internet Security's Top 20 Critical Security Controls. If you follow and implement and measure that, you're going to cover 95 percent of the holes that could really be attacked. Your attack surface area will be reduced that much." With that much reduction in attack surface, the necessity for CTI would be greatly reduced, he notes.

For those who believe that they have already covered their bases and would like to add CTI to their arsenal, the easiest upgrade, Hay says, is simply whatever is in front of them. "If [an organization has] an existing product that has an upgrade or add-on service that is a threat intelligence feed, that would probably be step one," he explains. "Measure the effectiveness of that. If they're not getting any positive results or any marked improvement following that, then start looking at dedicated threat intelligence vendors that may play nicely with your equipment."

Finding the right CTI vendor

Looking for dedicated CTI vendors, Pescatore and Orosz agree, is best done with advice from experts. Orosz suggests contacting the FBI's local InfraGard information-sharing organizations, which have 86 local chapters across the country. He also counsels simply calling one's local police department and asking them for advice on who to trust.
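Bellis's point above that indicator types have very different shelf lives, and the check Pescatore and Hay describe of whether a paid feed adds anything beyond the free sources, worked as one added example. This is my code, not the article's or any vendor's: each indicator's confidence decays linearly to zero over a per-type shelf life, records that have decayed to zero are dropped before loading, and the paid feed's unique contribution is measured against the union of the free feeds. The shelf-life values, the reference date and all three feeds are assumptions constructed for illustration; the article gives no figures.

```python
"""Added example, not code from the article or any vendor it names: age
indicators by type (different shelf lives) and measure what a paid feed adds
beyond free sources before loading it into a SIEM."""
from datetime import datetime, timedelta, timezone

# Assumed shelf lives per indicator type. Hypothetical policy values chosen
# for illustration: an attacker's IP rotates quickly, a file hash does not.
SHELF_LIFE = {
    "ipv4": timedelta(days=7),
    "domain": timedelta(days=30),
    "sha256": timedelta(days=365),
}


def confidence(indicator, now):
    """Linear decay from 1.0 at the last sighting to 0.0 at the type's shelf life."""
    age = now - indicator["last_seen"]
    return max(0.0, 1.0 - age / SHELF_LIFE[indicator["type"]])


def load_feed(records, now):
    """Keep records that still carry confidence; key them by (type, value)."""
    return {(r["type"], r["value"]): r for r in records if confidence(r, now) > 0.0}


def feed_value(paid, free_feeds, now):
    """What does the paid feed add beyond the union of the free feeds?
    Stale records are discarded on both sides first, so a paid entry is
    counted as unique only if no free feed still carries it fresh."""
    paid_fresh = load_feed(paid, now)
    free_fresh = {}
    for feed in free_feeds:
        free_fresh.update(load_feed(feed, now))
    unique = sorted(set(paid_fresh) - set(free_fresh))
    return {
        "paid_fresh": len(paid_fresh),
        "paid_stale": len(paid) - len(paid_fresh),
        "overlap": len(set(paid_fresh) & set(free_fresh)),
        "unique": unique,
        "unique_ratio": len(unique) / len(paid_fresh) if paid_fresh else 0.0,
    }


# Constructed feeds and reference date. Values are illustrative, not real IOCs.
NOW = datetime(2016, 2, 1, tzinfo=timezone.utc)
_HASH = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"


def _seen(days_ago):
    return NOW - timedelta(days=days_ago)


PAID_FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "last_seen": _seen(10)},       # stale
    {"type": "ipv4", "value": "198.51.100.9", "last_seen": _seen(2)},       # fresh, also free
    {"type": "domain", "value": "c2.bad.example", "last_seen": _seen(5)},   # fresh, unique
    {"type": "sha256", "value": _HASH, "last_seen": _seen(200)},            # fresh, also free
    {"type": "domain", "value": "old.evil.example", "last_seen": _seen(45)},  # stale
]
FREE_FEED_A = [
    {"type": "ipv4", "value": "198.51.100.9", "last_seen": _seen(1)},
    {"type": "ipv4", "value": "203.0.113.7", "last_seen": _seen(9)},        # stale here too
]
FREE_FEED_B = [
    {"type": "sha256", "value": _HASH, "last_seen": _seen(100)},
]


if __name__ == "__main__":
    print(feed_value(PAID_FEED, [FREE_FEED_A, FREE_FEED_B], NOW))
```

Run against the constructed data, two of the five paid records have already aged out, two of the remaining three are also in the free feeds, and one domain is the paid feed's only fresh, unique contribution. The confidence value is what you would carry into the SIEM as an indicator field, so an alert on a week-old IP match can be weighted below an alert on a hash match of the same age.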


7Gbps: Average bandwidth used in DDoS attacks in 2014. Source: Verisign


Pescatore also recommends InfraGard, although he suggests becoming involved in an Information Sharing and Analysis Center (ISAC) related to your organization's industry. Members might well be able to suggest which CTI feeds are most helpful, and which are more likely to be less effective. This information, drawn from wide experience, is probably the best measure presently available of the merits and demerits of the wide range of CTI providers presently on the market.

Hay underscores that determining the effectiveness of CTI is far too complicated for a single organization to do on its own. "There's no good stick against which to measure the effectiveness of your threat intelligence," he says. "You can't just say, 'I didn't get breached after buying this.' Well, you weren't hit by a tornado either. Does it cover tornados as well as nation-state hackers?"

Meanwhile, as the Wild West mentality of the industry inevitably stabilizes, Hay suggests that those waiting to sign up for CTI might soon see a smaller and more stable array of providers from which to choose. "One thing I think we're going to see in 2016 and 2017 is probably a lot of consolidation of the threat intelligence vendors," Hay posits. "There are so many right now, and a lot of them are just two or three people who got together with a plan to reformulate a feed and sell it. They'll get acquired, where they're happy to have a job and to be working on their tool. I think there's going to be a lot of that this year and early next year, because I think we're at a critical mass."

His prediction seems to be coming true: The day after he talked to SC Magazine, news broke that well-known cybersecurity giant FireEye had paid out $200 million to shareholders to acquire CTI company iSight Partners in order to make that company's cyberthreat intelligence offerings, sourced from some 200 partners across 16 countries, a keystone to the rebuilding of its empire.

For more information about ebooks from SC Magazine, please contact Stephen Lawton, special projects editor, at stephen.lawton@haymarketmedia.com. If your company is interested in sponsoring an ebook, please contact David Steifman, VP, publisher, at 646-638-6008, or david.steifman@haymarketmedia.com.

15%: In 2015, only 15 percent of assessed organizations were meeting corporate cybersecurity goals. Source: Hewlett Packard Enterprise


Sponsors

LogRhythm empowers organizations around the globe to rapidly detect, respond to and neutralize damaging cyber threats. The company's award-winning platform unifies next-generation SIEM, log management, network and endpoint forensics, and advanced security analytics. In addition to protecting customers from the risks associated with cyber threats, LogRhythm provides innovative compliance automation and assurance, and enhanced IT intelligence. For more information, visit www.logrhythm.com

HPE's approach to enterprise security disrupts the lifecycle of an attack with prevention and real-time threat detection, from the application layer to the hardware and software interface. HP Enterprise Security enables organizations to take a comprehensive approach to security, delivering actionable security intelligence while providing insight into the future of security and the most critical threats facing organizations today. For more information, visit www.HPE.com

Recorded Future arms you with real-time threat intelligence so you can proactively defend against cyber attacks. With billions of indexed facts, and more added every day, our patented Web Intelligence Engine continuously analyzes the entire Web to give you unmatched insight into emerging threats. Recorded Future helps protect four of the top five companies in the world. For more information, visit www.recordedfuture.com

Masthead

EDITORIAL
VP, EDITORIAL Illena Armstrong
illena.armstrong@haymarketmedia.com
ASSOCIATE EDITOR Teri Robinson
teri.robinson@haymarketmedia.com
SPECIAL PROJECTS EDITOR Stephen Lawton
stephen.lawton@haymarketmedia.com
MANAGING EDITOR Greg Masters
greg.masters@haymarketmedia.com

DESIGN AND PRODUCTION


ART DIRECTOR Michael Strong
michael.strong@haymarketmedia.com
PRODUCTION MANAGER Brian Wask
brian.wask@haymarketmedia.com
SALES
VP, PUBLISHER David Steifman
(646) 638-6008 david.steifman@haymarketmedia.com
REGION SALES DIRECTOR Mike Shemesh
(646) 638-6016 mike.shemesh@haymarketmedia.com
WEST COAST SALES DIRECTOR Matthew Allington
(415) 346-6460 matthew.allington@haymarketmedia.com

