Interview of Mark Arena of Intel 471 on threat intelligence
Today I listened to an interview from August 2020 with Mark Arena, the CEO of Intel 471, as part of my research into how threat intelligence interacts with incident response and the use of Security Orchestration, Automation and Response (SOAR) solutions.
He explained that when he founded Intel 471 he wanted it to be a “really good collection capability focused on financially motivated cybercrime”.
Mark shared that in his mind a threat is a person: someone with a motivation and a goal, and with a way of working, their tactics, techniques and procedures (TTPs). He spoke of how many companies treat event-based activities (incident response, tracking compromised credentials, or brand monitoring on the dark web) as threat intelligence. He suggests you want your team to be proactive and intelligence-led, because that is what you are paying for; it is an expensive process. Threat intelligence should be about tracking people and their groups, prioritising them and then defining what is relevant: that is intelligence! That needs to be wrapped up into a report which is disseminated to the appropriate audience in a timely manner, is accurate and is actionable. It needs to reach the stakeholder in an organisation, within the relevant geographical location, who has the specific technological vulnerability, so that they can action the intelligence and potentially prevent an attack.
He explained that there is no reason to provide technical details or indicators of compromise for ransomware; it is information that does not really matter. Attacker techniques change so quickly that such indicators are unlikely to stop the business impact, so you are better off looking at the precursors to ransomware, such as infections delivered by email. Look for what causes the impact; think of the kill chain. If attackers are exploiting a vulnerability, and you see it being talked about in the criminal underground before it is used against you, you can research whether that vulnerability exists in your network and take action ahead of an attack.
Patching proactively in this way is the justification for decision-making threat intelligence: it helps direct your limited resources and lets you triage and prioritise your actions. He sees the future of threat intelligence as a service baked into all products, such as SOAR solutions, thereby automatically operationalising the intelligence.
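As an added illustration of the relevance filter described above (not code from the interview or from Intel 471), the following sketch matches tracked actors and the vulnerabilities they are discussing against an organisation's own sector, regions and unpatched assets, and ranks the patching work by how many actors are talking about each vulnerability. All actor names, regions, team names and CVE identifiers are constructed placeholders.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class IntelReport:
    actor: str               # the person or group being tracked
    ttps: list               # tactics, techniques and procedures observed
    cves_discussed: list     # vulnerabilities seen discussed in the underground
    target_regions: list     # geographies the actor is observed targeting
    target_sectors: list     # sectors the actor is observed targeting

@dataclass
class Asset:
    owner: str               # stakeholder who can action a finding
    region: str
    cves_present: set        # unpatched vulnerabilities known on this asset

@dataclass
class Org:
    sector: str
    assets: list

def actionable_findings(reports, org):
    """Return (owner, actor, cve, ttps) for intel that matches an asset we own."""
    findings = []
    for r in reports:
        if org.sector not in r.target_sectors:
            continue                       # actor not targeting our sector
        for a in org.assets:
            if a.region not in r.target_regions:
                continue                   # actor not targeting this region
            for cve in sorted(a.cves_present & set(r.cves_discussed)):
                findings.append((a.owner, r.actor, cve, tuple(r.ttps)))
    return findings

def patch_priority(findings):
    """Rank CVEs by the number of distinct actors discussing them (ties by id)."""
    actors = {}
    for _owner, actor, cve, _ttps in findings:
        actors.setdefault(cve, set()).add(actor)
    counts = Counter({cve: len(s) for cve, s in actors.items()})
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))

# Constructed sample data: placeholder actors, CVE ids and teams.
REPORTS = [
    IntelReport("actor-A", ["phishing email delivery", "ransomware"],
                ["CVE-0000-0001", "CVE-0000-0002"], ["UK", "US"], ["finance"]),
    IntelReport("actor-B", ["credential theft"], ["CVE-0000-0002"], ["UK"], ["finance", "retail"]),
    IntelReport("actor-C", ["web shell"], ["CVE-0000-0003"], ["UK"], ["healthcare"]),
]
ORG = Org("finance", [
    Asset("mail-team", "UK", {"CVE-0000-0001", "CVE-0000-0009"}),
    Asset("vpn-team", "UK", {"CVE-0000-0002"}),
    Asset("web-team", "UK", {"CVE-0000-0003"}),
])
```

Running `patch_priority(actionable_findings(REPORTS, ORG))` on the sample data puts CVE-0000-0002 first, because two tracked actors are discussing it, while actor-C's chatter is dropped as irrelevant to a finance organisation.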
An interesting listen!
Infosec Manager, UK at Egress, a KnowBe4 company
4 years
A very interesting listen... it’s nice to hear how Mark and his team have grown and still maintain that ‘team Intel 471’ ethos.
Entrepreneur and Owner of Perth Wildcats
4 years
Thanks Kevin, but I wouldn't believe a word that crazy Aussie says
Senior Manager - Head of i-4 Cyber Security Leaders Community at KPMG UK
4 years
That guy knows his stuff