Why Professional Services Are Integral Components of Threat Intelligence

Introduction

Most of us have used multiple social media platforms and smart devices. Creating a new account or setting up a device comes with basic, automated tips that teach you how to use the features and get the most out of the product. The security field isn't so different: applying basic learning techniques lets us understand how effective security solutions are and how best to use them to mitigate risk. So why is there such a lack of services to train security professionals, particularly in the field of Threat Intelligence?

Threat Intelligence, which seems to be a streamlined field today, lacks the regular, long-term expert training and specialized customization that are crucial to improving security vigilance, and that gap significantly limits how well the discipline is used.

Adaptability

Today, the primary consumers of Threat Intelligence technologies are the network security staff, the team that runs the Security Operations Center (SOC). The SOC team consumes a massive amount of security data and works across multiple digital environments. As such, the conventional wisdom on Threat Intelligence is to ingest feeds that enrich the security environment, not overburden it. SOC teams want to tackle a range of security challenges while expending as little energy as possible on in-depth use of the technologies. Many of them seek a plug-and-play scenario: a solution that is configured automatically to alert the security team when anomalies or suspicious activities are detected.

There's a market for that. Numerous Threat Intelligence vendors today build their entire business on monitoring the web for leakage of organizations' data assets. From impersonating or fake domains to compromised credentials, teams need alerts when their assets turn up, for example in underground cybercriminal communities. Digital Risk Protection (DRP) solutions are a terrific way to mitigate that risk, preserve critical data assets, and maintain ongoing brand monitoring and protection.

This is only one use case in which Threat Intelligence technologies save overhead and resources by tackling a severe risk without overwhelming the internal security team. What about the rest of the risk spectrum, such as insider threats, financial fraud, and ransomware, and the road to a more comprehensive, programmatic, and mature security architecture?

Budgets

Today, many security professionals view Threat Intelligence solutions from a budgetary standpoint: if the cost of an added security tool or training service fits within the annual budget, it is a go. There are multiple problems with this calculation, chief among them that consumers often purchase a solution without fully understanding their security challenges, simply because it fits the budget and checks a requirement box.

For instance, a SOC team may purchase a Threat Intelligence Platform (TIP) that enables it to de-duplicate, correlate, analyze, and enrich security data, a core technology to have indeed. However, the security team, burdened with multiple digital environments and lacking resources, must still respond manually to every security anomaly or threat. The team may eventually become highly skilled at analyzing threats and adversaries, but it will undoubtedly become overloaded by handling every ticket by hand. Burnout is high.

Therefore, a solution that can automate the response, such as a Security Orchestration, Automation and Response (SOAR) platform, becomes critical. Yet both a TIP and a SOAR need initial and continuous configuration; they require intensive training and weeks of practice before their use is streamlined. Without training, users are left to trial and error and, consequently, underuse the full capability of the technologies.
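To make the TIP and SOAR division of labour concrete, here is an added example (not code from the article or from any particular product) of what those two tools do on the inside: the TIP half normalizes "defanged" indicators from several feeds, de-duplicates them, and enriches each with the set of feeds that reported it; the SOAR half correlates the result against proxy logs and decides whether to block, open a ticket, or suppress. The feeds, log lines, allowlist, and the confidence scoring of 40 points per independent feed are all constructed for the example; the thresholds are exactly the kind of configuration the paragraph says nobody can skip.

```python
"""Minimal TIP-style indicator pipeline with a SOAR-style triage decision.

Added example, not from the article: feeds, log lines, allowlist and the
confidence scoring are constructed and hypothetical.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address

# Constructed sample feeds. Feeds commonly "defang" indicators so that they
# cannot be clicked or resolved by accident. Two feeds report the same domain
# in different forms, and feed-a also reports a benign CDN (a false positive).
FEEDS = {
    "feed-a": ["hxxp://evil-updates[.]example/payload.bin",
               "203[.]0[.]113[.]7", "cdn[.]example-static[.]net"],
    "feed-b": ["EVIL-UPDATES.example", "203.0.113.7", "198.51.100.23"],
    "feed-c": ["evil-updates[.]example", "bad-login[.]example"],
}

# Constructed internal allowlist; in practice maintained by the SOC.
ALLOWLIST = {"cdn.example-static.net"}

# Constructed proxy log lines: timestamp, source IP, destination host, status.
PROXY_LOGS = """\
2024-03-01T10:00:01Z 10.0.0.5 evil-updates.example 200
2024-03-01T10:00:02Z 10.0.0.9 updates.vendor.example 200
2024-03-01T10:00:03Z 10.0.0.5 203.0.113.7 443
2024-03-01T10:00:04Z 10.0.0.12 cdn.example-static.net 200
2024-03-01T10:00:05Z 10.0.0.7 bad-login.example 302
"""


def refang(raw: str) -> str:
    """Undo common defanging and reduce a URL/host to a bare lowercase host or IP."""
    s = raw.strip().lower()
    s = s.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^(hxxps?|https?)://", "", s)
    return s.split("/")[0]


def indicator_type(value: str) -> str:
    """Classify a normalized indicator as 'ip' or 'domain'."""
    try:
        ip_address(value)
        return "ip"
    except ValueError:
        return "domain"


@dataclass
class Indicator:
    value: str
    kind: str
    sources: set = field(default_factory=set)

    @property
    def confidence(self) -> int:
        # Hypothetical scoring: each independent feed adds 40, capped at 100.
        return min(100, 40 * len(self.sources))


def dedupe(feeds: dict) -> dict:
    """TIP step: normalize and merge indicators across feeds, keyed by refanged value."""
    merged = {}
    for source, raws in feeds.items():
        for raw in raws:
            v = refang(raw)
            ind = merged.setdefault(v, Indicator(v, indicator_type(v)))
            ind.sources.add(source)  # enrichment: which feeds vouch for it
    return merged


def correlate(indicators: dict, logs: str) -> dict:
    """Return {indicator value: [matching log lines]} for indicators seen in the logs."""
    hits = defaultdict(list)
    for line in logs.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip rather than crash the pipeline
        dest = parts[2].lower()
        if dest in indicators:
            hits[dest].append(line)
    return dict(hits)


def triage(indicators: dict, hits: dict, allowlist=ALLOWLIST, auto_block_at: int = 80) -> dict:
    """SOAR-style decision per hit: 'block', 'ticket' or 'suppress'."""
    decisions = {}
    for value in hits:
        ind = indicators[value]
        if value in allowlist:
            decisions[value] = "suppress"   # known good: do not page anyone
        elif ind.confidence >= auto_block_at:
            decisions[value] = "block"      # several independent feeds agree
        else:
            decisions[value] = "ticket"     # single source: an analyst decides
    return decisions


if __name__ == "__main__":
    inds = dedupe(FEEDS)
    for value, decision in triage(inds, correlate(inds, PROXY_LOGS)).items():
        print(f"{decision:8s} {value} (confidence {inds[value].confidence})")
```

The point of the allowlist and the threshold is that the automation only removes the tickets an analyst would have closed anyway; a single-source hit still lands in front of a person, which is where the training the article argues for comes in.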

Training and Capacity Building

Nonetheless, neither technology teaches, for example, Threat Hunting: the practice of proactively searching an organization's network and telemetry for threats that existing defenses have not detected. The answer lies in training. In-depth Threat Hunting workshops, as one example, are crucial for security teams; they provide the know-how to use domain tools, understand social media sites, launch honeypots, collect and index raw and binary data, and apply a range of other vital tactics. Once security teams understand and can apply these tactics, they quickly become far more effective at addressing security threats.

For investigative organizations, such as law enforcement agencies, specialized Threat Intelligence training goes beyond understanding malware and anomalous behavior. For example, forensic examination of mobile devices and computers is critical in criminal investigations. Therefore, specialized hands-on training is paramount in uncovering intelligence that can help shape criminal cases.


Additionally, uncovering intelligence that enriches a case's body of evidence, such as information observed in underground criminal communities (including the Dark Web, closed encrypted chat channels, and data dump sites), requires in-depth training on ways to navigate this environment securely, such as:

·     OPSEC procedures,

·     Specialized software,

·     Cryptocurrency wallet setup,

·     Entry to online criminal communities where previously unknown threats are lurking,

·     HUMINT persona development to extract intelligence from these communities.

Off-the-shelf technology solutions may provide partial, sanitized access to the raw data or chatter, but governmental investigative units typically work in absolute confidentiality, and their cases run for months on end. They build a specialized, in-house intelligence collection and analysis team armed with the know-how to investigate underground criminal communities; these skills are paramount to effective criminal investigations.

Streamlining Professional Services

Professional services, including training, capability building, and investigative services, are not typical security solutions. In today's market, the provision of these services relies heavily on organizations actively pursuing improvements to their security architecture. Many view these services as per-need or on-demand elements of the overall security process.

Two interconnected factors drive this view:

1.    Organizations believe that consulting and training are only necessary when an incident occurs or when there’s a need for a quick turnaround fix to a security issue; and

2.    We see them as short-term additions to the security structure without a comprehensive understanding of their long-term criticality.

This line of thought is flawed for a multitude of reasons; to summarize, I choose three:

1)   Security is not an event; it is a process. More security incidents take place every day, and their success proves that no matter how many security technologies you have in place, the human element remains both the strongest and the weakest link. The more you invest in elevating the know-how and expertise of security practitioners, the more likely they are to succeed in mitigating security risk. The better trained the operator is in the collective security architecture, the better they are at using the security technologies, and vice versa.


2)   Professional services are not platforms and technologies; they are expertise. Knowledge transfer is a vital part of the security learning curve, and most certainly of the intelligence tradecraft. Interns gain practical expertise when they spend a semester getting hands-on experience. So do junior analysts. Security practitioners gain expertise through practical, peer-reviewed work and by solving security challenges; they are walking, talking manuals. Gaining knowledge from those who have practiced in the field is critical to advancing in the security arena. While standardized certificates are essential, they only cover the basics. Customized threat intelligence courses and direct interaction with experts add significant value and shorten the learning curve of security professionals.

3)   Expert trainers need not tether themselves to bureaucratic structures or hierarchical methods. They teach intelligence tradecraft, get deeper into the weeds, blend theory with execution, conduct practical investigations of threat actors, and draw on a firsthand understanding of adversarial tactics and methodologies. Many of the successful threat intelligence specialists out there are not mere observers; they have:

a.    Spent years reverse-engineering malware traded in closed criminal communities,

b.    Rubbed cyber shoulders with hackers and hacktivists,

c.    Engaged financially-motivated threat actors, violent extremists, and online black market vendors,

d.    Gained invaluable knowledge of how these communities operate,

e.    Gained in-depth and priceless experience in both theory and practice.

This is not something you can learn from packaged and standardized classes, let alone from technology solutions.

Security vs. Intelligence and the Intelligence Cycle

Security and intelligence specialists, with thousands of training hours under their belts, distinguish between security needs and intelligence requirements. The former is about reducing the attack surface and implementing preventive measures, which in the cyber world means fully baked endpoint solutions, firewalls, vulnerability scanners, and the like.


The latter, intelligence, focuses on proactively understanding the overall risk scenarios: knowledge of adversarial tactics, techniques and procedures; awareness of risk vectors outside the organization's perimeter; understanding of exposure risk and insider threat; and the risks handled by other teams in the organization, including crisis management, strategy, fraud, corporate security, supply chain, and VIP protection.

In essence, a programmatic Threat Intelligence operation unifies an organization's multiple risk assessment teams. Applying this way of thinking to the SOC team becomes more critical by the day. Intelligence tradecraft is crucial for any security professional; it provides the critical thinking and the ability to conduct robust assessments that technology solutions do not teach.

The intelligence cycle looks like this, and it is what intelligence specialists apply when building a mature security program. It is an umbrella concept and practice for Threat Intelligence, reaching well beyond the conventional focus on raw indicators and binary data.

1) Planning and Direction: Build a strategy based on intelligence requirements. What is the organization trying to achieve?

2) Intelligence Collection: Plan for and collect historical and emerging, signal-rich data to form a complete picture of threats and build ongoing awareness. What is the threat landscape? What capabilities do our adversaries have?

3) Intelligence Processing: Understand the data and its applicability, removing false positives and white noise. What is the difference between data and intelligence?

4) Intelligence Analysis and Production: Understand what the data means for your systems, contextualize it, and begin producing intelligence relevant to the organization. What does this intelligence mean for my organization, my industry, and my geography?

5) Intelligence Dissemination and Integration: Send the relevant intelligence to integrated devices, teams, management, and decision-makers. What does this mean for the organization's ROI, and how can it better inform the next intelligence cycle?

In sum, organizations need to reconsider their approach to Threat Intelligence. No doubt they need technology solutions to address specific challenges. Nonetheless, including professional services and contracting experts to help build a robust security architecture and intelligence program is a crucial element, possibly the main factor, in achieving an optimal security posture. Gone are the days when reliance on technology provided peace of mind. We are in a race with adversaries, and they continue to achieve their goals at our expense. Building a well-defined, all-inclusive cyber threat intelligence program drives organizational maturity and moves your team toward forward-looking estimates that support prevention.



Steph S.

Cybercrime, Geopolitical Intelligence Analyst

4 years

Spot on, and articulate as always my friend! Well done!


More articles by Laith Alkhouri
