
Content provided by Nisos, Inc. All podcast content, including episodes, graphics, and podcast descriptions, is uploaded and provided directly by Nisos, Inc. or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here: https://nl.player.fm/legal.

Using Intelligence Analysis in InfoSec: Think Globally and Act Locally

31:23

Topic: Using Intelligence Analysis in InfoSec: Think Globally and Act Locally

In episode 48 of The Cyber5, we are joined by Rick Doten. Rick is VP of Information Security at Centene Corporation and consults as CISO for Carolina Complete Health. We discuss shifting the operating model of threat hunting and intelligence to a more collaborative one: "think globally and act locally." We then dive deep into intelligence analysis for collecting and analyzing the vast array of network data in order to prioritize network protection. Finally, Rick argues that outsourcing the intelligence function is a viable model.

5 Topics Covered in this Episode:

1. Security Operations Integrating with Cloud, Applications, and Mobile (01:00 - 06:00)

Security operations must integrate with key elements of the business such as the cloud, application, and mobile teams. The risks to a container are very different from those to a server, which forces security operations to integrate with many teams, especially in large enterprises. That integration guides how we protect proactively with alerting and reactively with incident response.

2. Using Intelligence Analysis with Information Security Data Collection (06:00 - 08:52)

Intelligence includes tracking specific campaigns of threat actors, their intentions, and their capabilities. In information security, intelligence analysis means linking the human to the malicious act. For example, if a criminal threat actor uses email phishing and credential harvesting, the data collection model and instrumentation will differ from those needed for actors who use exposed RDP or exploit supply chain risks. They will differ again for a nation-state actor known to go "low and slow" and persist in 10 different places in a network.

3. Value of Attribution and Communicating to the Board of Directors (08:52 - 13:26)

The mindset of protecting the confidentiality, integrity, and availability of information without attributing the threat actors or building appropriate threat models is becoming antiquated. Understanding the human who perpetrated the act is critical: their job is to break into a network and collect and/or monetize. Attribution used to be easier in the defense industrial base because cleared environments exist there for information sharing; it is now becoming more efficient elsewhere through Information Sharing and Analysis Centers (ISACs). Boards of Directors understand competitors stealing intellectual property, so framing cyber threats in the same vein is the most productive way to get them to understand the importance of nation-state espionage or cyber criminals.

4. The Right Way to Do Threat Intelligence: Think Globally, Act Locally (13:26 - 24:00)

The most important threat intelligence is internal network telemetry. The wrong mentality is to buy threat intelligence feeds and load their indicators of compromise (IOCs) into a security tool such as a SIEM. This creates a tremendous workload with little result, because capable actors change their signatures constantly. Instead, it is important to get timely, actionable, and relevant finished intelligence on actors and their campaigns, not raw data or information. Finished intelligence might mean reviewing the technical methodologies of Russian GRU (or REvil ransomware) actors and identifying behaviors that can be detected internally on the network. At the highest level, attack campaigns are assignments of individuals to attack one particular company and steal or monetize something very specific. With this intelligence in hand, a security team can "dogpile" with the different entities of the business (SOC, applications, IT, development, mobile, etc.) to hunt and defend: "think globally, act locally." Threat intelligence can certainly be outsourced, especially for companies that are not in an industry with an ISAC.

5. The Hardest Part of Intelligence Analysis: Determining Targeted Attack Versus Commodity (24:00 - 31:00)

The hardest part of intelligence is quickly identifying whether an attack is targeted or commodity. An actor who persists on Active Directory and the domain controllers is very different from one who wants to exploit a bug in a cloud or mobile application. The ability to detect these differences quickly, with minimal visibility gaps in internal network telemetry, is what separates mature security teams from less mature ones.
