The importance of context, actionable intelligence and definitive answers in security management.
The emergence of a dynamic threatscape has resulted in the growth of an ecosystem of cybersecurity players. Each of these defenders has unique capabilities, which demands a shift in the tactical approach to disrupt any given threat campaign more effectively than before.
This is a positive development but necessitates a fundamental change in the way organisations consider the management of the too often static security controls used to fight a dynamic threatscape. Equally important is how we respond and manage the myriad of alerts bombarding the SOC (Security Operations Center) on a daily basis.
Taming alert fatigue with Context
Considering the breadth of issues facing security organisations today, the need for context has never been more important. The ability to quantify the probability of an attack could potentially be less subjective if the context of a given campaign could be incorporated. Over-reliance on indicators such as CVSS scores, for example, could be supplemented with labels that provide considerably more helpful information. For instance, the targeting of a threat campaign against a specific geography or sector could influence the prioritisation of implementing emergency security patches or the application of compensating controls.
This means that organisations can prioritise the fascination with TTPs and IoCs based on long and distant geopolitical conflicts accordingly. This introduces objectivity into risk and threat modelling, shifting the focus from what might happen to what is actually happening. As we consider the adoption of strategies in dealing with rapidly evolving political and economic changes, there is finally an opportunity to implement an approach that is based on facts.
Threat fact vs. Threat theory
We have often cited the asymmetry of information as the biggest advantage that threat actors have over the cybersecurity sector. The ability to track the prevalence of specific threat campaigns and add critical context to known-exploited lists begins to shift the balance in favour of threat analysts and overworked security teams.
Such data allows for the prioritisation of actively exploited vulnerabilities, for example. The ability to direct threat hunting activities based on this intelligence increases the likelihood of disrupting the kill chain considerably earlier than the final stage.
This is a key point as we often theorise about the best approach to prepare for more volatile cyberattacks, or how to consider the operational elements required to protect an organisation in the face of such an unpredictable landscape.
The ability to make better-informed decisions lies at the heart of such an approach. Beyond the decisions, however, the accessibility of actionable intelligence to support activities such as threat hunting becomes the sharp tip of the spear.
Actionable intelligence takes centre stage
The term 'actionable intelligence' is one that has yet to be integrated into formal processes, and yet it has never been so important. Typically, the feeds that comprise traditional threat intelligence merely add to the noise of ever-increasing alerts and concerns for security departments. They also contribute to the briefings that security executives are tasked with disseminating to senior leadership, often adding to the list of what-if scenarios without providing any quantifiable data regarding the probability of being targeted by such threats.
The role of actionable intelligence should incorporate context, with objective data points that detail the probability based on the prevalence of a given campaign likely to target a specific geography or sector. When combined with hunting rules based on the TTPs of a specific threat actor, this fundamentally changes the narrative.
The benefits of such an emerging approach become obvious, from the prioritisation of resources to address the most likely risks for the organisation (based on prevalence tracking and exploitation in the wild), to hunting within the environment using the TTPs employed in that campaign, and ultimately to quantifying the potential security risk and RoI for the investments already made.
This does demand a shift from the fire hose of IoCs taken from automated feeds to a more curated approach of collecting indicators, considering the potential lethality of each indicator. While hunting for dual-use tools often leveraged by both defenders and attackers is necessary, it often results in numerous false positives that detract from prioritising indicators that can and often are part of the final stage.
Making 'maybe' a thing of the past
In one of my previous roles as a CISO, I frequently encountered vague responses to security and risk-related questions. It was difficult at best to give a confident ‘yes, we’re secure’ or ‘no, we’re not vulnerable.’
Most often, the answer ended up being ‘maybe.’ Such ambiguous answers were poorly received, but those of us tasked with defending a corporate network understand all too well that, in the absence of time and complete information, these uncertain responses are often the reality. However, by shifting to a strategy that incorporates context and objectivity into the opaque world of managing threats, we can finally provide definitive answers to straight questions. Furthermore, as we have witnessed over the past few years, the time from vulnerability discovery to exploitation has been decreasing. This emphasises the critical need to adapt to a more intelligence-led approach.
Written by
Raj Samani
SVP Chief Scientist
Rapid7
Raj Samani is a computer security expert responsible for extending the scope and reach of Rapid7’s research initiatives. Raj joins Rapid7 from McAfee where he served as McAfee Fellow and Chief Scientist after serving as VP and Chief Technical Officer in EMEA. Raj has assisted multiple law enforcement agencies in cybercrime cases, and is special advisor to the European Cybercrime Centre (EC3) in The Hague.