
Improve your threat intelligence strategy with these ideas

You do want to improve your threat intelligence strategy, right?

I mean, who wouldn’t?

Isn’t it every CISO’s wildest dream to run a ship so tight that not a single exploit, APT, or hacktivist threat could ever hope to make it through?

Well … yes, it probably is. But it shouldn’t be.

The problem is that as someone gets closer and closer to the idea of optimising their threat intelligence strategy, they lose sight of the big picture.

The collection, dissemination, and use of threat intelligence has only one real purpose:

To reduce operational risk in order to maintain or improve profitability

Of course, that’s no easy feat.

Breaches are increasingly common, and with the troubling new trend toward data destruction the risk of long-term damage has never been higher.

So what’s my point?

Simply this. Threat intelligence is a massive subject, and it’s natural to want to produce the most comprehensive range of intelligence possible … but that’s not always useful — in fact it’s usually not.

By concentrating intelligence efforts on highly specific business objectives (e.g. to maintain or improve profitability), this broad subject can be narrowed down to the point where a small amount of highly valuable intelligence is produced.

With this principle firmly in mind, let’s look at some ways to enhance your threat intelligence strategy.

Go beyond passive intelligence gathering

Broadly speaking there are three primary means of gathering cyber threat intelligence:

  • Signals intelligence (SIGINT) results from intercepting and analyzing signals, usually those used for communications. This includes monitoring of all signals incoming to your networks.
  • Open source intelligence (OSINT) comes from publicly available information. Technically this includes all sorts of books, publications, radio, television, and so on … but for our purposes it’s intelligence sourced from the Internet, whether through search engines or focused “crawling” technology.
  • Human intelligence (HUMINT) is a little different. Where SIGINT and OSINT are primarily passive forms of intelligence collection, often taking the form of automated software, HUMINT is largely active. It could, for example, include human sources within threat actor communities.

So which is best?

Well, threat intelligence is useful because it enables us to take a proactive approach to security, so essentially this comes down to a breadth versus depth argument.

Passive threat intelligence gathering will turn up huge amounts of intelligence, which will inform the bulk of counter-measures … but active intelligence can shed light on specific threats that might otherwise cause massive damage.

Unsurprisingly, the ideal solution would be to utilise both.

There’s just one problem. Whilst nation states continue to invest heavily in HUMINT, most organizations simply don’t have the resources to do so.

It’s tempting, then, to rely solely on OSINT. It’s freely available in huge quantities, it yields some excellent results, and there are a plethora of excellent platforms available to exploit it.

But that would be a mistake.

Firstly, by investing time and resources in the analysis of your own incoming traffic (SIGINT) you’ll spot anomalies that relate specifically to you. Clearly, this is invaluable in the ongoing fight to maintain or enhance profitability.

Secondly, HUMINT data is not as elusive as it might seem. In fact, human “tip” data is evident throughout the Internet, it’s just difficult to aggregate and correlate it all into a useful format. This is where threat intelligence platforms really shine.

Strictly speaking this is a crossover between OSINT and HUMINT, but let’s not split hairs.

By investing in a quality threat intelligence product, you can gain access to a broad array of usable HUMINT sources without investing huge amounts in active intelligence gathering.

Isn’t it a beautiful time to be alive?

To build or not to build? Bite the bullet and choose

The thing about threat intelligence is that you never seem to have enough.

Most companies start out small. Maybe a few of the “tech guys” start regularly checking security blogs, forums, and exploit databases looking for clues to help them secure the organization’s networks.

And of course, the more they look, the more they find.

After a while the job gets too big, and something has to be done. With a bit of time and effort a basic threat intelligence program is built … and for a while all is well.

A few months pass. Inevitably, the platform’s shortcomings are exposed, and further development is required.

You can see where this is going, can’t you?

Eventually a point is reached where further development is simply not feasible. Either the platform needs to be rebuilt from the ground up, or it needs to be replaced with a vendor-built alternative.

Yup, that age old question: Build or buy?

There are so many variables to address and questions to ask in order to make this decision, so I’m afraid I can’t tell you what to do.

Will the platform need to scale? Do you have the skills and manpower to build your own? Can you do it better than anyone else?

These are questions you’d ask of any IT project. There are, however, two questions that I believe must be asked when it comes to your threat intelligence platform:

  • Is your organisation so different that existing vendor-built platforms won’t suffice?
  • Will a homegrown platform survive the constantly evolving threat landscape?

If you’re in a position to build and maintain a comprehensive threat intelligence platform, which will continue to function for 3-5 years, it may be worth your while to do so.

Equally, if your organisation is radically outside the norm, and vendor-built platforms won’t do the job, you may be forced to build your own.

If, however, you don’t fall into these categories, vendor-built platforms have many advantages.

The threat landscape is progressing at a tremendous rate, and vendors focused specifically in this area are constantly developing and refining their platforms.

So while it might be a greater investment than you were hoping to make, trusting the specialists could well be a decision you look back on fondly.

Get some context

I know, I know. It’s tempting to focus exclusively on the latest threats, and pore over the last week’s incoming signals data trying to identify nefarious (micro) trends.

But if you get lost in the minutiae you risk falling prey to other, more enduring threats.

Let’s not forget, most breaches aren’t the result of cutting-edge malware or state-sponsored cyber espionage. Most breaches result from completely mundane events, such as lost passwords, careless online activity, and petty theft.

So shouldn’t we instead focus on larger time periods? Can we successfully defend ourselves simply by identifying macro threat trends and preparing for them?

Here’s the problem. Unlike most forms of analytics, threat intelligence must identify both macro and micro threat trends in order to be useful, because a single breach can cause massive long-term damage to even the largest organizations.

Take 2014, for example.

Anyone paying attention to the threat landscape around that time would have noticed a sudden and marked increase in destructive cyber attacks against high-profile organizations. Taking a purely macro approach to threat trend analysis at that time would have placed an organisation in great short-term danger of suffering a breach they weren’t prepared to deal with.

But fast-forward to 2016. Destructive cyber attacks are still a serious threat, and would clearly fall under the umbrella of macro trends.

We’re also seeing a big move towards increasingly sophisticated phishing and spear phishing attacks, and away from payload-based malware attacks. Knowing this, we’re much better able to allocate our resources in line with business objectives.

So what does all this tell us?

Basically, your threat intelligence must cover both macro and micro time periods in order to minimise the risk of suffering a serious breach.

But there’s a silver lining.

By understanding macro threat trends, it’s much easier to spot (and respond to) anomalous threats within a smaller time period. In other words, macro threat trend analysis provides the context for micro threat trend analysis.

Or, as Levi Gundert puts it in his white paper “Aim Small, Miss Small”:

In addition to addressing defensive control improvements, analysts should be using collective data points to prognosticate on perceived future threats.

If the majority of threat actors are doing one thing, but you start to see something wildly different in your incoming signals data, you might want to sit up and take notice.
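As an added illustration of the macro-as-context point (not code from the original article), the following Python builds a 90-day baseline of event categories from a constructed, deterministic feed and flags categories whose share of the last seven days departs sharply from that baseline; the categories, counts, dates and thresholds are all assumptions.

```python
"""Macro threat trends as context for micro anomalies (constructed example)."""
from collections import Counter
from datetime import date, timedelta

TODAY = date(2016, 2, 2)   # arbitrary anchor date for the constructed feed
HISTORY_DAYS = 90


def build_events(today=TODAY, history_days=HISTORY_DAYS):
    """Constructed, deterministic event list of (day, category) tuples.

    Steady baseline: 6 phishing, 3 credential-stuffing and 1 malware event per day.
    In the final 7 days a burst appears: 4 wiper and 5 extra malware events per day.
    """
    events = []
    for offset in range(history_days, 0, -1):
        day = today - timedelta(days=offset)
        events += [(day, "phishing")] * 6
        events += [(day, "credential_stuffing")] * 3
        events += [(day, "malware")] * 1
        if offset <= 7:                      # the micro-window burst
            events += [(day, "wiper")] * 4
            events += [(day, "malware")] * 5
    return events


def category_shares(events, start, end):
    """Count events with start <= day < end and return (counts, shares)."""
    counts = Counter(cat for day, cat in events if start <= day < end)
    total = sum(counts.values())
    shares = {cat: n / total for cat, n in counts.items()} if total else {}
    return counts, shares


def micro_anomalies(events, today=TODAY, macro_days=HISTORY_DAYS, micro_days=7,
                    min_ratio=3.0, min_count=5):
    """Flag categories whose micro-window share is >= min_ratio x their macro share.

    The macro window excludes the micro window so a burst cannot pollute its own
    baseline. Categories unseen in the macro window get an infinite ratio but must
    still clear min_count, so a single novel event does not become an alert.
    """
    micro_start = today - timedelta(days=micro_days)
    macro_start = today - timedelta(days=macro_days)
    _, macro_shares = category_shares(events, macro_start, micro_start)
    micro_counts, micro_shares = category_shares(events, micro_start, today)
    flagged = []
    for cat, share in micro_shares.items():
        if micro_counts[cat] < min_count:
            continue
        base = macro_shares.get(cat, 0.0)
        ratio = share / base if base else float("inf")
        if ratio >= min_ratio:
            flagged.append({"category": cat, "micro_count": micro_counts[cat],
                            "micro_share": round(share, 3),
                            "macro_share": round(base, 3), "ratio": ratio})
    flagged.sort(key=lambda f: f["ratio"], reverse=True)
    return flagged


if __name__ == "__main__":
    for f in micro_anomalies(build_events()):
        print(f"{f['category']:<20} micro={f['micro_count']:>3} "
              f"micro_share={f['micro_share']:.3f} macro_share={f['macro_share']:.3f}")
```

Phishing is still the largest category in the recent week, but it is not flagged because its share matches the baseline; the wiper burst (absent from the baseline) and the malware jump (share roughly three times its baseline) are.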

It’s not what you know … it’s what you do with it

Remember the golden rule?

Your threat intelligence strategy must help the organization stay profitable.

It’s a sad fact, but one of the most common issues with threat intelligence is not the collection or processing of intelligence. It’s the communication of intelligence between different areas of the organization.

Red teams, security operations centers (SOCs), incident response (IR), vulnerability management … these are all areas that can benefit dramatically from high-quality threat intelligence.

Not only that, if they’re involved early enough they can inform on which specific aspects of threat intelligence will help them to do their jobs, which in turn helps the organization stay profitable.

This may seem like stating the blindingly obvious, but I can’t stress the importance of this point enough.

If the only thing you do after reading this article is investigate the way intelligence is disseminated within your organization, it will have been worth your time.

I can almost guarantee you’ll find someone who isn’t receiving the intelligence they need … and they might not even be aware of it.

Breach the knowledge gap

When it comes to threat intelligence there is a wide (and widely publicised) knowledge gap, and it’s roughly the size and shape of the average C-suite.

This needs to change.

But before you start bemoaning the state of C-suite cyber knowledge, I’m afraid I have some bad news. The knowledge gap isn’t necessarily the fault of C-suite members … it’s the fault of cyber specialists who lack the ability to translate these very real cyber threats into language that leaders can understand and act upon.

Thankfully, rectifying this is simple, so long as C-suite members are willing to listen.

Engage with them. Ask them what they need, and how they need it. These are exceptionally busy people, and they need pertinent, useful information in a format they can digest and understand easily.

More importantly, they need information they can act upon, take to the shareholders, or use to allocate budgets.

Stop complaining that you’re not getting the support you need from above, and start proactively helping them understand what they can do to help.

Cultural change can be difficult, but it’s in everybody’s best interests.

Just keep asking yourself one question

When it comes down to it, threat intelligence is as complicated as you want it to be. There’s always something else to test, more logs to check, and new research to pore over.

But while you’re doing that, I hope you’ll keep asking yourself the same question: Will this help the organisation stay profitable?

And any time the answer is no, I hope you’ll put it down and move on.

After all, there’s plenty more where that came from.


This article was written by RFSID on February 2, 2016 and was recently republished by Recorded Future.


About Recorded Future
Recorded Future delivers threat intelligence powered by patented machine learning to significantly lower risk. The company’s technology automatically collects and analyses intelligence from technical, open, and Dark Web sources. Twitter at @RecordedFuture.


VigilAir drones: first-response security guards of the future

Kiwi-owned and operated VigilAir has launched its semi-autonomous aerial surveillance drone technology onto the global market.

The VigilAir software product will undoubtedly disrupt the security industry and is a product that has the potential to change the face of security worldwide.

International patents are well underway for the software that can dispatch camera-equipped drones to investigate any external security event.

The VigilAir solution will be provided as a full-service solution, with drone enclosure, installation and full ongoing support provided.

“Simply put, our software will enable drones to be the first-response security guards of the future,” says director of VigilAir, Mike Marr.

New Zealand has been at the forefront of drone/UAV (Unmanned Aerial Vehicle) regulation and VigilAir continues to work closely with the Civil Aviation Authority (CAA) to develop the equipment, systems, and processes to provide a safe and effective service.

The product and service operate under a current CAA certification, with work underway to rapidly expand the operating parameters.

The company spent years pioneering the use of drones with new technology for security purposes, including self-funding its own research and development.

VigilAir is a SaaS product that integrates drones into existing electronic security systems.

It’s suited to large outdoor sites such as retail and industrial parks, hospitals, university campuses, schools, ports, prisons, and town centres which are at risk of burglary, vandalism or security breaches. A security drone will also act as an effective deterrent.

When not flying, the drone sits in an enclosure – dubbed a nest – located on a business site. When alerted by an alarm sensor trigger, it will be dispatched to fly over the site to investigate, record and live-stream high definition video footage to whoever’s monitoring the action.

The drone may include a thermal or infra-red camera, and bright LED floodlights to illuminate any intruder and record the scene. The hovering drone may sound a siren or even talk to the intruder using a two-way communications system.

Before leaving the nest, the VigilAir SaaS system checks the weather data, then the drone flies a pre-determined flight route that’s geo-fenced to preserve neighbours’ privacy and comply with flight regulations.

A future release will allow the drone to be further manoeuvred to follow any fleeing suspects, capturing images of them and their vehicle license plate number. It then returns to its nest to recharge.

“After considerable R&D, innovation and years of trials, not to mention processing technology and software patents, to now be able to unleash the product onto the international market is really exciting.

“VigilAir’s system is all about delivering faster, safer, and more cost-effective security for organisations or businesses with large sites and security installations,” says Mr Marr.

He says to be able to fly a rapid response drone literally directly into a crime, and to record and transmit all that’s happening, has huge advantages over a traditional on-the-ground security response.

“And we’ve designed it to be user-friendly. Security guards, whether on site or operating remotely, will be able to use the system and it’s one that can already ‘talk’ to 99 percent of all existing electronic security systems.

“As you can imagine this is all a lot safer than dispatching a guard on foot to check out a security problem.

“Drones will help catch perpetrators as everything’s recorded which is gold for any eventual prosecutions. And importantly, the ongoing cost will be lighter on operational budgets,” Mr Marr says.

VigilAir has the potential to make NZ$400 million in its first year largely because the fully integrated semi-autonomous system is a world-leader.

“Its ease of operation and effectiveness has wide appeal for any organisation needing to protect its assets or people,” he says.

VigilAir is completing reseller agreements with two major international corporations, providing a channel for product export and on-going support.

“We’re very confident in its success. We’ve done exhaustive searches and cannot find anything to compare with VigilAir’s system worldwide. It’s truly a global first with unlimited potential.”

Mr Marr believes harnessing drone technology for security purposes was “somewhat inevitable” for a company that has been at the forefront of CCTV and wireless security technology in New Zealand.

VigilAir’s interest in drones doesn’t stop at security.

“While their use for aerial photography is well established, considerable potential remains in core sectors like agriculture, construction and forestry.

“Our drones have assisted the police in search and rescue operations in hard-to-reach terrain like cliffs and crevasses. And we’ve done all sorts of work from inspecting the Auckland Harbour Bridge to looking for leaks on the roofs of central city buildings.”

As well as inspecting infrastructure and assets, smart drone technology is used for infrared imagery to track heat loss and to create 3D models that are dimensionally correct to a few centimetres.

VigilAir was invented and developed by ASG Technologies – a technology incubator established three years ago by TPT Group.

Mr Marr is the founder of TPT Group and remains its chief executive. He is also directly heading VigilAir which was founded last year to commercialise ASG’s drone control software.

“Our experienced VigilAir team, led by Andy Grant, an ex-Warfare Officer from the Navy, includes software and mechatronic engineers and a commercial pilot,” says Mr Marr.

“The team remains focused on the ongoing development of the VigilAir capability and delivering world-leading future-focused security technology.

“To now launch a semi-autonomous ‘eye in the sky’ solution, incorporating an on-site drone with cloud-based SaaS software, is a long way from how we initially viewed drones – as flying CCTV cameras to support the fixed ones.”

Ongoing security technology innovation will help with many governments’ aspirations to develop safer cities in a continually urbanising world.

And for the future: TPT is advancing robotic technology with the intent of one day launching fully autonomous ‘foot patrol’ robots to work in conjunction with its security drones.


About TPT Group

More than 150 people are employed at TPT Group, which has a stable of security businesses including VigilAir Ltd, ASG Technologies Ltd, Advanced Security Group, TPT Finance (NZ) Ltd, Promessa Property Group Ltd, ASGSPL Ltd, Asset Insight Ltd, and TPT Group Investments Ltd.


Seven out of 10 customers use Dark Web sourced threat intelligence

Recorded Future is a leading threat intelligence provider which numbers 86 percent of Fortune 100 companies among its clients.

The company announced recently that 70 percent of its customers have adopted Dark Web sourced intelligence to gain insight into their own risks from the adversary’s perspective.

They also use it to identify compromised assets, such as credentials and intellectual property.

These Dark Web sources include underground forums where threat actors discuss intrusion methods, malware, and fraud schemes outside the scope of open web search engines and marketplaces for illicit goods and stolen data.

In addition to capturing the latest dark web posts and listings in real time, Recorded Future constantly integrates this content into its massive historical archive.

This process connects “hacker chatter” into the larger context, such as pastes that appear on the web for just seconds, technical details of exploitable vulnerabilities, and security research published on the “surface” web.

Using machine learning and natural language processing, Recorded Future automatically analyses these sources to identify trends, highlight emerging threats, and score the risk of millions of vulnerabilities, domains, addresses, and executable files.

By leveraging Recorded Future’s Dark Web monitoring capabilities, customers receive:

  • Hundreds of thousands of detailed threat actor profiles including behavior patterns, indicators, motivations, and targets.
  • Alerts for compromised credentials and stolen data exposed in the dark web.
  • Trending threat data based on machine-learning analysis conducted at a scale beyond what human analysts can do.

“Recorded Future’s threat intelligence from the Dark Web provides unique insights we utilise to help protect our clients every day,” says Bruce Biesecker, Global Director, Security Operations, Security Engineering, Client Care, and Identity Management at Verizon.

“Their distinctive approach to structuring the data and using it to enhance other open and technical-sourced intelligence makes the data more critical to more companies than other offerings in the market.

“We continue to see increasing significance as the capabilities and breadth of sources continue to grow,” he says.

Top banks, retailers, hospitals, government agencies, and other organizations around the world are using Recorded Future’s Threat Intelligence Machine™ to identify threat trends, find compromised data, and alert on threats specifically targeting their data and networks.

“Security teams may look to the Dark Web first for incident detection: are our credentials or sensitive information exposed?” says Matt Kodama, Vice President of Product at Recorded Future.

“But operational monitoring is just one way to leverage dark web sources. We know that adversaries will find new intrusion methods and fraud schemes.

“Which technologies are emerging as targets, and how are threat actors finding exploits? By harvesting and indexing the dark web at scale, we highlight these emerging trends as a key input to an intelligence-driven security program,” he notes.

Part two: Improve Your Threat Intelligence Strategy With These Ideas will appear on this site on Friday December 1.
