How to overcome today's intelligence challenges to uncover the threats that matter [Q&A]
Threat intelligence is critical to protection efforts, but businesses often struggle with effective management and correlation of this data to help prioritize their efforts.
We spoke to Richard Struse, chief technology officer and co-founder of Tidal Cyber, to discuss the challenges presented when organizations scramble to update systems that aren't actually vulnerable or stop threats that would essentially have no impact on their business.
BN: What role does threat intelligence play in organizational cyber protection efforts?
RS: Cyber Threat Intelligence (CTI) plays a key role in cybersecurity whether or not an organization is aware of it. Many cybersecurity tools and platforms leverage CTI on behalf of their customers and users, in an effort to keep up to date with the ever-evolving threat. There is a large and robust community of government, commercial and nongovernmental organizations that produce CTI for use by their stakeholders. The challenge is less of a 'supply' problem and more of a 'demand' (or more accurately, a 'consumption') problem. Taking CTI and using it effectively within an enterprise can be a complex and time-consuming process.
BN: How has threat intelligence changed since you started working in it?
RS: I first began working in CTI in 2011 and at that time many of the challenges had to do with the 'plumbing' of CTI -- getting it from point A to point B in a timely manner in a format that could be readily used on both ends. By early 2012, I was deeply dissatisfied with the current state of affairs and set out to do something about it in my role as chief advanced technology officer of the Department of Homeland Security's National Cybersecurity and Communications Integration Center (DHS NCCIC, which has since been absorbed into what is now CISA). Over the next seven years I led the effort to define international standards for the representation and exchange of actionable CTI -- efforts that led to the development of the STIX and TAXII cyber threat intelligence standards in OASIS. We built an international coalition of the willing, with MITRE providing much of the early technical expertise, to collaborate on the definitions of standards that could be supported by security products and platforms around the world.
Since then many of those plumbing issues have been resolved and STIX and TAXII have become part of the foundation of many cybersecurity tools and platforms. While that is gratifying, the work is by no means done. The standards continue to evolve in the international community, but more importantly, the use cases driving their adoption continue to evolve. Since I first got the idea for an automated CTI exchange ecosystem back at the end of 2011, we've seen the community shift from a focus on 'indicators of compromise' (IOCs) to looking more at adversary technical behaviors often referred to as 'tactics, techniques and procedures' (TTPs). This has been driven largely by the reality that adversaries are continuously shifting their infrastructure (IPs, domains, malware, etc.) and therefore the useful lifetime of most IOCs is very brief, necessitating automated detection and remediation in order to be effective. Over the past ten years or so, we've seen the explosive growth of the MITRE ATT&CK framework, which provides a 'common language' to describe adversaries and their technical behaviors/TTPs. When I arrived at MITRE mid-2017, ATT&CK was already growing rapidly because it offered defenders a way to reason about and communicate adversary TTPs at a higher level of abstraction. This has been crucial to ATT&CK's success since it means that TTPs are not nearly as brittle and short-lived as IOCs.
BN: What challenges do organizations currently face when it comes to obtaining useful and actionable threat intelligence?
RS: There are many great sources of potentially actionable CTI available, from open source intelligence (OSINT), to Information Sharing and Analysis Centers (ISACs), to commercial threat intelligence services. The largest challenge that we see is less about obtaining useful CTI and is much more about the difficulties of putting it into action. The reality is most organizations around the world lack any sort of dedicated CTI function. CTI analysts are generally a scarce and expensive resource and that means that only larger and better-resourced organizations have the ability to take CTI and apply it within their enterprise. This is particularly true for intelligence related to adversary TTPs as these are not as readily consumed by most security tools.
Overall, CTI is critical to protection efforts, yet businesses continually struggle with effective management and correlation of this data to prioritize their efforts. Few talk about the challenges presented when organizations scramble to update systems that aren't actually vulnerable or stop threats that would essentially have no impact on their business. While some organizations, including MITRE, have offered frameworks that help distill this intelligence, many require significant manual intervention and analysis. This discovery led my co-founders Rick Gordon, Frank Duff and me to leave MITRE at the end of 2021 to start Tidal Cyber, a Threat-Informed Defense (TID) platform.
BN: What platforms or knowledge bases are currently in place to support threat monitoring and defense efforts? What are their values and shortcomings?
RS: There are a plethora of sources of CTI and there are countless commercial as well as open source tools available. Again, the challenge is often not having the staff with the expertise, time and resources necessary to take full advantage of those information sources and tools. We routinely see organizations with security tools whose capabilities are not being fully leveraged.
With a solution like we offer at Tidal, customers are able to make the most of their security stacks as they can map new threats to their assets, vulnerabilities and deployed security solutions to determine if and/or how exposed they might be. This enables customers to align their specific environment and defenses with the threats that have the greatest potential to impact their business. Tidal's ability to help organizations employ TID to align their protection with the threats that matter ultimately leads to a reduction in solution overlap and technology costs.
BN: When a new threat is uncovered, what steps should organizations take to ensure they are protected?
RS: This is one of the core activities within the discipline of 'threat-informed defense' (which is a term I coined at MITRE back in 2018 as I stood up the Center for Threat-Informed Defense, a privately funded R&D Center). As new threats are identified, or existing threats evolve, it is critical to link those back to the specific TTPs used by that threat. With that specific, granular technical understanding of the threat, your next step is to line those TTPs up to your defenses, to answer the question, "what defenses do I have against this specific TTP?"
This is where it gets tricky because I've yet to meet an organization that does this in any sort of repeatable or scalable manner based on real data. One of the main reasons my co-founders and I started Tidal is because we were, and are, passionate about solving that problem, and not just for large and well-resourced organizations.
As mentioned, Tidal's TID platform ingests a wide range of CTI and automatically correlates the TTPs of concern with the specific defensive tools that are in place within the enterprise, showing our customers where their defenses are strong and where they are weak -- to inform action to improve those defenses. We're giving our users unprecedented visibility into the security coverage they actually have based on the tools in their defensive stack. With that visibility, security teams can then make data-driven decisions about what gaps to fill and how, allowing them to maximize the value they get from their resources.
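The two steps Struse describes (link a threat to its TTPs, then line those TTPs up against deployed defenses) can be mechanised over the STIX format he mentions earlier. The following is an added illustration, not code from the interview or from Tidal Cyber: it reads a small constructed STIX 2.1 bundle in which an intrusion-set "uses" attack-patterns tagged with ATT&CK technique ids, then compares those ids against a constructed map of which in-house controls claim coverage of which technique, reporting the uncovered gaps. The bundle contents, object ids, group name and the control-to-technique map are all sample data.

```python
import json

# Constructed STIX 2.1 bundle (sample data, not a real feed). Object ids are
# made-up UUIDs; the technique ids are ATT&CK ids attached via external_references.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000000",
    "objects": [
        {"type": "intrusion-set", "id": "intrusion-set--00000000-0000-4000-8000-000000000001",
         "name": "Sample Group"},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000002",
         "name": "Phishing",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1566"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000003",
         "name": "Command and Scripting Interpreter",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1059"}]},
        {"type": "attack-pattern", "id": "attack-pattern--00000000-0000-4000-8000-000000000004",
         "name": "OS Credential Dumping",
         "external_references": [{"source_name": "mitre-attack", "external_id": "T1003"}]},
    ] + [
        {"type": "relationship", "id": f"relationship--00000000-0000-4000-8000-00000000001{i}",
         "relationship_type": "uses",
         "source_ref": "intrusion-set--00000000-0000-4000-8000-000000000001",
         "target_ref": f"attack-pattern--00000000-0000-4000-8000-00000000000{i}"}
        for i in (2, 3, 4)
    ]})

# Constructed coverage map: which deployed control claims to detect or block
# which technique. A real one would come from the organisation's own stack.
DEFENSES = {"email-gateway": {"T1566"}, "edr": {"T1059", "T1486"}}

def techniques_used(bundle_json, group_name):
    """Step 1: follow 'uses' relationships from the named intrusion-set to
    its attack-patterns and collect their ATT&CK technique ids."""
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    groups = {i for i, o in objs.items()
              if o["type"] == "intrusion-set" and o.get("name") == group_name}
    techs = set()
    for o in objs.values():
        if o["type"] != "relationship" or o.get("relationship_type") != "uses":
            continue
        target = objs.get(o["target_ref"])
        if o["source_ref"] in groups and target and target["type"] == "attack-pattern":
            techs |= {r["external_id"] for r in target.get("external_references", [])
                      if r.get("source_name") == "mitre-attack"}
    return techs

def coverage_gaps(techs, defenses):
    """Step 2: per technique, list the controls that cover it; return the
    mapping plus the sorted list of techniques nothing covers."""
    covered = {t: sorted(c for c, ts in defenses.items() if t in ts) for t in sorted(techs)}
    return covered, [t for t, c in covered.items() if not c]
```

Running `coverage_gaps(techniques_used(SAMPLE_BUNDLE, "Sample Group"), DEFENSES)` on the sample data shows T1566 and T1059 mapped to a control and T1003 as the gap to act on.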
BN: Looking forward, what should organizations be doing to better align and inform their defenses and threat intelligence?
RS: Once the organization has mastered the basics of enterprise cybersecurity (cyber 'hygiene' if you will), they should be moving to adopt a threat-informed approach to their defenses. Having access to high-quality CTI is great, but it is essential to remember that for the vast majority of enterprises around the world, CTI is a means to an end. That end is improving the cyber defense and resiliency of each enterprise and that requires understanding exactly how your defenses relate to the ever-evolving threat landscape. Threat-informed defense can be thought of as a kind of continuously-evolving 'treasure map' -- helping you understand where and how you have effective defenses, and even more importantly, where you don't -- before the adversary does.