Threat intelligence is considered by many to now be an essential component in a firm’s arsenal when fighting cyber crime, allowing them to use data to make better decisions in tackling threats. It brings together data on known and previous threats to identify whether an organisation is currently being exposed to one.
There is a growing concern in the industry, however, that cyber security analysts are being inundated with too much data, resulting in too many false positives being generated and devaluing the power of threat intelligence.
"Are we being overrun by threat intelligence? Yes, absolutely," Wade Woolwine, Director, Rapid7 Threat Detection & Response Services told CBR, "because a lot of organisations don’t really take the time to really curate and analyse that threat intelligence as it’s coming in."
Inappropriately deploying threat intelligence and data, like IP addresses associated with attacks from a number of years ago, can waste significant time and resources for an organisation.
"Looking at the time factor as kind of the number one decision point as to whether you should use it or not will allow you to reduce that volume of threat intelligence that you’re applying, therefore it’s going to reduce the amount of time your analysts have to spend analysing threat intelligence incidents as they happen," said Woolwine.
It can have very serious implications, as it can mean that key data that might prevent a breach is missed. Indeed, Woolwine said that some major breaches may have been caused by analysts having too much data to go through, and so they were unable to get to some key information.
He said: "When we look at Target, for example, some of the information that came out a few months after the breach had occurred, the investigation had closed, is that they had actually received some indication that there was malware in their environment, however it was buried in a mountain of other data that the analysts hadn’t had the opportunity to get to and review that particular hit."
It is an issue that Steve Ginty and Brandon Dixon have also identified, and tried to build a product around. They co-founded PassiveTotal, which was purchased by RiskIQ in October 2015. The firm provides a one-stop shop for a variety of threat intelligence data, and uses visuals to, they hope, present some of this data in a more accessible and useful way for overworked analysts.
Ginty explained to CBR: "I think the thing is connecting dots. Connecting dots between attack campaigns for an analyst, it takes a lot of time, and so what we’re trying to do is make that simple by presenting not only our analysis but also an organisation’s analysis. So analysts can tag and classify things in our system that they’ve previously seen. If they see it in the future we will report that back to them and say hey, this overlaps with what you looked at a week ago."
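The two ideas above, Woolwine's point that an indicator's age should be the first filter applied before it generates alerts, and Ginty's point that a new hit should be reported alongside what the analyst already tagged, can be shown in a few lines of code. The following Python is an added illustration written for this article; it is not code from Rapid7, RiskIQ or PassiveTotal. The feed entries, the analyst notes and the log lines are all constructed for the example (the addresses come from documentation ranges and the domains use the reserved `.example` TLD), and the 90-day cut-off is an assumed policy value, not one recommended by either interviewee.

```python
import re
from datetime import date, timedelta

# Constructed example feed: invented IPs, domains and last_seen dates, not
# real indicators from any vendor. Two entries are years old, two are recent.
FEED = [
    {"type": "ip", "value": "203.0.113.7", "last_seen": "2016-03-01", "source": "vendor-a"},
    {"type": "ip", "value": "198.51.100.23", "last_seen": "2012-07-14", "source": "vendor-a"},
    {"type": "domain", "value": "update-check.example", "last_seen": "2016-02-20", "source": "vendor-b"},
    {"type": "domain", "value": "old-c2.example", "last_seen": "2011-01-05", "source": "vendor-b"},
]

# Constructed record of the analyst's own prior work: indicators tagged while
# reviewing an earlier campaign, with the date of that review.
ANALYST_NOTES = {
    "update-check.example": {"tag": "campaign-blue", "reviewed": "2016-02-24"},
    "203.0.113.7": {"tag": "campaign-blue", "reviewed": "2016-02-24"},
}

# Constructed proxy/firewall log lines in a simple space-separated format.
LOG_LINES = [
    "2016-03-03T10:01:02Z ALLOW 10.0.0.5 -> 203.0.113.7:443",
    "2016-03-03T10:02:11Z ALLOW 10.0.0.8 -> 198.51.100.23:80",
    "2016-03-03T10:05:40Z DNS 10.0.0.5 query update-check.example",
    "2016-03-03T10:06:13Z DNS 10.0.0.9 query old-c2.example",
    "2016-03-03T10:07:00Z ALLOW 10.0.0.7 -> 192.0.2.44:443",
]

TODAY = date(2016, 3, 3)      # fixed "now" so the example is reproducible
MAX_AGE_DAYS = 90             # assumed retention policy for this illustration


def parse_date(s):
    return date.fromisoformat(s)


def fresh_indicators(feed, today, max_age_days):
    """Keep only indicators whose last_seen date is within max_age_days of today.

    This is the 'time factor as the number one decision point' filter: stale
    indicators never reach the matching stage, so they cannot raise alerts.
    """
    cutoff = today - timedelta(days=max_age_days)
    return [i for i in feed if parse_date(i["last_seen"]) >= cutoff]


# Tokens are runs of letters, digits, dots and hyphens; the ':port' suffix and
# the '->' arrow are naturally excluded, so '203.0.113.7:443' yields '203.0.113.7'.
TOKEN = re.compile(r"[A-Za-z0-9.-]+")


def match_logs(indicators, lines):
    """Return (line, indicator) pairs where an indicator value appears as a whole token."""
    by_value = {i["value"]: i for i in indicators}
    hits = []
    for line in lines:
        for tok in TOKEN.findall(line):
            ind = by_value.get(tok)
            if ind is not None:
                hits.append((line, ind))
    return hits


def prioritise(hits, notes, today):
    """Attach the analyst's own prior context to each hit.

    A hit that overlaps with something the analyst already tagged is reported
    with the tag and how many days ago it was reviewed, so it can be triaged
    as part of a known campaign instead of from scratch.
    """
    report = []
    for line, ind in hits:
        note = notes.get(ind["value"])
        if note:
            days = (today - parse_date(note["reviewed"])).days
            context = f"overlaps with {note['tag']} reviewed {days} days ago"
        else:
            context = "no prior analysis"
        report.append({"line": line, "indicator": ind["value"], "context": context})
    return report


if __name__ == "__main__":
    raw_hits = match_logs(FEED, LOG_LINES)
    aged_hits = match_logs(fresh_indicators(FEED, TODAY, MAX_AGE_DAYS), LOG_LINES)
    print(f"hits without age filter: {len(raw_hits)}, with age filter: {len(aged_hits)}")
    for row in prioritise(aged_hits, ANALYST_NOTES, TODAY):
        print(row["indicator"], "|", row["context"])
```

Against the constructed data the unfiltered feed produces four hits, two of which are on indicators not seen since 2011 and 2012; applying the age cut-off first halves the queue, and both remaining hits are reported as overlapping with the analyst's own `campaign-blue` tag from eight days earlier. The same structure works with a real feed as long as each entry carries a reliable last-seen timestamp, which is the field worth insisting on from a vendor rather than a raw indicator count.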
The ongoing skills shortage in cyber security is also a factor in the issue, as is so often the case. Dixon said: "One of the things you see plastered all over the place is that there’s a need for cyber security people to fill these roles.
"What we’re finding is a) we can’t find them, b) even some of the people I’ve interviewed in previous jobs, they don’t have the requisite skill set coming out of any 4 year degree programme, whether it’s focussed on cyber security for them or not, to actually be able to do this work."
How much is the industry contributing to its own problems? Woolwine thinks it is doing so by overemphasising quantity, instead of quality, of indicators and alerts a threat intelligence system throws up.
Woolwine said: "I think it’s a constant conundrum right in the industry, specifically around threat intelligence, to think the more alerts they’re generating the more likely they’re going to find that investigative lead that is going to lead them to a targeted attack.
"Vendors themselves are really participating, I guess in this farce, or facade, because a lot of them count the number of indicators they have, which is irrelevant."
The comfort blanket of data is actually suffocating cyber security analysts, and reducing the power of threat intelligence to combat the range of threats it is meant to be monitoring.