
Threat Intelligence Unfiltered

Exposing the challenges in actioning threat intelligence

Threat intelligence is a hot topic right now and rightly so. But just having intelligence doesn’t make it useful in protecting your organization. It’s easy to get threat intelligence but difficult to derive real value from it. 

Incident response guru MacKenzie Brown joined PlexTrac’s offensive security experts Dan DeCloss and Jon Wisdom for a Friends Friday episode to discuss actioning threat intelligence for reactive and proactive security. MacKenzie Brown is VP of Security for Blackpoint Cyber where she focuses on driving Blackpoint’s security vision, nation-state-grade technology capabilities, and their ecosystem. 

Watch the full episode or read on for the highlights. 

The challenge of threat intel

MacKenzie kicked off the conversation by identifying the value of threat intelligence: “In many cases for incident response is threat intelligence. And so when I think of threat intelligence starting there, I think of the way that it creates predictability, right? It creates some sort of method of where we should be looking.” 

She continued by explaining how threat intel can also become a burden. “Because, you know, there can be a ton of information — or I guess we would say like data — but how does this become information that I can use, right? And how can I automate some of this without needing to have another person? Because I think we fall into that trap in cyber a lot where I might have this problem, so I should go solve it with this data feed or with this tool or with this shiny new object. And then all of a sudden I’ve incurred more debt on my team because I need somebody to manage it, I need somebody to cultivate it. And all of a sudden it’s becoming more of a distraction than what it’s worth.” 

Dan agreed that information without a clear way to analyze and act on it is not helpful for improving security. “Well, this happens even in the pentesting world, right? A lot of frameworks will say, like, hey, you should be doing pentesting, but they don’t actually say, are you doing anything with those results? Do you have SLAs around it? So, it comes back to kind of that diligence.”

The promise of threat intel

Despite the challenges and the potential for data overload, all the panelists felt that threat intelligence also presented a great opportunity, especially to inform offensive security. 

Dan said, “I see a lot of opportunity, in what you can use this threat intelligence for. Because if you’re starting to learn about what the attackers are doing and what, what are the key vulnerabilities they’re exploiting, ideally you’re actually taking that into your testing program, into your current list of vulnerabilities and overlaying that information and saying like, okay, have we ever tested for these things? Do we have these gaps in our environment? Then if we do have vulnerabilities, we have now validated that they’re being exploited in the wild. So we should prioritize those higher. That, to me sounds like common sense, but I don’t know how common it is.” 

MacKenzie agreed that a systematic approach to actioning threat intel to prioritize remediation can create value. “I think that people actually scheduling and timelining and making things happen from a remediation stance is the best you can do with it. And applicability too, a lot of people are looking at things that — you know, 0 days are going to be up here — but like everything else, they’re not really necessarily learning how to prioritize intel that they receive. Like, why should they care about APT 31 or something? But, if they really broke it down, like, let’s break down what this threat actor group does. Then you can take those TTPs and say, now let’s align it to MITRE. Is there a likelihood that this specific tactic or technique could impact you? Yes. Are you monitoring for it? Maybe. Are you mitigating it? Maybe. Right? I feel like a lot of intelligence when it’s translated appropriately so they understand the criticality of it and whether or not to take it seriously. But then it’s fed back into the groups that do general risk analysis that can determine this is a high likelihood and the impact would be really bad.”
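Both of the workflows described above, Dan's overlay of "exploited in the wild" intel onto the existing findings list and MacKenzie's breakdown of an actor's TTPs into "are we monitoring it, are we mitigating it" questions, reduce to a small amount of bookkeeping once the data is structured. The following Python is an added illustration written for this recap; it is not code from PlexTrac, Blackpoint Cyber, or the episode. The findings, the CVE identifiers (CVE-0000-000x), the actor name and the coverage table are all constructed placeholders; the three ATT&CK technique identifiers (T1190, T1059, T1566) are real MITRE IDs, but their attribution to the placeholder actor is invented for the example. The scoring weights are an assumption chosen to make the ranking visible, not a standard.

```python
"""Overlay a threat-intel profile on a findings list (added example, not the
episode's or any vendor's code).

Two questions from the discussion are answered in code:
  1. Which open findings does the intel say are being exploited in the wild,
     and have we ever actually tested for them?            -> prioritize()
  2. For the actor's known techniques, are we monitoring and mitigating
     each one, and where are the gaps?                     -> technique_gaps()
"""
from dataclasses import dataclass


@dataclass
class Finding:
    cve: str        # constructed placeholder identifier
    asset: str      # constructed hostname
    cvss: float     # base severity as reported by the scanner/pentest
    tested: bool    # has the testing program ever validated this finding?


@dataclass
class ActorProfile:
    name: str
    techniques: list   # ATT&CK technique ids the actor is reported to use
    exploits: list     # CVE ids the actor is reported to exploit in the wild


# --- constructed sample data -------------------------------------------------
FINDINGS = [
    Finding("CVE-0000-0001", "web-01", 9.8, tested=True),
    Finding("CVE-0000-0002", "vpn-01", 7.5, tested=False),
    Finding("CVE-0000-0003", "db-01", 5.3, tested=True),
    Finding("CVE-0000-0004", "mail-01", 8.1, tested=True),
]

# Placeholder actor; the technique/CVE lists are invented for the example.
INTEL = ActorProfile(
    name="ACTOR-PLACEHOLDER",
    techniques=["T1190", "T1059", "T1566"],
    exploits=["CVE-0000-0002", "CVE-0000-0004"],
)

# Assumed view of the organization's own detection and control coverage,
# keyed by ATT&CK technique id. A technique absent here is treated as
# neither monitored nor mitigated.
COVERAGE = {
    "T1190": {"monitored": True, "mitigated": False},
    "T1059": {"monitored": False, "mitigated": False},
    "T1566": {"monitored": True, "mitigated": True},
}

# Assumed weights: intel-confirmed exploitation outweighs an untested finding.
IN_THE_WILD_BONUS = 4.0
NEVER_TESTED_BONUS = 1.0


def prioritize(findings, intel):
    """Return findings ranked by a priority score with the reasons attached.

    The score is CVSS plus bonuses: one for intel saying the CVE is exploited
    in the wild, one for a finding the testing program has never validated.
    """
    ranked = []
    for f in findings:
        score = f.cvss
        reasons = []
        if f.cve in intel.exploits:
            score += IN_THE_WILD_BONUS
            reasons.append(f"exploited in the wild per {intel.name}")
        if not f.tested:
            score += NEVER_TESTED_BONUS
            reasons.append("never validated by the testing program")
        ranked.append({"cve": f.cve, "asset": f.asset,
                       "priority": round(score, 1), "reasons": reasons})
    ranked.sort(key=lambda r: r["priority"], reverse=True)
    return ranked


def technique_gaps(intel, coverage):
    """List the actor's techniques that are not both monitored and mitigated."""
    gaps = []
    for tid in intel.techniques:
        c = coverage.get(tid, {"monitored": False, "mitigated": False})
        if not (c["monitored"] and c["mitigated"]):
            gaps.append({"technique": tid,
                         "monitored": c["monitored"],
                         "mitigated": c["mitigated"]})
    return gaps


if __name__ == "__main__":
    for row in prioritize(FINDINGS, INTEL):
        print(f"{row['priority']:5}  {row['cve']}  {row['asset']}  "
              f"{'; '.join(row['reasons']) or 'no intel signal'}")
    for gap in technique_gaps(INTEL, COVERAGE):
        print(f"gap {gap['technique']}: monitored={gap['monitored']} "
              f"mitigated={gap['mitigated']}")
```

Run as a script it prints the findings in the order the overlay says to fix them, followed by the techniques where coverage is incomplete. The point of the structure is that the intel feed and the coverage table are inputs that change weekly, while the two functions stay the same, which is the "continuous framework" Dan refers to below rather than a one-off spreadsheet exercise.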

Dan concluded, “I think that you know, continuing to utilize threat intelligence appropriately — I gave a talk at Wild West Hackin’ Fest a couple years ago around threat-informed pentesting — how threat intelligence is typically seen in the responsive space, but it can have a lot of value in the proactive space if you use it as part of your testing program. And deriving a continuous framework around it can be quite valuable.”

Read more about threat intelligence for offensive security. 
