
Maximizing Threat Intelligence for Proactive Security

While many organizations monitor the dark web, the lack of a standardized process for validating and tracking intelligence leaves many at risk. Learn how to elevate the value of your threat intel through better standardization, contextualization, and collaboration.

Series: On-Demand Webinars & Highlights

Category: Product Features, Thought Leadership


Transcript

This session comes from PlexTrac. And presenting for PlexTrac is David Rushton, a sales engineer. David is in the house right now and he is ready to go, so I am going to turn this over to him. David, please take it away.

Yeah. Thank you very much.

So, yes. So, David Rushton, sales engineer here at PlexTrac. I have experience with MSSPs, pentesting, and vulnerability management. And I’m very excited to give you guys a walkthrough today of how you can maximize your threat intelligence for more proactive security.

This is a little bit close to my heart because it might be the semi-most boring part of today’s talk. And the reason I say that is because it’s the processes behind the threat intelligence and dark web intelligence that you bring in on the market today. There are tons and tons of great sources you can use, from open source to private tools. However, the area that a lot of companies lack in is the ability to actually process it themselves.

There is so much you can do and so much you can use, but organizations today are just not standardizing the processes for validation and tracking the intelligence, which leaves massive amounts of risks. I’ve talked to many CISOs — many organizations — and one of the first questions I always ask them is, “Are you using intelligence and dark web?” And they always respond like, yes, of course we are. And I’m like, “Great. How?” And their responses are incredibly vague on a very common sense of it. And I always tell people the difference between a great organization using dark web intelligence and one that is maybe on the lower maturity curve is not in relation to how much you are possibly spending or how much time you are putting into it. It is regarding the processes and the context that you apply, and what’s important to you.

So let’s kind of separate a little bit today. This is what we’re going to talk about:
What is the current problem and what are the solutions around it? And I really want today to be quite educational. So please, hit me with them QAs at the end. I’m looking forward to hearing lots of questions that you might have.

So let’s talk about the current state. Most organizations engage in some form of dark web and threat intelligence collection, but they face a lot of challenges. They lack specificity, they don’t have a clear understanding of what they want to actually look for. And when that happens, efforts become a little bit unfocused and you become a little inefficient.

The second one is they get overloaded with data. The sheer volume of dark web and threat intelligence that exists in the world today is absolutely massive. And if you’re not being very focused on what you want, you tend to overlook or not react quickly enough to what actually matters.

The next one is undefined priorities. And really this is the standardization that I was kind of talking about at the start, is what methods are you actually using to evaluate the risk or relevance of the findings to your organizations to help you be more focused and respond effectively?

Now, I’ve talked about this a little bit already, but if you have this current state, you’re probably having consequences such as missed threats, wasted resources, and inadequate protection. And what I’ve always talked about in this area is people don’t realize it’s happening. They will go and buy and they will start to collect dark web or threat intelligence, but they don’t realize that they actually have to do something with it.

And that’s kind of why I said of like, this is going to be less interesting maybe to some people because it’s not as sexy per se. It’s not like, hey, let’s go and find some dark web, let’s go threat hunting. And I’m not using the cool words. I’m using words like processes and validation, which are going to have a much larger impact. Even if you’re using from open source all the way to the highest quality data source, dark web intelligence source, on the market today, you need to have something in place. And the wasted resources are a massively big one for me.

On the consequences side, the number of organizations, from public to private, that I’ve seen hunt down and figure out that the dark web or possible attack coming from hacker discussions have been false, or they’ve been misunderstood in some way, or they don’t really apply to their most protected resources. And what I’ve seen is that really talented folks are trying to validate it, but they don’t really have a standardization around it, they don’t have a way to track it as well.
And I really want to get into this and really want to get into not just the problem that I’m laying out right now, but also how can we improve it. And I think that’s something as a market and the industry as a whole within cybersecurity, and not just in the vulnerability management or pentesting or detection side, but also in the post as well, and also in the SOC world — malware analysis, IP detection, incident and response. How you use it needs to have some focus that matters to you and to the situation that you are in. So let’s move on.

So next one is we’re talking about elevating it. So what do we do? What does standardization look like? So we need a new approach. The absence of this structured, prioritized, context-driven approach to dark web and threat intelligence undermines a lot of the efforts that you do and exposes your organizations to unnecessary risk without you even realizing it.

Now the value of standardizing your processes is that you actually start to validate, you start to track, so you start to categorize and assess the actual different types of findings, the different types of intelligence that matter most to you. So think about it. If you find IPs really important, maybe credentials intelligence is really important to you. So you have that as a higher level of importance or criticality in some way.

Or if you do a lot of web applications and you’re really important, tracking the IPs coming in, IP for intelligence or analysis is going to be very important to you as well. So you need to figure out what’s important to you: What do you actually want to collect? Why do you want to collect it? You want to then allocate efficiently the resources to that, and you want to allocate those resources, not just in general to task web and say like, hey, you’re in charge of this, off you go. You want to say, all right, allocate to the most critical threats and have a workflow behind that as well.

Moving along. Perfect. The next one is going to be the contextualization. So you need to understand how does this threat relate to you. That’s really, really key. Do you mean what are the efforts that you’re going to apply to the specific threat landscape that you’re looking to cover and what are the vulnerabilities that you’re most worried about and how do they prioritize as well. The final one is understanding how you’re going to respond based on the potential impact to your own operation assets. For example, if you know continuity is really high on a certain web application or certain asset, then you are going to respond very differently. If you find a potential threat through your threat intelligence feed or dark web against that particular asset, and how you validate it and respond to it is very different to how maybe you do the IPs.

Some will be really easy. I’m not saying everything needs to be really difficult. For example, you can automate a lot of this as well, but you need to have a discussion around the types of intelligence you’re collecting and how you respond to it, and also the categorization of that intelligence because even just one category — and one thing I’ve worked very closely with before is dark web. There’s a very big difference between looking through hacker forums and seeing potential implications against your brand or attacks coming your way, or maybe attacks against vulnerabilities that you have in your environment versus credential intelligence. So you need to categorize it, think about how you respond to it, and understand the impact on your organization. Not only will that help you with the efficiency in responding and reducing risk, but now you can actually talk to the wider audience.

So to your stakeholders, the board, your leadership, your managers, you can say, hey, I’m doing this because of this exact reason. That’s the really powerful aspect of what we’re talking about here, is you can show progress, you can measure it now. So it’s really, really important that you think about these things when you’re collecting this data. And this is also really big on when you’re assessing maybe market tools. Every tool in the market today, if you are looking to buy something, will have its own strength. Does that strength that they have map to what you are trying to protect? That’s really essential as well.

Now, one thing I always think about when a lot of people present this stuff to me is that they’re not tailoring it to themselves. Now, what I mean by tailoring is, I mean in presentation. So let’s say a little story right now, you’re a CISO of a tech company, and you find that, hey, I’m going to start prioritizing my vulnerabilities based off the intelligence I see. Maybe, hey, does it have an exploit available? What type of exploit is that? Or someone talking about it in the dark web, etc., etc., etc. Now the important thing here is you can take that as it is and say, hey, I’m just going to patch all my exploits. But the issue that I see in a marketplace today is that, what type of exploit is that? Where did it come from? Have you actually validated that that exploit is a real thing? And how does it impact the applications you have? What security controls do you have existing already that could maybe stop that exploit? Most cross-site scripting vulnerabilities today, and the exploits against them, will be stopped by most firewalls. Obviously, that’s not the case. So again, you need to tailor how you respond to them.
Do you want a validation against it? Are you going to prioritize based on the criticality? Are you going to prioritize based off the business criticality of that particular asset and what it means to the organization? So there’s a lot of thought processes that you need to think about when you ingest this data. And a lot of times I see organizations, they ingest it and they go, “good,” and they wipe their hands clean of it. They do the next thing. I really want you guys, and the market as well today, to really think about, how are you tailoring it? How are you prioritizing the response to it as well? Now let’s move on to the next one.

Now, the final bit, and I think this is something that’s very under-talked about, is that threat intelligence and dark web intelligence are a team issue. It impacts everything across all of your silos, from the vulnerability management to the SOC to incident response to even the sysadmin, to your engineers, and your application engineers. Whatever types of categorization of silos you have, all of them are impacted in some way, or they can benefit in some way from having this data.

So one thing I want to get across today is how are you actually collaborating on the threat intelligence? How are you utilizing it across the organizations? How many types of sources are you actually bringing in today? And could it be used somewhere else? And one thing I’ve always seen is having that shared understanding, hence the word being underlined, of the potential threats, and ensuring that the relevant stakeholders of each silo, or within each silo, have an understanding of the actual threat against it and what that means to the operation and the results of your organization as well. A lot of times I talk to CISOs and I talk to organizations and I go, “What source for intelligence do you use?” And they always tell me, “Oh, yeah, we use this for an intelligence source” — let’s keep with the example, the vulnerabilities they’re looking at exploits — and I’m like, “Fantastic. It’s amazing. Is that shared across all of the team? Do your pentesters know about this intelligence source? Do your red teamers, do incident management?” This is the way to actually start to figure out where the attack matter came from. You need to have that conversation across your team, and they need a way to collaborate.

So not only are the processes you need to think about, but you need to think about how are teams collaborating on this to have a level of validation against it, and how are you coordinating that response as well. Because a lot of these threats, they can get quite complex. They are quite sophisticated. Not every single one, but you need to make sure that you are responding to it appropriately, to what that means to your organization, to the level of criticality it means to you as well. That means asset level or maybe personnel level as well. And also documenting this as you go through, that is the final thing that I really think is absolutely essential with our organizations and the market today.

A lot of what we’re talking about now is not documented. You might automate it and bring it in and you might prioritize and you might even look at it. You might even act on it as well. But how are you tracking it? How are you coordinating it? Does everyone know that you’ve possibly fixed or documented a threat intelligence piece? Let’s use the example of credential intelligence. If you find leaked credentials on the dark web, how do you respond? Who needs to know? How is it documented? How do you validate it’s real, how do you validate a protection against it? Does compliance need to get involved? These are the questions that I always ask, and on an average basis it always gets a very big set of excuses.

And it’s the truth. It is very easy today in the market and the tools that we have access to to go and buy and make us think that we’ve increased our maturity through that. But you need to understand that the process behind it is sometimes more important. One of my biggest recommendations to organizations that are looking to mature their ability in using intelligence and dark web is I tell them to pick one source, and I always tell them to start with open source, and it could be anything. And I get them to do the research as well. Sometimes I can provide some guidance, I provide some examples, and I get them to think, okay, now you’ve got this intelligence, what do you do? And I get them to go through that process, and they get a lot more value out of using that open source and thinking about how they tailor their response to it. That means more to them than buying a tool today.

Once they have that sorted, then they can go and buy the tools or increase their source thing and apply it to different areas because now they’ve created a standardized way that they can do it that is really, really beneficial overall.

Now let’s go to the next slide. Perfect. So I’ve talked a lot today about what I think and what my recommendations are in how to use threat intelligence and the secret sauce that I think should be applied to every organization today. And I know a lot of the other organizations on this webinar likely have talked about the sources they have, how they do it. And I really wanted to get across that there is a bigger conversation you need to have as a team, as an organization, when you bring that threat intelligence in. And now PlexTrac is playing in this field.

We don’t collect threat intelligence, we don’t collect dark web. But what we do help with is the things I talked about today. We help you with standardizing the findings. We help you with tracking now. We also help with contextual scoring, and prioritization, and we also help with collaboration. You need a place to document, to validate, and that’s something PlexTrac is really, really in the position to do today.

When I talk about standardized findings, what I’m talking about is when you bring that dark web source in, you need additional ways to add evidence. You need additional ways to add validation. You need ways to provide not just evidence that it exists, but evidence that you fixed it. What does that look like? How do you track that? How do you track standardized findings across credential intelligence, vulnerability intelligence, IP intelligence? All these are very important things, and you standardize them in very different ways. You need a tool and one place to do that. That’s something PlexTrac has a high vision of doing. In addition to the tracking and reporting capabilities, how do you walk into a boardroom today and say, “Look how much work we’ve done”? How do you customize that to different personnel? How do you communicate that to different stakeholders in your organization? PlexTrac has the ability to report in different ways, to present information in different ways. We also can help you with the tracking side.

We can help you not just in tracking in a typical manner, but in facilitating different processes for different scenarios. So we give the power in your hands to facilitate the operation. You need to tackle the intelligence in your way that means something to you. The next one is a contextual scoring and prioritization on the prioritization. What we do is we can help group these findings in accordance with certain applications or certain network segmentation. For example, if you bring in a load of sources of dark web intelligence or from the credential intelligence, that credential intelligence might have different logins and maybe cookies associated to different applications across your organization. Now, what you might want to do is group that according to the applications you’re looking to prioritize, so you can prioritize it and then make treatment plans.

You can start looping in the different teams, such as sysadmins who are in charge of that application, for example. So maybe they can do a reset of that password that’s associated with that credential intelligence. Maybe you can have the evidence to go with it for that priority as well. So when you go to your stakeholders, you can go like, “Look, we found all this stuff, we fixed it. Here’s the proof, here’s the priority. We’ve lowered it. This is our strategy.”

The other one is contextual scoring. We want to unlock the box of the scoring methodologies that organizations do today. We want to give you the ability to create your own scoring within your own context. So if something means something really important to you against a priority, hence, hey, if I see a credential intelligence and it has a password with a URL, I want that score to go up because that means something really important to me. And now I can communicate that to the wider people in my organization.

Then the final one is the enhanced collaboration. This is absolutely essential. I think this is massively overlooked. PlexTrac has the ability to support collaboration across teams. We have the ability to track findings, track changes. You can make comments, you can have almost like a Google Doc experience within PlexTrac itself so teams can talk to each other and everything in one place. That’s the real value is as you’re reporting on this stuff, as you’re tracking this stuff, you can work with your team at the same time.

Now that is all from me on this end. Keith, I’ll hand it over back to you. Thank you for your time, everyone. I really appreciate it.

And thank you, David, what a great presentation. I loved it. I will say that you mentioned that process may not be sexy. And while that’s probably true, process — is just, you know — without it, you’re kind of wandering around. You don’t know how to react to things, you don’t know how to anticipate. You don’t have a way to evaluate after the fact too. I mean, process just undergirds everything you’re doing. So here’s a shout out for processes, right? Even if it doesn’t have that wow factor.

I appreciate it, Keith, thank you.

Yeah, for sure. So I threw up the poll question here. Please let us know as Dave and I are going through some questions here, what additional information you would like about the PlexTrac solution. They are standing by and ready to talk to you, so please keep voting while we go through these. Now remember also that we have a great handout from PlexTrac that I encourage everyone to download before we’re done today. It’s a link to get a demo so you can see PlexTrac in action. That’s definitely worth a look. So you can see what it can do for you. So our first question here today for you, David.

Paul wants to know, is PlexTrac able to streamline and make workflows efficient enough for an SMB to monitor threat intel, even with minimal staffing?

Yeah, absolutely. So the key thing about PlexTrac is that we have the ability to ingest multiple types of data. We have multiple tools that can do that, but we also have the ability to do CSV uploader. Now the nice thing about PlexTrac is, yes, we have an open API, but what we have, we have something called the Parsers actions. And what the parser actions can do is it can help automate and clean the data that comes in. So you can ignore things, you can change the severity, but what else you can do is you can have standardization from a writeup standpoint.

Now it’s kind of hard without showing you, but we have this knowledge base where you can make pre-written writeups in accordance with what you want to say. So for example, let’s say you bring in credential intelligence, and I’ve used that example quite a few times and I’m going to keep going with it. But let’s say you have writeups against it: you find a password, you find a username against a URL, and you say, like, hey, I want to say this for that. You can assign it to that in accordance, so you can add the context pre-send.

Now in addition to that, you then can track it and assign people to it. We’re all within the platform, so there’s no need to have a ticketing system against it. You can utilize the notifications that we have as well and organize them in clients and reports. So there’s a few different ways we can help streamline from an SMB standpoint. 100% good question.

That is great to hear because, obviously, they’re the ones very often the most strapped and fighting fires constantly.

Okay, next up, someone wants to know how do I get started using threat intel and what types of intelligence data should I begin with? Really good question.

Yeah, great question. So the sources I would definitely recommend getting started with, the vulnerabilities is my recommendation. There’s a lot of open-source threat intelligence on the exploitation of vulnerabilities in the market today, and I’m talking from Twitter and even Reddit, they talk about it a lot as well. You don’t even need to go to the dark web to scrape this data. You can go to Exploit-DB where they’re collecting exploits. You can go to multiple sources; AlienVault also gives you a free indication of exploitation of a vulnerability. So does Microsoft.
That is my number one recommendation for organizations today to figure out which vulnerabilities exist in their environment and which ones are actually truly being exploited in the wild today.

Great stuff. Yeah, you got to have an accurate view of what’s going on. Okay, next up, what are the common mistakes people make when they try to use dark web intelligence for the first time in this sort of proactive way?

I think the biggest one is that they think buying will solve their problems for them. I think that’s the biggest thing I’ve seen of all the thousands of conversations I’ve had, is when they think about using dark web or threat intelligence, the first thing they think about is, what can I buy to do it? I personally think that’s one of the biggest mistakes you make, because you’ll go into a rabbit hole with all the tools on the market today, all doing different things, and they will likely confuse you even more. You would need to decide what’s important to you, what data you want to collect. And sometimes that is finding a tool in the market because maybe open source doesn’t have it or doesn’t have it in a certain way you want. But you need to figure that out for yourself first. Before you go and talk to someone, make your own criteria of what intelligence you want to collect and what’s most meaningful to your organization.

Just great advice. No silver bullets out there for sure.

Yeah, not yet.

So, final question for you today here, David. Someone wants to know, asks, what is the actual impact I can expect from using dark web intelligence in my security program? And the second part of that is, how do I know if it is helping us get better? So a nice practical question there.

Yeah, really good question as well. And I think this comes to part of my presentation is, you know, you’re getting better because now you’re actually tracking it. A lot of times, it’s coming to the foundational, figuring out what’s important to you, figuring out the impact that has to your organization if something occurred, maybe hypothetical. You have to think like that sometimes.
Think from a hacker’s view. But then you can start measuring the impact. So if you are doing the credential intelligence, environmental intelligence, the IPs, if you’re starting to understand fracting or threat hunting, then you start to build what it means to you. And that means then you start to build a bigger impact of like, hey, it’s not just these general comments you see in the market. Like, hey, I can reduce the likelihood of a ransomware attack on yourself because you’re using our tool now. You can actually say, no, I can reduce the likelihood of a ransomware attack to my organization because that’s going to do this, this and this and this. And it’s within your own context.

That’s when you go and speak to the stakeholders and the board, you’re talking about your own personal context and your own personal impact that you’re reducing. And the fact that you’re measuring it for the validation and the tracking that’s coming from your data sources. Now you can give them numbers of, hey, we validate all of these criticals because these criticals mean this to us, and we validate that they’re not real or they’re real and we’ve done this particular action to it as well.

Okay, outstanding, and final thing. But just before I let you go real quick, you have created a lot of interest around what PlexTrac is doing. If somebody wants to get started with PlexTrac today, in fact, or find out more, what do you recommend they do as their very next step, David?

I think a next good step in my high recommendation is to go to www.plextrac.com/try. And the reason I say you should go to that specific link is you can actually do a nice little walkthrough of PlexTrac today to actually see what the platform looks like. It is very basic, and then if you’re really interested in seeing more, you can actually fill in and get a request for a demo. And you might even get me depending on where you are in the world. And I’d love to have a little chat with you guys.

All right, so maybe you’re going to have a really long day then, after, if a bunch of people are going to want to get hold of you when they call up and say, I want to talk to David.

I would love that. You’re more than welcome to request me, so please let me know if I’ve been requested. I feel like I want to tell everyone, absolutely, absolutely.

Well, David, this has been an absolute pleasure to have you on today. Thanks for educating us on PlexTrac and what they’re doing. Always great innovation going on with your company and it’s been really fun to learn today from you.

Thanks for your time. Yeah, I really appreciate it. Thank you very much as well, Keith.