TI Unfiltered: Exposing the challenges in actioning threat intelligence

MacKenzie Brown, VP of security at Blackpoint cyber. I’ve been with Blackpoint a little over a year now. And really a big part of my job is enablement, of course, with our partners. We primarily work in the managed service provider space. So we work with our partners, our MSP’s, and we do MDR essentially. So we support a large aspect of small medium business, which is really important, especially as you can imagine from an information security and, you know, threat landscape perspective. Yes.

And we also, you know, we’re on the topic today. We also have our adversary pursuit group, which is essentially our threat intelligence threat research division that works really closely with our SOC and then also providing rapid prototyping back to our engineering side. So I am local to Boise, even though we’re all virtual here and we’re all local. Yeah, I know. It’s funny, but it’s exciting. None of us are introverts at all.

I thought you would be here today, Dan. I came in for this.

I have so many recordings to do. Like, I just stayed home. Like, I’ve got no, it’s so. Well, yeah. MacKenzie, thanks. Thanks so much for joining us.

We’re excited. Jon, do a brief intro for the audience and kind of share who you are.

Sure. Yeah. Jon Wisdom. I am the director of security operations at PlexTrac. So I manage the information security function as well as our cloud operations team. Keep the servers online and keeping them safe.

Yeah. Couldn’t do it without you, Jon, so thanks so much. And people may know me, I would hope, possibly, but probably not. So, Dan DeCloss, founder, CTO of PlexTrac, but we’re really excited. If you’re new to the Friends Friday, we’re just joining friends from that we know in the industry and the space to come on and chat for 20 to 30 minutes. And it’s just real low key, it’s a Friday kind of thing. And just enjoying learning about different topics, learning about the space, interesting topics that are happening in cyber as well as tech. And so just enjoying meeting a lot of new people, enjoying bringing new old friends onto the cast as well. And MacKenzie definitely falls in that category with, it’s been a pleasure just working alongside her in different capacities.

So, yeah, today we’re talking about threat intelligence, or TI Unfiltered was kind of the, was the topic that we, or the name that we gave today’s cast. So I’m really excited to talk about it. MacKenzie, obviously you have a deep background in threat intelligence and threat response and things like that, but maybe kind of share with us what you think the appeal and the promise has been of threat FTI and threat intelligence, you know, over the years.

Yeah, yeah. Well, I mean, outside of the functioning method and concept of threat intelligence for actual warfare. And now that’s utilized going to the. What did you guys like? Cyberspace, information security, cybersecurity, whatever you want to call this industry. I find that really industry interesting that you guys have categorized those. But I digress. I actually, you know, I really come from the incident response world, and I have been blessed and privileged in a way to work on the detection response team. Formerly at Microsoft, I was with them for a little over four years, and I did incident management over there near the end, which was a lot of just, I like to call it like fantasy football and putting together teams.

But what we saw on dart from an incident response side is we supported global investigations, extremely large investigations, everything that would basically you would see on the news screen or in the media, we likely already had our hands in investigating forensically. And then, of course, Microsoft being the big wide world, giant, massive company that it is, we were able to provide recovery, remediation, a component of that, and in many cases for incident response is threat intelligence. And so when I think of threat intelligence starting there, I think of the way that it creates predictability, right? It creates some sort of method of where should we be looking? How can we work faster when it comes to cyber warfare specifically. And obviously, you know, things have already hit the fan when you get to the incident response world, but it doesn’t mean that you don’t have hands on keyboard. It’s not nation state, it’s not apt. So you do rely heavily on attribution ioc development. You rely on something that is aggregated in a threat intelligence function that allows you to do the investigation and then hopefully, predictably assist in future investigations before they get really bad.

Moving into a role where we work left of boom, as we call it, which is this MDR world, we really have visibility on small things. And so what I’ve witnessed in probably the course of a decade of how people market threat intelligence, hopefully I don’t get too spicy today.
It’s marketed as this. Oh, we’ll give you an inside look at what the threats you face are today, specific to your. But they don’t necessarily do that. You’re really just paying for like a big dump of dark web data maybe and some sort of level maybe, if you’re lucky, of risk analysis, but it’s not curated, it’s not applicable. And people just want to have that peace of mind, but it’s really not giving you any peace of mind. I have a fire extinguisher over here on my wall. Do I have peace of mind? Yes. I don’t actually know how to use a fire extinguisher, so would I have to google it in the amount of time I need it? Yes. Did it proactively help me? No.

But, like, threat intelligence is intended to help information security be better. And then the world of threat intelligence, information sharing, I do also think it’s really limited to more government entities. Right. More lockdown things, things that end up being redacted later on or subject to liability and not put in proven in court. So I do find my opinion on threat intelligence today is it’s just a big, shiny gold star sticker, and it’s also something people can’t budget for, realistically.
And it’s not necessarily something they have to pay for, too, but it does take time and resources. So I have. I’m a little bit this on where we’re going in intel today. So hopefully I opened up the floodgates of opinion for you and Jon.

Yeah, for sure. I mean, like, I think, like, you know, you kind of, you kind of bring the notion of like, hey, this sounds really cool, right? This is one of those things that sounds really cool and, like something that we really think we could use. And then you probably get it or you get all these open source feeds or like, you know, you try to build that threat and tell program, but it’s like, hey, we’ve got a lot of data here, but like, what are we doing with it? I mean, you know, Jon, I mean, like, what are your thoughts? I mean, I share the general opinion of kind of mixed feelings.
Like, just hearing this, it made me think of something that prior to being in cyber, my background was in software engineering. And anybody who’s ever used a version control system, like example, GitHub, what’s the first thing that you do? You ignore the notifications because there’s so many. Everybody just goes and looks, am I supposed to do something? Versus, I was proactively told about it and I see potential for that to go either way.

With threat intel, sometimes you get that big bang and it’s like, wow, I’m really, really, really glad that I had this. And this actually helped me. Other times you could equate it to, you know, some of the products that oftentimes get sold as this is gonna solve all your problems, and then you pay a bunch of money for it, you acquire it, and then you’re like, well, crap, I need a person to deal with this now. You know, there’s a lot of, there’s a lot of potential hidden fees, right?

Yeah, yeah, exactly. Hidden fees.

Someone to translate it all to us. That’s the biggest hidden fee. Yeah, so much like if you’re really, really tapping in like the, you called out floodgates, it is literally that. Right? And you don’t align it. I mean, I think organizations, they get a lot of this information back that’s considered like threat intelligence, but then how do they apply it? Like, how does it apply to their vulnerability management program? What’s the likelihood that, yes, we’re in the healthcare sector and ransomware is a big deal and these threat actors are a big deal, but what is the likelihood it’ll actually impact their infrastructure? And I do think intelligence really maps up to, from a security operation side, what are you seeing to an infrastructure side of what is broken and what is more liable or why get more risky? I guess.

Yeah. How does this apply to me? I mean, and then being able to distill it down, right.

Because like, you know, there can be a ton of information, but like, you know, or I guess we would say like data, but like, how does this become information that I can use, right. Like, and how can I automate some of this without needing to have another person? Because I think we fall into that trap in cyber a lot where it’s like, oh, I might have this problem. I should go solve it with this data feed or with this tool or with this shiny new object. And then all of a sudden I’ve incurred more debt on my team because I need somebody to manage it, I need somebody to cultivate it. And all of a sudden it’s becoming more of a distraction than what it’s worth. Be curious if you’ve got any thoughts, aspects to that or ways that people could actually use it to their benefit.

I mean, I do think. Sorry, Jon, go ahead.

You go ahead. I was just going to say from a business context side of how it’s utilized, I think it just depends on the organization, right? Depends on not just like, the industry you sit in, but not just your budget, but really the time you have allotted and where it fits in your cybersecurity programs. Because there’s so many bigger things that once you get into the intel area and you start, you know, extrapolating from a long list of things that you could be potentially vulnerable to, you realize that it all results back to your basics anyway that you’re not already doing.

So you’ve just allotted and spent all this time focusing in this area, and then you just think TI is a bunch of BS and you don’t need to worry about it. So I think the best business context is actually your partners who do you work with that automatically kind of offer in their services that you’re already paying for a version of, maybe a feed or a version of feedback of what they’re seeing.
So if you’re paying for a SOC or you’re outsourcing engineering or you’re doing certain things, just implementing little controls that then can be translated by the vendors that you work with, but that’s, that’s only because it realistically, who can afford that when they’re not doing the basic security stuff?

Yeah, yeah. Really filtering my bad language right now on my podcast, we do a lot of beep, beep, beep.

I like where you tied into the, I don’t want to say reliance, but the allowing the vendors you’re already working with to try to do the basics. For some of that example I could give is static code analysis and open source dependency management. Yeah. To truly do that well and say, find issues in open source that are o days that are unpublished, you need an army of people that needs to be part of your bread and butter and your offering. Not that you have a cybersecurity team at a software company as an example and, you know, take advantage of someone else curating it for it to then be useful information for, you know, someone like myself. You know, the raw feeds, you know, those come in. You know, a lot of times people cloud, you know, governance, compliance, regulatory, cyber is all kind of being the same.

And, you know, I read a lot of contracts and dpas and msas and, you know, the, hey, I’m going to buy your product and I need to feel good about it. And everywhere is like, oh, you need to. You need to subscribe to feeds. They don’t ever, like, say you’re supposed to do with it. Yeah, yeah. It’s like those emails. So you’re good to go.

Well, even, like, in the pentesting world, right? Yeah. A lot of, like, frameworks will say, like, hey, you should be doing pentesting, but they don’t actually say, like, are you doing anything with those results? Like, you know. Right. Do you have SLA’s around? Like, hey, if a criticals report it, how, you know, so, like, it comes back to kind of that diligent. To me, it’s a very similar conversation, you know, related to, like, the diligence of, like, hey, you can really make a lot of good use out of this information if you’re treating it well, treating it correctly. Like, you know, when. When I was a security director and, you know, that’s actually where I first met Jon, and Jon worked for me. And, you know, like, what I cared about was like, hey, if we get through some intelligence, I actually want to make sure that the partner that we’re working with, our MSSP, is actually aware of this. Right. And they. They have developed a threat model around us to know what. What information is the most pertinent for us. Right.

I mean, I would. I would assume that’s kind of like what you’re working with. I was gonna say, what MSSP are you working with? Damn. Like, today, this was when we were at a different job. Yeah. Shall not be named. Yeah, no, totally. I do think it comes down to, like you said, it’s.
I would say it’s very similar to pentest results. You would hope people, if you’re paying for a pentest, you would hope people would do something with that information. But. And I also could go on a full on diatribe of other legacy things like SEAM technology. And what are people actually doing with it outside of just storing and dumping logs somewhere? But I do think it’s similar to pentest, though. It’s like, what do you do with the results? Are you actually, do you have a remediation schedule? And with TI, it’s a version of that of like here is potentially something that correlates or is applicable to you. Now, what is the likelihood that it’ll affect you?

And then the secondary thing or the third thing I guess at that point is how do you translate that to the people that actually, for lack of a better phrasing, sign the checks? Right. The people who sign the budget approval, the people who are going to say, yes, this is important to us. You have to still translate it almost in layman’s term, from server room to boardroom so that they understand, like actually this is a big deal per justification for us to make changes infrastructure, process wise, things like that. And people don’t look at TI like that. You know, it’s just kind of like, oh no, something hit the news. This is gonna affect us. What are we doing about ransomware?

Yeah, yeah. Or there’s a, there’s a new report about, you know, some threat actor. But like what, you know, and I think that’s kind of maybe like, like something to really hone in on for like, you know, with this top talk is like, you know, I see, I see a lot of opportunity, right. That you can use this threat intelligence for, right. Because if you’re starting to learn about what the attackers are doing and what, what are the key vulnerabilities they’re exploiting, ideally you’re actually taking that into your testing program, into your current vulnerability, you know, list of vulnerabilities and overlaying that information and saying like, okay, have we ever tested for these things? Do we have these gaps in our environment? That’s like, I would, yeah, super important to know, you know, and then like, and then like, hey, if we do have vulnerabilities, we have now validated that they’re being exploited in the wild. So we should go. We should, we should prioritize those higher. Like that, to me sounds like common sense, but I don’t know how common it is.

I mean, I lived through the exchange server zero day that continued happening. We would do investigations completely unrelated to that and still find servers unpatched. So it’s like what, I don’t know at that point what intel you’re actually taking that’s just a giant red flag in your face and not doing something about it. But I agree. I think that people actually scheduling and timelining and making things happen from a remediation stance is the best you can do with it and applicability too. A lot of people are looking at things that, you know, 0 days are going to be up here, but like everything else, they’re not really necessarily learning how to prioritize intel that they receive. Like, why should they care about APT 31 or something? But, but if they really broke it down, like, no, let’s break down what this threat actor group does.Then you can take those TTPs and say, now let’s align it to mitre and let’s actually show you it. Is the likelihood that this specific tactic or technique could impact you? Yes. Are you monitoring for it? Maybe. Are you mitigating it? Maybe. Right?

I feel like a lot of intelligence when it’s translated appropriately so they understand the criticality of it and whether or not to take it seriously. But then it’s fed back into the groups that do general risk analysis that can determine like, oh, yeah, this is totally a high likelihood, and the impact would be really bad. Then you don’t know how to, and it’s just like old school stuff, right? General risk register old school stuff.

But like, they don’t know how to then assign and delegate and remediate it. It’s just you’ve educated a bunch of suits, which is also good. Everyone needs to learn a little more. But, like, actually making it actionable. I mean, I think, I think, you know, we’ve traditionally, as an industry, viewed threat intelligence as more of a reactive, you know, measure. Like, I mean, like a reactive. Something that’s used by the reactive and the response side of the house. But like, you know, it absolutely should be informing your proactive security program as well.

Right. I mean, Jon, I don’t know if you’ve got thoughts there, but I agree. I mean, something that comes to mind is like the Log4J issue. That was last year, the year before. Oh, my gosh. It’s a blur. You’re like, is it bad? Yes. Does it apply to you? Yes. Default? It applies to everyone in a way. Most people, I would imagine there were indications prior to just like, dumpster fire. But, you know, the question then becomes like, how do you, how do you proactively take advantage of that? How do you sift through that and say, hey, this is the thing that we should probably pay attention to before it’s in the news, right?

Well, you bring up an interesting point. You know, I think we had even talked about this in the prep for this, but, like, you know, the ability to share information outside of the government is actually pretty dang hard. I know there’s been, there’s been lots of efforts and maybe you know, maybe the ISACs have been kind of, you know, a forum for that. But I, I’d be curious on your opinion on some of that and where we could get better as an industry for some of that stuff.

You know, I’m really, I mean, I’m impressed with a lot of what CISA’s doing. Infragard. I’ve always been a member and really appreciate the things that they’ve pushed out. I mean, they definitely have five wrong emails for me now, so it doesn’t apply. But. And then everything I learned on Dart because we worked so closely with Mystic and just to put it in perspective, that’s like Microsoft level telemetry of the entire world because we’re all slaves to it to some extent and that those signals were so useful.

But again, from a response perspective, I think threat intelligence, if you look at it traditionally we think information sharing, and I know we kind of talked about this, but that information is often, again, redacted and filtered and educational at best. And big CVE’s, anything that’s scored above ten, obviously you’re going to want to do something about, but it’s not. Again, I just don’t think it’s intelligence that’s curated and useful. So then on the other side of that, we get this marketing world of it on the RSA showroom where you look at technology or you look at services or companies and they’re threat intelligence driven. And I’m allowed to say that because we say the same thing, but we have a function internally. You know, we’re a SOC. But it’s interesting to see certain vendors and certain software companies saying they’re threat intelligence driven, but there’s no context to that of what that actually means.

So I think we have two sides of the coin where it’s being exploited, the terminology is being exploited. And then again, the whole purpose of information sharing, people don’t share information as much as they should between. You see, a lot of them do from like different industries, you know, critical infrastructure, healthcare. But I’m thankful for organizations like CISA, I commend them because they do try to collaborate and get everyone together.

Yeah. And I think something that I’ve noticed in terms of like, you know, the, how publicly available is pertinent information. There’s kind of over the last, since I got into cyber, they can’t remember how many years there’s been like ebbs and flows, so to speak, with information sharing. And I would equate it similar to like red team tooling or like people writing scripts to exploit things for, you know, the intent is to help people get better. And, you know, we’ve seen, like, a rise of man. People are dropping all kinds of tools. Everything showed up. You know, Twitter’s on fire. Like, this is a legit source of, like, how to learn and get better at cyber in general. Same thing with threat intelligence where there’s times where, you know, there’s a lot. There’s times where there’s not a lot.

I have seen more recently a lot of, you know, less information with the CISOs being legally liable for things and, you know, he’s going back into the dark ages and the hackers. I mean, sometimes there’s a lot, sometimes there’s none. Maybe people will care about it when the cyber insurance companies start being like, do you have a threat intelligence program? And how do you analyze the feeds?

Yeah, no, it’s valid. I mean, I think, you know, I mean, I was chatting with another well known person in the industry. I won’t, you know, just say he was very much of the opinion that cyber insurance is going to start driving a lot of the decisions for, in investments, for the, for the security. For security in the, in general moving forward. Right. And I think it’s. I think it’s an interesting note. You know, I mean, I think it’ll be, you know, he definitely has the background and the exposure to the data on the back end that could, could definitely, you know, highlight that. But I think it’s. I think it’s an important aspect of, like, don’t just having. Not just having the information, but what are you doing with it? And if you’re using, you know, if you’re using a product, you know, that, that claims to have threat intelligence, how is it. How is it actually being used to drive the context within your business? Right.

Yeah. How do you take that and disseminate it into something that’s meaningful, that means you made a change or you’re fine and it doesn’t matter. Right, right. Yeah. And that may be the solution long term is because we do see these two gaps and what’s being utilized from a marketing standpoint and what’s actually being done, but yet not shared or filtered down, especially to the verticals that need it the most and the industries that do need it the most that can’t afford a full security team or one security IT team, they can’t even afford an IT team. That is something that, you know, at Blackpoint, we really are focusing more so on is how we work with MSP’s because they do have, they cover so many industries and we’re still teaching them how to just learn security and sell security, but also where threat intelligence fits within that. And that’s, that’s, I think the other bridge that we can create is how do we start influencing the cyber insurance space? Because I promise you, if you walk into net diligence, you’re going to be shaking hands and kissing babies and smoking cigars, but you’re not necessarily going to be hearing threat intel. And it’s like, how do we start incorporating things in the areas where people might care or a starting point at least.

Yeah, yeah, yeah. Similar to, like, PCI, you know, nobody really likes it. Right. But how many places are now doing internal and external penetration testing because of that? Yeah, I’m one of those, like, you should do it because it’s a good idea, but it’s easier to have a stick than words. Yeah, it’s always, I’m always a big fan of, like, doing it because you’re supposed to. I mean, like, because you should, like, it’s a diligent and, like, you know, the, you know, what’s. I mean, I always misattribute who this says, but it’s like, you know, freedom is the liberty to do what one ought to do, not what one, you know, is will. You know, like one wills, right? Like, just, you should do these things. So why, you know, like, like, rather than being told to do it, like, just go do it. But, like, sometimes people have to be told, and that’s just kind of the nature of. Nature of the beast.

But, you know, I, but I agree. I think that, that, you know, continuing to utilize threat intelligence appropriately and, you know, obviously I gave a talk at Wild West Hackin’ Fest a couple years ago around threat informed pentesting. Like, you know how threat intelligence is typically seen in the responsive space, but it can have a lot of value in the proactive space if you use it as part of your testing program. And deriving a continuous framework around it can, can be quite valuable.

But I think as we kind of like to wrap these things up, MacKenzie, I’d love for you to kind of see, like, hey, what are the key takeaways that you would love to like people to know from this talk? Any other things that you’d like to share and then I’ll let Jon, and then we can kind of, I mean, I think the key takeaway is not being scared by the word threat intel. The term threat intelligence, because it often creates this thought that it’s going to be expensive or out of reach. Or you just trust that someone’s doing it for you and that, or it’s unattainable and it doesn’t match security. So I think the first thing is, like, defining threat intelligence is something that is supposed to align with your security initiatives in the first place, and it doesn’t necessarily cost money. It just requires you to have some sort of level of a trusted advisor.

So again, vendors, partners start examining who you work with and how they can offer some sort of education or intel that benefits you in improvements of your security posture. And then also internally, how do you educate the masses on it? And that’s the important part of threat intelligence. Don’t purchase things. I’m really watching my language. Don’t purchase things that sell you threat intelligence. But that’s not their primary business. It’s different if they actually do security monitoring or something or threat and tell, or they have an entire dedicated department towards it, like an MSSP often would. Otherwise you’re getting sold on a marketing thing and then really look at the types of resources that you can lean into that aren’t going to cost you money. And this is me just speaking not as, like, Robin Hood, but definitely on, you know, behalf of what I know, what our customer bases or our downstream customers of our partners are. They. They don’t. You throw in threat and tell, it’s not gonna. It’s gonna overwhelm them.

And then I like what we’re talking about of, like, what does the future of intelligence look like? And this is a shout out to, like, cyber insurance. This is a shout out to the industries that do a lot of redaction or they’re concerned about liability. And where do we go here from information sharing and what it really means to share information.

Yeah, I couldn’t agree more. I think, you know, dipping your toes in the. I’m going to go find threat intel and turn it into information waters. That’s for people whose business is trying to sell threat intel as a service. We should. We should do that, Tiaas. But like, you called out with vendors, like, find trusted partners, people who are going to help you with that. When all you’re trying to do is keep people from getting into your systems and, you know, protect your customers data, you know, unless you have an unlimited budget, you’re probably very well suited to find a good partner or a set of partners where trying to, you know, being an engineer, I could build that. You’re gonna have a bad time. Everyone can build anything, too. It’s just maintain it. Yeah, well, past that.

Hard to say, yeah, and I think just always, you know, like, Jon, when we worked with one of our colleagues, Joe Skeen, who’s maybe someone we need to get on this show too. But, like, and you know Joe as well. Yeah. You know, he always, and I always appreciate about this, but like, you know, he always came back, what problem are we trying to solve, right. Like if you’re going into these waters, what problem are you truly trying to solve? And then, and then start there, you know, with whatever you’re going to use it for. Right. Because otherwise you’re just opening the floodgates similar to like SIM, right. You know, or like, you know, you know, an EDR that may alert on everything.

Right. So I think, I think really taking that to heart of like, hey, what problem are you trying to solve here? And yeah, should likely be partnering with somebody to help you in that journey. But if you are bringing in threat feeds, what are you trying to do? Like, I’m like, I’ll always tell, like, there’s a great use case for it in terms of, like, informing what tests, you know, you should be testing for in your environment in identifying the gaps that these, that these, you know, that these iocs are actually indicating that are happening in the wild. So, you know, being able to use it from that perspective can be very valuable.

But, yeah, don’t, don’t get sucked into. Just, oh, well, this should be the next thing that we do, like, actually work with somebody. Like, help you define, like, what is the path and journey we should be on when we’re using these, this type of technology and, you know, and information and then also being able, being a good neighbor.

I think, I think I always like, like the notion of being able to find forums to share information as you learn it and helping other organizations as well. It truly is a village when it comes to securing our infrastructure and our Mister Rogers approach. I like that. Exactly.

Awesome. Awesome. Well, thanks, Jon. Thanks, MacKenzie. I mean, it’s been a fantastic episode. Naturally, we went, we went about half an hour, which is kind of where we always target these things to go. And it could probably go on for a lot longer.

But, but I really appreciate your insight, really appreciate your time and we know it’s valuable. And so, so with that, if you have any comments, that if you’re listening, if you have any comments, feel free to shoot them into the, into the, into the chat section there in the LinkedIn part. And then, you know, definitely, MacKenzie, feel free to kind of, like, if there’s any other resources for you, like, we’d love to learn about. Yep. Yep. You can. I mean you can find me on LinkedIn of course, but you can absolutely reach out to or explore and maybe not reach out but explore a YouTube channel at Blackpoint Cyber between the Unfair Fight podcast and then my podcast, Return of the Mac.
That’s a very serious name. You can dive. I dive into a lot of security topics but definitely in the MSP space. And I actually think we posted one more recently. I think there’s two out there specifically around threat intelligence. So a little debunking, a little reality check. More content to hear.

Awesome. Awesome. Well, yeah, that sounds fun. It sounds exciting and you know, thanks again. Thanks for joining us. Jon, thanks again for your time. I know it’s super valuable for us, so and for all those that are out there, enjoy the rest of your Friday and enjoy your weekend.
Thanks a bunch.