Nothing like starting off the day with a topic that I'm passionate about. Earlier this morning a colleague asked me to weigh in and give my opinion. Pre-caffeine induced decisions led to the creation of today's blog post.
To say that there is a divergence when it comes to commercial Threat Intelligence services is like saying the battle on the gridiron between Ohio and that state up north is "just a silly little game."
Threat Intelligence, in the commercial sector, is relatively new. We hear and see vendors use the terms "intelligence" and "information" interchangeably. The resulting confusion around precisely what Threat Intelligence is has allowed a number of vendors to loosely define what "Threat Intel" is and how they position their service offerings to potential clients under these ambiguous terms. Often this turns into what I call "a list of bad" that, when challenged, the vendor defends with "Trust me, it's good."
So let's talk about threats for a minute, currently the most abused and misunderstood word being slung around by vendors. For a threat to be credible, three dimensions must align:
- Motive – an adversary wants to do something against you,
- Means – the adversary has the skills and resources to act against you, and
- Opportunity – a vulnerability must exist, the proverbial "weakest link" which allows a motivated adversary with adequate means to act against you.
This should come as no shock to anyone, but we have no ability to influence the Motive or Means of an adversary; try as we might, we just can't do it. Opportunity, however, is the only one of the three we have any say in or ability to influence. We had best ensure we are on top of that one, or we could be having a bad day.
Why is this important? Because lacking context, we do not have a clear understanding of the threats that face us. We must have context and perform some analysis in order to see if an opportunity exists which would provide an adversary a way in.
Now, I don't want to get off on a rant here…
Let's take a look at the recent disclosure of the Microsoft Internet Information Server's HTTP.sys vulnerability:
Netcraft reports that at least 70 million websites are vulnerable – wow! 70 million websites vulnerable!! Okay, so what does that mean when there are 849,027,856 websites at last count? (Netcraft Web Server Survey April 2015) If my pre-caffeine induced mathematical calculations are correct, that's roughly 8.25% of websites.
Now that sounds like a large, scary, monstrous threat looming out on the horizon, doesn't it? HTTP.sys, 70 million websites vulnerable! Fire and brimstone coming down from the skies! Rivers and seas boiling! Forty years of darkness! Earthquakes, volcanoes, the dead rising from the grave, human sacrifice, dogs and cats living together… yup, basically mass hysteria!
Well, what if you're running Apache, lighttpd, nginx, or GWS? Is it still a threat? More importantly, is it a threat "to you?"
No, no, we're all good, you assure management. We run the latest and greatest Apache servers. We don't have any IIS systems in the environment, let alone connected to the Internet. We're not impacted, problem solved, all is well in the world again, and I can get back to important things, like… you know, metrics, key risk indicators, and other indicator based yummy goodness.
But wait, there's more! Let's dive a bit deeper into the information available; we may not be off the hook quite yet.
Well, this seems a tad odd: Windows 7, 8, and 8.1? Those are desktop operating systems!? I don't know of many people who run a desktop OS as their production Internet facing web server, but hey, I've been wrong before.
You know what they say, "Devil's in the details," and here it looks like yes indeed we may have a threat, because we just upgraded from Windows XP and are now running Windows 7 Professional.
Looks like we're going to have a long night scheduling patches, because it appears this is now a credible threat to us after all.
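The "is it a threat to me?" question above is really an Opportunity check: the advisory only matters where the affected component actually lives in your environment. The following is an added example, not code from the original post; the advisory identifier, inventory and product strings are constructed placeholders. It contrasts the first-pass triage ("do we expose IIS?") with triage that matches on the affected platform regardless of a host's role, which is what turns up the freshly upgraded Windows 7 desktops.

```python
"""Contextualising a vulnerability advisory against an asset inventory."""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class Advisory:
    title: str
    affected_component: str            # the vulnerable driver/service
    affected_platforms: FrozenSet[str]  # operating systems that ship it

@dataclass(frozen=True)
class Asset:
    hostname: str
    platform: str                       # operating system
    components: FrozenSet[str]          # installed server software
    internet_facing: bool

# Constructed advisory modelled on the HTTP.sys case; the id is a placeholder.
HTTPSYS = Advisory(
    title="HTTP.sys remote code execution (ADVISORY-ID-PLACEHOLDER)",
    affected_component="HTTP.sys",
    affected_platforms=frozenset({"Windows 7", "Windows 8", "Windows 8.1"}),
)

# Constructed inventory: an Apache/nginx web tier and a desktop just
# upgraded from Windows XP, exactly the situation described in the post.
INVENTORY = [
    Asset("web01", "Ubuntu 14.04", frozenset({"Apache 2.4"}), True),
    Asset("web02", "Ubuntu 14.04", frozenset({"nginx 1.6"}), True),
    Asset("ws-042", "Windows 7", frozenset({"Office 2013"}), False),
]

def naive_triage(adv: Advisory, inventory: List[Asset]) -> List[str]:
    """First pass from the post: 'do we run IIS on the Internet?'
    Only considers Internet-facing hosts running the named web server."""
    return [a.hostname for a in inventory
            if a.internet_facing and "IIS" in a.components]

def contextual_triage(adv: Advisory, inventory: List[Asset]) -> List[Tuple[str, str]]:
    """Opportunity exists on any host whose platform ships the affected
    component, whatever its role. Returns (hostname, exposure) pairs so
    the patch schedule can be prioritised by reachability."""
    hits = []
    for a in inventory:
        if a.platform in adv.affected_platforms or adv.affected_component in a.components:
            hits.append((a.hostname, "external" if a.internet_facing else "internal"))
    return hits

def is_threat_to_me(adv: Advisory, inventory: List[Asset]) -> bool:
    """Motive and Means are the adversary's; this is the only dimension we own."""
    return bool(contextual_triage(adv, inventory))
```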
So, after all that, we are back to the beginning. I was asked to weigh in on the comment that "Sharing IPs is not Threat Intel Exchange." My opinion: this is a true and accurate statement. The simple act of sharing or possessing raw data does not equate to intelligence. Now, there is still potential value and gain in leveraging raw data (that's another blog post I'm working on), but raw data is not Threat Intelligence.
Just so I'm not misunderstood: you cannot have intelligence without understanding. You can only gain understanding through the process of analysis, in the context of your environment.
Sadly, this is not always the case. What we are seeing are vendors who are pushing IP addresses, domain names, and hashes and calling it (and successfully selling it, I might add) "threat intelligence." I have to call "BULLSHIT," predominantly because I have been advised by legal counsel not to use terms like "fraudster," "charlatan," "grifter," "swindler," "impostor," "con man," or "scammer," but honestly because raw data, without context and analysis, IS NOT Threat Intelligence.
If you are a vendor hawking IP addresses, domain names, and hashes as Threat Intelligence and do not offer the context or insight into how the information was analyzed, you're of limited value to me, and at best you're another source feed.
Remember $VENDORS, when you start talking threat intelligence, be prepared to answer the question "Why is it a Threat to me?"
P.S. $VENDORS: Do not use terms or phrases like "proprietary," "exclusive technology," or "our tool says." For the love of all that is holy and sacrosanct, we get that you have a number of sensors all over the globe; we know you're running honeypots to collect the data and running it through a tool of some sort. What we want is to understand how you went from raw data to Intelligence.
P.P.S. $VENDORS: If you can't answer that question, maybe you should come to one of the upcoming Threat Intelligence training programs: @CircleCityCon June 12th in Indianapolis, IN, and ISACA International's CSX 2015 Summit October 17-18th in Washington DC.
Trust me, it's good.