In episode 48 of The Cyber5, we are joined by Rick Doten. Rick is VP of Information Security at Centene Corporation and consults as CISO for Carolina Complete Health. We discuss shifting the operating model of threat hunting and intelligence to a more collaborative model, “think globally and act locally.” We then dive deep into the critical intelligence analysis elements for collecting and analyzing the vast array of internal and external network data to prioritize network protection. Finally, Rick makes an argument for the outsourcing of an intelligence function as a viable model.
Here are the 5 Topics We Cover in This Episode:
1) Security Operations Integrating with Cloud, Applications, and Mobile: (01:00 – 06:00)
Security operations involve integration with key elements of the business such as the cloud, applications, and mobile teams. Risks to a container are much different from those to a server, and they force security operations to integrate with many teams, especially in large enterprises. This integration guides how we protect proactively with alerting and reactively with incident response.
2) Using Intelligence Analysis with Information Security Data Collection: (06:00 – 08:52)
Intelligence includes tracking specific campaigns of threat actors, their intentions, and their capabilities. Intelligence analysis in information security means linking the human to the malicious act. For example, suppose a criminal threat actor uses email phishing and credential harvesting. In that case, the data collection model and instrumentation will differ from those used to look at actors who use exposed RDP or take advantage of supply chain risks. They will also be very different from those needed for a nation-state actor who is known to go “low and slow” and persist in 10 different places in a network.
3) Value of Attribution and Communicating to the Board of Directors: (08:52 – 13:26)
The mindset of focusing only on keeping the confidentiality, integrity, and availability of information safe, without attributing the threat actors or building appropriate threat models, is becoming antiquated. Understanding the human who perpetrated the act is critical. Their job is to break into a network and collect data and/or monetize it. Attribution used to be easier in the defense industrial base because cleared environments exist there for information sharing; however, sharing is becoming more efficient elsewhere through Information Sharing and Analysis Centers (ISACs). Boards of Directors understand competitors stealing intellectual property, so framing cyber threats in the same vein is the most productive way to get them to understand the importance of nation-state espionage or cyber criminals.
4) The Right Way to Do Threat Intelligence: Think Globally, Act Locally: (13:26 – 24:00)
The most important threat intelligence is internal network telemetry. The wrong mentality is to buy threat intelligence feeds and load their indicators of compromise (IOCs) into a security tool like a SIEM. This results in tremendous workloads with few results, because capable threat actors change their indicators constantly. Instead, it’s important to get timely, actionable, and relevant finished intelligence on actors and their campaigns, not raw data or information. Finished intelligence might mean reviewing the technical methodologies of Russian GRU (or REvil ransomware) actors and identifying behaviors that can be detected internally on the network.
At the highest level, attack campaigns assign individuals to attack one particular company and steal or monetize something very specific. After gaining this intelligence, a security team can “dogpile” with the different entities of the business (SOC, applications, IT, development, mobile, etc.) to hunt and defend: “think globally, act locally.” Threat intelligence could certainly be outsourced, especially for companies that are not in an industry with an ISAC.
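To make the feed-versus-behavior point concrete, here is an added example (not from the episode or from Rick) that runs a stale IOC list and a behavior-based rule over the same constructed authentication telemetry. The IP addresses, account names, and log events are all made up; the rule models the exposed-RDP pattern mentioned earlier, where repeated failures from one source are followed by a success for the same account.

```python
"""Added example: IOC matching vs. behavior detection over internal telemetry.
All indicator values and log events below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed IOC feed: infrastructure the actor was seen using last month.
IOC_FEED = {"203.0.113.10", "198.51.100.7"}

# Constructed authentication telemetry: (time, user, source IP, protocol, result).
# The actor has rotated to a new address, so nothing here matches the feed.
EVENTS = [
    ("2024-03-01T02:00:01", "jdoe", "192.0.2.44", "rdp", "fail"),
    ("2024-03-01T02:00:03", "jdoe", "192.0.2.44", "rdp", "fail"),
    ("2024-03-01T02:00:05", "jdoe", "192.0.2.44", "rdp", "fail"),
    ("2024-03-01T02:00:09", "jdoe", "192.0.2.44", "rdp", "success"),
    ("2024-03-01T09:15:00", "asmith", "10.0.5.20", "rdp", "success"),
]


def ioc_hits(events, feed):
    """Feed mentality: flag only events whose source IP is on the IOC list."""
    return [e for e in events if e[2] in feed]


def rdp_spray_then_success(events, min_failures=3, window=timedelta(minutes=5)):
    """Behavior rule: at least min_failures RDP failures from one source, then a
    success for the same account within the window. This fires on the technique
    itself, whatever infrastructure the actor is using this month."""
    hits = []
    failures = defaultdict(list)  # (user, src) -> timestamps of recent failures
    for ts, user, src, proto, result in sorted(events):
        if proto != "rdp":
            continue
        t = datetime.fromisoformat(ts)
        key = (user, src)
        if result == "fail":
            failures[key].append(t)
        elif result == "success":
            recent = [f for f in failures[key] if t - f <= window]
            if len(recent) >= min_failures:
                hits.append((user, src, ts))
            failures[key].clear()
    return hits
```

On this telemetry the IOC lookup returns nothing, while the behavior rule flags the jdoe login from 192.0.2.44; the feed would need to be refreshed every time the actor moves, the rule would not.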
5) The Hardest Part of Intelligence Analysis: Determining Targeted Attack Versus Commodity: (24:00 – 31:00)
The hardest part of intelligence is being able to quickly identify whether an attack is targeted or commodity. An actor who persists on Active Directory and the domain controllers is much different from one who wants to exploit a bug in a cloud application or mobile application. Security teams with minimal visibility gaps in their internal network telemetry, which lets them quickly detect these differences, are what separates mature security teams from less mature ones.