The Cyber5 Podcast

EP71: Building Your Own Intelligence Program within the SOC and Beyond

Episode 71 | April 27, 2022

In episode 71 of The Cyber5, guest Nisos moderator and teammate Matt Brown is joined by security practitioner Matt Nelson.

Episode 71 | April 27, 2022

In episode 71 of The Cyber5, guest Nisos moderator and teammate Matt Brown is joined by security practitioner Matt Nelson.

In this episode they talk about a recent intelligence blog Matt Nelson wrote about how to operationalize intelligence for the SOC and some outcomes that an incident response team looks for from intelligence. They also talk about how to make intelligence more broadly used for investigations and discuss the intelligence market more holistically.

Here are the 3 Topics We Cover in This Episode:

 

1) Threat Intelligence Augments Threat Hunting in the Security Operations Center (SOC):

Intelligence requirements are critical throughout the business and not just limited to the SOC. Threat intelligence can be a significant help to the threat hunting and detection team. The outcomes that threat hunting teams generally look for are:

    1. Cyber Kill Chain: Analyzing payload, including commands it’s running, attack hosting infrastructure, what ports is the infrastructure using to communicate, etc.
    2. Target Verification: Identifying who and how they are being targeted and for what intent is often missing context when just looking solely at forensics data.
    3. Collection Intent of Attacker: Trying to determine what kinds of data the attackers are aiming for. This is hard to determine simply from forensics data.
    4. Target of Opportunity Versus Targeted Attack: Determining if attacks are targeting the many or the select few is critical for defense strategies. If targeting efforts are directed solely at IT personnel with admin access, that’s more significant than a “spray and pray” campaign.
    5. Outcomes: Outlining detections, protection strategies, and awareness campaigns.

 

2) Evolving Threat Intelligence Beyond the SOC:

Threat intelligence is not just cyber news or indicators of a compromise (IoC) feed. Threat intelligence is useful for insider threat, fraud, platform abuse, corporate intelligence, and supply chain risk.

 

3) Single Data Aggregators for Enterprises (SIEMs, TIPs, MISP) Aren’t the Panacea:

  1. The SIEM is not the greatest place for threat intelligence data because there are too many internal logs that aren’t relevant.
  2. The TIPs are mostly focused externally and good for IOCs and correlating threat intelligence that’s not useful. It’s simply repeating what is already known.
  3. MISP (https://www.misp-project.org/) is open source but can be effective with the right resources. Data modeling and getting the right taxonomy of the data is the most critical.

 

Listen to other podcast episodes

 
Read Transcript

LANDON: Welcome to the Cyber5 where security experts and leaders answer five burning questions on one hot topic and actionable intelligence enterprise. Topics include adversary research and attribution, digital executive protection, supply chain risk, brand reputation and protection, disinformation and cyber threat intelligence. I’m your host Landon Winkelvoss, co-founder at Nisos, a managed intelligence company. In this episode, guest moderator and Nisos teammate, Matt Brown talks with information security leader, Matt Nelson, who runs incident response for fortune 500. They talk about a recent intelligence book Matt Nelson wrote about how to operationalize intelligence for the SOCK and some out comes that an instant response team can look for. They also talk about how to make intelligence more broadly used with investigations and discuss the intelligence market more holistically. Stay with us. 

MATT B: It’s my privilege tonight to be able to sit down and talk with not only someone who I view with great admiration, but also a friend that I’ve known for a few years, and we’re gonna be doing a chat here with Matt Nelson. Matt Nelson and I go back in time about seven years, give or take, at a former employer together. And I’m really looking forward to this conversation with him. Matt has taking a time in the last month or so to kinda put down some thoughts and it really struck a chord within me to be able to talk to him about this. And we’re gonna be looking at tonight, just talking to Matt about the idea of incorporating intelligence within the SOCK and beyond. And so Matt, I just wanna say, thanks for joining us and won’t you give us a little bit of background about yourself?

MATT N: Sure. Yeah. Hey first, thanks for the introduction there. You almost made me tear up a little bit. Yeah. So, you know, again, obviously my name’s Matt Nelson, been doing this InfoSec IT security stuff for quite a long time, feels like, but to cut my teeth, doing IT things when I was in the Marine Corps back in the 90s and in early 2000s and got out and was doing regular IT stuff, IT admin type of things, you know, worked in a bunch of different places, manufacturing, insurance, banking, even did some consulting stuff. You know, was all great experience and eventually landed into doing InfoSec. Back in those days, we didn’t have fancy titles for people that were doing incident response or that type of stuff. These are my opinions and not the opinions of my employer.

MATT B: You know, you just showed your age quite a bit by-

MATT N: Yeah, yeah.

MATT B: Expressing some of those things just to keep that very real.

MATT N: That’s right. Yeah. Well, it happens to everybody, right?

MATT B: Well, to the best of us, for sure. It’s like wine, right? We’re just getting better as we get older. So I wanna ask you a few questions in scope of the article that you posted there on LinkedIn. And I wanna start off with the first question is dealing with incorporating intelligence into an overall security architecture or, you know, an existing suite of tools. Why don’t you provide a background and kind of a library where you think the community, maybe the organizations where we’re lacking as endeavor?

MATT N: The original article that I wrote was fairly short, but started out writing it because I’d had some years and years here now of having cyber threat intel teams, you know, some better than others and not to say that they were bad, but you know, they had different varied missions that never seemed to have the cyber portion for instant responders and SOCK people and threat hunting people kind of at the forefront, right? You know, that article is called “Build Your Own Intel to an Extent.” Because I guess the way I look at it is that’s a mission that is missing, you know, from those cyber threat intel teams, I think, ’cause they get sucked into doing things like the business strategy support side, which again, it’s a great thing, right? And better for the organizations to have that, but where they really falling short in supporting the IR and SOCK and threat hunting and you know, even those threat detection teams is, you know, providing them intel and context when it came to attacks and threat actors.

MATT B: So I’ll put a little bit on a spot, just kinda ad hoc question because I think a lot of our listeners will get a kick out of this, especially those who’ve been around within the business long enough, but you had a, one of my favorite terms that I still hold dear to my heart when describing threat intelligence or cyber intelligence, threat intelligence is always a funny term for things for me. But if you call that unicorn sparkle hunting, what made you translate thread intel into that fantastic also known as

MATT N: Well, you know, like I said, the missions that they were supporting, they were probably doing a great job, but again, it was at a probably at a peak of frustration for me or, you know, at least with certain parts of that industry, because they weren’t really supporting me in a threat hunting role. You know, I was having to do a lot of that work myself and honestly there were things that I could have supported them with as well. And we can go into that stuff later, but there should have been some greater tie-ins there with the overall function for the threat detection side cyber wise.

MATT B: Yeah. You know, it’s not just cyber, that’s an issue even in traditional, you know, intelligence community, in my opinion, where the high and mighty intel folks think they have it all and we forget that there’s guys who actually need that information to be pertinent, you know?

MATT N: Well, yeah, you know. You could tie it into conversations about overreliance on SIGINT, overreliance on the human side of it. There’s gotta be a balance there.

MATT B: I agree. So thinking about this, using your examples that you provided in article, starting with email and who is being targeted, what kind of outcomes are you looking to generate?

MATT N: Well, it’s a huge one. So there’s a bunch of different things you can support there, but off the top of my head, when you start looking at the attack chain, just the basics of that, to be able to support your SOCK team were threat hunters in your detection teams as well is how is it being delivered? What’s the payload? If the payload’s a dropper, you know, what is that dropper pulling? How does it do it? Commands that it’s running? What’s the infrastructure look like that the attackers are hosting this stuff on and then communications all that sort of thing. Right? So just that basis, we wanna get that sort of thing. But now you can back that up, and start looking at it from a little bigger picture and we start talking what I think is maybe threat intel, looking at that envelope as a wrapper and reading that, who’s being targeted? Sometimes that can be an important piece of that aspect because now you can maybe determine intent, you know, how are they being targeted? Is this anything from trying to send attachments to links to maybe it’s more of a social aspect, you know, how are they being targeted can tell you things about your attackers. And again, I go back to what the intent is of the attacker, but once you start looking at who’s being targeted, how they’re being targeted, can you determine what they’re after? Are they just after system access? Are they just after credentials that applies to a lot of what the intent is and that can help guide your detections, guide your protections and even awareness campaigns. The other things is, are you the only one in your industry seeing these attacks or is this a big commodity campaign?

MATT B: Heaven forbid we share with others in the community. Right?

MATT N: Right. Right. But on one hand, you’re seeing this big, huge commodity campaign. You’re probably less worried to an extent, but if you’re seeing it sent to five people in a very small campaign, and again, depending on the other conditions of that attack that could be telling. That’s more of a targeted, targeted has a lot of connotations, but targeted at your organization and your people.

MATT B: So you talking about targeting, you’re not talking about, you know, the vernacular spear fishing or anything like that. You like to look at it even at the level as Bob Smith and accounting being targeted at a specific date at the end of the month, things like that.

MATT N: Right. You know, this steps into another aspect that I think that organizations need to look at from a broader scale too, is we always talk about the VIPs, right? It’s always the CEOs, you know, all these folks, but I like to at it more from a risk standpoint, who has the real power of the organizations? And again, this all depends on the attackers, what they wanna do in your organization. I’d target IT people.

MATT B: Oh, yeah.

MATT N: You target those people that probably have admin access on systems. If, again, your goal or your intent is to get into the systems and do that sort of thing. If I’m going after money, who do I go after? I probably go after the comptroller types, the folks that handle the money, maybe attacking the CEO isn’t the direct line you take, but you go after their assistants, their secretary, ’cause they probably have all the information.

MATT B: Oh, in my experience, thus far outside of, you know, the private sector and working for the vendor side is these CEOs just let their admins have everything, passwords, all their personal email passwords. It’s amazing. I agree with that for sure.

MATT N: So if I am an intelligence organization collecting on another organization, another target, that’s a different aspect when we start talking about VIPs and how you rate those, because now I can start putting those people in lists and I can now start going, okay, I’m seen these type of attacks to these people. And if I see an instant pop up with one of their user IDs, that makes me shift my focus and my response a little bit.

MATT B: Yeah. Yeah, for sure. Thinking about this just a little bit, your background has been fairly heavily focused in SOC and an incident response. I know this from experience cyber intelligence, I’m finding it being shoehorned inappropriately sometimes. We just look at it very tactically. It’s in the SOC and IR, but thinking about holistically, the strategic and operation side of intelligence too, do you think the outcomes stop in the SOC? And how does it move beyond the SOC?

MATT N: Obviously, you know, that’s my realm. So I really focus on that piece. But when we start looking at and shift to that threat hunting side and it depends on the organization. You know, threat hunting can be close to the SOC or close to IR vice versa, but you start looking at insider threat things. You start looking at fraud events. I don’t remember who said this one time, but they talked about, you know, everybody talks about insider threats. What is a compromised account? The account that is compromised or you know as an insider threat, because that’s an account that lives in your organization, it’s probably valid and has access to valid data shifting to that kind of aspect, it can support things like that insider threat type of thing, and the fraud things and shifts into that sort of stuff. But from the threat hunting landscape CTI should be well embedded into that probably even more than the SOC, I think, because that ends up being a lot closer to that type of pre-notification, knowing what your attackers are doing and you know, and things to look for.

MATT B: Do you like the terms threat intelligence? Do you like that term? What’s your opinion of… ‘Cause that’s what we’ve used. How long we been using threat intel now, whenever it became a sexy term for it to be thrown out there, do you like the term, or could you see it changing in morphing and maybe evolving?

MATT N: I honestly don’t have a problem with it. I don’t even have the problem with the word cyber, but, you know, the problem is if you’re going to do it, I mean, if that’s what it’s called, you gotta do it. It’s more to me then what I’ve seen and I don’t know if I touched on this previously, but it’s more to me than, you know, an IOC feed or a cyber InfoSec news regurgitation when it comes down to it. That’s not cyber threat intel.

MATT B: Right. Well, that’s what it’s become in many cases. Here’s your cyber intelligence brief on X, Y, Z. And it’s, you know, a CNN article, it’s like that doesn’t help you. It doesn’t help you as a threat hunter at all.

MATT N: Right. Now I’ll switch sides here. I’ll play the devil’s advocate. I could see where that helps, you know, maybe regular IT and maybe non-IT business folks. They don’t have the time, they aren’t embedded in that IT security, InfoSec realm. There’s people that are in InfoSec that aren’t in it. They don’t follow Twitter, they don’t follow the news in IT and good for them. But in certain jobs you gotta stay on top of things and I’m sometimes maybe threaten help that.

MATT B: I actually follow into that category. I think there’s something there to that particular notion where you can take those articles and remove the flood. And just get to what is really saying and kind of just helping people who are not nerds like us, if you will, just become situationally aware of really what’s going on. And I do believe in that and I believe that is a huge portion of the cyber intelligence spectrum.

MATT N: I take the example of, you know, like ransomware events. Right? Okay. Great. Ransomware group, a, attacked another company. Okay, great. But we got that. Now tell me the novel pieces that we don’t already know. Maybe repeat the things that we should already know, but gimme the novel pieces that I can now use for that direction finding capability. Like I can start putting my threat detection so I can tweak my EDR. Maybe I can tweak some logging here. Maybe I can tweak my SIEM or SIEM depending on how you say it. But we can tweak some things there to be able to catch that. I can go back to my EDR and make sure that, you know, we have those detections or we can at least record that now that we know about it.

MATT B: That’s a good segue here to kind of the next round I’m gonna fire at you. And this is always a very interesting conversation to have with those in the industry. I’ll start off with the first one, because you mentioned a bunch of different, you know, tools and tools that need data. At the end of the day they need data. Let me ask you, what’s been your strategy for putting all the data in one place?

MATT N: Well, so I’m particularly sensitive to this because I’m kind of in that middle place right now, ’cause I’ve been doing threat hunting, right? I don’t particularly want all the logs. I want specific logs and I want specific data from those logs. So in most places that SIEM is not the greatest place for that, because what’s gonna happen is I’m doing threat hunting and I’m gonna have gobs and gobs of other garbage I have to search through or it’s not parsed correctly or this or that. Then the other side of that is, you know, from your incident response teams and from outside sources that again, cyber threat intel should may be handling for me. There’s stuff that I call… I’m still trying to figure this out. I don’t wanna call it threat data ’cause I think it’s more than data, but it’s the type of data that, you know, you purposely have collected either from outside or you collect it from your own case data, you collect it from your own malware ingestion pipeline, that type of thing where it’s not a marker, right? It’s not an IOC. You can’t just go this hash equals this. It’s things like, oh, the Astaroth malware uses bits admin to download things and they do it in this fashion. If you can mark that stuff down and it’s searchable or you can utilize that for things like in your detections and things. That’s what I consider threat data. Now, I don’t think a TIP is the place for that. The TIPs that I’ve seen, again, they’re focused a lot externally. They really don’t fit that bill, I think for threat data that I produce internally or some things that I get from externally. They’re really good on IOCs, they’re really good on some fluff that I don’t think you can really use in a machine fashion either. Best I’ve seen is actually . It’s a bear cat though, right? It’s a bear cat to run. But I think if you spend the time and honestly, where you should spend most of your time is your data models, figuring out what you’re gonna record, how you’re gonna record it, your taxonomy, I would buy that in a heartbeat if someone made it something simpler like that and get away from most of the TIPs that I’ve seen.

MATT B: I think the idea was really, you know, solid the idea of a threat intel platform, but it was just an implementation and then just the morphine of whatever it’s turned into. A lot of times what I’ve seen in TIP it’s just what we just talked about just a little bit ago. It’s just regurgitating something that someone’s already put out there, right? It’s just completely repeating the same garbage over and over again. And then that just gets multiplied throughout the industry.

MATT N: Well, you know, if I was gonna take a step back here and think about, you know, that type of data, it’s not necessarily one singular place. And I think that’s the problem we face is we think it has to be in one singular place. Again, I just recently wrote an article on our building a malware ingestion pipeline. I’m gonna plug that article. But the thing is, is that’s just a source of that type of data. You can have that data disparately. You can have it in your case data, which I’m gonna be writing another article on, but you know, your case data can be a data source. Your MIP can be a data source. Your TIP can be a data source. All these different things can be their own data source and you don’t have to slam ’em all together, but you gotta have a glue there somehow in one place that can handle the taxonomy. If those products can’t do it, there has to be a glue place that can handle taxonomy and labeling and tagging. And you know, doing things like that, which you know, could be a SOAR. SOAR products nowadays can do that for you to an extent. I would never consider it as a repo, but I’ve seen some that are getting there.

MATT B: You just broke the heart of every single SecDev right now that’s working on a data lake internally at an organization. Way to crush their dreams.

MATT N: Well, hey, data lakes can work.

MATT B: Well, singular one is what I’m talking about there. Right?

MATT N: Yeah, yeah.

MATT B: That’s all they’re doing.

MATT N: Right. Right. You know, they can work, but you gotta have ways to organize that data and take it. And that’s where the real work comes in.

MATT B: Yeah. So what do you think, is intelligence a service or a product or product size service in your opinion?

MATT N: I think it could be both. Again, that’s why I was talking about our cyber threat intel teams. They provide services, but you know, for us on the tactical side of cyber, we need a product from them. ‘Cause there’s gonna be a point where our cyber threat intel people are gonna have to be cyber people, not just analysts. And they have to understand the product that they’re putting out and giving to a detection type folks, because that’s the difference sometimes. And I would take it to this step, our cyber threat intel people should know the organization. They should know the systems we’re running just as much as my incident response and my threat hunters and my SOC people, like what applications do we have out there that maybe are utilizing product day. They don’t have to know all the ins and outs and they don’t have to know the vulnerability levels and all that stuff. But what I’m saying is they should probably have awareness of that, hey, we’re running, you know, Bob’s vulnerable web service.

MATT B: Do you need to having good idea of their battle space is what you’re saying?

MATT N: Exactly.

MATT B: Imagine that, if you don’t know your battle ways, you don’t know who you’re gonna shoot. Right? I agree with you. There’s a little bit of both, right? You did hit on something. I wanna just ping you real quick on this ’cause it’s something that’s interesting to me. You said analysts need to be more than just analyst work. They need to be cyber. Do you think, and you can say this ’cause you’re getting older now. So it’s okay. People just think you’re cute ’cause you’re getting old. Do you think our industry is really struggling with that overall, that you know, the real sexy thing to do now is cyber. It’s cool to be in there. Obviously, it’s gonna be something that kinda like healthcare. It’s a good industry to get into. But do you think they’re lacking in certain skills right now? And what I mean by that is our colleges and our universities are really struggling to catch up with the idea of getting degrees in cybersecurity. I saw that for a little bit myself and then I would get students, even in my own classes who would ask me, “How can I get a cyber intelligence job at X, Y, Z company?” And they’re working on their bachelor’s degree. And I would look at ’em and go, “Go apply and be a help desk minion. That’s how you start.” So do you think we’re kind of struggling in that area?

MATT N: It’s across the board, right? Is how do you break into that cyber security realm and things? You know, back in the day it was you did admin work. There wasn’t a security job per se. When I started out in security, it was, you were an information security engineer and you did all the things. You did security reviews, you did security design, you did incident response. Some folks would do forensics. But back in those days, a lot of forensics was more for really HR focused type of things, super secret squirrel things. But you did all of that. They didn’t have separate IR and separate SOC and all these things. It was everybody doing all the same things. So I think there are people that are smart enough that even if they aren’t cyber people can pick that up. I mean, I can pick up and do some woodworking. I’m not really great at it, but I can do it. I understand some of the concepts and things like that. And with the right tooling, I could probably be even better, but I’m never gonna be a carpenter probably not without years and years of doing stuff, you know, just like being a plumber. I mean, I can fake it and I can do some copper tubing and things like that, and I’m still not gonna be a plumber. I think you have to spend a little bit of time in IT before you can really be great and do things in security.

MATT B: Absolutely. Yeah, I agree with you, Matt, and not to minimize those who are trying to get in, that is not what I was trying to get at, ’cause I agree with you. I’ve always looked at it from a perspective of I’d much rather have aptitude and pedigree, because I love the email signature box with, you know, the 17 certificate people have gotten and good for them. Absolutely glad that they could do it, but I would much rather have someone who has the passion for security and the passion to go learn and then take the time. And maybe that’s for another podcast where we could talk about something like that. But I think about it in lieu of what you’ve said about the intelligence work.

MATT N: Yeah, absolutely. I mean, and that’s the thing. I think there’s a lot of a really smart cyber… Well, there’s a lot of smart intel people and they’ve been really smart people, but they don’t understand the entire picture of their own organization and what we’re running and how things work. So I think spending some time in the trenches and understanding that stuff would help ’em a lot.

MATT B: Yeah. That work is pain in a butt, but it definitely comes in long-term for you in your career. So, man, appreciate your time.

LANDON: For the latest subject matter expertise around manage intelligence, please visit us at nisos.com. There we feature all the latest content from Nisos experts on solutions ranging from supply chain risk, adversary research and attribution, digital executive protection, merger and acquisition diligence, brand protection and disinformation as well as cyber threat intelligence. A special thank you to all Nisos teammates who engage with our clients to conduct some of the world’s most challenging security problems on the digital plane and conduct high state security investigations. Without the value the team provides day in and day out, this podcast would not be possible. Thank you for listening.