Operational threat intelligence leans on facts, less anecdotal evidence

Dive Brief:

A company must understand its unique requirements — such as industry, internal infrastructure and threats of interest — before the security operations center (SOC) can gather or understand adversary intelligence, according to Robert Lee, co-founder and CEO of Dragos, during a virtual Accenture OT summit Wednesday.
Companies have to outline high level, functional and capability requirements of what they want to see before coming up with a plan to secure it, according to SANS Institute. But Lee argues vendors cannot do that for them. "I fundamentally believe that most security professionals have no idea what intelligence is, and they're getting used to vendor feeds," said Lee. An indicator feed, the stream of threats or hints of compromises, is not intelligence but the "exhaust fumes of an intelligence process."
In operational technology (OT), threat intelligence should begin with an understanding of existing, "ground truths" of threats, said Lee. Those will shape the resilience and preparedness of security systems, which eventually can extend to the unknown.

Dive Insight:

Threat intelligence is based on data that organizations have already collected from previous threats or cyberattacks. It's not engineers placing themselves in the shoes of a potential attacker because the engineer has "a lot of insights into this company that the adversary doesn't," said Lee. It matters what the adversaries are already doing.

Operational threat intelligence narrows the scope of an advanced persistent threat's nature, intent and timing of a specific attack, according to Recorded Future. "In many cases, however, only partial context can be obtained."

Though limited, operational threat intelligence is still a powerful tool for thwarting likely attacks as anecdotal analysis begins to move toward facts. "As we get those insights, we start engaging more of an instant response when things happen to go wrong," which then shapes incident response measures, said Lee.

While it's an important component of a mature SOC, threat intelligence is not the solution for basic security hygiene, said Zachary Tudor, associate laboratory director, national and homeland security directorate, at the Idaho National Laboratory, during the summit.

Like other security solutions and threat intelligence, most organizations' SOCs are not mature enough to use them, according to Tudor. Those organizations may not be able to understand threats exactly as Lee recommends; it goes beyond what they know about their own environments, he said.

Companies should at the very least get to a place where they are capable of consuming threat intelligence and can understand its timing. Because incidence response is part of the intelligence loop, any gaps between detection and response can be catastrophic.

Intelligence in OT attacks is growing, but compared to intelligence collected in IT, it's significantly smaller, said Jason Holcomb, security innovation principal director of OT security at Accenture, during the summit.

"That's not to say that one is going to totally supersede the other — we need both," to understand an APT's tactics, techniques and procedures (TTPs) across environments, said Holcomb. In OT SOCs, making the leap from anecdotes to reality, comes back to knowing a company's unique requirements.

"It's one thing to hear a story about what happened in Ukraine, or what happened somewhere else," and a SOC knowing how those same actions could happen in its company, said Holcomb. From there, the SOC should be able to have visibility to understand the TTPs used or where action is needed.