The Operational Case for an Intelligence-Driven Security Program (Part 2 of 2)
From an operations perspective, there are a few key points where enterprise security can benefit from threat intelligence as a platform. In my previous post I discussed prevention and detection, and why they are critical to your security program. In this post I will focus on the final operational aspects of threat intelligence: response and recovery.
It is no secret that many security operations teams struggle with meaningful response. Identifying an infection in progress is a paralyzing feeling, especially when security operations doesn’t have a clear response plan and operational cooperation from the broader IT and business functions. Furthermore, in low-maturity organizations, response tends to take the form of a vendor-tools-based remediation attempt or the dreaded “reload the system” directive. Anyone who has simply wiped infected systems quickly learns why this approach is so wildly unpopular from a productivity and business-service standpoint. Beyond the massive loss of productivity, the responder has no guarantee that there are no secondary infection points, or even that the wipe-and-reload worked.
It is here that we look to threat intelligence for what is termed purposeful response. This means being able to identify the infection vector with enough supporting information and certainty that the responder knows exactly how to respond. When the infection vector is malware that slipped through the prevention capability, a determination can be made to simply remove all of the infection components and monitor for further signs of intrusion. When the offending binary is identified as a component of a broader campaign or attack pattern, it may be necessary to mobilize a much larger response and hunt through internal systems that did not exhibit signs of initial infection, to find where the attacker may have gained additional footholds and spread.
Response must be proportional to the attack. Treating every incident identically is not effective and is a tremendous waste of resources. It’s the nuclear option, every time, because we simply don’t know any better. Operational incident response benefits tremendously from threat intelligence capabilities, both in operational understanding and in timely information shared by peers who are perhaps fighting the same adversary or attacker.
Recovery goes hand-in-hand with response, and threat intelligence supports recovery as much as it does response capabilities. Recovery isn’t just about removing the threat vector from the system and moving on. Intelligent recovery gives us insight into how to advance our defenses – whether that is prevention, detection, or response – to be more secure.
Recovery is effectively closing the loop, from identification of a threat, to its removal, to fully recovering to an operational steady state. Some of the lessons learned from previous recovery operations include things like removing Internet access from certain systems that (necessarily) run ancient versions of the Java runtime, and blocking “unclassified” web sites in forwarding proxies.
Recovery feeds prevention by helping build better early-warning and blocking capabilities, detection by providing more indicators and signatures, and response by identifying shortcomings in processes and tools. Recovery is a critical step that is fed by both internal and external threat intelligence, and it transforms internal tribal knowledge into actionable and shareable information.
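The following is an added example (not code from the original post) that puts the purposeful-response and closing-the-loop ideas above into a small triage routine: observed indicators are enriched against a threat-intel feed, a campaign hit escalates the scope to an enterprise hunt for the campaign's sibling indicators, and anything the feed did not know about is emitted as a recovery output for detection. The feed contents, campaign name, hashes and hostnames are constructed placeholders.

```python
"""Intel-driven triage: size the response and feed new indicators back to detection.

Added example, not from the original post. The feed, campaign name, hashes and
hostnames below are constructed placeholders, not real indicators.
"""
from dataclasses import dataclass, field

# Constructed threat-intel feed: indicator -> campaign it is attributed to.
# Indicators attributed to no campaign are treated as commodity malware.
INTEL_FEED = {
    "sha256:aaaa1111": {"campaign": "CAMPAIGN-A", "type": "dropper"},
    "sha256:bbbb2222": {"campaign": "CAMPAIGN-A", "type": "implant"},
    "c2.example-a.invalid": {"campaign": "CAMPAIGN-A", "type": "c2"},
    "sha256:cccc3333": {"campaign": None, "type": "adware"},
}


@dataclass
class ResponsePlan:
    scope: str                                   # "contained" or "enterprise_hunt"
    campaigns: set = field(default_factory=set)  # attributed campaigns seen
    hunt_for: set = field(default_factory=set)   # sibling indicators to search for
    new_detections: set = field(default_factory=set)  # feed back to detection


def plan_response(observed: set) -> ResponsePlan:
    """Enrich observed indicators against the feed and size the response.

    A known-campaign hit escalates to an enterprise hunt for the campaign's
    other indicators; otherwise the plan stays a contained host-level removal.
    Indicators absent from the feed are new intelligence produced by recovery.
    """
    plan = ResponsePlan(scope="contained")
    for ioc in observed:
        entry = INTEL_FEED.get(ioc)
        if entry is None:
            plan.new_detections.add(ioc)  # unknown to intel: recovery output
            continue
        if entry["campaign"]:
            plan.campaigns.add(entry["campaign"])
    if plan.campaigns:
        plan.scope = "enterprise_hunt"
        # Sibling indicators from the same campaign(s) not yet seen on this host
        plan.hunt_for = {
            ioc for ioc, e in INTEL_FEED.items()
            if e["campaign"] in plan.campaigns and ioc not in observed
        }
    return plan


if __name__ == "__main__":
    print(plan_response({"sha256:aaaa1111", "sha256:zzzz9999"}))
```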
Wrapping it Up
From an operational perspective, threat intelligence is essential to doing better. Many of today’s static security measures were developed over a decade ago and continue to fail us, but they get a breath of new life when threat intelligence data is fed into their frameworks. Much as an operationally effective threat and vulnerability management (TVM) program was essential to good security a decade ago, properly operationalized threat intelligence is becoming essential to good security today.
Whether your organization is seeking to improve its prevention, detection, response, or recovery capabilities – threat intelligence is essential to being a more effective security operations function.