We’ve all been reading these past few weeks about secret political dossiers on targeted individuals of interest (ahem). If this is your first foray into the topic, then you will no doubt view the process as being a bit unsavory. The reality, however, is that deriving background threat intelligence on bad actors is a sobering, serious activity performed by national security and law enforcement experts. It is a process that helps protect nations.
The maturity of threat intelligence derivation – and note that intelligence is derived, not gathered – stems from literally centuries of government experience across the globe. This unique discipline has evolved gradually from both trial-and-error and scientific guidance on how to create an accurate profile of the activities and interests of some individual or group. This helps explain why commercial entities dealing with cyber security issues now want in.
I checked in this week with industry veteran Karen Kiffney from Recorded Future to learn more about how security tech companies are offering advanced cyber threat intelligence services. Founded in 2009, and now straddling the US, UK, and Sweden, Recorded Future focuses on delivering rich threat intelligence information to its clients. I asked Karen to explain to me how this process works – and here is what I learned:
“Security solutions generally come in three different types,” she explained. “There are threat feeds that involve data streams designed to be ingested by a client organization. There are threat intelligence platforms that are installed in a local environment to manage ingested feeds. And then, there are the solution providers, like Recorded Future, that deliver rich threat intelligence as a service to customers.”
CISO teams wondering how to use a threat intelligence service should partition use-cases into two categories: First, intelligence can be integrated via API into the local security infrastructure as a normal, day-to-day component of the protection architecture. Recorded Future tries to enhance its ability to deliver this type of support through algorithms that apply machine-learning labeling of malicious activity categories.
Second, and this struck me as especially useful, the intelligence can be obtained on-demand, about a specific exploit, vulnerability, or even threat actor of interest. Recorded Future structures the information on a so-called Intel Card, which gives a real-time summary of relevant information on the area being investigated. This approach allows the customer to embed Intel Cards into their targeted research.
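To make the first use-case concrete, here is an added example (written for this post, not Recorded Future's code or API) of the day-to-day integration pattern: an indicator feed is pulled once, indexed, and matched against local firewall and DNS log lines so that only hits above a risk threshold reach an analyst. The feed format, field names (`indicator`, `type`, `risk`, `labels`), risk scores and log lines are all constructed for the example; a real feed would be fetched over the vendor's API and its schema would differ.

```python
"""Added example: matching a threat-intelligence indicator feed against local logs.

Not Recorded Future code. The feed schema, risk scores and log lines below are
constructed so the example runs offline.
"""
import json
import re
from typing import Dict, List, Optional

# Constructed sample feed (assumed schema). A production integration would
# fetch this over the vendor API on a schedule instead of embedding it.
SAMPLE_FEED = json.dumps([
    {"indicator": "198.51.100.23", "type": "ip", "risk": 85,
     "labels": ["C2 Server", "Recent Scanner"]},
    {"indicator": "bad-updates.example", "type": "domain", "risk": 67,
     "labels": ["Phishing Host"]},
    {"indicator": "203.0.113.9", "type": "ip", "risk": 20,
     "labels": ["Historical Open Proxy"]},
])

# Constructed log lines in a simplified firewall / DNS key=value format.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z allow src=10.0.0.5 dst=198.51.100.23 dport=443",
    "2024-03-01T10:00:02Z allow src=10.0.0.7 dst=93.184.216.34 dport=80",
    "2024-03-01T10:00:03Z dns src=10.0.0.9 query=bad-updates.example",
    "2024-03-01T10:00:04Z allow src=10.0.0.5 dst=203.0.113.9 dport=8080",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SRC_RE = re.compile(r"\bsrc=(\S+)")


def load_feed(raw: str) -> Dict[str, dict]:
    """Index the feed by indicator value so each log token is an O(1) lookup."""
    index: Dict[str, dict] = {}
    for entry in json.loads(raw):
        index[entry["indicator"].lower()] = entry
    return index


def extract_tokens(line: str) -> List[str]:
    """Pull IP addresses and domain names out of a log line, lower-cased."""
    return [t.lower() for t in IP_RE.findall(line) + DOMAIN_RE.findall(line)]


def internal_source(line: str) -> Optional[str]:
    """Return the src= field so an analyst knows which host touched the indicator."""
    m = SRC_RE.search(line)
    return m.group(1) if m else None


def match_logs(lines: List[str], index: Dict[str, dict], min_risk: int = 50) -> List[dict]:
    """Return one hit per (line, indicator) whose feed risk score meets min_risk.

    Low-risk historical indicators are dropped here rather than in the SIEM so
    the analyst queue only carries entries worth a look.
    """
    hits = []
    for line in lines:
        for token in extract_tokens(line):
            entry = index.get(token)
            if entry and entry["risk"] >= min_risk:
                hits.append({
                    "line": line,
                    "src": internal_source(line),
                    "indicator": token,
                    "type": entry["type"],
                    "risk": entry["risk"],
                    "labels": entry["labels"],
                })
    return hits


if __name__ == "__main__":
    for hit in match_logs(SAMPLE_LOGS, load_feed(SAMPLE_FEED)):
        print(f"{hit['src']} -> {hit['indicator']} risk={hit['risk']} {hit['labels']}")
```

The threshold is the part worth tuning: with the constructed feed, the 20-point historical open proxy never reaches the analyst at the default cut-off of 50, while the C2 server and phishing host do, each tagged with the internal source host that contacted them.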
I asked Karen if customers frequently perform targeted searches on specific threat actors – and in my question, I happened to use the phrase “Googling for threat information.” She was enthusiastic in her response: “That is a good way to describe what we do,” she replied. “And yes, customers do investigate specific threat actors in their research activities. This helps provide contextual information for threat analysts.”
As one might guess, commercial cyber threat intelligence – since it is relatively new – will inevitably go through the growing pains that government intelligence services dealt with many decades ago. Counter-intelligence operations, and cyber adversaries using commercial feeds to learn how to evade detection, are examples of issues that companies like Recorded Future will have to grapple with as they expand their scope and reach.
But for enterprise teams today with cyber analysts performing manually intensive tasks, either proactively on indicators or reactively on attack observation, the use of a commercial threat intelligence service like Recorded Future will make a lot of sense. I’d suggest that if your team is in this category, or if you’d just like to learn more about modern cyber threat intelligence, then give the folks at Recorded Future a call.
Let us know what you learn.