ASSESSMENT: Corporate Threat Intelligence Versus Actual Intelligence Products

[InfoSec News <alerts () infosecnews org>]

http://www.infosecnews.org/assessment-corporate-threat-intelligence-versus-actual-intelligence-products/

By Scot Terban
Special to InfoSec News
March 10, 2014

Threat Intelligence:

Threat intelligence is the new hotness in the field of information 
security and there are many players who want your money to give you their 
interpretation of it. Crowdstrike, Mandiant, and a host of others all 
offer what they call threat intelligence but what is it really in the end 
that the customer gets when they receive a report? Too often what I am 
seeing is reports based on suppositions and little critical thinking 
rather than the traditional raison dartre of a threat intelligence report 
on actors that may have an interest in your environment. A case in point 
is the report from HP that was conveniently released right in time for 
this years RSA conference in San Francisco.

This report on the Iranian cyber threat was hard to read due to the lack 
of real product or knowledge thereof that would have made this report 
useful to anyone seeking true threat intelligence on an actor that may 
have interests in them. With a long winded assortment of Googling as Open 
Source Intelligence, this report makes assumptions on state actors 
motivations as well as non state actors who may, or may not, be acting on 
behalf of the Basij or the Iranian government altogether. While the use of 
Google and OSINT is indeed a valid way of gathering said intelligence, 
intelligence is not "intelligence" until proper analysis is carried out on 
it. This was one of the primary problems with the HP report, the analysis 
was lacking as was the use of an intelligence analyst who knew what they 
were doing.


Clients and Products:

When carrying out any kind of intelligence gathering and analysis you must 
first have a client for the product. In the intelligence game you have 
"products" that "clients" consume and in the case of the HP report on 
Iranian actors it is unclear as to whom the client is to be here. There 
are no direct ties to any one sector or actor for the intelligence to have 
any true "threat matrix" meaning and thus this report is of no real use. 
These are fairly important factors when generating an analysis of a threat 
actor and the threat vectors that may affect them when creating a report 
that should be tailored to the client paying for it. Of course the factors 
of threat actors and vectors of attack can be general at times and I 
assume that the HP analyst was trying to use this rather wide open 
interpretation to sell a report as a means to an end to sell HP services 
in the near future. I am also willing to bet that this report was a 
deliberate drop for RSAC, and they had a kiosk somewhere where they were 
hawking their new "Threat Intelligence" services to anyone who might want 
to pay for them.

In the case of this threat intelligence report ask yourself just who the 
client is here. Who is indeed really under threat by the alleged Iranian 
hackers that are listed. What sectors of industry are we talking about and 
who are their primary targets of choice thus far? In the case of Iran 
there has been also a great deal of supposition as to these actors and 
their motives. The report makes allusions to state actor intentions, but 
only lists known Iranian hacker groups that may or may not have 
affiliations with the government. The same can be said for their TTP’s and 
other alleged data within the report. The important bit about threat 
intelligence in the world of information security is that you need hard 
data to model the threats and the actors for your specific company and 
this report generates none of this. This fact makes the report not really 
threat intelligence at all, not in the aspect of either true intelligence 
nor corporate intelligence.

http://krypt3ia.wordpress.com/2014/03/09/assessment-corporate-threat-intelligence-versus-actual-intelligence-products/

[...]

--
Find the best IT Security talent without breaking your recruiting budget.
Jobs cross-posted to Simply Hired, Facebook and LinkedIn.
Hot InfoSec Jobs - http://www.hotinfosecjobs.com/