
Written by Jon Cumiskey, Head of Information Security at SEP2.
The “Bakery Problem”
Ask a room of security professionals to define “threat intelligence” in a few words and you’ll most likely end up with a chaotic scene within a few minutes – a whiteboard chock-full of differing definitions, and someone in the corner probably nursing a black eye.
Part of the challenge with defining threat intelligence use cases has been what I’ll call here the “bakery problem”. A bakery can offer to a customer many types of baked goods, many of which are only subtly different. I was at a bakery recently and just found myself pointing to the item asking ineloquently for “one of those” as I couldn’t remember the name of what I was asking for. I think Threat Intel can have a similar “identification” issue. Continuing the analogy, does the organisation want a baguette? Or do they want an iced finger? A hot cross bun? Or a fruit loaf? Or does the organisation want a bakery of their own to be able to make their bread?
Tailoring Threat Intel to Your Taste
In the Threat Intelligence world, we have a combination of curated, community-sourced and open-source data, ranging from a strategic angle through to purely technical, short-lived IOCs, focused on a specific business or industry, with varying levels of confidence and attribution. We have posture views via the deep web, dark web and open web, security research, external views of the attack surface and more! As such, many organisations find it hard to express which of those matters to them more than the others. Perhaps they are asking for a crumpet when they actually wanted a pikelet.
We’ve been working hard to see how we can simplify this for our customers looking to improve their posture via our Wingman service – let’s abstract some of that away and turn it into a small number of simple packages that our customers can benefit from. The important part here is the outcomes and how we help deliver those for our customers.
Layers of Insight with GTI
Going further into our layer cake; since our internal acquisition of Google Threat Intelligence, having access to Mandiant’s strategic threat reporting and vulnerability intelligence has been an eye-opener – I can now see and focus on the actual TTPs (Tactics, Techniques and Procedures) that are being used in the wild by threat actors against organisations like us, and use it to add some actual external validation to the assumptions that we had built up in our organisation’s risk management framework. This is alongside it removing a few blind spots and incorrect or outdated assumptions we had. A specific cool example of this is that, like many organisations, we use Microsoft Intune to push updates, policies and software to devices. I was curious whether Intune has been used as an attack vector anywhere, entered some search terms into Google Threat Intelligence and, lo and behold, I had the written output of a Mandiant red-team engagement that described how lateral movement using Intune’s management plane was certainly possible under the right conditions. All actionable and something I can build a defensive/detective strategy with. Very cool.
The best part of this is that I can’t wait to see what our team are going to do with this over the next few years as well – even if our customers are not buying into this specifically, I have no doubt it is going to transform how we respond to incidents and continue to build out our detection library.
Affordability is the Key Ingredient
Finally, to point out the obvious, one of the key objectives is actually getting pricing into the correct order of magnitude for more organisations’ threat intelligence budgets. If the “really good stuff” can be made accessible more widely, it can give more organisations a defensive one-up. We’ve been able to invest as an organisation to open it up at a price that is accessible to most of our customers.
Fancy a slice?