http://www.infosecnews.org/assessment-corporate-threat-intelligence-versus-actual-intelligence-products/
By Scot Terban
Special to InfoSec News
March 10, 2014
Threat Intelligence:
Threat intelligence is the new hotness in the field of information
security, and there are many players who want your money to give you their
interpretation of it. Crowdstrike, Mandiant, and a host of others all
offer what they call threat intelligence, but what does the customer really
get in the end when they receive a report? Too often what I am seeing is
reports based on suppositions and little critical thinking rather than the
traditional raison d'être of a threat intelligence report on actors that
may have an interest in your environment. A case in point is the report
from HP that was conveniently released right in time for this year's RSA
conference in San Francisco.
This report on the Iranian cyber threat was hard to read due to the lack
of real product, or knowledge thereof, that would have made it useful to
anyone seeking true threat intelligence on an actor that may have
interests in them. With a long-winded assortment of Googling presented as
Open Source Intelligence, this report makes assumptions about state
actors' motivations as well as about non-state actors who may, or may not,
be acting on behalf of the Basij or the Iranian government at all. While
the use of Google and OSINT is indeed a valid way of gathering raw
information, that information is not "intelligence" until proper analysis
is carried out on it. This was one of the primary problems with the HP
report: the analysis was lacking, as was the use of an intelligence
analyst who knew what they were doing.
Clients and Products:
When carrying out any kind of intelligence gathering and analysis, you
must first have a client for the product. In the intelligence game you
have "products" that "clients" consume, and in the case of the HP report
on Iranian actors it is unclear who the client is meant to be. There are
no direct ties to any one sector or actor for the intelligence to have any
true "threat matrix" meaning, and thus this report is of no real use.
These are fairly important factors when analyzing a threat actor and the
threat vectors that may affect a client, since the resulting report should
be tailored to the client paying for it. Of course the factors of threat
actors and vectors of attack can be general at times, and I assume that
the HP analyst was trying to use this rather wide-open interpretation to
sell a report as a means to an end to sell HP services in the near future.
I am also willing to bet that this report was a deliberate drop for RSAC,
and they had a kiosk somewhere where they were hawking their new "Threat
Intelligence" services to anyone who might want to pay for them.
In the case of this threat intelligence report, ask yourself just who the
client is here. Who is really under threat by the alleged Iranian hackers
that are listed? What sectors of industry are we talking about, and who
have been their primary targets of choice thus far? In the case of Iran
there has also been a great deal of supposition as to these actors and
their motives. The report makes allusions to state actor intentions, but
only lists known Iranian hacker groups that may or may not have
affiliations with the government. The same can be said for their TTPs and
other alleged data within the report. The important bit about threat
intelligence in the world of information security is that you need hard
data to model the threats and the actors for your specific company, and
this report generates none of this. This fact makes the report not really
threat intelligence at all, in the sense of neither true intelligence nor
corporate intelligence.
http://krypt3ia.wordpress.com/2014/03/09/assessment-corporate-threat-intelligence-versus-actual-intelligence-products/
[...]