Threat Intelligence and Operational Agility

I sometimes say that “threat intel doesn’t help people who don’t help themselves.” Here is one particular example: if you buy the best threat intelligence possible – mixed strategic and tactical, with full actor information, detailed indicators, and with revelations about future attacks targeted to your organization, can you really benefit from it? Those who procure such intel from the likes of “eyeVision”, “eyeProtection” and “ThrongHit” 🙂 – real intel, not just indicator lists – need to be able to act on the results and sometimes such ability to act is just operationally infeasible for a less mature organization.

For example, at my Threat Intel roundtable at Gartner Catalyst 2015, the conversation turned to this subject: “if you hear 3 days in advance that you will be hit with a colossal DDoS attack of a particular type, will it help you?” Some people answered “yes” and pointed at specific things they can do in the time they have; others said “sort of” – they would still take heavy damage, but may be able to reduce panic and avoid some mistakes in responding (after all, “unpleasant surprise” is usually worse than just “some unpleasantness”). A few said that they will be able to do a few things only… and if such “3 day attack warning” costs them $100K, they won’t sign for it.

The situation is even ‘worse’ with targeted attacks. If you hear that “Bearlike Mammal of Death” group will try to steal your critical data using lethal APT tactics, knowing this is unlikely to help if you don’t have the defenses, tools, people and effective processes already in place. You can target your defenses much better with such valuable intel, but it won’t save you on its own….

In other words, remember that intel alone does NOT win wars. The actual warfighters (= skilled security professionals) with weapons (=security tools) as well as threat intel do. Telling armed peasants and spearmen that a ballistic missile is coming does not help – even if you know the exact model and who launched it…

Blog posts related to threat intelligence:

• My Threat Intelligence and Threat Assessment Research Papers Publish
• Threat Assessment – A Tough Subject (And Sharks with Fricking Lasers!)
• On Threat Intelligence Management Platforms
• How to Use Threat Intelligence with Your SIEM?
• On Internally-sourced Threat Intelligence
• Delving into Threat Actor Profiles
• On Threat Intelligence Sources
• How to Make Better Threat Intelligence Out of Threat Intelligence Data?
• On Threat Intelligence Use Cases
• On Broad Types of Threat Intelligence
• Threat Intelligence is NOT Signatures!
• The Conundrum of Two Intelligences!
• On Comparing Threat Intelligence Feeds
• Consumption of Shared Security Data
• From IPs to TTPs