Reality Check: Real-Time Intelligence
The lofty goal of real-time intelligence in security is often misleading. In the context of Business Risk Intelligence (BRI), it’s an especially deceptive misnomer.
Data culled from breaches or Deep & Dark Web (DDW) chatter about vulnerabilities that is crafted into threat intelligence is meant to give decision makers inside the enterprise an advantage over potential adversaries and keep assets and people secure.
Real-time intelligence, meaning information ready for consumption at the moment malicious activity happens, is however a difficult challenge, and limitations in current offerings blunt how well they address threats. More is required, and here’s why:
Automation and IOCs Useful, but Limited
Automated data collections from DDW forums and marketplaces are only one segment of the complete picture. The most successful intelligence programs depend on information about relevant events before those events have an impact on business or people.
Many real-time intelligence offerings are automated collectors that aggregate indicators of compromise (IoCs) such as IP addresses involved in an attack, malware signatures and similar data. That information is relevant and useful, but by nature strictly reactive.
IoCs are tactical and insightful only about malicious activity that has already occurred. They’re a great enhancement to network defenses and perimeter security tools but should never be regarded as a singular source of intelligence in any security program.
Little Value without Context
IoCs, which make up the bulk of today’s real-time intelligence offerings, are abundant in any large organization fending off thousands of attempted intrusions per day. Collecting IoCs is an important forensic activity, but they offer limited context and value to organizations trying to understand the why of an attack.
Assessing the full context and relevance of an IoC will likely require an analyst to conduct additional research and deeper analysis, which can be a time-consuming, inefficient process for many organizations.
For example, let’s say an IoC is the URL of a popular website that has been infected with malware. In many cases, this IoC would automatically trigger a countermeasure that prevents the URL from being accessed within an organization’s network. But what if the website is only infected with malware for a short amount of time? Or what if a company employee tries to access the website from a mobile network? Is blocking the URL indefinitely the most effective way to combat the threat? Since IoCs in and of themselves tend to be static and lacking in full context, they rarely provide enough insight into the full extent and potential impact of a threat.
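The scenario above (a URL indicator that triggers an indefinite block even though the site may be clean again within hours) is a handling problem as much as an intelligence problem. The following is an added illustration, not code from the article or from Flashpoint, of one way a defender can keep IoC-driven blocking from becoming static: each indicator carries a type-specific time-to-live, a confidence score and analyst context, enforcement lapses into an "alert for review" state when the window expires, and a review either extends or revokes the indicator. The TTL values, the `block_decision` policy and the sample indicators are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Illustrative defaults (assumptions for this example, not values from the
# article): how long a blocking rule derived from an indicator stays in force
# before an analyst must re-confirm it. A legitimate site that was compromised
# briefly argues for a short TTL on URL/domain indicators; a hash of known
# malware can be held much longer.
DEFAULT_TTL = {
    "url": timedelta(days=7),
    "domain": timedelta(days=14),
    "ip": timedelta(days=30),
    "sha256": timedelta(days=365),
}

# Constructed reference time for the sample timeline below.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at(days: int) -> datetime:
    """Helper: a timestamp `days` after T0 (used by the demo and tests)."""
    return T0 + timedelta(days=days)


@dataclass
class Indicator:
    value: str
    kind: str                      # key into DEFAULT_TTL
    first_seen: datetime
    confidence: int                # 0-100, assigned by the source or an analyst
    context: str = ""              # why it was added: campaign, sighting, source
    ttl: Optional[timedelta] = None
    last_reviewed: Optional[datetime] = None
    revoked: bool = False

    def expires_at(self) -> datetime:
        # The enforcement window restarts from the most recent analyst review.
        base = self.last_reviewed or self.first_seen
        return base + (self.ttl or DEFAULT_TTL[self.kind])

    def is_active(self, now: datetime) -> bool:
        return not self.revoked and now < self.expires_at()


def block_decision(ind: Indicator, now: datetime, min_confidence: int = 60) -> str:
    """Return 'block', 'alert' or 'ignore' for an indicator at time `now`.

    An expired or low-confidence indicator is downgraded to 'alert' (log and
    queue for review) rather than silently enforced forever or silently dropped.
    """
    if ind.revoked:
        return "ignore"
    if not ind.is_active(now):
        return "alert"
    if ind.confidence < min_confidence:
        return "alert"
    return "block"


def review(ind: Indicator, now: datetime, still_malicious: bool, note: str) -> Indicator:
    """Record an analyst re-check: extend the window, or revoke the indicator."""
    ind.last_reviewed = now
    ind.context = f"{ind.context}; {now.date()}: {note}".strip("; ")
    if not still_malicious:
        ind.revoked = True
    return ind


def stale_indicators(indicators: List[Indicator], now: datetime) -> List[Indicator]:
    """Indicators whose enforcement window has lapsed and need analyst attention."""
    return [i for i in indicators if not i.revoked and not i.is_active(now)]


def demo_timeline() -> List[str]:
    """Constructed walk-through of the article's compromised-website case."""
    site = Indicator("http://example.invalid/news", "url", at(0), confidence=80,
                     context="feed: drive-by kit observed 2024-01-01")
    weak = Indicator("203.0.113.7", "ip", at(0), confidence=30,
                     context="single low-reputation sighting")
    out = []
    out.append(block_decision(site, at(2)))   # inside the 7-day window -> block
    out.append(block_decision(weak, at(2)))   # low confidence -> alert only
    out.append(block_decision(site, at(10)))  # window lapsed -> alert, not enforced
    out.append(str(len(stale_indicators([site, weak], at(10)))))
    review(site, at(10), still_malicious=False, note="site owner cleaned, rescans clean")
    out.append(block_decision(site, at(11)))  # revoked after review -> ignore
    return out


if __name__ == "__main__":
    print(demo_timeline())
```

The point of the `alert` state is that expiry does not mean the indicator was wrong; it means the decision to keep enforcing it should be made by someone who can weigh the context (the `context` field) rather than by a rule that fired once and was never revisited.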
Real-Time Intelligence Blurs Macro View of Risk
Real-time intelligence made up of IoCs provides organizations a micro view of risk, while often ignoring the macro view of threats and how enterprises may be affected.
It’s fairly straightforward to look through IoCs to understand what phishing campaigns are in the wild, but they can’t address strategic, risk-focused questions that could help a business raise awareness of phishing in a manner that strengthens the company’s overall security posture.
It’s crucial to remember that the most effective teams focus not just on aggregating IoCs and blocking threats; they strive to understand why these threats exist in the first place and what can be done to enhance the organization’s overall management of that threat moving forward.
Although real-time intelligence offerings can play a valuable role in an organization’s tactical network defense initiatives, they should never be viewed as a panacea for all threats. Organizations seeking to gain a true decision advantage over a broad spectrum of relevant threats and adversaries need to look beyond just IoCs and work to integrate intelligence that is finished, actionable, and relevant into their security and risk strategies.
Josh Lefkowitz is the Chief Executive Officer of Flashpoint, where he executes the company’s strategic vision to empower organizations with Business Risk Intelligence (BRI) derived from the Deep & Dark Web. He has worked extensively with authorities to track and analyze terrorist groups. Mr. Lefkowitz also served as a consultant to the FBI’s senior management team and worked for a top tier, global investment bank. Mr. Lefkowitz holds an MBA from Harvard University and a BA from Williams College.