Posted September 27, 2018
Why LookingGlass is commercializing Goldman Sach’s Sentinel™ Threat Intel Platform.
Operationalizing uncertainty, automating for speed and tackling the top of the ‘Pyramid of Pain’.
“It’s tough to make predictions. Especially about the future.”
– Yogi Berra
Before I was in the cyber threat intelligence market, I spent a good number of years working on Wall Street in the equity markets. You might think equity and threat intelligence are completely different – and in many ways, you are correct. But in one key aspect they are remarkably similar: The central role of analysis and therefore how a talented and well-trained analyst could be your success… or failure.
From the trading desk to the security operations center (SCO) – the analytic process and goal is really the same: collect data from the best and broadest sources, organize by relevance into intelligence and insight, and form a hypothesis/make predictions, so you can take proactive actions.
Over the years, Wall Street developed an incredibly rich and competitive data ecosystem. From the Rothchild’s carrier pigeon and sentiment analysis feeds, to Twitter headlines, primary and secondary data sources are rich and varied. Similarly, the success of threat intel is premised on great collection and good data inputs – IP reputation data, sinkholes, malware, hashes, command & control, ISAC reports (the list goes on). As the amount of data available has grown, the use of technology and data analytics to ingest, organize, score, and report is critical.
A myriad of solutions to aggregate and organize this plethora of information have emerged to fill this void. Some are features, some are products, and hopefully, a few are long-term businesses.
The rush to commercialize threat intelligence offerings has yielded uneven results: doing many things well, but also exhibiting some shortcomings. Specifically, many threat intelligence platforms (TIPs) in the industry don’t yet fully provide the features and capabilities that support the most valuable work of intelligence analysts. Chief among those is addressing uncertainty, threat modeling, and information handling that is a part of almost every threat analyst’s work.
So how do we fix that and focus more on the analyst? While many elements of modern attacks are automated, at the beginning and end sits a human actor driving the commands. Determining what they are up to and what they might do with the access they gain is the domain of the threat analyst, who must combine data from a wide range of sources and then make assertions about whether a threat is real. David Bianco authored a post which has made a significant contribution to the threat intelligence community. Known as the Pyramid of Pain (not this ’94 SNL clip of the Pyramid of Pain), the idea is simple – not all intelligence is equal and the really valuable intelligence is at the top of the pyramid. As David writes in his post:
“After seeing how these indicators were being applied, though, I came to realize something very interesting: almost no one is using them effectively….. The entire point of detecting indicators is to respond to them, and once you can respond to them quickly enough, you have denied the adversary the use of those indicators when they are attacking you. Not all indicators are created equal, though, and some of them are far more valuable than others.”
Regarding the most valuable intelligence of TTP’s: “When you detect and respond at this level, you are operating directly on adversary behaviors, not against their tools. For example, you are detecting Pass-the-Hash attacks themselves (perhaps by inspecting Windows logs) rather than the tools they use to carry out those attacks. From a pure effectiveness standpoint, this level is your ideal. If you are able to respond to adversary TTPs quickly enough, you force them to do the most time-consuming thing possible: learn new behaviors.”
Modern threat intelligence services need to go far beyond providing raw threat data “feeds” that customers are left to decipher on their own. Effective solutions need to be full-fledged incident detection and response platforms that help users identify and then remove active threats. And analysts need a way to easily collaborate and grade and assign confidence scores to threats so that they can prioritize an organization’s resources where they are the most effective. Ingesting, sorting, and presenting threat intelligence data from disparate sources is the foundation, but balancing both technology and human intelligence tradecraft is required to meet today’s and future challenges.
The human element – and the human operator – are of equal importance, analyzing and interpreting data to figure out what actions to take. Remember, computers do not attack each other – there is always someone on the other side of the keyboard. In my experience, many threat intelligence platforms are not built to support both aspects or to help threat analysts address the uncertainty that is an important part of their work.
This is why LookingGlass made the decision to acquire and commercialize Goldman Sach’s threat intelligence platform, Sentinel™. When Sentinel was developed, analyst tradecraft was built into the software to significantly empower both the novice as well as advanced analyst. Sentinel will further enhance LookingGlass’ intelligence management solutions, focusing on orchestration of both investigations and response. The goal is to allow organizations across a variety of verticals to understand the threats arrayed against them in more fine-grained detail, focus on the top of the Pyramid of Pain, and to take appropriate actions that go well beyond “block” and “allow.”
Properly used, threat intelligence platforms like ScoutPrime™ and Sentinel embrace the uncertainty that is part and parcel of threat analysis with responses that can express caution about a particular actor or traffic source, if not outright hostility. Quarantines, throttling, evasion, as well as mitigation and remediation are all part of the mature response toolkit that LookingGlass will offer a maturing threat intelligence industry.