It’s that time of the year again!
It is the time where we look back over the past year to see what we accomplished, what we did well, what we can improve on for next year. In Cyber Threat Intelligence we had a lot going on this year, and I would say that we more or less kicked 2017’s butt. There was a lot less talk about indiscriminately using threat feeds and more talk about looking for the right information and context (it was my 2015 HaXmas dream come true).
We also had to overcome a lot of surprises thrown our way—and not the fun kind of surprises like Christmas Crackers or Secret Santas, but surprises like troves of national state-level exploits being dumped, worms straight out of the 1990s, and some of the largest data breaches to date. But in response to this craziness, there was a lot of collaboration, hard work, and focus on the right things: supporting network defenders, information leadership, and educating end users.
Even though we did well in 2017, there are still things we as a community need to improve and focus on to make 2018 an even better year.
1. Look at the big picture
2017 will (hopefully) go down in history as the last year that cyber threat intelligence analysts can claim they need only look at technical details when analyzing threats. Technical details give us a lot of information that we need to detect and prevent threats, but they won’t always help us understand the nature of the threat or how it is likely to evolve. The election hacking debacle (is there a better word for this?) and the Panama Papers showed us that just stealing money or information is not always the primary goal of cyber operations. Information and influence operations are a very real thing and they are part of our world. The NotPetya attacks showed us that looking at just the technical details without the surrounding context of who, what, when, where, and why can actually lead us down the wrong path. The recent WannaCry attribution shows us that Nation State Actors are not all alike.
We need to couple technical details with an understanding of what is going on in the world, because that shapes our adversaries’ actions more than we often realize.
2. Read more
There are more than enough breaking news stories, threat reports, and blog posts (yes, like this one) to take up our time, but that isn’t the type of reading I am talking about. All those methods will keep us informed and up to date on what is going on, but reading intelligence and technology fundamentals will give us the frameworks we need to interpret and act on all the breaking information. Without that baseline we will struggle to prioritize and properly understand how to respond to what is happening now.
If you are looking for some ideas of what to read, there are two great blog posts with recommended reading: the CTI Reading List from Scott Roberts, and the Active Response Reading Room from Sergio Caltagirone. Both lists are extensive, ranging from the history of cyber intelligence with The Cuckoo’s Egg by Cliff Stoll, to Near and Distant Neighbors, a study of the Russian intelligence apparatus, to With Microscope and Tweezers: An Analysis of the Internet Virus of November 1988 by Mark W. Eichin and Jon A. Rochlis, which, given the way that old attacks are new again, we should probably all read (or re-read).
3. Slow down
When we rush, we make mistakes. Our adversaries are hoping and praying for defender mistakes far more than they are for a new zero-day. We may think that we need to rush to stay ahead of the adversary, but when we don’t take the time to make sure that we have the information that we need, or that we understand what is being presented, we become our own worst stumbling block. That being said, there is often a need for expediency, and this is where the first two resolutions come into play. When we understand the threat landscape and what is going on in the world inside AND outside of our networks, we will be able to tell whether something needs to be prioritized or whether it can wait. If we have a fundamental understanding of the practices associated with threat intelligence, we will be able to act faster when it is needed, because we will have frameworks to work within that streamline our analyses.
4. Mentor someone
In the crazy, often frantic world of information security there is almost always more work than there are people to do it. But sometimes the people are there, and the rest of us are so busy that we don’t take the time to mentor or guide those who are newer in our areas of expertise. When we do this we fail ourselves and we fail them, and failure is not fun for anyone. It is hard to stop what you are doing when you know it is important to explain what needs to be done to someone else, but that is the only way we will grow our field and give ourselves more time in the long run. Especially in the field of threat intelligence, where many people are either new to information security or new to intelligence, mentorship is needed. If we can stick to resolution #3 and learn to slow down and use the tools we have to be more efficient, we can then make sure that we prioritize mentorship.
We know that New Year’s Resolutions are hard to stick to. In fact, they have an 82.4% chance of failure within the first three months (I just made that statistic up...don’t yell at me, Bob). So the Threat Intelligence Team here at Rapid7 is here to help you out:
We are launching a “Look at the Big Picture/Read More/Slow Down/Mentor Someone” Book Club that is open to anyone. (We'll probably re-name it.)
We will choose one book each quarter to read, discuss CTI applications, and answer (and ask) questions about the general subject. The first book we will tackle is the classic of all CTI classics, and a darn good read: The Cuckoo’s Egg. Stay tuned for more information about how to get involved!
Happy New Year, Threat Intelligence Analysts! Let’s make it a good one!