🚀 DARKSIDE OF THE THREAT INTELLIGENCE PLATFORM

Mike Rebultan
5 min read · Jul 29, 2020

Intelligence has played a vital role in warfare since ancient times. Spies and decoys have their modern counterparts in social engineering and honeypots. And so the Cyber Threat Intelligence (CTI) platform has become popular these days, promising to fill the gaps in every organization's security posture.

However, most of us have been so lured by the flood of vendors’ elevator pitches that we have forgotten these platforms are just as reactive as other technologies. Perhaps what they should be selling is the speed of information retrieval from OSINT, the darknet and the dark web, which is what makes defenders productive.

The proactive people with the right strategies are the ones who truly complete a company's defense-in-depth. Even the strongest lock can still be broken if no one is guarding the perimeter and monitoring the CCTVs in real time.

MYTH #1: Pre-NVD
100% of vulnerability scanners depend on CVSS and CWE; a finding with no score means nothing to them. Thus the Threat and Vulnerability Management (TVM) program can only prioritize patching reactively, once an exploit has already surfaced on the internet. Hence the term zero-day vulnerability was coined, and breaches occur every day.

MYTH #2: Typosquatting
Is this not just running a few tools from Kali Linux (dnstwist, urlcrazy, etc.) from a Bash script and sending a notification to your mailbox once a new domain is listed?
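The "few tools plus a script" the author describes, as an added example that is not part of the original article and not dnstwist or urlcrazy themselves: generate lookalike variants of your own brand domain, then flag the ones that are newly registered against yesterday's baseline. The `REGISTERED` set is constructed sample data standing in for the DNS/WHOIS lookups a real cron job would do.

```python
"""Typosquat watch: generate lookalike variants of your own brand domain and
flag newly registered ones against yesterday's baseline. Added example, not the
article's code and not dnstwist/urlcrazy; REGISTERED is constructed sample data
standing in for DNS/WHOIS lookups."""

# Single-character lookalikes; "rn" for "m" is the classic two-character one.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn"}


def permutations(label: str) -> set[str]:
    """Typosquat variants of one DNS label: omission, repetition, homoglyph
    substitution and adjacent transposition (the same families dnstwist uses)."""
    out: set[str] = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                              # omission
        out.add(label[:i] + label[i] + label[i:])                       # repetition
        if label[i] in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])  # homoglyph
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])    # transposition
    out.discard(label)
    out.discard("")
    return out


def candidates(domain: str) -> set[str]:
    """Expand a registrable domain (label.tld) into candidate lookalike domains."""
    label, _, tld = domain.partition(".")
    return {f"{p}.{tld}" for p in permutations(label)}


def new_lookalikes(domain: str, registered: set[str], baseline: set[str]) -> list[str]:
    """Candidates that are registered now but were not in the baseline.
    In a real job `registered` comes from resolving every candidate."""
    return sorted((candidates(domain) & registered) - baseline)


# Constructed sample: what a resolver pass found today, and what we already knew about.
REGISTERED = {"example.com", "exmple.com", "examp1e.com", "exarnple.com", "unrelated.com"}
BASELINE = {"exmple.com"}

if __name__ == "__main__":
    for d in new_lookalikes("example.com", REGISTERED, BASELINE):
        print(f"ALERT new lookalike domain: {d}")   # this is where the mail goes out
```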

MYTH #3: Data and Code Leaked
Have you not heard of and used “Google Dorking”? Try it and you will discover things that the CTI platform has not alerted you to.

MYTH #4: Indicators of Compromise (IOCs)
Command-and-control (C2) IPs and domains are like the clinical face masks we use to protect ourselves during the COVID-19 pandemic: effective for only half an hour, after which we change them. C2s are just like that; they are no longer pingable once they have been detected and reported to an IP abuse database. What is more, this should already be covered by your million-dollar “Next Gen” firewall.

Malware and ransomware hashes: the same as with your firewall. These should already be covered by your expensive Endpoint Protection / Endpoint Detection and Response (EPP/EDR) tools.

Hence, Indicators of Action (IOA) are more important than IOCs. Watch out for my future talk about this: “Quantum Leap to the Top of the Pyramid of Pain”.

MYTH #5: Threat Landscape
Since some defenders take an hour's break in the morning, almost 2 hours at lunch and another hour in the afternoon, why not take some reading with you: security news of incidents and breaches, so you have an idea of the global threat.

Then check your EPP/EDR, SIEM and email protection dashboards to see the number of attacks detected in your environment, and combine that with the global threat. Somehow you will get a picture of your threat landscape.

Does your CTI platform give you this? I bet not! This is a manual effort, put together in a slide deck.

MYTH #6: Threat Actors
Many CTI platforms will brag about this. The question is, will you be able to put them behind bars? Perhaps what is important is their TTPs. This way you will be able to visualize risk or threat modeling and map it against your current defensive state.

So the MITRE ATT&CK framework is a better focus for every defender, one that can be used in behavior-based threat hunting, rather than convincing yourselves that you will be able to catch the malicious actors. This would also cover insider threats, which the CTI platform does not.
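The point made in Myth #4 (hash and C2 IOCs expire as soon as the adversary rebuilds) and in Myth #6 (behavior-based hunting in the spirit of ATT&CK is the better focus), as an added example that is not the author's code: over constructed endpoint telemetry, a hash IOC from a feed catches only the exact build it was cut from, while a behavioral rule (Office application spawning a shell or a binary from a user-writable path) catches the recompiled variant too. All hashes, hosts and paths are constructed, and the rule is a deliberately simple stand-in for a real hunting query.

```python
"""IOC versus IOA over constructed endpoint telemetry. Added example, not the
article's code; all hashes and events are constructed."""
import hashlib
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    parent_image: str   # process that launched this one
    image: str          # full path of the new process
    sha256: str


OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\downloads\\")


def fake_hash(tag: str) -> str:
    """Constructed SHA-256 stand-in derived from a label, so it is obviously not a real IoC."""
    return hashlib.sha256(f"constructed:{tag}".encode()).hexdigest()


def ioc_match(ev: ProcEvent, feed: set[str]) -> bool:
    """Classic IOC check: is the file hash on the threat feed?"""
    return ev.sha256 in feed


def ioa_match(ev: ProcEvent) -> bool:
    """Behavioral check: an Office parent launching a shell or a file from a user-writable path."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    from_user_dir = any(seg in ev.image.lower() for seg in USER_WRITABLE)
    return ev.parent_image.lower() in OFFICE_APPS and (name in SHELLS or from_user_dir)


def triage(events: list[ProcEvent], feed: set[str]) -> list[tuple[str, bool, bool]]:
    """Per host: (IOC hit, IOA hit), so the two approaches can be compared side by side."""
    return [(ev.host, ioc_match(ev, feed), ioa_match(ev)) for ev in events]


# Constructed: yesterday's feed knew one build of a dropper; today a recompiled one appears.
KNOWN_BAD = {fake_hash("dropper-build-1")}
EVENTS = [
    ProcEvent("pc1", "winword.exe", r"C:\Users\a\AppData\Local\Temp\dropper.exe", fake_hash("dropper-build-1")),
    ProcEvent("pc2", "winword.exe", r"C:\Users\b\AppData\Local\Temp\invoice.exe", fake_hash("dropper-build-2")),
    ProcEvent("pc3", "explorer.exe", r"C:\Windows\System32\cmd.exe", fake_hash("cmd")),
    ProcEvent("pc4", "excel.exe", r"C:\Windows\System32\cmd.exe", fake_hash("cmd")),
]

if __name__ == "__main__":
    for host, ioc, ioa in triage(EVENTS, KNOWN_BAD):
        print(f"{host}: IOC={'hit' if ioc else 'miss'} IOA={'hit' if ioa else 'miss'}")
```

Only pc1 is caught by the hash; pc2 (the rebuilt dropper) and pc4 (Excel launching a shell) are caught by the behavior rule alone.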

MYTH #7: Supply Chain Risk
Heard about the NIST framework? For sure! They have one for this. Align it with your GRC and TVM programs.

MYTH #8: Tech-Stacks
Just take this WFH scenario due to the pandemic as an example: what are the means of telecommunication that are being used globally? Is it not those that defenders should be closely monitoring — Zoom, WebEx, GoToMeeting, Google, Discord, Teams and others?

MYTH #9: Zero Days
Zero-day malware is not truly covered unless a CTI provider has integrated a sandbox into their platform to detonate files and perform dynamic malware analysis. Zero-day vulnerabilities, however, like CVEs, will not be. No one will ever disclose such a gem on social networks; instead they will sell it to a bug bounty platform or to “Zerodium”.

MYTH #10: CTI Platform is for All
When was the last time you inhaled as deeply as if you were going freediving in 100 meters of open water, and then sighed out all the frustration because the intel you provided to your TVM and Security Operations teams was not acknowledged at all?

The reason is that the CTI program itself is meant for a mature, security-oriented environment. Otherwise they will not see the value of your intel, since they think they are 100% protected by their firewalls, AV, EDR, DLP, anti-spam and other technology.

CONCLUSION
An API for integration and the speed of the intelligence provided are the true value of a CTI platform, which can then be integrated with a SOAR or SIEM solution for detection and incident response.

At the end of the day, it is the “right” people (defenders), with the process in place, who are the key to the success of defense-in-depth, which is what makes the talent gap its root cause. Cybersecurity, after all, is not just a job but a calling.


❗️ DISCLAIMER
My intention with this article is not to spearfish any particular CTI platform provider, but to empower the so-called Blue Teamers to be more proactive and agile, so that they are truly able to defend their turf against cyber-attacks from all directions of the globe, including insider threats.

This is specifically a sharing of experience, providing use cases in the manner of busting the myths that CTI platform vendors boast about their products, until we fall for their marketing sales pitches and they lock us into their expensive pricing, which we thought was a jackpot but by which we have actually been deceived.

⚠️Discretion is advised.

💡Note: Article was originally posted on Peerlyst — May 23, 2020
