Published on May 2nd, 2019 | 3367 Views

Meet Me in the Middle: Threat Indications and Warning in Principle & Practice – SANS CTI Summit 2019





Discussions of threat intelligence often get bogged down in a debate between "machine speed" ingestion of atomic indicators and in-depth analysis of activity that takes weeks (or months) to produce. Left out in the cold in such debates is an important but seldom considered middle ground: time-sensitive, incomplete, but enriched threat intelligence. In the U.S. Navy and similar services this is referred to as threat "indications and warning" (I&W): a step beyond a simple observable, in which the observable has been refined enough to ensure accuracy and is delivered in time to act on. The goal of I&W is to get actionable, important information to those who need it most as quickly, efficiently, and accurately as possible, even if some context or other insight is lost along the way. Consumers of I&W are better armed and equipped to deal with and counter threats as they emerge, rather than either reacting to items with no context whatsoever or only reading about their challenges weeks after the fact in a finished intelligence report.

This discussion will explore the concept of threat I&W within the context of network security generally and threat intelligence specifically, identifying it as a shamefully ignored middle ground between the two extremes. The presentation will cover the conceptual background behind the idea, then move to real-life examples of I&W drawn from the speaker's past work in threat intelligence, incident response, and military operations. Attendees will walk away with two key lessons: first, do not let the "perfect" (finished, complete intelligence) be the enemy of the "good" (actionable, if incomplete, information) when it comes to network defense; second, network defense consists of multiple phases of activity, from tactical to strategic, and ignoring the spaces "in between" results in fractured and incomplete operations. As a result, attendees will be better equipped to ask critical questions of their threat intelligence providers and will have a sharper set of expectations for what threat intelligence can do to support defensive operations.





Joe Slowik (@jfslowik), Principal Adversary Hunter, Dragos Inc.
