Hugh Campbell

Threat Intelligence

Over the weekend I was talking with a close friend who started asking me about Internet of Things (IOT) devices for the home. The discussion started out pretty simple: what would I recommend; what are the pros and cons of each; how best to integrate my suggestions together. At the end I mentioned that no matter what you go with you need to exercise good security practices, because IOT devices are becoming prime targets for malicious actors with nefarious purposes. My friend was unaware of how target rich IOT devices had become for groups to leverage into vast botnet operations. Being the overly informed individual I am, I started to tell him about the Mirai malware that targeted IOT devices specifically and how it has caused havoc, including recently being used to launch an attack against WannaCry’s “sinkhole” or killswitch web address. Eyes both glazed over and with a hint of fear, I think I scared him more than I intended. Yet something like this brings attention to something I have experienced overall in dealing with clients.

I tend to spend a good solid hour to hour and a half of my day getting a recap of the cyber events that occurred in the world the prior day from various feed sources. The feeds vary from the written reports generated by security-focused companies, to mainstream media sources, to the Twitter feeds of noted malware and cybersecurity professionals, to updated podcasts from trusted and recommended sources. From ingesting these streams of data on a consistent and regular basis, I am able to develop threat intelligence that helps me understand the current cyber battlespace: who the current threat actors are, what the motives for the current operations are, how the threats are being implemented from a technical perspective, how these threats impact the operational and strategic posture of clients and customers, and what the recommended courses of action are for mitigating the risks so as not to become susceptible to exploitation. I base all my decisions for tech integration in my personal and professional life on this constant iterative cycle that I engage in daily.

Given my past background working with multiple Service and Department of Defense agencies, this is pretty natural for me. I am used to dealing with organizations where the value of intelligence across the entire threat spectrum is critical for commanders and senior leadership to make informed decisions on what requires focus and attention in the current environment. The value of intelligence within the military goes back well over a millennium, and its importance within the overall military hierarchy can be found even today in the Continental Staff System used by NATO countries. In this structure, intelligence is placed after the administrative staff and before the operations staff, denoting its level of importance based on a military tradition dating back to Napoleon’s Grand Armée.

Yet while governments and their militaries have come to recognize how important intelligence is to their success, it is very rare and uncommon to find this within commercial business settings. Even if you do find units within businesses labeled as threat intelligence units, they are generally composed of technical individuals who are not intelligence practitioners and who do not understand the intelligence cycle, especially in matters related to planning and direction. What generally ends up happening, in my experience, is teams implementing haphazard actions to mitigate risks that are not well understood by senior management and that lack proper planning and direction with respect to the business. As Anton Chuvakin presented it, what qualifies as threat intelligence for most businesses is akin to grabbing an AK-47 and firing blindly at any target that moves.

Going back to my friend and his quest for integrating tech into his home environment for a minute, my discussion with him about the current landscape of threats with respect to IOT devices was not meant to scare him. Rather, my intent was to inform him from a threat intelligence perspective that there are threats targeting IOT devices, much like your desktop, laptop, smartphone, and tablet devices. These too need to be secured on your home network and updated regularly, but due to the nature of these devices they also need to be replaced regularly as companies move on to the next new device to present to market. Looking at this from a threat intelligence perspective, this means my intelligence analysis cycle remains the same but the time component becomes faster due to the disposable nature of these devices.

Knowing how to incorporate threat intelligence into your business environment is both a technical process and a cultural mind shift. At its highest level, though, it requires that the value of threat intelligence to the organization is understood by senior leadership from a qualitative perspective vice a quantitative perspective. Much like R&D efforts, threat intelligence does not always yield immediate results to bottom lines. Yet its value in shaping and guiding business decisions moving forward can mean the difference between recognizing and mitigating the risks posed by threats vice becoming the next lead story in the media regarding data breach and loss.

In a future post I plan on going into detail on the overall intelligence cycle as it relates to Joint Publication (JP) 2-0: Joint Intelligence, dated 23 October 2013, its lessons learned from over a century of US military engagement, and how it can be adapted for commercial business. As always, if you have questions regarding cyber security and threat intelligence, feel free to reach out.
