As the wheels lift up on my latest flight I am left reflecting on another year in #infosec. We are moving towards 'something' and some days I can't figure out if that something is disaster or safety.
The tea leaves become hard to read as the raging cyber war shifts into the mainstream. I consider the risks of flying and the lack of control one has in life. I can't control the engines. I can't control the schedule, but what I can do is focus on myself and what I can control.
Which leads me to the SANS Threat Hunting IR Summit and my keynote address: 'Determining evil from benign in the normally abnormal world of InfoSec.'
We can't control our adversaries, although we can choose to control them once they are in our environment. We have little or no control over when the 'big attack' happens. For too long I think we have focused so hard on finding the adversary that our internal threat intelligence has suffered as a result.
Sharing threat intelligence has become easier. Vendors have done lots to allow teams to cultivate and exchange threat intel, yet while there is always more work to do, we have abandoned the one thing we have a hope of controlling - the home field advantage.
I have heard major CISOs sit in a room and say 'asset management is impossible, so why try?' Why would a leader say this? Yes, what we do isn't easy but giving up is a sure fire way never to achieve a strategic goal.
How much do we know about bad actors and attackers? MITRE has done a great deal this year to help infosec teams not only understand attacker behaviour but keep it up-to-date and overlay the tactics where they fall on the kill chain.
This is awesome, but it is still focused externally. Teams are still dealing with noise. They are still trying to understand what normal is and drive some semblance of control into their environment. Most vendors haven't helped. 'Buy more threat intel!' 'You must have threat intel!'
I agree that attackers' behaviours are really important. Threat intel is important, but have we put so much emphasis on it that we have ignored the intel we have today?
My talk results from years of our company's work trying to better understand normal, not evil. We believe if you can actually know 'normal' faster, you can focus on the evil. Which is what we need!
I shall refer to this as 'normal intelligence.' Much like threat intelligence, this needs to be contributed by the community, maintained and exchanged over time. A team should be experts at the intelligence generated by their organisation. As a community, we have underserved this aspect of intelligence. Vendors have hoarded this information to drive down false positive rates in their own products. Which is OK.
I would argue that defenders, regardless of toolset, have some of the best tools they have ever had to perform their job. All this is better and OK, but I didn't start in infosec to do OK. I did so hoping to change this game in some small way. It's time we stopped making small leaps and started making massive ones. We all have useful information on what a normal approved application looks like. We also know they look like an advanced persistent threat (APT) all the time.
It's time we came together as a community and started to exchange this intelligence. What's more important: an IOC that changes in minutes, or knowing that Adobe updater is doing something abnormal from a behavioural perspective?
We have not only seen what happens when this exists (do you love fewer false positives and reduced investigation times?) but we also understand the impact the lack of this resource has had for us. We have also seen the impact a rapid exchange of information can have on the community.
It has truly been humbling and amazing to see a community focus on issues and exchange the right information.
It's time to bring this to all defenders, not just customers of a certain organisation. Advanced vendors are on a mission to make the world safe from cyber attacks. To achieve this mission, we need every one of us sharing and helping to reduce the noise. We need application developers and threat hunters on the same page. We need to unite as a community.
Current estimates say cyber crime is a $1 trillion market. Cyber security? $96 billion. Understand we are being outspent 10-to-1 and if we have any hope of changing this, we all need to realise that regardless of company, we are all in this boat together and we better start rowing together soon.
The adversaries are training each other. They are sharing massive amounts of TTPs, and here we sit as defenders competing on security and things like 'normal intelligence.' It's time for us all to get better together. It's time to quieten the noise so that the defenders and hunters can focus solely on evil.
We cannot graduate qualified defenders fast enough. Should we choose to do the same as we have always done, or try to change tactics to drive better strategy? My company believes it's time for all of us to commit to helping each other out. We are all on the same team.
Committed to this mission, we are putting ourselves out there for the community. We invite everyone to hear our proposal with open ears and new eyes. The time for action is now. Enough competing on security. The adversary doesn't care about any of the politics or heartache vendors go through in trying to achieve a common goal. It's time to put all these considerations aside and move forward together.
If we don't, I fear the past few years are just a small preview of the next few and I am sure we would all like less noise and more focus. Imagine a normal threat intelligence exchange. Imagine being able to have a resource to ask questions regarding what's normal.
We think it's time to link normal and attacker behaviour to help drive less noise and save time. We are fighting to make everyone's life easier, we are fighting to quieten the noise. We invite everyone to help us.