mnemonic security podcast

Misconceptions of Threat Intelligence

October 05, 2020 mnemonic

How do we go from data to information, and from information to intelligence in the cyber world?

Who better to try to explain this than the former Director of the national communications and security agency in the Netherlands, Job Kuijpers, and his colleague and trusted advisor for Threat Intelligence, Piet Kerkhofs. After more than 15 years in the Dutch government's cyber program the two of them founded the cyber security company EYE, and in their conversation with Robby they share from their vast and hands-on experience working with threat intelligence.

In this episode, you’ll hear about the most common misconceptions about threat intelligence that they’ve come across, and how much and what should be automated in threat intelligence – and what shouldn’t.

They also discuss what’s required by an organisation buying/receiving threat intelligence, and how to evaluate if your organisation actually needs threat intelligence tools for its security work.

Technical level: 2/5

Host: Robby Peralta

Unknown:

From our headquarters in Oslo, Norway, and on behalf of our host Robby Peralta. Welcome to the mnemonic security podcast.

Robby Peralta:

What do you think of when you hear the buzzword threat intelligence? If you're military minded, you may think of enemy troop positions and your knowledge about where they're located. If you're in the cybersecurity space, you may think of block lists with malicious IP addresses and domains. Or maybe you're just a golfer, and threat intelligence is knowing how much wind and rain you have to deal with for the round. In all scenarios there's a difference between data and information, and from information to intelligence. And at least with the first two scenarios, humans should be involved to make the best decisions possible. In golf we just blame our equipment, which isn't quite an acceptable excuse in the cyber or military space. But how do we go from data to information and from information to intelligence in the cyber world? Who better to ask than the former director of the National Communications Security Agency in the Netherlands? And just to be sure, why not also invite his trusted advisor for threat intelligence as well? Job Kuijpers and Piet Kerkhofs, welcome to the podcast.

Unknown:

Thank you, you.

Robby Peralta:

So gentlemen, it is an honor to have you here in this virtual studio of ours. How about we start off with you telling us a bit about yourselves and your previous experiences prior to this podcast.

Job Kuijpers:

So I'm Job, within the cybersecurity company EYE. During 14 years at the general intelligence and security service, the Dutch AIVD, we fell in love with the power of technical operations. Within the intelligence service, I was working at the start of the joint cyber unit. That's an intelligence unit, from both military and civil intelligence services in the Netherlands. And slowly through the ranks, I ended up being responsible for the whole cyber program within the Intelligence and Security Service, a cyber program that I'm proud to say belongs to one of the better ones in the world, and the program that defends the Dutch government and vital industries in the Netherlands. With a group of intelligence professionals, we started a new cybersecurity company, EYE. We started EYE to help the vast amount of small and medium enterprises that have no knowledge on how to deal with cybersecurity, for small and medium enterprises to profit from our knowledge and our experience, but then at SME pricing level, I would say.

Piet Kerkhofs:

Yeah, yeah. I'm Piet, I'm a former cyber specialist at the Dutch cyber security and intelligence service. So what my previous job was: supporting operational teams, fulfilling their threat intelligence needs, think of malware analysis, performing threat intel analysis, building IOCs and delivering the IOCs to the internal customers. So that's my former job. Now, I'm working with Job to build the tech pillar of the cybersecurity company EYE in the Netherlands.

Robby Peralta:

Cool. Awesome. Well, it's great to have you two with me here today.

Job Kuijpers:

Thank you very much, Robby.

Robby Peralta:

So today's topic of discussion is threat intelligence, or cyber threat intelligence to be more specific. That being said, I just cannot help myself but ask what goes on behind the closed doors of the intelligence services. Like, what is threat intelligence in the eyes of your agents or secret agents out there?

Job Kuijpers:

First of all, we are punishable by law if we tell you what goes on behind closed doors. There's a reason why the doors are closed, because it's the best way to protect our society. But of course, we can give you a bit more generic overview on what happens within an intelligence service. Of course, I think in general, what intelligence services are doing in cyberspace is they try to investigate some of the very aggressive state actors that are attacking the western open societies from outside in a lot of different ways. And by investigating those aggressive actors, you stumble upon lots and lots of information, making that information usable to others. I think that's what threat intelligence is from an intelligence and security perspective.

Robby Peralta:

I guess I'll separate those two worlds right now, the secret agent world and the cyber threat intelligence world. But back in the day, before society was so digital, maybe threat intelligence was very much more "person to person" intelligence, whereas these days, if you want to know your adversary, spy on them and figure out what they're doing, it's all cyber, because everything's going on digitally. Or is that not the correct assumption?

Job Kuijpers:

Yeah, I don't think that would be a completely correct assumption. It's a lot cyber right now. There's a reason why most nation states have been investing heavily already in the past decade or longer in their cyber capabilities. But there's still the traditional security practice going on, and very much needed. And also the tactics needed to counter espionage, terrorism, the more classic tasks that these agencies are usually working on.

Robby Peralta:

So Mr. Kuijpers, if you're allowed to tell us, what nation states, what actors are you working most with? Against, I should say?

Job Kuijpers:

Well, I have to say this in the past tense: I worked in house with friendly nation states in countering the threats. And we usually worked against aggressive state actors behaving aggressively in cyberspace. I'll name a few of them. The Dutch security services are very open, they write their year reports every year and they mention them by name. Not all of them, but a few of them are mentioned. They mention the Russians and their quite aggressive cyber campaigns, the Chinese, etc.

Robby Peralta:

Are there any non nation-states that you're actually tracking? Financially motivated groups?

Job Kuijpers:

There's a reason why secret services usually talk about state actors: these are all actors that can behave like a state. So this could also be a large group or a large organization that's not yet defined by the United Nations as a nation state, but they have the means to act like one: financial capability, technical skill set. Although I would say that at this moment that's quite limited.

Robby Peralta:

All right. Well, thanks for that, Job. I will leave you alone now, because I know that you can't answer any more of my questions. So I'll go over to you, Piet. Why don't you tell us more about your world, and you could start off with how you define cyber threat intelligence these days.

Piet Kerkhofs:

We define it as the collection and correlation of information sources, a lot of information sources, to generate contextual knowledge about cyber threats. But we think that every organization that is implementing threat intelligence themselves needs to consider the definition that is applicable for their organization. So they have to discuss it internally, or write it down, before they move on. Because a lot of what we see at the cyber threat intelligence level and the general intelligence level is all about information, digesting information. So that's the same. And it's not actually intelligence until you add context to that information. For example, in general intelligence, the incoming information consists of intelligence reports, mostly written down by analysts. And in the cyber threat intelligence context, it is mostly structured information, for example STIX, or a PDF report from the internet. In that way, it's kind of the same. One difference is, of course, the classification level and publicity level. So for cyber threat intelligence, you have commercial feeds and public feeds, and in general intelligence it is more of a closed community where the intelligence is shared. Another thing where cyber threat intelligence and general intelligence converge is the fact that there's always a human involved to interpret the intelligence, assess its quality and share actionable intel with consumers. So that's one thing that's quite important for us. Because we think you can automate threat intelligence a lot. So you can automate the ingestion, the qualification and the sharing, the whole process, but the human interaction is always necessary in both scenarios. Yeah. And they, of course, need to be empowered by automated tools that make the work of analysts easier. So that's quite important. It has to be efficient, and it makes it a lot more fun for analysts.
So they can focus on the threat intel analysis effectively. It's just more fun for them. So that's where the two areas converge, we think.

Robby Peralta:

Cool. You mentioned that you are working with a lot of smaller and medium organizations. What are some of the common misconceptions about threat intelligence that you come across in your work with them?

Piet Kerkhofs:

Yeah, we can name two major misconceptions about threat intelligence. So, one of them, what we often see, is a customer asking us to implement threat intelligence within their organization,

Robby Peralta:

Here's some money, give me some threat intelligence.

Piet Kerkhofs:

And that's not how we look at it. Threat intelligence isn't a capability that you just buy and enroll within your company on a standalone basis. To create a threat intelligence pipeline within your organization, you have to have other parts of your IT network already in place: you need to be able to digest a lot of information on the incoming side, you need to have a lot of computing power on the processing side. And the most important thing is you need to have people within your organization, analysts, who need to qualify intelligence and to handle all the tools, manage all the tools. It all comes down eventually to the IT infrastructure already there and the people, and if that's not in place, you have to work on that first. If you work on that first, then you can create a threat intelligence pipeline upon that.

Robby Peralta:

You have to have the foundation first.

Piet Kerkhofs:

Another misconception is that threat intelligence alone, if you implement that, mitigates the risk of compromise. In our sense it's more an add-on to the current cyber operation. The organization needs to have a lot more than threat intelligence alone to mitigate the risk of compromise. This is more reactive. A phishing email takes a millisecond, or maybe some seconds, to arrive at a mailbox or user. And if you have threat intel, that is a great way to detect that in a later phase. But it's not a good way to stop it upfront, of course, so

Robby Peralta:

Threat intelligence doesn't help you in milliseconds, basically,

Piet Kerkhofs:

No, no, it's more an add-on to other tools that you might have, like email security tooling, or EDR kinds of solutions, endpoint detection and response capability, antivirus, other tools where threat intelligence can also be a feature.

Robby Peralta:

Maybe it's more helpful for enrichment purposes, for after the fact, under analysis, to help you confirm your belief that something actually happened.

Piet Kerkhofs:

Exactly. So it's more for enrichment purposes, yeah.

Robby Peralta:

After the fact, enrichment purposes, so I catch your drift here. I mean, you have to have the sort of foundation in place, you can't just expect to buy some threat intelligence feeds and expect to be safe. But what would you say is, you know, the concrete criteria, then, for actually investing your time and developing a strategy for threat intelligence?

Piet Kerkhofs:

A fundamental question is, why do we need the contextual information about cyber threats? What's our goal with that? And what actual cyber risk do we mitigate using threat intelligence? Are we just involved in a cyber intelligence train? Or do we really need to add intelligence to enrich our cybersecurity pipeline? Then we ask about the other two criteria: is the infrastructure in place? And do you have personnel to do something with the threat intelligence to make it actionable, or, if we make it actionable, to do something with that?

Robby Peralta:

So I mean, taking into account everything we just discussed, what should companies be doing? I'm thinking of threat intelligence platforms, and things like that. So it sounds like not all companies need that, or do they? Well, maybe they just don't need to do it themselves?

Piet Kerkhofs:

Exactly. That's right on point. We think that not all companies need threat intelligence, it depends of course on their size and their capabilities and their

Job Kuijpers:

Maybe just an example. When I was responsible for the Dutch cyber program of the intelligence service, I used to talk a lot in small venues all over the country about cybersecurity. And sometimes these were special meetups for entrepreneurs, and these used to be small and medium enterprises. And always before or after me there would be one of the major Dutch cybersecurity companies talking about threat intelligence. And then all of a sudden, you see the complete mismatch between companies that want to sell threat intelligence and threat intelligence technology, and businesses with 100-200 employees that just have no clue what it is or how to implement it. From a security perspective, we talk about managed security. And that's where you get to a level where you need to come with a much more complete package, how you help them on which choices to make between technology, products and services. We talked about security, and threat intel is just a very small part of that.

Robby Peralta:

Do you think that threat intelligence, not necessarily as a product or service, but threat intelligence in general, can be helpful to all organizations, but they don't have to do it themselves?

Job Kuijpers:

It's definitely helpful, but you need a step in between, where you use this intelligence in a way that small medium enterprises can also benefit from it, but it needs that extra step.

Robby Peralta:

What do those steps usually look like? Okay, fine, you have a conversation with that small or medium business that doesn't necessarily need the world's largest security team, nor need all the fancy tools. What do you usually tell them? What are the first couple meetings like?

Piet Kerkhofs:

Yeah, that's a good one. So what we usually like to discuss is their risk appetite. What risks do you want to mitigate? And which risks do you accept? What we try to do is take measures that mitigate 80% of the risks that they want to mitigate. And the other part of the risks we try to cover with insurance, cyber insurance.

Robby Peralta:

So we've touched a little bit here on sharing threat intelligence. In a perfect world, how can we, for example, mnemonic and EYE, how would we combine our efforts to put our customers in the best position possible against our adversaries?

Piet Kerkhofs:

Great question. In a perfect world, I think, technically speaking, we would be able to share intelligence nowadays using protocols like STIX, or open source software like MISP. But then we all have to comply with using the same protocols, the same software. And I don't think that exists yet. That is why that is called a perfect world. Yeah, and in the perfect world, if you share the threat intelligence, it all has to be actionable, right? So you need to do something with intelligence. So one thing you can do, for example, you can feed it into your IDS system, your intrusion detection system, to detect threats on your networks. But then, in a perfect world, every organization, any party, would need a capable IDS solution, or SIEM solution. So that would be great, if we have that. One thing that isn't solved in that perfect world is, what we have learned is that the more valuable data becomes, the harder it is to share it with other parties. It can be because of commercial interests, of course, within the cybersecurity community, or classifications applied by, for example, governments: the more valuable the data becomes, the harder it is to share. So you can set up a whole sharing scheme with platforms and share it. But when you have to assess every freeze, or every entity that you want to share with another party, politically or commercially, then that's a huge bottleneck. So what we have settled on is that we don't actually share the intelligence with a lot of parties or organizations or customers, for example, because the more you want to share with your customers, the harder that gets, unless you can share. Actually, we apply it in the backend. We create solid trust partnerships with organizations like mnemonic to share and apply actionable intelligence to our sensors in the backends and present it to the customers as an incident, or any other event that we detect as a managed service provider.
So that's how we try to deal with it: with trust relationships we have with other organizations and governments, to not share it with all our customers, because we also think that they don't actually know what to do with it soon.

Robby Peralta:

Just give them more work that they're not able to really work with.

Piet Kerkhofs:

Now, you can see that as well. Yeah.

Robby Peralta:

So you just touched on public private collaboration on threat intelligence. I would assume you two have some more opinions about that. Want to share some of those?

Job Kuijpers:

Yeah, so both now and in the past, we were pretty heavily involved in it. But basically, safe, secure IT is paramount for a robust functioning of the society and economy, both for government and companies. I think in countries like the Netherlands, but also Norway, we live in a highly digitalized society and all our economic power is built on intellectual property and knowledge. To defend our capability to make money with intellectual property and with knowledge, we cannot act alone anymore. It's not just a cybersecurity company, or a large corporation or a government entity functioning by itself, that can solve the issue of very aggressive state actors trying to steal intellectual property, larger and larger criminal organizations,

Robby Peralta:

It would at least be very expensive for everybody to try to do that themselves.

Unknown:

Well, it's not

Job Kuijpers:

only expensive, it's just virtually impossible. So try to imagine that you have a state actor that is attacking several hundreds of organizations within Norway or the Netherlands, and an intelligence service or police department has knowledge about that. They're just not able to deal with all these organizations, and do incident response in all these organizations. So the only way to be scalable as a government is to work with the private sector. In cybersecurity especially, the government is quite a small part of the cybersecurity world. So at least in the Netherlands, we have a very efficient High Tech Crime Unit within the police departments, we have the intelligence services, both military and civil, we have the public prosecutor with a good cyber capability. And those organizations together, there's only so much they can do. So by declassifying threat intelligence, passing threat intelligence to cybersecurity companies, to security operations centers in large corporations, you can be much more scalable and much more efficient and much more effective if you work together. And the other part is that governments, at least intelligence services, tend to attract high quality staff, they learn a lot from international cooperation. So the quality level of cybersecurity specialists is very high within government agencies, and corporations can benefit highly from that if they cooperate with them. So there's a lot of ways that this cooperation is not only necessary, but very helpful to all parties. A big challenge, always, also within the government, and Piet really touched a little bit on that before, is declassifying the most important information and how to do that. Usually the more interesting the information is, the harder it is to declassify, because it's still part of ongoing investigations into criminal actors or into state actors. And that's still a very difficult part to solve.
How to do that, and I think governments and companies together are getting better at that, but there's still some steps to be made there.

Robby Peralta:

Is there anything specific that the intelligence services or the government can get out of working with private companies? The goal of any government is to protect their citizens and protect their companies. But is there, you know, a specific value that they receive from this cooperation?

Job Kuijpers:

The biggest value is, as I mentioned, the scalability. So they are in themselves relatively small in this highly digitalized world. So scalability is a very important part: getting threat intel to large corporations, to cybersecurity companies, that's a really big one, working together on creating enough incident response capability in your country, making sure that there's enough new talent coming up in your country. Why is a small country like the Netherlands playing in the Champions League of cybersecurity, when we talk about the intelligence services? It is because in the Netherlands we have some very good technical universities, we have quite a lot of large corporations, like ASML, Heineken, Philips, Shell, and that together breeds enough technical talent, that even though we're relatively small, and also the intelligence services are relatively small, we are breeding enough of the talent to have enough response going up, still, to large companies. So what we're saying is that breeding talent is also something that you do together, both public and private, and by talent being able to go from companies, to have their first training in high quality companies, move on to the government to get to that expertise level, and from there move back again into helping larger corporations, cybersecurity companies. That's also how you work together. And that's what's in it for intelligence services, huh.

Robby Peralta:

So what about small and medium organizations who simply don't have the capabilities needed? How could they benefit from and give back to the threat intelligence community?

Job Kuijpers:

That's a very good question. What you'll see is that they usually don't have the technical capabilities to work with threat intelligence, and they don't have any intel feedback loops coming from these organizations. They hardly exist, and if they exist, it's probably through police organizations, but the feedback capabilities are very low. And by creating more solutions for that kind of information from small and medium enterprises, as we're doing with EYE, you also have that benefit of working together. But small and medium enterprises are still the biggest issue in cybersecurity, the gap. The cybersecurity gap between large corporations and SMEs is growing every year. The difference ten years ago between a financial institution and an SME on cybersecurity was already big. By now it's two completely different worlds that don't even touch anymore. How do we get the SMEs back on track and more at the level where they should be? Because at least here in the Netherlands, and I guess it's the same in Norway, it is the basis of your economy, your society, it's where most people work, it's what we're most dependent on. But still, every year we have more ransomware attacks, they are facing more costs, more SMEs are going bankrupt because of cybersecurity issues. So there are very few good and strong solutions out there for the SMEs. So to benefit from intelligence, they still have a way to go. And EYE would definitely try to help them to get on the right path, and to make that affordable for them by having a very scalable platform, but it is still a serious issue. Just an example: two weeks ago, we were working with a smaller company, 15 employees, they got a ransomware attack. The company spent almost 150,000 Euros on the ransomware incident. That's a small company; if they would have invested that money in the platform like we offer, they would have been protected for 30 years, or longer.
But to still go from doing very little, you know, to just have your virus scanner and some small steps, to go to decent protection, a lot of them still have a long way to go. Unfortunately, that's a serious risk for society.

Robby Peralta:

But luckily for them, you're here for them. That's good. You just mentioned antivirus and some "small steps". And Piet, earlier you mentioned cyber insurance. So my last question here was, if you look into your crystal ball for the future of threat intelligence and the factors that are going to influence it, how does cyber insurance fit into that? That's the first time I've heard somebody mention threat intelligence and cyber insurance in the same sentence.

Job Kuijpers:

So one thing Piet has already mentioned, but what we do is we go to small and medium enterprises, and we don't believe in 100% protection. Giving them some kind of small box that you plug into your network, and now you're protected 100%, that just doesn't exist. That doesn't even exist for large corporations, let alone for small organizations. So you have to accept some kind of risk. And you have to find the right balance between deciding which risks you take measures for, because you want to keep your company running, you don't want to lose client data, and which kind of risk falls under entrepreneurial risk, you know, that's part of being an entrepreneur, and what kind of risk is deadly to your company and you should cover with insurance. So what we do in our SME proposition is we have a platform that's combined with cyber insurance to make sure that the last 20% is also covered. But what you see in the insurance market is that it's still a market that is operating, when we're talking about cyber insurances, in kind of a black box. They seem to be very interested in taking large proportions of the market, so to sell as much cyber insurance as possible, but they don't have a lot of data points. So they don't really know which risk they're taking on. So every year they just look at, okay, what happened last year, and either we raise the premiums or we change our policies, and probably do both, because it's becoming too expensive. But what we see now, and it's very interesting for us, is to combine data points. So to combine data points of what measures you take, what the effect is, which threat levels there are in certain sectors of SMEs, and combine that with insurance. We already see that's very interesting. And we believe that that's going to be a serious part of the future for the SMEs. Pretty much comparable to insurance of a car or your motorbike, where it's much more based on data and risk profiles.
That's where we see the combination, and that's where we are already combining.

Piet Kerkhofs:

There's an interesting thing to add upon, which is the threat intelligence definition we talked about earlier. The main fundamentals are collecting a lot of information, a lot of events, and then correlating a lot of events in an efficient and smart way to create contextual information. So what we are doing with the SMEs: the cybersecurity events that are occurring at SMEs, at our customers, are very valuable, not individually, but as a collaborative, so in a community. If you combine all those events together, then you also can apply threat intelligence methodologies and skill sets on that. So that's what we're doing right now. And that's the combination with cyber insurance metrics, and providing those cybersecurity metrics to both our customers and the cyber insurance brokers in this world. We think that's one major gap that isn't filled yet, and that's a gap we are trying to fill with EYE, with our platform, right now.

Robby Peralta:

Hmm. Yes, I'm sure the insurance companies would love to have a lot of that information so they could actually set better models and be able to, yeah, charge a better price. I know that my dad, he used to work in insurance. And he told me that they basically, you know, they know how to price things, because everybody's seen a fire, they know, you know, people steal cars, and more than that. But we were talking about how cyber insurance right now should be the cheapest it ever will be, because companies don't know how to charge for it. They don't want to overcharge. They only ask you, you know, a few questions: if you have antivirus or firewalls or not. So right now, maybe companies should just be going out and buying a bunch of cyber insurance. What are your thoughts about that?

Job Kuijpers:

Well, that's exactly why we have it in the package. Because we see it, when you look at the whole-of-risk approach that we do, as an affordable part of the package. And the companies that we see that do take these kind of decisions are companies that want to rely on more than just insurance, for example a law firm or a trust office, or a high tech production company. They have reasons, more than just the damage, to take measures. So of course, it's good to have damages paid when they occur. But if you are a highly reputed law firm, you just don't want to lose your client data, period. And even though there's an insurance company that will cover some of the expenses afterwards, you just don't want to lose them. If you are a high tech production company, you can afford to be closed down for one week; the insurance itself is not going to save you doing more than that. So what we see is that the combination of both is a very interesting market, especially when we talk about SMEs, where you take proper measures up front and where you cover risks in the end, and that makes a more proper, complete package. So we do think it's interesting there. Definitely at this moment, at least when we see the Netherlands, they're priced ridiculously cheap. Just saw the other day we had a high tech production company, I think they did. If they have a cyber incident once every hundred years, the insurance is on the bad side of the deal.

Unknown:

Pretty good deal, I would think. Right?

Robby Peralta:

Well, I'll make sure the insurance companies don't hear this podcast, they're gonna go raise their prices.

Job Kuijpers:

If people take the proper measures, they don't need to raise the price. Exactly. Yeah.

Robby Peralta:

Well, gentlemen, thank you very much for your insights and sharing your opinions with us. And I am gonna have to check in with you guys next year to see how much you've learned over the past year with cyber insurance and threat intelligence. So thank you very much.

Piet Kerkhofs:

Thank you. Thank you.

Robby Peralta:

Well, that's all for today, folks. Thank you for tuning in to the mnemonic security podcast. If you have any concepts or ideas that you would like us to discuss on future episodes, please feel free to send us a mail to podcast@mnemonic.no. Thank you for listening, and we'll see you next time.