Threat Intelligence: The hot topic that makes people hesitant


February 28, 2016 02:00 PM

While the concept is great, actually discussing threat intelligence is a huge roadblock for some firms

All this week, Salted Hash will be walking the halls of the RSA Conference in California. The running theme this week is threat intelligence; what it is and what it isn't, the vendors who produce it, and the people who use it.

You'd think there would be an abundance of sources and source material given the topic, but that wasn't the case at all.

For two weeks, Salted Hash attempted to locate security practitioners in various market segments to talk about threat intelligence, incident response, and how the two areas overlap. It wasn't easy.

First, while most were willing to share their experiences, they wouldn't or couldn't share proof of those experiences, such as redacted screenshots of the product or anything else that would confirm they were a customer of a given vendor. It may seem extreme to require proof, but given the topic, we felt it was important to confirm first-hand knowledge of the product if possible, and to avoid speculation.

Second, there was another segment of people willing to talk, but only in a general sense, because the threat intelligence vendor was holding non-disclosure agreements over their heads.

And that's understandable. Most people aren't allowed to talk to the media, and those who do often request that their name and employer be left out of the official record. But it's strange that a threat intelligence vendor would have a non-disclosure agreement preventing a company from discussing perceived value or sharing information on the types of data they see.

We reached out to FireEye, one of the better-known and most widely used threat intelligence vendors on the market, and asked whether they use non-disclosure agreements to prevent customers from talking about the intelligence they receive, its scope, or its value.

An incident response manager shares his experiences:

The image on the left is Falcon Host, the endpoint protection offering from threat intelligence vendor CrowdStrike.

The Falcon platform was launched by CrowdStrike during the 2013 RSA Conference. The image was shared with Salted Hash by a practitioner working in the finance sector – we’ll call him Jason.

According to CrowdStrike:

"Falcon Host provides real-time visibility into adversary activity on every endpoint – everything is captured, nothing is missed. The lightweight Falcon sensor immediately detects attacks and protects your data without having to rely on ‘sweeps and scans’ of the environment."

Jason’s image shows the adversary part of the portal; an actor from China is highlighted (Samurai Panda). According to the write-up, nothing is known about this actor other than it targets organizations in Japan, and spear phishing is the likely delivery method of any malicious payloads. There are a few C2 domains listed, but that's it.

When asked for details, Jason said the threat actor profiles don't really relate to his organization. It's frustrating at times, he said, because the majority of the information on actors in the portal doesn't pertain to the financial threat actors he's seen. It's as if CrowdStrike considers those actors less important than nation-state actors.

But the adversary portal isn't a large part of his job; in fact he rarely needs to use it.

Just a typical day:

When an endpoint that's being monitored by Falcon Host trips an alert, Jason gets an email, and thus his day begins.

The email contains a login link to the Falcon Host portal, as well as the hostname of the system that triggered the alert and a severity rating. Nothing more is offered, and no matter what the severity, the notice still arrives via email, so there’s no special alert for high-level events.

During a demo of Falcon Host, which Salted Hash registered for in order to verify Jason's claims, it was confirmed during the Q&A section that email alerts could be somewhat customized and delivered to individuals or groups. There was no mention of separate alerts for different severity levels.
