From Beyond Whack-A-Mole “Intel”:
In all of this, after the hours spent finding it, ripping it apart, and figuring out which IP or domain it came from so you can write a signature, blacklist and block it, what have you learned about your enemy? Better yet, what have you converted from an observation into codified knowledge that can be used later – that is not an IOC? What do you know about their objectives, short and long term? What do you know about their resource needs, infrastructure, motivations (are they political or financial)?
To put it another way: you spend a lot of time figuring out what happened, but not why it happened. Not the technical reasons–those are easy–but who was behind the attack, what was their motivation, what are they really after, and so on.
The author of this piece suggests a need to actually perform this research–after whacking the mole, of course. I see a couple of problems with this suggestion:
- Most organizations are not actively targeted. They are merely collateral damage from larger efforts to spread malware. These organizations lack the resources to do this sort of research anyway and, even if they had them, would barely have the resources to act on that information.
- The largest organizations that are actively targeted have the staff to do this (and they largely already are). Could they be better at it? Sure.
I’m not saying threat intelligence is a bad thing; I’m just saying that in the hierarchy of information security needs, there are several base needs that must be satisfied first. Many organizations will never get to the point of needing this.
What I think would be useful to a larger percentage of organizations are tools that leverage the threat research others are already doing and actually act on that research automatically. And no, I’m not talking about just IOCs (which will undoubtedly be part of this).
I know what you’re thinking: it sounds like an easy button for security. It doesn’t exist today, but I have no doubt someone will create it. We’re going to need it to stay one step ahead.
Disclaimer: My employer, Check Point, may or may not be working on such a thing, I don’t know. These views, however, are my own.