Do You Really Need Threat Intelligence?

From Beyond Whack-A-Mole “Intel”:

In all of this, after the hours spent finding it, ripping it apart, and figuring out which IP or domain it came from so you can write a signature, blacklist and block it, what have you learned about your enemy? Better yet, what have you converted from an observation into codified knowledge that can be used later – that is not an IOC? What do you know about their objectives, short and long term? What do you know about their resource needs, infrastructure, motivations (are they political or financial)?

To put it another way: you spend a lot of time figuring out what happened, but not why it happened. Not the technical reasons – those are easy – but who was behind the attack, what their motivation was, what they are really after, and so on.

The author of this piece suggests a need to actually perform this research – after whacking the mole, of course. I see a couple of problems with this suggestion:

  1. Most organizations are not actively targeted. They are merely collateral damage from larger campaigns to spread malware. These organizations lack the resources to do this sort of research and, even if they had them, barely have the resources to act on the resulting information.
  2. The largest organizations, the ones that are actively targeted, have the staff to do this (and largely already do). Could they be better at it? Sure.

I’m not saying threat intelligence is a bad thing, just that in the hierarchy of information security needs there are several base needs that must be satisfied first. Many organizations will never get to the point of needing it.

What I think would be useful to a larger percentage of organizations are tools that leverage the threat research others are already doing and act on that research automatically. And no, I’m not talking about just IOCs (which will undoubtedly be part of this).

I know what you’re thinking: it sounds like an easy button for security. It doesn’t exist today, but I have no doubt someone will create it. We’re going to need it to stay one step ahead.

Disclaimer: My employer, Check Point, may or may not be working on such a thing; I don’t know. These views, however, are my own.
