Threat Management: Does Intent Matter?
I’ve become a bit obsessed with threat intelligence lately. “Obsessed” may be a strong word, but not by much - this stuff is really important. I’ve heard from quite a few IANS clients and Forum participants that gathering threat intelligence that is actionable and practical is almost impossible these days. Even large organizations that participate in Information Sharing and Analysis Centers (ISACs) seem to be asking for more data to get ahead of security threats.
There’s a lot that goes into threat intelligence and analysis. Some of the more specific data points organizations want and need include:
• Who the attackers are (employees, competitors, “hacktivists”)
• Where attacks will originate (internally, externally, countries, etc.)
• What kinds of attacks are coming, including signatures if possible
• The types of data attackers would be likely to seek
The list could certainly continue. One thing conspicuously absent from this list, however, is intent. I’m of the opinion that intent matters less than the other information we’re looking for, and, truth be told, it may not really matter at all. The only use I can see for intent is as a scare tactic or motivational factor for organizations that need to invest more in security and are looking for internal leverage. For example, a chemical company could make the case that terrorist organizations want to steal Formula X and use it for mass chaos and destruction.
Here’s the reason I say this (for most of you, at least) - what will you do differently now that you know the intended purpose of the attack or data theft? In most cases, based on my experience, the answer is NOTHING. It’s still an attack on your infrastructure. It’s still data theft. You are still going to use the same tools and tactics whether someone wants to post your emails on Pastebin or sell your credit card numbers in an underground forum.
So all the hand-wringing and teeth-gnashing that went on in 2011 about LulzSec and Anonymous, asking ourselves “Why are they doing this?” and “What do they want?”, is pointless. They want to break in, get your stuff, and then…who cares? If they succeed at the first two, you’re done anyway. So focus on protection, regardless of motive. If you know what your sensitive data is, and have a reasonable plan to protect it and defend against intrusions, motive just won’t matter as much.
Some other interesting news this week:
• The US Federal government is planning to strengthen security for the power grid (finally!). The Department of Energy (DOE) and Department of Defense (DOD) have developed the Electric Sector Cybersecurity Risk Management Maturity Model (say that 10 times fast) to evaluate both public and private sector controls. This sounds promising, and we’ll be paying close attention to the work that goes on in this area here at IANS. The full article can be found on the InformationWeek site.
• Speaking of threat intelligence, it sounds like some of the major banks are starting to collaborate more on identifying and detecting online fraud and sharing attack data. According to an article on the Wall Street Journal site, many of the biggest financial firms in the US are planning to start meeting quarterly to discuss threats, attacks, and new security ideas. Sounds like a great idea!
• Microsoft has graciously offered to start providing a free real-time threat feed to partners, customers, law enforcement, and government agencies. Microsoft gets attacked a lot, and has been successful in observing and taking down numerous large botnets over the past few years. Providing useful intelligence about these threats will be a great service to the community, and we’re definitely looking forward to seeing more about this. The full article can be found on ThreatPost.
