
Asking around: When does ransomware threat intelligence become noise?

Pros share how to rescue yourself from drowning in alerts.


Like your dad’s travel itinerary, threat intel has a lot of extra detail that you probably don’t need. Even ransomware defenders have their own version of TMI.

During a recent IT Brew event, “Trend Watch: The Latest in Ransomware and What That Means for IT Teams,” an attendee asked Grant Smith, president of Phantom Security Group: “At what point does threat intelligence become noise? We’re drowning in alerts, and I’m not sure our team knows what to escalate anymore.”

Smith advised organizations to identify the groups targeting their sector, research those groups' tactics, and then make sure their defenses cover the areas those groups go after.

“You really have to filter out the information based on the market segment that you’re in,” he told the attendees.

After the event, we posed the same question to other security pros, who shared how to turn down the noise and make the most of all that data.

The responses below were from separate interviews and have been edited for length and clarity.

There’s lots of info

Nick Hyatt, principal threat intelligence analyst at cybersecurity consultancy GuidePoint Security: What a lot of organizations will do is they will buy a threat intelligence feed—something to help, maybe, enrich their SOC [security operations center] alerts, and then they’ll have that data coming in and they won’t know what to do with it.

Nick Biasini, head of outreach at threat-intel research org Cisco Talos: When you’re talking about threat intelligence, historically, it would be a feed of IOCs [indicators of compromise]. Now a lot of it is based on curated reports. So, there’s a lot of private reporting that you’re potentially reading.

Do an asset inventory

Hyatt: Understanding the asset inventory in an environment can actually help filter out a lot of the alerts and a lot of the noise that comes in. Because if you don’t run VMware in your environment, and there’s a new VMware exploit out there: Do you need to worry about it? You should acknowledge it, but it’s not something that you need to have an alert on.

If there’s a new Node.js vulnerability out, but none of your developers use Node.js, then, yeah, it’s good to be aware of that, and maybe you need to do some supply-chain analysis to see, do any of our vendors use Node.js? Does any of our tooling have that built in? But if you don’t specifically develop with this specific language or have this specific technology, you can acknowledge the alert and then just disregard it because it doesn’t actually apply to you.

Figure out your likely adversaries

Biasini: If you’re a toy manufacturer somewhere in the middle of America, you’re probably not super concerned about what the latest and greatest state-sponsored groups are doing in espionage attacks. But a lot of your threat intelligence could very well be focused on that exact thing.


Hyatt: If you are a law firm, well, what threat actors are attacking law firms? If you’re just a very small, local shop that has a web presence, are you really concerned about North Korean threat actors? Maybe not. But are you concerned about ransomware? Absolutely. Same thing for healthcare. And so understanding what the potential is for being attacked is a key part of actually making that data work for you.

Biasini: [Referring to the toy manufacturer example] If you’re interested in ransomware, what ransomware groups, like Qilin and some others, have gone specifically after manufacturing? Those are the groups that I would focus on first. Build as much tooling as you can around what’s known about them. What are their TTPs [tactics, techniques, and procedures]? What tooling do they use? How do they get into environments? And then start focusing your threat intelligence around curating and building those defenses.

Prioritize

Hyatt: You can add prioritization to alerts … And so if you say, well, these five technologies are our key technologies that we use, anything that comes across the wire that has [those five technologies] in there, we need to take a deeper look.

Leeann Nicolo, director of incident response, North America for cyber insurance provider Coalition: I think threat intel becomes noise when it’s not tied to your attack surface and financial risk. So, I think providing a list of indicators of compromise is way less valuable than telling somebody your firewall is unpatched, it’s internet facing, policyholders like you are four times more likely to be hit with ransomware that could cost you $1.5 million—giving that data to put the stress on what is happening, why it impacts you, and what you need to do, rather than, “Here’s a list of indicators of compromise,” because they’re never-ending.
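The advice above (filter on asset inventory, curate a watchlist of groups that target your sector, prioritize items that touch your key or internet-facing technologies, acknowledge the rest) can be turned into a small triage rule. The Python below is an added example written for this page, not code from IT Brew, GuidePoint, Cisco Talos, or Coalition. The inventory, the feed items, the scoring weights, the `HypotheticalAPT` actor name, and the watchlist are all constructed for illustration; only the observation that Qilin has gone after manufacturing comes from the interview.

```python
"""Triage threat-intel feed items against an asset inventory and a curated
actor watchlist: items that cannot apply to the environment are merely
acknowledged, items tied to our sector and exposure are escalated.
Added example with constructed sample data; not from the article or its sources."""
from dataclasses import dataclass

ACKNOWLEDGE, REVIEW, ESCALATE = "acknowledge", "review", "escalate"


@dataclass(frozen=True)
class Asset:
    product: str                      # normalized product name as used in the feed
    internet_facing: bool = False
    key_technology: bool = False      # one of the handful of technologies the SOC watches closely


@dataclass
class IntelItem:
    title: str
    products: frozenset = frozenset()   # technologies the report concerns
    actors: frozenset = frozenset()     # named threat groups
    sectors: frozenset = frozenset()    # sectors the report says are being targeted


def triage(item, inventory, our_sector, priority_actors, escalate_at=5):
    """Return (decision, score, reasons) for one feed item.

    Scoring (hypothetical weights chosen for illustration):
      +1 per affected product we actually run,
      +2 more if that product is a designated key technology,
      +2 more if it is internet facing,
      +3 per actor on our curated sector watchlist,
      +2 if the report names our own sector.
    Items whose affected products are all absent from the inventory are
    acknowledged without further scoring, whatever else they mention.
    """
    assets = {a.product.lower(): a for a in inventory}
    wanted = {p.lower() for p in item.products}
    matched = wanted & assets.keys()
    if wanted and not matched:
        return ACKNOWLEDGE, 0, ["no affected technology in inventory (check vendors/tooling separately)"]

    score, reasons = 0, []
    for name in sorted(matched):
        asset = assets[name]
        score += 1
        reasons.append(f"we run {name}")
        if asset.key_technology:
            score += 2
            reasons.append(f"{name} is a key technology")
        if asset.internet_facing:
            score += 2
            reasons.append(f"{name} is internet facing")
    for actor in sorted(item.actors):
        if actor in priority_actors:
            score += 3
            reasons.append(f"{actor} is on the sector watchlist")
    if our_sector in {s.lower() for s in item.sectors}:
        score += 2
        reasons.append(f"report names our sector ({our_sector})")

    if score >= escalate_at:
        return ESCALATE, score, reasons
    if score > 0:
        return REVIEW, score, reasons
    return ACKNOWLEDGE, score, reasons or ["no link to our assets, sector, or watched actors"]


# Constructed sample: a mid-sized manufacturer's inventory and watchlist.
INVENTORY = [
    Asset("edge-firewall", internet_facing=True, key_technology=True),
    Asset("windows-server", key_technology=True),
    Asset("erp-system"),
]
PRIORITY_ACTORS = {"Qilin"}   # groups reported to go after manufacturing; curate per sector
OUR_SECTOR = "manufacturing"

# Constructed feed items; titles and contents are illustrative only.
FEED = [
    IntelItem("Qilin affiliates exploiting edge firewalls at manufacturers",
              products=frozenset({"edge-firewall"}), actors=frozenset({"Qilin"}),
              sectors=frozenset({"manufacturing"})),
    IntelItem("New VMware hypervisor exploit in the wild",
              products=frozenset({"vmware-esxi"})),
    IntelItem("State-sponsored espionage against government agencies",
              actors=frozenset({"HypotheticalAPT"}), sectors=frozenset({"government"})),
    IntelItem("Windows Server privilege-escalation advisory",
              products=frozenset({"windows-server"})),
    IntelItem("Weekly IOC dump"),
]


def triage_feed(feed=FEED, inventory=INVENTORY, our_sector=OUR_SECTOR, priority_actors=PRIORITY_ACTORS):
    """Triage every item; returns {title: decision}."""
    return {item.title: triage(item, inventory, our_sector, priority_actors)[0] for item in feed}


if __name__ == "__main__":
    for item in FEED:
        decision, score, reasons = triage(item, INVENTORY, OUR_SECTOR, PRIORITY_ACTORS)
        print(f"{decision:<11} {score:>2}  {item.title}  [{'; '.join(reasons)}]")
```

With this sample data the Qilin edge-firewall report scores 10 and escalates, the Windows Server advisory scores 3 and goes to review, and the VMware exploit, the government espionage campaign, and the bare IOC dump are acknowledged. The early return for products missing from the inventory is deliberate: as Hyatt says, a VMware exploit in a shop that runs no VMware should be noted, not alerted on, and the supply-chain question (do our vendors run it?) is a separate, slower check rather than a SOC escalation.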

About the author

Billy Hurley

Billy Hurley has been a reporter with IT Brew since 2022. He writes stories about cybersecurity threats, AI developments, and IT strategies.
