Cb Connect 2018 | Power of You | Register Now


Sharing ‘Effective Intelligence’ Empowers the Entire Security Community to Unite

June 1, 2016 / Ben Johnson

“Join or Die.”

That’s the famous rallying cry coined by Benjamin Franklin that the colonies used to band together before America was officially a nation. Without working together, there was no chance of survival for the colonies during the tumultuous American Revolution. 

Fast forward to the U.S. conflict in Iraq. The Joint Special Operations Command (JSOC), the organization that directs our special forces, had to change the way its teams worked together. We were losing to a loosely coupled, fast-moving opponent who could never match our military might. In JSOC, we had the world’s best soldiers but the opponent was demonstrating that it could be more agile. Information flowed more freely and quickly among them. We had to adapt. “Adapt or Die.”

Cyber security faces a similar challenge today. We are ostensibly losing the battle against motivated attackers. These enemies re-use code, share account credentials and simply get things done. They don’t get paid unless they win. As a result, they often do.

The Evolution of the Cyber Security Battle

In the early days, cyber security was a “human vs. human” fight. It was essentially “spy vs. spy,” where security technologies were, for the most part, still on the drawing board and books such as “The Cuckoo’s Egg” captivated us. But we changed. To some extent, we got lazy.

We started building security technology and saying: “Here, you fight evil.” The attackers shifted as well, changing their economics to worms and viruses that were largely about the quantity of victims they could target. It quickly become a “machine vs. machine” battle.

Now, the shape of the battle has shifted again. It’s returned  to “humans vs. humans.” People conduct attacks. People do security. So, wow do we make our people more effective on defense? And the answer is, oddly enough, technology.

So you’re probably saying: “Wait, you just said it used to be technology and now it’s people, and yet you’re telling me we need more technology. Please explain.”

Similar to our special forces and JSOC, cyber security doesn’t put people in harm’s way with nothing to help them. They need technology. They need intelligence. They need feedback loops to see how the battles are going. The technology is about making people more effective. Navy SEALs have weapons, communications equipment and night-vision goggles. They talk to each other and to other teams, working as individual units and as a collective whole.

“Unite or Die”

In cyber security, we must unite to combat our day-to-day cyber threats. These threats could be extremely hierarchical and militaristic or loosely coupled and fast moving. Or both.

Uniting first starts with uniting your team. If they’re not moving quickly, exchanging information, responding together, hunting together and orchestrating tactics under a unified strategy, it’s not an effective defense. The bad guys only get paid if they win, so they remove friction as much as possible. Among other tasks, your team attends meetings, writes RFPs and waits for legal redlines. The defenders are often waiting for the play to be called while the attackers are already dancing in the endzone.

Once your team is united with itself, uniting your team with your technology is the next move. If your technology is not making your team more effective (much like special forces with their weapons and equipment) what is it actually doing?

Effective Intelligence

In reality, “actionable intelligence” should be called “effective intelligence.”  A lot of sharing in the intelligence realm is not adding much value. Sharing is great, but let’s think about how to make it more effective.

With threat intelligence, it’s critical to capture the right story for detection or prevention with “Patterns of Attack (POAs)” These patterns are crucial to modern defense because they are effective.  However, you must leverage your intelligence for it to have value.

As one of my friends in the cyber trenches said: “POAs or TTPs are great in theory, but if they’re hard to use and hard to apply, you’re not really changing the cyber economics.” You want to move higher in the “Pyramid of Pain,” but if you cannot easily leverage the higher parts of the pyramid, then you’re not really winning.  

Uniting your team with the ability to apply POAs is the goal. That’s when threat intelligence  becomes “effective intelligence.”

Collective Defense

The final step is uniting your team with other teams. The attackers don’t work in silos, so why are we defending in them?  

Sharing your collective, effective intelligence with others and consuming what they share is the end goal. With each attack, the security industry gets better through sharing. Another way of saying that is: “The more attackers attack, the stronger we, as defenders, become.”

As our organizations increasingly work together, we can start to build a cyber security all-star team where the “big” guys greatly accelerate the knowledge of the “little” guys. The little guys can contribute to the larger community by seeing and sharing edge cases that the big guys don’t have time to look at. This sharing system grows organically with agility. What works rises to the surface. What doesn’t is discarded.

Looking Forward

Are you setting your environment up for “effective intelligence?”  Can your team move quickly?  Are you trying to remove friction by truly letting your humans engage in the battle?

Attackers are hitting different organizations using the SAME tactics they have used successfully time and again. We can fight back, even with small teams, by sharing the lessons we’ve learned along the way.  As a result, the entire community becomes stronger. Effective intelligence is key, and effective intelligence beyond your individual organization truly changes the equation. No more excuses. Let’s go. “Unite or die.”


What is “Collective Defense?” Click here to learn more. 

TAGS: Carbon Black / Patterns of Attack / threat intelligence / Unite