SANS Cyber Threat Intelligence Summit Roundup

April 26, 2013
CND Tools: Post by Reid Gilman

SANS held its first Cyber Threat Intelligence Summit, bringing together network defenders confronting advanced cyber adversaries. Presenters and panelists shared the latest approaches to intelligence in the face of an ever-advancing cyber adversary. I had the privilege of speaking at this event and want to share my thoughts on it.

By the end of this focused one-track gathering, I realized that there is a great need for standardized threat data representation, good quality data (via packet capture, host instrumentation, and other sources), and enabling toolsets. Tools make data actionable and useful, but by themselves they are not a silver bullet. Cyber intelligence analysts need a toolset they can use to easily correlate data and deduce the information necessary to inform defense. Tools and data are not the only components of effective defense: a strong defensive posture relies upon an understanding of the threat, good data, effective tools, and a dedicated team.

As I spoke with disparate teams all struggling with the same problems, the benefits of sharing and collaboration could not have been clearer. If one analyst in an organization develops a new signature or technique and has the ability to share it, along with supporting data in a standard form, then the wider community can benefit.

This is not a spectator sport, as one panelist noted. Big name companies and small businesses are being compromised. For some companies, the summit was a realization that they are targets and that they need to pay attention to the threats actively targeting them.

This first summit really was a wake-up call that as a community we must come together to share our experiences, create open source tools, and develop the means to move this ball down the field so we're all in a better position to anticipate and defend. Given the inter-connectedness and inter-dependent nature of the Internet and business, we cannot go this alone and expect to have success as a community.

As I said in my talk, tools feed intelligence, and intelligence drives tools. It's not just defender and analyst tool sets that count, it's the adversaries' too. I believe that a deep understanding of adversary tool capabilities and how adversaries use those tools is key to an effective cyber intelligence program. Building the tools to help MITRE understand the threat has helped us, but by sharing those tools we hope to help other organizations defend themselves. I hope that this community will continue to develop and release tools like CRITs so that we can transform cyber threat intelligence into a team sport.