Playing the Wrong Game – External Cyber Intelligence Feeds

December 4, 2015

Pawn moves. Pawn moves. Knight moves. Bishop takes knight.

OR

White pawn to king’s bishop 3. Black pawn to king’s 3. White knight to queen’s rook 3. King’s bishop takes white knight at queen’s rook 6.

The first example is ambiguous. The moves can be imagined as best guesses, but those guesses may need to be revised as subsequent information is revealed. You wouldn’t gamble on what the next move may be because the uncertainty is too great.

The second example is vivid. If you are a chess player, you may have followed every step; if not, you could reproduce the exact scenario on a diagram with little guidance. You may already be considering what moves could be made next, as well as how those moves would impact future ones.

Why, then, are some people willing to inundate security analysts with information that increases uncertainty more than it reduces it?

Stating that an IP address is “malicious” is subjective: malicious under what context? Claiming that a file hash is malware is equally subjective: what does the malware do and how is it delivered?

Information overload occurs when there is more data or information than analysts can process, which raises the questions: how are the data and information processed? How will they be used? Some reports, such as Mandiant’s APT1 report, are highly detailed examples of how an intelligence product should look and what it should contain. There are many indicators of compromise distributed throughout the 70+ page report. Kaspersky and CrowdStrike have also produced excellent research findings with numerous indicators of compromise. How are related data from distinct reports formed into an actionable, relevant, and timely product?

The truth is, an intelligence product itself should be actionable.

If your team does gather IP addresses, do those addresses go directly into a firewall or other device to “block” traffic? How will you recognize when a highly capable and motivated attacker is at your door or, worse, already in your bed?

Some articles on threat intelligence show chess pieces, as if to imply the strategic value of threat intelligence through an association with what some consider to be the ultimate game of strategy. Sir Lawrence Freedman recounts the real-world strategic implications of chess in Strategy: A History; chess players have the advantage of seeing all of their opponent’s pieces at all times. Network defenders rarely have the luxury of knowing who their next opponent may be, let alone foresight into what capabilities that opponent may possess. The real world does not present all of the players or their pieces.

The author and strategist Karl von Clausewitz never explicitly referred to a “fog of war,” but the concept is derived from Clausewitz’s comparison of fog to uncertainty. Clausewitz also referred to friction. Where fog is uncertainty before and during an initiative, friction references the practical, “real world” application of strategy. Fog is not knowing how many troops are approaching. Friction is the inability for everything to fall into place “according to plan,” which may be a result of poor choices made while surrounded by the “fog of war.”

The comparison between chess and cyber threat intelligence is hardly as romantic as it is often publicized, and the similarities between the two end at “some decisions must be made.” There may be friction in chess, but there is little to no fog.

As romantic as it may sound, you do not play chess with your network. Global connectivity has formed a dense, heavy fog of uncertainty. Policies, user actions, security incidents, and other factors are analogous to Clausewitz’s friction. Either player may choose to take the offense at any time during a chess game, whereas you will typically not take offensive actions with your computer network. If you are playing chess with your network defense strategy, you are playing the wrong game.

External Threat Feeds

Texas Hold’em is a game more analogous to network defense. Bets in Texas Hold’em occur at each round as new cards are revealed. Although the cards displayed on the table are shared, the cards in each player’s hand are unknown to the other players. Texas Hold’em is shrouded in a fog. The straight flush missed by the river card after a large wager increase, or the reverse of what is needed on the flop, are examples of friction.

Game theory compensates for some of the strategic deficiencies of chess by acknowledging the unknown status of the adversary, which, in turn, affects one’s position against them. What is a player’s motivation for staying in the game with each successive round of betting? Does the player have strong cards? If so, what possible combinations might they have, and how do those compare with your current cards or the cards that you may receive?

Chess boards may be flat, but the world is not. To further complicate things, adversaries rarely face off head-to-head in dramatic isolation, with all of their vulnerabilities and strengths on display. The number of adversaries, their capabilities, and their intentions vary from round to round. The stakes change as calculations are adjusted with consideration to new information and the actions, or inactions, of opponents. Bluffs and deception are the norm. The decisive moment in which an opponent may be discharged from the game could occur in any round.

Certainty will almost never be 100%, but absolute certainty is not necessary for sound decision-making.

If we can accept that network defenders are playing a game with fog and friction, we can understand that there are many variables that must be taken into account. Do you notice the player rubbing her nose when she bluffs, or the other player scratching his neck when his cards do not appear on the draw? The information is there, but is it being used to build meaningful connections?

Research papers, FLASH alerts, and ISAC reports pile together, but how are they being used in a meaningful way to reduce uncertainty and inform decision-makers?

A Guardian is Born

Quadrant Information Security values quality over quantity. We recognize the fog and friction that plague network defenders, and we realize that heaps of information are useless if they are not actionable. External threat feeds are valuable, but only if they are used in a manner that provides value.

Sentinel is Quadrant Information Security’s system for ingesting and using external threat feeds. File hashes, IP addresses, domain names, CVEs, and other indicators are parsed from various threat feeds. Each indicator is associated with the relevant threat actor and a “fingerprint,” which can then be used to identify clusters of activity. New reports are parsed and sorted by Sentinel, which feeds into BlueDot – Quadrant’s threat intelligence system. Sagan is near-instantly “aware” of potentially hundreds of new indicators, and security analysts have the ability to derive vulnerabilities, industries targeted, threat actors, registry entries, email addresses, operational notes, threat delivery methods, and other information for a holistic view of the threatscape as it relates to real life. Sentinel seeks to reduce fog and friction while providing security analysts with the “Who? What? When? Where? Why? How? and So What?” so that they can recommend the “What Next?” to your organization’s decision-makers. Sentinel reveals the other players in the tournament, shows which tables (i.e., industries) they are playing at, keeps track of their tells, and even lets us peek at their cards.

Quadrant Information Security wants to help you make the best decisions to protect your stakes.

Closing Gambit

An open source version of Sentinel is expected to be released in the coming months, as Quadrant believes that all organizations should have the ability to better defend themselves, as well as have the ability to make informed decisions on how to optimize economy of force.

Quadrant is in the process of deploying a unique instance of Sagan that will focus on archived data, meaning that Sagan will parse indicators from network and system logs (e.g., file hashes, IP addresses, etc.), query BlueDot, and allow analysts to look “back in time” when given new information.
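As an added illustration of the workflow described in the Sentinel paragraph above and in this archived-data use case, the following Python is not Quadrant’s Sentinel, BlueDot or Sagan code (the post does not describe their internals). It parses indicators out of report text together with each report’s context (actor, source, targeted industry, delivery method), indexes them so that an indicator shared by two actors surfaces as a cluster rather than a bare “malicious IP,” and then matches the index against archived log lines. Every report, actor name, hash, address and log line is constructed for the example; CVE-0000-0000 is a placeholder, not a real identifier.

```python
"""Added example: indicators with context, clustered and matched against old logs.
Not Quadrant's code. All reports, actors, hashes, addresses and logs are constructed."""
import re
from collections import defaultdict

# Extraction patterns for the indicator types the post names.
IOC_PATTERNS = {
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
    "md5": re.compile(r"\b[0-9a-f]{32}\b", re.I),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:com|net|org|info)\b", re.I),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b", re.I),
}


def _normalize(kind, value):
    """Canonical form so the same indicator written differently still matches."""
    return value.upper() if kind == "cve" else value.lower()


def extract_indicators(text, actor, source, industries, delivery):
    """Return every indicator found in a report, each carrying the report's context."""
    found = []
    for kind, pattern in IOC_PATTERNS.items():
        for value in pattern.findall(text):
            found.append({"type": kind, "value": _normalize(kind, value),
                          "actor": actor, "source": source,
                          "industries": set(industries), "delivery": delivery})
    return found


def build_index(indicators):
    """Map (type, value) -> list of contexts. An indicator reported for several
    actors ends up with several contexts: that is the cluster signal."""
    index = defaultdict(list)
    for ind in indicators:
        index[(ind["type"], ind["value"])].append(ind)
    return index


def scan_logs(log_lines, index):
    """Look back through archived log lines for any indexed indicator."""
    hits = []
    for line in log_lines:
        for kind, pattern in IOC_PATTERNS.items():
            for value in pattern.findall(line):
                key = (kind, _normalize(kind, value))
                for ctx in index.get(key, []):  # .get() does not create entries
                    hits.append({"log": line, "indicator": key, "actor": ctx["actor"],
                                 "source": ctx["source"], "industries": ctx["industries"],
                                 "delivery": ctx["delivery"]})
    return hits


def summarize(hits):
    """Answer 'who, what, so what': per actor, how often and on which indicators."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["actor"], {"hits": 0, "indicators": set(), "industries": set()})
        entry["hits"] += 1
        entry["indicators"].add(h["indicator"])
        entry["industries"].update(h["industries"])
    return summary


# Constructed reports (placeholder actors, RFC 5737 documentation addresses, fake hashes).
REPORT_A = """Constructed example report A (not a real report).
Actor: ACTOR-ALPHA (placeholder name). Targets: healthcare.
Delivery: phishing email with link to http://cdn.evil-updates.example.com/setup.exe
Payload md5 0123456789abcdef0123456789abcdef beacons to 198.51.100.23 over TCP/443.
Exploits CVE-0000-0000 (placeholder identifier)."""

REPORT_B = """Constructed example report B (not a real report).
Actor: ACTOR-BRAVO (placeholder name). Targets: finance.
Scanning from 203.0.113.9 against exposed RDP; no malware observed.
Shares infrastructure with ACTOR-ALPHA: 198.51.100.23 seen hosting a second-stage sha256
abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789 (placeholder hash)."""

# Constructed archived log lines from before either report was received.
LOGS = [
    "2015-11-20T03:14:07Z proxy src=192.0.2.44 dst=cdn.evil-updates.example.com url=/setup.exe",
    "2015-11-20T03:14:09Z av host=ws17 file=setup.exe md5=0123456789abcdef0123456789abcdef verdict=clean",
    "2015-11-20T03:15:30Z fw src=10.0.0.17 dst=198.51.100.23 dport=443 action=allow",
    "2015-11-21T10:02:55Z fw src=203.0.113.9 dst=10.0.0.5 dport=3389 action=deny",
    "2015-11-21T10:03:01Z proxy src=192.0.2.45 dst=www.example.org url=/",
]


def demo():
    """Ingest both reports, then look back through the archived logs."""
    inds = extract_indicators(REPORT_A, "ACTOR-ALPHA", "report-A", {"healthcare"}, "phishing link")
    inds += extract_indicators(REPORT_B, "ACTOR-BRAVO", "report-B", {"finance"}, "RDP scanning")
    index = build_index(inds)
    hits = scan_logs(LOGS, index)
    return index, hits, summarize(hits)


if __name__ == "__main__":
    index, hits, summary = demo()
    for h in hits:
        print(f"{h['actor']:12} {h['indicator'][0]:7} {h['indicator'][1]}  <-  {h['log']}")
    for actor, s in summary.items():
        print(actor, s["hits"], "hits, industries:", sorted(s["industries"]))
```

Running it shows the difference between a bare “bad IP” list and a contextual product: the allowed connection to 198.51.100.23 is attributed to two actors at once, the antivirus line that called the file “clean” is contradicted by its hash, and the denied RDP scan is tied to an actor whose other targets are in a different industry.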

Quadrant is all-in with BlueDot and Sentinel. Care to call our bluff?
