At TruSTAR we are always looking for ways to improve the balance between security automation and the human security analyst experience. We are big believers in security automation as evidenced by our REST API and workflow integrations, but our core mission is to serve the community of infosec professionals who work every day to protect networks against cyber attacks.
Recently, we sat down with Curt Buchanan, senior cyber security analyst for Rackspace Managed Security. Curt recently published an article about Cyber Hunting and the Importance of Threat Intelligence and we wanted to learn more about his perspective on cyber security, threat intelligence, and how we can always do better.
What is the biggest challenge you believe enterprise security teams face today?
In today’s world, one of the hardest things to achieve is clearly defining network boundaries. With such dynamic environments and cloud computing being the big player, organizations can spin up or down as many servers as they choose within a moment’s notice, and since information sits on shared resources this makes things complex. First, you have to address the challenge of keeping a handle on such dynamic environments. Then, once you have a lay of the land, you need to figure out where to look to find the bad guy in any given environment. Giving security teams the tools they need to look beyond the obvious, to really be able to pinpoint the anomalous activity, can be a daunting task.
When you hear ‘Threat Intelligence’ what’s the first thing that comes to mind?
Buzzword bingo is the first thing that comes to mind. Threat intel is becoming a real thing and security teams still aren’t quite sure how to use it, or where to get it, but everyone claims they have it. Threat intelligence sounds cool and there are so many organizations popping up that claim to be the best source of Threat Intel. It can be overwhelming when trying to figure out where to get the best intel. A lot of organizations think Indicators of Compromise, or IOCs as they’ve been called, equal Threat Intel. I’m not on that ship. IOCs are factual and great resources, but there is so much more to Threat Intel. Finding out the who, what, why, and how, and then translating that to a variety of organizations and environments to produce actual usable information is the real meat of it, in my opinion. I think one of the best sources of intel comes from your own data. Obviously you need to enrich with some raw and processed intelligence from outside sources, but when you can study each piece of a breach from beginning to end, that is of so much value, it cannot be understated.
Do you participate in intel sharing groups (formal or informal)? If so, which ones? Do you use TruSTAR to engage with intel from these groups? If so, how?
We use TruSTAR as our main stage for sharing information at this point. Working with TruSTAR has been so beneficial (I think on both ends!) because we can learn how others are sharing data. I think data sharing is becoming more prevalent in recent months, as more organizations are learning that we (the good guys) can’t win if we don’t share information. When working in the government sector, I have worked with some sharing groups, but the rice bowl effect is huge in the DoD. I think this has bled over into the corporate world some, as each wants to protect their own fiefdom.
How do you engage with Threat Intel today? Do you use TruSTAR for that? If so, how?
We are still trying to figure that out, really. Our organization is still very young. We collect data from an array of sources. TruSTAR has become part of our reporting process. Everything we report gets loaded into TruSTAR Station for analysis before it is sent to our customers. We are working with TruSTAR to help us more quickly pinpoint key information. It is a great way to visualize data points.
If you were running TruSTAR’s roadmap, what would you focus on next?
One of the things I think would be extremely helpful would be adding the ability to place our own entities and elements of information within TruSTAR’s graph. Additionally, I’d like to see some variation in hits from VirusTotal and other sources to quickly determine if there is a presence of bad. Currently, it requires clicking on each individual hit from VT, but if I only had to click on the ones that were ‘known bad’, it could help speed up the process.
Additionally, if TruSTAR could associate vulnerabilities with adversaries and exploits, that would be game changing. We’d like to see some sort of “selective correlation” ability. Let’s use SQL injection for example. Sometimes there are sample SQL statements in the alert itself. TruSTAR inherently tries to correlate on that and can pull in a bunch of reports that have that same sample statement in them — but, sometimes we want to ‘turn that off’. In the absence of that, perhaps creating transforms to easily push data in and out of tools like Maltego might help streamline the kind of analysis I do even more.
Curt Buchanan is a team lead and senior cyber security analyst for Rackspace Managed Security. He has 20 years of intel experience in and around the NSA and Department of Defense. Over the last eight years, Curt has focused specifically on cyber intelligence and cyber defense and has done everything from collection to analysis and reporting. He spent two and a half years as a cyber defense analyst for the DoD and more than five years as a cyber threat intel analyst. Curt joined Rackspace in September 2015 where he built and now leads the threat intelligence and reporting cell for the customer security operations center.
Rackspace, the #1 managed cloud company, helps businesses tap the power of cloud computing without the complexity and cost of managing it all on their own. Rackspace engineers deliver specialized expertise, easy-to-use tools and Fanatical Support® for leading technologies including AWS, Google, Microsoft, OpenStack and VMware. The company serves customers in 150 countries, including more than half of the FORTUNE 100. Rackspace was named a leader in the 2017 Gartner Magic Quadrant for Public Cloud Infrastructure Managed Service Providers, Worldwide.
The TruSTAR Spotlight Series champions the innovative ways security operators are integrating threat intelligence in their daily SOC operations. This interview has been lightly edited and condensed for clarity.