
Black Hat 2019 Recap: Strategies for Understanding Your Attacker



Last week the security community descended upon Black Hat for its 22nd consecutive year in Las Vegas. Over the course of the week-long conference, major players in the cybersecurity space showcased new products, unveiled research findings, and shared insights with attendees.

A recurring theme across the week’s many talks was that suboptimal organizational structure leads to cumbersome workflows, which in turn makes effective cyber defense nearly impossible. Jamil Farshchi, the new CISO of Equifax, echoed this sentiment in his own talk.

Two of TruSTAR’s thought leaders, CEO and Co-founder Paul Kurtz and Chief Intelligence Architect Doug Helton, have dedicated their professional lives to alleviating these issues. Ahead of Paul’s panel hosted by DarkReading, Paul and Doug sat down to discuss a few of their insights about this recurring theme.

Paul Kurtz, CEO and Co-founder of TruSTAR: Over the years, there’s been a lot of discussion about whether the defender really needs to know the identity of the attacker, or whether it’s sufficient to just understand their practices and TTPs (tactics, techniques, and procedures). For a typical organization, how much do they really need to know about the attackers themselves?

Doug Helton, Chief Intelligence Architect at TruSTAR: Most organizations are better served focusing on those items in threat modeling that they can influence and control. Identifying their own critical assets and crown jewels, and taking inventory of the security controls based on a behavior-based model such as MITRE ATT&CK, would be two examples of this.

Once these areas are sufficiently mature, an organization can move onto identifying and tracking threat groups based on motivation and capability to target their organization. The benefit with this prioritized approach is that defenders can now build security strategy and prioritize intelligence collections around those control gaps with a nexus to both the business as well as the identified threat groups.

Paul Kurtz, CEO and Co-founder of TruSTAR: In general, what are the best sources for information about attackers and potential attackers? CERT? ISACs? Commercial threat intelligence feeds? Where can I get the most reliable information, in a format that my team can ingest and use?

Doug Helton, Chief Intelligence Architect at TruSTAR: “Best” is a very subjective term best broken down into a few components such as timeliness, relevance, and reliability.

First, did my team receive the intelligence in time to prevent an attack or at least accelerate a response? Relevance will be determined by the organization’s threat model, the risk exposure, and related threats. These will be much different for a retailer than they will be for a medical device manufacturer.

In terms of reliability, intelligence sources should be selected to address threats for your particular company. Some companies may require commercial, premium intelligence feeds, whereas for other companies, open source intelligence feeds and sharing communities will suffice. 

Paul Kurtz, CEO and Co-founder of TruSTAR: We’ve talked about how to learn about your attacker and how to collect information about potential threats. Once an organization has all of this information, what should they be doing with it? Should enterprises have at least one analyst who’s tasked with reviewing threat intelligence data and then forming an action plan? Are there ways to automate incoming threat telemetry so that if a certain threat occurs, I can institute an automated response?

Doug Helton, Chief Intelligence Architect at TruSTAR: Having at least one dedicated analyst is ideal, but also not realistic for most organizations. Regardless of maturity or resources, the focus should be on producing intelligence from the inside out. Acquiring paid or free intelligence is as easy as it has ever been, but at the same time, it’s also wildly inefficient if an organization can’t produce insights and intelligence from its own incidents, events, and data so that it may then be enriched by other sources.

Second, knowing what intelligence you actually need based on that internal data and awareness will yield significantly higher ROI than just buying what you think you need in the absence of that understanding. Automating where appropriate is great for teams of any size, even if that automation is the ingestion, normalization, and correlation of the massive amounts of Listserv intel that goes unread or unevaluated.
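The "ingestion, normalization, and correlation" of mailing-list intel that Doug mentions above, together with the timeliness question from his earlier answer, can be made concrete with a small script. The following is an added example for this recap; it is not TruSTAR's code and did not appear in the original interview. It assumes two constructed mailing-list messages and four constructed internal log lines (DNS, proxy, firewall); every address is from the RFC 5737 documentation ranges and every domain uses the reserved example.net/example.com names, and the SHA256 value is a placeholder. It refangs the defanged indicators, deduplicates them keeping the earliest receipt time, matches them against the log lines, and flags any sighting that predates receipt of the intel, since that intel could not have prevented the event and is useful only for retroactive hunting.

```python
import re
from datetime import datetime, timezone
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample mailing-list intel: (received_utc, body). Not real advisories.
INTEL_MESSAGES = [
    ("2019-08-05T14:00:00Z",
     "Phishing wave observed. C2 at hxxp://update-portal[.]example[.]net/gate.php "
     "and 203.0.113.45. Dropper SHA256 " + "0123456789abcdef" * 4),
    ("2019-08-06T09:30:00Z",
     "Re: Phishing wave. Same actor now on 198[.]51[.]100[.]7; "
     "update-portal[.]example[.]net is still live."),
]

# Constructed sample internal telemetry: (timestamp_utc, source, event text).
INTERNAL_EVENTS = [
    ("2019-08-04T22:10:00Z", "dns",   "query update-portal.example.net from 10.0.4.21"),
    ("2019-08-06T10:05:00Z", "proxy", "10.0.4.21 GET http://update-portal.example.net/gate.php 200"),
    ("2019-08-06T11:00:00Z", "fw",    "deny 10.0.7.3 -> 198.51.100.7:443"),
    ("2019-08-06T12:00:00Z", "proxy", "10.0.2.9 GET http://www.example.com/ 200"),
]

# Deliberately simple indicator patterns; a production parser would also
# handle IPv6, CIDR, email addresses, MD5/SHA1 and more.
URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def refang(text: str) -> str:
    """Undo the defanging conventions common on sharing lists, then lowercase."""
    for old, new in (("hxxps://", "https://"), ("hxxp://", "http://"),
                     ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        text = text.replace(old, new)
    return text.lower()


def extract_iocs(body: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs found in one message body."""
    text = refang(body)
    iocs: List[Tuple[str, str]] = []
    for url in URL_RE.findall(text):
        url = url.rstrip(".,;")
        iocs.append(("url", url))
        host = urlparse(url).hostname
        if host:
            iocs.append(("domain", host))
    text = URL_RE.sub(" ", text)  # so URL paths like gate.php are not read as domains
    iocs += [("sha256", h) for h in SHA256_RE.findall(text)]
    iocs += [("ipv4", ip) for ip in IPV4_RE.findall(text)
             if all(int(o) <= 255 for o in ip.split("."))]
    iocs += [("domain", d) for d in DOMAIN_RE.findall(text)]
    return iocs


def build_ioc_table(messages) -> Dict[Tuple[str, str], datetime]:
    """Normalize and dedupe: each (type, value) keeps its earliest receipt time."""
    table: Dict[Tuple[str, str], datetime] = {}
    for received, body in messages:
        ts = parse_ts(received)
        for ioc in extract_iocs(body):
            if ioc not in table or ts < table[ioc]:
                table[ioc] = ts
    return table


def correlate(table: Dict[Tuple[str, str], datetime], events) -> List[dict]:
    """Match normalized indicators against internal events and flag timeliness."""
    hits = []
    for ts, source, text in events:
        ev_ts = parse_ts(ts)
        text_l = text.lower()
        for (kind, value), received in table.items():
            # URLs are matched as substrings; other types must stand alone
            # (not inside a longer hostname or address).
            pattern = (re.escape(value) if kind == "url"
                       else r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])")
            if re.search(pattern, text_l):
                hits.append({
                    "event_time": ts, "source": source, "ioc_type": kind, "ioc": value,
                    "intel_received": received.strftime(TS_FMT),
                    # True when the sighting predates receipt of the indicator:
                    # the intel could not have prevented it, but it still drives
                    # retroactive hunting and incident scoping.
                    "sighted_before_intel": ev_ts < received,
                })
    return hits


if __name__ == "__main__":
    for hit in correlate(build_ioc_table(INTEL_MESSAGES), INTERNAL_EVENTS):
        print(hit)
```

Run as-is it reports four hits: the DNS query on 4 August matched the domain indicator but is flagged as sighted before the intel arrived on 5 August, while the proxy request (URL and domain) and the firewall deny (second IP) all fall after receipt and are the kind of event a blocklist pushed from this table would have caught. The benign request to www.example.com produces no hit.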


TruSTAR’s intelligence management platform automatically enriches organizations’ threat data and integrates the data directly into dozens of different security tools. Download the whitepaper or book a 1:1 with us to learn how TruSTAR can keep your organization safe by integrating enriched data into every stage of an analyst workflow.
