In the dynamic realm of cybersecurity, threat intelligence emerges as a crucial element for organizations striving to fortify their defenses against ever-evolving cyber threats. This blog post delves into the nuances of Active and Passive Threat Intelligence, two fundamental approaches that, despite their differences, are integral to a comprehensive cybersecurity strategy. Our goal is to demystify these concepts, highlighting their unique characteristics, applications, and how they complement each other in the cybersecurity ecosystem.
Of late, I have been looking at reqs for jobs in the CTI space and it feels like, looking at the asks for positions in the analyst space, much more of the threat intelligence space (and I could be misreading this with one-dimensional reqs on the job boards) seems to be more about automation and hunting for known IOCs than more nuanced threat intelligence that takes on more of a patina of “defense in depth” out there today. So, I thought that this post might be a good thing for some out there to get a sense of what options there are once you get a program up and running.
What is Active Threat Intelligence?
Active Threat Intelligence refers to a proactive approach in cybersecurity. It involves actively engaging with the cyber environment to gather information about potential threats. This method is akin to a reconnaissance mission, where information is not just passively received but actively sought out. Techniques such as deploying honeypots to lure attackers, conducting penetration testing to identify vulnerabilities, and red team exercises to simulate real-world attacks are quintessential to this approach. Active Threat Intelligence is about stepping into the attacker’s shoes, understanding their tactics, and preemptively countering them.
One of CTI’s lesser-talked-about areas, and one that is legally thornier for many corporations, is that of HUMINT collection of intelligence. This is the arena where the threat intelligence program is not only carrying on the more technical means of trying to bait attackers with honeypots, or performing red/purple team functions, but also true intelligence collection: being out there on the darknet or the more hidden areas of the internet, actually talking to and watching adversaries where you can.
I will discuss this more in depth further down in the post, but this area of practice, along with the threat hunting/purple/red team types of work, is important to your practice, and if these are not being carried out, then you are not getting the complete picture of your org’s potential threatscape.
What is Passive Threat Intelligence?
Conversely, Passive Threat Intelligence adopts a more reactive stance. It focuses on gathering and analyzing data that comes from existing sources without direct interaction with the threat actors or environments. This intelligence is often sourced from open-source intelligence (OSINT), threat intelligence feeds, log analysis, and SIEM systems. Passive Threat Intelligence is about observing and learning from the wealth of information that flows from various sources, helping organizations stay informed about the latest threats and trends without exposing themselves to undue risk.
Now, many places seem to be happy with just getting a set of feeds, maybe access to an ISAC, and leveraging a SIEM and perhaps EDR solutions, and that is the extent of their practice. This, in my opinion, is likely only to end in failure and compromise due to things that, had the practice also been watching, might have been prevented. In this post, I propose that you perform all of the functions if possible, but if you don’t have the money or the human capital to do it, at least, after reading this blog post, you might have a better idea of what to attempt to pitch to your executive set in asks down the line to bolster your program for the future.
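The passive side described above is, at its most basic, feed indicators matched against logs. The following is an added example, not code from the original post: it parses a small constructed feed (defanged domains, IP ranges, and a file hash with hypothetical values and source names), normalizes the defanging, and matches the indicators against a few constructed proxy, firewall, and EDR log lines, ordering the hits by feed confidence for triage. The CSV feed shape, the source names, and the log formats are all assumptions for the example.

```python
import ipaddress
import re

# Constructed sample feed in a simple CSV shape (hypothetical values and sources).
# Feeds often arrive "defanged" ([.] and hxxp) so indicators cannot be clicked by accident.
SAMPLE_FEED = """\
# type,value,source,confidence
domain,evil-updates[.]example,isac-feed,80
ipv4,198.51.100.0/24,vendor-feed,60
ipv4,203.0.113.7,isac-feed,90
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,vendor-feed,70
"""

# Constructed sample log lines (proxy, firewall, EDR) using RFC 5737 documentation addresses.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z proxy user=alice url=hxxp://evil-updates[.]example/x.bin",
    "2024-03-01T10:00:05Z fw src=10.0.0.5 dst=198.51.100.42 action=allow",
    "2024-03-01T10:00:09Z edr host=ws01 file=setup.exe "
    "sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "2024-03-01T10:00:12Z fw src=10.0.0.9 dst=192.0.2.10 action=allow",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


def refang(text):
    """Undo the common defanging conventions so feed values and log values compare equal."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def parse_feed(text):
    """Parse the CSV-style feed into per-type lookup tables keyed by normalized value."""
    feed = {"ipv4": [], "domain": {}, "sha256": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        itype, value, source, confidence = (f.strip() for f in line.split(","))
        value = refang(value).lower()
        entry = (source, int(confidence))
        if itype == "ipv4":
            # strict=False lets a plain host address become a /32 network
            feed["ipv4"].append((ipaddress.ip_network(value, strict=False), *entry))
        elif itype in feed:
            feed[itype][value] = entry
        else:
            raise ValueError(f"unsupported indicator type: {itype}")
    return feed


def extract_observables(line):
    """Pull candidate IPs, domains and SHA-256 hashes out of one log line."""
    text = refang(line).lower()
    ips = set()
    for cand in IPV4_RE.findall(text):
        try:
            ips.add(ipaddress.ip_address(cand))
        except ValueError:
            pass  # e.g. 999.1.1.1 looks like an address but is not one
    return {
        "ipv4": ips,
        "sha256": set(SHA256_RE.findall(text)),
        "domain": set(DOMAIN_RE.findall(text)),
    }


def match_logs(feed, lines):
    """Return every indicator hit as a dict, highest feed confidence first."""
    hits = []
    for idx, line in enumerate(lines):
        obs = extract_observables(line)
        for ip in obs["ipv4"]:
            for net, source, conf in feed["ipv4"]:
                if ip in net:  # CIDR containment covers both ranges and /32 hosts
                    hits.append({"line": idx, "type": "ipv4", "value": str(ip),
                                 "source": source, "confidence": conf})
        for itype in ("domain", "sha256"):
            for value in obs[itype]:
                if value in feed[itype]:
                    source, conf = feed[itype][value]
                    hits.append({"line": idx, "type": itype, "value": value,
                                 "source": source, "confidence": conf})
    hits.sort(key=lambda h: (-h["confidence"], h["line"], h["type"], h["value"]))
    return hits


if __name__ == "__main__":
    for h in match_logs(parse_feed(SAMPLE_FEED), SAMPLE_LOGS):
        print(f"line {h['line']}: {h['type']} {h['value']} "
              f"({h['source']}, confidence {h['confidence']})")
```

Two details matter in practice: the refanging step, because a feed that says `evil-updates[.]example` will never match a proxy log that says `evil-updates.example` otherwise, and the CIDR containment check, because feeds frequently publish ranges rather than single hosts. The confidence ordering is what turns a pile of matches into a queue an analyst can actually work from the top.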
Use Cases for Active and Passive Threat Intelligence
Integrating Active and Passive Threat Intelligence
Challenges and Best Practices
Implementing both Active and Passive Threat Intelligence comes with its set of challenges, including resource allocation, expertise requirements, and data overload management. Best practices suggest a balanced approach, tailored to an organization’s specific needs and capabilities, and a continuous process of learning and adaptation.
Primarily though, most orgs, I think, will balk at the idea of using all these tactics and processes on two grounds.
To wit, the cost will come from more team members on staff, which will cost more. They will cost more on just a headcount level, and they will potentially cost more if you hire trained or seasoned people who have been in the business a while and know what they are doing. The other potential cost is directly related to that HUMINT part of the picture; that’s where the legal team comes in, and they likely will have some headaches in covering for activities that the analysts will have to carry out.
Primarily, the HUMINT portion will entail the analysts actually talking to threat actors (mind you, this is more likely criminal actor groups and not nation state types, for obvious reasons), which means that your staff will have to be very careful with OPSEC (Operational Security) as well as very careful not to stray into activities that could cross the line on the law. Oftentimes, the criminal groups have challenges and ask for bona fides before they will even talk to you, which means you have to give them some idea that you are one of them as well as pass on intel or code or data that will make them trust you, and this can lead to a lot of complications.
It can be a hard sell, and of course there are now companies out there selling this kind of data in their TIPs, which they have collected by having their own staff of trained collectors and analysts. It’s all a matter of how much your org wants to spend, but if you are not at least getting this kind of data from a TIP, then you are going to remain blind to activities and mentions that might be directed at your org, and end up in trouble.
Final thoughts
In conclusion, both Active and Passive Threat Intelligence play pivotal roles in the cybersecurity domain. While each has its strengths and limitations, their combined use can provide a more nuanced and effective defense against cyber threats. As the cyber landscape continues to evolve, so must our approaches to understanding and countering these threats, making the role of comprehensive threat intelligence more critical than ever.
So, take a look at your org and consider what kinds of CTI you are carrying out, and if you don’t have a mix of the two kinds of collection and analysis (Active and Passive), then you might want to make some recommendations. It may be as simple as getting a TIP like Recorded Future, or joining an ISAC for your vertical. Of course you could shoot the moon and attempt to improve your practice by paying for those things as well as upgrading your program to collect this kind of information for yourselves.
K.