Save 37% off PRO during our Black Friday Sale! »

Tactical threat intelligence gotcha down? There is a better way.

F0c9efd79ff9ea97a28f8552fae3b645?s=47 Rick Holland
September 12, 2016

Tactical threat intelligence gotcha down? There is a better way.

Presented at Anomali Detect conference. Many organizations are taking the wrong approach when it comes to their threat intelligence programs. Indiscriminate investment has yielded anything but actionable intelligence and Indicators of Exhaustion (IOEs) are overwhelming us all. In this talk, former Forrester analyst Rick Holland will discuss shifting from the consumption of “tacticool” intelligence to the production of your own meaningful threat intelligence. Rick will focus on critical people, process, and tradecraft components required to elevate you threat intelligence program maturity.


Rick Holland

September 12, 2016


  1. Tactical threat intelligence gotcha down? There is a better way.

    Rick Holland, VP Strategy @rickhholland
  2. 2 Are you ready for some football!

  3. Masters of espionage 3

  4. Masters of OSINT 4

  5. Countermeasures 5 “At least five teams have swept their hotels,

    locker rooms or coaches’ booths in New England for listening devices, sometimes hiring outside professionals.”
  6. Looking back over the past 4+ years 6

  7. 7 Long form intelligence reporting

  8. 8 Self licking ice cream cones

  9. 9 Difficult to operationalize

  10. 10 Ain’t nobody got time for that!

  11. 11

  12. 12 Expense in Depth

  13. 13 Consumption focused

  14. Indicators of Exhaustion (IOEs) 14 There’s too many of them!

  15. Relevancy? 15   My vertical?   My geography?   My

    threat model?
  16. Uncle Rico threat intelligence (unrealistic) 16

  17. 17 Getting strategic with intelligence 1.  People 2.  Process 3. 

    Tradecraft @rickhholland
  18. 18 Analysts

  19. 19 Build?

  20. 20 Or buy?

  21. 21 6 year $114.5M contract

  22. 6th round pick 22

  23. 23 Better grow your own analysts

  24. Growing your own analysts 24   Join advisory boards to

    guide university programs   Expect 2-3 years out of entry level analysts   A well understood career path is critical   Complement your junior staff with seasoned analysts
  25. Recruit in San Antonio 25   Air Force cyber  

    Air Force intelligence   NSA Central Security Service   University of Texas San Antonio
  26. Recruit in Augusta 26   Military Intelligence   NSA Central

    Security Service   ARCYBER relocation
  27. 27 Getting strategic with intelligence 1.  People 2.  Process 3. 

    Tradecraft @rickhholland
  28. Intelligence cycle 28 Source: JP 2-01, Joint and NaBonal Intelligence

    Support to Military OperaBons
  29. Coach Bear Bryant 29 “It’s not the will to win

    but the will to prepare to win that makes the difference”
  30. Planning and Direction 30 “The determination of intelligence requirements, development

    of appropriate intelligence architecture, preparation of a collection plan, and issuance of orders and requests to information collection agencies.” Source: JP 2-01, Joint and NaBonal Intelligence Support to Military OperaBons
  31. Intelligence requirements 31 “Any subject, general or specific, upon which

    there is a need for the collection of information or the production of intelligence.” Source: JP 2-01, Joint and NaBonal Intelligence Support to Military OperaBons
  32. 32

  33. Sample requirements 33   Who has targeted our organization in

    the past? _  How can we get indications and warnings of future attacks? _  How can we get evidence of previous attacks?   Who are the actors that target our vertical?   What TTPs do our adversaries employ?
  34. Sample requirements continued 34   Which adversary campaigns affect us/our

    vertical?   Which global events could impact our business/vertical?   What critical business activities must we protect?
  35. 35 Collection

  36. Collection activities 36   Identify ability to address requirements  

    Identify gaps in collection capabilities   Internally or externally source capabilities   Measure collection results against ability to answer requirement
  37. 37 Who has targeted our organizaBon in the past?

  38. Who has targeted our organization in the past? 38  

    Nothing more relevant that your own intrusions   Build dossiers on your intrusions   Key for your collection strategy Source: The Diamond Model of Intrusion Analysis: hLp:// content/uploads/2013/07/diamond.pdf
  39. 39 Which criBcal business acBviBes must we protect?

  40. 40

  41. 41 Maintain a relevant and reliable experience

  42. 42 Significant disruption in our computer systems

  43. 43 Protect the security of information

  44. 44 Interruptions in our supply chain

  45. What is the digital footprint for these risks? 45  

    Application   End user   Network   Server   3rd party   Internal and external
  46. Which entities are associated with these risks? 46   Administrative

    staff   Business owners   End users   3rd party business partners
  47. 47 Collection What situational awareness do you have into these

  48. 48 Planning for 2017?

  49. 49 What does your business have planned for 2017?

  50. 50 Getting strategic with intelligence 1.  People 2.  Process 3. 

    Tradecraft @rickhholland
  51. 51 Tradecraft fails with weak analysis

  52. Tony Romo 52

  53. This year 53

  54. Tony Romo 54 “I feel good about the fact that

    was probably as tough of a hit I've taken on the back as I've had in the last five years. From that regard, I feel very lucky that it can hold up and I can keep going."
  55. Homer Sports Fan 55 A cognitive bias that results in

    a tendency to hold one’s favorite sports team in irrational high regard regardless of legitimate ability to deliver and win games. It typically wanes as a season progresses.
  56. Old School Confirmation Bias 56

  57. Be Careful: New School Confirmation Bias 57

  58. Absence of Evidence 58   “Intelligence analysts should be able

    to recognize what relevant evidence is lacking and factor this into their calculations.”   “Consider whether the absence of information is normal or is itself an indicator of unusual activity or inactivity.” Source: hLps:// intelligence-analysis/PsychofIntelNew.pdf
  59. Recommended Reading 59

  60. Structured Analytic Techniques for Improving Intelligence Analysis 60 Source: hLps://

  61. Analysis of Competing Hypotheses Tool 61 Source: hLp:// ACH doesn’t

    seek to prove hypotheses; it instead disproves them
  62. 62 Strategic Intelligence ProducBon

  63. 63

  64. 64 Must be tailored in terms leadership cares about ($$$)

  65. Formalize an Intelligence Product Portfolio 65   Continue with operational

    products _  E.g.: Dossiers, Technical analysis Daily threat summaries   Create tailored ad hoc summaries for relevant threats
  66. Formalize an Intelligence Product Portfolio 66   Create your own

    version of Verizon DBIR   Forecasts: _  Regional threats in new areas of operations _  Threats to specific product launches
  67. Do Now 67   Apply significant effort to developing and

    retaining talent   Include structured analytic techniques in your assessments   Create intelligence products that are tied back to critical business risks
  68. Go Cowboys! 68 Twitter: @rickhholland Speaker Deck: rick_holland Blog:

    https:// blog-and-research/profile/ rick-holland/