Who Are the Stars of a Threat Intel Team?

A threat intel team, just like any other team of specialists, is an organized and coordinated group composed of experts in specific areas. While managed detection and response (MDR) is an overall cyberthreat prevention service, it is actually a conglomeration of security skillsets. These skillsets, such as vulnerability scanning, network-based analysis, reverse engineering, malware analysis, data science and others, together form a formidable MDR force.

An MDR provider is quite different from other kinds of security firms. For example, in a company specializing in firewalls, you would only need one kind of expert. A different type would be required for a company specializing in the detection and removal of endpoint malware. An MDR provider, however, takes a broader “soup-to-nuts” approach to security and must include a whole gamut of expertise. At Alert Logic, this is the approach we have taken in providing a threat intel team for any organization.

In a previous blog post, I defined threat intelligence as “cybersecurity professionals with expert training, knowledge, and skills, monitoring the threat landscape and conducting continuous research to gather information about emerging digital threats.” Now let us look closely at the specific members of a threat intel team, and then at how various products from this workstream fit together.

The Team Stars

Malware Analysts

A malware analyst is an expert in taking apart malware programs such as Trojan horses, viruses, rootkits, worms and bots, to gain a full understanding of how they work. Additionally, they monitor the malware landscape and how it is evolving, and research techniques being utilized by malware for persistence and lateral movement within organizations. A malware analyst is an expert in the ways and means malware uses to get itself installed and executed. The majority of their work is dedicated to preventing malware spread before it happens, as opposed to dealing with damage after the fact.

Network Security Experts

A network security expert must have a thorough understanding of attacks at the network layer to create effective detection techniques using network traffic. Network security experts must also be experts in various network protocols, so that they can monitor those protocols for anomalies.

Reverse Engineers

A reverse engineer is an expert in taking apart any kind of software program, Windows patch, or Linux patch. By reverse-engineering these, they figure out how a particular vulnerability works. When Microsoft, or any vendor, releases a patch, they don’t reveal the details of how a particular vulnerability was solved within that patch. They might say that a vulnerability, for example, was a buffer overflow, but no other details are provided. As an example of how this works, at Alert Logic we discovered a specific Microsoft SMB vulnerability by reverse-engineering it using Alert Logic’s intelligence.

Security Developers

A security developer is someone who not only has a security mindset but is also capable of writing production code. They develop security software, and also integrate security into software while it is being developed. It is the skill of a security developer that translates security research and hypotheses into actual working products. These individuals make it possible for research to be employed in the real world.

Vulnerability Researchers

Every year, tens of thousands of vulnerabilities are discovered. A vulnerability researcher examines vulnerabilities as they come on the scene, looking at how a specific vulnerability can be detected and exploited in customer environments. Vulnerabilities are detected from many different angles: they are scanned for in customer environments, allowing vulnerable systems to be detected as early as possible. They are also detected through many other methods, including scanning, log detection, and mapping adversaries and their tactics, techniques and procedures (TTPs).


SecDevOps

DevOps, which is a common word these days, is a combination of software development (Dev) and IT operations (Ops). SecDevOps adds security into the mix, embedding security into the development process, just as DevOps has incorporated development with operations. SecDevOps focuses on managing the stacks involved with security detection, that is, the integrated sets of security services. The benefits of SecDevOps include increased automation and use of quality control testing with regard to security efficacy and quality.

Data Scientists

Data scientists generally gather large data sets, structured and unstructured. They then analyze, process and model data, interpreting results for the creation of actionable plans. When it comes to specializing in security, a data scientist works by creating generalized frameworks for detecting various classes of attacks. This modeling also helps in automating certain security services provided by security analysts. The common “garbage in, garbage out” adage applies here, and a data scientist needs to understand salient features of security hacks in order to create good models that produce actionable outcomes.

Security Architects

From an MDR perspective, security architecture is highly important. It lays out how security information comes together for a customer. A security architect needs to think like a hacker, anticipating hacker tactics. A security architect’s skillset goes beyond system architecture, as it’s not just about the scalability or usability of the system, but about the security outcomes that a customer needs, and about having a data architecture that makes the system as future-proof as possible against a constantly evolving security landscape.

Again, the above roles are the stars of an ideal MDR team, and the exact type of team we put together at Alert Logic.

Data science in action

At Alert Logic, we’re well into developing technology that takes common security analyst tasks and makes it possible for these tasks to be performed with data science, rendering outcomes with high confidence and accuracy.

As an example, PCI-DSS (Payment Card Industry Data Security Standard) compliance mandates that daily log reviews be conducted. Traditionally, such reviews had to be conducted by humans; now tools can be used. At Alert Logic, however, we’re taking it much further than just reviewing with tools, using machine learning to produce actual outcomes from the anomalies seen in these logs.

Security architecture weighs heavily into this technology, as there is a multitude of log sources. The problem to be solved is applying security across these many log sources in a scalable fashion. Competent security architecture has a direct impact on the quality of outcomes.

This particular project will reach 80 percent completion this quarter.

Security Operations Center (SOC)

While complex technology such as machine learning is enabling numerous security innovations, we must remember to equally enable the security operations center (SOC), the human touchpoint for security within an organization. If a business must continue to add security analysts, this is not a scalable proposition. Therefore, we must utilize machine learning in the SOC as well as in other areas, so that the SOC’s common analysis tasks can be automated. When this is done, the SOC is free to engage with customers, delivering its true value.

It Takes a Team Effort

Threat intelligence plays a crucial role in effective managed detection and response. The efforts of the threat intel team provide essential insight and information that helps organizations identify attack trends and understand the potential impact of emerging threats. Threat intel is not a single role or function, though. It takes a team effort of dedicated specialists to deliver actionable threat intelligence and provide value to the overall MDR solution.

About the Author

Rohit Dhamankar - Vice President, Threat Intelligence Products

Rohit Dhamankar is Vice President of Threat Intelligence Products at Alert Logic. Dhamankar has over 15 years of security industry experience across product strategy, threat research, product management and development, and customer solutions. Prior to Alert Logic, Dhamankar served in product roles for Live Oak Venture Capital at Infocyte and Razberi Technologies. Dhamankar has previously worked in senior roles in several start-up companies in the areas of security analytics, intrusion detection/prevention, end-point protection, and security risk and compliance. These include VP, Click Labs Solutions at Click Security, acquired by Alert Logic, and he was a Co-Founder of Jumpshot, acquired by Avast. He has spoken at several security conferences and customer events worldwide, including BlackHat and RSA, and has been quoted in many industry publications including the Wall Street Journal and USA Today. Dhamankar has also worked with the SANS Institute for a number of years to drive awareness around the latest security vulnerabilities and attacks. Dhamankar holds a Master of Science in Electrical Engineering from the University of Texas Austin and a Master of Science in Physics from IIT in Kanpur, India.