In the previous posts we’ve explored the TI buzzwords “real-time” and “AI”. We’ve ventured beyond the hype and learned how to understand whether or not a certain solution is suitable for you. Our buzzword this week is “actionable insights” - a term that has been beaten by tech marketers harder than a birthday piñata. We’ll take a deeper look at the definitions and how to qualify a solution that boasts “actionable insights”.
Eureka! Just Do It!
“Actionable insights” is the coolest kid in the SaaS party. Though not as tired as the obnoxious and overused boilerplate favorites like “innovation”, “data-driven” or “frictionless integration”, our cool kid is still venturing dangerously close to the morass of cyber gobbledegook. Still, in many cases, “actionable insights” do actually offer 1. information you didn’t notice and 2. actions you can take regarding the revelations from no. 1 to improve a situation by certain metrics.
But what exactly is an “actionable insight”? How is it different from plain insight? Or just good ol’ data? Let’s clarify:
My favorite definition (I actually have a favorite!) of “data” is Merriam Webster’s:
“Information output by a sensing device or organ that includes both useful and irrelevant or redundant information and must be processed to be meaningful”.
MW also defines insight as (among other things) “the act or result of apprehending the inner nature of things”.
So, our systems collect data (information output), which is then processed by a person or by a piece of software to make sense out of it and “apprehend its inner meaning”.
To make this distinction even clearer, I’ll use the 1987 cinematic masterpiece “The Predator”, starring the one and only former Mr. Olympia, Conan, the freakin’ Terminator, and Governor of California - Arnold Schwarzenegger. In one of the movie’s most famous scenes, Arnie gets shot by the Predator, knowing full well that the woman with him has no chance of fighting the Predator and making it out alive - that’s the data.
Our hero understands that the only way to save her is to stall the cold-blooded alien killer so she could run - that’s insight. Schwarzenegger then yells - ”Get to the choppa! Naow!” - that’s an actionable insight in all its glory.
Actionable Insights In Threat Intelligence
So how do actionable insights look in a threat intelligence paradigm? Glad you asked. Threat data, much like crime, is never created in a vacuum - even in the shadowy abyss of the dark web. Every IP has a “story”. Every post has an author. Every product sold has a customer base. Raw data collection, however, is not synonymous with intelligence. All collected data must be processed, structured, refined and cross-correlated, translating the meaningless zeroes and ones into clear and coherent intelligence. Let’s consider the following scenarios:
- A threat actor creates and distributes malware on the deep and dark web, which is then downloaded by another threat actor. Your actionable insights in this scenario would likely include blocking the hash, and, once having identified the threat actors involved in the creation and attempted deployment of the malware, tracking their IPs and blocking them.
- A threat actor compromises a domain infrastructure (let’s say an RDP connection) and sells access to the compromised domain on the deep and dark web. The compromised domain is then purchased and weaponized by a third party uploading C&C server, phishing page, malware server - you get the idea In this scenario, your actionable insights would probably include blocking the RDP connection, escalating it to the incident response team, and suggesting further investigation of both actors involved with the transaction.
- A threat actor creates and shares an exploit code for a CVE. The exploit code is then integrated into an exploit kit or a tool for easy deployment. In this case, your actionable insights might include checking against your asset inventory, assessing probability for exploitation, and patching.
If we go back to the over-simplified description I proposed, actionable insights point out things you hadn’t noticed in the data and suggest appropriate actions to take to improve the situation by certain metrics.
Asking The Right Questions
Evaluating actionable insights is about the quality, value, and impact they provide. When examining a threat intelligence solution from the vantage of actionable insights, ask yourself:
- Compatibility - Are the actions suggested compatible with your organizational profile, its people, workflows, capacity, maturity etc.?
- Threat Relevance - Which threats are directly relevant to you and your objectives? If you’re a bank, you probably don’t care about intelligence regarding a threat of drug trades within the vicinity of your branches. Threats regarding credit card fraud, however, would be at the top of your priority list.
- Time frames - What is a reasonable time-frame for you to remediate? How much time do you need to allow your team to address the risk? hThis time-frame is a function of resources and gravity of threats.
“I’ll Be Back”
The final question remains, how important are actionable insights to you? For Arnie, actionable insights mark the difference between falling prey to an extraterrestrial beast and living to fight in another movie. For threat, SOC, fraud, and vulnerability analysts, they may be just as significant. Maybe patching the right vulnerability at the right time won’t make you feel like you’re the terminator, but in the dangerous threatscape of the cyber underground, living to fight another day is no small feat. With each vulnerability terminated, you’re more connected to your “inner-Arnie”, earning the right to glare at the next potential CVE, and with your heaviest Schwarzenegger accent, promise - “I’ll be back”.