Today, the cybersecurity world is in a very different place than it was five years ago. But that’s because it had to keep up with cybercriminals. The underground is certainly not where it was five years ago: closed groups, encrypted messaging apps and other closed sources made it impossible for any organization to track, monitor and digest the unfathomable volumes of information and activity in the underground.
When you have a hammer
Abraham Harold Maslow, the American psychologist who was best known for creating Maslow's hierarchy of needs, is known for another law - “the law of the instrument”, also known as “law of the hammer”, “Maslow's hammer (or gavel)”, or “golden hammer”. Maslow’s hammer is a cognitive bias that involves an over-reliance on a familiar tool, or as Abraham Maslow himself said so eloquently: "I suppose it is tempting, if the only tool you have is a hammer, to treat everything as if it were a nail."
Vendors rely on various intelligence feeds for enrichment and detection. Most of these feeds claim to be “automatic” when in fact they are not. They claim to collect “deep and dark web intelligence” when in fact they go mainly after open source and a small group of “commodity” forums. In reality, they cover less than 10% of what’s out there (on the underground).The lack of effective collection, extraction and enrichment of data led to a misconception among leading cybersecurity vendors that “there is not enough value to merit investing in deep and dark web intelligence collection” or, in simpler words, “there is nothing worth finding in the deep and dark web”, “it’s a nice-to-have but not a must” and “anyways, everything can be found eventually in open sources”.
They couldn’t be more wrong.
By looking for the golden nugget under the streetlamp, security teams learned to rely on irrelevant and often obsolete information - simply because they had a hammer, and data collection suddenly started to look a lot like nails.
Maslow’s hammer in IT
While the concept is attributed both to Maslow and to Abraham Kaplan, the hammer and nail line may not be original to either of them. In fact, it has been attributed to everyone from Buddha to Barack Obama. 32 years after Maslow’s (alleged) famous quote, this notion made its way to information technologies literature: "a familiar technology or concept applied obsessively to many software problems", was introduced into information technology literature in 1998 as an anti-pattern: a programming practice to be avoided.
Software developer José M. Gilgado observed that developers often "tend to use the same known tools to do a completely new different project with new constraints". The problem with using the same tools every time you can is that you don't have enough arguments to make a choice because you have nothing to compare to and are limiting your knowledge.
And this is especially true in threat intelligence: many enterprises are missing the tools to compare and gain understanding as to the depth and breadth of various TI vendors’ DDW intelligence collection, which led them to rely on obsolete, manual and clearly unscalable reconnaissance. Combined with the confusion and the blurring of lines between the deep and dark web and open source worlds, this led to the false focus on open source (OSINT) instead of dealing with the underground. While OSINT is an important source of intelligence, it is only one piece of the intelligence puzzle, and should be used under the right perspective. As Gilgado summarized in his argument, “we need to keep looking for the best possible choice, even if we aren't very familiar with it".
The right tool for the job
Emmert Wolf wrote that "a man is only as good as his tools", and it couldn’t be any truer when it comes to threat intelligence. If you have ever tried to fix something and not had the right tools for the job, you know how it feels: the sheer frustration and time wasted on sub par performance follows a great sense of inadequacy and annoyance. The struggle is real.
Fortunately, the maturity of technologies such as big data, natural language processing, and machine learning has enabled breakthroughs in automation of reconnaissance, resulting in the ability to provide meaningful intel and insights in real-time. These new technologies and methodologies bring us to a point in time where security vendors find themselves in a (figurative) underground intel candy-store. Smart security vendors can illuminate the realms they need in the deep and dark web in order to create purposeful product customization for their end-users. Meaningful collection from deep and dark web as well as open sources, combined with the relevant methodologies, experience, and insights, will allow vendors to provide their end users with the right intelligence where, when and how they choose to consume it. This means having feeds that integrate with your SOC tools, APIs, or, once building a new product, as an OEM.
By adding the right cyber threat intelligence tools to their toolboxes, security vendors such as SIEM, SOAR and EPP platforms can enhance every product they offer and drop the proverbial hammer on threat intelligence.