With another pivot into the threat intelligence space recently, FireEye continues to make strides on the services side of security. One person who has ridden through this progression is Director of Threat Intelligence Laura Galante.
When I met Laura at the recent RSA Conference, she explained that “it’s a small world in cyber intelligence!” A former Mandiant threat analyst who came over in the 2014 acquisition, Galante now finds herself managing 115 analysts after more intelligence (in both senses of the term) was brought over in the acquisition of iSIGHT Partners.
“It came along with a totally different approach of ‘we want to figure out how to sell our intelligence’ and we were selling their whole business as a service, and it is a different approach with different sourcing,” she said. “So there is a lot of cyber-criminal activity and we have deep sourcing in that area, and in hacktivism and we have the data and resources, and have been growing that for years.”
Galante called the addition of the iSIGHT Partners threat intelligence “a huge compliment to my team”. Galante herself was in the intelligence division of Mandiant, and the original team of core intelligence analysts identified the issue of cybercrime and said ‘how do we stop this problem’.
She said: “This huge thing was sitting there in the intelligence community and you get some really cool sourcing, but your visibility is on what is happening in governments. So we were sitting there – I was a Russian military analyst – and from a motivational and ability standpoint, the questions were ‘why were we not seeing this?’ and ‘why are we not seeing network activity across different countries?’”
“How are we not able to solve this problem? Because we don’t have visibility into it? The suspicion is the data is probably sitting there in the private sector because everyone is feeling this too. The perfect marriage was Mandiant sitting there with all of this investigation data and thinking, what if there is something huge here and IP is going out the door? We didn’t know how to think about it, and Mandiant needed intelligence so they hired a few of us out of government to figure out what the data was, how to model and analyse it and that is just what we did.”
Galante worked on the APT1 report that was released in February 2013, and this allowed her to see data on the host side and not just on the network, and to understand what malware is sitting there that sends out these alerts.
“Then we were focused on how to drive the lessons we were learning and intelligence we were gathering back into detection and into the product, and back into engagement for the investigators on how to process data and so on,” she said.
I asked her what the aims of FireEye’s intelligence team were, and she said that the driving work in intelligence is always analysis, and how many people are looking at and understanding this data.
“There are a lot of companies that want to do their own analysis, and some outside of the USA with interest in what FireEye/iSIGHT are reporting on different APT groups and how they can learn more, but there is more and my team’s submissions are making sure that they have the context to create an automated and programmatic approach into the products and services,” she said.
“What we have to think is by 2018/2019, no-one will be thinking about reading a report and putting in the action; you want the action taken and escalated based on the analytics based on the report - it is a manual process and entertaining the data in the right way, that is where the manual-ness of this intelligence has to be.”
Galante explained that the team of analysts will dedicate their time to how the data can be modeled most faithfully, and attribute and associate groups correctly. She said that what the industry read about APT1 was about attribution, and that was the most asked question.
“It has changed in the posture about the spending and priority in a corporation that it has to have and if you are highly at risk in these areas and this scenario, that particularly really helps to be able to quantify how to do this and intelligence has this posture and profile,” she said.
So what about the multiple threat actors? I asked Galante whether, three years on from APT1, things have changed. She said that a lot of changes are seen, and the writing was on the wall after they were identified, and that ‘certainly petered out’. Now the threat actor is looking for intellectual property and more standard state espionage, so with more intelligence feeds and information on cyber-criminals, what the analysts are seeing is domain and network operations being used for activity that has exploded in the last three years.
“The parallel response to that is we have seen actors have to have more refined types of operations to achieve that,” she said.
“Actions change from group to group, but the refinement in mission is one we are seeing and we see a ton of activity and we are doing more investigations than we have ever done! The threat is not abating but how that activity occurs and the human element behind it has changed, and we have covered a large number of reports on what Russian state actors are doing and the industry’s ability to expose the threat and use it and talk about reality vs the FUD factor on the actor side, has changed the scope of what they are doing. In some cases it has improved the bad guys, as there have been a variety of reactions to that.”
Galante concluded by saying that bad stuff still happens, but the role that threat intelligence still has to play in this is an ability to cut through the FUD, and as someone who is privileged to have great data and a great team looking at it, she said that she felt very responsible for how we portray the threat.
“What I am interested in getting is proof points on activity of the threat landscape as you’re only a few groups from having the whole visibility of what we do. With that power and visibility comes great responsibility!”