Bringing Collaboration to Real-Time Data Feeds

This is Recorded Future, inside threat intelligence for cybersecurity.

Dave Bittner:

Hello everyone, and welcome to episode 86 of the Recorded Future podcast. I’m Dave Bittner from the CyberWire.

Our guest today is Aaron Gee-Clough. He’s chief technology officer for King & Union, a company that aims to bring increased collaboration to threat intelligence analysts, allowing them to more easily visualize and manage threat data in real time.

We discuss the benefits and challenges in bringing meaningful, actionable threat intelligence to small and midsized organizations, what he thinks machine learning can and cannot bring to the table, the distinction between threat intelligence and just a list of bad IPs, and how many organizations are already exercising their impulse to collaborate and share information, even if they’re doing it in unofficial or inefficient ways. Stay with us.

Aaron Gee-Clough:

I’ve been doing information security since about ’99 or so. I bailed on grad school in physics for the first dot-com boom, partly because I was burning out on physics, and partly because I was looking around at the dot-com stuff, going, “I can triple my salary by going three blocks down the road,” and getting jobs as a grad or a post-grad student in physics was getting increasingly hard. And it’s only gotten worse.

Dave Bittner:

I see. So you jumped on that opportunity?

Aaron Gee-Clough:

Yeah, I bailed out for the dot-com boom and ended up at a web hosting company called Digex, who were notorious in the D.C. or Maryland area, as everybody went through them at some point.

Dave Bittner:

I remember them, sure.

Aaron Gee-Clough:

I ended up in the web hosting group. I was working, initially, in their server operations center, and one of the machines got hacked, and because I was sort of enthusiastic about chasing it down, I got pulled into the security group there. That started around summer of ’99. I’ve been doing security stuff since. I worked for NIH for quite a while after that, slowly becoming less and less of a network security guy and more and more of the programmer, process automation guy. To the point where I met the folks who started the company I’m at now, at some of the local D.C. conferences, where I was being the opinionated one, saying, “Elasticsearch can do that better than what you’re presenting.”

Dave Bittner:

You were that guy.

Aaron Gee-Clough:

I was that guy, unfortunately. So they approached me to say, “We want to do this thing based on talking to you at happy hours and seeing you at these various conferences. We think you’d be a good match for what we want to do. Do you want to try it?” I thought, “Someone’s just offering me a startup position and landing it in my lap. I would feel like an idiot if I passed it up. Let’s try this.”

Dave Bittner:

Yeah, so describe to us, what are you doing in your current position? And what is the company’s mission?

Aaron Gee-Clough:

We’re doing threat intelligence. We’re trying to take the threat intelligence process and make it a lot more collaborative. So you’re getting people away from working in a little corner, and then presenting a map saying, “Look what I’ve got.” We’re trying to take the network maps that people make, of attacker infrastructure, and make those into Google Docs-style, real-time collaboration platforms, so people can see each other’s edits in real time. They can chat with each other, busting things out of these little silos of work that they’re doing now.

My role in that is, I wrote the backend and project managed the beginning of it. Initially, we’d outsource it to a company, and I was the one managing that outsourcer and when we in-sourced it. Now, those folks report to me. So I’m doing less and less programming over time and more and more management.

Dave Bittner:

Can you take us through … What was the initial spark of an idea … You know, the itch that you and your team were trying to scratch, where you thought you could make a difference and contribute to this particular part of the industry?

Aaron Gee-Clough:

So the two founders came from two different areas, but they both saw the same thing. One of them came from the government’s Einstein E3A program. He was actually part of the CenturyLink contract that built it. Then, the other guy came from a contracting company that does a lot of work — a little bit on civilian side, a little bit on the military side — around security and threat intelligence, and they were complaining that they saw a lot of the same things happening, that there was a lot of manual labor. There’s a lot of people not talking to each other, stuff like that, and they thought, “There’s got to be a better way to do this.”

Dave Bittner:

So how do you come at that problem? What was the brainstorming session for your team to come up with a way to do a better job?

Aaron Gee-Clough:

I mean, the tool itself, we spent about a month or two after we started sitting in an office in Old Town, Alexandria, looking at the whiteboard. So what we initially proposed, even to the initial investors, is a lot different than where we landed. They teased our founders about that a little bit, actually. And really, it came down to … We’re looking at it and saying, “What can we do? Let’s look at how we work now.” Because a lot of us were analysts. I had done some threat intelligence work and worked with … A couple other folks in my team had done a bunch of threat intelligence work, and we looked around and said, “What can we do to make this better?”

We started talking about, “Well, how do we work?” Well, we generally … We’ll open a MultiGo or open up Excel, and then we’ll do a query here and then a query there and a query here. We’re listing stuff out and going, “Jesus, I can automate so much of this.” So we did, and then the next step for that was, “Well, that’s great, but we should go past that.” Everyone’s talking about, “We should be working together. Can we make this really collaborative? Can we make this really, real-time collaborative?” It took some thought, but we looked at it and thought, “Google Docs does it. Why can’t we?”

Dave Bittner:

So you actually are using Google Docs as part of how it all works?

Aaron Gee-Clough:

No, no. I use that as just an example because people get how Google Docs works.

Dave Bittner:

I see.

Aaron Gee-Clough:

If you say, “Multiple people can be editing a document at the same time,” people understand. You say, “Like Google Docs.” People get it because you’ve done that before. You had two people editing different paragraphs in Google Docs, and it just works.

Dave Bittner:

Right, right.

Aaron Gee-Clough:

That’s what we’re aiming for — the same thing. We’re aiming for the same thing for these network maps and threat intelligence investigations. We want multiple people to be working on this report, working on this map of attacker infrastructure at the same time. They see each other, and it’s happened in real time, and it just works.

Dave Bittner:

One thing we talk about on this show a lot is the importance of taking that incoming feed of threat intelligence and then making it actionable, making it so that you can actually do stuff with it. So how does the type of stuff that you’re doing here, how does that contribute to someone’s ability to make that intelligence actionable?

Aaron Gee-Clough:

A couple of things, and partly, what we’re trying to do is help the analysts get to the point of actually making judgment calls a lot faster. There’s no value in somebody typing “WHOIS” in a command line 500 times and copy-pasting stuff into a spreadsheet. We can automate all of that. The other part of it is we have a thing we call exports, where once you have a feel that a map is a good diagram of an attack or infrastructure, you can take that that graph and pull it back to your organization. You can pull it back in STIX format, or in XML, or in JSON, or something like that.

You can treat these export URLs kind of like threat feeds. So your tier-three guys can be making custom threat feeds for your tier-one guys, for your IDSes. They can say, “We’ve investigated this threat actor. Here is a threat feed for our results of that. Feed this to the IDS or the SIEM.”

Dave Bittner:

Now, again, describe to me how … When you’re talking about the collaboration here, different team members have different specialties, different things that they may be better or worse at. So are you able to dial in people’s specialties to how they can contribute?

Aaron Gee-Clough:

To an extent, yeah. I mean, we’re certainly focusing on a part of the process. We’re not doing the reverse engineering. I’d like to, but we’re not there. We’re really focusing on the internet-facing threat intelligence. But sure, if people have different specialties, they can be putting in, “I know something about these guys,” or, “I know that a lot about SSL certificates, and I’m pretty sure this particular certificate is not insightful in any way. Let’s remove it,” that kind of thing.

Dave Bittner:

Do you have any issues with — I guess, for lack of a better word — collisions? You know, multiple people working on the same thing?

Aaron Gee-Clough:

Oh, God.

Dave Bittner:

I feel like I struck a nerve.

Aaron Gee-Clough:

So here’s a whole body of research about this that you can talk about for hours. Google has something called operational transforms and other things called collision-free data types, I think they’re called.

Dave Bittner:

Wow.

Aaron Gee-Clough:

There’s a whole body of research around that. We haven’t gotten quite that far yet, though we need to. We’re doing a lot of what’s called opportunistic locking. So we think about it a lot because you’re right, It’s a challenge, and it’s a challenge that comes up almost as soon as you start doing this kind of thing. Actually, it’s funny. It’s a challenge that came up almost as soon as one person had a security product that was scanning their traffic. There was one guy who was testing the thing for us, who had an aggressive middleware box on his network where it was delaying his request by like five seconds.

So, interestingly, he started clashing with his own edits in some cases, because it would take so long for his edit to go back out to us and come back that he’d make another edit in the meantime.

Dave Bittner:

Wow.

Aaron Gee-Clough:

That’s part of the reason why I laugh is, we ran into these weird edge cases like that.

Dave Bittner:

Yeah, now, how do you dial in … If I’m subscribing to various threat feeds or different services, can I hose your system up to those and have them flow through?

Aaron Gee-Clough:

We try not to be a flow point, but you can certainly query stuff. If you have other data sources, like an Anomali or ThreatConnect or something, you can certainly give us your license key for them and then query them through us, yeah.

Dave Bittner:

I see. So in terms of how people are using threat intelligence these days, what is your take on that? Where do you feel we are in terms of maturity of people’s ability to effectively use threat intelligence?

Aaron Gee-Clough:

One of the real challenges right now is that there’s a real distinction between threat intelligence and just lists of bad IPs. Everybody needs the list of bad IPs. The intelligence some people need and some people use, other people don’t have the maturity to consume, and we don’t really make a distinction between those things. The APT1 report, the CrowdStrike report on the DNC hack — those are much more intelligence things, and those are fascinating things to read, but you don’t necessarily need those if you’re Joe’s Crab Shack.

You need a safe or reliable list of, “Things that I shouldn’t be talking to,” and, “Things I should be blocking.” We call that threat intelligence also, which is a problem for the industry, that we should probably be making a distinction there. But that’s one of the real challenges we run into is, for threat intelligence, how do you make this usable for a smaller [or] midsized organization?

Dave Bittner:

Right. Yeah, how do they deal with that potential fire hose of information?

Aaron Gee-Clough:

Not just the fire hose, but how do you make it meaningful for them? Joe’s Crab Shack is going to look at — and I keep using them as a demo just because it’s a great name — you know, is going to look at something like CrowdStrike and go, “I have no idea what this is.” Not to say anything against CrowdStrike — It’s a super valuable tool. But if you’ve got two IT guys, that kind of thing is just not in your purview. They don’t need CrowdStrike; they need to know that they shouldn’t be talking to X, Y, and Z.

Dave Bittner:

What about collaboration outside of the bounds of my organization? I’m thinking, particularly, if I’m a small company like that, is there anything to be gained by teaming up with Bob’s Crab Shack down the way so we can coordinate?

Aaron Gee-Clough:

There is. The challenge is having something to contribute and having something to consume. The bigger companies — your Fortune 500s, your Fortune 100s — have stuff to contribute to each other, and a lot of them are starting to work this out. I’m aware of a couple that are already doing this. They’re already calling each other, emailing each other. They have private discussion groups where they share information. It’s done very ad hoc right now. I have heard rumors that there’s a couple of Fortune 100s, I think, who all have a telephone call each morning and read indicators to each other, which — it works.

I think that’s awful if you’re trying to read some letter salad domain out to 23 people on a phone call. That’s not ever going to be effective. But if they’re doing it, that’s great, because it’s better than not. I mean, yeah, the challenge for something like your neighborhood Crab Shack is going to be, do they even have the skill to recognize the difference between some random scan of the internet and something that’s really, uniquely attacking them? That’s one of the big challenges of the industry is, the people who have the staff and the skills to consume this stuff and create this stuff are in a different world than the folks who are just trying to hang on with their own IT.

Dave Bittner:

What sort of things are you seeing from the folks who are using this sort of collaboration? What’s the feedback? What are the benefits that they’re seeing?

Aaron Gee-Clough:

There’s a couple, and different people are doing it in different ways, and they want to collaborate in different ways. Some are large companies who want to collaborate with them in many ways. They have a team of 20 people, and maybe they’re geographically dispersed, and rather than having conference calls all the time, they want to be able to collaborate with themselves. They want to have their own organization be able to talk to itself better.

Others are interested in what I think is collaborating in the future. If you have a lot of staff turnover, they want to have a record of, “This is what we did when we investigated this,” and be able to have it written down somewhere. That use case, frankly, hadn’t even occurred to me when we built it, but a couple of organizations said they found that useful.

When you have others that are talking about collaborating either between companies, or we have a couple of MSSPs … You’re talking about using it to collaborate with their customers, where if a company has outsourced their security to an MSSP, the MSSP could be using this to say to them, “We’ve done some work on this thing that we think you’re being attacked by. Here’s what we have. Let’s talk about what you’re seeing.”

Dave Bittner:

Now, in terms of looking at the future, toward the horizon, where do you think threat intelligence has to go? Where are we headed?

Aaron Gee-Clough:

The fire hose has got to get under control somehow, and I don’t know what the answer to that is at the moment, but we can’t keep fire hosing people because they’re going to turn off. We’ve tried a couple ways to automate that, like STIX and TAXII were one effort for it. Everyone’s talking about machine learning as the next step. I’m not entirely convinced that’s going to be effective, but it’s worth a try.

But frankly, we’re going to have to do something to get this better focused because right now, nobody can consume all the information that’s being generated, never mind evaluated, to see whether or not it’s appropriate. Hoping against hope that machine learning will save them from that … If it does, more power to them. I’m, like I say, as you heard from my last comment, I am not optimistic how that’s really going to work.

Dave Bittner:

Well, how come?

Aaron Gee-Clough:

Machine learning is great at saying, “I have 500 pictures of dogs. These are the things that are common about those 500 pictures of dogs. This thing you just handed me matches those things pretty well, so I think this is a dog.” But that’s not what you’re trying to do in security. It’s hard to say this thing matches these five other properties of this last attack. Therefore, this is also an attack, because once an attack changes so rapidly, what the processes that people do change, what they’re attacking, how they’re attacking change. So you can’t just say, “This looks like an attack from last year,” and expect that to be enough.

Machine learning is great at identifying things it’s already seen, and the whole problem with security is, it’s a constantly ratcheting race, and machine learning is not great at identifying things it hasn’t seen before.

Dave Bittner:

Yeah, it’s an interesting insight. I mean, I think … I was just talking with someone recently about how it’s hard to compete with that human sense of intuition. When you have a funny feeling that something’s not right, you might not be able to put your finger on it, but you sense that something needs a little more attention than it’s getting.

Aaron Gee-Clough:

There are some things that machine learning is fantastic at, and there’s going to be some good use cases for it. I mean, we’re certainly looking at, can we use machine learning to say, “I think that’s a web host,” or, “I think that’s just noise,” or, “I think that’s a default certificate.” Identifying these things that don’t change very much and are probably false positives. In those areas, I think machine learning works well because those aren’t things that are trying to hide from you. I think machine learning is going to have a real problem in identifying things that are actively trying to hide.

Dave Bittner:

What are your recommendations for organizations that are trying to get started with threat intelligence? I’m thinking, particularly, of those midsized organizations. Any advice for them?

Aaron Gee-Clough:

It’s a real challenge. I mean, the unemployment in the field is basically negative. So you can’t say to them, “Yeah, just hire somebody and see what they do.” I would say, actually, I wouldn’t necessarily start with threat intelligence, and my sales guys are going to smack me for saying this. I would start with threat hunting, actually, because the threat intelligence process can serve and feed the threat hunting process well, and they knit really well together.

But the threat hunting stuff is something that’s much easier for a small organization to get their head around quickly, and to say, “I’m going to go actively looking for busted things in my network.” You should already know your network. You should already control it. You should already have access to it. If you don’t, well, here’s a big laundry list of things you should be doing. Then once you have that put together, then you can say, “My input to that is coming from this threat intelligence discussion.”

Dave Bittner:

That’s interesting, sort of a crawl before you walk thing, I guess.

Aaron Gee-Clough:

Yeah, and that’s not to say that threat intelligence is not useful for these organizations, which is why I was saying that my sales guys are going to smack me. But you want to make sure that it really is meaningful to you. If you want to just buy a feed of malicious IPs or domains, do that. But to be able to consume threat intelligence, have it be meaningful, I would say, you want somewhere for it to go. You want somewhere to consume the data meaningfully. You want some part of your process that’s looking for it as an input. If you don’t have that, then starting threat intelligence is going to go nowhere.

Dave Bittner:

Right. You’ve got to have a firm foundation before you can go ahead and build that house.

Aaron Gee-Clough:

Yeah. I mean, think of threat intelligence as a data source for your organization. If there’s nothing to consume that data source, you’re wasting your time. But there are a couple of interesting things that are happening in the industry right now, about how people are sharing right now, because it’s not just happening company to company. There’s dozens, possibly hundreds, of little Slack channels with people who know each other, sharing information. One of the other reasons why we are so convinced that the collaboration thing is a big deal is people are trying to do it.

In a lot of cases, it’s under the table. Their bosses may not know that they’re talking to some other giant company in the same area, but it’s happening all over the place, and it’s happening through things like Slack or these sorts of pirate email lists and stuff.

Dave Bittner:

Right.

Aaron Gee-Clough:

Right now, it’s happening mostly through word of mouth that, “This guy knows this person. This person knows this person,” and then they do these mutual introductions, and they join this Slack channel, and they do other introductions. They all attest to each other that they know who they are, and they’re going to handle the data properly. So these things grow over time, but they all get touchy about knowing who they’re talking to and all these interesting questions about, “How do you handle collaborating with somebody that you don’t necessarily know?”

And that’s something that I’m wrestling with right now. How do I do that? How do I give someone the confidence that the person they’re collaborating with is a), knowledgeable, and b), able to handle the data safely and correctly? Right now, that’s being done with a lot of word-of-mouth Slack channels.

Dave Bittner:

So that impulse, that desire. is absolutely there.

Aaron Gee-Clough:

Oh yeah, yeah, it’s happening. It’s happening right now. It’s happening ad hoc right now. Unfortunately, it leads to the same problem that I was just mentioning earlier about Bob’s Crab Shack, because even if Bob’s Crab Shack does have a good security team, if they don’t know anybody to get them into one of these Slack groups, they’re frozen out. It’s an interesting situation for how you break into these things.

Dave Bittner:

Right. How do you get your street cred?

Aaron Gee-Clough:

Or even get an introduction to be able to join one of these collaboration groups.

Dave Bittner:

Our thanks to Aaron Gee-Clough from King & Union for joining us.

If you enjoyed this podcast, we hope you’ll take the time to rate it and leave a review on iTunes. It really does help people find the show.

Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive the top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.

We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Producer Peter Kilpe, and I’m Dave Bittner.

Thanks for listening.