Jaime Blasco is the AVP Product Development at Alien Labs, part of AT&T Cybersecurity. At Black Hat 2019, Jaime sat down with Enterprise Times to talk about threat intelligence. It’s a subject that is high on a lot of organisations agenda. The problem, is that many organisations don’t know what to do with it. They are overwhelmed by the intelligence they gather and when they try and DIY, they lack the tools. But when they go to many vendors, what they get are a series of alerts which often lack an actionable element.
Blasco talked about how we start to make sense. Alien Labs creates two types of threat intelligence. The first, that Blasco describes as Tactical Threat Intelligence. This has all the details that IT teams need to detect and spot threats. They can use this to block domains, IP addresses, spot C&C servers that attacks rely on.
The second is Strategic Threat Intelligence. This does a deep analysis of the data and is focused on the threat actor. It looks to understand the motives, who is sponsoring or supporting them, what are they looking for when they get into the network.
To make sense of all the information coming in, AT&T has launched Open Threat Exchange. Blasco says that this allows other researchers to come in and look at the threat data. It provides them with tools to understand what is in the data and helps to improve identification of threats and, more importantly, reduces false positives.
Blasco‘ s group also spends a lot of time tracking and identifying threat actors. One of the key goals for any threat hunting team is to be able to anticipate what a threat actor will do. This allows them to predict behaviours, attacks and put in place mitigation strategies while waiting for the attack to develop.
To hear more of what Blasco had to say listen to the podcast.
Where can I get it?
obtain it, for Android devices from play.google.com/music/podcasts
use the Enterprise Times page on Stitcher
listen to the Enterprise Times channel on Soundcloud
listen to the podcast (below) or download the podcast to your local device and then listen there