Balancing proprietary and open-source tools in cyber threat research

In this Help Net Security interview, Thomas Roccia, Senior Security Researcher at Microsoft, discusses how threat research drives faster, better decision-making in cybersecurity operations.

Roccia provides insights into balancing internal and external research strategies, the influence of AI and geopolitical events, and how organizations can strengthen their security posture to counter threats.


Could you discuss how threat research contributes to faster and better decision-making in cybersecurity operations?

Threat research is all about understanding the operating methods of threat actors: how they penetrate your network, how they trick users, and what exploits, tools, or malware they use to achieve their goals. There is also a global dimension that influences cyberspace. Geopolitical events such as wars or elections, economic factors such as fluctuations in BTC prices, and global races such as the AI race all influence how attackers operate.

All that information, transformed into intelligence, can be used to guide cybersecurity operations, to adapt defenses, to make the right decisions regarding hiring, product selection, and overall strategies, and to adopt a proactive security posture. At the end of the day, threat research is a tool that contributes to the security of an organization, to ultimately protect its assets.

What are the advantages of conducting in-house threat research versus outsourcing to third parties?

Conducting in-house threat research allows an organization to tailor its efforts to its needs and focus on the threats that might impact the company. However, it requires a solid maturity in terms of understanding the needs and requirements, as well as advanced personnel capable of building and running a threat research program.

On the other hand, outsourcing threat research allows an enterprise to entrust its security exposure to a specialized organization that may have broader visibility into the threat landscape.

There is no one-size-fits-all solution, but effective threat research often requires a mix of both, with an internal team capable of understanding the threats from various signals and transforming the information to meet the organization’s needs. And of course, the budget allocated is also something to consider.

How do you balance proprietary versus open-source tools in your threat research workflow?

Balancing proprietary and open-source tools in a threat research workflow mostly requires consideration of needs, budget, and team expertise. First, it is important to assess the requirements of an organization by identifying the capabilities needed, such as threat intelligence platforms or malware analysis tools. Next, evaluate open-source tools, which can be cost-effective and customizable but may require community support and frequent updates. In contrast, proprietary tools could offer advanced features, dedicated support, and better integration with other products.

Finally, think about scalability and flexibility, as future growth may necessitate scalable solutions.

What are your thoughts on the impact of AI and machine learning in automating threat research, and how can CISOs evaluate their effectiveness?

I think the security industry and the work we are doing in threat research is changing and evolving with generative AI technology, but the security industry is still catching up.

The technology is not magic, but it is a powerful tool to speed up processes and bolster security procedures while also reducing the gap between advanced and junior analysts. However, as of today, the technology still requires verification and validation.

Globally, security experts with a dual skill set in security and AI will be in high demand. As the adoption of generative AI systems increases, we need people who understand these technologies, because threat actors are also learning. In the near future, if you encounter an incident involving this kind of system, how do you respond to it? How do you investigate the breach? These are some of the events organizations need to be prepared for.

If a CISO needs to evaluate the effectiveness of these tools, they first need to understand their needs and pain points and then seek guidance from experts. Adopting generative AI security solutions just because they are the latest trend is not the right approach. Understanding the technology and where it can practically be applied is the key to evaluating its effectiveness.

In your experience, how do geopolitical events shape the focus and methodology of threat research?

Geopolitical events have a critical impact on the focus of threat research. For example, threat actor profiling or attribution must be adapted to understand the changing motivations and tactics of state-sponsored actors or politically motivated groups. Resources may need to be reallocated to focus on threats more likely to target organizations due to their geographic location, industry, or affiliations.

Threat landscape prioritization changes because certain threats become more prominent in response to geopolitical tensions. Organizations at the center of tensions may also adopt a more aggressive cyber defense posture, which may affect how attackers operate. Collaborative efforts can improve defense capabilities and require coordinated threat research methodologies.

Geopolitical events may lead to targeted research efforts, such as language-specific studies or region-specific malware analysis. Researchers also need to adapt their methodology and extend their focus to include misinformation and influence operations, which are more and more often conducted in synergy with cyberattacks and field operations.

There is a multi-dimensional aspect today in threat research that needs to be addressed differently with the right tools, methodology, and focus.
