Threat Intelligence at Akamai

Akamai differs from most companies in that their sprawling infrastructure generates a lot of threat data that can be distilled into intelligence. Akamai has deployed more than 233,000 servers in 130+ countries that are seeing traffic from 1,600 networks around the world. Very few organizations have a better global view of Internet traffic than Akamai.

Studying this data falls under the purview of Eric Kobrin, Akamai’s Director of Security Intelligence, who leads Akamai’s Security Intelligence Response Team (SIRT). The SIRT is responsible for distilling the petabytes of data into actionable intelligence that Akamai can use to protect the organization and its customers. The SIRT is managed by Lisa Beegle and Mike Kun, who report to Eric.

The SIRT is one of many teams responsible for intelligence at Akamai. Eric’s responsibility is for internal intelligence, but those lines can often be blurred. His team is responsible for ensuring that the customers’ services are safe and that the customers themselves are safe. Other teams are responsible for directly driving product direction based on threat research.

Defining Intelligence at Akamai

It is always a good idea to start with a baseline definition of intelligence, since the terms means different things to different organizations. To Eric, threat intelligence is “…non-public information about the Tactics, Techniques, and Procedures (TTPs) of attackers as well as insight into what attacks are coming and who the likely targets of those attacks are.”

This is a great definition because it moves beyond the traditional indicators of compromise and focuses on information that is actionable and provides context. Eric provides the following example of something that he considers threat intelligence: A security researcher finds a vulnerability in software that Akamai uses and reaches out to alert the team at Akamai.  That vulnerability may be in software that Akamai built or something they use (e.g. a particular library on which Akamai is very reliant). This type of responsible disclosure means that Akamai can get a patch released or in place before any potential damage occurs to their organization or their customers.

Of course, threat intelligence is not just reported by third parties or collected from network traffic, SIRT also monitors underground forums for information related to upcoming attacks. They look for attackers targeting specific organizations, learn the attacker’s timeline, monitor for the attacks, and warn Akamai’s customers of the coming attack, as well as monitor for potential collateral damage. As Eric says, given the extent of their reach they are able to use underground data to say, “Here’s the attack, it is coming at this time, and we can set up to watch the attack.”

Threat Intelligence Sources

As mentioned, Akamai produces a great deal of internal and external threat intelligence as part of their day-to-day operations. But Akamai does not see every part of the Internet, so they also rely on third parties to supplement their threat intelligence. In fact, there are four sources that Akamai uses for threat intelligence:

• Active observations
• Passive observations
• Information sharing: both formal and informal
• Malware analysis

Quite a bit of Akamai’s intelligence is informal, and informal information sharing tends to have a lot more impact than formal sharing. When your friends tell you something, they know; and they are not going to waste your time.

Informal sharing doesn’t happen automatically, it takes years of cultivating relationships and requires hiring the best analysts, who will have strong relationships with analysts in other organizations. It also means being willing to share information as well, whether that is through informal channels or through more formal channels, such as presenting at security conferences and providing training to other organizations.

Eric encourages his team to present at conferences around the world, and Akamai supports its employees by providing education reimbursement. Building a stronger team and encouraging them to constantly challenge themselves and improve their skills means that Akamai’s respect within the industry will continue to grow.

Formal sharing agreements, whether through an ISAC or a third-party threat intelligence provider can also be very valuable. The problem with these sources is that they can be subject to too many false positives. In Eric’s view, context is important in these cases. The better the context the third-party provider can present around their intelligence, the easier it is for the analyst team to work with. Another important aspect of third-party threat intelligence relationships is reliability over time. A provider who consistently provides good intelligence with context around the threats is more valuable than a provider who presents a lot of intelligence with no context and too many false positives.

The Akamai Team

Eric’s security intelligence team at Akamai has several overlapping skill sets, working together to fuse data to produce a threat intelligence stream that the entire company can use. The different roles are:

• Reverse engineering specialists: The more obfuscated and hidden the malware is, the better. If you give them a problem, they will work on it until they are finished. Sometimes he wonders if they go home.
• Dark web research specialists: Underground experts who spend time talking to bad guys
• Industry research specialists: Well-connected analysts who spend time talking to industry experts
• Threat analysis specialists: They spend time analyzing Akamai data and looking for patterns—reviewing traffic, logs, and other data that helps them understand the threats hiding in the dataflow.  
• Writing specialists: One of the most important roles, they are responsible for communicating the findings of the other teams in a clear, concise, and accessible manner.

There are a couple hundred people working in security across Akamai at any given time.  The number of people dedicated to intelligence is not as important as the number of resources that Akamai can bring to bear to resolve a problem. But security is everyone’s concern, and if there is a security problem, his team will reach out across the company to try to find someone who can help resolve it.

Education is an important role for Eric’s group. They train both Akamai employees and other organizations in security architecture and secure development. Eric’s group offers several internal education programs, both self-taught and in person. They will also fly out to a customer site to educate their staff. As discussed, Eric’s team speaks at industry events as well as Akamai’s own EDGE conference, and Eric personally trains new hires on how Akamai approaches security as a company, which includes a call to action akin to “if you see something, say something.”

Lack of Standardization Challenges

One frustration that Eric has is the lack of standardization around information sharing across the industry. Transparency and willingness to share information between organizations is still a challenge. He understands why it is done, but one of the things that is harmful is when intelligence is shared under onerous agreements. This happens when an external group or organization provides direct actionable intelligence but dictates with which internal groups it can be shared.

Every organization has their own story around information sharing, but there has to be less differentiation between information sharing agreements.

As Eric says, “Akamai wants the Internet to be a better place, and the work we do in this space is to make the internet safer.” He wants people to find more efficient ways to share information with each other with less restriction on how the information can be shared in the defense of the internet. While it is understandable that organizations want to keep sensitive intelligence from being used by sales or marketing teams, overly restrictive sharing agreements makes it hard to get intelligence to the people who need it.

A better standardized sharing and redistribution framework is necessary going forward. Eric expects that there will be a new standard developed in the near future. There almost has to be.

Final Word

Setting up a threat intelligence program from scratch or revamping an existing program is challenging. There are a lot of challenges and pitfalls that can hinder the ability of a good threat intelligence team to be as effective as possible. That shouldn’t stop an organization from trying.

The goal of this book was to provide a framework that allows organizations to get started, as well as some practical advice to assist during the launch of a threat intelligence team. The next step is to actually get started—make the leap from being reactionary to threats to getting ahead of them. There are a lot of great resources, outside of this book, to assist in the process. SANS has published several excellent white papers on the topic of threat intelligence. A number of good threat intelligence articles also regularly appear on Dark Reading and SC Media.

Beyond reading material, organizations should not be afraid to reach out to industry-specific groups to find out what other organizations in the same vertical are doing to build threat intelligence programs. If there is no industry-specific group, organizations can talk to their security vendors about what other organizations in their vertical are doing about threat intelligence.

The point is, the best way to improve threat intelligence posture is to start doing something. Even if that something turns out to be the wrong direction, it will make a good lesson learned and the team can move forward. Again, it will take a lot of work, but the payoff in terms of better security is worth the effort.