By Christopher Taylor, Security Consultant, Taksati Consulting –
“Offense informs defense” has been a driving security tenet for a long time and nothing epitomizes this more than threat intelligence.
“Threat intelligence” refers to the knowledge of tools and methods used to identify and track attackers across multiple victims. Consider this: The FIN7 APT crime group is responsible for attacks against hundreds of victims for a combined total of losses well over $1 billion.
Earlier this year, the APT28 state-sponsored attack group unleashed the VPNFilter botnet malware causing nationwide headlines telling us to reboot our home routers. APT28 was also the group responsible for breaching TV5Monde, costing the French TV network €15 million in damages. The Dark Overlord crime group made national headlines when it attempted to extort money from Netflix over a breach that ended in pre-release content and confidential data being released on the internet. Prior to that breach, it was already known for similar attacks against multiple other victims in education, healthcare, manufacturing and many other industries. Each of these attack groups attacked countless victims using the same tools and techniques over and over again.
Knowing what an attack looks like enables defenders to identify attacks more quickly, and the more quickly defenders can respond, the less negative impact the incident will have on the business. As a vital step in any incident response, network defenders must identify indicators of compromise (IOCs) that can be uniquely searched for to identify compromised systems.
These indicators usually take the form of file names or file hashes for malware, IP addresses or DNS names of systems the malware communicates with, or anomalies in network or process activity. Once these indicators are identified, the defenders can then search the rest of the enterprise to find other compromised systems. Once the incident is contained, the defenders further use these indicators to tune defensive tools, such as firewalls and antivirus, to prevent the same type of incident from occurring a second time.
When companies have a way to share these indicators, it enables recently attacked companies to warn their neighbors about attacks taking place elsewhere on the internet. This enables the recipients of threat intelligence to know how to tune their defensive tools to prevent these attacks before they have been attacked themselves. In effect, properly used threat intelligence enables a company to immunize itself from new threats. Through threat intelligence sharing, companies can enable entire industries to become immunized from attacks affecting their peers. Through this herd immunization, enterprises are able to protect themselves from attacks they have yet to personally experience, thwarting attacks before they happen. The result is that security can finally become proactive instead of reactive.
The most basic form of threat intelligence is antivirus signature update files. By receiving regular signature updates, the antivirus software is able to detect and block new threats that are coming out every day. But threat intelligence goes way beyond antivirus signatures and creates an infrastructure for sharing every other type of indicator of compromise. This includes IP addresses or domain names known to be associated with the delivery or control of malware.
These IP addresses can be loaded into firewall block rules, and the domain names can be loaded into a web proxy or a DNS blackhole zone to block access to these domains in order to prevent the installation or remote control of malware. It includes email addresses known to be sending spam or phishing emails, which can be added to a spam filter's block list, keeping new spam out of your inboxes. There are dozens of different types of indicators that network defenders use to identify attacks, and most of these indicators can be used by some defensive tool to detect, disrupt, deny, or degrade an attack.
Threat intelligence sharing is most effective when it is consumed in an automated way as a machine-readable feed that security tools can use to automatically update block lists. This way threat data can be directly applied to block lists with minimal human interaction in order to shorten the exposure window between when an indicator is confirmed to be associated with malicious activity and the network being inoculated against that activity.
There are numerous sources of threat intelligence data available. Various departments of the government focused on cybersecurity issues — including the FBI, DoD, DHS, NSA, and US-CERT — provide indicators of attacks they have observed. There are free and open source feeds provided by companies like Facebook, AlienVault, EmergingThreats, Team Cymru and many, many others. There are companies whose entire business model is based around providing threat intelligence for a fee, such as LookingGlass, FireEye, RecordedFuture and many others. To make sense of all this data and to combine, correlate, deduplicate and manage all of these data sources requires the use of a security tool known as a Threat Intelligence Platform (TIP).
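The pipeline the last three paragraphs describe (a machine-readable feed, normalized and deduplicated TIP-style, then rendered into a DNS blackhole zone and a firewall block list) as an added example; this is illustrative code written for this article, not any vendor's TIP, and the two feeds, their field names and the `ti-block` set name are constructed:

```python
import csv, io, ipaddress, json, re

# Constructed sample feeds (documentation-range values, not real indicators): feed A is CSV,
# feed B is JSON, they overlap, and each carries a quirk a TIP has to absorb before blocking.
FEED_CSV = """type,value,source
ipv4,192.0.2.10,feed-a
domain,malware.example,feed-a
ipv4,192.0.2.10,feed-a
"""
FEED_JSON = json.dumps([
    {"indicator": "192.0.2.10", "kind": "ip", "source": "feed-b"},
    {"indicator": "C2.Example.", "kind": "fqdn", "source": "feed-b"},
    {"indicator": "999.1.1.1", "kind": "ip", "source": "feed-b"},
])
TYPE_ALIASES = {"ip": "ipv4", "ipv4": "ipv4", "fqdn": "domain", "domain": "domain"}
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def normalize(kind, value):
    """Map a feed's own type label and raw value to (type, canonical value); None if invalid."""
    kind = TYPE_ALIASES.get(kind.lower())
    value = value.strip().lower().rstrip(".")
    if kind == "ipv4":
        try:
            return kind, str(ipaddress.IPv4Address(value))
        except ipaddress.AddressValueError:
            return None
    if kind == "domain" and DOMAIN_RE.match(value):
        return kind, value
    return None  # unknown type or malformed value: it must never reach a block list

def parse_csv(text):
    return [(r["type"], r["value"], r["source"]) for r in csv.DictReader(io.StringIO(text))]
def parse_json(text):
    return [(r["kind"], r["indicator"], r["source"]) for r in json.loads(text)]

def merge(*feeds):
    """Deduplicate across feeds; each indicator keeps the set of sources that reported it."""
    merged = {}
    for feed in feeds:
        for kind, value, source in feed:
            if key := normalize(kind, value):
                merged.setdefault(key, set()).add(source)
    return merged

def to_rpz(merged):
    """DNS response policy zone records (NXDOMAIN action) for the domain indicators."""
    return [line for d in sorted(v for t, v in merged if t == "domain")
            for line in (f"{d} CNAME .", f"*.{d} CNAME .")]

def to_ipset(merged, setname="ti-block"):
    """ipset restore input for the IPv4 indicators, to be referenced by a firewall drop rule."""
    ips = sorted(v for t, v in merged if t == "ipv4")
    return [f"create {setname} hash:ip -exist"] + [f"add {setname} {ip} -exist" for ip in ips]
```

The malformed address from feed B is dropped rather than blocked, and the address both feeds report appears once with both sources recorded, which is the deduplication and correlation work a TIP does before anything touches a firewall.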
The best place to get threat intelligence is from your industry’s Intelligence Sharing and Analysis Center (ISAC). The concept of an ISAC was formed at the direction of the federal government as a way to centralize all of the threat intelligence related to protecting our country’s critical infrastructure. Each ISAC is specialized to focus on the threats specific to its industry. Businesses in a particular industry can join their industry’s ISAC to receive curated threat intelligence feeds, reports, and analysis, as well as training, guidance, collaboration, and other services.
Threat intelligence is by no means the end-all solution to cyberthreats. First off, threat intelligence is only beneficial if the business has a means to act on the data. The basics of cybersecurity must be in place first. It is pointless to know what an attack looks like if there is no network monitoring capability in place to look for those attack signatures. Businesses must first invest in a baseline of security that provides a way to monitor their environment through centralized logging, network security monitoring and endpoint detection and response. Once the business has adequate visibility of its network and blocking capabilities, threat intelligence becomes the way to make these tools more effective and meaningful.
Threat intelligence is a vital, required component of cybersecurity. Defending a network without threat intelligence is like boxing blindfolded. You may have your guard up, but without knowing when and from where a punch is coming, it is impossible to properly block. Defending a network with threat intelligence enables businesses to properly drive their cybersecurity tools, making their monitoring and blocking tools exponentially more effective, increasing the return on investment from the entire toolset.
By receiving up-to-date data on current threats active on the internet, businesses are able to immunize themselves from these threats before they become victims, reducing damages and response costs. This effectively means instead of waiting to be attacked and then responding, businesses are able to block incoming punches before they get hit. Through threat intelligence, businesses are able to transition their security posture from reactive to proactive.