Threat Intelligence

The latest weapon in the war on cyber-crime isn’t revolutionary, but it is much more than just evolutionary.


The new buzz phrase in security is threat intelligence, a pre-emptive approach that combines forward-thinking, real-time awareness with both reactive and pre-emptive threat analysis philosophies.

“The principal purpose of threat intelligence is to inform decision making and mitigate risk,” says Adam Vincent, founder and CEO of Cyber Squared, in Arlington, Va. While specific definitions vary, Vincent’s organization defines it as “an emerging information security discipline that seeks to recognize and understand sophisticated cyber adversaries, specifically why and how they threaten data, networks, and business processes.”

This seems to be a fairly accurate definition based upon what it attempts to accomplish, but it’s also not a simple concept.

“Threat intelligence is a very complex idea,” he says. “There is tactical intelligence, which is more the fingerprint of the cyber-criminal, and there is the strategic threat intelligence. Strategic intelligence includes not only the fingerprint, but also intrinsic information about the bad guy that identifies the companies they go after and the methodologies they use, for example. By merging the two, one can not only predict that you are on the bad guy’s radar screen, but you can start looking for their fingerprints in your lobby.”

[Figure: Untitled. Source: Trend Micro]

Put in perspective, threat intelligence isn’t something you just go out and buy. It’s a process of combining or aggregating all available data from both internal and external sources, and then applying analytics to it.

“This analysis process looks at the data in such a way as to be able to make decisions based upon it, and act upon it, relative to your mission,” adds Vincent.

Roberto Martinez, security researcher at Kaspersky Labs, defines it as, “the integration and correlation of information acquired from various sources and contexts about the threats and risks associated with an organization’s assets…using the collected information, organizations can create a report of situational awareness, and work on prevention and protection strategies. They can also create predictive models that can be used to neutralize or reduce the impact of potential threats and attacks in the near future.”

On the other side of the world, Rui Serra, product manager for Anubis Networks in Portugal, sees threat intelligence “as about obtaining information from multiple locations and vectors, correlating it, removing irrelevant data, and adding context to create true knowledge. On top of that it must become a value to the security operations in an organization (customized for the organization, contain predictable intel[ligence], and real time threat events), and be delivered in clean, readable formats.”

And no matter who defines it, threat intelligence is a comprehensive approach that integrates large numbers of threat abatement tools. It is a complex, evidence- and knowledge-based concept that includes context, mechanisms, indicators, implications, and actionable recommendations against existing or potential threats. It accomplishes this by real-time and continuous analysis and assessment of security data collected from a wide array of sources.

How it works
What makes threat intelligence such a useful tool is that it addresses more than malware detection and tools. It places a priority on leveraging knowledge about adversaries by establishing a state of information preeminence. “Threat intelligence allows one to make better decisions, both tactically and strategically due to a better understanding of what is happening,” says Vincent.

One of the key concepts is to recognize and understand today’s sophisticated cyber adversaries, beyond simple analysis of past events, and specifically to identify why and how they threaten the aforementioned data, networks, and business processes. The expected result is that, with enhanced and anticipatory knowledge of such threats, countermeasures can be developed that offer stronger and earlier protection against them.

With that understanding, one can diminish the adversary’s probability of success with each ensuing intrusion attempt. By utilizing all the tools of threat intelligence, the end user, or security manager, or whoever is the responsible party, gets a much more accurate, timely and detailed portrait of the threat environment.

“The main challenge is early detection of attacks and finding a way to capture all the data that is generated from different sources and formats, then normalize, integrate and correlate it to obtain valuable and useful information,” Martinez says. “The implementation must include tools and frameworks. These can be proprietary or even open source.”
(Among the tools: Collective Intelligence Framework and the MANTIS Cyber-Intelligence Management Framework. Among the frameworks and formats: Open Indicators of Compromise (OpenIOC), IODEF (RFC 5070), Cyber Observable eXpression (CybOX), Trusted Automated eXchange of Indicator Information (TAXII), and Structured Threat Information Expression (STIX).)

This environment is then used to monitor new and evolving attacks continuously, in real time. The theory is that early detection, backed by a global knowledge base, makes countermeasures more effective and timely, and minimizes losses or reduces the cost of cleanup if a system does get infected with malware. Threat intelligence thus provides a better defensive posture than would otherwise be possible.
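An added illustration of the capture, normalize, integrate and correlate loop that Martinez describes above, written for this article rather than taken from any of the frameworks it names. The two feed formats, the log line format, the type vocabulary and the confidence bonus for cross-source agreement are all constructed assumptions, and the indicator values are documentation ranges, not real indicators.

```python
import csv
import json
import re
from collections import defaultdict

# Constructed sample feeds in two formats; values are documentation ranges, not real IoCs.
FEED_CSV = "type,value,confidence\ndomain,bad-updates.example,80\nipv4,203.0.113.7,60\n"
FEED_JSON = json.dumps({"indicators": [
    {"kind": "fqdn", "value": "BAD-UPDATES.EXAMPLE", "score": 0.7},
    {"kind": "ip", "value": "198.51.100.9", "score": 0.9}]})

# Normalize: map each source's own type names and scales onto one shared vocabulary.
TYPE_MAP = {"domain": "domain", "fqdn": "domain", "ipv4": "ip", "ip": "ip"}

def normalize(source, csv_text=None, json_text=None):
    """Yield (type, value, source, confidence 0-100) tuples from either feed format."""
    for row in csv.DictReader((csv_text or "").splitlines()):
        yield TYPE_MAP[row["type"]], row["value"].lower(), source, int(row["confidence"])
    for ind in json.loads(json_text or '{"indicators": []}')["indicators"]:
        yield TYPE_MAP[ind["kind"]], ind["value"].lower(), source, round(ind["score"] * 100)

def integrate(*records):
    """Integrate: merge indicators across sources; independent agreement raises confidence."""
    merged = defaultdict(lambda: {"sources": set(), "confidence": 0})
    for itype, value, source, conf in records:
        entry = merged[(itype, value)]
        entry["sources"].add(source)
        bonus = 10 * (len(entry["sources"]) - 1)  # assumed +10 per extra agreeing source
        entry["confidence"] = min(100, max(entry["confidence"], conf) + bonus)
    return merged

# Constructed proxy-style log format: "<timestamp> <client> -> <destination>".
LOG_LINE = re.compile(r"(?P<ts>\S+) (?P<src>\S+) -> (?P<dst>\S+)")

def correlate(merged, log_lines):
    """Correlate: flag log lines whose destination matches a merged indicator."""
    hits = []
    for m in filter(None, map(LOG_LINE.match, log_lines)):
        dst = m.group("dst").lower()
        itype = "ip" if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", dst) else "domain"
        if (itype, dst) in merged:
            e = merged[(itype, dst)]
            hits.append((m.group("ts"), dst, e["confidence"], sorted(e["sources"])))
    return hits

if __name__ == "__main__":
    feed = integrate(*normalize("feedA", csv_text=FEED_CSV), *normalize("feedB", json_text=FEED_JSON))
    sample_log = ["2013-05-01T10:00:00Z 10.0.0.5 -> bad-updates.example", "2013-05-01T10:00:01Z 10.0.0.6 -> example.org"]
    for hit in correlate(feed, sample_log):
        print(hit)
```

Each hit carries the merged confidence and the list of sources that agreed on the indicator, which is the context an analyst needs to prioritize it over a single-source match.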

[Figure: The threat intelligence ecosystem (courtesy of Cyber Squared).]

The real challenge—the advanced persistent threat
The Advanced Persistent Threat (APT) is the crème de la crème of malevolent cyber threats. It is categorized, as the name implies, as the type of threat that is persistent, both in attack vectors and approach variables.

Serra explains it this way, “From our point of view, this is a catch-all type of buzzword currently being used to distinguish ‘normal’ PC viruses and spam emails from more sophisticated threats that use multiple attack vectors (combining social engineering, phishing, and mobile drive-by downloads, for instance), and with the ability to remain stealth. It also has the ability to mutate based on client, or server actions. It is the most advanced, complex and well supported type of malware.”

Vincent puts it in perspective by saying, “Comparing a typical threat to an APT is like someone showing up at your house. If it is a typical threat and they find the door is unlocked, they rob you, but if it is locked, they just go away.” An APT is exactly the opposite. “If that same somebody shows up at your house and finds the door locked, they would check the windows for access. If they were locked and secure, then they would try to break one. If that didn’t work, they might try to dig a tunnel under your house. They would be relentless in finding some way to enter your house. And if they manage to gain entry, it is quite probable they would stay for months, if not years, and steal everything they can get their hands on until there is nothing left to take.”

For high-tech companies that constantly create and refine intellectual property (IP), that provides a particularly nasty scenario. If a persistent threat manages to infiltrate a company’s IP vault, every time new or improved IP is developed, it would be stolen.

APT perpetrators are generally talented, well-funded black-hat types who use advanced tools and techniques designed to circumvent most conventional computer network defense mechanisms. They generally have either a strong personal, insurgency or corporate-backed agenda. They are usually after a specific target such as military systems, industrial espionage or government/utility/transportation systems. Their level of sophistication renders all but the best intrusion detection, anti-virus and traditional incident response approaches moot. Even the top-shelf systems are often outgunned. APT campaigns can be multi-year, multi-technology—think hardware from system down to semiconductor memory, firmware, embedded software and up the software stack to the network—and multi-channel, with multiple attack schemes, technologies and resources.

The Best of Breed Approach
Threat intelligence is, by its very nature, proactive. In the past, an organization would have some lead time, generally from a few days to several months, to patch a system in anticipation of a possible malevolent code release. That’s not true anymore. Today’s cyber world’s near-instantaneous capability to disseminate information, coupled with super-high-speed data transfer, has compressed time to such an extent that a virus that once took days to spread now does the same in hours. There are even “zero-day, or zero-hour” circumstances where security experts have almost no time to block or disarm the threat. With such a short window of opportunity, intelligence tacticians have a fraction of the time to stay one step ahead of the hackers, so edge-of-the-envelope strategies must be in place.

Successful threat analysis involves a multi-faceted approach. While each of these tools is a topic unto itself, they will only be covered here cursorily. If the reader is interested, resources to delve further into them are plentiful.

The security segment has developed a homogeneous approach in which a number of elements come together to form a successful defense formula. They include such items as predictive analysis, principles of forecasting and crowd-sourcing. In addition, an understanding of how to disseminate the collected information, and of what does and does not belong in reporting, is part of the program.

There are also a number of physical tools, as well as policies, and even standards such as ISO 27001 and 27005 that can be part of the security section’s wheelhouse.

Among the best practices and tools:

  • Strong authentication
  • Next-generation firewalls
  • Web application firewalls/database monitors
  • Network access control (NAC)
  • Network vulnerability scanners/Web app scanners
  • Intrusion prevention/detection systems (IPS/IDS)
  • UTMs (firewall, IPS, anti-malware, Web filtering, etc.)
  • Endpoint protection suites (anti-malware, host firewalling, filtering)
  • Message/Web hygiene filters
  • Data loss prevention policies and procedures
  • Security information and event management (SIEM)/log analysis
  • Policy and configuration management
  • Tight control of patching, updates, and new software delivery and installation procedures
  • Penetration testing tools

There are others, of course, and there are variants on these tools as well as methodologies to implement them. While not all organizations may need all of these, the concept is to have the most applicable tools in place, customized to the organization, so there is the right bubble of protection enveloping it.

However, even the best laid plans of mice and men can be waylaid and no matter what one has in place, there are technologies that challenge the best bleeding-edge defenses. And one of the most effective tools an attacker has is morphing code, which is the topic of the next iteration in this series.

Conclusion
Sophisticated morphing threats are the next iteration of maleficent manifestations coming down the pike. Threat intelligence is the answer because it presents a new model of preemptive, zero-hour, anti-malware philosophies that stand vigilant against a very fluid enemy.

Threat intelligence takes the track that the deeper the well of knowledge, the better the chance of preemptive mitigation. Therefore, the mantra of threat intelligence is vigilance. Keep your databases current, use all the cutting-edge tools available, leverage everything you can, from every source available and never, ever fall asleep at the helm.