Nuspire released a report, outlining new cybercriminal activity and tactics, techniques and procedures (TTPs) throughout Q3 2020, with additional insight from Recorded Future.
Threat actors becoming even more ruthless
The report demonstrates threat actors becoming even more ruthless. Throughout Q3, hackers shifted focus from home networks to overburdened public entities, including the education sector and the Election Assistance Commission (EAC). Malware campaigns, like Emotet, utilized these events as phishing lure themes to assist in delivery.
“We continue to see attackers use newsjacking and typosquatting techniques to attack organizations with ransomware, especially this quarter with the Presidential election and schools moving to a virtual learning model,” said John Ayers, Nuspire Chief Strategy Product Officer.
“It’s important for organizations to understand the latest threat landscape is changing so they can better prepare for current themes and better understand their risk.”
Increase in malware activity
There has been a significant increase in malware activity over the course of Q3 2020; the 128% increase from Q2 represents more than 43,000 malware variants detected a day.
As Emotet made a significant appearance, new features in Emotet modules were discovered, implying the group will likely continue operations throughout the remainder of the next quarter to successfully gauge the viability of these new features.
“Keeping a vigilant eye on how threats evolve, grow and adapt over time helps us understand how threat actors have been retooling their tactics. It’s more important than ever to consistently have visibility into the threat landscape.”
- The ZeroAccess botnet made another big appearance in Q3. It resurged in Q2, coming in second for most used botnet, but then went quiet towards the end of Q2, coming back up in Q3.
- Office document phishing skyrocketed during the second half of Q3, which could be due to the upcoming election, or because attackers have just finished retooling.
- Ransomware attack on the automotive industry is on the rise. At the end of Q3 2020, references have already surpassed the 2019 total at 18,307, an increase of 79.15% with Q4 still remaining.
- H-Worm Botnet, also known as Houdini, Dunihi, njRAT, NJw0rm, Wshrat, and Kognito, surged to the top of witnessed Botnet traffic for Q3 from the actors behind the botnet by deploying instances of Remote Access Trojans (RATs) using COVID-19 phishing lures and executable names.
Some of the world’s most skilled nation-state cyber adversaries and notorious ransomware gangs are deploying an arsenal of new open-sourced tools, actively exploiting corporate email systems and using online extortion to scare victims into paying ransoms, according to a report from Accenture.
The report examines the tactics, techniques and procedures employed by some of the most sophisticated cyber adversaries and explores how cyber incidents could evolve over the next year.
“Since COVID-19 radically shifted the way we work and live, we’ve seen a wide range of cyber adversaries changing their tactics to take advantage of new vulnerabilities,” said Josh Ray, who leads Accenture Security’s cyber defense practice globally.
“The biggest takeaway from our research is that organizations should expect cybercriminals to become more brazen as the potential opportunities and pay-outs from these campaigns climb to the stratosphere.
“In such a climate, organizations need to double down on putting the right controls in place and by leveraging reliable cyber threat intelligence to understand and expel the most complex threats.”
Sophisticated adversaries mask identities with off-the-shelf tools
Throughout 2020, CTI analysts have observed suspected state-sponsored and organized criminal groups using a combination of off-the-shelf tooling — including “living off the land” tools, shared hosting infrastructure and publicly developed exploit code — and open source penetration testing tools at unprecedented scale to carry out cyberattacks and hide their tracks.
For example, Accenture tracks the patterns and activities of an Iran-based hacker group referred to as SOURFACE (also known as Chafer or Remix Kitten). Active since at least 2014, the group is known for its cyberattacks on the oil and gas, communications, transportation and other industries in the U.S., Israel, Europe, Saudi Arabia, Australia and other regions.
CTI analysts have observed SOURFACE using legitimate Windows functions and freely available tools such as Mimikatz for credential dumping. This technique is used to steal user authentication credentials like usernames and passwords to allow attackers to escalate privileges or move across the network to compromise other systems and accounts while disguised as a valid user.
According to the report, it is highly likely that sophisticated actors, including state-sponsored and organized criminal groups, will continue to use off-the-shelf and penetration testing tools for the foreseeable future as they are easy to use, effective and cost-efficient.
New, sophisticated tactics target business continuity
The report notes how one notorious group has aggressively targeted systems supporting Microsoft Exchange and Outlook Web Access, and then uses these compromised systems as beachheads within a victim’s environment to hide traffic, relay commands, compromise e-mail, steal data and gather credentials for espionage efforts.
Operating from Russia, the group, refered to as BELUGASTURGEON (also known as Turla or Snake), has been active for more than 10 years and is associated with numerous cyberattacks aimed at government agencies, foreign policy research firms and think tanks across the globe.
Ransomware feeds new profitable, scalable business model
Ransomware has quickly become a more lucrative business model in the past year, with cybercriminals taking online extortion to a new level by threatening to publicly release stolen data or sell it and name and shame victims on dedicated websites.
The criminals behind the Maze, Sodinokibi (also known as REvil) and DoppelPaymer ransomware strains are the pioneers of this growing tactic, which is delivering bigger profits and resulting in a wave of copycat actors and new ransomware peddlers.
Additionally, the infamous LockBit ransomware emerged earlier this year, which — in addition to copying the extortion tactic — has gained attention due to its self-spreading feature that quickly infects other computers on a corporate network.
The motivations behind LockBit appear to be financial, too. CTI analysts have tracked cybercriminals behind it on Dark Web forums, where they are found to advertise regular updates and improvements to the ransomware, and actively recruit new members promising a portion of the ransom money.
The success of these hack-and-leak extortion methods, especially against larger organizations, means they will likely proliferate for the remainder of 2020 and could foreshadow future hacking trends in 2021. In fact, CTI analysts have observed recruitment campaigns on a popular Dark Web forum from the threat actors behind Sodinokibi.
The growing volume and complexities of cyber threats present a compelling case for adopting threat intelligence platforms (TIPs), a Frost & Sullivan analysis finds.
These solutions help organizations navigate the ever-increasing threat landscape and allow for further analysis and threat intelligence operationalization.
The TIP market least affected by the pandemic
The yhreat intelligence platform market is one of the cybersecurity markets that will be least affected by COVID-19. It is estimated to reach $234.9 million by 2022 from $132.7 million in 2019, at a compound annual growth rate (CAGR) of 21%.
“The proliferation of TIP use cases indicates the convergence of the TIP space with adjacent markets,” said Mikita Hanets, Information & Communication Technologies Research Analyst at Frost & Sullivan.
“Vendors increasingly aim to offer some elements of TIP functionality in SOAR and SIEM platforms and vice versa. Going forward, solutions that enable businesses to operationalize threat-related data and set up workflows for cyber incidents will converge in the next three years.”
Hanets added: “North America will dominate the market and contribute the maximum revenue, followed by Europe, the Middle East and Africa (EMEA), Asia-Pacific and Latin America. Technology and telecommunications will be the fastest-growing vertical market for TIP vendors in the next two years, while banking and finance is expected to contribute the most by 2022.”
Growth prospects for market participants
The growing sophistication of attacks and the necessity of using threat intelligence for proactive cyber defense present immense growth prospects for market participants who:
- Increase their presence in geographical areas like EMEA, Asia-Pacific and Latin America, where the penetration rate is currently low.
- Expand the network of third-party SOAR integrations or develop native SOAR capabilities. Enterprises with mature cybersecurity practices need intelligence-powered SOAR.
- Develop SIEM capabilities to offer seamless, intelligence-driven solutions. TIP vendors can build on their data management experience and offer a fully consolidated solution.
- Develop threat detection and threat hunting capabilities to enable investigations of security incidents. Threat intelligence is instrumental in securing enterprises because it enables security teams to prevent cyberattacks in real time and identify a breach that might have occurred in the past.
- Develop or acquire intelligence-driven vulnerability and risk management technology. The ability to assess an organization’s exposure and the risk to its global threat data is a key feature of the next generation of solutions.
Cyber threat intelligence (CTI) sharing is a critical tool for security analysts. It takes the learnings from a single organization and shares it across the industry to strengthen the security practices of all.
By sharing CTI, security teams can alert each other to new findings across the threat landscape and flag active cybercrime campaigns and indicators of compromise (IOCs) that the cybersecurity community should be immediately aware of. As this intel spreads, organizations can work together to build upon each other’s defenses to combat the latest threat. This creates a herd-like immunity for networks as defensive capabilities are collectively raised.
Blue teams need to act more like red teams
A recent survey by Exabeam showed that 62 percent of blue teams have difficulty stopping red teams during adversary simulation exercises. A blue team is charged with defending one network. They have the benefit of knowing the ins and outs of their network better than any red team or cybercriminal, so they are well-equipped to spot abnormalities and IOCs and act fast to mitigate threats.
But blue teams have a bigger disadvantage: they mostly work in silos consisting only of members of their immediate team. They typically don’t share their threat intelligence with other security teams, vendors, or industry groups. This means they see cyber threats from a single lens. They lack the broader view of the real threat landscape external to their organization.
This disadvantage is where red teams and cybercriminals thrive. Not only do they choose the rules of the game – the when, where, and how the attack will be executed – they share their successes and failures with each other to constantly adapt and evolve tactics. They thrive in a communications-rich environment, sharing frameworks, toolkits, guidelines, exploits, and even offering each other customer support-like help.
For blue teams to move from defense to prevention, they need to take defense to the attacker’s front door. This proactive approach can only work by having timely, accurate, and contextual threat intelligence. And that requires a community, not a company. But many companies are hesitant to join the CTI community. The SANS 2020 Cyber Threat Intelligence Survey shows that more than 40% of respondents both produce and consume intelligence, leaving much room for improvement over the next few years.
Common challenges for beginning a cyber threat intelligence sharing program
One of the biggest challenges to intelligence sharing is that businesses don’t understand how sharing some of their network data can actually strengthen their own security over time. Much like the early days of open-source software, there’s a fear that if you have anything open to exposure it makes you inherently more vulnerable. But as open source eventually proved, more people collaborating in the open can lead to many positive outcomes, including better security.
Another major challenge is that blue teams don’t have the lawless luxury of sharing threat intelligence with reckless abandon: we have legal teams. And legal teams aren’t thrilled with the notion of admitting to IOCs on their network. And there is a lot of business-sensitive information that shouldn’t be shared, and the legal team is right to protect this.
The opportunity is in finding an appropriate line to walk, where you can share intelligence that contributes to bolstering cyber defense in the larger community without doing harm to your organization.
If you’re new to CTI sharing and want to get involved here are a few pieces of advice.
Clear it with your manager
If you or your organization are new to CTI sharing the first thing to do is to get your manager’s blessing before you move forward. Being overconfident in your organization’s appetite to share their network data (especially if they don’t understand the benefits) can be a costly, yet avoidable mistake.
Start sharing small
Don’t start by asking permission to share details on a data exfiltration event that currently has your company in crisis mode. Instead, ask if it’s ok to share a range of IPs that have been brute forcing logins on your site. Or perhaps you’ve seen a recent surge of phishing emails originating from a new domain and want to share that. Make continuous, small asks and report back any useful findings.
Share your experience when you can’t share intelligence
When you join a CTI group, you’re going to want to show that you’re an active, engaged member. But sometimes you just don’t have any useful intelligence to share. You can still add value to the group by lending your knowledge and experience. Your perspective might change someone’s mind on their process and make them a better practitioner, thus adding to the greater good.
Demonstrate value of sharing CTI
Tie your participation in CTI groups to any metrics that demonstrate your organization’s security posture has increased during that time. For example, show any time that participation in a CTI group has directly led to intelligence that helped decrease alerted events and helped your team get ahead of a new attack.
There’s a CTI group for everyone
From disinformation and dark web to medical devices and law enforcement, there’s a CTI segment for everything you ever wanted to be involved in. Some are invite-only, so the more active you are in public groups the more likely you’ll be asked to join groups that you’ve shown interest in or have provided useful intelligence about. These hyper-niche groups can provide big value to your organization as you can get expert consulting from top minds in the field.
The more data you have, the more points you can correlate faster. Joining a CTI sharing group gives you access to data you’d never even know about to inform better decision making when it comes to your defensive actions. More importantly, CTI sharing makes all organizations more secure and unites us under a common cause.
Instituting an in-house cyber threat intelligence (CTI) program as part of the larger cybersecurity efforts can bring about many positive outcomes:
- The organization may naturally switch from a reactive cybersecurity posture to a predictive, proactive one.
- The security team may become more efficient and better prepared for detecting threats, preventing security incidents and data breaches, and reacting to active cyber intrusions.
- The exchange of pertinent threat intelligence with other organizations may improve collaboration and preparedness.
But these positive results are dependent of several things.
Some may think that, for example, cybersecurity is directly proportionate to the amount of threat intelligence they collect.
In reality, though, threat intelligence information can only serve their organization to the extent that they are able to digest the information and rapidly operationalize and deploy countermeasures.
“You may collect information on an ongoing or future threat to your organization to include who the threat actor is, what are they going after, what is the tactic they will utilize to get in your network, how are they going to move laterally, how are they going to exfil information and when will the activity take place. You can collect all the relevant threat information but without the infrastructure in place to analyze the large amount of data coming in, the organization will not succeed in successfully orienting themselves and acting upon the threat information,” Santiago Holley, Global Threat Intelligence Lead at Thermo Fisher Scientific, told Help Net Security.
Working towards a threat intelligence program
Holley has worked in multiple threat intelligence and cyber positions over the past ten years, including a stint as a Threat Intelligence Lead with the FBI, and this allows him to offer some advice to security leaders that have been tasked with setting up a robust threat intelligence program for their organization.
One of the first steps towards establishing a threat intelligence program is to know your risk tolerance and set your priorities early, he says. While doing that, it’s important to keep in mind that it’s not possible to prevent every potential threat.
“Understand what data is most important to you and prioritize your limited resources and staff to make workloads manageable and keep your company safe,” he advised.
“Once you know your risk tolerance you need to understand your environment and perform a comprehensive inventory of internal and external assets to include threat feeds that you have access to. Generally, nobody knows your organization better than your own operators, so do not go on a shopping spree for tools/services without an inventory of what you do/don’t have.
After all that’s out of the way, it’s time to automate security processes so that you can free your limited talented cybersecurity personnel and have them focus their efforts where they will be most effective.
“Always be on the lookout for passionate, qualified and knowledge-thirsty internal personnel that WANT to pivot to threat intelligence and develop them. Having someone that knows your organization, its culture, people and wants to grow goes a long way compared to the unknowns of bringing external talent,” he opined.
The importance of explaining risk
To those who are still fighting to get buy-in for a TI program from the organization’s executives and board members, he advises providing contextualized threat intelligence.
“You must put potential threats in terms that are meaningful to your audience such as how much risk a threat poses in terms of potential damage alongside which assets and data are at risk,” he explained.
“Many times business managers are focused on generating revenue and may see threat intelligence as an unnecessary expense. It is important for security leaders to communicate risk to their business managers and how those contribute to unnecessary cost and time delays if not addressed.”
He also advises getting to know the people they are working with and start building a professional working relationship. “The success of the program correlates to the strength of your team and how successful they are in collaborating and communicating with business managers.”
Cyber threat intelligence is one of the key tools information security operation centers (SOCs) use to carry out their mission. While helpful, it’s also one of the many little things that add to the mounting pile of stress SOC teams often feel.
SOC analysts are tasked with keeping up with the organization’s security needs and getting end users to understand cybersecurity risks and change their behavior, but are often dealing with an overwhelming workload and constant emergencies and disruptions that take analysts away from their primary tasks.
Burnout is often lurking and ready to “grab” SOC team members, so Holley advises them to implement a number of techniques to manage stress:
- Identify the problem. Understand what is specifically causing your stress in the first place, a good way of doing this is via root cause analysis. Peel the layers of the problem and understand the root
- Control your time. Take control of your time by blocking your calendar and give yourself time to focus on your own tasks and avoid being oversaturated with meetings
- Pick your battles. If you are going to go to war, make sure it is worth it. Avoid being dragged into confrontations that ultimately do not matter
- Stay healthy. Working out has many benefits when it comes to stress reduction, it gives you the opportunity to focus on something for YOU.
“Today’s cyber security environment is challenging and requires analysts to react to changes quickly and effectively. It seems that there is a never-ending demand on flexible intellectual skills and the ability to analyze information and integrate different sources of knowledge to address challenges,” Holley noted.
His own preferred thinking process for making the most appropriate decisions as quickly as possible is the OODA loop (Observe, Orient, Decide, Act).
“Risk management and being able to sort through large amounts of information and prioritize what needs to be actioned right away helps with problem solving. Keeping a cool head during difficult situations aids critical thinking but also allows for professional interactions with coworkers and stakeholders,” he concluded.
As more organizations implement successful threat hunting operations, a SANS Institute survey finds that they are facing common challenges with employing skilled staff and collecting quality threat intelligence.
“Without a sufficient number of skilled staff, high-quality intelligence, and the right tools to get visibility into the infrastructure, success with threat hunting will remain limited,” says survey author Mathias Fuchs.
“A world where we’ll see a unified, widely accepted golden standard of threat hunting remains in the future, but we are headed in the right direction.”
Key challenges in threat hunting
The survey highlights key challenges, limitations, and successes that organizations self-identify about their approach to threat hunting. Results indicate that threat hunting has arrived in the majority of organizations:
- 65% of respondent organizations report they are already performing some form of threat hunting
- Another 29% are planning to implement threat hunting within the next 12 months
With the concept of threat hunting being relatively new for many organizations, however, only 29% of respondents consider themselves mature or very mature in their threat hunting, with nearly 68% self-identifying their threat hunting as immature or still maturing.
Struggling to attract qualified threat hunters
Many organizations indicate that one of their top challenges is finding and employing the right experts to enable them to maintain an advanced threat hunting operation. A second main challenge respondents face is the quality of threat intelligence upon which their threat hunting is based.
Even though many organizations struggle to attract qualified threat hunters, only 21% of respondents currently outsource their threat hunting activities to external parties. Despite that, the majority of respondents rely on externally produced threat intelligence, yet only one-third of respondents claim they are highly satisfied with their sources. This presents an opportunity for organizations to improve, as well-curated threat intelligence can be leveraged to augment inexperienced threat hunters.
Measuring the benefit of threat hunting
The survey data also showed that organizations are beginning to have methodologies in place that enable them to measure the benefit of threat hunting, which bodes well for broader industry.
“Measuring the benefits of threat hunting is important,” Fuchs says. “Good threat hunting means that you probably never hear from these teams. The only indication for upper management that threat hunting even exists is that they have to foot the bill. That might be a tough sell, so if we have more ways to express the benefit of threat hunting, funding might get better, which ultimately might advance the general maturity level of threat hunting in the industry.”
Since last December, over 136,000 new COVID-19-themed domains have popped up and, while many host legitimate websites, others have been set up to serve malware, phishing pages, or to scam visitors.
SpyCloud researchers have also discovered that existing community threat intelligence feeds such as Google Safe Browsing, OpenPhish or ThreatsHub flag only a small percent of the domains as malicious.
“One potential reason is that the feeds we used have a focus on threat intelligence specific to phishing and malware, not necessarily scam sites. In addition, these feeds are sometimes automatically ingested into security products, increasing the potential impact of false positives because they could cause service disruptions in corporate and private networks,” the researchers noted.
Other interesting findings
After gathering a list of of over 136,000 hostnames and fully qualified domain names with COVID-19 or coronavirus themes from a variety of open-source feeds (threat lists, datasets of SSL certificates, etc.), they “parsed, deduplicated, and enriched the data with HTTP, additional DNS analysis, and WHOIS data that was manually collected” and found that many of the domains have active web content, but some merely display “placeholder” content indicating they’ve been purchased and “parked” at the registrar.
They pointed out that not all the “parked” domains are likely to become malicious. “Domain scalping may account for some of these purchases; for example, someone might purchase domains related to COVID-19 cures or vaccines with the hope of eventually selling them to a pharmaceutical company.”
On the other hand, there are those that are undeniably (if not too obviously) malicious:
“Most likely, the threat actor was sending phishing messages ‘from’ Chase with some form of messaging about the bank’s COVID-19 response, making it seem plausible to users that their bank may have set up a dedicated page related to the virus,” they explained.
Other findings include:
- 78.4% of the COVID-19-themed domains use HTTP, the rest HTTPS
- GoDaddy, NameCheap, Google, Name.com, and Tucows are the most popular domain registrars used by registrants of COVID-19 themed sites.
Everybody can join the fight
Some domain registrars have pledged to step up their efforts to actively find and take down fraudulent sites and to prevent registrations with certain keywords.
SpyCloud researchers are urging the security community to contribute to public feeds such as that operated by the COVID-19 Cyber Threat Coalition or to activities of organizations such as the Cyber Volunteers (CV19) to make everyone a little bit safer.
They have also provided the dataset they compiled so other researchers can take advantage of it for their own research.
Finally, they pointed out, even individual users can help keep everybody safe by reporting suspicious messages to email providers and corporate IT.
“Though flagging a phishing message within your inbox may not feel like a big deal, that action helps providers identify malicious content and flag it for other users,” they concluded.
More than two-fifths (43%) of organizations experience false positive alerts in more than 20% of cases, while 15% reported more than half of their security alerts are false positives. On average, respondents indicated 26% of alerts fielded by their organization are false positives, a Neustar repot reveals.
In response to growing cybersecurity threats, enterprises are investing significant resources in network monitoring and threat intelligence technologies that create more alerts – and more false positives – for security teams.
Security tools contributing to data overload and alert fatigue
The survey found two-fifths (39%) of organizations have seven or more tools in place that generate security alerts, and 21% reported using more than ten.
“Security tools that simply produce large quantities of data to be analyzed, without contextualizing potential threats, are contributing to data overload, alert fatigue and burnout,” said Rodney Joffe, chairman of NISC and SVP and Fellow at Neustar.
“Cybersecurity teams are increasingly drowning in data and are overwhelmed by the massive volume of alerts, many of them false positives. To ensure these high-value employees in mission critical roles are well-equipped to separate the signal from the noise, enterprises need a curated approach to security data that provides timely, actionable insights that are hyper relevant to their own organization and industry.”
Threats continuing their upward trajectory
The report indicates that threats are continuing their steady upward trajectory across vectors. The International Cyber Benchmarks Index, which reflects the overall state of the cybersecurity landscape, reached a new high of 29.8 in January 2020.
In November–December 2019, the surveyed security professionals ranked distributed denial of service attacks as their greatest concern (22%), followed by system compromise (20%) and ransomware and intellectual property theft (both 17%).
During the same period, social engineering via email was most likely to be perceived as an increasing threat to organizations (59%), followed by DDoS attacks (58%) and ransomware (56%).
A serious disconnect exists between how decision makers (i.e., CISOs, CIOs and CEOs), and security practitioners (i.e., IT managers and directors, security architects and security operations analysts) perceive phishing prevention, according to a research by Ironscales.
The research is based on a detailed, cross-industry survey of 252 security professionals from the United States and the United Kingdom.
Among its key findings, the survey revealed that decision makers are four times more likely than security practitioners to consider email security the highest priority, suggesting that security personnel believe that they have a sufficient handle on phishing prevention while the C-Suite sees substantial business risk.
“The disconnect between security practitioners and decision makers is extraordinarily problematic for phishing prevention and incident response,” said Eyal Benishti, CEO at Ironscales.
“The cause for such a predicament – whether or not security professionals on the front lines don’t fully understand the long-term business impacts of a successful phishing attack or if the C-Suite is simply over-concerned – is irrelevant. What matters is that moving forward these two important constituencies get on the same page so that the proper time and attention can be allocated towards minimizing phishing risk.”
The survey revealed that there is a critical need for real-time threat intelligence to more thoroughly address the risk of phishing; that the security skills shortage is having a material impact on security teams’ ability to deal with phishing properly, and that most organizations are using several tools to combat phishing, with secure email gateways remaining the most common.
Key research findings
- 24% of a 40-hour work week is spent by security analysts investigating, detecting or remediating phishing emails.
- Only One in five organizations continuously updates and tweaks its corporate email security policies in a typical month.
- Nearly three in five organizations train their users on proper email security protocols no more than twice per year, while only a third of organizations do so much more frequently (at least monthly or continuously).
- More than 70% of organizations use only manual processes for reviewing user-reported phishing emails, making it far too labor and time-intensive to mitigate email threats at scale.
Problems with phishing prevention
The survey also found that phishing emails continue to take organizations a substantial amount of time to detect, investigate and remediate. In total:
- 70% of organizations take more than 5 minutes to remove a phishing attack from a corporate mailbox even though the average time-to-click is 82 seconds.
- 75% of organizations cannot act on phishing intelligence automatically in real-time.
- 90% of organizations cannot orchestrate phishing intelligence from multiple sources in real time in the context of their overall email security solution(s).
“The survey’s findings reinforce the significant challenges that email phishing attacks incur on organizations of all sizes,” said Michael Osterman, principal analyst at Osterman Research.
“Most immediately, decision makers and cybersecurity practitioners must work to overcome the disconnect that exists so that time, budget and resources can be properly allocated to reduce email phishing risk.”
The Bandura Cyber Threat Intelligence Protection Platform:
- Aggregates IP and domain threat intelligence from multiple sources including leading commercial providers, open source, government, and industry sources.
- Integrates IP and domain threat intelligence from any source in real time including from Threat Intelligence Providers & Platforms (TIPs), SIEMs, SOARs, endpoint, and network security solutions.
- Acts on IP and domain threat intelligence proactively filtering network traffic in real-time at near line speed.
Here’s a transcript of the podcast for your convenience.
We are here today with Todd Weller, Chief Strategy Officer of Bandura Cyber. First question for the podcast, Todd, what is open threat intelligence and what is driving it?
It’s a great question. Let’s start with the latter point, what’s driving it. What we’re seeing is all organizations of all sizes and sophistications are increasing their use of threat intelligence. And what’s driving them to do that is the threat intelligence you get in your existing security controls alone is insufficient. And the reason that is, is that threat intel tends to be proprietary, driven by the vendor, driven by their threat intelligence team, further fueled by what they see within their customer bases. And what organizations are finding is they need a broader view of threat intelligence. It’s got to span multiple commercial sources, open source industry, and government. That’s really what is driving this movement, a desire to have a broader and more open view of threat intelligence.
The first question, what is open threat intel? That’s a great question. I actually googled it, coming in, and what you find is a lot of the results are open source threat intelligence, and they’re not exactly the same, but there are some similarities between those concepts. If I summed it up from a characteristic perspective, open, right? It’s not controlled by any one entity. There’s a community approach, anybody can contribute. And that ties importantly into a big team of collective cyber defense. We can’t do things alone.
The second would be flexible. It’s threat intelligence that can easily change. You can use the threat intelligence you want. And then I think the third characteristic of open threat intelligence is it’s portable. This threat intel is easy to move, it’s easy to integrate into your environment anywhere you choose.
That’s a really interesting distinction. I think the next question that leads out of that is why is threat intelligence hard to integrate into existing security controls?
There are two key factors there. It starts with the fundamental point that many of those solutions are closed, as I mentioned, so there’s an inherent bias. The value that those solutions provide is their ability to detect and block threats. And again, they do this through their own proprietary threat intelligence, so that powers their core value proposition. There’s really not an incentive to share that or to be open. There’s also not an incentive to really want to incorporate others’ threat intelligence into your solution. That’s the first factor.
The second factor, I would say, is technology limitations. Again, those solutions are built to do a certain thing. We tend to play or get more exposure on the network security side of the fence. And if you look at next generation firewalls, for example, they’re architected to be a firewall and today they’re doing much more than being a firewall. They’re doing intrusion prevention. They’re doing deep packet inspection and other areas of URL. They’re doing sandboxing and you add on increasing encrypted traffic on top of that. They’re doing a lot already that’s putting a lot of burden on the resources of that solution.
There are just significant limitations as a result of that. Many next generation firewalls simply limit the capacity of third-party threat intelligence that you can put into it. Another kind of factor we’ve seen, even if you take away the capacity limitations, policy management in lot of cases for next generation firewalls is cumbersome. That’s another kind of a limitation there.
Todd, going back to open threat intelligence, how would you say the industry is responding to open threat intelligence as a movement?
I’ve seen two fronts there, two responses. First has been a few years back. You saw some of the vendors band together with what is called the Cyber Threat Alliance, which continues to persist today. I think Palo Alto was a key founding member there, Palo Alto Networks, Symantec, and I’m sure there’s others. The goal there was to be able to share threat indicators back and forth.
I think that’s had limited success. Frankly, we don’t hear a lot about Cyber Threat Alliance and actually preparing for this, I was like, does it still exist in all honesty? And again, it goes back to those vendors all trying to provide protection solutions that’s fueled by their own threat intelligence. While it’s nice to say on paper, these big companies are going to share, there tends to be a lack of incentives to do so.
I think you’ve also seen vendors, specific vendors, make moves to try to enable the integration of third-party threat intelligence, to try to make their systems more open. There are some examples of that I would highlight. Palo Alto Networks has an open source project called MineMeld, which will aggregate threat intelligence from multiple sources, they’re helping to automate that.
I think McAfee has been pretty progressive with what they call their DXL, which is a way to tie together not only the whole McAfee portfolio of solutions, but also to make it easy for third-party solutions like ours to integrate in. And then the other dimension you’d have here is the security orchestration, automated response (SOAR) players. They’re trying to facilitate that movement of threat Intel between disparate systems.
The challenge with that approach gets back to, again, the limitations of the controls themselves. So, if we take, not to pick on Palo Alto Networks, but they are the market leading firewall provider, right? And they have made moves to do this aggregation of third-party threat Intel. It doesn’t get over the fact that you can only put a small number of third-party indicators into a Palo Alto Networks firewall. So, whether that’s being done by MineMeld, or whether it’s done being a SOAR, there’s just a significant limitation.
When it comes down to it, the two biggest issues are theses bias towards proprietary detection, which takes away incentive to open up. And then again, the architectures of those solutions are full, they’re geared to doing what they’re doing.
You mentioned Bandura Cyber being integrated into some of those other products and solutions. Tell us what is Bandura Cyber’s role in the open threat intelligence movement today?
Being open is at the core of everything we do, right? So, we offer what we call the Threat Intelligence Protection Platform. There we aggregate threat intel from multiple sources. We’re partnering with many commercial threat intelligence providers. We’re pulling in open source; we’re pulling in government industry through ISEC, ISAO integrations.
For us, we don’t produce our own threat intelligence today, we’re not dependent on that. We’re partnering, we want customers to be able to use the threat intelligence they want. And so we’re taking a proactive step to aggregate and to deliver threat intel out of the box from leading providers and all those sources. But then we’re also integrating threat intelligence from any source. If you’re a sophisticated customer, and we do see large enterprises spending millions and millions of dollars on threat intelligence feeds from all these sources, and then a lot of those will look at a solution like ThreatQuotient, to aggregate those, the threat intelligence platform.
We’re doing integrations like that. We’re partner with ThreatQuotient, we’re partner with Anomali, we’re partner with Recorded Future, ThreatConnect, SOAR, SIEM systems are going to be important integrations. And then the critical piece is acting on threat intelligence.
We aggregate, we integrate, but then we’re taking that action piece and that’s where I think it becomes very interesting for us. And you can think of us really as an open threat intelligence enforcement platform. So again, we’re going to be able to take action on threat intelligence from any source. We’re not biased to our own threat intelligence and we want to be open and flexible, but it doesn’t mean over time we’re not going to also have some of our own threat intelligence, but it’s not going to take us away from the heart of what we’re about, which is open and flexible threat intelligence. Let the customer use what they want, because cyber is dynamic and great sources of threat intelligence today are going to be very different than what they are tomorrow, and five years from now, and 10 years from now.
The U.S. Department of Justice’s Cybersecurity Unit has released guidelines for organizations that want to gather cyber threat intelligence from dark web forums/markets but, at the same time, want to stay on the right side of the (U.S. federal criminal) law.
The document focuses on “information security practitioners’ cyber threat intelligence-gathering efforts that involve online forums in which computer crimes are discussed and planned and stolen data is bought and sold. It also contemplates situations in which private actors attempt to purchase malware, security vulnerabilities, or their own stolen data—or stolen data belonging to others with the data owners’ authorization—in Dark Markets.”
It was compiled based on input from the US DOJ’s various divisions, the FBI, the U.S. Secret Service and the U.S. Treasury Department’s Office of Foreign Asset Control. In it, DOJ’s Cybersecurity Unit advises organizations on how to avoid becoming a perpertrator (consult with legat counsel, ask the FBI’s opinion before engaging in some legally murky activities) and a victim (institute security safeguards and adhere to cybersecurity practices that will minimize the risk of being victimized).
DOs and DON’Ts
- Gather cyber threat intelligence passively
- Access forums lawfully (by obtaining login credentials legitimately, for entirely fake personas)
- Ask questions and solicit advice on the forum (but document that they are doing that just for the purpose of gathering info, not committing a crime)
- Access forums unlawfully (by using stolen credentials, impersonating the identity of an actual person, including a government official, or using an exploit)
- Surreptitiously intercept communications occurring on a forum
- Provide the forum operator with malware or stolen personal info in order to gain access to the forum or provide other forum participants with useful information, services, or tools that can be used to commit crimes in order to get their trust
- Solicit or induce the commission of a computer crime
- Assist others engaged in criminal conduct (through advice or action)
- Involve their legal department in operational planning
- Share information about an ongoing or impending computer crime uncovered during intelligence gathering activities with law enforcement
Cybersecurity companies that monitor dark markets for specific types of information as a service to their customers – whether that’s stolen customer records offered for sale, malware or security vulnerabilities that target their customers’ networks or products – have additional specific things to take into consideration when attempting to purchase it (e.g., buying the data from a foreign terrorist organization is unlawful, and so is buying malware that is designed to intercept electronic communications surreptitiously).
In this podcast recorded at RSA Conference 2020, we’re joined by the ThreatQuotient team talking about a threat-centric approach to security operations, the evolution of threat intelligence and the issues surrounding it.
Our guests are: Chris Jacob, VP of Threat Intelligence Engineering, Michel Huffaker, Director of Threat Intelligence at ThreatQuotient, and Ryan Trost, CTO at ThreatQuotient.
Here’s a transcript of the podcast for your convenience.
We are here today with the ThreatQuotient team to talk about all things security operations, the human element of cybersecurity, and the evolving landscape of threat intelligence. I am joined by Ryan Trost, Chris Jacob and Michel Huffaker. Will you all please introduce yourselves?
Ryan Trost, co-founder and CTO at ThreatQuotient. Ultimately kind of a SOC dweller for most of my career – from system administration, up to security analyst, up to incident response and then SOC manager. Most formally at General Dynamics.
Michel Huffaker, I’m the Director of Threat Intelligence at ThreatQuotient. I started my career in the air force and kind of moved up through government, eventually landing in the private sector at iSIGHT Partners for five years, and then ultimately came to ThreatQuotient.
I’m Chris Jacob. I’m the Vice President of Threat Intelligence Engineering. I’ve been on the cyber side of things for about the last five or six years, before that grew up more in the infosec side of the world, spending most of my time at Sourcefire.
The first question for today’s discussion is about customer challenges. I know at ThreatQuotient you hear a lot about, and this is a direct quote I believe, your “customers struggle with ingesting all the stuff”. Let’s dissect this a little bit. What is the stuff that these customers are referring to that they’re challenged by?
Ryan: From my experiences, threat intelligence teams that didn’t come through the military and didn’t have formal training, ultimately ended up being pack rats and basically getting their hands on anything and everything they could, which has its benefits but also has a lot of deep dark skeletons from a collection standpoint, how to sort through it.
And I think teams have to really set goals on “this is my objective, this is what I want to do, this is the data that I need to do it”. You start to really look at data from a “nice to have” versus a “must have”. And then as you meet those objectives, you can widen that net, as they say, versus just trying to boil the ocean, which gets teams in lots and lots of trouble.
Michel: Yeah, I agree. There are a lot of data hoarders. People just wanted to have as much information as they could, but it’s very difficult to operationalize that. I think it you still need as much information as you can get, but it needs to be the right information. I think that as the industry has matured over time, people are really starting to understand, you still have to deal with a lot of data, but you have the relevant data, you get the right data, and you can actually take action on that.
Chris: Unsurprisingly, I agree with both these guys. I think it’s not a bad thing to have all the data, as long as you can get to the data you need easily, as long as it’s not masked by, you know, it’s got to be the needle in the haystack and not which haystack do I even look in? So as long as you can get to the data quickly, having it all can be good in some instances because, depending on the tools that you’re using to operationalize the data, if you’re using SIEMs for instance, you can cast a much wider net. They handle big pieces of, or large amounts of data.
But if you’re dealing person to person, or you’re dealing with tools that are firewalls, things that have a lower threshold for the amount of data they can handle, you need to make sure that you’re sending the right data there and using that lens. It’s capture it all, but make sure you can bubble up to the top what’s really important to your organization.
So, all of these points remind me a lot of the highly debated “which came first, the chicken or the egg” discussion as it relates to threat intelligence. So, when it comes to security operations, which should a company be implementing first, the threat intelligence feeds or an actual platform? Or does that even matter?
Ryan: Optimally, both. However, teams have to have somewhat of a strategy and a roadmap to it. In previous lives we had the same build it or buy it. And you need to really create those milestones or justification to get the approval to buy certain things and certain tools. So, a lot of teams ultimately focused on “okay, let’s start with open source”. It’s, it’s free, it’s widely available, there’s so many open source feeds out there, and they’ll have to figure out where to put that stuff.
Early analysts were putting it just into a spreadsheet, so every analyst had their own spreadsheet and it got to the point where there’s benefit in that. However, you quickly reached the ceiling of value and you hopefully hit a couple milestones that you can really get traction on with the executives, and then escalate to buying something. In conclusion, it’s ultimately both, but it ultimately kind of depends on the team and the logistics, and so forth.
Chris: I think we focus so much on incoming information, and that being the purpose for having a platform. But I think we need to spend some more time talking about the delivery of it. That’s the reason that a platform like this is so important, isn’t just for the analyst to have a tool to store things in and to work in, but ultimately for them to deliver that product, that intel that they’ve refined and sort of polished up.
How do they get that to the security teams? That’s an important part of the platform that, I think, gets overlooked quite a bit. In my opinion, you have to start with a platform. Obviously, they’re intel feeds out there, whether they’re open source all the way up to very expensive types of feeds. But you have to have the infrastructure in place for the analyst to be able to work in number one, but also, again, ultimately be able to deliver that finished product to their customers, which would be the security teams.
Michel: I agree that bringing external information and intelligence in is important, but at the same time it’s often overlooked – the wealth of information you have internally. If you have the right tools, the right platforms to pull that kind of metadata out of your own security stack, that’s the best way to understand who’s actually coming after you, who are the people who’ve been there before.
If you, like Ryan was saying, if you don’t have the budget tolerance to do both, if you bring the platform in first, then you can at least see what’s happened in your organization in the past, and then kind of predict based on that. Then you kind of create your own feed at the same time that you bring the platform in.
Michel, I heard you say “knowing who’s coming after you”. On that note, attribution has always been a hot topic related to threat intelligence. To some of us, it’s more important to know the motivation behind an attack rather than know exactly who that attacker is. What, between three of you are your thoughts on this, and how does the theme of the human element tie into that topic of attribution?
Michel: Attribution matters to some people. There are some organizations that have the maturity to care, and I say that because in the end it doesn’t matter. If you’re head down and you’re looking at your organization, you’re trying to figure out who’s coming after you, that’s less important than what they’re after, what their motivations are.
There are some benefits to it, in the sense of an internal marketing effort. If you could put a scary face or a scary mascot on top of something as a threat intel team, it gives you the ability to communicate internally really well. You can say scary guy one, two, three is after us, and that means something to your C-suite.
But on the whole, there’s a huge level of effort for very little gain, in terms of just finding out who that is. From the human perspective, it’s easy for us in the industry to batch all these actions together under one adversary group. But I think it’s important to remember these are humans on the other side, right? It’s humans fighting humans in this weird cyberspace.
If you think about it in that sense, it gives you a little bit of a leg up understanding operational patterns and things like that. It’s important to remember that they’re actually people.
Ryan: I completely agree with Michel. I think adversaries are just human by nature, and humans are creatures of habit. A lot of the adversaries, they’ll become experts in one attack vector, maybe one or two, and they’ll stick with that because that’s benefited them and that’s what they know.
The more the defenders know about that person, that human element, and what they gravitate towards, it’s much easier to defend against. So, I think that it’s very important to know who it is. Maybe not the attribution, unless you’re prosecuting, in that capacity, it doesn’t really make any sense. But again, it’s helping you organize your defense and organize your tools and technologies, to stop the adversary left of boom.
Chris: I think to that point, who it is, doesn’t really matter. To be able to put a box around it, to be able to say: “This is the container I’m using to track the tactics and techniques that I see here”. That allows you to test your theories: “This looks familiar to me. I think it’s this adversary and let me deploy these countermeasures to defend.” And also, the test proved that this is in fact the same group, the same organization or this is someone different.
I think the vast majority of people in the commercial world aren’t directly facing named adversaries. That said, you shouldn’t minimize it. Again, it’s good to be able to group things together so that you can recognize the patterns and know how to protect your organization from specific types of threats.
Pulling on that thread a little bit more. When we actually talk about a security incident as it’s unfolding, who is responsible for coordinating actions within a company? Is this more of a human response or an automated response from technology? Is it both putting ThreatQ into the conversation at this point? Can you guys walk us through what that process might be like internally? How does a tool like ThreatQ Investigations play into this? Who is responsible for those security incidents as they’re happening?
Ryan: In my experience, it ranges drastically based on the team, the budget, the technologies involved, and so on and so forth. In two previous roles, largely the incident is triggered or the event is triggered from a SIEM correlation or some type of hunting expedition. The technology raises the red flags, as this is suspicious.
That’s ultimately going to trigger an analyst to really look at it and dive in information gathering, to see if their spidey sense is triggered, or potentially an automated playbook will gather that information, whether it’s snapshotting the host and running it through a couple of smoke tests, and so forth.
Ultimately, an analyst is going to see it and review the information to determine does this event or alert need to be escalated to an incident. Once that handoff is given, then the incident response team usually gets involved, and then that’s run through a team lead who ultimately runs it for the life cycle of the case, and so forth. But again, it ranges drastically whether your team is two, whether your team is 50, geographically spread out, it really unfortunately is all over the place.
Chris: The better question there to dig into is how this is all coordinated, right? Because there are multiple teams involved, and those teams don’t necessarily communicate well with each other. Having a platform that allows those teams to just perform their work but capture all that information so that all of them are singing off the same sheet of music.
If the SOC is going through SIEM matches and adding color, adding information, then the incident response team has that information at their fingertips through using a platform and having integrations. Because ultimately, it’s all about the context. Team A might have this piece of information that doesn’t mean anything to them, so they don’t think to share it with the team down the hall that’s working the same incident. But if the team down the hall had that little piece of information, it would change their view of the incident altogether.
It’s about really coordinating across the teams because, you talked about the human element, people don’t communicate with each other well. So if we can do it machine to machine, it works out a lot better. And then to get into investigations TQI, that is a chance for all those teams to come back together, after each one has worked their incidents separately. Let’s get together and build out the evidence map of how we’re going through the incident and uncover those little pieces that we may not see if we work in our own silos.
Ryan: And Chris is absolutely right, where you get multiple teams working together, and this is where IR tabletop exercises really are critical for a team success, because a lot of times the IR coordinating it, but they don’t have access to the financial databases. So, they need to go to the financial team, or they don’t have certain access to the apps, or certain things that require you to reach out to a completely different department that isn’t security focused and ask for help. And usually they’re completely open, especially when it’s wrapped around an incident. It’s essential.
Michel: And there’s a pacing element to that as well. All these teams work at different paces, right? If you think of the difference between emergency responder from a fire perspective, there’s the people that come in and put the fire out, and then there are the people that do the investigation to see what caused it. And those are two drastically different paces to address two drastically different problems that ultimately come together.
When you’re talking about who handles things, having a place where people can work at their own pace, but still benefit from each other’s work at the pace that’s necessary for their specific job function is critical. Because if you allow that investigation to go on too long from the threat intelligence perspective, you lose sight of the urgency where you can get the cooperation from the other business units. So, you need those people who can go out and tactically respond, and then those that come in overarching and do the in-depth investigation.
What I’m hearing you all talk about is really how security operations help internally orchestrate all of the technology, all of the people, and ultimately help an organization make better business decisions. So, changing gears a bit, let’s talk about another important piece of that, which is most security teams have to do some sort of reporting. How has this evolved over the years? Where is the process of reporting metrics to executive leadership today? And how important is the ability to generate metrics from threat intelligence tools that organizations are using?
Ryan: From my experience, reporting is a huge benefit to an organization or a tool when it’s done correctly. I think a decade ago, reporting was purely quantitative. How many alerts, how many incidents, how many investigations, how many vulnerabilities, so on and so forth, and that was it. And it only got to the director level, it never went up.
However, with more security in the focus and more “okay, why and what next?”, a lot of reporting has matured to the sense of you get the traditional quantitative stuff. But now it’s “okay, let’s break down those numbers of alerts” based on the attack vector or based on the adversary attribution. So, it’s a lot more of trending versus a point in time. And that’s making it up to the C-levels, if not board of director levels. And that’s huge.
And a lot of security teams, historically, again, it wasn’t a primary focus for them. I was running a government SOC, and literally we had two FTEs dedicated to reporting to the point where the reports were beautiful brochures. But that’s what the government wanted. They wanted that sexy eye candy and eye charts that were in the reports, the infographics and stuff like that. That’s what spoke to them.
I think a lot more teams need that little bolster and something that escalates in visibility, and really shows the larger organization “this is what I’ve done for you lately, this is how I’m helping, this is when I’m predicting”. And hopefully hit a couple of those milestones.
Chris: I think reports, in my mind, fall into two different buckets. You have on one side, the more human consumable where you’re writing about a trend, maybe you are tracking a specific adversary or TTPs. And those are more human consumable type reports. But the other side that I think could be very interesting is reporting on the efficacy of the tools.
It’s interesting to do a before and after report based on implementing a threat intelligence platform. “What effect am I having on the efficacy of my security tools? I had X amount of alerts before I started to apply this threat intelligence. Now do I have Y? Did it get better? Did it get worse?” That’s an interesting side of reporting that I don’t think people spend a lot of time thinking about.
Michel: Going back to what Ryan was saying a little bit, the curse of well-done security just like with well-done intelligence is that you don’t hear anything about it. If everything is effective, there’s nothing to say. It’s just all quiet, everything’s good. It’s expensive to implement a really well-done security operations team including threat intelligence.
For a lot of time there were C-suite that were questioning this huge investment without any sort of feedback and what was happening. And I think that view of security as a cost center has changed a lot with people actually being able to say: “Look at the loss that we prevented, had this incident occurred within our network. It didn’t, because we have these platforms, we have this intelligence in play, but look what it would have done. Look what we saved you.”
I think changing it from a cost center to a loss prevention perspective has really helped. And that’s all built around qualitative metrics of how effective is your threat intelligence program, how effective are your tools, and how well is everything operationalized and working together.
Thank you all so much for the discussion today. Before we wrap up, is there anything else that you would like to add or share with the listeners?
Chris: If you’re interested in learning more, we’ve actually broken down different use cases for different teams, and have that all written up on our website. Whether you’re live in the SOC, whether you’re an incident response person, check out the different use cases, different write-ups, and the different videos that we have for each of those personas.
Group-IB is a known quantity in the information security arena: in the sixteen years since its inception, the company – now headquartered in Singapore – has detected and detailed many high-profile threats, performed over a thousand successful investigations across the globe and gained widespread recognition for helping private and public entities and law enforcement worldwide track down and prosecute cybercriminals.
To be able to do that, it has been steadily building an international infrastructure for threat detection, hunting and investigating cybercrime around the world. This infrastructure includes, among other things:
- The largest computer forensics laboratory in Eastern Europe
- An early warning system for proactive cyber defense based on their own threat intelligence, attribution and incident response practices
- A certified emergency response service (CERT-GIB), which is member of the Forum of Incident Response and Security Teams (FIRST) and Trusted Introducer
- Databases containing extensive threat and threat actor information
The company was, at the beginning, mostly a provider of digital forensics and cyber investigation services. In time, though, they realized that the solutions available to organizations were not keeping pace with the ever-morphing threat landscape, so they decided to work on and offer their own.
It all started with the creation of Group-IB Threat Intelligence (TI), an attack attribution and prediction system and service that’s based on data collected from a wide variety of sources (investigations, network sensors, honeypots, OSINT, card shops, and much more), automated information extraction and correlation technologies, and is supported by expert analysts, incident responders and investigators around the world.
It was followed by:
- Group-IB Threat Detection System (TDS) – A threat-actor-centric (instead of malware-centric) detection and proactive threat hunting solution
- Secure Bank – A fraud and attack prevention solution for the financial services industry, which detects threats like account takeovers, credit fraud, malicious web injections, banking trojans, remote access software, social engineering, etc. (keeps more than 100 million banking customers secure by monitoring 16 million online banking sessions every day)
- Secure Portal – A fraud and attack prevention solution for ecommerce websites and online services (prevents account takeovers, identifies fake accounts and blocks bots, fraudulent activities, fraudulent ticket sales, and so on)
- Brand Protection – A service designed to detect and eliminate threats to one’s brand on the Internet (brand abuse, Internet fraud, copyright infringement, counterfeiting)
- Anti-Piracy – intelligence-driven protection of content online
Most of these solutions are powered by Group-IB TI. More recently, though, they gained another thing in common: an integrated Graph Network Analysis system for cybercrime investigations, threat attribution, and detection of phishing and fraud.
Graph Network Analysis
Many threat intelligence solutions have graph-making capabilities and the company has considered a number of graph network analysis providers before finally deciding to develop their own tool for mapping adversary infrastructure, Group-IB CTO and Head of Threat Intelligence Dmitry Volkov told Help Net Security.
None of the considered solutions gathered and used the wide variety of data and historic data Group-IB experts deem crucial for creating a complete picture for better visibility. None of them had the automated graph creation option and were able to reliably identify and exclude irrelevant results. Finally, none allowed operators to specify the ownership timeframe of the entered suspicious domain, IP address, email or SSL certificate fingerprint.
“Domain name and IP addresses change ownership – today they are used by a threat actor, tomorrow by a legitimate company or a random individual, so the timeframe within which the threat actor owned the suspicious domain name or IP address is very important information for the creation of a relevant and accurate graph,” Volkov explained.
The interface of the graph network analysis tool
The user decides how wide they want to cast the net by specifying the number of steps the tool should take when identifying direct links between elements, but the tool’s automated mode builds the graph of the links to the searched element. And, if they switch on the “refine” option, it will automatically remove from the resulting graph all the elements it deems irrelevant.
The graph network analysis tool attributing the search element to a specific threat actor
Analysts and investigators who don’t trust the tool to create a graph that contains all the crucial elements can always turn “refine” off and specify one step to build the graph themselves and then remove irrelevant elements from it.
Though, Volkov pointed out, after performing numerous manual checks and consistently seeing that the tool did a great job when allowed to do it automatically, their own experts have come to trust and prefer that option.
Improving graph accuracy
“The initial goal was just to create a useful tool for our internal analysts, and we didn’t plan to incorporate it in our products. But some of our clients saw how we were using it to do our research in-house and wanted to be able to do the same, so we decided to share it,” Volkov shared.
The company’s developers and experts have been working on the Graph Network Analysis tool for the past few years. The first version was good, but very slow. In time, they managed to improve both the speed and the effectiveness by experimenting with different types of data and different approaches to data enrichment, processing and correlation.
There are still two versions of the tool: a standalone one that’s used by Group-IB’s experts and one that’s incorporated in the company’s products. New features are first added and tested on the former, then incorporated in the latter if they prove useful.
Group-IB is constantly working on enriching the tool with data and designing new algorithms using machine learning to improve the graph’s accuracy.
“All of Group-IB’s products are being constantly fine-tuned thanks to the permanent monitoring of the cyberspace for new threats and our incident response operations and cyber investigations,” Volkov pointed out. “And we’re always analyzing existing solutions on the market, pinpointing their weak spots and shortcomings, thinking of ways to eliminate them and striving to provide the best technologies to our customers.”
The tool’s capabilities
Mapping adversary infrastructure and (hopefully) identifying the threat actor has many advantages for the targeted organization and its customers, but also for other organizations, their customers and, in general, the wider populace.
“The main goal of network graph analysis is to track down projects that cybercriminals carried out in the past — legal and illegal projects that bear similarities, links in their infrastructure, and connections to the infrastructure involved in the incident being investigated,” Volkov explained.
If the users are very lucky and a cybercriminal’s legal project is detected, discovering their real identity becomes simple. If only illegal projects are detected, that goal becomes more difficult to achieve.
But even if the identity of the attacker remains elusive, discovering details about their previous attacks can help pinpoint their preferred tactics, techniques, procedures, tools and malware, and that information can be handy for disrupting ongoing attacks or even preventing those that are yet to be launched (e.g., by identifying attacker infrastructure at the preparation stage).
The tool can be leveraged by SOC/CERT analysts, threat hunters, threat intelligence analysts and digital forensic specialists, and it’s great for improving the speed of incident response, fast cybercrime investigations, proactive phishing and global threat hunting, and pinpointing malicious servers hidden behind proxy services.
It’s also used for IoC enrichment and event correlation (i.e., discovering when certain attacks are linked and are likely different stages of a single multiphase attack).
Group-IB Graph Network Analysis was designed based on indicators of compromise discovered and collected by the company’s cybercrime investigators, incident responders and malware analysts in the last 16 years.
To this have been added or made available through data-sharing agreements and subscriptions many other data sets containing:
- Domain registration data
- DNS records (domain records, files, profiles, tags)
- Service banners (domains, redirections, error codes)
- Service fingerprints on IP addresses (which services are running and which ports are open)
- Hidden registration data (IDs, hosting providers)
- Historic registration data and that related to hosting transfers
- SSL certificate registration data.
They have also made an effort to come up with new methods of extracting data that is not available using ordinary means. “We cannot reveal details for obvious reasons, but in some cases, mistakes made by hackers during domain registration or server configuration help us discover their emails, pseudonyms, or backend addresses,” Volkov said.
An advantage for all threat hunters
The tool queries both the company’s internal databases and external sources of information (e.g., WHOIS, public sandboxes, etc.) and the whole network graph creation happens in mere seconds.
And everybody wins in the scenario where the tool is used by Group-IB’s clients.
“By giving visibility to our clients, we reduce our analysts’ load and get interesting feedback from our clients. When they do the analyses themselves, they may achieve results that are more interesting and relevant to them, and when they share those results with us, we have a better understanding about the threats that target organizations in their industry, sector or geographic region,” Volkov concluded.
“This allows us to tune our research capabilities and detection engines to improve our whole ecosystem and, on a global scale, it improves our detection, prevention and hunting processes for every client.”
Amid significant increases in both malware and network attacks, multiple Apache Struts vulnerabilities – including one used in the devastating Equifax data breach – appeared for the first time on WatchGuard’s list of most popular network attacks in Q3 2019.
Massive fallout from the Equifax breach
The report also highlights a major rise in zero day malware detections and, increasing use of Microsoft Office exploits and legitimate penetration testing tools.
Apache Struts 2 Remote Code Execution enables attackers to install Python or make a custom HTTP request to exploit the vulnerability with just a few lines of code and obtain shell access to an exposed system. This threat was accompanied by two additional Apache Struts vulnerabilities on the top ten network attacks list in Q3 2019, as overall network attacks increased in volume by 8%.
The massive fallout from the Equifax breach put the severity of this vulnerability on full display and should serve as a reminder of how important it is for web admins to patch known flaws as soon as possible.
“Our latest threat intelligence showcases the variability and sophistication of cybercriminals’ growing playbook. Not only are they leveraging notorious attacks, but they’re launching evasive malware campaigns and hijacking products, tools and domains we use every day,” said Corey Nachreiner, CTO, WatchGuard Technologies.
“As threat actors continue to modify their tactics, organizations of every size must protect themselves, their customers and their partners with a set of layered security services that cover everything from the core network to endpoints, to the users themselves.”
Attackers continue to favor Microsoft Office exploits
Two malware variants affecting Microsoft Office products made WatchGuard’s top ten list of malware by volume, as well as the top ten most-widespread malware list last quarter. This indicates that threat actors are doubling down on both the frequency with which they leverage Office-based attacks, as well as the number of victims they’re targeting.
Both attacks were primarily delivered via email, which highlights why organizations should increasingly focus on user training and education to help them identify phishing attempts and other attacks leveraging malicious attachments.
Zero day malware instances spike to 50%, as overall malware detections rise
After stabilizing at around 38% of all malware detections over the past several quarters, zero day malware accounted for half of all detections in Q3. The overall volume of malware detected increased by 4% compared to Q2 2019, with a massive 60% increase over Q3 2018.
The fact that half of malware attacks in Q3 were capable of bypassing traditional signature-based solutions illustrates the need for layered security services that can protect against advanced, ever-evolving threats.
Cybercriminals may be leveraging legitimate pentesting tools for attacks
Two new malware variants involving Kali Linux penetration testing tools debuted on WatchGuard’s top ten list of malware by volume in Q3. The first was Boxter, a PowerShell trojan used to download and install potentially unwanted programs onto a victim’s device without consent.
The second was Hacktool.JQ, which represents the only other authentication attack tool besides Mimikatz (which dropped in prevalence by 48% compared to Q2, and 16% compared to Q3 2018) to make the list.
It’s unclear whether the rise in these detections comes from legitimate pentesting activities or malicious attackers leveraging readily available open source tools. Organizations must continue to leverage anti-malware services to prevent data theft.
Malware attacks targeting the Americas increase drastically
More than 42% of all malware attacks in Q3 2019 were aimed at North, Central and South America; up from just 27% in Q2. This represents a significant geographic shift in focus for attackers compared to last quarter, as EMEA and APAC (which were tied for the top regional malware target in Q2) accounted for 30% and 28% of all malware attacks in Q3, respectively.
Although the specific motivations are unclear, this trend indicates attackers are bringing new malware campaigns online that specifically target users in the Americas region.
With the holiday season upon us, it can be all too easy to get swept up in the festivities. As soon as the Halloween hangover starts to finally wear off, you’re already preparing for Thanksgiving, and then it’s Black Friday and Cyber Monday and then there’s Christmas lights and menorahs everywhere and you’re buying presents and plane tickets and… deep breath… calm down… put some Frankie Goes to Hollywood on and just relax. We need to remember that the holidays can actually be a pretty dangerous period for cybersecurity. To riff off Andy Williams, it’s the most vulnerable time of the year.
The Cybersecurity and Infrastructure Security Agency (CISA) recently warned the public of malicious cyber campaigns where bad actors attempt to send emails and e-cards with malware infected links or attachments. A main driver for risk during the holiday season is the spike in online shopping. These days, more and more people are opting to skip the chaos of Black Friday for the safety and comfort of Cyber Monday. While many are worrying about trusting online companies to deliver their gifts on time, a growing number of customers are also worrying about trusting companies to safeguard their personal information.
With over 1,244 million recorded data breaches in 2018 in the United States alone, and more than 446.5 million records becoming exposed, consumers have a right to be concerned. Deloitte recently found that 56% of shoppers feel little to no control over their consumer data and 79% of shoppers are concerned about shopping at retailers with either multiple data breaches or data breaches within the last year.
For those of us managing security operations, this season of heightened risk requires heightened alertness. Not only do more people shop online, but they’re using even more devices than ever to do so. The proliferation of connected devices has led to more vulnerabilities, making our jobs that much more difficult. Fortunately, there are new solutions as well. One trending response has been the adoption of Security Orchestration, Automation and Response (SOAR) platforms as a new category of security tools.
Threat intelligence management
Batman and the Joker, Neo and Agent Smith, stormtroopers and trees – rule number one of dealing with any threat is to know your enemy. Threat intelligence is the knowledge of a threat’s capabilities, infrastructure, motives, goals, and resources. It allows you to identify and contextualize bad actors, and it’s the first requirement for a safe and effective cyber security defense.
SOAR platforms build upon traditional threat intelligence platforms (TIPs) by taking vulnerability and threat data from multiple sources and then enriching that data with threat intelligence. In other words, they aggregate and validate data from a wider range of sources, and then more efficiently integrate it into an intelligence management system. Businesses are striving to keep up with the current threat landscape with a lack of resources, skills and budgets, and an abundance of tedious manual processes. SOAR solutions are improving the efficiency and quality of work for security operations.
Information is useless unless it can be put to action – it just becomes noise. SOAR sifts through the racket to identify attackers’ tactics, techniques and procedures (TTPs), as well as indicators of compromise (IOCs). With proper management of the information, security analysts are better equipped to contextualize incidents, make more well-informed decisions, and accelerate incident response.
The retail industry frequently suffers from vulnerabilities and gaps in coverage. Centralizing threat intelligence and correlating IOCs with your organization’s Priority Intelligence Requirements (PIRs) is crucial for analyzing and responding to the most pertinent vulnerabilities.
There’s a reason people use GUIs instead of text-based interfaces – being able to view information in a more practical and organic way facilitates its usage. Filtering raw data into a more manageable form allows it to be more appropriately aggregated and understood. Like Cypher, you might be able to just see the code, but why would you want to? Analysts’ time is better spent letting the platform do the work for them.
A good SOAR platform presents the data in an easily visualizable manner, allowing security analysts to gain a better understanding of the threats their organizations face. If a retailer invests in curating a cohesive aesthetic for their Instagram profile and followers, shouldn’t they also make sure their security dashboards are just as easy to follow and share with stakeholders? The best platforms have flexible and dynamic dashboarding capabilities, allowing SOC departments to tailor it to their own needs.
What’s more, this aids users by allowing them to tailor it to the needs of others as well. Many in the security industry have long faced the issue of how to illustrate the value that they provide in a concrete way – it can be difficult to explain to others that are less tech savvy what exactly we do. Fortunately, with access to ROI data, tracking, and custom metrics, that value can be made a bit more tactile and apparent. The more effectively we communicate our value, the better it will ultimately be for both our security teams and the companies we work within.
There are days where being in cybersecurity operations feels like a warzone. Bombs are going off all around you, tickets are flying in non-stop, and it’s all you can do to triage as much as you can while trying to keep up. By the end of the day, you and your team are overworked, stressed, and burnt out. Security teams are regularly tasked with fixing all things, all the time, 24/7, without the tools or resources necessary to do so.
An effective SOAR platform helps to deal with this by orchestrating and automating responses. Analysts can employ their knowledge through “playbooks” to automate redundant, tedious, stressful tasks. By working at a higher level, analysts can translate their experience and knowledge into more effective processes and smooth over their workflow. Instead of having to deal with everything on a case-by-case basis, they can leverage their understanding of the relevant threats and indicators to create a steadier day-to-day flow.
The point here is to put the analyst in the captain’s seat, think more Picard, less Data. Just write the playbook and set it on its path – you’ll be humming “Make it So” just in time for the holidays. And if you’re worried about missing critical information while your “Out of Office” message is set, a platform with capabilities to provide instant updates is critical. Team-based notification systems can allow teams to stay in touch even when half the office is taking a “work from home” day after the annual holiday party.
Holiday cybersecurity risks
Security breaches are not only costly for the company’s profits, they are costly for the brand’s reputation. With the holidays approaching, cyber analysts face their most hectic time of the year. Bad actors are seeing green, and the sheer increase in activity will be sure to lead to a concomitant increase in work for cyber analysts. We need to make the best use of our resources to not only relieve security analysts of unnecessary stress, but to arm them with the most efficient way to deal with threats.
The holidays are going to be stressful enough – venturing out of the house in the cold, finding the right presents, helping grandma with her IT problems even though you’re on vacation from your IT job. Why not take some of the edge away by destressing our professional life and let technology lend a helping hand?
Let this National Computer Security Day not only serve as a reminder of the data you need to protect, but as inspiration for your holiday wish list when searching for new software and platforms now available to help keep privacy protected.
Organizations reported an average 32% reduction in threat responder workload when they deployed a managed SIEM solution, according to CenturyLink and IDG. Improve incident response The research shows security leaders are turning to managed security services to help augment limited internal resources and bridge the security technology gap. “Security is an inherent ingredient in networking today; however, limited resources and budget constraints make it difficult for companies to develop with their own staff,” says Chris … More
The post To improve incident response, you need to consider 3rd party solutions appeared first on Help Net Security.