Thursday, April 21, 2016

FTC Issues Alert on Earthquake Relief Email Scams

The Federal Trade Commission (FTC) has issued an alert warning users to be on the lookout for earthquake relief email scams.
In a post published on Wednesday, Colleen Tressler, a consumer education specialist at the FTC, highlights the growing need for aid following recent earthquakes in Japan and Ecuador.
Late last week, a series of strong earthquakes in Japan culminated in a 7.0-magnitude quake, killing nearly 50 people. Aftershocks as strong as 6.1 are still being felt by the survivors, who struggled with a shortage of food and water on Wednesday.
Last Saturday, a 7.8 magnitude earthquake struck Ecuador. At least 570 people were killed, with 155 people missing, 7,015 injured, and 25,000 currently placed in relief shelters. This is the worst natural disaster the country has seen in decades.
Many charities are now attempting to provide aid to the survivors. But as Tressler warns, those looking to donate should spend some time researching whether they are actually giving to a trusted organization.
“Unfortunately, legitimate charities face competition from fraudsters who either solicit for bogus charities or aren’t entirely honest about how a so-called charity will use your contribution,”
To help people avoid donating to fraudulent charities, the FTC has published the following list of tips:
  • Donate only to reputable charities. People should avoid organizations that have sprung up overnight and that might not provide donors with the option to designate their gift of aid for a specific disaster.
  • Never click on suspicious links or email attachments. If you know the sender personally, contact them by phone or in person to determine whether they actually sent you the link or attachment. Attackers might have hacked their account.
  • Be wary of relief solicitations sent to you via social media or text message. It is safer to donate directly from a legitimate charity’s website.

TREASUREHUNT: A Custom POS Malware Tool

Threat Intelligence has observed the significant growth of point-of-sale (POS) malware families in underground cyber crime forums. POS malware refers to malicious software that extracts payment card information from memory and usually uploads that data to a command and control (CnC) server.
Although the PCI DSS rules changed in October 2015, leaving retailers who have not transitioned from existing “swipe” cards to EMV or “chip” enabled cards liable for card present fraud in more ways than before, many retailers are still in the process of transitioning to chip-enabled card technology. Criminals appear to be racing to infect POS systems in the United States before US retailers complete this transition. In 2015, more than a dozen new POS malware families were discovered. POS malware may be freely available, available for purchase, or custom-built for specific cyber criminals. Free tools are often a result of malware source code being leaked, and tend to be older and more easily detected by security software. POS malware available for purchase may be newly developed tools or modified versions of older tools. Then there is another class of POS malware that is developed for use exclusively by a particular threat group.

TREASUREHUNT is POS malware that appears to have been custom-built for the operations of a particular “dump shop,” which sells stolen credit card data. TREASUREHUNT enumerates running processes, extracts payment card information from memory, and then transmits this information to a command and control server. TREASUREHUNT would be implanted on a POS system through the use of previously stolen credentials or through brute forcing common passwords that allow access to poorly secured POS systems. When executed, TREASUREHUNT installs itself to the %APPDATA% directory and sets up a registry ‘run’ key for persistence. The malware will then initiate a beacon to a CnC server; the connection to the CnC server is via HTTP POST. The malware scans all running processes and ignores processes that contain System32, SysWOW64, or \Windows\explorer.exe in their module names. It searches for payment card data and, if found, sends the data encoded back to the CnC server. The operators control the compromised systems and harvest stolen payment card information through a web interface located on the CnC server.
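The three host-side behaviours the post attributes to TREASUREHUNT (a binary running from %APPDATA%, a Run-key entry pointing back at it, and an HTTP POST beacon from that process) can be correlated per process in endpoint telemetry. The following is an added example, not code from the original post or from any vendor product; the event schema, hosts, paths and addresses are all constructed.

```python
"""Correlate endpoint telemetry into the TREASUREHUNT behaviour chain described above.

Added example, not code from the original post or from any vendor product. It looks
for the three host-side behaviours the post attributes to the malware, tied to one
process: an executable running from %APPDATA%, a Run-key entry that points back at
that executable, and an HTTP POST from the same process. Event schema and all
hosts, paths and addresses are constructed for this example."""
import re
from collections import defaultdict

# %APPDATA% resolves to ...\AppData\Roaming on a default Windows profile.
APPDATA_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\roaming\\", re.IGNORECASE)
RUN_KEY_RE = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.IGNORECASE)

# Constructed sample events (hypothetical EDR/Sysmon-style schema). 203.0.113.0/24 and
# 192.0.2.0/24 are RFC 5737 documentation ranges, not real CnC addresses.
EVENTS = [
    {"host": "pos-01", "type": "process_create", "pid": 4120,
     "image": r"C:\Users\cashier\AppData\Roaming\svchost.exe"},
    {"host": "pos-01", "type": "registry_set", "pid": 4120,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost",
     "value": r"C:\Users\cashier\AppData\Roaming\svchost.exe"},
    {"host": "pos-01", "type": "network", "pid": 4120,
     "proto": "http", "method": "POST", "dst": "203.0.113.10"},
    {"host": "pos-02", "type": "process_create", "pid": 880,
     "image": r"C:\Program Files\Vendor\pos.exe"},
    {"host": "pos-02", "type": "network", "pid": 880,
     "proto": "http", "method": "POST", "dst": "192.0.2.7"},
    {"host": "pos-03", "type": "process_create", "pid": 300,
     "image": r"C:\Users\mgr\AppData\Roaming\update.exe"},
    {"host": "pos-03", "type": "registry_set", "pid": 300,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\update",
     "value": r"C:\Users\mgr\AppData\Roaming\update.exe"},
]


def behaviours(events):
    """Per (host, pid): which of the three behaviours were observed, plus the image path."""
    state = defaultdict(lambda: {"appdata": False, "runkey": False, "beacon": False, "image": None})
    for ev in events:
        st = state[(ev["host"], ev["pid"])]
        if ev["type"] == "process_create":
            st["image"] = ev["image"]
            st["appdata"] = bool(APPDATA_RE.match(ev["image"]))
        elif ev["type"] == "registry_set" and RUN_KEY_RE.search(ev["key"]):
            # Persistence counts only when the Run value points at an %APPDATA% binary.
            st["runkey"] = bool(APPDATA_RE.match(ev["value"]))
        elif ev["type"] == "network" and ev.get("proto") == "http" and ev.get("method") == "POST":
            st["beacon"] = True
    return dict(state)


def full_chain_hits(events):
    """{host: [image, ...]} for processes showing all three behaviours (highest priority)."""
    hits = defaultdict(list)
    for (host, _pid), st in behaviours(events).items():
        if st["appdata"] and st["runkey"] and st["beacon"]:
            hits[host].append(st["image"])
    return dict(hits)


def triage_scores(events):
    """{host: max behaviours matched by any one process}; 2 of 3 is worth a look too."""
    scores = defaultdict(int)
    for (host, _pid), st in behaviours(events).items():
        scores[host] = max(scores[host], sum(st[k] for k in ("appdata", "runkey", "beacon")))
    return dict(scores)
```

A legitimate updater can also live under %APPDATA% with a Run key, so the partial score is a triage aid, not a verdict.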
All of the TREASUREHUNT samples identified so far contain the same compilation timestamp of 2014-10-19 07:14:39. This is likely an artifact of the builder rather than the time the samples were actually compiled. Using this data, TREASUREHUNT appears to have been first deployed in late 2014 and was seen throughout 2015 and into 2016.
The relatively sparse sample set may indicate that TREASUREHUNT is being deployed in a targeted manner rather than being propagated indiscriminately.
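To check a sample for the shared timestamp noted above, the following added example (not code from the original post) reads IMAGE_FILE_HEADER.TimeDateStamp straight out of the PE header; the bytes it parses are a constructed minimal header, not a real sample.

```python
"""Extract the PE compile timestamp and flag the shared builder-artifact value.

Added example, not code from the original post. make_fake_pe() builds the smallest
byte string the parser accepts (DOS header + PE signature + COFF header) so the
check runs offline; it is a constructed test input, not a TREASUREHUNT sample."""
import struct
from datetime import datetime, timezone

# Timestamp the post reports in every TREASUREHUNT sample (treated as a builder artifact).
BUILDER_ARTIFACT = datetime(2014, 10, 19, 7, 14, 39, tzinfo=timezone.utc)


def pe_timestamp(data: bytes) -> datetime:
    """Return IMAGE_FILE_HEADER.TimeDateStamp as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)        # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    # COFF header follows the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)


def is_builder_artifact(data: bytes) -> bool:
    """True when the sample carries the timestamp shared by the known TREASUREHUNT set."""
    return pe_timestamp(data) == BUILDER_ARTIFACT


def builder_artifact_epoch() -> int:
    """The shared timestamp as seconds since the Unix epoch, i.e. the raw header value."""
    return int(BUILDER_ARTIFACT.timestamp())


def make_fake_pe(stamp_epoch: int) -> bytes:
    """Constructed minimal PE-like header with the given TimeDateStamp (test input only)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew: PE header right after the DOS header
    # Signature, Machine (i386), NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, 3, stamp_epoch, 0, 0, 0xE0, 0x102)
    return bytes(dos) + coff
```

On real files the `pefile` module exposes the same field as `pe.FILE_HEADER.TimeDateStamp`; a timestamp shared across a whole sample set is a hunting pivot, not proof of a common build time.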

In the world of POS threats, there has been a rise in both underground offerings as well as new malware found in active use. The demand is likely due to the ongoing transition to EMV chip and PIN technology in the United States, which will eventually render these techniques largely useless. While some cyber criminals are looking ahead in an effort to develop ways to exploit chip and PIN (as well as near-field communication technologies), many cyber criminals are looking to take advantage of memory scraping POS malware while it still works.
With an increasing number of major firms transitioning to the more secure chip-enabled cards, we expect to see cyber criminals increasingly turn their attention to smaller retailers and banks that may not be as prepared for the transition.

Top Five Hacker Tools Every CISO Should Understand

As the role of the CISO continues to evolve within organizations towards that of an executive level position, we see a growing emphasis on traditional business administration skills over the more technical skills that previously defined the top security leadership job. Nonetheless, CISOs need to keep abreast of the latest tools and technologies that can benefit their organization’s security posture, as well as those tools that are widely available which could be misused by malicious actors to identify and exploit network security weaknesses.
“The following is a list of tools every CISO should be on top of, and it was very hard to narrow it down to these few items with so many valuable tools out there,” Ouchn said. “My choices were driven by a combination of the tool’s value and their ease of use.”

ARMITAGE

“Metasploit has become over the years the best framework to conduct penetration testing on network systems and IT infrastructure. Nevertheless, I will focus on Armitage an open source effort to bring user-friendly interface to Metasploit,” Ouchn said.
“Armitage demonstrations are very convincing and allow you to analyze weak and vulnerable machines in a network in just a few clicks. The compromised devices are depicted with a lightning round. This tool has brilliantly hidden the complexity of Metasploit (for a non-technical audience) in favor of usability and is a great way to demonstrate the security in depth of an IT architecture. In fact, the framework has several capabilities to exploit vulnerabilities in almost any type of layer to therefore infiltrate (by pivoting) systems to reach the network’s nerve center. Armitage should definitely be part of the CISO’s Arsenal and his internal Red Tiger team.”

HASHCAT

There is a constant battle between security folks and users when it comes to passwords. Although it is simple to deploy a password policy in a company, it is also very difficult to justify it: in a perfect world from the users’ perspective, the best password would be the name of the family cat with no expiration date, and this applies to any system that requires authentication. HashCat has shown that the selection of a strong password must be done carefully, and this tool allows us to demonstrate the ease with which a password can be recovered. A CISO should certainly incorporate this password cracking tool in his arsenal because it allows one to check the complexity of the company password policy. Of course, the complexity of a password is not the only criterion for a well-constructed policy, as there are a plethora of criteria: duration, length, entropy, etc. So HashCat is a must-have for any CISO.

WIFITE

You know what you are connected to when using your hardwired network, but have you ever wondered if the air is playing tricks on you? To test your WiFi security, Wifite offers the simplest way; the grip is instantaneous. It is written in Python and runs on all platforms. CISOs need only supply the WiFi interface they use and it does the job, verifying that the corporate wireless networks are configured according to the applicable security policy; better yet, it can be used to identify any open and accessible network that could potentially be harmful in terms of phishing. Wifite allows the discovery of all devices that have an active wireless capability enabled by default (like some printers, for example). Wifite is a very simple and convincing way for a CISO to validate the security of wireless networks.

WIRESHARK

“Known for many years as Ethereal, Wireshark is probably the best tool when it comes to sniffing for and collecting data over a network. On the one hand, Wireshark has boosted its capabilities with the support of several types of networks (Ethernet, 802.11, etc.) and also in the simplicity of its use through a very friendly user interface. Wireshark allows a CISO to demonstrate that outdated protocols such as Telnet / FTP should be banned from a corporate network, and that sensitive information should be encrypted to avoid being captured by a malicious user. Beyond the sniffing features, Wireshark is also a great way to validate the network filtering policy. When placed near filtering devices, it can detect the protocols and communication flow in use. Wireshark should be considered by any conscious CISO to validate the filtering policy and the need for encryption.”

SOCIAL ENGINEERING TOOLKIT (SET)

SET is a framework that helps in the creation of sophisticated technical attacks that operate by exploiting human credulity. It can be used in the process of preparing a phishing attack mimicking a known website or trapping PDF files with the appropriate payload. The simplicity of use via an intuitive menu makes it an even more attractive tool. It is the dream of every CISO to drive security awareness campaigns without ruining the security budget. With SET, the team in charge of security audits can design attack scenarios and distribute them internally to the targeted users. This will confirm users’ security perception within the company and validate the best awareness policy to deploy. The SET tool is very well maintained.

Sunday, March 27, 2016

Threat Intelligence Tweaks That’ll Take Your Security to the Next Level

Addictive, isn’t it?
Hunting threats. Remediating vulnerabilities. Tirelessly staying abreast of the latest threat intelligence. And as your knowledge grows, you realize how much more you could be doing to keep your organization safe. So now that you have the fundamentals covered, what’s next?
With these three Threat intelligence tweaks, you can take your cyber security from the basics to the world-class level.

Sharpen Your Claws With Internal Hunting

Think of your security mechanisms like an army in peacetime. Just because nothing much seems to be happening right now, doesn’t mean you should sit back and wait.
Internal hunting is the process of aggressively tracking and eliminating threats. This includes things like device and network mapping, distinguishing between good and bad behavior, searching for anomalies, and setting up/monitoring honeypots.
This type of proactive security work has a whole host of benefits, including:
  • Enhanced contextual threat intelligence.
  • Better visibility of potential weaknesses.
  • Early and accurate threat detection.
  • Opportunity to control and minimize damage from unexpected threats.
  • Improved defenses against identified threats.
  • The ability to avoid fines and bad publicity.
And on the face of it, these proactive activities seem like sensible security measures, which of course they are.
But there’s more to it than that.
During times of peace, armies don’t simply conduct exercises with the aim of maintaining skills in shooting, building clearance, and so on. They do it because it stops the troops from becoming soft and lazy.
When a war breaks out, you don’t just need soldiers with well-practiced skills, you need them to be mentally ready.
The same is true of your information security teams.
By engaging in internal hunting, your security teams will constantly hone and develop their skills. This is exactly what threat actors are doing, so why let your defenses fall behind?
They’ll also learn to work effectively as a team. People inevitably have strengths and weaknesses, which can be brought to the fore through enhanced teamwork and information sharing.
Last, and perhaps most difficult to quantify, is the tangible evidence of return on investment (ROI) to the organization. Executive teams are increasingly becoming aware of how damaging a successful breach can be, but very few security or threat intelligence activities can reliably be measured in terms of ROI.
On the other hand, the success of an internal hunting operation is eminently measurable, and bound to be well received.

Realize Nobody Sees Everything — And Act Accordingly

When you start to take threat intelligence seriously, there’s one fact that should always be kept firmly in mind.
Nobody sees everything. Not even the NSA.
And knowing this, you’ll be able to approach vendors with realistic expectations. Their solutions can provide strategic threat intelligence, but they probably aren’t going to provide information about specific events within your network.
And this is not to say that you should avoid open source intelligence (OSINT) platforms. They provide a great deal of value, and will enable you to make informed, contextual decisions about both proactive and reactive security activities.
But what it does mean is that, under the right circumstances, an internal effort to create a proprietary threat intelligence capability can be an excellent use of resources.
Do you have a need that isn’t serviced by the market? Then perhaps it’s time to solve your own problem.
Imagine, for instance, that you develop a crawler to analyze the web page code of the organization’s top 5,000 daily Internet destinations. Each day this crawler will provide tangible data points, which over time become an extremely effective mechanism for identifying drive-by attacks, or other anomalous activity.
This is the sort of valuable threat intelligence that you’ll never receive from an off-the-shelf solution, but which could potentially help you prevent (or minimize the impact of) future breaches.
Not only that, if you develop the solution in-house, you’ll be honing skillsets that could become extremely handy in the future.
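The day-over-day crawler idea above reduces to keeping a small fingerprint of each destination’s page code and diffing it against yesterday’s. Here is an added example of that check (not code from the original post); the two HTML snapshots of one hypothetical destination are constructed to stand in for consecutive daily crawls.

```python
"""Day-over-day baselining of a destination's page code, as in the crawler above.

Added example, not code from the original post. Two constructed HTML snapshots of
one hypothetical destination stand in for consecutive daily crawls; the comparison
reports new external script/iframe hosts and changed inline scripts, the data
points that tend to surface an injected drive-by loader."""
import hashlib
import re
from urllib.parse import urlparse

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc=[\"']([^\"']+)[\"']", re.IGNORECASE)
IFRAME_SRC_RE = re.compile(r"<iframe[^>]*\ssrc=[\"']([^\"']+)[\"']", re.IGNORECASE)
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\ssrc=)[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)

PAGE_URL = "https://www.example.com/"          # constructed destination

DAY1_HTML = """<html><head>
<script src="https://static.example.com/app.js"></script>
<script>window.cfg = {ver: 3};</script>
</head><body><h1>News</h1></body></html>"""

# Constructed day-2 snapshot: one new third-party script host and one new inline script.
DAY2_HTML = """<html><head>
<script src="https://static.example.com/app.js"></script>
<script>window.cfg = {ver: 3};</script>
<script src="//cdn.example.net/lib.js"></script>
<script>var injected = 1;</script>
</head><body><h1>News</h1></body></html>"""


def fingerprint(page_url, html):
    """Reduce a page to the data points worth tracking from one crawl to the next."""
    page_host = urlparse(page_url).netloc.lower()
    external = set()
    for src in SCRIPT_SRC_RE.findall(html) + IFRAME_SRC_RE.findall(html):
        host = urlparse(src).netloc.lower()      # handles absolute and protocol-relative URLs
        if host and host != page_host:
            external.add(host)
    inline = {hashlib.sha256(s.strip().encode()).hexdigest()[:16]
              for s in INLINE_SCRIPT_RE.findall(html)}
    return {"external_hosts": external, "inline_hashes": inline}


def diff_crawls(prev, cur):
    """What changed between two fingerprints of the same destination."""
    return {"new_hosts": sorted(cur["external_hosts"] - prev["external_hosts"]),
            "removed_hosts": sorted(prev["external_hosts"] - cur["external_hosts"]),
            "new_inline": sorted(cur["inline_hashes"] - prev["inline_hashes"])}


def needs_review(delta):
    """New script origins or new inline code are the events an analyst should look at."""
    return bool(delta["new_hosts"] or delta["new_inline"])
```

Regex extraction is adequate for a first cut; a real crawler would use an HTML parser and also record redirects and response headers as further data points.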

Use Real-World Scenarios

Running real-world, or proof of concept (POC) exercises is truly a sign of next-level security.
You may technically be prepared for certain threat actor tactics, techniques, and procedures (TTPs), but until you’ve done it in practice you never really know.
That’s where your red team comes in.
The idea is to employ real-world TTPs in a controlled environment to see what effect they would have in your environment. And when you start doing this, you might be surprised by the results.
That malware you thought you were safe from? Turns out that when deployed in your environment it has a completely unexpected side effect that you might not be prepared to resolve.
By engaging in rigorous red team testing procedures, you can identify these little surprises ahead of time, and greatly improve your organization’s defensive capability.
Now, of course, building these real-world scenarios and measuring the effectiveness of your defensive controls requires time and resources. If you want real results, this is not something that can be dumped on already-busy security professionals.
But if you really want to develop a world-class security facility, rigorously and routinely testing your defensive capabilities is an absolute must.

Proactive Beats Reactive Every Time

You’ve noticed, no doubt, that each of the approaches suggested above is highly proactive.
And there’s a good reason for that.
Threat actor TTPs continue to evolve, and simply building a wall around your assets is no longer enough to keep them out. If you want to defend against determined, skilled attackers, you’re going to need to start thinking the way they do.
If you can manage to do that reliably, you’re a long way towards fielding a truly world-class cyber security facility.

Thursday, March 17, 2016

Using Global Threat Intelligence to Improve Security Analysis Inside the Perimeter

One of the critical drivers that led us to create the Threat Indicator Confidence model was our realization that at the core of all security technologies is a goal to stop threats from manifesting. As a result, we believe that focusing on innovation and technologies designed around threats will naturally address all aspects of a threat’s life cycle.
How did we become threat centric? By characterizing threats we investigated how they are created, behave, and morph, as well as how they are distributed and manifested in target environments. Focusing on these aspects allowed us to deliver technologies that could provide threat detection and mitigation not solely based on Indicators of Compromise (IOC), but also on the full set of available intelligence.
Understanding what Internet threats are targeting your organization is a key part of the overall threat picture. Ideally, threats are stopped before becoming activated inside your perimeter but that is not always possible. A critical aspect of being threat centric is the ability to detect and mitigate threats that may have already breached the interior of your network.
Correlating network telemetry collected inside the perimeter by switches and routers gives the security operations team vital insight into threats. It’s important to note that today’s perimeter is a constantly changing boundary, as application and network virtualization extend it to cloud services and other externally available services.
Below are some steps to consider when correlating threat intelligence with network telemetry.

Step 1: Assess Organizational Threat Posture

Are any of my internal assets communicating with sites on the Internet that have been identified as having an elevated threat confidence score (i.e. higher risk)?
Your network telemetry data should be able to provide information such as what sites internal hosts are communicating with, protocols, ports, URLs, byte counts for each flow, and time of communication. By correlating the telemetry data with global threat intelligence that identifies IP addresses and domain names of malicious sites, an overall picture of the threats occurring in an organization’s environment is formed. Without the context that global threat intelligence provides, you are left with many questions about those communications. If any internal asset is found to be communicating with elevated threat confidence sites, move on to these next steps.

Step 2: Identify Potential Compromised Assets

What threat intelligence is available on the external site regarding its malicious behavior? Is it a command & control (C2) server? Is it a web server hosting malware? What protocols did the internal asset access that site using?
As shown below, the internal host (in blue) was communicating with a site (in red) that was acting as a C2 server for a known botnet. The threat intelligence provides information on that site as well as an elevated threat indicator confidence score.
[Figure: threat intelligence]

Step 3: Understand the Full Context of Communication Between the Compromised Asset and the Internet

Were other external sites communicated with after the initial communication with the compromised site? Are there any indications of what those other sites do?
[Figure: threat intelligence]

By investigating the sequence of flows it may be possible to understand the nature of the threat.

Step 4: Identify Any Data Exfiltration or Impact on the Compromised Asset

How much traffic has been sent and received between that asset and the identified site?
Was there a large amount of data communicated? Were there small amounts of data over long-running sessions? Who initiated the connections, over which protocols (UDP, TCP, etc.), and were there any obvious holes in external firewalls?
When did this traffic start, and end?
Is this threat active or has it only been active in the past? A critical aspect of threat detection is having the capability to do both real-time and historical analysis of threat intelligence.
Threat intelligence about the global Internet is most likely different from what you discovered in the past 30 or 60 days. Is there intelligence that shows previous communication from an internal asset to the potentially malicious site?

Step 5: Identify the Spread of Any Threat Within the Perimeter

For an identified internal host, with whom are they communicating internally? Did that communication occur before or after the identified risky communications?
After identifying that an internal asset has been compromised, security operations teams must understand the extent of the threat to plan a response. This includes understanding if an infected asset could have spread their infection to other internal assets.
Having a global perspective of all communications from internal assets to the Internet and correlating that with threat intelligence, a threat analyst can determine if there were any other internal assets communicating with those sites.

Step 6: Repeat Steps 2-5 for Each Compromised Asset

Here’s an example of the power of global threat intelligence correlation.
[Figure: threat intelligence]

Impact of Threat Intelligence Correlation

For an organization with 1,000 networked assets, global threat intelligence can reduce threat analysis across the network telemetry from 115,000,000 flows down to 180,000 flows for an 8-hour period, a 99.999% reduction in traffic inspection based on threat correlation with threat intelligence and enhanced by Threat Indicator Confidence.
Without knowledge of global threat intelligence and internal perimeter telemetry, the threat team is left to assess all flows that communicate with the global Internet. This can be a significant task, and without some automation to identify relevant threats, will likely result in analysts being unable to identify threats.

Sunday, March 13, 2016

Six Ways to Enhance Physical Security with Open Source Threat Intelligence

As hacking incidents such as the U.S. government’s Office of Personnel Management data breach continue to dominate the news, many companies are taking note and ramping up their cybersecurity protocols. However, what is often overlooked is the online or cyber component of an organization’s physical security strategy, including executive protection. The role of threat intelligence here can be just as critical as it is in the more headline-grabbing areas of cyber risk.
Scoping Your Intelligence Needs
Priorities and responsibilities will vary based on your organization, but a typical physical security portfolio will often include:
  • Disaster preparedness
  • Emergency response and evacuation
  • Employee safety
  • Environmental risks
  • Executive protection
  • Facility security
  • Investigations
  • Infrastructure/Asset protection
  • Physical access control
  • Situational awareness
The first step in evaluating the value and applicability of threat intelligence stems from defining your priorities and assessing your risk profile in different areas. For example, energy producers may have significant concerns around assets and employees in far-flung locations, whereas a hedge fund might be primarily focused on the physical safety of a few key individuals and their families. Understanding your priorities, and allocating resources correctly, is a key first step to understanding where and how to best apply open source threat intelligence.
Types of Open Source Data
There are many types of open source data, ranging from global news, search-accessible sites, and social media, to the deep and dark web. Information can also be gathered via public record and aggregator sites, through government data feeds, and from non-web sources such as Internet Relay Chat (IRC) rooms.
Let’s take a moment to discuss some details here, as there is much confusion about what exactly defines the deep web and the dark web. By our definition, these are not the same thing at all, though they are sometimes treated interchangeably. The deep web, while hard to find unless you know the specific URL of your destination, is publicly accessible. It houses what some estimates say are up to 75 percent of public web content that is open but is not indexed by search engines. The dark web, also known as Darknet, is one step beyond that, and can only be reached with specific tools such as a special browser or client software. This includes Tor/.Onion sites, and I2P. The dark web is the hardest for white hats – computer security experts – to monitor.
Six Things You Can Do Right Now
Once you’ve determined your organization’s needs and which sources are best for intelligence gathering, it’s time to put that information to work. Here are some best practices for implementing threat intelligence to enhance your physical security program:
1. Assess online exposure – What are your employees’ online footprints? Where are the biggest areas for potential issues? For example, do you have key executives who are very active on social media?
2. Claim online real estate – Don’t be like Carly Fiorina. Register personal domain names of key executives, as well as brand names in relevant generic top-level domain and country-code top-level domain extensions before a threat actor or detractor does.
3. Expunge personal data – Hide or remove online personal data that may appear on sites like Spokeo or social media accounts that might be open to anyone to view.
4. Limit sharing – Check device and account settings to minimize data you may be unintentionally providing to the public, such as geolocation data for photos, or sharing detailed personal information such as travel plans on social media.
5. Educate executives and their families – Family members, especially teens, are the most common source of problems for executives. In one case, a well-known CEO’s security precautions were foiled by their teen daughter’s postings on Instagram, which revealed where the family was vacationing to a wide audience.
6. Visualize the data – Represent your intelligence in an understandable and easy-to-digest form. This could be via maps in your Security Operation Center, or through an online platform that incorporates multiple data feeds and sources.

With all of the different sources available for information gathering, both on and off the Internet, companies need tools that help them efficiently aggregate, assess, and comprehend all of the data. Cyveillance’s Cyber Threat Center provides an easy-to-use platform that combines all of the necessary tools for physical and cyber security threat intelligence.

Friday, March 11, 2016

4 Rules for Successful Threat Intelligence Teams

Threat intelligence is quickly becoming a core element of risk management for many enterprises.
To truly understand risk, though, the enterprise must grasp and have the capability to handle emerging information security threats to its environment. Other areas of risk — financial risk, operational risk, geopolitical risk, risk of natural disasters — have been part of organizations’ risk management plans since time immemorial; it’s only these last few years that information security has bubbled to the top, and now companies are starting to put weight behind security threat intelligence programs.
Putting a team in place to manage threat intelligence, however, isn’t as easy as other, more established areas of information security. First, it’s newer, and second, organizations might not yet have the right skills and tools in-house. With that in mind, we’ve identified four simple rules that will help organizations build and maintain a successful threat intelligence team.
( The rules are simple, but we do realize that implementation is not!)

Tailor Your Talent

It goes without saying that any team — threat intelligence or otherwise — is run by people, so hiring the right people with the right skills is critical. In some cases organizations can groom threat intelligence staff from within, from security operation center (SOC) teams to incident responders. Central skills like log management, networking expertise, and technical research (scouring through blogs, pastes, code, and forums) often come after years of professional information security experience.
Certain parts of threat analysis, however, necessitate distinct and practiced skill sets. Intelligence analysis, correlating and making predictions about threats based on (sometimes seemingly disparate) data, requires highly developed research and analytical skills and pattern recognition.
When building or adding to your threat intelligence team, especially concerning external hires, personalities matter.
Existing teams might feel threatened by new staff who appear to be “taking over” roles and responsibilities. Disgruntled employees are not productive employees. Thus, when forming or adding to the threat intelligence team, pay close attention to the “soft skills” of candidates.
Make sure that teammates can not only all “play nicely in the sandbox,” but that you, as a manager, are communicating frequently, clearly, and honestly about expectations. The interaction and workflow between teams should be pre-planned, and data sharing should facilitate easy integration for the teams responsible for making security verdicts.

Architect Your Infrastructure

Threat intelligence vendors provide strategic intelligence, but organizations should consider building in-house proprietary capabilities that deliver consistent, relevant, and actionable threat data.
Proprietary threat intelligence platforms (TIPs) have the advantage of being tailored to the organization’s specific needs, and often come with a smaller price tag than commercial, off-the-shelf solutions. These custom-engineered solutions should integrate with external vendor systems to automatically collect, store, process, and correlate external data with internal telemetry such as security logs, DNS logs, Web proxy logs, Netflow, and IDS/IPS.
Of course, building powerful proprietary capabilities requires an experienced data architect.
This individual is responsible for designing fast and nimble data structures with which external tools integrate seamlessly and bi-directionally. The data architect should understand not only the technical needs of the organization, but he or she should be involved in a continuous two-way feedback loop with the SOC, vulnerability management, incident response, project management, customer-facing fraud (where applicable), and red teams. This collaborative process facilitates control changes and allows the architect to deliver threat data in a format and on a timeline appropriate for each group.
Notably, threat analysts should never spend time manually processing operational data, and the architect fills that important role of providing the data upon which the analyst draws conclusions that ultimately decrease strategic business risk.

Enable Business Profitability

The goal of every threat intelligence program should be to find emerging threats before they impact the business. Reducing the number of direct threats drives down risk, which in turn increases profitability. Threat intelligence teams must therefore know what the business identifies as levers of profitability in order to prioritize the identification and dissection of threat events and sources.
At the center of profitability are the business’s strategic assets (customers, employees, infrastructure, applications, vendors). Protecting strategic assets is priority number one, and defensive controls need to be managed as threats emerge.
To ensure protection for key assets, threat analysts must be able to examine the larger threat picture and identify such things as general industry threats, trends, attacker TTPs (tactics, techniques, and procedures), and commodity malware. While an attack on another organization in your industry might not be a direct threat to your own, knowing that several enterprises have been victims of a similar type of attack could indicate the need for hardened internal controls.
The ability to see the larger trends and drill down to direct threats against strategic assets means the threat intelligence team must understand what data it has available internally and what data it needs to source. Gathering information with no purpose beyond vague future applicability is a waste of resources, so set your sights on the information directly tied to the business and its levers of profitability.

Communicate Continuously

Enabling business profitability requires an understanding of the business’s goals and roadmap.
To effectively set the roadmap, the executive layer also needs insight into current and future threats. If, for example, the business wants to acquire a partner but the partner is currently being targeted by hacktivist groups for what they deem unfair business practices, the executive team should have that intelligence before determining a market valuation and extending an offer. During a vendor evaluation, as another example, it is important to know if industry-specific malware, like BlackEnergy or Zeus, is emerging. Aligning one’s business with a risky proposition is not a decision to be taken lightly.
Executives need to hear from the threat intelligence team how and why some of those threats translate to risk, and then learn if and how the risk of those threats can be mitigated. Organizational threats will always exist, and it’s up to the business to decide its risk tolerance. Threat teams can aid the process by keeping executives informed without spreading FUD (fear, uncertainty, and doubt). Delivering the message should be approached in a thoughtful, practical manner; do not overwhelm executives with technical details they neither care about nor understand. Their eyes are on the bottom line, and threat intelligence should be provided in a form that supports moving it in an upward trajectory.

Conclusion


With these four pillars in mind, organizations can run an effective Threat Intelligence Team that contributes to the success of the business. People and tools are important parts of the process, but equally important are cross-functional collaboration and communication.

Monday, February 29, 2016

Leveraging Threat Indicator Confidence

“Understanding the relevancy of a threat is a critical aspect of reducing risk in your environment”
Threat confidence is defined as a measure of a threat’s relevance to an organization. It is a multi-faceted determination that encompasses the many places and ways in which threats can arise on the global Internet.
Determining threat confidence starts with a model of the Internet and of all the communications that occur across it.
Layer 1: Network Devices, Infrastructure and Connectivity
At the heart of the Internet model is the network itself. This includes both the endpoints (e.g. phones, laptops, servers) and the network infrastructure that those endpoints connect to and use to transport data between one another. Without devices, or networks to connect them, no communications would occur. But without an understanding of how communications are transported between devices, the Internet is a black box that can be manipulated or subverted without organizations being aware of the impact on their security.
Layer 1 is the basis of threat confidence. A network device that never connects to your organization’s network is unlikely to be relevant to any threat. Infrastructure that your organization uses to connect to the global Internet is highly relevant. Infrastructure that is insecure is a poor choice for your organization and has a large bearing on potential threats. Endpoints that connect to, or communicate with, your network are highly relevant to threats.
Layer 2: Applications
The next layer in our model is the application layer: the (benign or malicious) applications that run on the network devices and over the network infrastructure. Capturing which applications run on the network devices is vital to knowing what occurs on the network. The ability to identify applications and their associated behaviors (devices they communicate with, ports and protocols used, typical payloads exchanged, frequency of exchanges, etc.) contributes to a greater understanding and predictability of future events. Without this understanding, the use of the Internet again becomes a black box that can be manipulated and controlled from the outside. Botnets are an example: an application created to take control of other devices and make them perform behaviors their owners do not expect.
By characterizing applications and their expected behaviors, the lower layer of network threat confidence can be enhanced and then complemented with application threat confidence.
Layer 3: Users and Owners
Once we have built threat confidence for networks and applications, the next important artifact of global Internet use to determine is the user or owner information associated with the applications and network devices. Network infrastructure ownership is typically known because of the registration requirements for connecting devices to the global Internet. Both autonomous system (AS) and CIDR block ownership can help organizations determine whether those network entities should be communicated with and trusted. These registration mechanisms exist for legitimate reasons, but they can also be used by threat actors. If an organization has identified a known malicious actor, then any communication between its own network and that actor’s web site or server, irrespective of protocol or application, is likely worth further investigation.
Threat confidence is enhanced with greater knowledge of users or owners of networks.
Layer 4: Analyst
The role of the human threat analyst, and of the analysis they provide to enrich raw threat intelligence data, cannot be overstated. Having automated means to gather network, application and user observations for humans to analyze is crucial. But there is a limit to automation, as human knowledge and experience have yet to be captured by programmatic means. It is crucial to have a human analyst as part of any threat confidence model that produces threat confidence for consumption by other security teams.
Many threat characteristics are known within organizations informally, by word of mouth, and are not easily determined by programs. This type of information guides analysis and outcomes. Therefore having the analyst customize and annotate the observations is a critical aspect of making the information relevant and actionable to an organization.
Threat confidence annotation and customization by the experienced human threat analyst is critical.
Layer 5: Workflow
The final layer for threat confidence is not really a layer in itself but one that connects and penetrates layers 1-4. It requires threat confidence to be integrated into an organization’s processes and security environment. Having threat confidence and relevant data has limited usefulness if the data cannot be acted upon quickly and effectively, without delays and dead ends. Two factors drive the usefulness of threat confidence:
  • Easy consumption of threat confidence by other systems, and
  • Easily interpreted and actionable results.
Summary
Threat confidence can be an extremely powerful indicator to determine the relevancy of threat to an organization. To establish accurate threat confidence, a comprehensive approach encompassing network, applications, users, analysts and workflow is required.
Use Threat Intelligence to “Know More. Risk Less. Act Confidently.”
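The five-layer model above, as an added worked example (not the vendor’s scoring or code): each layer contributes evidence to a single indicator verdict that downstream systems can consume without interpretation. The ownership table, the NetFlow-style records, the analyst annotations, the weights and the action thresholds are all constructed for the example and are assumptions; a real deployment would take Layer 3 from WHOIS/RIR data and Layer 1 from the organization’s own flow or proxy telemetry.

```python
"""Score an indicator's relevance ("threat confidence") layer by layer.

Added example illustrating the five-layer model in the post above; not the
vendor's scoring.  Weights, thresholds, the ownership table, the flow records
and the analyst annotations are constructed for the example and are assumptions.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Tuple

# Layer 3 input: constructed netblock ownership table (network, owner, reputation).
OWNERSHIP = [
    (ipaddress.ip_network("198.51.100.0/24"), "Example Bulletproof Host", "malicious"),
    (ipaddress.ip_network("203.0.113.0/24"),  "Example Cloud Provider",   "shared"),
    (ipaddress.ip_network("192.0.2.0/24"),    "Example Corp (us)",        "internal"),
]

# Layer 1 input: constructed NetFlow-style outbound records (src, dst, dst_port, proto).
FLOWS = [
    ("192.0.2.15", "198.51.100.7", 443, "tcp"),
    ("192.0.2.15", "198.51.100.7", 443, "tcp"),
    ("192.0.2.22", "203.0.113.9",   80, "tcp"),
]

# Layer 4 input: constructed analyst annotations keyed by indicator value.
ANNOTATIONS = {
    "198.51.100.7": "confirmed-c2",
    "203.0.113.9":  "false-positive",
}


@dataclass
class Indicator:
    value: str
    expected_ports: Tuple[int, ...] = ()   # Layer 2 behaviour profile supplied by the feed


@dataclass
class Verdict:
    indicator: str
    confidence: int                        # 0..100
    action: str                            # block / investigate / ignore
    reasons: List[str] = field(default_factory=list)


def owner_of(ip: str) -> Tuple[str, str]:
    """Layer 3: longest-match lookup of the netblock owner and its reputation."""
    addr = ipaddress.ip_address(ip)
    for net, owner, rep in OWNERSHIP:
        if addr in net:
            return owner, rep
    return "unknown", "unknown"


def score(ind: Indicator, flows=FLOWS, annotations=ANNOTATIONS) -> Verdict:
    conf, reasons = 0, []

    # Layer 1: did our endpoints actually talk to this infrastructure?
    seen = [f for f in flows if f[1] == ind.value]
    if seen:
        conf += 40
        reasons.append(f"L1: {len(seen)} flow(s) from {len({f[0] for f in seen})} host(s)")
    else:
        reasons.append("L1: never observed on our network")

    # Layer 2: does the observed application behaviour match the feed's profile?
    if seen and ind.expected_ports and all(f[2] in ind.expected_ports for f in seen):
        conf += 20
        reasons.append("L2: ports match expected behaviour")

    # Layer 3: who owns the netblock, and what is their reputation?
    owner, rep = owner_of(ind.value)
    conf += {"malicious": 30, "unknown": 10, "shared": 5, "internal": 0}[rep]
    reasons.append(f"L3: owner {owner} ({rep})")

    # Layer 4: an analyst annotation overrides the arithmetic in either direction.
    note = annotations.get(ind.value)
    if note == "confirmed-c2":
        conf = max(conf, 90)
        reasons.append("L4: analyst confirmed")
    elif note == "false-positive":
        conf = 0
        reasons.append("L4: analyst marked false positive")

    conf = min(conf, 100)
    # Layer 5: a result other systems can act on without further interpretation.
    action = "block" if conf >= 80 else "investigate" if conf >= 40 else "ignore"
    return Verdict(ind.value, conf, action, reasons)


if __name__ == "__main__":
    for ind in (Indicator("198.51.100.7", (443,)), Indicator("203.0.113.9", (443,)),
                Indicator("198.51.100.99")):
        v = score(ind)
        print(v.indicator, v.confidence, v.action, "|", "; ".join(v.reasons))
```

Note the two deliberate asymmetries: an address in a known-bad netblock that has never touched the network stays below the investigate threshold, which is the Layer 1 point that an unconnected device is not yet relevant, and the analyst annotation can zero out a score the automation would otherwise have raised, which is the Layer 4 point that human annotation must be able to correct the programmatic view.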

Chasing Foxes by the Numbers: Patterns of Life and Activity in Hacker Forums

“Pattern of life analysis” is an effective counter terrorism technique that can be applied to cyber threat intelligence. Using patterns to classify adversary behaviors rather than relying on distinct Internet handles, like “UglyGorilla” or “Hassan20,” cyber threat analysts are able to look across multiple handles, posts, forums, and social media sites to identify signals of malicious activity.
During the recent Kaspersky Security Analyst Summit, Recorded Future CEO Christopher Ahlberg shared why we should organize the Web for analysis rather than search. “Attribution,” he explained, “is many times based on sloppy handle usage.” What if a threat actor is cautious? “Handle hopping,” the act of switching between user names, is easy for the threat actor who is conscious of leaving a trail of Internet breadcrumbs. In traditional searching, where the username trail dies off, so does the lead to the threat actor or group.
Putting patterns to work, Recorded Future conducted a sample analysis across 500 hacker forums to find interesting signals. They used natural language processing to identify posts around vulnerabilities and exploits.
Interestingly, they found that in 98.8% of over 742,000 posts the handles used were unique (even though hackers likely used multiple handles to cover their tracks, and members of a group working together each had distinct handles).
While it’s easy to change handles, it’s less easy to change behavior. By clustering patterns, they were able to find similar behaviors among various handles and identify groups working around a particular vulnerability or exploit. Focusing on pattern analysis across user handles allowed them to see the pods who share similar interests and actions online.
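As an added example of the behavioural clustering idea (not Recorded Future’s method, data or code), the script below builds a fingerprint for each handle from what it talks about and when it is active, then links handles whose fingerprints are similar. The posts, the handles and the `VULN-*` tokens standing in for vulnerability identifiers are constructed for the example; the weights and threshold are assumptions.

```python
"""Group forum handles by behaviour rather than by name.

Added example of the pattern-of-life idea in the post above; not Recorded
Future's method or data.  Posts, handles and the VULN-* placeholder tokens
(standing in for vulnerability identifiers) are constructed for the example.
"""
import re
from collections import defaultdict
from itertools import combinations
from typing import Dict, List, Set, Tuple

# Constructed posts: (handle, UTC hour of posting, text).
POSTS = [
    ("fox_01",    2, "anyone have a working poc for VULN-A? selling loader"),
    ("fox_01",    3, "VULN-B exploit tested on win7, pm me"),
    ("redvulpes", 2, "VULN-A poc works, also need VULN-B bypass"),
    ("redvulpes", 4, "loader for VULN-B ready"),
    ("nightowl", 14, "patching VULN-C on our fleet, any notes?"),
    ("dayjob",   15, "VULN-C mitigations summary posted"),
]
VULN_RE = re.compile(r"VULN-[A-Z]")   # placeholder for a real identifier pattern

Fingerprint = Tuple[Set[str], Set[int]]   # (topics mentioned, 4-hour activity windows)


def fingerprints(posts) -> Dict[str, Fingerprint]:
    """One fingerprint per handle: the set of topics and the set of activity windows."""
    topics, windows = defaultdict(set), defaultdict(set)
    for handle, hour, text in posts:
        topics[handle].update(VULN_RE.findall(text))
        windows[handle].add(hour // 4)
    return {h: (topics[h], windows[h]) for h in topics}


def jaccard(a: Set, b: Set) -> float:
    return len(a & b) / len(a | b) if a | b else 0.0


def similarity(fp_a: Fingerprint, fp_b: Fingerprint) -> float:
    """Weighted: what a handle works on counts more than when it is awake."""
    return 0.7 * jaccard(fp_a[0], fp_b[0]) + 0.3 * jaccard(fp_a[1], fp_b[1])


def cluster(posts, threshold: float = 0.6) -> List[Set[str]]:
    """Union-find over every handle pair whose similarity clears the threshold."""
    fps = fingerprints(posts)
    parent = {h: h for h in fps}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in combinations(fps, 2):
        if similarity(fps[a], fps[b]) >= threshold:
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for h in fps:
        groups[find(h)].add(h)
    return sorted(groups.values(), key=lambda g: sorted(g))


if __name__ == "__main__":
    for group in cluster(POSTS):
        print(sorted(group))
```

The result groups handles by shared interest and activity, not by intent: in the constructed data the second pod is two people discussing a patch, and only the analyst reading the posts can tell a crew trading an exploit from defenders comparing notes. The clustering narrows where to look; it does not replace that judgement.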

Monday, February 1, 2016

Is Your Threat Intelligence Platform Just a Tool?

“If the only tool you have is a hammer, you tend to see every problem as a nail.” Abraham Maslow

Throughout the enterprise there are security personnel using a variety of processes and tools to conduct their incident response, network defense, and threat and risk analysis. Generally speaking, most security teams either haven’t centralized their efforts at all, or have done so incompletely, relying on rudimentary, outdated technologies such as email, spreadsheets, a SharePoint portal, or a ticketing system. These techniques, although better than nothing, do not scale as the team grows and as the number of malicious events and security processes increases. This same problem was once commonplace in other parts of the business, and platforms were created to address these concerns and to support the end user in their quest for automation, collaboration across use cases, and better management processes: for example, PeopleSoft for human resources, Salesforce for sales, SAP for manufacturing, and Eloqua for marketing.

Tool, a Means to an End
Tools are purpose-built and difficult to extend beyond the purpose for which they were built. Platforms are extensible and transformative, and make up the foundation of a solution. As an example, picture Legos. Each individual brick is a foundational building block (literally) of countless different types of toys, from a Disney castle to the Millennium Falcon. You can buy specific sets of Legos that include the building blocks for specific things. So rather than buy a dinosaur, you could buy the dinosaur Lego set, and that could be integrated with other sets to form a larger structure. Like Legos, a platform allows the specific need to be solved while at the same time providing an integrated foundation for longer-term solution development.

Tool vs. Platform
There are new tools coming on the market every day, but many are just that: a simple tool and not a true platform. A tool may solve immediate needs, but you must evaluate your needs across multiple stakeholders throughout your organization (i.e., SOC, IR, Threat Team, CIO, CISO, Board) and look to a single platform to bring everyone together. The platform must support the integration of all the stakeholders and of the data relevant to each, in such a way that all interested parties can work together as a team. Customization of the platform is key, as each organization will have different processes and will need to customize its data across those processes for aggregation, analysis, and action.

Leveraging a Solution
Unlike a tool, a Threat Intelligence Platform (TIP) enables personnel throughout the enterprise to manage processes on the security data they care about. Additionally, other processes such as incident response and event triage in the SOC can be uniformly integrated on top of that same threat data, all within a single, adaptive platform. Different processes may take advantage of different features within the platform as well, and newer, more efficient applications can take the place of inefficient or outdated ones. From a management perspective, the platform must present trends, supply real-time updates, and support threat-driven strategic prioritization of risk across the business.
A platform is a foundational capability. It should be extensible, conducive to enterprise collaboration, and able to evolve as your organization’s strategies shift. With that in mind, here is our take on the features to look for in a Threat Intelligence Platform:
  • Go Broad and Deep with Threat Intelligence Data: A Threat Intelligence Platform (TIP) must capture and aggregate all relevant data from across your internal network, partners, and vendors. This includes customizable data elements that require storage and management, processes and workflow capabilities across various teams, as well as the input fields that help staff more quickly support data entry tasks. Ability to extend the platform with compatible applications is also critical for extension of the platform to support new and evolving needs without requiring platform upgrades.
  • Numbers Matter: The TIP should support the specific metrics you want to track, filter, and analyze via customizable reports to understand risk to the business and efficacy across organizational processes for risk avoidance. It should provide analytics that can be reported to your team members and to the organization as a whole.
  • Go Beyond Sharing with Collaboration and Workflow: The TIP should mature with your security strategy with the ability to share data with your team, across the company, with the external supply chain, and in support of threat information sharing organizations, such as an ISAC. It should have the ability to coordinate intelligence informed action among your team which enables streamlined and efficient workflows. Access to the intelligence needs to be balanced with its operational sensitivity, so it must control data visibility with strong role-based access control to ensure data is given to only those who need to see it.
  • Single Source: The TIP must be able to coordinate, track, and measure all security data from within the platform. This avoids wasting time jumping back and forth from inside and outside multiple tools to capture valuable information.
  • Growth and Efficiency: The TIP should be able to integrate your security products across the organization. Verify that not only can the platform consume actionable information, but also that it can digest external information feeds for continued analysis and reporting of intelligence driven events across the organization. Additionally, a TIP should enable growth and automation across all aspects of your business.
  • As the security program matures, analysts must prioritize threat detection, threat response and risk mitigation, relying on the platform to dot the i’s and cross the t’s on their behalf. The team needs to spend its time on the high-priority information a platform helps decipher, not on manually gathering information across multiple tools.
  • Stop looking for tools to solve your problems, rather look for a platform to manage all of your problems.

Harnessing The Power Of Cyber Threat Intelligence

Here are six real-world examples of how changing your modus operandi from reactive to proactive can drive rapid response to the threats that matter

A core tenet of cyber threat intelligence, or CTI, is that it has to be “consumable” and “actionable” to be useful. Without these basic underlying concepts, the best CTI in the world, cultivated from the most beneficial sources and containing the most informed analysis, is nothing more than interesting; and interesting doesn’t mean useful. So the real question is, how do you harness the power of CTI to drive decision advantage and proactive, informed decision making in an ever-increasing threat environment?

There is a great deal of power that comes along with knowing your adversary. By mapping his (or her) past activities and capabilities, historical and current affiliations, and ability to influence within a real and aspirational community of like-minded individuals, understanding his current readiness and objectives, and anticipating his future ambitions, you can obtain a position of dominance that can drastically reduce his chances of success.

This knowledge also extends to both the technical and non-technical nature of the tools and tactics that he has or aspires to use to achieve a real impact. The marriage of these concepts enables actionable knowledge of what defensive postures to take, and how best to position to recognize, detect, mitigate, or in some cases completely avoid the impacts associated with malicious intent.
Whether you are a sports club conducting scouting on an upcoming opponent, a Fortune 500 company conducting competitive research, or a nation state monitoring capabilities of a foe, the best way to win is to know your opponent – and the quickest way to lose is to walk forward in any engagement without that knowledge. Unfortunately, we’ve seen the latter play out far too many times over the past decade in information security, where a lack of deep intelligence on our adversaries has resulted in countless breaches.
“Know thy enemy” & improve every workflow 
Many of your peers are already using CTI to revolutionize and reinvigorate the relationship between security and the business – changing their operating models from reactive to proactive and risk based. True CTI (not raw information but intelligence) helps organizations prioritize better and drive rapid response to the threats that matter. It helps them get ahead of the curve on threats that are “over the horizon” by driving the right investments through risk-based security decisions that map to the needs of the business.
Here are six examples of how CTI is working right now:
Better Board & Business Communications: Look for intelligence that isn’t just deep into the technical weeds. Keep in mind that you can harness the power of threat intelligence to drive strategic decisions. Provide executive summaries written in layman’s language with reporting on adversaries, vulnerabilities and exploitation, and security trends geared specifically towards business leaders. These types of reports help CISOs communicate to the rest of the business, providing tools to highlight the need for action and when required even debunk hype in the industry.
Improved Patch Management Process: True CTI can help GRC teams streamline patch management processes. Using actionable vulnerability and exploitation data, these teams are able to better prioritize which vulnerabilities to patch and on what time schedule.
More Effective “Attack Surface” Protection Systems: CTI plays a key role in making existing security tools better. Many legacy security protection tools are blind to today’s threats. Further, even when tools can be configured to block automatically based on data in raw threat feeds, network operations often does not turn this feature on for fear of blocking the wrong things and adversely impacting the business. With highly validated CTI, organizations that are otherwise reticent to turn on automatic blocking can block with confidence.
Situational Awareness & Event Prioritization: High fidelity CTI enables SOC teams to prioritize which events are most important by delivering more power to security information and event management (SIEM) systems.
IR Attribution & Messaging: CTI can help incident responders understand who is targeting their organization and improve communications across the business, resulting in better informed response. CTI changes the discussion from “We were hit with malware variant x” to “an actor group from Eastern Europe is targeting us, and others in our sector, and actively trying to steal personally identifiable information (PII). They can use this PII to take out credit cards in our customers’ names.”
Find & Fix Everything: True CTI helps forensic teams determine incident attribution and make sure they find and fix everything. Figuring out who is attacking you is impossible without adversary-focused intelligence. Further, if you don’t know who attacked you or what else they may have used against you in the past, you or your third-party forensic team may not find and fix everything.