Monday, February 29, 2016

Leveraging Threat Indicator Confidence

“Understanding the relevancy of a threat is a critical aspect of reducing risk in your environment”
The concept of threat confidence is defined as a measure of a threat's relevancy to an organization. Threat confidence is a multi-faceted determination that encompasses multiple aspects of where and how threats can arise on the global Internet.
Determining threat confidence starts by having a model of the Internet and all communications that occur across it.
Layer 1: Network Devices, Infrastructure and Connectivity
At the heart of the Internet model is the network itself. This includes both the endpoints (e.g. phones, laptops, servers) as well as the network infrastructure that those endpoints connect to and use to transport data between endpoints. Without devices or networks to connect devices, no communications would be occurring. But, without an understanding of how communications are transported between devices, the Internet is a black box that can be manipulated or subverted without organizations being aware of those negative impacts to their security.
Layer 1 is the basis of threat confidence. A network device that never connects to your organization’s network is likely not relevant to any threat. Infrastructure that your organization uses to connect to the global Internet is extremely relevant to threat. Infrastructure that is insecure is likely a poor choice for your organization and will have a large impact on potential threats. Endpoints that connect to your network or communicate with your network are extremely relevant to threats.
Layer 2: Applications
The next layer in our model is the application layer and the (good or malicious) applications that run over the network devices and network infrastructure. Capturing which applications run on the network devices is vital to knowing what occurs on the network. The ability to identify applications and their associated behaviors (the devices they communicate with, the ports and protocols used, typical payloads exchanged, frequency of exchanges, etc.) contributes to a greater understanding and predictability of future events. Without this understanding, the use of the Internet again becomes a black box that can be manipulated and controlled from the outside. Botnets are examples of applications created to take control of other devices and make them perform unexpected behaviors.
By characterizing applications and their expected behaviors, the lower layer of network threat confidence can be enhanced and then complemented with application threat confidence.
Layer 3: Users and Owners
Once we have built threat confidence for networks and applications, the next important artifact of global Internet use to determine is the user or owner information associated with the applications and network devices. Network infrastructure ownership is typically known due to the registration requirements when connecting devices to the global Internet. Both autonomous system and CIDR ownership can help organizations determine whether those network entities should be communicated with and trusted. The reasons these technologies exist are legitimate, but they can also aid threat actors. If an organization has identified a known malicious actor, then clearly any communications between that actor’s web site or server and the organization, irrespective of protocol or application, are likely worth further investigation.
Threat confidence is enhanced with greater knowledge of users or owners of networks.
Layer 4: Analyst
The role of the human threat analyst, and the analysis they provide to enrich raw threat intelligence data, cannot be overstated. Having automated means to gather network, application and user observations and provide them to humans for analysis is crucial. But there is a limit to automation, as human knowledge and experience have yet to be captured by programmatic means. It is crucial to have a human analyst as part of any threat confidence model that provides threat confidence for consumption by other security teams.
Many threat characteristics are known within organizations only informally, by word of mouth, and are not easily determined by programs. This type of information guides analysis and outcomes. Therefore, having the analyst provide customization and annotations to the observations is a critical aspect of making the information relevant and actionable to an organization.
Threat confidence annotation and customization by the experienced human threat analyst is critical.
Layer 5: Workflow
The final layer for threat confidence is not really a layer in itself but a layer that connects and penetrates layers 1-4. It requires threat confidence to be integrated into an organization’s processes and security environment. Having threat confidence and relevant data has limited usefulness if the data cannot be acted upon quickly and effectively, without delays and dead ends. There are two factors that drive the usefulness of threat confidence:
  • Easy consumption of threat confidence by other systems, and
  • Easily interpreted and actionable results.
Summary
Threat confidence can be an extremely powerful indicator to determine the relevancy of threat to an organization. To establish accurate threat confidence, a comprehensive approach encompassing network, applications, users, analysts and workflow is required.
Use Threat Intelligence to “Know More. Risk Less. Act Confidently.”

Chasing Foxes by the Numbers: Patterns of Life and Activity in Hacker Forums

“Pattern of life analysis” is an effective counterterrorism technique that can be applied to cyber threat intelligence. Using patterns to classify adversary behaviors rather than relying on distinct Internet handles, like “UglyGorilla” or “Hassan20,” cyber threat analysts are able to look across multiple handles, posts, forums, and social media sites to identify signals of malicious activity.
During the recent Kaspersky Security Analyst Summit, Recorded Future CEO Christopher Ahlberg shared why we should organize the Web for analysis rather than search. “Attribution,” he explained, “is many times based on sloppy handle usage.” What if a threat actor is cautious? “Handle hopping,” the act of switching between user names, is easy for the threat actor who is conscious of leaving a trail of Internet breadcrumbs. In traditional searching, where the username trail dies off, so does the lead to the threat actor or group.
Putting patterns to work, Recorded Future conducted a sample analysis across 500 hacker forums to find interesting signals. They used natural language processing to identify posts around vulnerabilities and exploits.
Interestingly, they found that in 98.8% of over 742,000 posts, the handles used were unique (even though it’s likely hackers used multiple handles to cover their tracks, and groups of hackers working together each had distinct handles).
While it’s easy to change handles, it’s less easy to change behavior. By clustering patterns, they were able to find similar behaviors among various handles and identify groups working around a particular vulnerability or exploit. Focusing on pattern analysis across user handles allowed them to see the pods who share similar interests and actions online.

Monday, February 1, 2016

Is Your Threat Intelligence Platform Just a Tool?

“If the only tool you have is a hammer, you tend to see every problem as a nail.” (Abraham Maslow)

Throughout the enterprise there are security personnel using a variety of processes and tools to conduct their incident response, network defense, and threat and risk analysis. Generally speaking, most security teams either haven’t centralized their efforts at all, or they have done it incompletely, relying on rudimentary, outdated technologies such as email, spreadsheets, a SharePoint portal, or a ticketing system. These techniques, although better than nothing, do not scale as the team grows and as the number of malicious events and security processes increases. This same problem was once commonplace in other parts of the business, and platforms were created to address these concerns and to support the end user in their quest for automation, collaboration across use cases, and better management processes: for example, PeopleSoft for human resources, Salesforce for sales, SAP for manufacturing, and Eloqua for marketing.

Tool, a Means to an End
Tools are purpose built and difficult to extend beyond the original purpose for which they were built. Platforms are extensible, transformative and make up the foundation of a solution. As an example, picture Legos. Each individual brick is a foundational building block (literally) of countless different types of toys, from a Disney castle to the Millennium Falcon. You can buy specific sets of Legos that include the building blocks of specific things. So rather than buy a dinosaur, you could buy the dinosaur Lego set, which could then be integrated with other sets to form a larger structure. Like Legos, a platform allows the specific need to be solved while at the same time providing an integrated foundation for longer term solution development.

Tool vs. Platform
There are new tools coming on the market every day, but many are just that – a simple tool and not a true platform. A tool may solve immediate needs, but you must evaluate your needs across multiple stakeholders throughout your organization (i.e., SOC, IR, Threat Team, CIO, CISO, Board) and look to a single platform to bring everyone together. The platform must support the integration of all the stakeholders and the data that is relevant to each in such a way that all interested parties can work together as a team. Customization of the platform is key, as each organization will have different processes, and a need for data customization across those processes for aggregation, analysis, and action.

Leveraging a Solution
Unlike a tool, a Threat Intelligence Platform (TIP) enables personnel throughout the enterprise to manage processes on the relevant security data that they care about. Additionally, other personnel processes such as incident response and event triage in the SOC can be uniformly integrated on top of that same threat data, all within a single, adaptive platform. Different processes may take advantage of different features within the platform as well. Additionally, newer, more efficient applications can take the place of inefficient or outdated applications. From a management perspective, the platform must present trends, supply real-time updates, and support threat-driven strategic prioritization of risk across the business.
A platform is a foundational capability. It should be extensible, conducive to enterprise collaboration and able to evolve as your organization’s strategies shift. With that in mind, here is our take on the features you want to look for in a Threat Intelligence Platform:
  • Go Broad and Deep with Threat Intelligence Data: A Threat Intelligence Platform (TIP) must capture and aggregate all relevant data from across your internal network, partners, and vendors. This includes customizable data elements that require storage and management, processes and workflow capabilities across various teams, as well as the input fields that help staff more quickly support data entry tasks. Ability to extend the platform with compatible applications is also critical for extension of the platform to support new and evolving needs without requiring platform upgrades.
  • Numbers Matter: The TIP should support the specific metrics you want to track, filter, and analyze via customizable reports to understand risk to the business and efficacy across organizational processes for risk avoidance. It should provide analytics that can be reported to your team members and to the organization as a whole.
  • Go Beyond Sharing with Collaboration and Workflow: The TIP should mature with your security strategy with the ability to share data with your team, across the company, with the external supply chain, and in support of threat information sharing organizations, such as an ISAC. It should have the ability to coordinate intelligence informed action among your team which enables streamlined and efficient workflows. Access to the intelligence needs to be balanced with its operational sensitivity, so it must control data visibility with strong role-based access control to ensure data is given to only those who need to see it.
  • Single Source: The TIP must be able to coordinate, track, and measure all security data from within the platform. This avoids wasting time jumping back and forth from inside and outside multiple tools to capture valuable information.
  • Growth and Efficiency: The TIP should be able to integrate your security products across the organization. Verify that not only can the platform consume actionable information, but also that it can digest external information feeds for continued analysis and reporting of intelligence driven events across the organization. Additionally, a TIP should enable growth and automation across all aspects of your business.
  • As a security program matures, analysts must prioritize threat detection, threat response and risk mitigation, relying on the platform to dot the i’s and cross the t’s on their behalf. Moreover, the team needs to spend that time focusing on the high priority information that a platform helps decipher, not manually gathering information across multiple tools.
  • Stop looking for tools to solve your problems, rather look for a platform to manage all of your problems.

Harnessing The Power Of Cyber Threat Intelligence

Here are six real-world examples of how changing your modus operandi from reactive to proactive can drive rapid response to the threats that matter.

A core tenet of cyber threat intelligence, or CTI, is that it has to be “consumable” and “actionable” to be useful. Without these basic underlying concepts, the best CTI in the world, cultivated from the most beneficial sources and containing the most informed analysis, is nothing more than interesting; and interesting doesn’t mean useful. So the real question is: how do you harness the power of CTI to drive decision advantage and proactive, informed decision making in an ever increasing threat environment?

There is a great deal of power that comes along with knowing your adversary. By mapping his (or her) past activities and capabilities, historical and current affiliations, and ability to influence within a real and aspirational community of like-minded individuals, understanding his current readiness and objectives, and anticipating his future ambitions, you can obtain a position of dominance that can drastically reduce his chances of success.

This knowledge also extends to both the technical and non-technical nature of the tools and tactics that he has or aspires to use to achieve a real impact. The marriage of these concepts enables actionable knowledge of what defensive postures to take, and how to best position to recognize, detect, mitigate, or in some cases completely avoid the impacts associated with malicious intent.
Whether you are a sports club conducting scouting on an upcoming opponent, a Fortune 500 company conducting competitive research, or a nation state monitoring capabilities of a foe, the best way to win is to know your opponent – and the quickest way to lose is to walk forward in any engagement without that knowledge. Unfortunately, we’ve seen the latter play out far too many times over the past decade in information security, where a lack of deep intelligence on our adversaries has resulted in countless breaches.
“Know thy enemy” & improve every workflow
Many of your peers are already using CTI to revolutionize and reinvigorate the relationship between security and the business – changing their operating models from reactive to proactive and risk based. True CTI (not raw information but intelligence) helps organizations prioritize better and drive rapid response to the threats that matter. It helps them get ahead of the curve on threats that are “over the horizon” by driving the right investments through risk-based security decisions that map to the needs of the business.
Here are six examples of how CTI is working right now:
Better Board & Business Communications: Look for intelligence that isn’t just deep into the technical weeds. Keep in mind that you can harness the power of threat intelligence to drive strategic decisions. Provide executive summaries written in layman’s language with reporting on adversaries, vulnerabilities and exploitation, and security trends geared specifically towards business leaders. These types of reports help CISOs communicate to the rest of the business, providing tools to highlight the need for action and when required even debunk hype in the industry.
Improved Patch Management Process: True CTI can help GRC teams streamline patch management processes. Using actionable vulnerability and exploitation data, these teams are able to better prioritize which vulnerabilities to patch and on what time schedule.
More Effective “Attack Surface” Protection Systems: CTI plays a key role in making existing security tools better. Many legacy security protection tools are blind to today’s threats. Further, even when tools can be configured to automatically block based off of data in raw threat feeds, network operations often does not turn this feature on for fear that they will block the wrong things and adversely impact the business. With highly validated CTI, organizations that are otherwise reticent to turn on automatic blocking can now block with confidence.
Situational Awareness & Event Prioritization: High fidelity CTI enables SOC teams to prioritize which events are most important by delivering more power to security information and event management (SIEM) systems.
IR Attribution & Messaging: CTI can help incident responders understand who is targeting their organization and improve communications across the business – resulting in better informed response. CTI changes the discussion from “We were hit with malware variant x” to “an actor group from Eastern Europe is targeting us, and others in our sector, and actively trying to steal personally identifiable information (PII). They can use this PII to take out credit cards in our customers’ names.”
Find & Fix Everything: True CTI helps forensic teams determine incident attribution and make sure they find and fix everything. Figuring out who is attacking you is impossible without adversary-focused intelligence. Further, if you don’t know who attacked you or what else they may have used against you in the past, you or your third-party forensic team may not find and fix everything.

How to Avoid the Common Pitfalls While Browsing the Web

Web browser exploits are on the rise due to the ease with which they are executed. Too often, the user starts with the browser that ships with their device and then uses that pre-installed browser to download their favorite browser.
The problem?
The default configuration on the original browser is probably not secure in the first place, plus it’s rarely removed after the preferred browser is subsequently installed, leaving opportunities for exploitation. The downloaded browser, too, may not have a secure default configuration, and every time it’s used, new vulnerabilities are waiting.
“Click to install” is very convenient, but it can lead to troublesome vulnerabilities, including malware, remote code execution, violations of privacy, stolen data, or even escalation of privileges. This last point is especially concerning for security professionals, since their organization’s typical user isn’t concerned with security when using their favorite browser to surf the Web, but it can lead to disastrous consequences for the organization.
Here are a few tips security pros can pass along to users (and family and friends) to keep Web browsing activities secure.

Disable Third-Party Cookies

Websites use cookies that store data about a user’s browsing activity to enhance the user’s experience.
For instance, data about search habits, geolocation, or site preferences are used to help tailor the content the user sees or remember what the user last did when visiting the site. Cookies are saved as little packets of data on the user’s machine and sent back to the browsed site each time the user returns. Cookies are designed to be readable only by the website that created them.
This goes for advertisements placed on the host Web page, too. Any advertiser who embeds an ad on a Web page — and there are many, which is why so much content is served up for free — has the ability to track a user’s habits, location, and preferences.
These third-party cookies are helpful to the advertiser, but in the hands of a malicious adversary, a user’s privacy and security can be compromised. In addition, some websites use cookies for authentication, which means that if an attacker gains access to credentials, he can gain unauthorized access to the site and/or other areas of the user’s system, unbeknownst to the user.
A stealthy attacker can build a profile of a user if he is persistent enough, and this is dangerous to the user and potentially the organization to which the user’s system is connected.
Fortunately, most modern browsers allow for control of privacy settings and users can disable third-party cookies and keep their browsing habits more secure. Because most browsers allow third-party cookies by default, the user should adjust the settings as soon as the browser is installed.
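To make the first-party/third-party distinction concrete, here is an added example (not code from the original post) that sorts the Set-Cookie responses loaded by one page into first- and third-party cookies, applies the "block third-party cookies" setting, and shows which stored cookies each site can read back. All URLs and headers are constructed, and the registrable-domain helper is a toy stand-in for the Public Suffix List a real browser consults.

```javascript
// Added example (not from the original post): sorts Set-Cookie responses into
// first- and third-party relative to the top-level page, applies the
// "block third-party cookies" setting, and shows which cookies each site can
// read back. All sample URLs and headers below are constructed.

// Simplified stand-in for a Public Suffix List lookup (assumption: real
// browsers consult the full list; this toy set covers only the sample data).
const TWO_LEVEL_SUFFIXES = new Set(['co.uk', 'com.au']);

// "Site" = registrable domain (eTLD+1), the unit third-party blocking keys on.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  const lastTwo = labels.slice(-2).join('.');
  const keep = TWO_LEVEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join('.');
}

// A response is third-party when its site differs from the page's site.
function isThirdParty(topLevelUrl, responseUrl) {
  return registrableDomain(new URL(topLevelUrl).hostname) !==
         registrableDomain(new URL(responseUrl).hostname);
}

// Minimal Set-Cookie parser: name, value and the Domain attribute only.
function parseSetCookie(header, responseHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   domain: responseHost, hostOnly: true };
  for (const a of attrs) {
    const [k, v = ''] = a.split('=');
    if (k.toLowerCase() === 'domain' && v) {
      cookie.domain = v.replace(/^\./, '').toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// RFC 6265 domain matching: host-only cookies need an exact host match,
// domain cookies match the domain itself and any subdomain of it.
function domainMatches(host, cookie) {
  const h = host.toLowerCase();
  if (cookie.hostOnly) return h === cookie.domain;
  return h === cookie.domain || h.endsWith('.' + cookie.domain);
}

// Stores cookies from every response on the page; drops third-party ones
// when blockThirdParty is on, recording what was refused.
function buildCookieJar(topLevelUrl, responses, { blockThirdParty }) {
  const jar = [], blocked = [];
  for (const r of responses) {
    const host = new URL(r.url).hostname;
    const thirdParty = isThirdParty(topLevelUrl, r.url);
    for (const h of r.setCookie) {
      const entry = { ...parseSetCookie(h, host), setBy: host, thirdParty };
      (thirdParty && blockThirdParty ? blocked : jar).push(entry);
    }
  }
  return { jar, blocked };
}

// Names of stored cookies that would be sent to a given host on a later request.
function cookiesSentTo(jar, host) {
  return jar.filter(c => domainMatches(host, c)).map(c => c.name);
}

// Constructed sample: a news page loading its own CDN and an ad network pixel.
const PAGE = 'https://news.example.com/article';
const RESPONSES = [
  { url: 'https://news.example.com/article',
    setCookie: ['session=abc123; Secure; HttpOnly'] },
  { url: 'https://static.example.com/app.js',
    setCookie: ['pref=dark; Domain=.example.com'] },
  { url: 'https://ads.tracker-example.net/pixel.gif',
    setCookie: ['uid=9f3a; Domain=.tracker-example.net; Secure'] },
];

// With blocking off, the ad network's cookie is stored and will be sent back
// from every page that embeds its pixel; with blocking on, it never lands.
// The CDN cookie is same-site (example.com) and is kept in both cases.
const permissive = buildCookieJar(PAGE, RESPONSES, { blockThirdParty: false });
const blocking = buildCookieJar(PAGE, RESPONSES, { blockThirdParty: true });
console.log('stored (permissive):', permissive.jar.map(c => c.name));
console.log('blocked (strict):', blocking.blocked.map(c => `${c.name} from ${c.setBy}`));
console.log('sent to ads.tracker-example.net:', cookiesSentTo(permissive.jar, 'ads.tracker-example.net'));
```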

Enable “Click to Play” for Third-Party Content

PDF and Flash are two well-known vulnerable content delivery mechanisms that are also ubiquitous. Websites use Flash to enhance the user’s experience, and the more interactive Web content becomes, the more it is used by businesses that want to engage customers and create stickiness for their brand.
PDF is used constantly and consistently across businesses to create more official, professional-looking, and unalterable documents. Unfortunately, Adobe vulnerabilities are also well known. Patches for Adobe vulnerabilities are issued regularly, but often only after an exploit, and, as all security pros know, patching doesn’t occur as frequently as it should.
Adobe isn’t the only concern; Java, HTML 5, and other markup languages are commonly the basis for interactive Web-based content. This content, along with USBs and other removable media, is typically set to Auto Play — a feature that can introduce malicious code on a user’s system. For example, an infected USB was the source of infection for the Stuxnet virus, which illustrates the disastrous effects Auto Play can cause.
To eliminate the problem of Auto Play, disable it through the settings in your control panel. Additionally, be sure to update old versions of tools and apply patches regularly.

Use an Add-On Like NoScript

JavaScript, also known as ECMAScript, is a dynamic scripting language used to make websites more interactive and user friendly.
JavaScript is also responsible for several malicious attack types like cross-site scripting (XSS) and cross-site request forgery (XSRF). These vulnerabilities can occur because JavaScript is embedded in an HTML page so the site can perform specific functions, like serving up an online form, for example. The problem with JavaScript, however, is that it interacts with the Web page Document Object Model (DOM) and executes malicious content or obtains unauthorized permissions from the site.
To keep sites that use JavaScript safer, users should employ add-ons like NoScript, which only allows executable content if the site is trusted and has been whitelisted.
NoScript is a free, open source add-on that, once downloaded and installed on the user’s computer, appears in the status bar on every page the user visits. As with disabling AutoPlay, an add-on like NoScript gives the user more granular control of what can and cannot run on his or her system.

Don’t Ignore Browser Updates

Browser updates are bothersome but can be one of the best ways to keep Web browsing secure.
Old, outdated browser versions may lack fixes for current vulnerabilities, which are disclosed daily. Malicious websites take advantage of out-of-date browsers because it’s an easy and low-cost way to compromise a user’s machine.
Many browsers will prompt the user when it’s time for an update, but users can also check their own versions:
Internet Explorer: To turn on automatic updates, click the Internet Explorer icon on the task bar, select the Tools option (or click Help in the menu bar), and then click About Internet Explorer. Select the Install new versions automatically check box, and then click OK.
Mozilla Firefox: At the top of the Firefox window, click the Help menu and select About Firefox. The About Mozilla Firefox window will open, and Firefox will begin checking for updates. If an update is available, it will begin downloading automatically.
Chrome: Open Google Chrome on your computer. In the top right, click the Chrome menu and select Help > About Google Chrome. The current version number is the series of numbers beneath the “Google Chrome” heading. Chrome will check for updates when you’re on this page. Click Relaunch to apply any available update.
Safari: You can keep Safari up to date by keeping OS X up to date. To get the most recent version of Safari, install the latest version of OS X from the Mac App Store and keep an eye out for all available Safari and OS X updates.

Limit Browser Extensions

Browser extensions offer users new ways to interact with their browser and to access other features not available through the browser alone and can increase the functionality of a website.
For instance, the Recorded Future lookup extension allows users to dig into the details of technical indicators of compromise by simply right-clicking on a piece of information on the Web page. Some extensions add fun functionality, like a toolbar that gives the user access to new types of emojis, or offer plug-ins, like the Pinterest plugin, that enable users to create an online interest board by clicking on the little logo in their browser.
Like any Web tool, though, extensions are not 100% bug free. Malicious extensions can install malware, snoop on your browsing, or even steal sensitive data when you interact with various websites.
To keep your browser safe, install extensions only from trustworthy sources after conducting a bit of research. Some browsers provide a list of the permissions required to download the extension. Whenever possible, check permissions before downloading and limit permissions to only those that are necessary to run the extension. Adding a toolbar with emojis, for example, shouldn’t require access to the user’s contacts database.

Conclusion

The Web is a risky place — there’s no getting around that. It’s also core to our daily personal and business lives. With just a little effort, however, users can increase their browsing security and keep their activities more private from prying eyes.