Imagine that you are at your workplace, turn on your computer and realize that your company's website is down, the cargo is stuck at the customs and cannot reach the warehouse. To add insult to injury, the accountant approaches you, saying that some of your organization's funds have been withdrawn and employees' personal data has been spilled all over the Internet. At this point, you get it – you fell victim to a data breach.
You could avoid this if you used a threat intelligence (TI) system. Let us figure out how TI works and protects.
Threat intelligence is intended to collect and analyze information on relevant threats in order to predict and prevent possible cyber-attacks. It includes the following stages: collecting threat data from diverse sources, enriching and analyzing this data, and then using the obtained knowledge.
The following tools and techniques facilitate the process of harvesting threat information:
Crawlers – automated systems that scour various online sources for data about known threats.
Sandbox – an isolated environment allowing you to safely execute suspicious code in order to identify and analyze malicious software.
Botnet monitoring – keeping track of computer networks supervised by perpetrators' Command & Control servers.
Honeypot – a network fragment segregated from the organization's IT infrastructure that serves as bait for the attacker.
Sensors – agent programs that harvest valuable data from corporate devices.
Open-source intelligence (OSINT) provides additional feeds that span the following types of information:
CERT analytic centers and independent researchers' blogs also can provide helpful information. These sources can give you the lowdown on existing vulnerabilities, the appropriate detection rules, and the investigation workflows.
The system can also be augmented with information on past data breaches and sensitive details that ended up on the Internet illegally. These can include account credentials for systems and services, email addresses, credit card details, passwords, etc.
The threat intelligence system can also be supplemented with data on vulnerabilities and attack vectors recently discovered by partners, vendors, and contractors.
The entire harvested data is accumulated within a single platform that allows for enriching, analyzing, and using threat information.
The information collected on specific threats is augmented with contextual details. Data enrichment is an important milestone here. It denotes a process of retrieving additional technical attributes for known attacks, including:
During the analysis phase, the system combines events and attributes related to an attack using the following properties: territory, timeframe, targeted industry, criminal group, etc. The threat intelligence solution performs a correlation of different events.
To process the feeds, it is necessary to select their source depending on the targeted sector's specificity, the types of attacks relevant for the specific company, as well as the attributes and IOCs (indicators of compromise) that bridge the gap in addressing the risks unattended by the rules of the protection system. The next stage is to determine the feeds' value and prioritize them based on the following criteria:
The following instruments can be used to classify feed data:
Analysts uncover the attackers' TTP characteristics, overlay data and events upon the system intrusion model, and build chains of attack deployment. It is important to form a general view of the compromise, considering the overall architecture of the system being protected ,as well as the ties between components. It is also worth taking into account the probability of a more complex attack, one that will affect most hosts and exploit several vulnerabilities at a time.
Prediction is the essential task to perform based on the conducted analysis. The TI system determines the most likely attack vectors given the industry peculiarities, geolocation, timeframe, offensive tools, and degree of severity. The discovered threats are subject to prioritization depending on the potential damage.
Threat intelligence data helps detect leaks of the organization's proprietary information that may have ended up on the Internet. It also allows for managing risks to the brand emanating from discussions of attack plans on darknet forums, illicit use of the brand name for phishing campaigns, disclosure of trade secrets, and the abuse thereof by competitors.
The aggregated knowledgebase can be applied to create attack detection rules for information security systems and conduct incident response and investigation within the SOC (Security Operations Center).
Security experts should regularly review the threat model and reassess the risks based on new circumstances.
Such a multilayered approach will allow you to thwart breaches at their early stage when the adversaries are only attempting to infiltrate the information system. The TI platform can also help your enterprise comply with security regulations. Overall, taking advantage of cyber intelligence professionals' experience in harvesting, processing, and applying threat data allows IT security departments to take their companies' data protection mechanisms to a new level.
Alex Vakulov is a cybersecurity researcher with over 20 years of experience in malware analysis and strong malware removal skills.
No entries found