
Journey to Threat Intelligence Analysis and Management

WHITEPAPER


It is apparent that the cyber landscape today favors attackers over defenders. Threat actors, operating as groups or individuals, are diverse. Hacktivists, cyber criminals, and state agents all leverage Internet anonymity to execute sophisticated attacks against their targets. Former top U.S. security officials have conceded that every organization with an Internet-facing presence has been hacked, is being hacked, or will be hacked.[1][2] Threat actors are using advanced tactics, techniques, and procedures (TTP) to obscure identification and attribution. With the advantage to the attackers, organizations need context on the intent and capabilities of their adversaries in order to improve their own cyber security postures.

Traditional Best Practices Remain In Place

Legacy security solutions such as desktop and server anti-virus, firewalls, intrusion-detection/prevention systems (IDS/IPS), email gateways, URL filters, and web and database firewalls all have their roles in preventing a range of what might be considered unsophisticated or previously observed attack patterns.

Inner and Outer View of Emerging Threats

More sophisticated attack mechanisms are developed every day, spawning a global Internet marketplace for sharing and advancing threats, frequented by nation-state actors, organized crime syndicates and hacktivists. The result is more attacks on personally identifiable information (PII), intellectual property (IP) and all data that may have value. In response to worsening threats, traditional security vendors have responded with solutions to detect advanced malware, block network traffic based on previously observed exploits, or use behavioral analysis to inform decision-making processes.

Existing approaches to information security all rely on studying the effects of a breach or obtaining samples of existing malware. The result is that at least one “patient zero” infection is required before an adequate defense can be developed and deployed to protect from future attacks.

Better, more effective solutions are needed to rein in the escalating costs of attacks and mitigation.

Threat Intelligence Analysis and Management offers a universal view of threats seen globally and identifies the relationships between new observations and their historical predecessors, well beyond the current approach of viewing an organization from the inside. There are potential benefits to being able to see an organization from the outside. Before you can defend your network you must know how it will be attacked, and the known universe of threats, including actors, tactics, techniques, procedures, geographies and associations, is the only way to identify attacks before they target your organization. Preemptive action against threats, leveraging the visibility provided by cyber threat intelligence, has a tangible impact on the individuals maintaining the front line of defense. Threat intelligence driven defenses reduce risk for the decision makers who are ultimately responsible for their organizational security posture.

From Threat Feeds to Threat Intelligence Management

The fundamental charter of the cyber security threat analyst is to aggregate, synthesize, and distill collected information into usable intelligence. Threat information is available from government or other non-profit entities such as the education sector, as well as threat intelligence feed providers. Unfortunately, in many cases, the information provided by these entities is just that – information. It is occasionally referred to as “raw intelligence,” but any use of the word “intelligence” implies that the data will have some intrinsic value to the user. In his book Reducing Uncertainty, Dr. Thomas Fingar, the first Deputy Director of National Intelligence for Analysis, and the architect for the U.S. Intelligence Community’s overhaul of its intelligence tradecraft standards, made the distinction between information and intelligence clear:

“...until [that] information is assessed and interpreted by an analyst, it’s just data.”

“Raw intelligence” may be useful for the most sophisticated users able to use open source offerings to aggregate and normalize it, but most organizations need a supported solution to make raw intelligence useful.

Gathering threat information is fairly easy; understanding, interpreting and acting on it is the challenge, especially given the lack of experienced cyber security analysts with expertise in adding industry-vertical or organization-relevant context to cyber threat analysis. Analysts must rely on their knowledge of the issue, and on the quality and reliability of collected information. Most importantly, they rely on their knowledge of the assets they are protecting to be able to leverage intelligence effectively. The enormous volume of data and the corresponding threat analysis challenges present two crucial limitations: accurate threat criticality assessment and the confidence required to take action in advance of threats occurring. Threat Intelligence Analysis and Management addresses those limitations.

Threat Intelligence Needs Management

Threat analysis depends first on the collection of relevant information, which requires an ingestion process and data storage. Only then can comprehensive analysis, insight and actionable outcomes follow, and they depend on verified and accurate information. Threat Intelligence Analysis and Management provides these capabilities, facilitating analyst efforts to cull through large amounts of data, prioritize and interpret it, and present relevant findings and action recommendations to stakeholders.


[1] http://www.zdnet.com/article/richard-clarke-china-has-hacked-every-major-us-company/
[2] http://www.businessinsider.com/fbi-director-china-has-hacked-every-big-us-company-2014-10


Threat data can come from a variety of sources that ultimately provide individual, and in some cases interrelated, pieces of the larger threat picture. Fusing threat data sources with global Internet context greatly enhances visibility across the universe of cyber threats with the inclusion of:

» Threat Data Feeds The vast amount of technical indicators and data supplied by proprietary and free feeds presents a big data challenge to aggregate, extract and normalize into a coherent picture. In cyberspace, where attacks happen in milliseconds and persist for months and years, an analyst must expeditiously synthesize and identify pertinent data clusters in a wash of noise. More importantly, these clusters must be evaluated and verified. Analyst confidence depends on both authentication and corroboration of threat data, which otherwise creates the risk of diversions, false positives or mitigation steps that exacerbate rather than reduce vulnerabilities. Misinterpreted analysis based on an incomplete data set does not provide stakeholders with the insight required to make the right decisions.

» Entity Historical Data The history of an IP address, autonomous system (ASN) or domain’s (FQDN) participation in the global threat landscape provides the required foundation for threat modeling that determines the likelihood of the cyber threats an organization will face. An organization cannot defend itself without first knowing how attackers will target it.

» Contextual Threat Intelligence Analysts must understand threat data feeds as well as their own assets, and how they are interacting with each other. Mapping global assets to the Internet, and being aware of their public Internet presence, are vital elements of a comprehensive Threat Intelligence Analysis and Management system.

» Internal Information and Correlation Internal network telemetry, correlated with external threat intelligence, delivers the final piece of organization-specific insight into its current security posture and risk exposure, leading to informed decisions, proactive mitigation and expedited incident response.

Fusing data feeds, history and context can help analysts assess criticality and provide proactive recommendations with confidence.

Threat Intelligence Analysis and Management Use Cases

» Organizational Outside In Threat Analysis Threat Intelligence Analysis and Management utilizes fused information to provide a view of risks to the organization originating from beyond its perimeter, with a global aggregation of correlated, third-party feeds. This outside-in view is a force multiplier for all existing security processes, from periodic penetration testing to continuous intrusion detection and prevention, security event correlation using a SIEM, and incident response should a data breach occur.

» Third Party Monitoring A large 2013 retail breach revealed the potential vulnerability third party partners pose to an organization. According to available public analysis of the incident, attackers were able to breach a third party (an approved vendor) and compromise credentials that allowed them access to the primary target’s networks. Organizations that permit third party partner access into their networks are at risk of similar compromises, especially if they do not implement proper access policy controls. Threat Intelligence Analysis and Management delivers the ability to monitor the threats targeting third party partners, industry peers, or supply chain vendors to help identify preventative steps based on visible risks or to prevent unintentional compromise from trusted parties.

» Enhanced Incident Response Besides enabling an organization to get ahead of threats and attacks, Threat Intelligence Analysis and Management also assists with the inevitable incidents that occur in even the best-protected organizations. It delivers insight on threat actors, tactics, techniques, and procedures along with historical views of IP addresses, domains, CIDRs, and autonomous systems. When correlated with internal network telemetry, a complete view of the breach, including compromised hosts and external destinations, is available to help with immediate cleanup operations and ongoing forensic investigations.
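The feed-fusion and telemetry-correlation workflow described in the "Threat Data Feeds", "Internal Information and Correlation" and "Enhanced Incident Response" sections, as an added illustration that is not LookingGlass code and not part of the original whitepaper. It normalizes two small constructed feeds in different formats (RFC 5737 documentation addresses and a .test domain, not real indicators), records which feeds corroborate each indicator, matches constructed proxy-style telemetry against the fused set (exact IP, containing CIDR, or exact domain), and separates corroborated hits from single-source hits that still need analyst verification. The feed formats, log format and the two-source corroboration threshold are assumptions for the example.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample feeds (RFC 5737 documentation addresses and a .test domain); not real indicators.
FEED_A_CSV = """\
indicator,type
198.51.100.7,ipv4
bad-example.test,domain
203.0.113.0/24,cidr
"""
FEED_B_TEXT = """\
# constructed plain-text feed: one indicator per line, mixed case, trailing dots
198.51.100.7
BAD-EXAMPLE.TEST.
192.0.2.9
"""
# Constructed internal telemetry in a proxy/firewall-style key=value format.
TELEMETRY = """\
2015-06-01T10:00:01Z host=ws-17 dst=198.51.100.7 dport=443 action=allow
2015-06-01T10:00:05Z host=ws-17 dst=93.184.216.34 dport=80 action=allow
2015-06-01T10:01:12Z host=srv-db1 dst=203.0.113.42 dport=22 action=allow
2015-06-01T10:02:30Z host=ws-03 dst=bad-example.test dport=443 action=allow
2015-06-01T10:03:44Z host=ws-21 dst=192.0.2.9 dport=8080 action=allow
"""

def normalize(raw):
    """Canonicalise one indicator into (kind, value) so feeds can be fused.
    kind is 'ip', 'cidr' or 'domain'; comments, blanks and junk return None."""
    raw = raw.strip()
    if not raw or raw.startswith("#"):
        return None
    try:
        if "/" in raw:
            return ("cidr", ipaddress.ip_network(raw, strict=False))
        return ("ip", ipaddress.ip_address(raw))
    except ValueError:
        pass  # not an address: fall through to the domain rules
    value = raw.lower().rstrip(".")
    if "." in value and all(c.isalnum() or c in "-." for c in value):
        return ("domain", value)
    return None

def parse_feed_a(text):
    """CSV feed with an indicator column; the type column is re-derived by normalize()."""
    return [normalize(row["indicator"]) for row in csv.DictReader(io.StringIO(text))]

def parse_feed_b(text):
    """Plain-text feed: one indicator per line, '#' comments."""
    return [normalize(line) for line in text.splitlines()]

def fuse_feeds(feeds):
    """{source_name: [indicators]} -> {(kind, value): set of sources that reported it}."""
    fused = defaultdict(set)
    for source, indicators in feeds.items():
        for ind in indicators:
            if ind is not None:
                fused[ind].add(source)
    return dict(fused)

def match_destination(dst, fused):
    """Union of feed sources whose indicators cover dst: exact IP, containing CIDR, or exact domain."""
    norm = normalize(dst)
    if norm is None:
        return set()
    kind, value = norm
    sources = set()
    for (ikind, ivalue), srcs in fused.items():
        if kind == "ip" and ((ikind == "ip" and ivalue == value) or (ikind == "cidr" and value in ivalue)):
            sources |= srcs
        elif kind == "domain" and ikind == "domain" and ivalue == value:
            sources |= srcs
    return sources

def correlate(telemetry, fused):
    """One record per telemetry line whose destination hits the fused indicator set."""
    hits = []
    for line in telemetry.splitlines():
        parts = line.split()
        if not parts:
            continue
        rec = dict(kv.split("=", 1) for kv in parts[1:])  # parts[0] is the timestamp
        sources = match_destination(rec["dst"], fused)
        if sources:
            hits.append({"host": rec["host"], "dst": rec["dst"], "sources": sorted(sources)})
    return hits

def triage(hits, min_sources=2):
    """Split hits into corroborated (reported by >= min_sources independent feeds)
    and single-source hits that an analyst should verify before acting on them."""
    corroborated = [h for h in hits if len(h["sources"]) >= min_sources]
    unverified = [h for h in hits if len(h["sources"]) < min_sources]
    return corroborated, unverified

def run():
    fused = fuse_feeds({"feed_a": parse_feed_a(FEED_A_CSV), "feed_b": parse_feed_b(FEED_B_TEXT)})
    return triage(correlate(TELEMETRY, fused))

if __name__ == "__main__":
    corroborated, unverified = run()
    for h in corroborated:
        print("CORROBORATED", h["host"], "->", h["dst"], h["sources"])
    for h in unverified:
        print("REVIEW      ", h["host"], "->", h["dst"], h["sources"])
```

Running it lists ws-17 and ws-03 as corroborated (both feeds report the destination) and srv-db1 and ws-21 as single-source hits, while the host talking to 93.184.216.34 produces no hit at all. The single-source bucket is the point of the "Threat Data Feeds" caveat above: a CIDR from one feed is weak evidence on its own, so it goes to analyst review rather than straight to a blocking action.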

Conclusion

In today’s world of anonymous threat actors leveraging ever-evolving capabilities, every organization must find ways to reduce its risks. Cyber security analysts devote precious time aggregating, correlating, and analyzing enormous quantities of cyber threat information.

Threat Intelligence Analysis and Management automates data aggregation, extraction and correlation to deliver organizational and industry-relevant context to threat information, saving time and giving security analysts the information required for comprehensive risk assessments and confident recommendations.

Threat Intelligence Analysis and Management strengthens the security posture of an organization by delivering real-time threat indicators and empowering executives to make informed security decisions. Finally, Threat Intelligence Analysis and Management creates a knowledge base for security analysts and their stakeholders to deploy proactive defenses and develop forward-looking cyber security strategies.


© 2015 LookingGlass Cyber Solutions, Inc. All Rights Reserved

LookingGlass Cyber Solutions, the leader in threat intelligence and dynamic threat defense, enhances security operations through verified multi-source threat information fused with real-time Internet intelligence. LookingGlass delivers threat intelligence analysis, management, and mitigation systems that empower customers with comprehensive risk insights to confidently enable effective security decisions and efficient security operations.

Visit www.lgscout.com for more information. Or call 888.SCOUT.93