Rapid7 Blog

Rebekah Brown  

Survival of the fastest: evolving defenders with broad security automation

If you've read the news at all lately, you know that we're having some struggles with information security. Everything from elections to hospitals to Westeros is considered a target, and adversaries continue to learn and innovate, often faster than the defense can respond. It's not that they have better tools or work harder than the defense, so what gives? If you're struggling with these issues and happen to be coming to Rapid7's annual United Summit, swing by the Detection and Response track on Wednesday, September 13 and hear Justin Pagano and me talk about how we are working on solving these problems!

Turns out, the status quo is kind of the worst. Defenders are working against the clock, going back in time to deal with issues we thought were resolved decades ago, and on top of that there aren't nearly enough defenders out there (yet!). So what can we do against those odds? The key is automation, but not just any old kind of automation. Limited, siloed approaches to automation have helped put us where we are now. To move forward, we need broad security automation based on our understanding of the adversaries: how they operate, how they've targeted us in the past, and how they're likely to target us in the future. And that brings us to why I'm involved in this talk in the first place: the combination of broad security automation and threat intelligence. We need to automate what we should, not just what we can. This won't look the same for every organization, because organizations protect different types of information, defend against different types of adversaries, and have different resources and constraints. What our talk offers isn't a magical, one-size-fits-all solution, but a new approach to security automation.

We will cover broad automation's dependencies (scripting/programming skills, APIs, time, money, motivation, and prioritization), as well as what it takes to have worthwhile threat intelligence (sources, timely analysis, and expertise). We'll wrap up with how to combine the two and develop a program that focuses on real threats, helps prioritize non-automated responses, and frees up the time defenders need to innovate and learn. We hope to see you there! If you haven't registered yet, do so here.

Rapid7 Threat Report: Q2 2017

We cannot believe that we're already into August! Time really flies when the internet is constantly on fire. When it came time to analyze data for our Q2 Threat Report and pull out threat trends and landscape changes, there was plenty to work with. Q2 kept defenders on their toes, from the Shadow Brokers' leaks at the beginning of April (was it really just four months ago?) to the Petya/NotPetya/but-something-crazy-is-definitely-going-on attacks in the final days of the quarter. There were quite a few significant lessons learned in Q2, both about the threat landscape and about how defenders can adapt to changes. Some of our key takeaways from Q2:

We can't respond based on how exciting or novel something seems. Many of the exploits leaked by the Shadow Brokers were old, and nearly all of them had patches available. They targeted services that are tried-and-true attack vectors, and we thought we knew better than to have them exposed. Our initial response to the leaks was lackluster. Many of us moved on once the vulnerabilities were identified, because it seemed so obvious that we should have been protected. It turned out that many people were not, and attackers took advantage of that, though not full advantage, mind you: there are plenty of exploits in the dump that haven't been leveraged yet, and our research with Project Sonar indicates that there is plenty of additional opportunity for attackers.

Other attacks don't stop when there is a high-profile security event in the news. Multiple high-profile attacks occupied much of defenders' time this quarter, but the majority of incidents defenders responded to during that time were not related to the high-profile events. Understanding how to prioritize breaking news events while still focusing on the threats impacting your organization was a key lesson we highlighted in the Q2 Threat Report.

Understanding the factors that impact your threat profile will help make sure that you are focusing on the right threats. The industry you are in may dictate the types of attackers who target you and the tools they are likely to use, but there are other factors as well. While we saw specific trends emerge on a per-industry basis, we also saw a handful of tactics used across all sectors. In addition, we identified key differences in attacker tactics against large organizations and small organizations.

The full report is available here, with all of the data we used in our analysis and some amazing visualizations. If you want even more Q2 threat report goodness, sign up for the webcast Bob Rudis, Tod Beardsley, and I are hosting on August 15th.

Using Threat Intelligence to Mitigate Wanna Decryptor (WannaCry)

Basics of Cyber Threat Intelligence

Cyber threat intelligence is analyzed information about the opportunities, capabilities, and intent of cyber adversaries. The goal of cyber threat intelligence is to help people make decisions about how to prevent, detect, and respond to threats against their networks. This can take a number of forms, but the one people almost always turn to is IOCs. IOCs, or indicators of compromise, are technical artifacts that can alert a defender that a system is compromised: IP addresses, domain names, file hashes, file names, and so on. IOCs are often a good way to detect malicious activity, but they are not the only output of threat intelligence, and often they are not the best output.

Threat Intelligence for WannaCry

In the case of WannaCry (get an overview of the WannaCry vulnerability here), the primary IOCs available are the hashes and file names of the ransomware samples. By the time you alert on those on a system, it is already too late: the system is already being encrypted. WannaCry also delivers its payload through the DoublePulsar kernel implant, which injects the malicious DLL into a running process instead of writing it to disk, so disk-scanning antivirus will not see that stage of the infection (the dropper and ransomware executables do land on disk, but by then the host is already compromised). The hashes are useful from a research perspective, such as identifying new variants or tracking changes to the malware, but they are not useful for detection. Likewise, a few blogs have published IP addresses related to the campaign without saying what those IPs are, which makes it hard to know how to handle them in incident detection and response. Many of the IPs associated with WannaCry are associated with it only because they have been seen scanning for port 445. We know that WannaCry must scan for that port to identify systems to compromise; however, WannaCry is not the only thing that scans the internet, and blocking or alerting on scanning IPs will create a large number of false positives.

The kill switch domain is a good indicator that you have compromised systems on your network that should be remediated. Contact with this domain, which should be allowed, because a successful lookup is what prevents encryption, can be used to track which systems are compromised and launch investigations accordingly. It is not a prevention method, but it can help identify hosts compromised with this variant. The InsightIDR threat community has a threat list that will alert on (but not block) this domain to assist with identification of compromised hosts.

A Better Approach

IOC-based threat intelligence is not the best approach for dealing with WannaCry; a vulnerability-based approach is. The best indicator that you will be compromised is whether or not you are vulnerable to the EternalBlue exploit that WannaCry uses as its initial attack vector. One researcher put up an SMB honeypot with port 445 open and it was exploited in less than 3 minutes. With the way WannaCry is spreading, if you are vulnerable, you will be compromised. Ensuring that all of your systems are patched, that port 445 is not open to the internet, and that network segmentation is in place are all far better things to focus on than finding IOCs for WannaCry. For information on how to scan for and remediate MS17-010 with Nexpose and InsightVM, please read this blog.

WannaCry is Just the Beginning...

The reality is that we're likely to see more attacks leveraging this attack vector. The basic equation for threats is as follows:

Threat = opportunity + capability + intent

For the WannaCry ransomworm, the equation looks like this:

WannaCry = unpatched flaw in SMB + EternalBlue with ransomware and worming capabilities + desire for $$$

But we have an almost unending list of potential threats, since the opportunity and the capability are both public. It is almost guaranteed that we will see other threats where:

Opportunity = unpatched flaw in SMB
Capability = some variation of EternalBlue
Intent = money, power, chaos, revenge, etc.

We can monitor for new capabilities being developed, and we can brainstorm potential threat actor intents to understand whom a threat may target, but what will remain the same across all of these threats is the opportunity the attacks depend on. If we remove that opportunity, the threats become insubstantial, because the attackers will have no way to leverage their capabilities. Want to learn more? Visit our resource page filled with relevant information around WannaCry.
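The kill-switch and port-445 points above are easy to get backwards in practice, so here is an added example (not code from the original post, nor from InsightIDR or any other Rapid7 product) that sweeps two constructed log sources for WannaCry activity. A host that resolves the kill-switch domain is reported as infected, because only the payload makes that lookup; the lookup must stay reachable, so the script reports and never blocks. Wide outbound TCP/445 fan-out is reported only as suspicious, since vulnerability scanners and admin tooling scan 445 too. The DNS and firewall log formats, the sample hosts, and the fan-out threshold are assumptions for the example; the post does not name the kill-switch domain, so the set below holds the one publicly reported for the original wave and is meant to be extended for later variants.

```python
"""
Added example: triage hosts for WannaCry activity from two log sources.

A DNS query for the kill-switch domain is made by the WannaCry payload itself,
so the source host is infected. The lookup must be ALLOWED to succeed (that is
what stops the variant from encrypting), so this only reports, never blocks.
Outbound TCP/445 fan-out is the worm's scanning behaviour, but other things
scan 445 too, so it is reported as corroboration, not as proof on its own.
"""
import re
from datetime import datetime

# Domain registered to stop the first wave (widely reported; not named in the
# post). Add the domains of later variants as they are confirmed.
KILL_SWITCH_DOMAINS = {"iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com"}

# Assumed formats (constructed for this example; adapt the regexes to your logs).
# DNS resolver query log, BIND style, one query per line:
#   12-May-2017 15:02:11.301 client 10.0.3.17#49211: query: example.com IN A + (10.0.0.53)
# Firewall log, one outbound connection per line:
#   2017-05-12T15:02:40 fw: src=10.0.3.17 dst=10.0.3.1 proto=TCP dpt=445
DNS_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<src>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\w+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw: src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=TCP dpt=(?P<dpt>\d+)"
)


def kill_switch_hits(dns_lines, domains=KILL_SWITCH_DOMAINS):
    """Map source IP -> (first_seen, last_seen, query_count) for kill-switch lookups."""
    hits = {}
    for line in dns_lines:
        m = DNS_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than guess
        qname = m.group("qname").rstrip(".").lower()  # normalise FQDN dot and case
        if qname not in domains:
            continue
        ts = datetime.strptime(m.group("ts"), "%d-%b-%Y %H:%M:%S")
        first, last, n = hits.get(m.group("src"), (ts, ts, 0))
        hits[m.group("src")] = (min(first, ts), max(last, ts), n + 1)
    return hits


def smb_fanout(fw_lines):
    """Map source IP -> number of distinct peers it opened TCP/445 to."""
    peers = {}
    for line in fw_lines:
        m = FW_RE.match(line.strip())
        if m and m.group("dpt") == "445":
            peers.setdefault(m.group("src"), set()).add(m.group("dst"))
    return {src: len(dsts) for src, dsts in peers.items()}


def triage(dns_lines, fw_lines, fanout_threshold=20):
    """Combine both signals into {host: verdict}.

    'infected'   : the host resolved a kill-switch domain (the payload ran on it)
    'suspicious' : wide TCP/445 fan-out only; could be a vulnerability scanner or
                   admin tooling, so it needs a look, not an automatic block
    """
    hits = kill_switch_hits(dns_lines)
    fanout = smb_fanout(fw_lines)
    verdicts = {}
    for host in set(hits) | set(fanout):
        if host in hits:
            verdicts[host] = "infected"
        elif fanout.get(host, 0) >= fanout_threshold:
            verdicts[host] = "suspicious"
    return verdicts


# Constructed sample input: 10.0.3.17 looks up the kill switch and then sweeps
# its /24 on 445; 10.0.9.2 is a vulnerability scanner that only sweeps.
SAMPLE_DNS = [
    "12-May-2017 15:02:11.301 client 10.0.3.17#49211: query: iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com IN A + (10.0.0.53)",
    "12-May-2017 15:02:12.004 client 10.0.4.8#50102: query: www.rapid7.com IN A + (10.0.0.53)",
    "12-May-2017 15:03:40.118 client 10.0.3.17#49300: query: IUQERFSODP9IFJAPOSDFJHGOSURIJFAEWRWERGWEA.COM. IN A + (10.0.0.53)",
]
SAMPLE_FW = [
    f"2017-05-12T15:02:{40 + i % 20:02d} fw: src=10.0.3.17 dst=10.0.3.{i} proto=TCP dpt=445"
    for i in range(1, 26)
] + [
    f"2017-05-12T16:00:{i % 60:02d} fw: src=10.0.9.2 dst=10.0.3.{i} proto=TCP dpt=445"
    for i in range(1, 31)
] + ["2017-05-12T15:05:01 fw: src=10.0.4.8 dst=10.0.3.1 proto=TCP dpt=445"]

if __name__ == "__main__":
    for host, verdict in sorted(triage(SAMPLE_DNS, SAMPLE_FW).items()):
        print(f"{host:<12} {verdict}")
```

Hosts marked infected go straight to isolation and reimaging; hosts marked suspicious get a human look first, since a 445 sweep on its own is exactly the false-positive trap the post warns about.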

The Shadow Brokers Leaked Exploits Explained

The Rapid7 team has been busy evaluating the threats posed by last Friday's Shadow Brokers exploit and tool release and answering questions from colleagues, customers, and family members about it. We know that many people have questions about exactly what was released, the threat it poses, and how to respond, so we have compiled a list of frequently asked questions.

What's the story?

On Friday, April 14, a hacking group known as the "Shadow Brokers" released a trove of alleged NSA data, detailing exploits and vulnerabilities in a range of technologies. The data includes multiple Windows exploits, a framework called Fuzzbunch for loading the exploit binaries onto systems, and a variety of post-exploitation tools. This was understandably a cause for concern, but fortunately none of the exploits were zero-days. Many targeted older systems, the vulnerabilities they exploited were well known, and four of the exploits targeted vulnerabilities that were patched last month (MS17-010).

Who are these shady characters?

The Shadow Brokers are a group that emerged in August of 2016, claiming to have tools used by a threat group known as the Equation Group. The initial information leaked by the Shadow Brokers involved firewall implants and exploitation scripts targeting vendors such as Cisco, Juniper, and Topsec, which were confirmed to be real and subsequently patched by the vendors. The Shadow Brokers also claimed to have a larger trove of information that they would sell for 1 million bitcoins; they later lowered the amount to 10,000 bitcoins, which could be crowdfunded so that the tools would be released to the public rather than just to the highest bidder. The Shadow Brokers have popped up from time to time over the past 9 months leaking additional information, including IP addresses used by the Equation Group and additional tools. Last week, having failed to make their price, they released the password for the encrypted archive, and the security community went into a frenzy of salivation and speculation as it raced to unpack the secrets held in the vault. The April 14th release seems to be the culmination of the Shadow Brokers' activity; however, it is possible that there is still additional information about the Equation Group that they have not yet released to the public.

Should you be worried?

A trove of nation-state-level exploits being released for anyone to use is certainly not a good thing, particularly when they relate to the most widely used software in the world, but the situation is not as dire as it originally seemed. There are patches available for all of the vulnerabilities, so a very good starting point is to verify that your systems are up to date. Home users and small network operators likely had the patches installed automatically in the last update, but it is always good to double-check. If you are unsure whether you are up to date, we have checks for all of them in Rapid7 Nexpose and Rapid7 InsightVM. These checks are all included in the Microsoft hotfix scan template.

Exploit codename(s) | Microsoft bulletin | Nexpose/InsightVM check(s)
EternalBlue, EternalSynergy, EternalRomance, EternalChampion | MS17-010 | msft-cve-2017-0143, msft-cve-2017-0144, msft-cve-2017-0145, msft-cve-2017-0146, msft-cve-2017-0147, msft-cve-2017-0148
EmeraldThread | MS10-061 | WINDOWS-HOTFIX-MS10-061
EskimoRoll | MS14-068 | WINDOWS-HOTFIX-MS14-068
EducatedScholar | MS09-050 | WINDOWS-HOTFIX-MS09-050
EclipsedWing | MS08-067 | WINDOWS-HOTFIX-MS08-067

If you want to ensure your patching efforts have been truly effective, or understand the impact of exploitation, you can test your exposure with several modules in Rapid7 Metasploit:

Exploit codename | Bulletin | Metasploit module(s)
EternalBlue | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EternalChampion | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EternalRomance | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EternalSynergy | MS17-010 | auxiliary/scanner/smb/smb_ms17_010
EmeraldThread | MS10-061 | exploit/windows/smb/ms10_061_spoolss
EskimoRoll | MS14-068 / CVE-2014-6324 | auxiliary/admin/kerberos/ms14_068_kerberos_checksum
EducatedScholar | MS09-050 | auxiliary/dos/windows/smb/ms09_050_smb2_negotiate_pidhigh, auxiliary/dos/windows/smb/ms09_050_smb2_session_logoff, exploit/windows/smb/ms09_050_smb2_negotiate_func_index
EclipsedWing | MS08-067 | auxiliary/scanner/smb/ms08_067_check, exploit/windows/smb/ms08_067_netapi

Note that the smb_ms17_010 scanner only checks whether a host is still vulnerable; it does not exploit it. In addition, systems compromised with the above exploits can be pivoted to a Meterpreter session via the DoublePulsar implant.

What else can you do to protect yourselves?

If patching is still in progress or will take a little longer to fully implement (we get it), there are detections for the exploits that you can implement while patching is underway. For examples of ways to implement detections, check out this blog post from Mike Scutt. Rapid7 InsightIDR, our solution for incident detection and response, has an active Threat Community with intelligence to help detect the use of these exploits and any resulting attacker behavior. You can subscribe to this threat in the community portal. For more on how threat intel works in InsightIDR, check out this 4-minute Solution Short.

It is also important to stay aware of other activity on your network during the patching and hardening process. It is easy to get distracted by the latest threats, and attackers often take advantage of defender preoccupation to achieve their own goals, which may or may not have anything to do with this latest tool leak.

What about that IIS 6 box we have on the public internet?

It is very easy for commentators to point fingers and say that anyone with legacy or unsupported systems should just get rid of them, but we know the reality is much more complicated. There will be legacy systems (IIS 6 and otherwise) in organizations that, for whatever reason, cannot just be replaced or updated. That being said, there are serious issues with leaving systems that are vulnerable to these exploits publicly accessible. Three of the exploits ("EnglishmanDentist", "EsteemAudit", and "ExplodingCan") remain effective on end-of-life systems, and the impacts are concerning enough that it is really not a good idea to have vulnerable systems internet-facing. If you are in this position, we recommend coming up with a plan to update the system and keeping a very close eye on the development of this threat. Given the sophistication of this tool set, if widespread exploitation starts it will likely be only a matter of time before the system is compromised.

Should you be worried about the Equation Group?

The threat from the Equation Group itself to most organizations is minimal, unless your organization has a very specific threat profile. Kaspersky's initial analysis of the group lists the countries and sectors they have been seen targeting in the past, which can help you determine whether your organization may be a target. While that is good news for most organizations, it doesn't mean there is no cause for concern. These tools appear to be very sophisticated, focused on evading security tools such as antivirus and generating little to no logging on the systems they target. For most organizations the larger threat is attackers co-opting these sophisticated, now public exploits and post-exploitation tools and using them to achieve their own goals. That increases the threat and makes defending against, and detecting, these tools more critical. We have seen a sharp decrease in the amount of time it takes criminals to incorporate exploits into their existing operations. It will not be long before we start to see more widespread attacks using these tools.

Where should I build my underground bunker?

While this particular threat is by no means a reason to go underground, there are plenty of other reasons you may need to hide from the world, and we believe in being prepared. That being said, building your own underground bunker is a difficult and time-consuming task, so we recommend finding an existing bunker, pitching in some money with some friends, and waiting for the next inevitable bunker-level catastrophe to hit, because this isn't it.

3 Things We Learned From the Joint Analysis Report

2016 kept us on our toes right up to the very end, and its last curveball will have implications lasting well past the beginning of the new year. Speculation on Russian hacking is nothing new, but it picked up notably with the DNC hack prior to the presidential election and the subsequent release of stolen emails, which the intelligence community later described as an information operation aimed at influencing the election. And then on December 29th we saw the US government's response: the coordinated release of a joint report detailing the hacking efforts attributed to Russian intelligence agencies, economic sanctions, and the expulsion of Russian diplomats.

This blog is not going to discuss the merits, or otherwise, of various political actions, nor whether cyberespionage should warrant different responses from other types of espionage. Instead, I'm going to focus on what we can learn from the Joint Analysis Report (JAR). The report is not perfect, but I believe it can be valuable in helping us, as an industry, improve, so I'm choosing to focus on those points in this post.

The JAR won't change much for some defenders, while for others it means a reevaluation of their threat model and security posture. But given that the private sector has been tracking these actors for years, it's difficult to imagine anyone saying they are truly surprised Russian entities have hacked US entities. Many of the indicators of compromise (IOCs) listed in the JAR have been seen before, in commercial or open source reporting. That being said, there are still critical takeaways for network defenders.

1) The US government is escalating its response to cyber espionage.

The government has only recently begun to publicly attribute cyberattacks to nation states, including attributing the Sony attack to North Korea, a series of industrial espionage-related attacks to Chinese PLA officers, and a series of attacks against the financial sector to Iran-backed actors. But none of those attributions came with the expulsion of diplomats or suspected intelligence officers. The most recent case of a diplomat being declared persona non grata (that we could readily find) was in 2013, when three Venezuelan officials were expelled from the US in response to the expulsion of US diplomats from Venezuela. Prior to that was 2012, when a top Syrian diplomat was expelled from the Washington embassy in response to the massacre of civilians in the Syrian town of Houla. Clearly, this is not a step the United States takes lightly.

These actions are more significant to government entities than to the private sector, but being able to frame the problem is crucial to understanding how to address it. Information and influence operations have been going on for decades, and the idea that nations use the cyber domain to carry them out is not surprising. This is the first time, however, that the use of cyber means has been met with a public response previously reserved for conventional attacks. If this becomes the new normal, we should expect to see more reports of this nature and should be prepared to act on them.

2) The motivation of the attackers detailed in the report is significant.

We tend to think of cyber operations as fitting into three buckets: cyberespionage, cybercrime, or hacktivism. The actions described in the JAR and in the statement from the President describe influence operations. Not only do the attackers want to steal information, they are actively trying to influence opinions, an area of cyber-based activity we are likely to see more of. The entities named in the JAR, primarily political organizations (and there are far more political organizations out there than just the two major parties' HQs), as well as organizations such as think tanks, should reevaluate their threat models and security postures. It is not just about protecting credit card information or PII; anything and everything is on the table. The methods being used are not new (spear-phishing, credential harvesting, exploiting known vulnerabilities, etc.), and that fact should tell people how important basic network security is and will remain. There was no mention of zero-days or previously undetected malware. Companies need to understand that the basics are just as, or even more, important when dealing with advanced actors.

3) We need to work with what we have, and that doesn't mean we just plug and play IOCs. It's up to us to take the next step.

So, what is there to do with the IOCs? A lot of people are disappointed with the quality and level of detail of the IOCs in the JAR. It is possible that what has been published is the best the government could give us at the TLP:WHITE level, or that the government analysts who focus on making recommendations to policy makers simply do not know what companies need to defend their networks (hint: it is not a Google IP address). We, as defenders, should never take a set of IOCs and plug them into our security appliances without reviewing and understanding what they are and how they should be used. Defenders should not focus on generating alerts directly off the IOCs provided, but should do a more detailed analysis of the behaviors they signify. In many cases, even after an IOC is no longer valid, it can tell a story about an attacker behavior, allowing defenders to look for signs of that behavior rather than for the literal indicators presented.

IOC timing is also important. We know from open source reporting, as well as some of the details in the JAR, that this activity did not happen recently; some of it has been going on for years. That means the IOCs will be more useful for looking back through logs for activity that occurred in the past than for alerting from this point forward, because once they are public it is less likely that the attackers will still be employing them the way they did before. We may not always get all of the details around an IOC, but it's our job as defenders to do what we can with what we have, especially if we are an organization that fits the targeting profile of a particular actor. Yes, it would be easier if the government could give us all of the information we need in the format we need it, but reality dictates that we will still have to do some of our own analysis.

We should not be focusing on any one aspect of the government response, whether it is the lack of published information clearly establishing attribution to Russia or the list of less-than-ideal IOCs. There are still lessons that we, as decision makers and network defenders, can take away. Focusing on those lessons requires an understanding of our own networks, our threat profile, and yes, sometimes even the geopolitical aspects of current events, so that we can respond in a way that helps us identify threats and mitigate risk.

12 Days of HaXmas: New Years Resolutions for the Threat Intelligence Analyst

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the "gifts" we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.

You may or may not know this about me, but I am kind of an overly optimistic sunshine-and-rainbows person, especially when it comes to threat intelligence. I love analysis, I love tackling difficult problems, connecting dots, and finding ways to stop malicious actors from successfully attacking our networks. Even though 2016 tried to do a number on us (bears, raccoons, whatever...) I believe we can come through relatively unscathed, and in 2017 we can make threat intelligence even better by alleviating a lot of the confusion and addressing many of the misunderstandings that make it harder to integrate threat intelligence into information security operations. In the spirit of the new year, we have compiled a list of Threat Intelligence Resolutions for 2017.

Don't chase shiny threat intel objects

Intelligence work, especially in the cyber realm, is complex, involved, and often time-consuming. The output isn't always earth-shattering: new rules to detect threats, additional indicators to search for during an investigation, a brief to a CISO on emerging threats, situational awareness for the SOC so they better understand the alerts they respond to. Believe it or not, in this media-frenzied world, that is the way it is supposed to be. Things don't have to be sensationalized to be relevant. In fact, many of the things you discover through analysis won't be sensational, but they are still important. Don't discount or ignore them in order to chase shiny threat intelligence objects, things that look and sound amazing and important but likely have little relevance to you. Be aware that those shiny things exist, but do not let them take away from what is relevant to you. It is also important to note that not everything that gets a lot of attention is noise; sometimes something is big because it is a big deal and something you need to focus on. Knowing what is just a shiny object and what is significant comes down to knowing what is important to you and your organization, which brings us to resolution #2.

Identify your threat intelligence requirements

Requirements are the foundation of any intelligence work. Without them you could spend all of your time finding interesting things about threats without actually contributing to the success of your information security program. There are many types and names for intelligence requirements (national intelligence requirements, standing intelligence requirements, priority intelligence requirements), but they are all the result of a process that identifies what information is important and worth focusing on. As an analyst, you should not be focusing on something that does not tie back to an intelligence requirement. If you do not currently have intelligence requirements and are instead going off some vague guidance like "tell me about bad things on the internet", it is much more likely that you will struggle with resolution #1 and end up chasing the newest and shiniest threat rather than what is important to you and your organization. There are many ways to approach threat intelligence requirements: they can be based on business requirements, previous incidents, current events, or a combination of the above. Scott Roberts and Rick Holland have both written posts to help organizations develop intelligence requirements, and they are excellent places to start with this resolution. (They can be found here and here.)
Be picky about your sources

One of the things we collectively struggled with in 2016 was helping people understand the difference between threat intelligence and threat feeds. Threat intelligence is the result of following the intelligence cycle, from developing requirements through collection and processing, analysis, and dissemination. For a (much) more in-depth look at the intelligence cycle, read JP 2-0, the Joint Publication on Joint Intelligence [PDF]. Threat feeds sit solidly in the collection/processing phase of the intelligence cycle: they are not finished intelligence, but you can't have finished intelligence without collection, and threat feeds can provide the pieces needed to conduct analysis and produce threat intelligence. There are other sources of collection besides feeds, including alerts issued by government agencies or commercial intelligence providers that often contain lists of IOCs. With all of these, it is important to ask questions about the indicators themselves:

Where does the information come from? A honeypot? Is it low-interaction or high-interaction? Does it include scanning data? Are there specific attack types they are monitoring for? Is it from an incident response investigation? When did that investigation occur? Are the indicators pulled directly from other threat feeds or sources? If so, which ones?

What is included in the feed? Is it simply IOCs, or is there additional information or context available? Remember, this type of information must still be analyzed, and that is very difficult to do without additional context.

When was the information collected? Some types of information are good for long periods, but some are extremely perishable, and it is important to know when the information was collected, not just when you received it. It also tells you whether you should be using the indicators to look back through historical logs or to generate alerts for future activity.
Tactical indicators have dominated the threat intelligence space and many organizations employ them without a solid understanding of what threats are being conveyed in the feeds or where the information comes from, simply because they are assured that they have the "best threat feed" or the "most comprehensive collection", or maybe they come from a government agency with a fancy logo (although let's be honest, not that fancy). But you should never blindly trust those indicators, or you will end up with a pile of false positives. Or a really bad cup of coffee. It isn't always easy to find out what is in threat feeds, but it isn't impossible. If threat feeds are part of your intelligence program then make it your New Year's resolution to understand where the data in the feeds comes from, how often it is updated, where you need to go to find out additional information about any of the indicators in the feeds, and whether or not it will support your intelligence requirements. If you can't find that information out then it may be a good idea to also start looking for feeds that you know more about.

Look OUTSIDE of the echo chamber

It is amazing how many people you can find to agree with your assessment (or agree with your disagreement of someone else's assessment) if you continue to look to the same individuals or the same circles. It is almost as if there are biases at work - wait, we know a thing or two about biases! (See "This Graphic Explains 20 Cognitive Biases That Affect Your Decision-Making".) Confirmation bias, bandwagoning, take your pick. When we only expose ourselves to certain things within the cyber threat intelligence realm we severely limit our understanding of the problems that we are facing and the many different factors that influence them. We also tend to overlook a lot of intelligence literature that can help us understand how we should be addressing those problems.
Cyber intelligence is not so new and unique that we cannot learn from traditional intelligence practices. Here are some good resources on intelligence analysis and research:

Kent Center Occasional Papers — Central Intelligence Agency: The Kent Center, a component of the employee-only Sherman Kent School for Intelligence Analysis at CIA University, strives to promote the theory, doctrine, and practice of intelligence analysis.

Congressional Research Service: The Congressional Research Service, a component of the Library of Congress, conducts research and analysis for Congress on a broad range of national policy issues.

The Council on Foreign Relations: The Council on Foreign Relations (CFR) is an independent, nonpartisan membership organization, think tank, and publisher.

Don't be a cotton headed ninny muggins

Now this is where the hopeful optimist in me really comes out. One of the things that has bothered me most in 2016 is the needless fighting and arguments over, well, just about everything. Don't get me wrong, we need healthy debate and disagreement in our industry. We need people to challenge our assumptions and help us identify our biases. We need people to fill in any additional details that they may have regarding the analysis in question. What we don't need is people being jerks or discounting analysis without having seen a single piece of information that the analysis was based off of. There are a lot of smart people out there, and if someone publishes something you disagree with or question, then there are plenty of ways to get in touch with them or voice your opinion in a way that will make our collective understanding of intelligence analysis better.

Cyber Threat Intelligence: How Do You Incorporate it in Your InfoSec Strategy?


In the age of user behavior analytics, next-gen attacks, polymorphic malware, and reticulating anomalies, is there a time and place for threat intelligence? Of course there is! But – and it seems there is always a ‘but' with threat intelligence – it needs to be carefully applied and managed so that it truly adds value and not just noise. In short, it needs to actually be intelligence, not just data, in order to be valuable to an information security strategy. We used to have the problem of not having enough information. Now we have an information overload. It is possible to gather data on just about anything you can think of, and while that can be a great thing (if you have a team of data scientists on standby), most organizations simply find themselves facing an influx of information that is overwhelming at best and contradictory at worst. Threat intelligence can help solve that problem.

What is Threat Intelligence?

As Rick Holland and I mentioned in our talk at UNITED Summit 2016, there are a variety of definitions and explanations for threat intelligence, ranging in size from a paragraph to a field manual. Here's the distilled definition: “Threat Intelligence helps you make decisions about how to prevent, detect, and respond to attacks." That's pretty simple, isn't it? But it covers a lot of ground. The traditional role of intelligence is to inform policy makers. It doesn't dictate a particular decision, but informs them with what they need to make critical decisions. The same concept applies to threat intelligence in information security, and it can benefit everyone from a CISO to a vulnerability management engineer to a SOC analyst. All of those individuals have decisions to make about the information security program and threat intelligence arms them with relevant, timely information that will help them make those decisions. If intelligence is making it harder for you to make decisions, then it is not intelligence.
When Threat Intelligence Fails

Threat Intelligence can be a polarizing topic – you hate it or you love it. Chances are that if you hate it, you've probably been burned by threat feeds containing millions of indicators from who-knows-where, had to spend hours tracking down information from a vendor report with absolutely no relevance to your network, or are simply fed up by the clouds of buzzwords that distract from the actual job of network defense. If you love it, you probably haven't been burned, and we want to keep it that way. Threat Intelligence fails for a variety of reasons, but the number one reason is irrelevance. Threat feeds with millions of indicators of uncertain origin are not likely to be relevant. Sensationalized threat actor reports with little detail but lots of fear, uncertainty, and doubt (FUD) are not likely to be relevant. Stay away from these, or the likelihood that you end up crying under your desk increases. So how DO you find what is relevant? That starts with understanding your organization and what you are protecting, and then seeking out threat intelligence about attacks and attackers related to those things. This could mean focusing on attackers that target your vertical or the types of data you are protecting. It could mean researching previously successful attacks on the systems or software that you use. By taking the time to understand more about the source and context behind your threat intelligence, you'll save a ton of pain later in the process.

The Time and Place for Threat Intelligence

Two of the most critical factors for threat intel are just that – time and place. If you're adding hundreds of thousands of indicators with no context and no expiration date, that will result in waves of false positives that dilute any legitimate alerts that are generated.
With cloud architectures today, vendors have the ability to anonymously collect feedback from customers, including whether alerts generated by the intel are false positives or not. This crowdsourcing can serve as a feedback loop to continuously improve the quality of intelligence. For example, with this list, 16 organizations are using it, 252 alerts have been generated across the community, and none have been marked as false positives. The description also contains enough context to help defenders know how to respond to any alerts generated. This has served as valuable threat intelligence. The second half is place – different intelligence should be applied differently in your organization. Strategic intelligence, such as annual trend reports, or warnings on targeted threats to your industry, are meant to help inform decision makers. More technical intelligence, such as network based indicators, can be used as firewall rules to prevent threats from impacting your network. Host based indicators, especially those from your own incidents or from organizations similar to yours, can be used to detect malicious activity on your network. This is why you need to know exactly where your intelligence comes from, as without it, proper application is a serious challenge. Your own incident experience is one of the best sources of relevant intelligence – don't let it go to waste! To learn about how you can add threat intelligence into InsightIDR, check out the Solution Short below. Threat intelligence isn't as easy as plugging a threat feed into your SIEM. Integrating threat intelligence into your information security program involves (1) understanding your threat profile, (2) selecting appropriate intelligence sources, and (3) contextually applying it to your environment. However, once completed, threat intelligence will serve a very valuable role in protecting your network. 
Intelligence helps us understand the threats we face – not only with identifying them as they happen, but to understand the implications of those threats and respond accordingly. Intelligence enables us to become persistent and motivated defenders, learning and adapting each step of the way.
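The "time and place" rules from this post, together with the three source questions from the "Be picky about your sources" resolution earlier on this page (where does it come from, what is included, when was it collected), can be made mechanical. What follows is an added example and not code from Rapid7 or InsightIDR: a small Python triage that decides, for each feed entry, whether it may generate live alerts, should only be used for a retrospective search of historical logs, or should be dropped. The per-type alert lifetimes, the source-confidence scores, and every entry in the sample feed are constructed assumptions; the community alert and false-positive counts model the crowdsourced feedback loop described above.

```python
"""Indicator triage driven by the "time and place" questions.

Added example, not code from Rapid7 or InsightIDR. The alert lifetimes,
source-confidence values and the sample feed are constructed assumptions.
"""
from dataclasses import dataclass, field
from datetime import date

# "Time": how long an indicator of each type is trusted for live alerting.
# Constructed assumption: network indicators churn fast, file hashes do not.
ALERT_LIFETIME_DAYS = {"ipv4": 14, "domain": 30, "url": 7, "sha256": 365}

# "Place": where each indicator type is best applied in the environment.
PLACEMENT = {
    "ipv4": "network: firewall / IDS rule",
    "domain": "network: DNS or proxy block",
    "url": "network: proxy block",
    "sha256": "host: endpoint detection",
}


@dataclass
class Indicator:
    value: str
    ioc_type: str
    source: str                          # who produced it (provenance)
    collected: date                      # when it was observed, not when we received it
    context: str = ""                    # what threat it relates to, if the feed says
    community_alerts: int = 0            # alerts generated across the community
    community_false_positives: int = 0   # of those, how many were marked false positive


@dataclass
class Decision:
    value: str
    action: str                          # "alert", "hunt" (retrospective search only) or "drop"
    placement: str = ""
    reasons: list = field(default_factory=list)


def triage(ind: Indicator, today: date, source_confidence: dict) -> Decision:
    """Decide whether an indicator may alert, should only be hunted for, or is dropped."""
    if ind.ioc_type not in ALERT_LIFETIME_DAYS:
        return Decision(ind.value, "drop", reasons=[f"unsupported indicator type '{ind.ioc_type}'"])

    # Where does the information come from? No known provenance, no use.
    confidence = source_confidence.get(ind.source)
    if confidence is None:
        return Decision(ind.value, "drop",
                        reasons=[f"source '{ind.source}' is unknown; provenance cannot be established"])

    # Community feedback loop: an entry that is mostly false positives is noise.
    if ind.community_alerts and 2 * ind.community_false_positives > ind.community_alerts:
        return Decision(ind.value, "drop", reasons=[
            f"community feedback: {ind.community_false_positives}/{ind.community_alerts} "
            "alerts marked false positive"])

    # When was it collected? Stale entries only justify a look back through old logs.
    age_days = (today - ind.collected).days
    lifetime = ALERT_LIFETIME_DAYS[ind.ioc_type]
    if age_days > lifetime:
        action, why = "hunt", (f"collected {age_days} days ago, past the {lifetime}-day "
                               f"alert lifetime for {ind.ioc_type}; retrospective search only")
    # What is included? An IOC with no context cannot be analysed, so it must not alert yet.
    elif not ind.context.strip():
        action, why = "hunt", "no context supplied; an analyst must add it before alerting"
    elif confidence < 0.5:
        action, why = "hunt", f"low-confidence source ({confidence:.1f}); review before alerting"
    else:
        action, why = "alert", f"fresh ({age_days} days), has context, source confidence {confidence:.1f}"
    return Decision(ind.value, action, PLACEMENT[ind.ioc_type], [why])


def triage_feed(feed, today, source_confidence):
    """Triage every entry and index the decisions by indicator value."""
    return {ind.value: triage(ind, today, source_confidence) for ind in feed}


def summarize(decisions):
    """Count decisions per action, e.g. {'alert': 2, 'hunt': 2, 'drop': 2}."""
    counts = {"alert": 0, "hunt": 0, "drop": 0}
    for d in decisions.values():
        counts[d.action] += 1
    return counts


# Constructed sample data: documentation IP ranges and the reserved .example TLD.
SOURCE_CONFIDENCE = {"own-ir-team": 0.9, "sector-isac": 0.7, "aggregator-feed": 0.3}
TODAY = date(2017, 2, 6)
SAMPLE_FEED = [
    Indicator("203.0.113.17", "ipv4", "own-ir-team", date(2017, 2, 1),
              "C2 address from our January commodity-RAT incident"),
    Indicator("203.0.113.9", "ipv4", "own-ir-team", date(2016, 12, 1),
              "C2 address from an incident last autumn"),
    Indicator("phish.example", "domain", "sector-isac", date(2017, 1, 20),
              "credential-phishing landing page aimed at our sector", 252, 0),
    Indicator("192.0.2.44", "ipv4", "aggregator-feed", date(2017, 2, 3), ""),
    Indicator("a" * 64, "sha256", "aggregator-feed", date(2016, 6, 1),
              "dropper sample", 40, 30),
    Indicator("198.51.100.5", "ipv4", "mystery-paste", date(2017, 2, 5), "bad ip"),
]

if __name__ == "__main__":
    decisions = triage_feed(SAMPLE_FEED, TODAY, SOURCE_CONFIDENCE)
    for d in decisions.values():
        print(f"{d.value[:20]:<20} {d.action:<6} {d.placement:<28} {'; '.join(d.reasons)}")
    print(summarize(decisions))
```

Running the script prints one line per indicator with its action, placement and reasoning. The design choice worth noting is that a stale or context-free indicator is not discarded but demoted to "hunt": it can still be run against historical logs, which is exactly the split between "look back" and "alert on future activity" that the source questions ask you to make explicit. The only entries dropped outright are the ones whose provenance cannot be established or that the community has already flagged as mostly false positives.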

The State of Cyber Threat Intelligence


The SANS State of Cyber Threat Intelligence Survey has been released and highlights some important issues with cyber threat intelligence:

Usability is still an issue - Almost everyone is using some sort of cyber threat intelligence. Hooray! The downside – there is still confusion as to the best ways to implement and utilize threat intelligence, and the market is not making it any easier. We believe that the confusion is related to the initial push by threat intelligence vendors to sell list-based threat intelligence – lists of IPs, lists of domains, etc – with little, or even worse, no context. This type of threat feed is data, not intelligence, but it is easy to put together and it isn't too difficult to integrate with security tools that are used to receiving blacklists or signature based threat data. That…well…to put it nicely, doesn't exactly work. The survey shows that over 60% of respondents are using threat intelligence to block malicious domains or IP addresses, which contributes to high false positives and a nebulous idea of what threat intelligence is actually supposed to be doing. However, nearly half use threat intelligence to add context to investigations and assessments, which is a much better application of threat intelligence and even though it uses some of the same data sources, it requires the additional analysis that actually turns it into intelligence. A smaller number of respondents reported that they use threat intelligence for hunting or to provide information to management (28 and 27 percent, respectively), but it appears that these areas are growing as organizations identify the value they provide.

Threat Intelligence helps to make decisions - 73% of respondents said that they felt they could make better and more informed decisions by using threat intelligence. 71% said that they had improved visibility into threats by using threat intelligence.
These are both key aspects of threat intelligence and indicate that more organizations are using threat intelligence to assist with decision making rather than only focusing on the technical, machine to machine aspect of threat intel. One of the overarching goals in intelligence work in general is to provide information to decision makers about the threats facing them, and it is great to see that this application of CTI is growing. CTI can be used to support every aspect of a security program, from determining general security posture and acceptable level of risk to prioritizing patching and alerting, and threat intelligence can provide insight to support all of these critical decisions.

More isn't necessarily better – the majority of respondents who engage in incident response or hunting activities indicated that they could consume only 11-100 indicators of compromise on a weekly basis, and can only conduct in-depth research and analysis on 1-10 indicators per week. Since there are approximately eleventy-billion indicators of compromise being generated and exchanged every week that puts a lot of pressure not only on analysts, but on the tools we use to automate the collection and processing of data. Related – two of the biggest pain points respondents had with implementing cyber threat intelligence are the lack of technical capabilities to integrate CTI tools into environments, and the difficulty of implementing new security systems and tools. In order to automate the handling of large amounts of indicators in a way that allows analysts to zero in on the most important and relevant ones, we need to have confidence in our collection sources, confidence in our tools, and confidence in our processes. More of the wrong type of data isn't better, it distracts from the data that is relevant and makes it nearly impossible for a threat intelligence analyst to actually conduct the analysis needed to extract value.
Download the SANS State of Cyber Threat Intelligence Survey here. To learn more about our approach to integrating threat intelligence into incident detection and response processes, come join us for an IDR intensive session at our annual conference, UNITED Summit.

Threat Intelligence Foundations: Crawl, Walk, Analyze - Part 3


This is the third post in a three-part series on threat intelligence foundations, discussing the fundamentals of how threat intelligence can be used in security operations. Here's Part 1 and Part 2.

Intelligence Analysis in Security Operations

In the first two parts of this series we talked about frameworks for understanding and approaching intelligence: the levels of intelligence (strategic, operational, tactical) as well as the different types of intelligence (technical, current, long-term, etc). Regardless of the level or type of intelligence, the consistent theme was the need for analysis. Analysis is the core of intelligence: it takes data and turns it into intelligence that we can use to help us make informed decisions about complicated issues.

Analysis: The Missing Piece

I recently gave a talk at RSA where I compared the traditional intelligence cycle:

(figure: the traditional intelligence cycle)

to what the intelligence cycle often looks like in cyber threat intelligence:

(figure: the intelligence cycle as it often looks in cyber threat intelligence)

We are good at collection and processing, and we are good at dissemination, however we tend to leave a lot of the critical parts of the cycle out, which results in overwhelming alerts, excessive false positives, and really, really confused people. It's easy to joke about or complain about, but here is the thing...analysis is hard. Saying that we should do more/better/more timely analysis is easy. Actually doing it is not, especially in a new and still developing field like cyber threat intelligence. Models and methods help us understand the process, but even determining what model to use can be difficult. There are multiple approaches; some work better in certain situations and others work best in others.

What is Analysis?

The goal of intelligence analysis is to evaluate and interpret information in order to reduce uncertainty, provide warnings of threats, and help make informed decisions.
Colin Powell gave perhaps the most succinct guidelines for intelligence analysis when he said: “Tell me what you know, tell me what you don't know, tell me what you think. Always distinguish which is which”. This statement sums up intelligence analysis. Analysts take what is known—usually information that has been collected either by the analyst themselves or by others—identify gaps in the knowledge that might dictate a new collection requirement or may present a bias that needs to be taken into consideration, and then determine what they think that information means. Before you begin any analysis you should have an idea of what it is that you are trying to figure out. Ideally this would be driven by requirements from leadership, teams you support, or some other form of standing intelligence needs. There are many situations in CTI, however, where those requirements are not as well defined as we might hope. Understanding what it is that the organization needs from threat intelligence is critical. Therefore, step one should always be to understand what problems, concerns, or issues you are trying to address.

Analytic Models

Once you understand what questions you are trying to answer through your analysis, there are various analytic models that can be used to conduct analysis. I have listed some good resources available to help understand some of the more popular models that are often used in threat intelligence. Different models are used for different purposes. The SWOT method is good for conducting higher-level analysis to understand how your own strengths and weaknesses compare to an adversary's capabilities. F3EAD, the Diamond Model, and the Kill Chain are useful for analyzing specific intrusions or how different incidents or intrusions may be related.
Target Centric Intelligence is a lesser known model, but can help with not only understanding individual incidents, but provides a collaborative approach to intelligence including the decision makers, collectors, and analysts in an iterative process aimed at avoiding the stove-piping and miscommunications that are often present in intelligence operations.

SWOT (Strengths, Weaknesses, Opportunities, Threats)
Find, Fix, Finish, Exploit, Analyze, Disseminate by @sroberts
Target Centric Intelligence
Diamond Model for Intrusion Analysis
Analysis of Adversary Campaigns and Intrusion Kill Chains

A final note on collection

In many cases, analysis can only be as good as the information that it is based off of. Intelligence analysts are trained to evaluate the source of information in order to better understand if there are biases or concerns about the reliability that need to be taken into account. In cyber threat intelligence we, by and large, rely on data collected by others and may not have much information on its source, reliability, or applicability. This is one of the reasons that analyzing information from your own network is so important; however, it is also important that we, as a community, are as transparent as possible with the information we are providing to others to be used in their analysis. There are always concerns about revealing sources and methods, so we need to find a balance between protecting those methods and enabling good analysis.

Threat Intelligence Foundations: Crawl, Walk, Analyze - Part 2


This is the second post in a three-part series on threat intelligence foundations, discussing the fundamentals of how threat intelligence can be used in security operations. Read Part One here.

Tinker, Tailor, Soldier, Spy: Utilizing Multiple Types of Intelligence

Just as there are different operational levels of intelligence—discussed in detail in the first post of this series—there are also different types of intelligence that can be leveraged in an organization to help them better understand, prepare for, and respond to threats facing them. Don't laugh—but a great basic resource for understanding the types of intelligence is the CIA's Kid Zone, where they break intelligence down for the 6-12th graders that we all are at heart (or K-5, no judgement here). They break intelligence down into several different types:

Scientific and Technical – providing information on adversary technologies and capabilities.
Current – looking at day-to-day events and their implications.
Warning – giving notice of urgent matters that may require immediate attention.
Estimative – looking at what might be or what might happen.
Research – providing an in-depth study of an issue.

While most organizations may not work with all of these types of intelligence, or do so in the same way that the CIA does (and please don't tell me if you do), it is useful to understand the spectrum and what each type provides. The different types of intelligence require varying levels of human analysis and time. Some, like technical intelligence, are easier to automate and therefore can be produced at a regular cadence, while some, like threat landscape research, will always rely heavily on human analysis.

Technical Intelligence

In information security operations, technical intelligence is used to understand the capabilities and the technologies used by an adversary.
It can include details such as IP addresses and domains used in command and control, names and hashes of malicious files, as well as some TTP details such as vulnerabilities that a particular actor targets or a particular callback pattern for a beaconing implant. Technical intelligence is most often used in machine-to-machine operations, and is therefore automated as much as possible to handle the large volume of information. In many cases, technical intelligence does not contain much context, even if context is available in other places, because machines do not care as much about the context as their humans do. A firewall doesn't need to know why to block traffic to a malicious domain, it just needs to do it. The human on the other end of that firewall change might want to know, however, in case the change ends up triggering a massive amount of alerts. Technical intelligence must have been analyzed prior to consumption, otherwise it is just data or information at best. For more information see Robert Lee's post on the data vs information vs intelligence debate. If you are not using technical intelligence that you generated yourself, it is critical that you understand the source of the technical intelligence and how it was analyzed, especially if it was analyzed using automated means. I am going out on a limb here by stating that there is a way to analyze and produce threat intelligence in an automated fashion that can be utilized machine-to-machine. Do NOT prove me wrong—do the analysis!

Current Intelligence

Current Intelligence deals with day-to-day events and situations that may require immediate action.
I have heard several people say that, “news isn't intelligence,” and that is a true statement; however, threat information in the public domain, when analyzed for implications to your specific organization, network, or operations, becomes intelligence. An example of the use of current intelligence is a report that an exploit kit has integrated a vulnerability that was just announced three days ago. If you know that you are on a thirty-day patch cycle that means (best case) you have twenty-seven days where you will be vulnerable to these attacks. Understanding how this threat impacts your organization and how to detect and block malicious activity associated with it is an example of current intelligence. Current intelligence can also be generated from information within an organization's networks. Analyzing an intrusion or a spearphishing attack against executives can also generate current intelligence that needs to be acted on quickly. When you do generate current intelligence from your own network, document it! It can then contribute to threat trending and threat landscape research, which we will discuss shortly. It can also be shared with other organizations.

Threat Trending (Estimation)

All of the intelligence gathered at the tactical level (technical intelligence, current intelligence) can be further analyzed to generate threat trends. Threat trending takes time because of the nature of trending: you are analyzing patterns over time to see how things change and how they stay the same. Threat trending can be an analysis of a particular threat that has impacted your network repeatedly, or it can be an analysis of how an actor group or malware family has evolved over time.
The more relevant a threat trend is to your network or organization, the more useful it will be to you. Threat trending allows us to move from an analysis of something that we have seen and know is bad towards predicting or estimating future threats.

Threat Landscape Research

Speaking of trending, there has been a long trend in intelligence analysis of focusing on time-sensitive, current intelligence at the expense of longer term, strategic research. Consider how many tactical level, technical IOCs we have in the community compared to strategic intelligence resources. How many new programs are focused on providing “real-time intelligence” versus “deliberate, in-depth analysis”? There are legitimate reasons for that: there are not enough analysts as it is, and they are usually focused on the time-sensitive tasks because they are, well, time sensitive. In addition, we don't always have the right data to conduct strategic level analysis, both because we are not accustomed to collecting it from our own networks and because most people who are willing to share tactical indicators of threats are not as willing to share information on how those threats impacted them. We need to change this, because you cannot (or should not) make decisions about the future of your security program without a strategy, and you cannot (or should not) have a security strategy without understanding the logic behind it. Threat landscape research—which is a long term analysis of the threats in your environment, what they target, how they operate, and how you are able to respond to those threats—will drive your strategy. The tactical level information you have been collecting and analyzing from your network on a daily basis can all contribute to threat landscape research. Current intelligence, yours and public domain information, can also contribute to threat landscape research.
One framework for capturing and analyzing this information is VERIS—the Vocabulary for Event Recording and Incident Sharing, which the DBIR is based off of. Just remember, this type of intelligence analysis takes time and effort, but it will be worth it.

Information Sharing

There is currently an emphasis on sharing IOCs and other technical information, however any of the types of intelligence we have discussed in this post are good candidates for information sharing. Sharing information on best practices and processes is also incredibly beneficial. Sharing information on what has been seen in an organization's network is a good way to understand new threats as they emerge and increase situational awareness. Information sharing essentially generates intelligence to warn others of threats that may impact them. Information sharing is becoming increasingly automated, which is great for handling higher volumes of information, however, unless there is an additional layer of analysis that focuses on how this information is relevant or impacts your organization then it will stay information (not intelligence) and will not be as useful as it could be. For more information see Alex Pinto's presentation on his recent research on measuring the effectiveness of threat intelligence sharing. Even if you are not yet convinced of the value of generating your own intelligence from your environment, consuming threat intelligence still requires analysis to understand how it is relevant to you and what actions you should take. A solid understanding of the different types of intelligence and how they are used will help guide how you should approach that analysis.

Threat Intelligence Foundations: Crawl, Walk, Analyze - Part 1


This is the first post in a three-part series on threat intelligence foundations, discussing the fundamentals of how threat intelligence can be used in security operations. There is a consensus among many in threat intelligence that the way the community has approached threat intelligence in the past - i.e., the “Threat Data → SIEM → Magical Security Rainbows” approach - has left something to be desired, and that something is usually analysis. Rick Holland (@rickhholland) warned us early on that we were on the wrong track with his 2012 post My Threat Intelligence Can Beat Up Your Threat Intelligence where he wrote “The real story on threat intelligence is your organization's ability to develop your own." There are ways that we can take advantage of the threat intelligence that currently exists while learning how to better leverage the threat intelligence in our own networks. Doing this requires an understanding of intelligence fundamentals and how they can be applied in security operations. This series is designed to help those interested in threat intelligence - whether just starting out or re-evaluating their existing programs - understand the underlying fundamentals of threat intelligence and intelligence analysis. In the first part of this three-part series we will discuss the levels of intelligence and the various ways threat intelligence can be utilized in operations.

Threat Intelligence Levels in Security Operations: Crawl

When an organization is determining how to best integrate threat intelligence into their security operations it is helpful to have a framework detailing the different ways that intelligence can be effectively utilized. Traditionally, intelligence levels have aligned to the levels of warfare: strategic, operational, and tactical.
There are several reasons for this alignment: it can help identify the decision makers at each level; it identifies the purpose of that intelligence, whether it is to inform policy and planning or to help detect or deter an attack; it can help dictate what actions should be taken as a result of receiving that intelligence. At any level of intelligence it is critical to assess the value to your organization specifically. Please answer this for yourself, your team, and your organization, “How does this information add perspective to our security program? What decisions will this information assist us in making?”

Strategic intelligence

Strategic intelligence is intelligence that informs the board and the business. It helps them understand broader trends that are facing their organizations and other similar organizations in order to assist in the development of a strategy. Strategic Intelligence comes from analyzing longer term trends, and often takes the shape of analytic reports such as the DBIR and Congressional Research Service (CRS) reports. Strategic intelligence assists key decision makers in determining what threats are most impactful to their businesses and future plans, and what long-term efforts they may need to take to mitigate them. The key to implementing strategic intelligence in your own business is to apply this knowledge in the context of your own priorities, data, and attack surface. No commercial or annual trend report can tell you what is important to your organization or how certain threat trends may impact you specifically. Strategic intelligence - like all types of intelligence - is a tool that can be used to shape future decisions, but it cannot make those decisions for you.

Operational Intelligence

Operational intelligence provides intelligence about specific attacks that may impact an organization.
Operational intelligence is rooted in the concept of military operations - a series of plans or engagements that may take place at different times or locations, but have the same overarching goal. It could include identified campaigns targeting an entire sector, or it could be hacktivist or botnet operations targeting one specific organization through a series of attacks.Information Sharing and Analysis Centers (ISACs) and Organizations (ISAOs) are good places to find operational intelligence.Operational intelligence is geared towards higher-level security personnel, but unlike strategic intelligence it dictates actions that need to be taken in the near to mid-term rather than the long term. It can help inform decisions such as whether to increase security awareness training, how to staff a SOC during an identified adversary operation, or whether to temporarily deny requests for exceptions to the firewall policy. Operational intelligence is one of the best candidates for information sharing. If you see something that is going on that may impact others in the near term, *please* share that information. It can help other organizations determine if they need to take action as well.Operational intelligence is only useful when those receiving the intelligence have the authority to make changes to policies or procedures in order to counter the threats.Tactical IntelligenceTactical Intelligence focuses on the the “what” (Indicators of Compromise) and the “how” (Tactics, Techniques, and Procedures) of an attacker's actions with the intent of using that knowledge to prevent, detect, or respond to incidents. Do attackers tend to use a particular method to gain initial access, such as social engineering or vulnerability exploitation? Do they use a particular tool or set of tools to escalate privilege and move laterally? What indicators of compromise might allow you to detect these activities? 
For a good list of various source of tactical intelligence check out Herman Slatman's list of threat intelligence resources.Tactical intelligence is geared towards security personnel who are actively monitoring their environment and gathering reports from employees who report anomalous activity or social engineering attempts. Tactical Intelligence can also be used in hunt operations, where we are looking to identify attacker behaviors that vary only slightly from a typical user's behavior. This type of intelligence requires more advanced resources, such as extensive logging, user behavioral analytics, endpoint visibility, and trained analysts. It also requires a security-conscious workforce, as some indicators may not be captured or alerted on without first being reported by an employee. You will always have more employees than attack sensors…listen to them, train them, gather the information they can provide, analyze it, and then act upon it.Tactical threat intelligence provides specific, but perishable, information that security personnel can act on.Understanding how threat intelligence operates at different levels can help an organization understand where it needs to focus their efforts and what it can do with the threat intelligence it has access to. It can also help guide how the organization should approach intelligence in the future. The intelligence you can generate from your own network will always be the most actionable intelligence, regardless of the level.For more information on the levels of intelligence and the levels of warfare, check out these resources:The State of Security: Cyber Threat IntelligenceJoint Publication 2-0: Joint Intelligence INSA Operational Levels of Threat Intelligence CIA Library: The State of Strategic Intelligence

How to Build Threat Intelligence into your IDR Strategy: Webinar FAQ


Thanks to everyone who joined our webinar on How to Build Threat Intelligence into your Incident Detection and Response Program. We got so many great questions during the session that we decided to follow up with a post answering them and addressing the trends and themes we continue to see around threat intelligence.

TL/DR for those of you who don't have time to read all of the responses (we got a lot of questions):

- Threat intelligence is a process, not something you buy. That means you will have to put work in to get results.
- Threat intelligence works best when it is integrated across your security operations and is not viewed as a stand-alone function.
- Strategic, Operational, and Tactical threat intelligence (including technical indicators) are used differently and gathered using different methods.

Do you see threat intelligence as a proactive approach to cyber monitoring or just a better way of responding to cyber threats? If you see it as proactive, how, since the intelligence is based on events and TTPs that have already occurred?

A misconception about threat intelligence is that it is focused exclusively on alerting or monitoring. We talked about indicators of compromise and how to use them for detection and response, but there is a lot more to threat intelligence than IOCs. When threat intelligence is properly implemented in a security program it contributes to prevention, detection, and response. Understanding the high-level, strategic threats facing your organization helps determine how to improve overall security posture. All intelligence must be based on facts (i.e., things that have already occurred or that we already know), but those facts allow us to create models that can be used to identify trends and assess what controls should be put in place to prevent attacks. As prevention comes into alignment, it is important to maintain awareness of new threats by leveraging operational and tactical intelligence, taking actions to protect your organization before they are able to impact you.

I can see the usefulness of tactical, operational and technical intelligence. How would you be able to establish strategic intelligence?

Strategic intelligence is intelligence that informs leadership or decision makers on the overarching threats to the organization or business. Think of this as informing high-level decision making based on evidence: seeing the forest without being distracted by the trees. Information that contributes to strategic intelligence is gathered and analyzed over a longer period of time than other types of threat intelligence. The key to utilizing strategic intelligence is being able to apply it in the context of your own data and attack surface. An example would be intelligence that financially motivated cyber criminals are targeting third-party vendors in order to gain access to retail networks. This information could be used to assess whether a business would be vulnerable to this type of attack and to identify longer-term changes that need to take place to reduce the risk, such as network segmentation, audits of existing third-party access, and development of policies to limit access.

What is the difference between Strategic and Operational Intelligence?

Strategic intelligence focuses on long-term threats and their implications, while operational intelligence focuses on short-term threats that may need to be mitigated immediately. Implementing strategic and operational intelligence often involves asking the same questions: who and why. With strategic intelligence you are evaluating the attackers - focusing on their tactics and motivations rather than geographical location - to determine how those threats may impact you in the future. With operational intelligence you are evaluating who is actually being targeted and how, so that you can determine whether you need to take any immediate actions in response to the threat.

What is positive control and why is it important?

Positive control is the aspirational state of a technical security program. This means that only authorized users and systems are on the network, and that accounts and information are accessed only by approved users. Before you start assessing your network to understand what “normal” looks like, take care to be sure that you are not including attacker activity in your baseline.

If you are being targeted by an identified entity, what should you do to build intelligence on possible attacks?

Active and overt attacks fall into the realm of operational intelligence. You can gather intelligence on these attacks from social media, blog posts, or alerts from places like US-CERT, ISACs, ISAOs, and other sharing groups. Some questions you should be asking and answering as you gather information are: Who else is being targeted? Can we share information with them on this attack? How have the attackers operated in the past? What are we seeing now that can help us protect ourselves?

What is done in Tactical Monitoring?

Tactical intelligence tends to focus on mechanisms: the “how” of what an attacker does. Do they tend to use a particular method to gain initial access? A particular tool or set of tools to escalate privilege and move laterally? What social engineering or reconnaissance activities do they typically engage in prior to an attack? Tactical intelligence is geared towards security personnel who are actively monitoring their environment as well as gathering reports from employees who report strange activities or social engineering attempts. Tactical intelligence can also be used by hunters who are seeking to identify a behavior that may be a normal user behavior but is also a behavior used by an attacker to avoid detection. This type of intelligence requires more advanced resources, such as extensive logging, behavioral analytics, endpoint visibility, and trained analysts. It also requires a security-conscious workforce, as some indicators may not be captured or flagged by logs without first being reported by an employee.

Can you point me to resources where to gather information regarding strategic, tactical and operational intelligence?

Before you start gathering information it is important to have a solid understanding of the different levels of threat intelligence. CPNI released a whitepaper covering the four types of threat intelligence that we discussed on the webinar: https://www.cpni.gov.uk/Documents/Publications/2015/23-March-2015-MWR_Threat_Intelligence_whitepaper-2015.pdf

Or, if you are an intelligence purist and find that four types of threat intelligence is one type too many (or if you're just feeling rambunctious), you can refer to JP 2-0, Joint Intelligence, for an in-depth understanding of the levels of intelligence and their traditional application: http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf

Once you are ready, here are some places to look for specific types of intelligence:

- Strategic intelligence can be gathered through open source trend reports such as the DBIR, DBIR industry snapshots, or other industry-specific reports that are frequently released.
- Operational intelligence is often time sensitive and can be gathered by monitoring social media, government alerts like US-CERT, or by coordinating with partners in your industry.
- Tactical intelligence can be gathered using commercial or open sources, such as blogs, threat feeds, or analytic white papers. Tactical intelligence should tell you how an actor operates, the tools and techniques that they use, and give you an idea of what activities you can monitor for on your own network. At this level, understanding your users and how they normally behave is critical, because threat actors will try to mimic those same behaviors, and being able to identify a deviation, no matter how small, can be extremely significant.

What is open source threat intelligence?

Open Source Intelligence (OSINT) is the product of gathering and analyzing data gathered from publicly available sources: the open internet, social media, media, etc. More here: https://en.wikipedia.org/wiki/Open-source_intelligence. For more information on the other intelligence collection disciplines: https://www.fbi.gov/about-us/intelligence/disciplines. Open source threat intelligence is OSINT that focuses specifically on threats. In many cases you will be able to gather OSINT but will still have to do the analysis of the potential impact of the threat on your organization.

What are ISACs and ISAOs? Where can I find a list of them?

Most private sector information sharing is conducted through Information Sharing and Analysis Centers (ISACs), organized primarily by sector (usually critical infrastructure); a list is located here: http://www.isaccouncil.org/memberisacs.html. In the United States, under President Obama's Executive Order 13691, DHS was directed to improve information sharing between the US government's National Cybersecurity and Communications Integration Center (NCCIC) and the private sector. This executive order serves as the platform to include those outside the traditional critical infrastructure sectors: Information Sharing and Analysis Organizations (ISAOs).

What specific tools are used for threat intelligence?

This is a great question, and I think it underscores a big misunderstanding out there. Threat intelligence is a process, not a product bought or a service retained. Any tool you use should help augment your processes. There are a few broad classifications of tools out there, including threat intelligence platforms and data analytics tools. The best way to find the right tools is to identify what problem you are trying to solve with threat intelligence, develop a manual process that works for you, and then look for tools that will help make that manual process easier or more efficient.

Can a solution or framework be tailored to support organizations at different levels of cyber security maturity and awareness, or is there a minimum requirement?

There is a certain level of awareness that is required to implement a threat intelligence program. Notice that we didn't say maturity: we feel that a program at any level can benefit from threat intelligence, but there is a lot that goes into an organization being ready to utilize it. At the very basic level an organization needs to understand what threat intelligence is and what it isn't, understand the problems that they are trying to solve with threat intel, and have a person or a team who is responsible for threat intel. An organization with this base level of understanding is far ahead of many others. When discussing the more technical implementations of threat intelligence, such as threat feeds or platforms, there are some barriers to entry. Aside from those situations, nearly any organization can work to better understand the threats facing them and how they should start to posture themselves to prevent or respond to those threats. Regardless of where you are, if you understand how threat intelligence works and start to implement it appropriately, you will be better off regardless of what else you are dealing with.

How do you stop an attacker once discovered? ACL, IPS, etc.?

Scoping the attack is the first stage, which requires both investigation and forensics. The investigation team will identify the various attributes used in the attack (tools, tactics, procedures), and then will go back and explore the rest of your systems for those attributes. As systems get added, the recursive scoping loop continues until no new systems are added. Once scoping is done, there are a number of actions to be taken, and the complexity involved in deciding exactly what happens (and when) grows exponentially. A short (and anything but comprehensive) list of considerations includes:

- Executive briefing and action plan signoff
- Estimate the business impact of the recovery actions to be executed
- Isolate compromised systems
- Lock or change passwords on all compromised accounts with key material in the scoped systems
- Patch and harden all systems in the organization against vulnerability classes used by the attacker
- Identify exactly what data was impacted; consult with legal regarding regulatory or contractually required next steps
- Safely and securely restore impacted services to the business

Obviously there are a lot of variables at play here, and every incident is unique. This stuff is extremely hard; if it was easy, everyone would be doing it. Call us if you need help.

When I find a system that has been compromised, can you tell me where it came from?

You're asking the right question here: getting a sense of the attacker's motivation and tactics is extremely valuable. Answering “who did this” and “where did they come from” is a lot more difficult than simply pointing at the source IP for the initial point of entry or command and control. Tactical intelligence from the investigation will help answer these questions.

What should be the first step after knowing that the host has been compromised by a zero-day attack?

Run around, scream and shout. In all seriousness, you won't start off with the knowledge that a zero-day was used to compromise an asset. Discovering that a 0day was used in a compromise, by definition, means that an investigation was performed and the root cause identified at the point of infection was, in fact, a 0day. At that point you will hopefully have gathered more information about the incident that you can then analyze to better understand the situation you are facing.
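The recursive scoping loop from the answer on stopping an attacker, written out as an added Python example (not code from Rapid7 or the webinar): attributes recovered from known-compromised hosts are used to sweep the rest of the estate, matches are added, and the sweep repeats until nothing new turns up. Host names, attribute values and the baseline entry are all constructed; the baseline filter reflects the positive-control answer above, since an attribute every healthy host shares must not be used as a pivot.

```python
"""Recursive incident scoping as a fixed-point loop (added example, constructed data)."""
from collections import deque

# Constructed inventory (not real data): host -> attributes an investigation
# recovered from it, as (attribute_type, value) pairs.
INVENTORY = {
    "ws-012":      {("tool_sha256", "<hash-A>"), ("dst_domain", "update-check.invalid"),
                    ("account", "svc_backup")},
    "ws-045":      {("dst_domain", "update-check.invalid"), ("account", "svc_backup")},
    "srv-db-01":   {("tool_sha256", "<hash-A>"), ("account", "adm_jdoe")},
    "srv-file-02": {("account", "adm_jdoe"), ("account", "svc_backup")},
    "ws-099":      {("account", "svc_backup")},
    "ws-100":      {("dst_domain", "intranet.invalid")},
}

# Attributes your baseline of normal activity explains (constructed): every
# workstation runs the backup agent as svc_backup, so that account on its own
# is not evidence of compromise and must not pull hosts into scope.
BASELINE = frozenset({("account", "svc_backup")})


def scope_incident(inventory, seeds, baseline=frozenset()):
    """Expand the set of compromised systems to a fixed point.

    Each newly scoped host contributes its attacker attributes; any host sharing
    one of those attributes is added, and the loop continues until a full sweep
    adds nothing. Returns (in-scope hosts in discovery order, attributes used,
    pivots), where pivots maps each host to the attribute that linked it
    (None for the seed hosts the investigation started from).
    """
    in_scope = list(seeds)
    pivots = {seed: None for seed in seeds}
    attributes = set()
    queue = deque(seeds)
    while queue:
        host = queue.popleft()
        # Only attributes not already known and not explained by the baseline pivot.
        new_attrs = inventory.get(host, set()) - baseline - attributes
        attributes |= new_attrs
        if not new_attrs:
            continue
        for other, observed in inventory.items():
            if other in pivots:
                continue
            shared = observed & new_attrs
            if shared:
                pivots[other] = min(shared)  # deterministic choice for the report
                in_scope.append(other)
                queue.append(other)
    return in_scope, attributes, pivots


def main():
    hosts, attrs, pivots = scope_incident(INVENTORY, ["ws-012"], BASELINE)
    print("Scoped with baseline filter:")
    for host in hosts:
        print(f"  {host:12s} via {pivots[host]}")
    print(f"  attacker attributes used: {sorted(attrs)}")

    # Same sweep without a baseline: the shared service account drags in ws-099,
    # which shows nothing else in common with the incident.
    naive_hosts, _, naive_pivots = scope_incident(INVENTORY, ["ws-012"])
    print("Scoped without baseline filter:")
    for host in naive_hosts:
        print(f"  {host:12s} via {naive_pivots[host]}")


if __name__ == "__main__":
    main()
```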

12 Days of HaXmas: Charlie Brown Threat Intelligence


This post is the third in the series, "The 12 Days of HaXmas."

“Get the biggest aluminum threat feed you can find, Charlie Brown, maybe painted pink.”

It has been a few years now since the term “cyber threat intelligence” entered the mainstream, and since then it has exploded into a variety of products, all claiming to have the biggest, the best, the shiniest, most aluminum-est threat feed, report, or platform. Much of the advertising and media surrounding threat intelligence capitalizes on fear and uncertainty: “you must have threat intelligence or there is a 100% chance you will get hit by OMG-APT-Cyber-Poodle-Heartbleed.” It feeds off of executives' desire to avoid being the next story in the news about how a breach could have been prevented if only they had employed the latest threat intelligence from company XYZ. Buy, buy, buy. More, more, more. Good grief! It can really bring a poor threat analyst down during the holidays.

Amidst the commercialization and fear and the threat-intel-buying frenzy, it is easy to overlook the true meaning of threat intelligence. Threat intelligence exists to help us make decisions about how to best protect assets with limited time, money, and personnel. Knowing what is likely to affect you - how, why, what to look for, and what you can do about it - and then taking actions to mitigate those threats is what threat intelligence is all about. Threat intelligence doesn't have to be about buying something shiny and expensive.

For those of you who haven't seen A Charlie Brown Christmas (and seriously, go watch it when you are done reading this): when the other kids saw Charlie Brown's Christmas tree - small, made of actual wood, losing a few needles here and there, and definitely NOT painted pink - they laughed and questioned his ability to do anything right. But that tree turned out to be exactly what they needed to refocus their school play and their mindsets on what they were actually supposed to be celebrating.

Likewise, many organizations have more at their disposal than they know, but because it doesn't look like what marketing says threat intelligence should look like, it is often scoffed at and overlooked. Business priorities, asset management, log data, lessons learned from a partner's (or their own!) breaches or incidents, reports of phishing emails that come in from employees, open source news feeds, blogs, and non-commercial reports are all things that can be used as the foundation for a threat intelligence program. Many companies are eager to purchase some variety of threat intelligence while overlooking the wealth of information they currently have at their disposal. That information is priceless, but like Charlie Brown's Christmas tree, it just needs a little love.

If Charlie Brown were in infosec he would understand that the true meaning of threat intelligence is to identify and respond to threats in order to change outcomes. Charlie Brown Threat Intelligence is about looking past the commercialization bombarding us and learning what we can do with what we have, because truly that is the very best place to start.

How to make the most of Charlie Brown Threat Intelligence:

- Understand business priorities: It is impossible to protect your business or your information from threats if you don't actually know what you are protecting. What are the systems, assets, or information critical to meeting business objectives? Analyzing business priorities is something that all companies can do for themselves, and it is the first step in utilizing threat intelligence.
- Identify what you can change, and what you can't: Threat intelligence is about identifying threats in order to change outcomes. Outcomes do not change themselves; this means that some sort of action is taken. Focusing time and effort on something that you can't change will waste time and resources. However, if you are unable to change something that you think is critical to the security of your organization, you can use threat intelligence to build the business case for making the change while still making strides towards changing what you can now.
- Keep an eye on the news: Maintaining an awareness of what is going on in the news can help you stay ahead of threats. Sure, if they are in the news they are not always the late-breaking, cutting-edge threats, but that doesn't mean they won't still hit you...or haven't already. Likewise, you are in the best position to know whether something in the news has the potential to affect your organization and how serious the impact would be. Use that knowledge to start planning how to detect and respond to that threat in your environment.
- Training: I am a firm believer that trained personnel are critical to an organization's ability to protect itself. Your platform or your threat feed is useless without someone to implement it and interpret the results. It's not just threat analysts who are supporting threat intelligence: IT, SOC, IR, every employee who touches your network can learn how to identify and better respond to threats. We said that threat intelligence needs a little love, and these are the people who are going to be providing the care and feeding it needs to thrive. Invest in your people.
- Identify your gaps and find something that meets your needs: There is definitely a place for threat intelligence services in the equation, but it comes after a good hard look at your objectives, what you have, what you still need, and what you can realistically implement and support. You may not need the shiniest, most expensive threat intelligence product to make your program successful; in fact, most organizations don't. What they need to remember is the true meaning of threat intelligence, assess their own needs, capabilities, and priorities, and start taking steps to better understand and respond to the threats facing them.
