Rapid7 Blog

Threat Intel  

Survival of the fastest: evolving defenders with broad security automation

If you’ve read the news at all lately, you know that we're having some struggles with information security. Everything from elections to hospitals to Westeros is considered a target, and adversaries continue to learn and innovate—often faster than the defense can respond. It’s not that they have better tools or work harder than the defense, so what gives? If you're struggling with these issues and happen to be coming to Rapid7's annual United Summit, swing by the Detection and Response track on Wednesday, September 13 and hear Justin Pagano and me talk about how we are working on solving these problems!

Turns out, the status quo is kind of the worst. Defenders are trying to work against the clock, to go back in time to deal with issues we thought were resolved decades ago...and on top of that, there aren’t nearly enough defenders out there (yet!). So what can we do against these types of odds? The key is automation—but not just any old kind of automation. Limited, siloed approaches to automation have helped put us where we are now. To move forward, we need broad security automation based on our understanding of the adversaries: how they operate, how they've targeted us in the past, and how they're likely to target us in the future. And that brings us to why I'm involved in this talk in the first place—the combination of broad security automation and threat intelligence! We need to automate what we should, not just what we can. This won’t look the same for every organization, because organizations protect different types of information, defend against different types of adversaries, and have different resources and constraints. What our talk will offer isn't a magical, one-size-fits-all solution, but instead a new approach to security automation.

We will cover broad automation’s dependencies (e.g., scripting/programming skills, APIs, time, money, motivation, and prioritization), as well as what it takes to have worthwhile threat intelligence (sources, timely analysis, and expertise). We'll wrap it up with how to combine the two and develop a program that focuses on real threats, helps prioritize non-automated responses, and frees up the time needed to innovate and learn as defenders. We hope to see you there! If you haven't registered yet, do so here.

Live Threat-Driven Vulnerability Prioritization

We often hear that security teams are overwhelmed by the number of vulnerabilities in their environments: every day they are finding more than they can fix. It doesn't help when rating schemes used for prioritization, like the Common Vulnerability Scoring System (CVSS), don't really work at scale or take the threat landscape into account. How do you know where to focus if your vulnerability management solution shows that you have 10,000 vulnerabilities with a critical or high severity rating? And when a high profile vulnerability comes along, how do you quickly gain insight into its impact on your organization?

Understanding which vulnerabilities are most likely to be exploited by an attacker is critical for effective prioritization. That's why the RealRisk score used in InsightVM and Nexpose takes into account whether a vulnerability is targeted by a known exploit or malware kit. In addition, the Rapid7 Critical vulnerability category enables security teams to automatically assess the risk posed by critical threats, particularly 0-days that don't have a CVSS score yet. But given recent events, there is clearly a need for vulnerability-based threat intelligence, as explained in this blog. Rapid7 already gathers and analyzes data on attacker methodology and emerging threats through the Rapid7 Insight platform, Rapid7 Labs' Project Heisenberg Cloud, our Managed Detection and Response team, and the Metasploit community. We want to make all this data available to our customers to help them better understand their exposure to the constantly changing threat landscape, but in a way that adds real value and not just noise.

Introducing the Rapid7 Threat Feed in InsightVM

The Rapid7 Threat Feed is a live, curated feed of vulnerabilities being actively exploited by attackers in the wild; these are the most dangerous vulnerabilities and should be addressed immediately.
The feed combines data collected by our Heisenberg honeypots and incident response activity with information from trusted third parties:

Source        Description
Heisenberg    Attacks detected by Rapid7 Labs' modern honeypot framework
IR Activity   Confirmed incidents from Rapid7's Managed Detection and Response team
FBI           Information shared as part of the FBI's private sector partnership
InfoSharing   Information shared from a trusted partner tracking this threat
Open Source   Publicly available information

In addition to actively monitoring and curating the feed, the Rapid7 Threat Intelligence team adds important context such as threat vector and actor information so you can see how relevant a threat is to your organization.

Visualizing Threats in Your Environment

But just having information is not enough; it needs to be combined with context about your organization's environment to make it actionable. We added a new Threat Feed Dashboard template that makes it easy for you to see how exposed your organization is to active threats and where you need to focus to reduce the likelihood of an attack. This dashboard includes information such as the percentage of assets or vulnerabilities in your environment that can be exploited by a novice, the most commonly exploited vulnerabilities, and common exploits and malware kits.

Specifically, there are two new dashboard cards that leverage the Rapid7 Threat Feed. The Most Common Actively Targeted Vulnerabilities card shows you the most prevalent active threats in your environment. Clicking on this card gives a full list of actively exploited vulnerabilities on your network, which you can drill into for the Rapid7 Threat Feed details. The Assets with Actively Targeted Vulnerabilities card shows you the total number of assets on your network that are affected by active threats and which assets you need to prioritize for remediation.
Remediating Threats in Your Environment

Finding the most dangerous vulnerabilities in your environment is only half the job—next you need to actually fix them. Clicking on the Assets with Actively Targeted Vulnerabilities card gives a full list of affected assets, which can be added to a Static Remediation Project for driving action. With Remediation Workflow, you can create and assign tickets automatically, provide relevant and actionable information, and track progress from start to finish.

If you're an existing InsightVM customer (or haven't upgraded yet and are still using Nexpose Now), you can get started with the Rapid7 Threat Feed by creating a new Threat Feed Dashboard or adding the new cards in the Threat Feed category to an existing dashboard. If you're not an existing InsightVM customer, you can sign up for a free 30-day trial.

Using Threat Intelligence to Mitigate Wanna Decryptor (WannaCry)

Basics of Cyber Threat Intelligence

Cyber Threat Intelligence is analyzed information about the opportunities, capabilities, and intent of cyber adversaries. The goal of cyber threat intelligence is to help people make decisions about how to prevent, detect, and respond to threats against their networks. This can take a number of forms, but the one people almost always turn to is IOCs. IOCs, or indicators of compromise, are technical network artifacts that can alert a defender that their system is compromised. These include things like IP addresses, domain names, hashes, file names, etc. IOCs are often a good way to detect malicious activity, but they are not the only output of threat intelligence, and often they are not the best output.

Threat Intelligence for WannaCry

In the case of WannaCry (get an overview of the WannaCry vulnerability here), the primary IOCs available are the hashes and file names of the ransomware samples. By the time you alert on those on your system, it is already too late: the system is already being encrypted. WannaCry also uses a cryptographic loading mechanism that prevents the malicious DLL from ever touching the disk, which means that antivirus will not detect or block it. The hashes are useful from a research perspective, such as identifying new variants or tracking changes to the malware, but they are not useful for detection.

Likewise, there are a few blogs that have published IP addresses that are related to the campaign, but have not provided information as to the nature of those IPs. This makes it hard to know how to handle them or use them in incident detection and response scenarios. Many of the IPs associated with WannaCry are so associated because they have been seen scanning for port 445. We know that WannaCry must scan for that port to identify systems to compromise; however, WannaCry is not the only thing that scans the internet, and blocking or alerting on scanning IPs will create a large number of false positives.
The kill switch domain is a good indicator that you have compromised systems on your network that should be remediated. Contact with this domain - which should be allowed to prevent encryption! – can be used as a way to track what systems are compromised and launch investigations accordingly. It is not a prevention method, but it can help identify hosts compromised with this variant. The InsightIDR threat community has a threat list that will alert on (but not block) this domain to assist with identification of compromised hosts.

A Better Approach

IOC-based threat intelligence is not the best approach for dealing with WannaCry—a vulnerability-based approach is. The best indicator that you will be compromised is whether or not you are vulnerable to the ETERNALBLUE exploit that WannaCry uses as an initial attack vector. One researcher put an SMB honeypot up with port 445 open and was exploited in less than 3 minutes. With the way that WannaCry is spreading, if you are vulnerable, you will be compromised. Ensuring that all of your systems are patched, port 445 is not open to the internet, and network segmentation is in place are all far better things to focus on than finding IOCs for WannaCry. For information on how to scan for, and remediate, MS17-010 with Nexpose and InsightVM, please read this blog.

WannaCry is Just the Beginning...

The reality is that we're likely to see more attacks leveraging this attack vector. The basic equation for threats is as follows:

Threat = Opportunity + Capability + Intent

For the WannaCry ransomworm, the equation looks like this:

WannaCry = Unpatched flaw in SMB + ETERNALBLUE with ransomware and worming capabilities + Desire for $$$

But we have an almost unending list of potential threats, since the opportunity and capability are both public. It is almost guaranteed that we will see other threats where:

Opportunity = Unpatched flaw in SMB
Capability = Some variation of ETERNALBLUE
Intent = Money, power, chaos, revenge, etc.
We can monitor for new capabilities that are being developed, and we can brainstorm potential threat actor intents to understand whom the threat may target, but what will remain the same across all of these threats is the opportunity the attacks rely on. If we can remove that opportunity, these threats become insubstantial, as the attackers will have no way to leverage their capabilities. Want to learn more? Visit our resource page filled with relevant information around WannaCry.

3 Things We Learned From the Joint Analysis Report

2016 kept us on our toes right up to the very end - and its last curveball will have implications lasting well past the beginning of the new year. Speculation on Russian hacking is nothing new, but it picked up notably with the DNC hack prior to the presidential election and the subsequent release of stolen emails, which the intelligence community later described as an information operation aimed at influencing the election. And then on December 29th we saw the US government's response: the coordinated release of a joint report detailing the hacking efforts attributed to Russian intelligence agencies, economic sanctions, and the expulsion of Russian diplomats.

This blog is not going to discuss the merits – or otherwise - of various political actions, nor whether cyberespionage should warrant different responses than other types of espionage. Instead, I'm going to focus on the learnings we can take away from the Joint Analysis Report (JAR). The report is not perfect, but nonetheless, I believe it can be valuable in helping us, as an industry, improve, so I'm choosing to focus on those points in this post.

The Joint Analysis Report won't change much for some defenders, while for others it means a reevaluation of their threat model and security posture. But given that the private sector has been tracking these actors for years, it's difficult to imagine anyone saying that they are truly surprised Russian entities have hacked US entities. Many of the indicators of compromise (IOCs) listed in the JAR have been seen before -- either in commercial or open source reporting. That being said, there are still critical takeaways for network defenders.

1) The US government is escalating its response to cyber espionage.
The government has only recently begun to publicly attribute cyberattacks to nation states, including attributing the Sony attacks to North Korea, a series of industrial espionage-related attacks to Chinese PLA officers, and a series of attacks against the financial sector to Iran-backed actors. But none of those attack claims came with the expulsion of diplomats or suspected intelligence officers. The most recent case of a diplomat being declared persona non grata (that we could readily find) was in 2013, when three Venezuelan officials were expelled from the US in response to the expulsion of US diplomats from Venezuela. Prior to that was in 2012, when a top Syrian diplomat was expelled from the Washington Embassy in response to the massacre of civilians in the Syrian town of Houla. Clearly, this is not a step that the United States takes lightly.

These actions are more significant to government entities than they are to the private sector, but being able to frame the problem is crucial to understanding how to address it. Information and influence operations have been going on for decades, and the concept that nations use the cyber domain as a means to carry out these information operations is not surprising. This is the first time, however, that the use of cyber means has been met with a public response that has previously been reserved for conventional attacks. If this becomes the new normal then we should expect to see more reports of this nature and should be prepared to act as needed.

2) The motivation of the attackers detailed in the report is significant.

We tend to think of cyber operations as fitting into three buckets: cyberespionage, cybercrime, or hacktivism. The actions described in the JAR and in the statement from the President describe influence operations.
Not only do the attackers want to steal information, but they are actively trying to influence opinions, which is an area of cyber-based activity we are likely to see increasing. The entities listed in the JAR, who are primarily political organizations (and there are far more political organizations out there than just the two primary parties' HQ), as well as organizations such as think tanks, should reevaluate their threat models and their security postures. It is not just about protecting credit card information or PII; anything and everything is on the table. The methods that are being used are not new – spear-phishing, credential harvesting, exploiting known vulnerabilities, etc. – and that fact should tell people how important basic network security is and will remain. There was no mention of zero-days or use of previously undetected malware. Companies need to understand that the basics are just as, or even more, important when dealing with advanced actors.

3) We need to work with what we have – and that doesn't mean we just plug and play IOCs. It's up to us to take the next step.

So, what is there to do with the IOCs? There are a lot of people who are disappointed about the quality and level of detail of the IOCs in the JAR. It is possible that what has been published is the best the government could give us at the TLP: White level, or that the government analysts who focus on making recommendations to policy makers simply do not know what companies need to defend their networks (hint: it is not a Google IP address). We, as defenders, should never just take a set of IOCs and plug them into our security appliances without reviewing and understanding what they are and how they should be used. Defenders should not focus on generating alerts directly off the IOCs provided, but should do a more detailed analysis of the behaviors that they signify.
In many cases, even after an IOC is no longer valid, it can tell a story about an attacker behavior, allowing defenders to identify signs of those behaviors, rather than the actual indicators that are presented. IOC timing is also important. We know from open source reporting, as well as some of the details in the JAR, that this activity did not happen recently; some of it has been going on for years. That means that if we are able to look back through logs for activity that occurred in the past, then the IOCs will be more useful than if we try to use them from this point in time forward, because once they are public it is less likely that the attackers will still be employing them in the way they did in the past.

We may not always get all of the details around an IOC, but it's our job as defenders to do what we can with what we have, especially if we are an organization that fits the targeting profile of a particular actor. Yes, it would be easier if the government could give us all of the information we needed in the format that we needed, but reality dictates that we will still have to do some of our own analysis. We should not be focusing on any one aspect of the government response, whether it is the lack of published information clearly providing attribution to Russia, or the list of less-than-ideal IOCs. There are still lessons that we, as decision makers and network defenders, can take away. Focusing on those lessons requires an understanding of our own networks, our threat profile, and yes, sometimes even the geo-political aspects of current events, so that we can respond in a way that will help us to identify threats and mitigate risk.

12 Days of HaXmas: New Years Resolutions for the Threat Intelligence Analyst

Merry HaXmas to you! Each year we mark the 12 Days of HaXmas with 12 blog posts on hacking-related topics and roundups from the year. This year, we're highlighting some of the “gifts” we want to give back to the community. And while these gifts may not come wrapped with a bow, we hope you enjoy them.

You may or may not know this about me, but I am kind of an overly optimistic sunshine and rainbows person, especially when it comes to threat intelligence. I love analysis, I love tackling difficult problems, connecting dots, and finding ways to stop malicious actors from successfully attacking our networks. Even though 2016 tried to do a number on us (bears, raccoons, whatever...) I believe that we can come through relatively unscathed, and in 2017 we can make threat intelligence even better by alleviating a lot of confusion and addressing many of the misunderstandings that make it more difficult to integrate threat intelligence into information security operations. In the spirit of the new year, we have compiled a list of Threat Intelligence Resolutions for 2017.

Don't chase shiny threat intel objects

Intelligence work, especially in the cyber realm, is complex, involved, and often time-consuming. The output isn't always earth-shattering: new rules to detect threats, additional indicators to search for during an investigation, a brief to a CISO on emerging threats, situational awareness for the SOC so they better understand the alerts they respond to. Believe it or not in this media frenzied world, that is the way it is supposed to be. Things don't have to be sensationalized to be relevant. In fact, many of the things that you will discover through analysis won't be sensational, but they are still important. Don't discount these things or ignore them in order to go chase shiny threat intelligence objects – things that look and sound amazing and important but likely have little relevance to you.
Be aware that those shiny things exist, but do not let them take away from the things that are relevant to you. It is also important to note that not everything out there that gets a lot of attention is bad – sometimes something is big because it is a big deal and something you need to focus on. Knowing what is just a shiny object and what is significant comes down to knowing what is important to you and your organization, which brings us to resolution #2.

Identify your threat intelligence requirements

Requirements are the foundation of any intelligence work. Without them you could spend all of your time finding interesting things about threats without actually contributing to the success of your information security program. There are many types and names for intelligence requirements: national intelligence requirements, standing intelligence requirements, priority intelligence requirements – but they are all a result of a process that identifies what information is important and worth focusing on. As an analyst, you should not be focusing on something that does not directly tie back to an intelligence requirement. If you do not currently have intelligence requirements and are instead going off of some vague guidance like “tell me about bad things on the internet”, it is much more likely that you will struggle with resolution #1 and end up chasing the newest and shiniest threat rather than what is important to you and your organization. There are many different ways to approach threat intelligence requirements – they can be based off of business requirements, previous incidents, current events, or a combination of the above. Scott Roberts and Rick Holland have both written posts to help organizations develop intelligence requirements, and they are excellent places to start with this resolution. (They can be found here and here.)
Be picky about your sources

One of the things we collectively struggled with in 2016 was helping people understand the difference between threat intelligence and threat feeds. Threat intelligence is the result of following the intelligence cycle - from developing requirements, through collection and processing, analysis, and dissemination. For a (much) more in depth look into the intelligence cycle read JP 2-0, the publication on Joint Intelligence [PDF]. Threat feeds sit solidly in the collection/processing phase of the intelligence cycle - they are not finished intelligence, but you can't have finished intelligence without collection, and threat feeds can provide the pieces needed to conduct analysis and produce threat intelligence. There are other sources of collection besides feeds, including alerts issued by government agencies or commercial intelligence providers that often contain lists of IOCs. With all of these things it is important to ask questions about the indicators themselves:

Where does the information come from? A honeypot? Is it low interaction or high interaction? Does it include scanning data? Are there specific attack types that they are monitoring for? Is it from an incident response investigation? When did that investigation occur? Are the indicators pulled directly from other threat feeds/sources? If so, which ones?

What is included in the feed? Is it simply IOCs or is there additional information or context available? Remember, this type of information must still be analyzed and it can be very difficult to do that without additional context.

When was the information collected? Some types of information are good for long periods, but some are extremely perishable, and it is important to know when the information was collected, not just when you received it. It is also important to know whether you should be using indicators to look back through historical logs or to generate alerts for future activity.
Tactical indicators have dominated the threat intelligence space, and many organizations employ them without a solid understanding of what threats are being conveyed in the feeds or where the information comes from, simply because they are assured that they have the "best threat feed" or the "most comprehensive collection", or maybe they come from a government agency with a fancy logo (although let's be honest, not that fancy). But you should never blindly trust those indicators, or you will end up with a pile of false positives. Or a really bad cup of coffee. It isn't always easy to find out what is in threat feeds, but it isn't impossible. If threat feeds are part of your intelligence program then make it your New Year's resolution to understand where the data in the feeds comes from, how often it is updated, where you need to go to find out additional information about any of the indicators in the feeds, and whether or not it will support your intelligence requirements. If you can't find that information out then it may be a good idea to also start looking for feeds that you know more about.

Look OUTSIDE of the echo chamber

It is amazing how many people you can find to agree with your assessment (or agree with your disagreement of someone else's assessment) if you continue to look to the same individuals or the same circles. It is almost as if there are biases at work - wait, we know a thing or two about biases! (See "This Graphic Explains 20 Cognitive Biases That Affect Your Decision-Making".) Confirmation bias, bandwagoning, take your pick. When we only expose ourselves to certain things within the cyber threat intelligence realm we severely limit our understanding of the problems that we are facing and the many different factors that influence them. We also tend to overlook a lot of intelligence literature that can help us understand how we should be addressing those problems.
Cyber intelligence is not so new and unique that we cannot learn from traditional intelligence practices. Here are some good resources on intelligence analysis and research:

Kent Center Occasional Papers — Central Intelligence Agency: The Kent Center, a component of the employee-only Sherman Kent School for Intelligence Analysis at CIA University, strives to promote the theory, doctrine, and practice of intelligence analysis.

Congressional Research Service: The Congressional Research Service, a component of the Library of Congress, conducts research and analysis for Congress on a broad range of national policy issues.

The Council on Foreign Relations: The Council on Foreign Relations (CFR) is an independent, nonpartisan membership organization, think tank, and publisher.

Don't be a cotton headed ninny muggins

Now this is where the hopeful optimist in me really comes out. One of the things that has bothered me most in 2016 is the needless fighting and arguments over, well, just about everything. Don't get me wrong, we need healthy debate and disagreement in our industry. We need people to challenge our assumptions and help us identify our biases. We need people to fill in any additional details that they may have regarding the analysis in question. What we don't need is people being jerks or discounting analysis without having seen a single piece of information that the analysis was based off of. There are a lot of smart people out there, and if someone publishes something you disagree with or question, then there are plenty of ways to get in touch with them or voice your opinion in a way that will make our collective understanding of intelligence analysis better.

Cyber Threat Intelligence: How Do You Incorporate it in Your InfoSec Strategy?

In the age of user behavior analytics, next-gen attacks, polymorphic malware, and reticulating anomalies, is there a time and place for threat intelligence? Of course there is! But – and it seems there is always a 'but' with threat intelligence – it needs to be carefully applied and managed so that it truly adds value and not just noise. In short, it needs to actually be intelligence, not just data, in order to be valuable to an information security strategy.

We used to have the problem of not having enough information. Now we have an information overload. It is possible to gather data on just about anything you can think of, and while that can be a great thing (if you have a team of data scientists on standby), most organizations simply find themselves facing an influx of information that is overwhelming at best and contradictory at worst. Threat intelligence can help solve that problem.

What is Threat Intelligence?

As Rick Holland and I mentioned in our talk at UNITED Summit 2016, there are a variety of definitions and explanations for threat intelligence, ranging in size from a paragraph to a field manual. Here's the distilled definition: “Threat Intelligence helps you make decisions about how to prevent, detect, and respond to attacks." That's pretty simple, isn't it? But it covers a lot of ground. The traditional role of intelligence is to inform policy makers. It doesn't dictate a particular decision, but informs them with what they need to make critical decisions. The same concept applies to threat intelligence in information security, and it can benefit everyone from a CISO to a vulnerability management engineer to a SOC analyst. All of those individuals have decisions to make about the information security program, and threat intelligence arms them with relevant, timely information that will help them make those decisions. If intelligence is making it harder for you to make decisions, then it is not intelligence.
When Threat Intelligence Fails

Threat Intelligence can be a polarizing topic – you hate it or you love it. Chances are that if you hate it, you've probably been burned by threat feeds containing millions of indicators from who-knows-where, had to spend hours tracking down information from a vendor report with absolutely no relevance to your network, or are simply fed up with the clouds of buzzwords that distract from the actual job of network defense. If you love it, you probably haven't been burned, and we want to keep it that way.

Threat Intelligence fails for a variety of reasons, but the number one reason is irrelevance. Threat feeds with millions of indicators of uncertain origin are not likely to be relevant. Sensationalized threat actor reports with little detail but lots of fear, uncertainty, and doubt (FUD) are not likely to be relevant. Stay away from these, or the likelihood that you end up crying under your desk increases. So how DO you find what is relevant? That starts with understanding your organization and what you are protecting, and then seeking out threat intelligence about attacks and attackers related to those things. This could mean focusing on attackers that target your vertical or the types of data you are protecting. It could mean researching previously successful attacks on the systems or software that you use. By taking the time to understand more about the source and context behind your threat intelligence, you'll save a ton of pain later in the process.

The Time and Place for Threat Intelligence

Two of the most critical factors for threat intel are just that – time and place. If you're adding hundreds of thousands of indicators with no context and no expiration date, that will result in waves of false positives that dilute any legitimate alerts that are generated.
With cloud architectures today, vendors have the ability to anonymously collect feedback from customers, including whether alerts generated by the intel are false positives or not. This crowdsourcing can serve as a feedback loop to continuously improve the quality of intelligence. For example, with this list, 16 organizations are using it, 252 alerts have been generated across the community, and none have been marked as false positives. The description also contains enough context to help defenders know how to respond to any alerts generated. This has served as valuable threat intelligence.

The second half is place – different intelligence should be applied differently in your organization. Strategic intelligence, such as annual trend reports, or warnings on targeted threats to your industry, are meant to help inform decision makers. More technical intelligence, such as network based indicators, can be used as firewall rules to prevent threats from impacting your network. Host based indicators, especially those from your own incidents or from organizations similar to yours, can be used to detect malicious activity on your network. This is why you need to know exactly where your intelligence comes from, as without it, proper application is a serious challenge. Your own incident experience is one of the best sources of relevant intelligence – don't let it go to waste!

To learn about how you can add threat intelligence into InsightIDR, check out the Solution Short below.

Threat intelligence isn't as easy as plugging a threat feed into your SIEM. Integrating threat intelligence into your information security program involves (1) understanding your threat profile, (2) selecting appropriate intelligence sources, and (3) contextually applying it to your environment. However, once completed, threat intelligence will serve a very valuable role in protecting your network.
Intelligence helps us understand the threats we face – not only with identifying them as they happen, but to understand the implications of those threats and respond accordingly. Intelligence enables us to become persistent and motivated defenders, learning and adapting each step of the way.

Nexpose integrates with McAfee ePO and DXL: The first unified vulnerability management solution for Intel Security customers!

We wanted to give you a preview into Nexpose's new integration with both McAfee ePolicy Orchestrator (ePO) and McAfee Data Exchange Layer (DXL); this is the next stage of our partnership with Intel as their chosen vendor for vulnerability management [PDF]. This partnership is also a first for both Rapid7 and Intel, as Nexpose is the only vulnerability management solution to not only push our unique risk scoring into ePO for analysis, but also automatically import asset data from ePO and threat intelligence from DXL into Nexpose for better discovery and prioritization. On top of that, we publish vulnerability data to DXL so that your entire DXL ecosystem can benefit from this intel (pun fully intended). The integration is currently in its final stages, so here's what you have to look forward to:

ePO and Nexpose: Correlating risk, and ensuring no asset goes unscanned

ePO lets you deploy, manage and report on a huge portion of your security program - from endpoint protection right out to the gateway. Now you can overlay this information with the susceptibility of your systems to a real world attack, by importing our unique risk score that incorporates vital context including exploit exposure, vulnerability age and malware exposure to show you the vulnerabilities and assets an attacker is most likely to target.

In addition, ePO and Nexpose communicate asset information, ensuring coverage accuracy for the crucial first step of any scan: Discovery.
Not only can you import current ePO asset details into Nexpose, making initial setup a breeze, you can also automatically import newly discovered ePO assets, so your vulnerability management team always has the complete picture of your network (or if you're a one-man shop or an elite team of security oracles, you don't have to waste time doing the same work with multiple products).

DXL and Nexpose – share vulnerability info and automate exploit response

The McAfee DXL platform lets multiple products collaborate and share information with each other – it's essentially a force multiplier for your security program. Nexpose and DXL customers correlate Nexpose risk scores and vulnerability data with other products in the ecosystem. Via Intel's Threat Intelligence Exchange (TIE), Nexpose can also identify systems that may have been compromised and prioritize them for remediation. No other vulnerability management tool provides this kind of insight to the Intel Security partner ecosystem.

Keep an eye out for detailed blog posts on each of these integration points over the next few weeks; in the meantime, check out our webcast on October 26th and reach out to your friendly neighborhood sales rep or customer success manager for more information on integrating these two key pieces of your security program!

The Calm Heroes Fighting Cyber Crime

The call everyone had been waiting for came in: the shuffleboard table arrived, and was ready to be brought upstairs and constructed! The team had been hard at work all morning in the open-style office space with conference rooms and private offices along the perimeter. The Security Operations Center (SOC) with computers, many monitors and an open layout was behind a PIN activated door. The team wanted something fun in the office to do when they took a break from defending networks.

My office-mates for the week were casually dressed in jeans and either t-shirts or button downs, and they were sweating while laughing and strategizing for how to get a 20-foot shuffleboard table up two flights of stairs and into the office. About five minutes later, the shuffleboard table parts were placed in the open space in the office, and the team was back downstairs figuring out how to dispose of the wood and other protective covering that came with it. They were calm and happy—the consistent mood throughout the week even when larger puzzles arose. The next morning, the table was fully assembled and there were tests underway for how to straighten the slope.

What does a shuffleboard table have to do with my trip to Alexandria and the team I visited? The shuffleboard assembly showed me a lot about how some of the best problem solvers work together to get the job done. The team quickly, quietly, and efficiently solves problems regularly, and they have a lot of fun doing so. They work well together—they collaborate together, eat together, smoke together, and joke together. One way that they mark their success: you never heard about the incident that they solved, it's just solved—similar to how they built the shuffleboard table. One minute, there were many parts in a box that needed to be brought up the stairs and constructed. A day later, there was a shuffleboard table set up and the packaging had been recycled.
Most of the time, however, this teamwork is put to solving some of the largest, most complicated cyber security breaches and problems. Everyone on the team has a distinct role and they rely on each other to creatively problem solve. These are the crime fighters that you don't see or hear. So, how do they do it?

They divide and conquer. The team is broken up into three smaller teams—there's an analytic response team, an incident response team, and a threat intelligence team. Their knowledge and collaboration enable quicker threat detection and response and a deep, unparalleled understanding of the threat landscape, user behavior, and attacker behavior.

What are these three different teams and how are they not duplicative?

Analytic Response

The Analytic Response team is a group of people who work in the security operations center and continuously keep an organization's environment safe. The combination of people and technology of Analytic Response act as “detectors” in the environment. With this team monitoring, detecting, and responding to what's going on in your environment, when an incident comes up, you gain an understanding of what is happening and how serious it is. There are three tiers of analysts in the SOC, and each has a different role in detecting and responding. They make it possible to detect and respond to threats in hours instead of months. These people eat, sleep, and breathe problem solving and do so calmly and with ease. Many of these analysts have been coding and participating in hacking events since they were young and have a lot of experience spotting anomalies.

Incident Response

The Incident Response team is another subset of this larger IDR ecosystem. This group helps teams come up with proactive strategies so that they have a program.
They are also the boots on the ground if there's an issue; as the team lead put it, “we're the people you don't want to see at your organization.” When the Incident Response team is called in unexpectedly, it's because there's a cyber-incident that needs to be solved, immediately. They examine and make sense of the virtual crime scene.

Threat Intelligence

The Threat Intelligence team analyzes information on threats and generates intelligence that feeds both analytic and incident response and gives all of the teams situational awareness of emerging and evolving threats. Our leader of the threat intelligence practice is a former Marine Corps network warfare analyst. Threat intelligence helps defenders understand threats and their implications and speeds decision making in the most urgent situations.

The three teams that make up Rapid7's broader IDR Services all support each other and make it better for the customer. They may seem like three distinct teams, but they all come together to solve problems quickly and create a vast amount of knowledge to be used by all. The analytic response team is made more efficient by threat intelligence, and the incident response team helps customers experiencing major incidents and utilizes the work done by both teams to solve the problems. They are an integrated, fun, quirky team that calmly and easily solves problems… and they also find time for shuffleboard!

Learn more about Analytic Response here.

Real-Time Discussion On Real-Time Security

In case you haven't yet met someone from Rapid7, you should know that we care about improving security at all companies. We have no interest in selling you products that are going to sit on your shelf, so I recently wore makeup for the first time and sat down for a live videocast with Sara Peters from Dark Reading and John Pironti from IP Architects to talk through how organizations can get their people, process, and technology working together to prioritize and respond to security threats in real time.

So what did we discuss? Somehow, I didn't black out like Frank the Tank in the all-important debate to save the frat, so I remember three major themes we hadn't really planned prior to the cameras starting to roll: preparation, being realistic, and data vs. intelligence. What do I mean by this? Well, I hate watching myself on video, so I'll paraphrase from memory:

Preparation

No security team, no matter the skill level, can be dropped into a new organization and start responding to threats in real time. There needs to be a great deal of attention to the basics of security hygiene, getting buy-in from leadership on the approach, and operating according to plan. No technology is going to solve this for us; the team of IT, InfoSec, and Risk stakeholders needs to develop playbooks as a group, test themselves as a group, and develop the level of trust in each other necessary to take action right as problems arise. The "test themselves as a group" part is rarely done, but might be the most valuable piece for improving overall effectiveness.

Being realistic

Multiple times in our discussion, we brought up the unrealistic scenarios for most businesses. Should you be worried about nation state attacks? Do you need to protect against Stuxnet? Do you need to rush to protect yourself against the latest zero-day with a logo and catchy name? The answer to all three of these questions is: most likely not.
Your focus should first be on defending the assets at the core of your business against the opportunistic attacks that use well-known exploits. Additionally, if you aren't involved in helping the organization adopt the latest technology that makes it productive, it is going to be used anyway - just not in a secure fashion.

Data vs. intelligence

This topic of data needing context to become information and needing to be relevant to you to actually constitute intelligence has been a common discussion topic at Rapid7 lately. We all agreed that threat intelligence is not just a list of IP addresses from an unknown source, but an organization's log and other machine data are no different. Your goal should be to get the right information for your team, not simply accessing all of the data.

To watch the full video on-demand, even if only to get blackmail screen grabs of me in makeup, check it out here:

Prioritizing And Responding To Security Threats In Real Time - Webcast - 2016-08-16 13:00:00 EDT

If you want to learn more about the various ways Rapid7 can help your business, our Advisory Services are often a good place to start.

The State of Cyber Threat Intelligence

The SANS State of Cyber Threat Intelligence Survey has been released and highlights some important issues with cyber threat intelligence:

Usability is still an issue – Almost everyone is using some sort of cyber threat intelligence. Hooray! The downside – there is still confusion as to the best ways to implement and utilize threat intelligence, and the market is not making it any easier. We believe that the confusion is related to the initial push by threat intelligence vendors to sell list-based threat intelligence – lists of IPs, lists of domains, etc. – with little, or even worse, no context. This type of threat feed is data, not intelligence, but it is easy to put together and it isn't too difficult to integrate with security tools that are used to receiving blacklists or signature-based threat data. That…well…to put it nicely, doesn't exactly work. The survey shows that over 60% of respondents are using threat intelligence to block malicious domains or IP addresses, which contributes to high false positives and a nebulous idea of what threat intelligence is actually supposed to be doing. However, nearly half use threat intelligence to add context to investigations and assessments, which is a much better application of threat intelligence; even though it uses some of the same data sources, it requires the additional analysis that actually turns it into intelligence. A smaller number of respondents reported that they use threat intelligence for hunting or to provide information to management (28 and 27 percent, respectively), but it appears that these areas are growing as organizations identify the value they provide.

Threat Intelligence helps to make decisions – 73% of respondents said that they felt they could make better and more informed decisions by using threat intelligence. 71% said that they had improved visibility into threats by using threat intelligence.
These are both key aspects of threat intelligence and indicate that more organizations are using threat intelligence to assist with decision making rather than only focusing on the technical, machine-to-machine aspect of threat intel. One of the overarching goals in intelligence work in general is to provide information to decision makers about the threats facing them, and it is great to see that this application of CTI is growing. CTI can be used to support every aspect of a security program, from determining general security posture and acceptable level of risk to prioritizing patching and alerting, and threat intelligence can provide insight to support all of these critical decisions.

More isn't necessarily better – the majority of respondents who engage in incident response or hunting activities indicated that they could consume only 11-100 indicators of compromise on a weekly basis, and can only conduct in-depth research and analysis on 1-10 indicators per week. Since there are approximately eleventy-billion indicators of compromise being generated and exchanged every week, that puts a lot of pressure not only on analysts, but on the tools we use to automate the collection and processing of data. Related – two of the biggest pain points respondents had with implementing cyber threat intelligence are the lack of technical capabilities to integrate CTI tools into environments, and the difficulty of implementing new security systems and tools. In order to automate the handling of large amounts of indicators in a way that allows analysts to zero in on the most important and relevant ones, we need to have confidence in our collection sources, confidence in our tools, and confidence in our processes. More of the wrong type of data isn't better; it distracts from the data that is relevant and makes it nearly impossible for a threat intelligence analyst to actually conduct the analysis needed to extract value.
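As an added example that is not code from Rapid7 or from either post, here is a small Python indicator store that applies the "time and place" rules from the earlier post (context, source and expiry required; placement decides where a value is used; community false-positive feedback lowers confidence) together with the weekly 11-100 / 1-10 analyst budget from the survey above. Every feed record, domain, IP and log line is constructed for illustration.

```python
"""Added example (not Rapid7's or the post's code): an indicator store that
applies the 'time and place' rules above and the weekly analyst budget from
the SANS survey post. Every indicator carries a source, context, placement
(where it is applied) and an expiry; community false-positive feedback lowers
its confidence; a review queue trims the set to what analysts can handle.
All names, feed records and log lines are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Tuple

@dataclass
class Indicator:
    value: str             # the observable: domain, IP, hash ...
    source: str            # own incident, ISAC share, vendor feed ...
    context: str           # what a responder should do on a hit
    placement: str         # "prevent" (perimeter block) or "detect" (SIEM/host)
    first_seen: date
    ttl_days: int          # lifetime; an indicator without an expiry is noise
    alerts: int = 0        # hits reported across the community
    false_positives: int = 0

    def is_active(self, today: date) -> bool:
        return today < self.first_seen + timedelta(days=self.ttl_days)

    def confidence(self) -> float:
        """Laplace-smoothed share of alerts that were true positives:
        no feedback yet -> 0.5, 252 alerts with 0 FPs -> ~0.996."""
        return (self.alerts - self.false_positives + 1) / (self.alerts + 2)

def intake(raw: Iterable[dict], today: date) -> List[Indicator]:
    """Accept only records with a source, a context and an expiry that has
    not already passed. Anything else is data, not intelligence."""
    accepted = []
    for rec in raw:
        if not (rec.get("source") and rec.get("context") and rec.get("ttl_days")):
            continue
        ind = Indicator(**rec)
        if ind.is_active(today):
            accepted.append(ind)
    return accepted

def record_feedback(ind: Indicator, alerts: int, false_positives: int) -> None:
    """Crowdsourced feedback loop: hits generated, and how many were wrong."""
    ind.alerts += alerts
    ind.false_positives += false_positives

def placement_sets(inds: List[Indicator], today: date) -> Dict[str, List[str]]:
    """'Place': which values go to prevention vs detection controls. Indicators
    whose feedback pushed confidence below 0.5 are held back from both."""
    out: Dict[str, List[str]] = {"prevent": [], "detect": []}
    for ind in inds:
        if ind.is_active(today) and ind.confidence() >= 0.5:
            out[ind.placement].append(ind.value)
    return out

def match_logs(lines: Iterable[str], inds: List[Indicator],
               today: date) -> List[Tuple[str, str, str]]:
    """Detection pass: (indicator, context, line) for every hit on an active
    indicator. Expired indicators never fire, so they cannot add noise."""
    hits = []
    for line in lines:
        for ind in inds:
            if ind.is_active(today) and ind.value in line:
                hits.append((ind.value, ind.context, line))
    return hits

def review_queue(inds: List[Indicator], today: date,
                 deep_dive: int = 10, triage: int = 100) -> Dict[str, List[str]]:
    """Weekly budget: 1-10 indicators get in-depth analysis, up to 100 get a
    look at all; highest confidence first, then newest."""
    active = [i for i in inds if i.is_active(today)]
    active.sort(key=lambda i: (-i.confidence(), -i.first_seen.toordinal()))
    return {"deep_dive": [i.value for i in active[:deep_dive]],
            "triage": [i.value for i in active[deep_dive:triage]]}

# Constructed sample data using reserved example domains / documentation IPs.
TODAY = date(2017, 8, 1)
SAMPLE_FEED = [
    {"value": "login-portal.example.com", "source": "own incident, July 2017",
     "context": "credential-phishing C2; isolate host, review browser history",
     "placement": "detect", "first_seen": date(2017, 7, 20), "ttl_days": 90},
    {"value": "203.0.113.7", "source": "ISAC share",            # expired 31 Jul
     "context": "scanner; block at the perimeter",
     "placement": "prevent", "first_seen": date(2017, 7, 1), "ttl_days": 30},
    {"value": "198.51.100.9", "source": "bulk vendor feed",     # no context
     "context": "", "placement": "prevent",
     "first_seen": date(2017, 7, 25), "ttl_days": 365},
    {"value": "cdn-mirror.example.net", "source": "vendor report",
     "context": "reported malware staging host; block, then review proxy logs",
     "placement": "prevent", "first_seen": date(2017, 6, 30), "ttl_days": 60},
]
SAMPLE_LOGS = [
    "2017-08-01T09:12:03 dns host=wks-114 qname=login-portal.example.com",
    "2017-08-01T09:15:44 fw deny src=10.0.0.5 dst=203.0.113.7 dpt=445",
    "2017-08-01T09:20:10 dns host=wks-220 qname=mail.example.org",
]
```

Run `intake` on the feed, feed back community results with `record_feedback`, and note that the expired IP never produces a hit in `match_logs` even though it appears in the firewall log.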
Download the SANS State of Cyber Threat Intelligence Survey here. To learn more about our approach to integrating threat intelligence into incident detection and response processes, come join us for an IDR intensive session at our annual conference, UNITED Summit.

Threat Intelligence Foundations: Crawl, Walk, Analyze - Part 3

This is the third post in a three-part series on threat intelligence foundations, discussing the fundamentals of how threat intelligence can be used in security operations. Here's Part 1 and Part 2.

Intelligence Analysis in Security Operations

In the first two parts of this series we talked about frameworks for understanding and approaching intelligence: the levels of intelligence (strategic, operational, tactical) as well as the different types of intelligence (technical, current, long-term, etc). Regardless of the level or type of intelligence, the consistent theme was the need for analysis. Analysis is the core of intelligence: it takes data and turns it into intelligence that we can use to help us make informed decisions about complicated issues.

Analysis: The Missing Piece

I recently gave a talk at RSA where I compared the traditional intelligence cycle to what the intelligence cycle often looks like in cyber threat intelligence. We are good at collection and processing, and we are good at dissemination; however, we tend to leave a lot of the critical parts of the cycle out, which results in overwhelming alerts, excessive false positives, and really, really confused people.

It's easy to joke about or complain about, but here is the thing...analysis is hard. Saying that we should do more/better/more timely analysis is easy. Actually doing it is not, especially in a new and still developing field like cyber threat intelligence. Models and methods help us understand the process, but even determining what model to use can be difficult. There are multiple approaches; some work better in certain situations and others work best in others.

What is Analysis?

The goal of intelligence analysis is to evaluate and interpret information in order to reduce uncertainty, provide warnings of threats, and help make informed decisions.
Colin Powell gave perhaps the most succinct guidelines for intelligence analysis when he said: “Tell me what you know, tell me what you don't know, tell me what you think. Always distinguish which is which.” This statement sums up intelligence analysis.

Analysts take what is known—usually information that has been collected either by the analyst themselves or by others—identify gaps in the knowledge that might dictate a new collection requirement or may present a bias that needs to be taken into consideration, and then determine what they think that information means. Before you begin any analysis you should have an idea of what it is that you are trying to figure out. Ideally this would be driven by requirements from leadership, teams you support, or some other form of standing intelligence needs. There are many situations in CTI, however, where those requirements are not as well defined as we might hope. Understanding what it is that the organization needs from threat intelligence is critical. Therefore, step one should always be to understand what problems, concerns, or issues you are trying to address.

Analytic Models

Once you understand what questions you are trying to answer through your analysis, there are various analytic models that can be used to conduct analysis. I have listed some good resources available to help understand some of the more popular models that are often used in threat intelligence.

Different models are used for different purposes. The SWOT method is good for conducting higher-level analysis to understand how your own strengths and weaknesses compare to an adversary's capabilities. F3EAD, the Diamond Model, and the Kill Chain are useful for analyzing specific intrusions or how different incidents or intrusions may be related.
Target Centric Intelligence is a lesser known model, but can help with not only understanding individual incidents, but provides a collaborative approach to intelligence including the decision makers, collectors, and analysts in an iterative process aimed at avoiding the stove-piping and miscommunications that are often present in intelligence operations.

SWOT (Strengths, Weaknesses, Opportunities, Threats)
Find, Fix, Finish, Exploit, Analyze, Disseminate by @sroberts
Target Centric Intelligence
Diamond Model for Intrusion Analysis
Analysis of Adversary Campaigns and Intrusion Kill Chains

A final note on collection

In many cases, analysis can only be as good as the information that it is based on. Intelligence analysts are trained to evaluate the source of information in order to better understand if there are biases or concerns about the reliability that need to be taken into account. In cyber threat intelligence we, by and large, rely on data collected by others and may not have much information on its source, reliability, or applicability. This is one of the reasons that analyzing information from your own network is so important; however, it is also important that we, as a community, are as transparent as possible with the information we are providing to others to be used in their analysis. There are always concerns about revealing sources and methods, so we need to find a balance between protecting those methods and enabling good analysis.
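To make concrete how the Diamond Model and kill chain relate separate intrusions, and how Powell's know / don't know / think split applies to the result, here is an added Python example (not code from the post or from the model's authors): events carry the four Diamond vertices plus a kill-chain phase, are linked into groups through shared infrastructure, capability or adversary, and each group is then reported as a thread, a set of collection gaps, and an attribution hypothesis. All event ids, hosts, tool names and the "GROUP-X" label are constructed.

```python
"""Added example (not the post's or the Diamond Model paper's code): a minimal
Diamond Model event store. Each intrusion event records the four core
vertices (adversary, infrastructure, capability, victim) plus a kill-chain
phase and a date. Events sharing a known adversary, infrastructure or
capability are linked into activity groups, ordered into threads, and each
group is checked for what is known, unknown and merely hypothesised.
All event data is constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

CORE_FEATURES = ("adversary", "infrastructure", "capability", "victim")
PIVOT_FEATURES = ("adversary", "infrastructure", "capability")  # victim alone never links

@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    date: str                      # ISO date, constructed
    phase: str                     # kill-chain phase: delivery, exploitation, c2 ...
    adversary: Optional[str]       # usually unknown at first: a collection gap
    infrastructure: Optional[str]  # domain or IP the attacker used
    capability: Optional[str]      # malware family or tool
    victim: Optional[str]          # affected asset

def link_events(events: List[DiamondEvent]) -> List[Set[str]]:
    """Union-find over events: two events join one group when they share a
    non-null pivot feature. Groups are returned sorted by their lowest id."""
    parent = {e.event_id: e.event_id for e in events}
    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x
    by_feature: Dict[tuple, List[str]] = defaultdict(list)
    for e in events:
        for f in PIVOT_FEATURES:
            if getattr(e, f):
                by_feature[(f, getattr(e, f))].append(e.event_id)
    for ids in by_feature.values():
        for other in ids[1:]:
            ra, rb = find(ids[0]), find(other)
            if ra != rb:
                parent[rb] = ra
    groups: Dict[str, Set[str]] = defaultdict(set)
    for eid in parent:
        groups[find(eid)].add(eid)
    return sorted(groups.values(), key=min)

def activity_thread(events: List[DiamondEvent], group: Set[str]) -> List[str]:
    """The group's events in time order: the thread an analyst reads end to end."""
    ordered = sorted((e for e in events if e.event_id in group),
                     key=lambda e: (e.date, e.event_id))
    return [f"{e.event_id}:{e.phase}" for e in ordered]

def knowledge_gaps(events: List[DiamondEvent], group: Set[str]) -> Dict[str, List[str]]:
    """'Tell me what you don't know': core vertices still empty, per event."""
    gaps = {}
    for e in events:
        if e.event_id in group:
            missing = [f for f in CORE_FEATURES if getattr(e, f) is None]
            if missing:
                gaps[e.event_id] = missing
    return gaps

def adversary_hypothesis(events: List[DiamondEvent], group: Set[str]) -> Optional[str]:
    """'Tell me what you think': if exactly one adversary is named anywhere in
    the group, propose it for the unattributed events; otherwise make no call."""
    named = {e.adversary for e in events if e.event_id in group and e.adversary}
    return named.pop() if len(named) == 1 else None

# Constructed events. E1 and E2 share a capability, E2 and E3 share
# infrastructure, so E1-E3 form one group; E4 shares nothing with them.
SAMPLE_EVENTS = [
    DiamondEvent("E1", "2017-03-02", "delivery", None,
                 "mail-relay.example.net", "macro-dropper-A", "finance-ws-07"),
    DiamondEvent("E2", "2017-03-05", "c2", None,
                 "cdn-sync.example.com", "macro-dropper-A", "finance-ws-07"),
    DiamondEvent("E3", "2017-05-11", "c2", "GROUP-X (constructed label)",
                 "cdn-sync.example.com", "rat-B", "hr-ws-12"),
    DiamondEvent("E4", "2017-06-20", "exploitation", None,
                 "203.0.113.50", "exploit-kit-C", "web-01"),
]
```

The hypothesis from `adversary_hypothesis` is exactly the "what you think" part: E1 and E2 stay unattributed in `knowledge_gaps` until collection confirms or refutes the pivot through the shared infrastructure.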

Threat Intelligence Foundations: Crawl, Walk, Analyze - Part 2

This is the second post in a three-part series on threat intelligence foundations, discussing the fundamentals of how threat intelligence can be used in security operations. Read Part One here.

Tinker, Tailor, Soldier, Spy: Utilizing Multiple Types of Intelligence

Just as there are different operational levels of intelligence—discussed in detail in the first post of this series—there are also different types of intelligence that can be leveraged in an organization to help them better understand, prepare for, and respond to threats facing them.

Don't laugh—but a great basic resource for understanding the types of intelligence is the CIA's Kid Zone, where they break intelligence down for the 6-12th graders that we all are at heart (or K-5, no judgement here).

They break intelligence down into several different types:

Scientific and Technical – providing information on adversary technologies and capabilities.
Current – looking at day-to-day events and their implications.
Warning – giving notice of urgent matters that may require immediate attention.
Estimative – looking at what might be or what might happen.
Research – providing an in-depth study of an issue.

While most organizations may not work with all of these types of intelligence, or do so in the same way that the CIA does (and please don't tell me if you do), it is useful to understand the spectrum and what each type provides. The different types of intelligence require varying levels of human analysis and time. Some, like technical intelligence, are easier to automate and therefore can be produced at a regular cadence, while some, like threat landscape research, will always rely heavily on human analysis.

Technical Intelligence

In information security operations, technical intelligence is used to understand the capabilities and the technologies used by an adversary.
It can include details such as IP addresses and domains used in command and control, names and hashes of malicious files, as well as some TTP details such as vulnerabilities that a particular actor targets or a particular callback pattern for a beaconing implant.

Technical intelligence is most often used in machine-to-machine operations, and is therefore automated as much as possible to handle the large volume of information. In many cases, technical intelligence does not contain much context, even if context is available in other places, because machines do not care as much about the context as their humans do. A firewall doesn't need to know why to block traffic to a malicious domain, it just needs to do it. The human on the other end of that firewall change might want to know, however, in case the change ends up triggering a massive amount of alerts. Technical intelligence must have been analyzed prior to consumption, otherwise it is just data or information at best. For more information see Robert Lee's post on the data vs information vs intelligence debate.

If you are not using technical intelligence that you generated yourself, it is critical that you understand the source of the technical intelligence and how it was analyzed, especially if it was analyzed using automated means. I am going out on a limb here by stating that there is a way to analyze and produce threat intelligence in an automated fashion that can be utilized machine-to-machine. Do NOT prove me wrong—do the analysis!

Current Intelligence

Current Intelligence deals with day-to-day events and situations that may require immediate action.
I have heard several people say that, “news isn't intelligence,” and that is a true statement; however, threat information in the public domain, when analyzed for implications to your specific organization, network, or operations, becomes intelligence.

An example of the use of current intelligence is a report that an exploit kit has integrated a vulnerability that was just announced three days ago. If you know that you are on a thirty-day patch cycle that means (best case) you have twenty-seven days where you will be vulnerable to these attacks. Understanding how this threat impacts your organization and how to detect and block malicious activity associated with it is an example of current intelligence. Current intelligence can also be generated from information within an organization's networks. Analyzing an intrusion or a spearphishing attack against executives can also generate current intelligence that needs to be acted on quickly.

When you do generate current intelligence from your own network, document it! It can then contribute to threat trending and threat landscape research, which we will discuss shortly. It can also be shared with other organizations.

Threat Trending (Estimation)

All of the intelligence gathered at the tactical level (technical intelligence, current intelligence) can be further analyzed to generate threat trends. Threat trending takes time because of the nature of trending: you are analyzing patterns over time to see how things change and how they stay the same. Threat trending can be an analysis of a particular threat that has impacted your network repeatedly, or it can be an analysis of how an actor group or malware family has evolved over time.
The more relevant a threat trend is to your network or organization, the more useful it will be to you. Threat trending allows us to move from an analysis of something that we have seen and know is bad towards predicting or estimating future threats.

Threat Landscape Research

Speaking of trending, there has been a long trend in intelligence analysis of focusing on time-sensitive, current intelligence at the expense of longer term, strategic research. Consider how many tactical level, technical IOCs we have in the community compared to strategic intelligence resources. How many new programs are focused on providing “real-time intelligence” versus “deliberate, in-depth analysis”? There are legitimate reasons for that: there are not enough analysts as it is, and they are usually focused on the time-sensitive tasks because they are, well, time sensitive. In addition, we don't always have the right data to conduct strategic level analysis, both because we are not accustomed to collecting it from our own networks and because most people who are willing to share tactical indicators of threats are not as willing to share information on how those threats impacted them.

We need to change this, because you cannot (or should not) make decisions about the future of your security program without a strategy, and you cannot (or should not) have a security strategy without understanding the logic behind it. Threat landscape research—which is a long term analysis of the threats in your environment, what they target, how they operate, and how you are able to respond to those threats—will drive your strategy. The tactical level information you have been collecting and analyzing from your network on a daily basis can all contribute to threat landscape research. Current intelligence, yours and public domain information, can also contribute to threat landscape research.
One framework for capturing and analyzing this information is VERIS—the Vocabulary for Event Recording and Incident Sharing, which the DBIR is based on. Just remember, this type of intelligence analysis takes time and effort, but it will be worth it.

Information Sharing

There is currently an emphasis on sharing IOCs and other technical information; however, any of the types of intelligence we have discussed in this post are good candidates for information sharing. Sharing information on best practices and processes is also incredibly beneficial.

Sharing information on what has been seen in an organization's network is a good way to understand new threats as they emerge and increase situational awareness. Information sharing essentially generates intelligence to warn others of threats that may impact them. Information sharing is becoming increasingly automated, which is great for handling higher volumes of information; however, unless there is an additional layer of analysis that focuses on how this information is relevant to or impacts your organization, then it will stay information (not intelligence) and will not be as useful as it could be. For more information see Alex Pinto's presentation on his recent research on measuring the effectiveness of threat intelligence sharing.

Even if you are not yet convinced of the value of generating your own intelligence from your environment, consuming threat intelligence still requires analysis to understand how it is relevant to you and what actions you should take. A solid understanding of the different types of intelligence and how they are used will help guide how you should approach that analysis.

Threat Intelligence Foundations: Crawl, Walk, Analyze - Part 1

This is the first post in a three-part series on threat intelligence foundations, discussing the fundamentals of how threat intelligence can be used in security operations. There is a consensus among many in threat intelligence that the way the community has approached threat intelligence in the past, i.e., the “Threat Data → SIEM → Magical Security Rainbows” approach, has left something to be desired, and that something is usually analysis. Rick Holland (@rickhholland) warned us early on that we were on the wrong track with his 2012 post My Threat Intelligence Can Beat Up Your Threat Intelligence, where he wrote “The real story on threat intelligence is your organization's ability to develop your own.”

There are ways that we can take advantage of the threat intelligence that currently exists while learning how to better leverage the threat intelligence in our own networks. Doing this requires an understanding of intelligence fundamentals and how they can be applied in security operations. This series is designed to help those interested in threat intelligence, whether just starting out or re-evaluating their existing programs, understand the underlying fundamentals of threat intelligence and intelligence analysis. In the first part of this three-part series we will discuss the levels of intelligence and the various ways threat intelligence can be utilized in operations.

Threat Intelligence Levels in Security Operations: Crawl

When an organization is determining how to best integrate threat intelligence into its security operations, it is helpful to have a framework detailing the different ways that intelligence can be effectively utilized. Traditionally, intelligence levels have aligned to the levels of warfare: strategic, operational, and tactical.
There are several reasons for this alignment: it can help identify the decision makers at each level; it identifies the purpose of that intelligence, whether it is to inform policy and planning or to help detect or deter an attack; and it can help dictate what actions should be taken as a result of receiving that intelligence. At any level of intelligence it is critical to assess the value to your organization specifically. Answer this for yourself, your team, and your organization: “How does this information add perspective to our security program? What decisions will this information assist us in making?”

Strategic Intelligence

Strategic intelligence is intelligence that informs the board and the business. It helps them understand broader trends that are facing their organization and other similar organizations in order to assist in the development of a strategy. Strategic intelligence comes from analyzing longer-term trends, and often takes the shape of analytic reports such as the DBIR and Congressional Research Service (CRS) reports. Strategic intelligence assists key decision makers in determining what threats are most impactful to their businesses and future plans, and what long-term efforts they may need to take to mitigate them. The key to implementing strategic intelligence in your own business is to apply this knowledge in the context of your own priorities, data, and attack surface. No commercial or annual trend report can tell you what is important to your organization or how certain threat trends may impact you specifically. Strategic intelligence, like all types of intelligence, is a tool that can be used to shape future decisions, but it cannot make those decisions for you.

Operational Intelligence

Operational intelligence provides intelligence about specific attacks that may impact an organization.
Operational intelligence is rooted in the concept of military operations: a series of plans or engagements that may take place at different times or locations but have the same overarching goal. It could include identified campaigns targeting an entire sector, or hacktivist or botnet operations targeting one specific organization through a series of attacks. Information Sharing and Analysis Centers (ISACs) and Organizations (ISAOs) are good places to find operational intelligence. Operational intelligence is geared towards higher-level security personnel, but unlike strategic intelligence it dictates actions that need to be taken in the near to mid term rather than the long term. It can help inform decisions such as whether to increase security awareness training, how to staff a SOC during an identified adversary operation, or whether to temporarily deny requests for exceptions to the firewall policy. Operational intelligence is one of the best candidates for information sharing. If you see something going on that may impact others in the near term, *please* share that information. It can help other organizations determine if they need to take action as well. Operational intelligence is only useful when those receiving it have the authority to make changes to policies or procedures in order to counter the threats.

Tactical Intelligence

Tactical intelligence focuses on the “what” (Indicators of Compromise) and the “how” (Tactics, Techniques, and Procedures) of an attacker's actions, with the intent of using that knowledge to prevent, detect, or respond to incidents. Do attackers tend to use a particular method to gain initial access, such as social engineering or vulnerability exploitation? Do they use a particular tool or set of tools to escalate privilege and move laterally? What indicators of compromise might allow you to detect these activities?
For a good list of various sources of tactical intelligence, check out Herman Slatman's list of threat intelligence resources. Tactical intelligence is geared towards security personnel who are actively monitoring their environment and gathering reports from employees who report anomalous activity or social engineering attempts. Tactical intelligence can also be used in hunt operations, where we are looking to identify attacker behaviors that vary only slightly from a typical user's behavior. This type of intelligence requires more advanced resources, such as extensive logging, user behavioral analytics, endpoint visibility, and trained analysts. It also requires a security-conscious workforce, as some indicators may not be captured or alerted on without first being reported by an employee. You will always have more employees than attack sensors…listen to them, train them, gather the information they can provide, analyze it, and then act upon it. Tactical threat intelligence provides specific, but perishable, information that security personnel can act on.

Understanding how threat intelligence operates at different levels can help an organization understand where it needs to focus its efforts and what it can do with the threat intelligence it has access to. It can also help guide how the organization should approach intelligence in the future. The intelligence you can generate from your own network will always be the most actionable intelligence, regardless of the level.

For more information on the levels of intelligence and the levels of warfare, check out these resources:
- The State of Security: Cyber Threat Intelligence
- Joint Publication 2-0: Joint Intelligence
- INSA: Operational Levels of Threat Intelligence
- CIA Library: The State of Strategic Intelligence
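The hunt operations described above, looking for attacker behavior that deviates only slightly from a user's normal behavior, come down to two things: a per-user baseline built from your own logs, and a check of each new event against it. The following is an added example, not code from the post or from any Rapid7 product. The key=value logon format, the hosts, users and addresses are all constructed; a real deployment would map Windows 4624 events, VPN logs or similar onto the same fields. The baseline deliberately skips events already attributed to the attacker, because an intrusion that is already under way when you start baselining would otherwise become part of “normal”.

```python
"""Baseline normal user logon behavior and flag deviations in new events.

Added example, not code from the post. The log format, hosts, users and
addresses below are constructed for illustration; a real deployment would
read Windows 4624 events, VPN logs or similar and map them to these fields.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed key=value logon format: timestamp user host source-ip event.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) host=(?P<host>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$"
)

BASELINE_LINES = [
    "2017-08-01T08:15:00Z user=alice host=ws-alice src=10.0.1.23 event=logon",
    "2017-08-02T09:02:00Z user=alice host=ws-alice src=10.0.1.23 event=logon",
    "2017-08-03T08:47:00Z user=alice host=ws-alice src=10.0.1.24 event=logon",
    "2017-08-01T09:30:00Z user=bob host=ws-bob src=10.0.2.40 event=logon",
    "2017-08-02T10:05:00Z user=bob host=fs-01 src=10.0.2.40 event=logon",
    "2017-08-03T09:58:00Z user=bob host=ws-bob src=10.0.2.41 event=logon",
    # Suspected attacker activity that happened inside the baseline window.
    "2017-08-03T23:40:00Z user=alice host=dc-01 src=10.0.9.9 event=logon",
]
KNOWN_ATTACKER_LINES = frozenset(BASELINE_LINES[-1:])

HUNT_LINES = [
    "2017-08-10T09:05:00Z user=alice host=ws-alice src=10.0.1.23 event=logon",
    "2017-08-10T02:13:00Z user=alice host=fs-01 src=10.0.9.9 event=logon",
    "2017-08-10T10:20:00Z user=bob host=ws-alice src=10.0.2.40 event=logon",
    "2017-08-10T09:40:00Z user=svc_backup host=dc-01 src=10.0.2.40 event=logon",
]


def parse(line):
    """Return a dict of fields, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["hour"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").hour
    ev["subnet"] = ".".join(ev["src"].split(".")[:3])  # /24 as a coarse location
    return ev


def build_baseline(lines, exclude=frozenset()):
    """Per-user profile of hosts, logon hours and /24 source networks.

    Lines in `exclude` (events already attributed to an attacker) are skipped
    so that the intrusion does not become part of 'normal'.
    """
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(), "subnets": set()})
    for line in lines:
        if line in exclude:
            continue
        ev = parse(line)
        if ev is None or ev["event"] != "logon":
            continue
        p = profiles[ev["user"]]
        p["hosts"].add(ev["host"])
        p["hours"].add(ev["hour"])
        p["subnets"].add(ev["subnet"])
    return dict(profiles)


def hour_is_typical(hour, baseline_hours, tolerance=1):
    """True if `hour` is within `tolerance` hours (wrapping at midnight) of a baseline hour."""
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in baseline_hours)


def score_event(profiles, ev):
    """List the ways an event deviates from the user's baseline (empty list = normal)."""
    profile = profiles.get(ev["user"])
    if profile is None:
        return ["unknown_user"]
    reasons = []
    if ev["host"] not in profile["hosts"]:
        reasons.append("new_host")
    if not hour_is_typical(ev["hour"], profile["hours"]):
        reasons.append("off_hours")
    if ev["subnet"] not in profile["subnets"]:
        reasons.append("new_source_subnet")
    return reasons


def hunt(baseline_lines, new_lines, exclude=frozenset()):
    """Return the new events that deviate from baseline, with their reasons."""
    profiles = build_baseline(baseline_lines, exclude)
    hits = []
    for line in new_lines:
        ev = parse(line)
        if ev is None:
            continue
        reasons = score_event(profiles, ev)
        if reasons:
            hits.append({"line": line, "user": ev["user"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(BASELINE_LINES, HUNT_LINES, KNOWN_ATTACKER_LINES):
        print(hit["user"], hit["reasons"])
```

In the constructed data, bob logging on to alice's workstation is flagged only as a new host, which is the small deviation a hunter is after: every other attribute of the event is normal for bob. The exclusion list matters too. If the late-night dc-01 logon is left in alice's baseline, 10.0.9.0/24 becomes one of her normal source networks and the 02:13 logon from that network loses one of its three reasons.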

How to Build Threat Intelligence into your IDR Strategy: Webinar FAQ

Thanks to everyone who joined our webinar on How to Build Threat Intelligence into your Incident Detection and Response Program. We got so many great questions during the session that we decided to follow up with a post answering them and addressing the trends and themes we continue to see around threat intelligence.

TL/DR for those of you who don't have time to read all of the responses (we got a lot of questions):
- Threat intelligence is a process, not something you buy. That means you will have to put work in to get results.
- Threat intelligence works best when it is integrated across your security operations and is not viewed as a stand-alone function.
- Strategic, operational, and tactical threat intelligence (including technical indicators) are used differently and gathered using different methods.

Do you see threat intelligence as a proactive approach to cyber monitoring or just a better way of responding to cyber threats? If you see it as proactive, how, since the intelligence is based on events and TTPs that have already occurred?

A misconception about threat intelligence is that it is focused exclusively on alerting or monitoring. We talked about indicators of compromise and how to use them for detection and response, but there is a lot more to threat intelligence than IOCs. When threat intelligence is properly implemented in a security program it contributes to prevention, detection, and response. Understanding the high-level, strategic threats facing your organization helps determine how to improve overall security posture. All intelligence must be based on facts (i.e., things that have already occurred or that we already know), but those facts allow us to create models that can be used to identify trends and assess what controls should be put in place to prevent attacks. As prevention comes into alignment, it is important to maintain awareness of new threats by leveraging operational and tactical intelligence, taking action to protect your organization before they are able to impact you.

I can see the usefulness of tactical, operational and technical intelligence. How would you be able to establish strategic intelligence?

Strategic intelligence is intelligence that informs leadership or decision makers on the overarching threats to the organization or business. Think of this as informing high-level decision making based on evidence: seeing the forest without being distracted by the trees. Information that contributes to strategic intelligence is gathered and analyzed over a longer period of time than other types of threat intelligence. The key to utilizing strategic intelligence is being able to apply it in the context of your own data and attack surface. An example would be intelligence that financially motivated cyber criminals are targeting third-party vendors in order to gain access to retail networks. This information could be used to assess whether a business would be vulnerable to this type of attack and to identify longer-term changes that need to take place to reduce the risk, such as network segmentation, audits of existing third-party access, and development of policies to limit access.

What is the difference between Strategic and Operational Intelligence?

Strategic intelligence focuses on long-term threats and their implications, while operational intelligence focuses on short-term threats that may need to be mitigated immediately. Implementing strategic and operational intelligence often involves asking the same questions: who and why. With strategic intelligence you are evaluating the attackers, focusing on their tactics and motivations rather than geographical location, to determine how those threats may impact you in the future. With operational intelligence you are evaluating who is actually being targeted and how, so that you can determine if you need to take any immediate actions in response to the threat.

What is positive control and why is it important?

Positive control is the aspirational state of a technical security program: only authorized users and systems are on the network, and accounts and information are accessed only by approved users. Before you start assessing your network to understand what “normal” looks like, take care to be sure that you are not including attacker activity in your baseline.

If you are being targeted by an identified entity, what should you do to build intelligence on possible attacks?

Active and overt attacks fall into the realm of operational intelligence. You can gather intelligence on these attacks from social media, blog posts, or alerts from places like US-CERT, ISACs, ISAOs and other sharing groups. Some questions you should be asking and answering as you gather information are: Who else is being targeted? Can we share information with them on this attack? How have the attackers operated in the past? What are we seeing now that can help us protect ourselves?

What is done in Tactical Monitoring?

Tactical intelligence tends to focus on mechanisms, the “how” of what an attacker does. Do they tend to use a particular method to gain initial access? A particular tool or set of tools to escalate privilege and move laterally? What social engineering or reconnaissance activities do they typically engage in prior to an attack? Tactical intelligence is geared towards security personnel who are actively monitoring their environment as well as gathering reports from employees who report strange activities or social engineering attempts. Tactical intelligence can also be used by hunters who are seeking to identify a behavior that may be a normal user behavior but is also a behavior that is used by an attacker to avoid detection. This type of intelligence requires more advanced resources, such as extensive logging, behavioral analytics, endpoint visibility, and trained analysts. It also requires a security-conscious workforce, as some indicators may not be captured or flagged by logs without first being reported by an employee.

Can you point me to resources where to gather information regarding strategic, tactical and operational intelligence?

Before you start gathering information it is important to have a solid understanding of the different levels of threat intelligence. CPNI released a whitepaper covering the four types of threat intelligence that we discussed on the webinar: https://www.cpni.gov.uk/Documents/Publications/2015/23-March-2015-MWR_Threat_Intelligence_whitepaper-2015.pdf. Or, if you are an intelligence purist and find that four types of threat intelligence is one type too many (or if you're just feeling rambunctious), you can refer to JP 2-0, Joint Intelligence, for an in-depth understanding of the levels of intelligence and their traditional application: http://www.dtic.mil/doctrine/new_pubs/jp2_0.pdf. Once you are ready, here are some places to look for specific types of intelligence. Strategic intelligence can be gathered through open source trend reports such as the DBIR, DBIR industry snapshots, or other industry-specific reports that are frequently released. Operational intelligence is often time sensitive and can be gathered by monitoring social media and government alerts like US-CERT's, or by coordinating with partners in your industry. Tactical intelligence can be gathered using commercial or open sources, such as blogs, threat feeds, or analytic white papers. Tactical intelligence should tell you how an actor operates, the tools and techniques that they use, and give you an idea of what activities you can monitor for on your own network. At this level, understanding your users and how they normally behave is critical, because threat actors will try to mimic those same behaviors, and being able to identify a deviation, no matter how small, can be extremely significant.

What is open source threat intelligence?

Open Source Intelligence (OSINT) is the product of gathering and analyzing data from publicly available sources: the open internet, social media, media, etc. More here: https://en.wikipedia.org/wiki/Open-source_intelligence. For more information on the other intelligence collection disciplines: https://www.fbi.gov/about-us/intelligence/disciplines. Open source threat intelligence is OSINT that focuses specifically on threats. In many cases you will be able to gather OSINT but will still have to do the analysis of the potential impact of the threat on your organization.

What are ISACs and ISAOs? Where can I find a list of them?

Most private-sector information sharing is conducted through Information Sharing and Analysis Centers, organized primarily by sector (usually critical infrastructure; a list is located here: http://www.isaccouncil.org/memberisacs.html). In the United States, under President Obama's Executive Order 13691, DHS was directed to improve information sharing between the US government's National Cybersecurity and Communications Integration Center (NCCIC) and the private sector. This executive order serves as the platform for groups outside the traditional critical infrastructure sectors: Information Sharing and Analysis Organizations.

What specific tools are used for threat intelligence?

This is a great question, and I think it underscores a big misunderstanding out there. Threat intelligence is a process, not a product bought or a service retained. Any tool you use should help augment your processes. There are a few broad classifications of tools out there, including threat intelligence platforms and data analytics tools. The best way to find the right tools is to identify what problem you are trying to solve with threat intelligence, develop a manual process that works for you, and then look for tools that will help make that manual process easier or more efficient.

Can a solution or framework be tailored to support organizations at different levels of cyber security maturity and awareness, or is there a minimum requirement?

There is a certain level of awareness that is required to implement a threat intelligence program. Notice that we didn't say maturity: we feel that a program at any level can benefit from threat intelligence, but there is a lot that goes into an organization being ready to utilize it. At the very basic level an organization needs to understand what threat intelligence is and what it isn't, understand the problems that they are trying to solve with threat intel, and have a person or a team who is responsible for threat intel. An organization with this base level of understanding is far ahead of many others. When discussing the more technical implementations of threat intelligence, such as threat feeds or platforms, there are some barriers to entry. Aside from those situations, nearly any organization can work to better understand the threats facing them and how they should start to posture themselves to prevent or respond to those threats. Regardless of where you are, if you understand how threat intelligence works and start to implement it appropriately then you will be better off regardless of what else you are dealing with.

How do you stop an attacker once discovered? ACLs, IPS, etc.?

Scoping the attack is the first stage, which requires both investigation and forensics. The investigation team will identify various attributes used in the attack (tools, tactics, procedures), and then will go back and explore the rest of your systems for those attributes. As systems get added, the recursive scoping loop continues until no new systems are added. Once scoping is done, there are a number of actions to be taken, and the complexity involved in deciding exactly what happens (and when) grows exponentially. A short (and anything but comprehensive) list of considerations includes:
- Executive briefing and action plan signoff
- Estimating the business impact of the recovery actions to be executed
- Isolating compromised systems
- Locking or changing passwords on all compromised accounts with key material in the scoped systems
- Patching and hardening all systems in the organization against the vulnerability classes used by the attacker
- Identifying exactly what data was impacted, and consulting with legal regarding regulatory or contractually required next steps
- Safely and securely restoring impacted services to the business
Obviously there are a lot of variables at play here, and every incident is unique. This stuff is extremely hard; if it were easy, everyone would be doing it. Call us if you need help.

When I find a system that has been compromised, can you tell me where it came from?

You're asking the right question here: getting a sense of the attacker's motivation and tactics is extremely valuable. Answering “who did this” and “where did they come from” is a lot more difficult than simply pointing at the source IP for the initial point of entry or command and control. Tactical intelligence from the investigation will help answer these questions.

What should be the first step after knowing that the host has been compromised by a zero-day attack?

Run around, scream and shout. In all seriousness, you won't start off with the knowledge that a zero-day was used to compromise an asset. Discovering that a 0day was used in a compromise, by definition, means that an investigation was performed and the root cause identified at the point of infection was, in fact, a 0day. At that point you will hopefully have gathered more information about the incident that you can then analyze to better understand the situation you are facing.
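The recursive scoping loop described in the answer on stopping an attacker is a fixed-point computation: gather the attacker's artifacts from the hosts in scope, search every other host for them, add the matches, and repeat until a round adds nothing. Here it is as an added example, not code from the post or from any Rapid7 product. The hosts, artifacts and the benign allowlist are constructed. The allowlist is the practical caveat: an artifact every host legitimately shares (a domain controller's address, a common admin account) would otherwise drag the whole estate into scope on the first round, so the loop has to be told which shared artifacts are not evidence of compromise. The containment helper at the end groups what the loop found into the account resets, network blocks and hash sweeps the answer's list of considerations calls for.

```python
"""Recursive incident scoping: expand from a known-bad host until no new hosts appear.

Added example, not code from the post. The hosts, artifacts and the
'benign' allowlist are constructed; in practice the artifact sets come from
your forensic collection (EDR, triage scripts, log search).
"""

# Constructed per-host artifacts: file hashes, network peers and accounts seen.
# 'hash:' values are short stand-ins for real file hashes.
OBSERVATIONS = {
    "ws-alice": frozenset({"hash:a1f3", "ip:198.51.100.7", "acct:alice", "ip:10.0.0.5"}),
    "ws-bob":   frozenset({"hash:a1f3", "acct:bob", "acct:svc_backup", "ip:10.0.0.5"}),
    "fs-01":    frozenset({"acct:svc_backup", "hash:9c2e", "ip:10.0.0.5"}),
    "db-01":    frozenset({"hash:9c2e", "ip:203.0.113.9", "ip:10.0.0.5"}),
    "ws-carol": frozenset({"acct:carol", "ip:10.0.0.5"}),
}

# Artifacts every host legitimately shares (here: the constructed domain
# controller's address). Without this allowlist the loop pulls in every host.
BENIGN = frozenset({"ip:10.0.0.5"})


def scope_incident(observations, seeds, benign=frozenset()):
    """Return ({host: pivot_artifact}, rounds).

    Each round takes the artifacts of the hosts added in the previous round,
    drops known-benign ones, and adds every not-yet-scoped host that shares
    one of them. It stops when a round adds nothing (the fixed point).
    """
    in_scope = {host: "seed" for host in seeds}
    frontier = set(seeds)
    rounds = 0
    while frontier:
        rounds += 1
        iocs = set().union(*(observations[h] for h in frontier)) - benign
        added = {}
        for host, artifacts in observations.items():
            if host in in_scope:
                continue
            shared = artifacts & iocs
            if shared:
                added[host] = min(shared)  # deterministic choice of the pivot to record
        in_scope.update(added)
        frontier = set(added)
    return in_scope, rounds


def containment_plan(scope, observations, benign=frozenset()):
    """Group the attacker artifacts across the scoped hosts by the action they drive:
    accounts to reset, addresses to block, hashes to sweep the estate for."""
    artifacts = set().union(*(observations[h] for h in scope)) - benign
    by_kind = {"accounts": [], "ips": [], "hashes": []}
    bucket = {"acct": by_kind["accounts"], "ip": by_kind["ips"], "hash": by_kind["hashes"]}
    for art in sorted(artifacts):
        kind, _, value = art.partition(":")
        bucket[kind].append(value)
    return by_kind


if __name__ == "__main__":
    scope, rounds = scope_incident(OBSERVATIONS, ["ws-alice"], BENIGN)
    print(f"{rounds} rounds, scope: {scope}")
    print(containment_plan(scope, OBSERVATIONS, BENIGN))
```

With the allowlist, the constructed case converges in four rounds (the last one adds nothing) along a chain of pivots: a shared malware hash takes the investigation from ws-alice to ws-bob, the svc_backup account from ws-bob to fs-01, and a second hash from fs-01 to db-01; ws-carol stays out of scope. Without the allowlist, the domain controller's address puts all five hosts in scope in round one, which is technically a fixed point but not a useful one.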

12 Days of HaXmas: Charlie Brown Threat Intelligence

This post is the third in the series, "The 12 Days of HaXmas." “Get the biggest aluminum threat feed you can find, Charlie Brown, maybe painted pink.” It has been a few years now since the term “cyber threat intelligence” entered the mainstream, and since then it has exploded into a variety of products, all claiming to have the biggest, the best, the shiniest, most aluminum-est threat feed, report, or platform. Much of the advertising and media surrounding threat intelligence capitalizes on fear and uncertainty: “you must have threat intelligence or there is a 100% chance you will get hit by OMG-APT-Cyber-Poodle-Heartbleed.” It feeds off of executives' desires to avoid being the next story in the news about how a breach could have been prevented if only they had employed the latest threat intelligence from company XYZ. Buy, buy, buy. More, more, more. Good grief! It can really bring a poor threat analyst down during the holidays. Amidst the commercialization and fear and the threat-intel-buying frenzy, it is easy to overlook the true meaning of threat intelligence. Threat intelligence exists to help us make decisions about how to best protect assets with limited time, money, and personnel. Knowing what is likely to affect you - how, why, what to look for, and what you can do about it - and then taking actions to mitigate those threats is what threat intelligence is all about. Threat intelligence doesn't have to be about buying something shiny and expensive. For those of you who haven't seen A Charlie Brown Christmas (and seriously, go watch it when you are done reading this): when the other kids saw Charlie Brown's Christmas tree - small, made of actual wood, losing a few needles here and there, and definitely NOT painted pink - they laughed and questioned his ability to do anything right. But that tree turned out to be exactly what they needed to refocus their school play and their mindsets on what they were actually supposed to be celebrating.
Likewise, many organizations have more at their disposal than they know, but because it doesn't look like what marketing says threat intelligence should, it is often scoffed at and overlooked. Business priorities, asset management, log data, lessons learned from a partner's (or their own!) breaches or incidents, reports of phishing emails that come in from employees, open source news feeds, blogs, and non-commercial reports are all things that can be used as the foundation for a threat intelligence program. Many companies are eager to purchase some variety of threat intelligence while overlooking the wealth of information they already have at their disposal. That information is priceless, but like Charlie Brown's Christmas tree, it just needs a little love. If Charlie Brown were in infosec he would understand that the true meaning of threat intelligence is to identify and respond to threats in order to change outcomes. Charlie Brown Threat Intelligence is about looking past the commercialization bombarding us and learning what we can do with what we have, because truly that is the very best place to start.

How to make the most of Charlie Brown Threat Intelligence:

Understand business priorities: It is impossible to protect your business or your information from threats if you don't actually know what you are protecting. What are the systems, assets, or information critical to meeting business objectives? Analyzing business priorities is something that all companies can do for themselves, and it is the first step in utilizing threat intelligence.

Identify what you can change, and what you can't: Threat intelligence is about identifying threats in order to change outcomes. Outcomes do not change themselves; some sort of action has to be taken. Focusing time and effort on something that you can't change will waste time and resources. However, if you are unable to change something that you think is critical to the security of your organization, you can use threat intelligence to build the business case for making the change while still making strides towards changing what you can now.

Keep an eye on the news: Maintaining an awareness of what is going on in the news can help you stay ahead of threats. Sure, if they are in the news they are not always the late-breaking, cutting-edge threats, but that doesn't mean they won't still hit you...or haven't already. Likewise, you are in the best position to know whether something in the news has the potential to affect your organization and how serious the impact would be. Use that knowledge to start planning how to detect and respond to that threat in your environment.

Training: I am a firm believer that trained personnel are critical to an organization's ability to protect itself. Your platform or your threat feed is useless without someone to implement it and interpret the results. It's not just threat analysts who are supporting threat intelligence: IT, SOC, IR, every employee who touches your network can learn how to identify and better respond to threats. We said that threat intelligence needs a little love, and these are the people who are going to be providing the care and feeding it needs to thrive. Invest in your people.

Identify your gaps and find something that meets your needs: There is definitely a place for threat intelligence services in the equation, but it comes after a good hard look at your objectives, what you have, what you still need, and what you can realistically implement and support. You may not need the shiniest, most expensive threat intelligence product to make your program successful; in fact, most organizations don't. What they need to remember is the true meaning of threat intelligence, assess their own needs, capabilities, and priorities, and start taking steps to better understand and respond to the threats facing them.

Featured Research

National Exposure Index 2017

The National Exposure Index is an exploration of data derived from Project Sonar, Rapid7's security research project that gains insights into global exposure to common vulnerabilities through internet-wide surveys.


Upcoming Event

Rapid7's annual security summit is taking place September 12-14, 2017 in Boston, MA. Join industry peers for candid talks, focused trainings, and roundtable discussions that accelerate innovation, reduce risk, and advance your business.



Security Nation

Security Nation is a podcast dedicated to covering all things infosec – from what's making headlines to practical tips for organizations looking to improve their own security programs. Host Kyle Flaherty has been knee–deep in the security sector for nearly two decades. At Rapid7 he leads a solutions-focused team with the mission of helping security professionals do their jobs.
