Intelligence Tsunami

Recently SANS and ENISA released research reports into the current state of the threat intelligence function. The results of both studies showed significant pitfalls in actually using threat intelligence to improve security for many organizations.

Let’s take a moment to baseline the value of Threat Intelligence.

Intelligence is an enrichment signal that lets you apply better cyber acumen to a threat: better decisions, made faster.

Intelligence is used in two ways.

  1. To gain better detection signals from encountered threats
  2. To gain better response signals for encountered threats

Intelligence for detection acumen ceases to add value when the data:

  1. Is irrelevant to your network
  2. Is inaccurate

Intelligence for response acumen ceases to add value when:

  1. The threat is unique to you
  2. The remediation advice is generic and incomplete

Existing Threat Intelligence feeds have focused on applying attributes and label identifiers to malicious encounters. The common attribute-based indicators of threat intel are file hashes, IP addresses, domain names, and URLs. These attribute-based indicators age almost instantly, leading to very rapid security atrophy. Our own Malscape® Monitor Report found that sixty-five percent of malware files analyzed by Lastline had never been submitted to VirusTotal and were seen only once by Lastline, making indicators derived from them useless to any security team.

Threat Intelligence Models

Current Threat Intelligence models are failing security resources in two ways. They are:

  1. Burying already overloaded security teams with poor quality detection alerts
  2. Prolonging the time it takes to investigate and correctly remediate a threat

These two factors are the fundamental flaws in current intrusion defenses and Incident Response procedures that lead all too often to breach notifications.

In the ENISA report, 70% of the respondents replied that the threat information shared is often too voluminous and/or complex to be actioned. SANS validated this with their own finding that irrelevant, external IoCs are the biggest problem. Additionally, they concluded that threat intel needs to enable junior staff to do more with less time, and that the gathering of internal threat data is gaining traction.

In support of the validity of these failings, Microsoft recently changed their security escalation processes from an external IoC-led security response process to an internal behavioral-analysis-led approach.

Introducing Lastline Behavioral Intelligence

A measure of threat intelligence is CART: Complete. Accurate. Relevant. Timely.

Lastline Behavioral Intelligence produces intelligence from your own internal data. Because your internal network data is the best source of timely, relevant data, you will gain back the resources lost to invalid external IoC investigations, and minimize the amount of unauthorized access that results from incorrectly prioritized alerts.

In addition, Behavioral Intelligence cuts out a bottleneck in response time. Instead of trying to identify or label a threat first, as the method to gauge its capabilities, it goes straight to the heart of the problem, identifying what a threat does, allowing for complete and accurate remediation. Labeling or attributing a threat is no longer a prerequisite to remediation but a post-remediation activity, unrelated to risk exposure.

Behavioral Intelligence and the Breach Chain

Behavioral Intelligence is not only applied across the breach chain; it connects breach chain events together.

Probability of a Data Breach Chain

Behavioral Intelligence is applicable to all compass points in an intrusion, highlighting the deterministic capabilities of infected devices during the North-to-South infection phase, and also connecting the infection phase to later compromise activity by highlighting the functional anomalies of an intrusion during the East-to-West lateral movement phases. It provides security teams with an oriented map of each intrusion with complete, accurate, relevant and timely acumen.

Behavioral Intelligence is used to augment scarce expert resources, providing junior-level analysts with an effective tool to hunt for the most sophisticated threats that potentially pose the most risk. It functions as a SOC analyst-in-a-box solution that has been trained to study the execution patterns of billions of malware submissions, selecting highly deterministic traits of maliciousness and capturing these malicious instructions and interaction behaviors as a simple sequence. These sequences have been stored and indexed over time and now allow fresh samples to be sequenced in the same way, highlighting the reuse of malicious building blocks and their evolutions and connections to malware strains. This malware sequencing approach offers much greater accuracy and longevity than current attribute-based indicators.
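The sequencing idea above, shown as an added illustration (not Lastline's code): a hash indicator fails on a one-byte repack of the same file, while an ordered behavior sequence still matches the known strain. The behavior tokens, reference library and sample bytes are all constructed for this example.

```python
import hashlib
from difflib import SequenceMatcher

# Constructed reference library: each known strain is an ordered list of
# coarse execution-time behaviors (the "simple sequence" a sandbox emits).
KNOWN_SEQUENCES = {
    "strain-A": ["drop_file", "persist_runkey", "resolve_c2", "beacon_http", "download_payload"],
    "strain-B": ["vm_check", "sleep_long", "inject_process", "keylog", "exfil_https"],
}

def file_hash(content: bytes) -> str:
    """Attribute-based indicator: SHA-256 of the file bytes."""
    return hashlib.sha256(content).hexdigest()

def match_by_hash(content: bytes, known_hashes: set) -> bool:
    """Hash matching only fires on a byte-identical sample."""
    return file_hash(content) in known_hashes

def sequence_similarity(a: list, b: list) -> float:
    """Share of ordered behavior tokens in common, 0.0 (none) to 1.0 (identical)."""
    return SequenceMatcher(None, a, b).ratio()

def classify_by_behavior(seq: list, threshold: float = 0.6):
    """Return (strain, score) for the closest known sequence, or (None, score)
    when nothing is similar enough. Tolerates inserted or removed steps."""
    best_name, best_score = None, 0.0
    for name, known in KNOWN_SEQUENCES.items():
        score = sequence_similarity(seq, known)
        if score > best_score:
            best_name, best_score = name, score
    return (best_name, best_score) if best_score >= threshold else (None, best_score)

# Constructed samples: the original file, and a repacked variant that differs
# by one byte and prepends an unpacking step to the same malicious behavior.
ORIGINAL_BYTES = b"MZ-constructed-sample-A"
VARIANT_BYTES = ORIGINAL_BYTES + b"\x00"
ORIGINAL_SEQ = KNOWN_SEQUENCES["strain-A"]
VARIANT_SEQ = ["unpack_stub"] + ORIGINAL_SEQ
BENIGN_SEQ = ["read_config", "open_window", "write_log"]

if __name__ == "__main__":
    known = {file_hash(ORIGINAL_BYTES)}
    print("hash matches variant:", match_by_hash(VARIANT_BYTES, known))       # False
    print("behavior classifies variant:", classify_by_behavior(VARIANT_SEQ))  # ('strain-A', 0.909...)
    print("behavior on benign sample:", classify_by_behavior(BENIGN_SEQ))     # (None, 0.0)
```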

A Behavioral Intelligence-led approach to security will provide the most relevant alerts because the analysis is taken in real time from your internal environment. It provides the most complete and accurate information as the alerts produced highlight the behavioral capacity of the various elements in each threat, pointing incident responders to fast and effective remediation.

Andy Norton

Andy has been involved in cyber security best practice for over 20 years, specializing in establishing emerging security technologies at Symantec, Cisco and FireEye. In that time, he has presented threat and intelligence briefings for both the Bush and Obama administrations, the Cabinet Office, the Foreign and Commonwealth Office, SWIFT, the Swiss National Bank, the Prudential Regulation Authority, the Bank of England, the Hong Kong Monetary Authority and NASA. Returning to Europe from Asia in 2011, he has spent the past 5 years helping many of the FTSE 250 companies measure, manage and respond to cyber incidents.