Your Most Valuable Threat Intelligence Already Exists Inside Your Network – You Just Need to See It

It should be an axiom: we undermine our cyber security when we retreat into silos. Bad actors profit when we separate ourselves by technology, department, organization, or sector. Siloing gives us no business advantage; it only robs us of information we could share with one another and use to defend against the latest advanced attack.

The weaknesses inherent in siloing highlight the importance and advantages of cyber security partnerships. This is especially true of technology. As we wrote in a previous article, no single solution can meet all of our security needs. Cyber security has always been, and will remain, a team sport. With that in mind, we stand to benefit from using multiple technologies together, especially solutions that can interoperate, draw upon one another's strengths, and share information.

Partnerships don’t end with technology, either. In this article, we’ll discuss how working together from an intelligence perspective also benefits organizations’ cyber security. Threat intelligence feeds have real limitations; recognizing this, we’ll explain why we believe comprehensive visibility into your own systems and data, not someone else’s, is the most effective means of defending against cyber attacks.

What Is Threat Intelligence?

According to Recorded Future, threat intelligence is information that organizations can use to prevent or block cyber attacks. This data typically consists of indicators of compromise (IoCs), attack motivations, as well as other details pertaining to a specific campaign or threat actor that’s already affected other entities. Using these indicators, organizations can create a defensive strategy for attacks that they themselves have not yet seen.

Threat intelligence comes in various categories, which originated in the more traditional intelligence world:

  • Strategic intelligence illustrates broad trends to a non-technical audience;
  • Tactical intelligence gets a little deeper into the weeds about how an attack works; and
  • Operational intelligence deeply explores details of an operation for technical readers such as security defenders or threat hunters.

Various solutions offer these types of intelligence. Even so, it’s generally recommended that you rely on underlying technologies such as machine learning to automate data collection, integrate the intelligence with your other tools, and connect the dots.

Regardless of the form in which you receive it, threat intelligence is important because it empowers security professionals to make better, more informed decisions faster than they otherwise could. That, in turn, helps security leaders plan for the future while, ideally, saving time, lowering expenses, and maximizing efficiency.

Understanding the Shortcomings of Threat Intelligence

Threat intelligence is an important tool in a security team’s arsenal. But for us to get the most out of it, we need to realize where threat intelligence’s limitations lie. Jonathan Zhang, CEO/founder of WhoisXML API and TIP, helps point the way in an article for Dark Reading:

“Cybersecurity teams sometimes see threat intelligence as the quick fix that will protect them from hackers and scammers. This expectation is largely overinflated. The fact is, there is no such thing as one-size-fits-all threat intelligence.”

That is to say, not all of us can or will derive the same benefit from any single threat intelligence feed, or from multiple feeds for that matter. Every organization, suborganization and department has its own security needs. It’s therefore entirely possible to land on a feed that gives our organization no useful insight into the attacks that threaten those needs, regardless of how much those campaigns jeopardize the digital security of others. Other feeds might give us a false sense of security if they lack the threats that pertain to our systems, while still others could lead us to waste time and money investigating threats that don’t pertain to the organization at all. Add to that the reality that many threat feeds are not consumed in a timely fashion. As attackers churn through domain names and IP addresses, a large share of external feed data becomes outdated very quickly.

How threat feeds are implemented is also an essential consideration. A feed that cannot integrate with other solutions makes threat intelligence less effective and gives security teams more work: analysts must manually assemble the data and compare it against other sources, spending their time gathering evidence instead of investigating a potential security incident. Pragmatically, a team is probably better off not working with feeds it cannot easily and quickly integrate with the rest of its security stack.
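The two problems above, stale network indicators and feeds that never get correlated with our own telemetry, are easy to see in code. The following is an added example written for this article, not Lastline’s code or any real feed: it ingests a small constructed indicator feed with a `last_seen` date per indicator, discards IP and domain indicators older than a per-type freshness window (the window lengths are assumptions to tune, not recommendations), and matches what survives against constructed proxy-log lines from an internal network. The feed and log formats are invented for the example.

```python
"""Added example (not from the original article): age out network indicators
from a constructed feed, then match the fresh ones against our own proxy logs.
Feed format, log format and freshness windows are all assumptions."""
from datetime import datetime, timedelta, timezone

# Constructed feed: type,value,last_seen (ISO date). Not real indicators.
FEED = """\
domain,update-check.example.net,2019-03-01
domain,cdn-static.example.org,2019-02-01
ipv4,203.0.113.45,2019-03-05
ipv4,198.51.100.7,2018-11-20
"""

# Constructed proxy log lines from "our" network (RFC 5737 documentation addresses).
PROXY_LOG = """\
2019-03-06T09:12:01Z 10.0.4.17 GET http://update-check.example.net/a.bin 200
2019-03-06T09:12:02Z 10.0.4.17 GET http://cdn-static.example.org/lib.js 200
2019-03-06T09:15:44Z 10.0.9.3 CONNECT 198.51.100.7:443 200
2019-03-06T09:16:10Z 10.0.9.3 CONNECT 203.0.113.45:443 200
"""

# Attackers churn domains and IPs quickly; anything not seen within the
# window is treated as stale. These windows are assumed values for illustration.
MAX_AGE = {"domain": timedelta(days=14), "ipv4": timedelta(days=7)}


def parse_feed(text):
    """Parse the constructed CSV feed into a list of indicator dicts."""
    indicators = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ioc_type, value, last_seen = line.split(",")
        seen = datetime.fromisoformat(last_seen).replace(tzinfo=timezone.utc)
        indicators.append({"type": ioc_type, "value": value, "last_seen": seen})
    return indicators


def split_feed(indicators, now):
    """Return (fresh, stale) lists according to the per-type MAX_AGE window."""
    fresh, stale = [], []
    for ioc in indicators:
        limit = MAX_AGE.get(ioc["type"], timedelta(days=7))
        (fresh if now - ioc["last_seen"] <= limit else stale).append(ioc)
    return fresh, stale


def match_logs(fresh, log_text):
    """Return (internal_src, indicator) hits for proxy log lines touching a fresh indicator."""
    lookup = {ioc["value"] for ioc in fresh}
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, src, _method, target, _status = line.split()
        # Reduce "http://host/path" or "host:port" to the bare host or IP.
        host = target.split("://")[-1].split("/")[0].split(":")[0]
        if host in lookup:
            hits.append((src, host))
    return hits


def run(now=datetime(2019, 3, 6, tzinfo=timezone.utc)):
    """Ingest, age out, and correlate; returns a summary dict for inspection."""
    fresh, stale = split_feed(parse_feed(FEED), now)
    return {
        "fresh": sorted(i["value"] for i in fresh),
        "stale": sorted(i["value"] for i in stale),
        "hits": match_logs(fresh, PROXY_LOG),
    }


if __name__ == "__main__":
    print(run())
```

Note that `cdn-static.example.org` does appear in the constructed log but is not alerted on, because its indicator is stale; whether that is the right call depends on how the feed reports `last_seen`, which is exactly the kind of per-feed judgment the text is describing. The correlation step only has value because the feed was brought into the same place as the proxy telemetry.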

Though alarming in their own right, the above concerns are all secondary in nature. The primary weakness associated with threat intelligence feeds is that they all reflect others’ experiences with an attack, and rely too heavily on signatures and reputation. The types of systems and applications that are deployed on a network often differ widely between organizations.

Even if they don’t, digital criminals are changing their signatures and techniques so quickly that one instance of a campaign can easily differ from another. This dynamism results in very little overlap across threat intelligence feeds. A Lastline study found that of the unique threats we analyzed in 2018, 65 percent had not been submitted to VirusTotal, and had been submitted only once to Lastline. What this means is that there is very little repetition of malicious artifacts being seen across multiple customers’ and partners’ environments.

Threat Intel Done Right

The ultimate value of threat intelligence therefore doesn’t come from subscribing to one feed or even dozens of feeds. It comes from obtaining your own intelligence about the threats endangering your systems and your data. To do this, you need comprehensive network visibility, supported by a capable tool. That solution should ideally combine AI, network traffic analysis (NTA) and artifact analysis to flag anomalous and suspicious behavior and to produce high-fidelity alerts indicative of potential security incidents.

Threat intelligence can contribute to this effort, assuming it provides the right type of information. The more granular the data, the more likely it is to be useful. Information about indicators of compromise, malicious behaviors, and reusable code segments can actually be helpful in detecting attacks where signatures are unique and IP addresses have been changed.
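Why a reusable code segment survives where a file hash does not can be shown directly. The following is an added example for this article, not Lastline’s code and not a real detection signature: a feed publishes one exact SHA-256 indicator plus two YARA-style hex patterns (with `??` wildcards for bytes that vary between builds), and a small matcher runs both against constructed byte strings standing in for an original sample, a re-packed variant of it, and a benign file. All samples and patterns are invented.

```python
"""Added example (not from the original article): an exact-hash IoC misses a
re-packed variant, while a wildcarded code-fragment pattern still matches.
Samples, patterns and the feed contents are constructed, not real malware."""
import hashlib
import re

# Constructed byte fragment standing in for a code stub shared across a family
# (a call followed by a pop/sub pair, displacement differs per build).
STUB_A = bytes.fromhex("e8000000005b81eb05104000")
STUB_B = bytes.fromhex("e8100000005b81eb05104000")  # same stub, different displacement

# Constructed samples: original, re-packed variant (padding and config changed), benign file.
SAMPLE_A = b"MZ" + b"\x90" * 16 + STUB_A + b"\x00" * 8 + b"config-v1"
SAMPLE_B = b"MZ" + b"\xcc" * 24 + STUB_B + b"\x00" * 4 + b"config-v2"
BENIGN = b"MZ" + b"\x00" * 20 + b"hello"

# What a feed might publish: an exact hash of SAMPLE_A and two wildcarded fragments.
HASH_IOCS = {hashlib.sha256(SAMPLE_A).hexdigest()}
FEED_FRAGMENTS = {
    "loader_stub": "e8 ?? ?? ?? ?? 5b 81 eb",   # call rel32 wildcarded, pop/sub fixed
    "config_marker": "63 6f 6e 66 69 67 2d 76 ??",  # "config-v" followed by any byte
}


def hex_pattern_to_regex(pattern):
    """Compile a YARA-style hex string into a bytes regex; '??' matches any one byte."""
    parts = []
    for tok in pattern.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def classify(sample, hash_iocs=HASH_IOCS, fragments=FEED_FRAGMENTS):
    """Return whether the exact hash matched and which fragment patterns matched."""
    digest = hashlib.sha256(sample).hexdigest()
    fragment_hits = sorted(
        name for name, pat in fragments.items()
        if hex_pattern_to_regex(pat).search(sample)
    )
    return {"hash_hit": digest in hash_iocs, "fragment_hits": fragment_hits}


def evaluate(samples):
    """Classify a dict of name -> bytes and return name -> result."""
    return {name: classify(data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, result in evaluate({"A": SAMPLE_A, "B": SAMPLE_B, "benign": BENIGN}).items():
        print(name, result)
```

The hash indicator fires only on the exact original; the variant, which differs by padding, a call displacement and a config string, is caught only by the fragment patterns, and the benign file matches neither. This is the gap the text is pointing at: indicators that describe what the code does or reuses travel across variants, while a hash or a since-rotated IP address describes one past instance.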

Lastline’s Global Threat Intelligence Network solves some of the shortcomings of other threat intel feeds. It is the industry’s largest curated repository containing tens of millions of malicious artifacts. It includes malicious code samples, malicious behaviors, domain names, and IP addresses collected by Lastline’s global customer and partner base. This type of information and level of detail simply is not available from other feeds because only our technology is capable of capturing this level of detail about attacks, thanks to our patented Deep Content Inspection™ technology. We continuously update the repository with new artifacts as new threats (and new relationships among existing threats) emerge.

In addition, we automatically and immediately share information about all detected threats with all of our customers and partners, speeding detection of attacks aimed at multiple organizations. While the signatures may have changed and threats morph, we can still detect these attacks because of other behavior-based characteristics that make detection unmistakable.

It’s widely believed that criminals are collaborating, sharing details of what works and what doesn’t so they can improve their techniques. Organizations being attacked, and the security industry developing technology to help them in that challenge, can break down silos by improving collaboration and sharing of attack details through threat intelligence. While it is not perfect, it’s an added layer of defense against a clever and relentless enemy.

We also encourage vendors to join the Cyber Threat Alliance whose mission is to improve cybersecurity through sharing of timely, actionable, and contextualized threat information.

Create your own source of timely and actionable network-based threat intelligence with Lastline today.

Richard Henderson

Richard Henderson is Head of Global Threat Intelligence, where he is responsible for trend-spotting, industry-watching, and evangelizing the unique capabilities of Lastline’s technologies. He has nearly two decades of experience and involvement in the global hacker community and discovers new trends and activities in the cyber-underground. He is a researcher and regular presenter at conferences and events and was lauded by a former US DHS undersecretary for cybersecurity as having an “insightful view” on the current state of cybersecurity. Richard was one of the first researchers in the world to defeat Apple’s TouchID fingerprint sensor on the iPhone 5S. He has taught courses on radio interception techniques multiple times at the DEFCON hacker conference. Richard is a regular writer and contributor to many publications including BankInfoSecurity, Forbes, Dark Reading, and CSO.