Cyberthreat intelligence

Creating order and drawing actionable information from a multitude of log files and data streams is a daunting task, but help might be on the way in the form of cyberthreat intelligence.

www.scmagazine.com | © 2016 Haymarket Media, Inc.

OUR EXPERTS: Cyberthreat intelligence
Ed Bellis, founder and CTO, Kenna Security
Bob Gourley, co-founder and partner, Cognitio
Andrew Hay, CISO, DataGravity
John Pescatore, director of emerging security trends, SANS Institute
Michael Orosz, director of the Decisions Systems Group, Information Sciences Institute Viterbi School of Engineering, University of Southern California

67%: Percentage of respondents in the 2014 Global Information Security Survey who see threats increasing in their risk environment. Source: EY

Organizations today are using combinations of useful data left behind by attackers and combining it with analytic tools to create a new generation of intelligence, reports Jesse Staniforth.

Whether mucking about in the murky world of the Dark Web or developing Big Data analytics to process the thousands of log files and data feeds, security professionals are searching for advanced tools to create order from chaos.

Cyberthreat intelligence (CTI) is evidence-based knowledge – including context, mechanisms, indicators, implications and actionable advice – about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard, according to Gartner. It also can be described as the process of detecting potential and actual threats using evidence-based data, responding to them and defeating the attackers using forensic and logical data the attackers themselves leave behind. It is fast becoming one of the key security resources for CISOs and security teams, but it’s not just enterprises benefiting from CTI; small to midsize businesses are finding value in CTI as well.

One of the barriers to understanding the merits of CTI is confusion about what it is and what it isn’t. John Pescatore, director of emerging security trends at SANS Institute, a research and development organization, says that threat intelligence has become a buzzword over the past year in the information security world and vendors want to profit from it. For that reason, anti-virus vendors might describe their products as being powered by threat intelligence because they classify their signature feeds as CTI. However, Pescatore is dismissive of this tendency, defining CTI as “more than just signatures.” Instead, he explains, “What SANS tends to call ‘cyberthreat intelligence’ is information about active threats that you can consume to both prevent more attacks and detect ones you can’t prevent more quickly.” While he acknowledges that anti-virus signatures can be helpful in both preventing and detecting attacks, he says that CTI encompasses a much broader array of information than simple signatures.

“Some will define threat intelligence as ‘indicators of compromise,’ and those are generally signatures,” he says. “If you’re broken into by this threat, you should see these files on your machine. What we really want threat intelligence to do is go a little more broadly to describe exploits or techniques and indicators that are more than just signatures. We want to identify broader behaviours. If you see signs of those behaviours, you may have been attacked.”

As an example, he provides the recent discovery of vulnerabilities in SSL (secure socket layer) encryption. Potential threat actors would leave traces in the form of log events to show that they had been exploring vulnerabilities in a target’s SSL and a second set of data would show traces of whether they had exploited any vulnerabilities they found. An ability to identify both types of evidence is an example of threat intelligence that is responsive to information that both prevents attacks and

37%: Respondents who say real-time insights on cyber risk are not available. Source: EY

detects the unpreventable ones more quickly, he explains.

Another example is the insider threat. “Imagine you have an employee who, out of the blue, accesses a critical, privileged database,” posits Michael Orosz, director of the Decisions Systems Group, Information Sciences Institute, Viterbi School of Engineering, University of Southern California. “Maybe they’re totally within reason; maybe there’s a new job responsibility added to this employee. But maybe not. That’s an indicator that may require further investigation, which is where threat intelligence comes in.”

Traditional defenses against viruses, worms and distributed denial of service (DDoS) attacks are reactive and rely on recognizing established threats, says Orosz. By contrast, CTI is an attempt to put up a proactive defense that sets up appropriate countermeasures before an attack can occur.

“It’s about identifying the steps, processes, tactics and techniques that are used by people launching these attacks,” explains Pescatore, “rather than simply identifying these threads, and rather than just a hash-tag of a file or a simple signature to look for.”

Who needs cyberthreat intelligence?

“There are a lot of companies getting funding for threat intelligence,” says Andrew Hay, CISO at DataGravity, a Nashua, N.H.-based storage vendor. “At the beginning of 2015, you’d just walk up and say, ‘I’ve got a threat intelligence solution,’ and [venture capitalists] would say, ‘Shut up and take my money! Go make me rich!’”

Through his hyperbole, Hay, a former IANS Research faculty member, is serious about the plethora of CTI companies presently operating – a variety that makes it difficult for a potential consumer to determine the value of the intelligence that the CTI company provides.

“There’s nobody out there comparing, grading and rating them,” SANS’s Pescatore says, “and there are just so many of these sources. The bad news is there’s a lot of ‘buyer beware.’”

Pescatore assumes that every business is likely to be taking a few basic steps to defend itself against cyberattack, such as deploying anti-virus software. This constitutes a base level of defenses. “If you’re not up that base level,” he says, “don’t even think about threat intelligence. But if you’re at that base level, then you consider the staff you have and the security controls you have in place, and ask what sort of information, if you had it, would allow you to detect faster and prevent more.”

However, even for those who have surpassed the base level of security, integrating it into existing systems can prove difficult. CTI, in general, takes the form of feeds of information and Hay emphasizes that without the means to apply that raw information to its defensive footing, CTI will be useless.

“Unless you have something to plug those feeds into, or a policy procedure process to actually do something with that data received, you’re really just throwing money out the window,” he says. “The absolute minimum barrier to entry is a SIEM [security information and event management] or log management product of some sort. Then you at least have something to correlate the information that’s coming in with your security ecosystem. Another barrier would be a recent firewall – something that has the ability to act on those threat intelligence indicators.”

On its own, the information is too disconnected to be of any use. DataGravity’s Hay offers the analogy of a person trapped on a

5: Number of variants of the Backoff PoS malicious code identified in 2014: backoff, goo, MAY, net and LAST. Source: U.S. Computer Emergency Readiness Team

desert island while it’s raining. “You could just open your mouth and hope to get water that way,” he says, “but it’d be great if you could have a bucket to hold all that water so that you could drink from it at a leisurely pace, or when you have time.”

However, used properly, Pescatore says the bucket-style of CTI can provide a strong additional line of defense. “There are a great many really good sources of threat intelligence information that you can integrate right into your DNS [domain name system],” he says, “so that if any of your users tries to access a site, or if software gets on one of their PCs and tries to communicate it outbound, if it’s trying to resolve to a DNS location that the threat intelligence thinks is bad, it will either alarm or not allow the resolution to happen. That’s an easy one. If you can get that information in the right format, you can integrate it into your DNS and whammo.”

Bob Gourley, co-founder and partner at the consulting and engineering firm Cognitio, a strategic consulting and engineering firm managed by a team of former senior technology executives from the U.S. Intelligence Community, breaks cyberthreat intelligence down into three categories: strategic, operational and tactical. “Strategic cyberthreat intelligence is used by senior decision-makers for long range decisions and can be delivered by briefing or writing assessments,” he explains. “Operational cyberthreat intelligence is focused on the day-to-day operators directly engaged in incident response and other cyberdefense functions. It can also be delivered in writing, frequently in email. Tactical cyberthreat intelligence is for immediate action and is best configured to enable automated response.”

While a CTI intelligence feed might be readable by humans, Gourley notes, its ultimate goal is to enable your next-generation security device or endpoint device to take automatic action. In order to configure this connection, you will need input from your feed provider and the vendor of your security solution.

Pescatore adds that CTI information delivered in the standard TAXII and STIX formats can be easily plugged into existing security processes, such as a SIEM. For that reason, he counsels a potential buyer to make certain that whatever information they’re signing up for will be delivered in standard formats. Furthermore, he offers questions for potential CTI customers to ask as they enter the marketplace: What are my security controls and what sort of threat intelligence information could I immediately take advantage of? What could I do to improve my security controls so they could take advantage of this threat intelligence information?

Ed Bellis, founder and CTO of Kenna Security, a Chicago-based vulnerability management vendor, says that the value of CTI is predicated on the information it provides. “It’s important the information is timely, accurate and relevant,” Bellis explains. “While it can be said that integration is important for most security products, it’s vital for security intelligence. The ability to act on threat intelligence that is relevant to your organization in a timely manner is where the real value resides.”

However, says Gourley, the market is so full of CTI at the moment that selecting a provider is a challenge. Venture capitalists are funding CTI startups at the same time as traditional security companies are getting into the CTI game, and it is difficult to determine which products will survive the competition. “Some CTI is worth its weight in gold and you will find it directly supports decisions and helps defend the enterprise,” Gourley says. “Some is of little value and you may regret signing up for it.”

>19K: Number of hacktivist attacks against French websites credited to #OpFrance. Source: Verisign

Still, he says, “The only way we know of to optimize your current threat intelligence feeds is by independent assessment.” The vendors of the cyberintelligence products and the vendors of security solutions all want to do good for you, he says, but everyone comes with bias. “A detailed review by professionals who know the art and science of cyberthreat intelligence is the best approach.”

Determining the value of information is not easy. In order to do so, Bellis says that an organization must begin by determining its requirements in order to seek out CTI that meets those needs. “The first place to start is with a use case or multiple use cases,” he says. “What is the problem you are trying to solve and how will threat intelligence help your cause? Some threat intelligence providers are focused on ‘the who,’ meaning what threat actors, where are they coming from, IP addresses, who are they targeting. While others are focused on ‘the how,’ such as, what techniques are they using, methods and kits and so on.”

Bellis adds that a potential customer needs to articulate their needs to a CTI supplier as precisely as possible, ideally by presenting real examples from experience. “If the team understands their use cases well,” he says, “a vendor should be able to clearly demonstrate how their threat intelligence product would help achieve success for those use cases. By having predefined use cases and questions you want answers to, the prospective vendor should be able to plug in their data to help you find answers.”

Orosz agrees. “It’s not just detecting a potential attack or compromise, it’s a question of what you’re going to do about it. A vendor needs to understand and work with an organization to develop a mitigation plan. You have to have that in place. It should be really obvious how it all pieces together and there should be no question marks. If someone presents you with something that doesn’t make sense, that might be your first clue.”

Even then, determining the overall worth of threat intelligence information can be a difficult task – and one that often leaves organizations feeling taken advantage of. An important consideration, says Bellis, is the relevance of the data, the value of which changes daily and widely. “It is hash values, IP addresses, domain names, network artifacts, tools or methods,” Bellis says. “These all have different value and very different shelf lives. An IP address being used in a malicious campaign can be stale by the time it even makes it into a feed, let alone when it’s pulled into your process.”

The specificity of industry-select CTI can also be misleading, Hay adds. Imagine a small-town credit union in the Midwest that wants to purchase financial-services CTI in order to keep its coffers safe. An immediate problem appears in that most financial-services CTI will be geared toward much larger organizations in major urban centers. Consequently, information that a small-town credit union derives from such CTI might not prove applicable to that company’s specific needs and circumstances, even though the industry vertical is fundamentally the same, Hay says.

Pescatore notes that at the Executive Security Action Forum that preceded the 2015 RSA Conference, the 100 or so CISOs were surveyed about the subject of cyberthreat intelligence. “The common response was, ‘When I first looked at one threat-intelligence service, I found that about 75 percent of it I got for free.’ So much of this information can come from free sources that if you have

7Gbps: Average bandwidth used in DDoS attacks in 2014. Source: Verisign

the people, you could be downloading it and doing it all yourself. At one level, the first check of a threat-intelligence service is to ask whether it’s providing more than you can get on free websites that we already know about. That’s a simple but worthwhile check.”

But even that is a difficult measure to be certain about. DataGravity’s Hay points out that there is an enormous amount of overlap in the data provided by CTI vendors – who generally find their intelligence in the same place as their competitors find their own. “A lot of them start with grabbing information from honeypots, such as source IPs,” Hay says, “or they’re just getting them from the same free feeds that get published online, and amalgamating them, maybe slicing and dicing them so that it aligns with the types of industries they’re selling to.”

For that reason, Hay wonders whether smaller organizations would be better off handling CTI on their own through the same widely available sources of threat information curated by CTI companies for their specific audiences. “The open source route is probably the best starting point, but again, what are you going to do with the data?” he asks, identifying a central CTI quandary. “You need to have something that can use the data. There’s no sense in pulling the data in if you’re never going to look at or act on it.”

Cognitio’s Gourley notes that there are multiple open source feeds. An example of a strategic feed is ThreatBrief.com from Cognitio. The feed is free but requires a subscription. Some examples of free operational feeds are those provided by the United States Computer Emergency Readiness Team, or US CERT. On a tactical level there are many feeds, including those provided by the National Cyber Forensics and Training Alliance (NCFTA).

However, considering the time and trouble it would take to integrate open-source CTI, Hay wonders whether CTI might simply be too much trouble for small and midsized businesses. Its potential for improving defenses could be equalled through alternative measures, he says, what he calls “shoring up the kingdom.”

“See what software’s installed, what’s out of date, what needs to be patched,” he says. “A good guide that I usually tell people, especially mid-market and lower, is to look at the SANS Institute or the Center for Internet Security’s Top 20 Critical Security Controls. If you follow and implement and measure that, you’re going to cover 95 percent of the holes that could really be attacked. Your attack surface area will be reduced that much.” With that much reduction in attack surface, the necessity for CTI would be greatly reduced, he notes.

For those who believe that they have already covered their bases and would like to add CTI to their arsenal, the easiest upgrade, Hay says, is simply whatever is in front of them. “If [an organization has] an existing product that has an upgrade or add-on service that is a threat intelligence feed, that would probably be step one,” he explains. “Measure the effectiveness of that. If they’re not getting any positive results or any marked improvement following that, then start looking at dedicated threat intelligence vendors that may play nicely with your equipment.”

Finding the right CTI vendor

Looking for dedicated CTI vendors, Pescatore and Orosz agree, is best done with advice from experts. Orosz suggests contacting the FBI’s local InfraGard information-sharing organizations, which have 86 local chapters across the country. He also counsels simply calling one’s local police department and asking them for advice on who to trust.
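As an added illustration (not code from this ebook or from any vendor quoted in it) of two points raised earlier, Pescatore’s suggestion of feeding threat intelligence into DNS so that a bad resolution either alarms or is refused, and Bellis’s warning that indicators have very different shelf lives, the following Python sketch applies a constructed STIX-style indicator feed to constructed resolver log lines. The domain names, addresses, validity windows and log format are all made up for the example, and only the simplest STIX pattern form, `[type:value = 'x']`, is handled.

```python
"""Apply a STIX-style indicator feed to DNS resolver logs (constructed example)."""
import re
from datetime import datetime, timezone

# Constructed feed shaped like minimal STIX 2.x indicator objects.
# Validity windows model the "shelf life" of each indicator type.
FEED = [
    {"type": "indicator", "pattern": "[domain-name:value = 'c2-update.example']",
     "valid_from": "2016-01-10T00:00:00Z", "valid_until": "2016-04-10T00:00:00Z"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.7']",
     "valid_from": "2016-01-10T00:00:00Z", "valid_until": "2016-01-17T00:00:00Z"},
    {"type": "indicator", "pattern": "[domain-name:value = 'login-verify.example']",
     "valid_from": "2016-02-01T00:00:00Z", "valid_until": "2016-05-01T00:00:00Z"},
]

# Constructed resolver log: "<time> client <ip> query <name> answer <ip>".
DNS_LOG = """\
2016-02-15T09:01:12Z client 10.0.5.21 query c2-update.example answer 203.0.113.7
2016-02-15T09:01:40Z client 10.0.5.21 query www.example.org answer 198.51.100.3
2016-02-15T09:02:05Z client 10.0.7.8 query login-verify.example answer 198.51.100.40
2016-02-15T09:03:30Z client 10.0.7.8 query mail.example.org answer 203.0.113.7
""".splitlines()

# Only the simplest STIX pattern form is supported; anything else is skipped.
PATTERN_RE = re.compile(r"^\[(domain-name|ipv4-addr):value = '([^']+)'\]$")
LOG_RE = re.compile(r"^(\S+) client (\S+) query (\S+) answer (\S+)$")


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_indicators(feed, now):
    """Return {(kind, value): valid_until} for indicators live at `now`.

    Expired entries are dropped rather than matched: an address that was
    already stale when it reached the feed only produces noise.
    """
    live = {}
    for obj in feed:
        match = PATTERN_RE.match(obj.get("pattern", ""))
        if obj.get("type") != "indicator" or not match:
            continue
        if parse_time(obj["valid_from"]) <= now < parse_time(obj["valid_until"]):
            live[(match.group(1), match.group(2).lower())] = obj["valid_until"]
    return live


def evaluate_dns_log(lines, indicators, mode="alarm"):
    """Match each query's name, then its answer, against live indicators.

    Returns one (client, qname, matched_value, action) record per hit, where
    action is "alarm" (log only) or "block" (refuse the resolution).
    """
    action = "block" if mode == "block" else "alarm"
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # malformed line; skip rather than guess
        _, client, qname, answer = match.groups()
        if ("domain-name", qname.lower()) in indicators:
            hits.append((client, qname, qname.lower(), action))
        elif ("ipv4-addr", answer) in indicators:
            hits.append((client, qname, answer, action))
    return hits


if __name__ == "__main__":
    now = parse_time("2016-02-15T09:00:00Z")
    for hit in evaluate_dns_log(DNS_LOG, load_indicators(FEED, now), "block"):
        print(hit)
```

Run on 15 February the expired IP indicator is silently dropped, so the last log line (a benign name that happens to resolve to the old address) produces no hit; run in January, while that indicator is still within its window, the same line is flagged by its answer address.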

15%: In 2015, only 15 percent of assessed organizations are meeting corporate cybersecurity goals. Source: Hewlett Packard Enterprise

Pescatore also recommends InfraGard, although he suggests becoming involved in an Information Sharing and Analysis Center (ISAC) related to your organization’s industry. Members might well be able to suggest CTI feeds that are most helpful, and which are more likely to be less effective. This information, drawn from wide experience, is probably the best measure presently available of the merits and demerits of the wide range of CTI providers presently on the market.

Hay underscores that determining the effectiveness of CTI is far too complicated for a single organization to do on its own. “There’s no good stick against which to measure the effectiveness of your threat intelligence,” he says. “You can’t just say, ‘I didn’t get breached after buying this.’ Well, you weren’t hit by a tornado either – does it cover tornados as well as nation-state hackers?”

Meanwhile, as the Wild West mentality of the industry inevitably stabilizes, Hay suggests that those waiting to sign up for CTI might soon see a smaller and more stable array of providers from which to choose. “One thing I think we’re going to see in 2016 and 2017 is probably a lot of consolidation of the threat intelligence vendors,” Hay posits. “There are so many right now, and a lot of them are just two or three people who got together with a plan to reformulate a feed and sell it. They’ll get acquired, where they’re happy to have a job and to be working on their tool. I think there’s going to be a lot of that this year and early next year, because I think we’re at a critical mass.”

His prediction seems to be coming true: The day after he talked to SC Magazine, news broke that well-known cybersecurity giant FireEye had paid out $200 million to shareholders to acquire CTI company iSight Partners in order to make that company’s cyberthreat intelligence offerings, sourced from some 200 partners across 16 countries, a keystone to the rebuilding of its empire.

For more information about ebooks from SC Magazine, please contact Stephen Lawton, special projects editor, at [email protected]. If your company is interested in sponsoring an ebook, please contact David Steifman, VP, publisher, at 646-638-6008, or [email protected].

Sponsors

LogRhythm empowers organizations around the globe to rapidly detect, respond to and neutralize damaging cyber threats. The company’s award-winning platform unifies next-generation SIEM, log management, network and endpoint forensics, and advanced security analytics. In addition to protecting customers from the risks associated with cyber threats, LogRhythm provides innovative compliance automation and assurance, and enhanced IT intelligence. For more information, visit www.logrhythm.com

HPE’s approach to enterprise security disrupts the lifecycle of an attack with prevention and real-time threat detection, from the application layer to the hardware and software interface. HP Enterprise Security enables organizations to take a comprehensive approach to security, delivering actionable security intelligence while providing insight into the future of security and the most critical threats facing organizations today. For more information, visit www.HPE.com

Recorded Future arms you with real-time threat intelligence so you can proactively defend against cyber attacks. With billions of indexed facts, and more added every day, our patented Web Intelligence Engine continuously analyzes the entire Web to give you unmatched insight into emerging threats. Recorded Future helps protect four of the top five companies in the world. For more information, visit www.recordedfuture.com

Masthead

EDITORIAL
VP, EDITORIAL: Illena Armstrong, [email protected]
ASSOCIATE EDITOR: Teri Robinson, [email protected]
SPECIAL PROJECTS EDITOR: Stephen Lawton, [email protected]
MANAGING EDITOR: Greg Masters, [email protected]

DESIGN AND PRODUCTION
ART DIRECTOR: Michael Strong, [email protected]
PRODUCTION MANAGER: Brian Wask, [email protected]

SALES
VP, PUBLISHER: David Steifman, (646) 638-6008, [email protected]
REGION SALES DIRECTOR: Mike Shemesh, (646) 638-6016, [email protected]
WEST COAST SALES DIRECTOR: Matthew Allington, (415) 346-6460, [email protected]