Meaningful Noise: Making Threat Intelligence Useful
By Tony Velleca, CEO, CYBERPROOF
The only thing more chilling than the name dark net (aka dark web) is what can be accomplished there: people buying and selling usernames, passwords, email accounts, stolen information, and methods of hacking. It’s also a place where parties can communicate without being detected.
It’s never been easier for someone with an axe to grind to find someone with the technical skills to perpetrate an attack. It has also never been easier for someone with the technical skills to find and persuade someone with credentials to sell out for big money – or simply trick into accidentally exposing a password or other information that inadvertently grants access to an outsider. Whether offered up by choice or through carelessness, security is breached. The challenge for companies is that, until now, most security methods have been prescriptive: designed for and depending on foreknowledge of a particular threat. Standard intrusion-prevention software only blocks what is known (and hackers already know how to get around this anyway). It doesn’t block anything new. But the biggest threats are the ones we don’t see coming.
In today’s mobile cloud world, there is a blurring of personal and company assets and even credentials. For example, many employees use the same password for their company login as well as for their personal login. Hacking people is essentially applied research. For example, if I know the CISO, and I know he works for CompanyX – I may not hack his corporate account; I may send a phishing attack to his personal account, which he then downloads onto his corporate machine. Unintentionally, his personal cyber life places the company at risk.
New Dangers Require New Capabilities:
Imagine this scenario: An employee in California, who usually logs in at 8 a.m. and logs out at 5 p.m., has just entered his password in Russia, at midnight. Maybe he can’t sleep. Maybe he has a deadline in the morning. Or maybe someone has stolen his password. The simplicity of this scenario is deceptive. Being prepared to analyze and respond to that single anomaly requires several things happening in tandem: knowing the behavioral patterns of everyone in a company; knowing if there are any external threats (current dark net activity) that specifically involve your company; and knowing how to evaluate the combination of internal anomalies and external intelligence to determine which threats are real versus which will simply exhaust your resources and distract you. Any one piece of that intelligence is not useful without the others.
Internal Patterns – Single Anomaly or Multiple?
There are vast and complex datasets to manage when addressing today’s advanced and dynamic threats. You have to know behavioral patterns well enough to know that this employee works 8-to-5 while that employee is on the system from 10-to-2 then midnight-to-4.
A midnight login is unusual for one and not for another. You also need to know what people usually do while they’re logged in. This person accesses these resources regularly. One day she does something different. Maybe her job changed and it makes perfect sense. Maybe not. At the very least, it’s an anomaly.
Good threat intelligence starts with one anomaly and then looks for more. The human brain simply cannot process data of this magnitude, and needs help to sort it.
This is where unsupervised machine learning and deep learning become part of the solution. These patterns are discovered using machine and deep learning. The solutions are not prescriptive; they don’t assume they know what kind of attack to block. They’re just looking for something that’s odd – starting with one difference (a login at an unusual time), looking to see if there are additional anomalies (if the login is from an unusual place or if the user is behaving in new or surprising ways). If there are multiple anomalies, then external context becomes even more relevant.
External Context – Is Your Company Being Targeted?
If you spot an anomaly, you need to have more context to know whether or not to put resources into chasing it down. Have there been any attempts to create a fake domain? This is the first step in a phishing attack. Have any fake social accounts been created, posing as an account belonging to your company or to a company VIP? Has any sensitive data been indexed by search engines or in the dark net?
We know you’re at a higher risk of having your credentials compromised if your email address is on a dark web list. If our people, threats and assets systems see this, we act. We know that 95% of attacks are opportunistic or drive-by – therefore if attackers find that your credentials are available on the dark web, they will likely try. Therefore you are at higher risk.
Whether you start with information that’s internal or external, the same process works in both directions. The information is more useful once the dots are connected. If you detect leaked user credentials and also notice unusual behavior for that user (failed login attempts, logins outside normal hours of that user, logins from different locations) – the threat is probably real.
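The scoring described above (one anomaly, then look for more, then weigh external context) as an added example; this is illustrative code written for this article, not CYBERPROOF’s platform. The login log, the leaked-credential list and the score weights are all constructed and hypothetical.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample login log (user, ISO timestamp, country, success): not real data.
LOGIN_LOG = [
    ("alice", "2024-03-04T08:05:00", "US", True),
    ("alice", "2024-03-05T07:58:00", "US", True),
    ("alice", "2024-03-06T08:12:00", "US", True),
    ("bob", "2024-03-04T22:30:00", "US", True),
    ("bob", "2024-03-05T23:45:00", "US", True),
    ("bob", "2024-03-06T00:15:00", "US", True),
]

# Constructed external feed: users whose address appeared on a leaked-credential list.
LEAKED_USERS = {"alice"}


def build_baselines(log):
    """Per-user baseline: hours of day and countries seen on successful logins."""
    hours, countries = defaultdict(set), defaultdict(set)
    for user, ts, country, ok in log:
        if ok:
            hours[user].add(datetime.fromisoformat(ts).hour)
            countries[user].add(country)
    return hours, countries


def score_event(user, ts, country, recent_failures, baselines, leaked):
    """Return (score, reasons): each internal anomaly adds 1; leaked credentials add 2."""
    hours, countries = baselines
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    # Unusual hour: more than one hour (wrapping at midnight) from every baseline hour.
    if user in hours and all(min(abs(hour - h), 24 - abs(hour - h)) > 1 for h in hours[user]):
        reasons.append("unusual hour")
    if user in countries and country not in countries[user]:
        reasons.append("unusual location")
    if recent_failures >= 3:
        reasons.append("failed logins before success")
    score = len(reasons)
    # External context only raises priority; on its own it never reaches "investigate".
    if user in leaked:
        reasons.append("credentials on leaked list")
        score += 2
    return score, reasons


def triage(score):
    """Map a score to an analyst action; thresholds are arbitrary constructed values."""
    return "investigate" if score >= 3 else ("watch" if score >= 1 else "ignore")
```

Bob’s midnight login from his usual country scores zero because midnight is normal for him, while Alice’s midnight login from a new country after several failures, with her credentials on a leaked list, is the case worth an analyst’s time.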
Picking the Riskiest User – Turning Noise into Signals:
Many of the most damaging breaches have been detected in advance, but the breach still happened. Why? Teams did not have the experience to recognize, prioritize, and respond. Those who follow the industry know that advanced hackers are often inside company networks for many months before they start their attack, studying the network from the inside and creating their own vulnerabilities. That’s a scary thought. But it’s also an opportunity, especially if you’ve got access to someone who knows how hackers think and operate.
Most security teams are trained on defense, using out-of-the-box technology (without changing the threshold settings) to target known threats. But a purely technological view is a disability: experienced hackers know how to get around these settings. To evade a persistent attacker, the objective is to frustrate. An expert – likely a hacker himself or herself – knows how to play offense. You need people who know that if you’re looking for possible phishing attacks, if you don’t detect and respond within a few hours, you’re already too late ... People who know that you don’t search the dark net directly, but search your own repositories (so that you don’t expose your methods).
Hackers are more sophisticated than ever. But so are you. Whether it’s a simple drive-by or a targeted attack – we need to identify and find the key things for your operations teams to respond faster. If you’ve got targeted and timely external threat alerts, integrated with internal behavior anomalies – all validated by experts – you’ve got threat intelligence that’s actually useful.