The intelligence cornerstone
Security strategies have moved far beyond intrusion detection. In a world without boundaries, the line between inside and outside is blurred. Advanced hacking can create new vulnerabilities from within, making it almost pointless to defend an organization’s ‘borders’. Security intelligence has taken on new importance as we move away from the old military defense lines and toward guerrilla warfare. Just as intelligence has been a cornerstone of the war on terror, intelligence is becoming a critical requirement for large organizations that may be targeted by hacktivists or may simply be unfortunate bystanders in a mass attack.
So where do you get security threat intelligence and how do you use it? Reviewing lists of bad sites and IP addresses from the open source community is a start; but it is child’s play compared to the advanced, war-room techniques that leading security specialists are using. Their day reads like a Tom Clancy novel. Through hyper-vigilance and incredible brainpower, they gather information, watch trends, and spot anomalies invisible to the rest of us. Then, they investigate these anomalies much as an FBI profiler would work to understand their target. Two of these HP security experts, Jason Lancaster and Brian Hein, shared some examples of the techniques they are using and the insight they are able to achieve.
Know thy enemy
Social media is the prime vehicle hacktivists use to communicate and craft their plans; its use distinguishes hacktivists from nation-state-sponsored hackers or individual hackers. While a nation state wants complete secrecy and an individual hacker wants recognition, the hacktivist needs to get others on board with their cause, essentially mobilizing a flash mob to enlist in the cyber protest. Social media is a key tool for doing this. Their approach is somewhat similar to that used by physical protest movements such as Occupy Wall Street. Initial plans are often developed in underground channels or Internet Relay Chat (IRC). Then social media is used to gain support from a much broader base. Sites such as Pastebin.com provide free, uncensored text hosting where hackers can share information via anonymous posting with less chance of their posts being linked back to them personally. HP experts like Jason and Brian gather raw traffic data from sites such as these, plus internet chat, YouTube, Twitter, Facebook, Google, and traditional media. Then, using HP and third-party software, they look at the frequency of hashtags, topics, geo-locations, and so on. Together with linguistic analysis, the sentiment of a tweet or other communiqué can be determined, and patterns of negative or positive sentiment around a given topic begin to emerge. The momentum of a specific idea is also tracked, and detection of a spike in mentions can be an early indicator of an incident requiring further investigation.
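The momentum tracking described above, reduced to its simplest form as an added example (this is illustrative code, not HP's tooling): count mentions of a topic per hour over a constructed message feed and flag an hour whose count jumps well above the trailing baseline. The topic tag, the message feed and the z-score threshold are all assumptions chosen for the illustration.

```python
from collections import Counter
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed sample feed of (timestamp, text); not real social media data.
# The hashtag is a made-up placeholder for a topic under observation.
SAMPLE_MESSAGES = [
    ("2012-03-01T08:05", "anyone seen the new #optopic post on pastebin?"),
    ("2012-03-01T09:40", "weather is nice today"),
    ("2012-03-01T10:15", "#optopic planning thread is up"),
    ("2012-03-01T11:02", "lunch time"),
    ("2012-03-01T12:30", "#optopic: brainstorming continues"),
    ("2012-03-01T13:10", "reading the news"),
    ("2012-03-01T14:00", "#optopic proof of concept posted"),
    ("2012-03-01T14:05", "#optopic looks real, joining in"),
    ("2012-03-01T14:12", "RT #optopic poc works"),
    ("2012-03-01T14:20", "#optopic everyone ready?"),
    ("2012-03-01T14:33", "#optopic count me in"),
    ("2012-03-01T14:41", "#optopic starting now"),
]

def hourly_counts(messages, topic):
    """Count mentions of `topic` per hour bucket, keeping quiet hours as zero
    so they pull the baseline down rather than being skipped."""
    stamps = [datetime.fromisoformat(ts) for ts, _ in messages]
    start, end = min(stamps).replace(minute=0), max(stamps).replace(minute=0)
    counts = Counter()
    for ts, text in messages:
        if topic in text.lower():
            counts[datetime.fromisoformat(ts).replace(minute=0)] += 1
    series, t = [], start
    while t <= end:
        series.append((t, counts[t]))
        t += timedelta(hours=1)
    return series

def detect_spikes(series, baseline_hours=4, threshold=3.0):
    """Flag an hour whose count exceeds the trailing baseline by `threshold`
    standard deviations (sigma floored at 1.0 so a flat baseline cannot make
    a single stray mention look like a spike). Returns (hour, count, z)."""
    spikes = []
    for i in range(baseline_hours, len(series)):
        window = [c for _, c in series[i - baseline_hours:i]]
        mu, sigma = mean(window), max(pstdev(window), 1.0)
        hour, count = series[i]
        z = (count - mu) / sigma
        if z >= threshold:
            spikes.append((hour, count, round(z, 2)))
    return spikes
```

In the constructed feed the 14:00 hour is flagged while the sparse earlier mentions are not; in practice the analyst would then read the flagged hour's messages to decide whether it represents brainstorming, a proof of concept, or noise.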
Cut through the noise
By monitoring all of this chatter, HP experts have been able to identify potential attacks before they happen and have successfully forewarned HP security customers of pending threats. In fact, they have begun to recognize certain patterns of behavior that indicate an impending attack. First, there may be an announced intent, followed by brainstorming among hacktivist members; sometimes a proof of concept will follow, and then finally the attack itself. Each of these stages can be characterized by analyzing traffic on the web. These HP experts have been able to cut through the noise and identify the relevance of data in a way never before possible.
Change the game
So while we continue to develop and improve upon our industry-leading security products, there is a complementary path that moves beyond building a better mousetrap and focuses instead on the mouse. In this model, high-quality, reliable threat intelligence is a fundamental capability, moving beyond an enhancement to intrusion detection or security event correlation. Threat intelligence becomes the underlying theme of security and risk management, and not having this insight would be like running blind.
So how do you collect and analyze this threat intelligence? Do you invest in hiring experts like Jason and Brian yourself? This may be out of reach for all but the largest companies. Or do you subscribe to a service where hired guns such as these watch your back without a large capital investment or an increase in staff?
Subscribe to greater protection
If we look outside of security, established subscription models are bringing low-cost insight and better risk protection. One such example, ImpactWeather, applies detailed data and superior analysis of weather patterns to watch the off-shore drilling and production assets of most of the major oil companies. With more granular intelligence than is available publicly, they are able to provide very specific advice to subscribers about which assets or platforms to evacuate in the face of severe storms. Retailers, banks, and other industries are also seeing the value of greater insight and analysis concerning weather-related risks to their unique assets and geographic locations. They can re-route distribution, bring in more staff, and otherwise better prepare for major weather events via the insight and intelligence delivered by this service. Similarly, how much would specific insight and advice be worth if it could help you avoid security threats that could bring down your whole business or have a lasting impact on brand reputation?
In a subscription model, the cost of gathering more detailed data and analyzing it is spread across a number of subscribers. Subscribers may provide additional data points (such as asset locations in the example above) so the analytics can be mapped to their unique business risks, but the overall expertise, methods, and tools are shared by all, making actionable intelligence affordable. This approach brings the best of both worlds: proven expertise providing specific, constructive intelligence to mitigate risk, along with a low cost of entry and predictable expenses.
Enlisting ‘special forces’
In this new world of threat intelligence, focusing on the attacker’s communications and actions can provide a greater ability to identify and block attacks before they do harm. Doing so requires data sourced from social media, a new set of tools, and analytical skills that move beyond traditional security and risk management. Such intelligence about the ‘bad guys’ requires expertise and investigation typical of the most engrossing spy novels. How you obtain this capability is the challenge. Subscription services will play an important role in bringing this level of sophisticated threat intelligence within reach of a large number of enterprises.
Regardless of whether you provide your own threat intel or enlist a third party, when it comes to threats, no news is good news. How would you measure the effectiveness of having good threat intelligence?