Earlier we described why an organization needs a threat intel-driven cybersecurity risk management approach and how to organize intel-driven cybersecurity risk management across the threat maturity lifecycle. Today we discuss how to implement a threat intelligence framework.
Implementation guide
For commercial companies operating in competitive markets that want to limit corporate liability, ensure business continuity and protect intellectual property, it is prudent to start developing threat defense plans as early as the "Child" stage. This lets a company prepare for a full-blown attack on its networks without incurring the cost burden of acting already in the "Infant" or "Embryo" stages.
At the same time, the five-stage model may prove too detailed for smaller enterprises and need significant simplification, since its foundations were laid at Intel, a global company. However, it is irrational to use fewer than three stages (the classic traffic light), since otherwise there will be no time even for basic, timely planning and budgeting of projects.
You can start with an analysis of the information security policy (the top-down approach), identifying the threats that the organization already considers relevant (for simplicity, we assume that the policy contains a threat model or information security architecture, either directly or indirectly, through a list of key information security risk mitigation measures). At the same time, it is worth deploying an IDS and seeing what is visible on the network (even with the default detection rules) — the bottom-up approach is also feasible.
Combining the top-down and bottom-up approaches creates a "down and up" format. This approach not only gives greater visibility of threats but also increases the authority of the information security service within the business, which usually uses the same top-down/bottom-up cycle for business planning, product management and budgeting. In general, by applying the management practices the business itself uses, the information security service positions itself as a pragmatic business unit rather than as "regular IT geeks" or "consultants hovering in the clouds".
Having formed a list of threats, you can determine what stage of development each threat is at. For example, mobile threats have grown to the "Adult" stage over the past few years, as evidenced both by malware statistics and by the high-profile vulnerabilities in Android. Add the statistics of analytical agencies on organizations' intentions to invest in the protection of mobile technologies (IT Security Budget Spending Priorities) and you will see the importance of doing this for your company, if you have not done so already.
For large and global organizations, dozens or even hundreds of threats can be identified; a small business should limit itself to three to five, perhaps up to ten. Too many tracked threats will turn cyber intelligence from a decision support process into another "work just in case" exercise. The organization should be able to act on the monitoring results.
Sources of outward signs for threat intelligence
Outward signs can be collected from three categories of sources:
- open information (Open Sources, OSINT Sources);
- free services of information security companies;
- paid services of information security companies.
Public information can be collected from both online and offline sources:
- specialized portals;
- thematic conferences;
- online media and printed publications;
- news feeds of rapid response cyber teams (CERTs);
- databases of vulnerabilities;
- analytical reports of information security companies;
- hacker forums.
It is clear that full-fledged monitoring of external sources can only be organized in a very large organization, for example one of the TOP-20 in the country by revenue. However, in addition to the obvious prioritization (we read only one leading vendor's report on network security, only one on endpoint security, etc.), there are at least three strategies for organizing monitoring:
- independent monitoring of external sources;
- consumption of external monitoring;
- mixed strategy.
There are a number of companies that are leaders in the global cyber intelligence market:
- Dell (SecureWorks);
- FireEye (iSIGHT Partners);
- IBM (X-Force Lab).
Cyber intelligence products are divided into three levels: strategic, tactical, and operational.
The strategic level consists of four main products:
- reports on regional cyber threat landscapes;
- industry-specific threat reports (e.g. gaming);
- annual threat reports and forecasts for the next year;
- customer-specific threat reports (typically Fortune 500 companies with significant IT dependency).
The tactical level consists of two main products:
- situational awareness reports on the current situation, for example during massive attacks on banks and government websites;
- reports on significant groups of cybercriminals, vulnerabilities, and malicious code, including recommendations for identifying threats and closing vulnerabilities.
The operational level consists of subscriptions (feeds), usually in machine-readable form, containing potential indicators of attacks, such as:
- IP addresses of attackers;
- hash sums of malware;
- Tor exit nodes;
- DNS names of botnet control centers, etc.
In theory, subscriptions can increase the detection capabilities of already installed security controls, thereby increasing the return on the funds invested in them. This is especially important in the current economic conditions. In practice, the author used subscriptions from SIEM manufacturers in SIEM projects, and they really helped to find problems previously unknown to the customers in the corporate networks of TOP-50 banks.
Usually, there is a portal where customers can view the materials available to them, leave a request for new ones, or view the technical parameters for connecting to machine-readable subscriptions.
There are a number of vendors who have enough threat intelligence to be de facto leading players in the cyber intelligence market: Kaspersky Lab, Group-IB, Positive Technologies and Solar Security (listed in alphabetical order). All of them were sent an invitation to talk about their free services in the field of cyber intelligence.
Sources of internal intel
Many organizations have a variety of internal sources available:
- proxy logs;
- network security devices logs;
- network traffic logs (internal and perimeter traffic);
- LDAP logs;
- security logs (IDS, AV, etc.);
- custom correlation rules (hand-made IoCs);
- user behavior analytics;
- programs rewarding researchers for vulnerabilities found (including those who do it for the sake of fame);
- user reports.
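The operational-level feeds described above only pay off when they are actually matched against the internal sources just listed. The following Python script is an added example, not code from the original article or from any of the vendors named in it: it loads a constructed indicator feed covering the four indicator kinds mentioned (attacker IP addresses and CIDR ranges, malware hash sums, Tor exit nodes, DNS names of control centers) and runs it over constructed proxy, firewall and AV log lines. The CSV column layout, the feed source names and every address, domain and hash in it are assumptions made up for the example; real feeds arrive as CSV, JSON or STIX/TAXII and only the loader would change.

```python
"""Match a machine-readable indicator feed against local log sources.

Added example (not from the original article). Feed layout, source names
and all indicator values are constructed; real feeds differ in format.
"""
import csv
import io
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample feed in a hypothetical CSV layout.
FEED_CSV = """type,value,source,confidence
ip,203.0.113.45,feed-A,high
ip,198.51.100.0/24,feed-A,medium
domain,cnc.example.net,feed-B,high
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,feed-B,high
tor_exit,192.0.2.77,tor-exit-list,low
"""

# Constructed log lines in the style of proxy, firewall and AV logs.
SAMPLE_LOGS = [
    "2024-05-02T10:01:12Z proxy 10.0.0.15 GET http://www.example.com/ 200 1532",
    "2024-05-02T10:01:19Z proxy 10.0.0.23 POST http://cnc.example.net/gate.php 200 88",
    "2024-05-02T10:02:03Z proxy 10.0.0.15 GET http://update.cnc.example.net/a.bin 200 40960",
    "2024-05-02T10:03:41Z fw DENY src=10.0.0.23 dst=203.0.113.45 dport=443",
    "2024-05-02T10:03:55Z fw ALLOW src=10.0.0.31 dst=198.51.100.77 dport=8080",
    "2024-05-02T10:04:10Z fw ALLOW src=10.0.0.31 dst=192.0.2.77 dport=9001",
    "2024-05-02T10:04:30Z fw ALLOW src=10.0.0.40 dst=93.184.216.34 dport=443",
    "2024-05-02T10:05:00Z av host=WS-015 file=a.bin sha256="
    "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
    "2024-05-02T10:05:30Z av host=WS-016 file=notepad.exe sha256=" + "00" * 32,
]


@dataclass
class Indicator:
    kind: str
    value: str
    source: str
    confidence: str


@dataclass
class IndicatorSet:
    ips: dict = field(default_factory=dict)       # exact address -> Indicator
    networks: list = field(default_factory=list)  # (ip_network, Indicator)
    domains: dict = field(default_factory=dict)   # domain -> Indicator
    hashes: dict = field(default_factory=dict)    # sha256 hex -> Indicator


def load_feed(text: str) -> IndicatorSet:
    """Parse the CSV feed into lookup structures keyed by indicator type."""
    ind = IndicatorSet()
    for row in csv.DictReader(io.StringIO(text)):
        item = Indicator(row["type"], row["value"].strip().lower(),
                         row["source"], row["confidence"])
        if item.kind in ("ip", "tor_exit"):
            if "/" in item.value:  # CIDR range -> membership test later
                ind.networks.append((ipaddress.ip_network(item.value, strict=False), item))
            else:
                ind.ips[item.value] = item
        elif item.kind == "domain":
            ind.domains[item.value] = item
        elif item.kind == "sha256":
            ind.hashes[item.value] = item
    return ind


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")  # needs an alphabetic TLD


def match_line(ind: IndicatorSet, line: str) -> list:
    """Return [(matched_value, Indicator)] for every indicator found in one log line."""
    hits = []
    text = line.lower()
    for ip in IPV4_RE.findall(text):
        if ip in ind.ips:
            hits.append((ip, ind.ips[ip]))
            continue
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:  # loose regex also matches e.g. 999.1.1.1
            continue
        for net, item in ind.networks:
            if addr in net:
                hits.append((ip, item))
    for host in HOST_RE.findall(text):
        labels = host.split(".")
        # A hostname matches if it equals the indicator or is a subdomain of it;
        # the bare TLD is never tried.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in ind.domains:
                hits.append((host, ind.domains[candidate]))
                break
    for digest in SHA256_RE.findall(text):
        if digest in ind.hashes:
            hits.append((digest, ind.hashes[digest]))
    return hits


def scan(ind: IndicatorSet, lines) -> list:
    """Scan many log lines; returns [(line, matched_value, Indicator)] in log order."""
    return [(line, value, item) for line in lines for value, item in match_line(ind, line)]


def summarize(hits) -> dict:
    """Count hits per feed source, to see which subscription actually earns its keep."""
    return dict(Counter(item.source for _, _, item in hits))


if __name__ == "__main__":
    indicators = load_feed(FEED_CSV)
    for line, value, item in scan(indicators, SAMPLE_LOGS):
        print(f"{item.kind:8} {value:40} {item.source:14} {item.confidence:6} <- {line}")
    print(summarize(scan(indicators, SAMPLE_LOGS)))
```

The per-source summary is the part worth keeping in a real deployment: it gives the monitoring team a simple basis for deciding which paid or free subscription produces findings in this particular network and which one only adds noise.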
Skillful use of all these tools will allow you to identify threats that have already penetrated the perimeter of the organization's network.
Benchmarking intel
Information about peers' projects and information security measures is confidential by default, but it can still be obtained from a number of sources:
- reports of analytical agencies (IT Budget Stats, State of Security, etc.);
- reports from consulting firms, primarily Big4 (Global Security Reports, etc.);
- thematic conferences;
- thematic media;
- procurement notifications;
- personal communication with colleagues;
- interviews with specialists;
- information security service benchmarking services provided by analytical agencies or consulting firms.
Intelligence has historically been the prerogative of the state. In this regard, cyber intelligence without observing certain rules can have negative consequences for both the employee engaged in it and the organization as a whole.
For the safe conduct of cyber-intelligence activities, it is recommended to create a list of information prohibited from collection, track changes in legislation, and periodically update the list.
Such a list may include:
- information about the cyberspace military capabilities of the country of which the organization is a resident;
- personally identifiable information;
- information marked "Commercial secret" or "State secret" and any other information protected by the legislation of the country of which the organization is a resident.
By the way, specialized information security companies can conduct cyber intelligence more freely, since they usually have close ties with law enforcement agencies and special services (they help them catch cybercriminals or act as experts in court).
Conclusion
By combining the knowledge of threats gathered by cyber intelligence with knowledge of the importance of business processes, business systems and assets, you can proactively manage risk, reducing the cost-effectiveness of attacks against your specific organization.
Constant monitoring will steadily fill the knowledge base with relevant and understandable information that helps choose the right moment and method for developing the information security system and make a convincing case to management to secure their buy-in.
In summary, strategic threat intelligence helps to manage information security risks, and for companies that are skeptical about such management it can de facto replace information security risk management as far as external threats are concerned.
Addendum 1: Example of a threat sources list
Information from IT vendors:
- Adobe Security Notification Service
- Oracle Security Alerts
- Microsoft Security Tech Center
- Red Hat security updates
- Cisco Security Center
- Juniper Cyber Intelligence Center
Information from information security vendors and rapid response cyber teams:
- Digital Security Research Center
- IDefense Public Vulnerability Feed
- Positive Technologies Research Center
- CheckPoint Threat Prevention Center
- Symantec Security Center
- HP Enterprise Threat Center
- IBM X-Force Threat Center
- McAfee Security Lab
- Trend Micro Internet Threat Research
- Kaspersky Lab Threat Analytics
- Dr.Web virus activity analysis
- ThreatExpert Threat Analysis Service statistics
- CERT (Computer Emergency Response Team) of United States (US-CERT)
- ICS CERT (US-CERT)
- CERT of Carnegie Mellon University (USA), the oldest CERT in the world
- FireEye M-Trends
- Verizon Security Blog
- Hacker Intelligence Initiative by Imperva
Information from anti-DDoS service providers:
- Arbor Knowledge Library
- Radware Security Portal
- Akamai Knowledge Center
Threat intel databases:
- Zone-H Hacking Registry
- Seclists security mailing lists
- Full Disclosure vulnerability mailing list
- Malc0de malware and link database
- MalwareDomainList malware and link database