Threat Hunting
Hacking is up. Dwell time for attacks is increasing, and so is the financial impact. Attack activity itself is growing, as are the number and severity of reported vulnerabilities. The unavoidable conclusion is that what we have done up to this point has not been terribly effective. Ample opportunity and an evolving threat have given rise to a new approach: Threat Hunting.
Threat Hunters create and consume Cyber Threat Intelligence (CTI). CTI refers broadly to structured and unstructured products that provide insight into potential cyber security attacks. Structured data exchange is extremely effective when timely communication is a core requirement, such as when attempting to contain malware with a highly adaptive propagation engine. Structured CTI is built around Indicators of Compromise (IoCs): discrete, observable data points (file hashes, IP addresses, domain names, URLs, registry keys and the like) that have previously been seen as part of successful or unsuccessful cyber attacks. IoCs are very helpful when attempting to detect or confirm a cyber attack. Recently a pair of open standards for CTI, published by OASIS, have established a common language and method of exchange for threat intelligence: STIX describes the intelligence itself (indicators, malware, campaigns, threat actors and the relationships between them), and TAXII is the transport protocol for exchanging it. These standards are gaining traction and nearing the status of “industry standards”. While effective at sharing basic information, nothing can rival a detailed forensic analysis of malware behavior when it comes to containment and recovery from a cyber attack. For this reason, unstructured resources such as vendor research blogs (e.g. Cybereason) will continue to be a tremendous resource for Threat Hunters.
CTI producers can be independent security researchers, cyber security service providers, or government organizations (e.g. DHS). CTI producers work on the public Internet, actively surveilling, moving towards and analyzing threats. They also continuously evaluate attack methodologies and malware to derive signatures. The goal is to uncover nefarious behavior early in the hack cycle and help defuse the propagation mechanics before attack campaigns achieve broad reach. For example, a potentially devastating strain of ransomware (WannaCry, in May 2017) was shut down early in its lifecycle when the security researcher known as MalwareTech analyzed the binary, noticed that it checked an unregistered domain before running, and registered that domain, which acted as a kill switch. Adding momentum to this trend, in March 2019 the NSA open sourced Ghidra, a software reverse engineering framework well suited to malware analysis.
Once created, CTI data flows to Top Level Aggregators (TLAs) organized around business Communities of Interest (COIs), called Information Sharing and Analysis Centers (ISACs), e.g. Health-ISAC and the Retail and Hospitality ISAC. Check out the DHS Cyber Information Sharing and Collaboration Program (CISCP) for a primer on the conceptual and data architecture under implementation.
In its most basic sense, Merriam-Webster defines a threat as “an indication of something impending”. Threats are external to the organization and have not yet occurred. This is the true organizational value proposition of CTI: it helps organizations understand and prioritize which external threats are the most relevant to them, and therefore where to focus their attention and limited resources to decrease the risk of succumbing to a cyber attack.
The ISACs distribute structured CTI to downstream consumers such as small, medium, and large businesses. CTI data typically flows into an organization via its Security Operations Center (SOC), where analysts process it and apply it to internal security events (e.g. in a SIEM). The structured CTI feeds provide insight into successful attacks on similar organizations. SOC analysts apply these insights, along with organizational context, to determine exposure to the threat and whether a similar attack is already in mid-cycle within the organization.
From a SOC point of view (PoV), analysts should be focused on activities such as: consuming CTI to determine the relevance and priority of external threats; developing timelines for identified threats; validating IoC patterns for identified threats; presenting digested intelligence at the management and peer level; and finally building IoC- and behavior-based detection signatures for high-priority threats.
Organizations can also align Threat Hunter activities to a tiered operations model (Tier I - IV). At Tier IV, Threat Hunters are focused on advanced activities such as: developing modular analytical frameworks that generate detection algorithms; extracting threat characteristics (behavior + IoCs) from unstructured CTI work products; enriching threat characteristics for algorithm development; tailoring and contextualizing algorithms to the organization's own architecture; and finally optimizing or adapting algorithms to reduce false positives.
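Worked example (added for this page; it is not part of the original article and not CyberWorx tooling): the flow described in the preceding paragraphs in code, from a structured STIX indicator bundle to a per-host timeline. It parses a constructed STIX 2.1 bundle such as a TAXII client would retrieve, extracts the IoCs from each indicator pattern, matches them against constructed proxy and EDR events (the SOC step of applying CTI to internal events and validating IoC patterns), builds the analyst's timeline, and applies organizational context (an allowlist of hosts expected to touch known-bad infrastructure, such as a detonation sandbox) to suppress the false positives a Tier IV hunter would tune out. The bundle contents, the log format and field names, the hostnames and the allowlist are all assumptions made for the example; the addresses come from RFC 5737 documentation ranges.

```python
"""Apply a STIX 2.1 indicator bundle to internal log events, build a per-host
timeline, and suppress known false positives. Everything here is constructed
for illustration: bundle, log lines, field names and allowlist are made up."""
import json
import re
from collections import defaultdict


def _indicator(n, name, pattern):
    """Minimal STIX 2.1 indicator with the required properties filled in (constructed)."""
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--00000000-0000-4000-8000-00000000000{n}",
            "created": "2024-03-01T00:00:00.000Z", "modified": "2024-03-01T00:00:00.000Z",
            "name": name, "indicator_types": ["malicious-activity"],
            "pattern_type": "stix", "pattern": pattern, "valid_from": "2024-03-01T00:00:00Z"}


# A constructed bundle, serialized the way a TAXII client would hand it over.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        _indicator(2, "Loader C2 infrastructure (constructed)",
                   "[domain-name:value = 'cdn-update.example' OR ipv4-addr:value = '203.0.113.45']"),
        _indicator(3, "Loader dropper binary (constructed)",
                   "[file:hashes.'SHA-256' = '0a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9']"),
    ]})

# Simple equality comparisons inside a STIX pattern: object-type:property.path = 'value'
COMPARISON = re.compile(r"([a-z0-9-]+):([A-Za-z0-9_.'-]+)\s*=\s*'([^']*)'")


def extract_iocs(bundle_json):
    """Return {(object_type, property_path, value): indicator_name} for every
    equality comparison in each 'stix'-typed indicator. Values are lower-cased
    so hashes and hostnames compare case-insensitively."""
    iocs = {}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        for otype, path, value in COMPARISON.findall(obj["pattern"]):
            iocs[(otype, path, value.lower())] = obj["name"]
    return iocs


# Organizational context: which log fields carry each observable (assumed names).
FIELD_MAP = {
    ("domain-name", "value"): ("dst_host",),
    ("ipv4-addr", "value"): ("dst_ip",),
    ("file", "hashes.'SHA-256'"): ("sha256",),
}

# Hosts whose hits are expected; the Tier IV tuning step that removes known false positives.
ALLOWLIST_HOSTS = {
    "sandbox-01": "internal detonation sandbox; contacts known-bad infrastructure by design",
}

# Constructed proxy and EDR events: timestamp followed by key=value pairs.
LOG_LINES = """\
2024-03-04T09:12:01Z src=proxy host=ws-017 user=jdoe dst_host=cdn-update.example dst_ip=203.0.113.45 action=allow
2024-03-04T09:12:05Z src=proxy host=ws-017 user=jdoe dst_host=www.example dst_ip=198.51.100.7 action=allow
2024-03-04T09:13:40Z src=edr host=ws-017 event=process_start sha256=0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9 path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe
2024-03-04T11:02:13Z src=proxy host=sandbox-01 user=svc_sbx dst_host=cdn-update.example dst_ip=203.0.113.45 action=allow
"""


def parse_event(line):
    """Turn 'TS k=v k=v ...' into a dict; the first token is the timestamp."""
    ts, *pairs = line.split()
    event = {"ts": ts}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def hunt(bundle_json, log_text, allowlist=None):
    """Match every IoC against every event. Returns (hits, suppressed): real
    hits, and hits on allowlisted hosts annotated with the suppression reason."""
    allowlist = allowlist or {}
    iocs = extract_iocs(bundle_json)
    hits, suppressed = [], []
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_event(line)
        for (otype, path, value), name in iocs.items():
            for field in FIELD_MAP.get((otype, path), ()):
                if event.get(field, "").lower() != value:
                    continue
                hit = {"ts": event["ts"], "host": event.get("host"),
                       "field": field, "value": value, "indicator": name}
                if hit["host"] in allowlist:
                    hit["reason"] = allowlist[hit["host"]]
                    suppressed.append(hit)
                else:
                    hits.append(hit)
    return hits, suppressed


def timeline(hits):
    """Group hits per host in time order: the raw material for the analyst's threat timeline."""
    by_host = defaultdict(list)
    for hit in sorted(hits, key=lambda h: h["ts"]):
        by_host[hit["host"]].append(f"{hit['ts']} {hit['field']}={hit['value']} <- {hit['indicator']}")
    return dict(by_host)


if __name__ == "__main__":
    found, dropped = hunt(STIX_BUNDLE, LOG_LINES, ALLOWLIST_HOSTS)
    for host, entries in timeline(found).items():
        print(host, *entries, sep="\n  ")
    for hit in dropped:
        print(f"suppressed {hit['host']} {hit['field']}={hit['value']}: {hit['reason']}")
```

Run directly, it prints a three-event timeline for ws-017 (C2 domain, C2 address, dropper hash) and two suppressed hits from the sandbox host. The regex extractor handles only simple equality comparisons, which is what most IoC feeds contain; a production matcher would use a real STIX pattern parser (the OASIS cti-pattern-validator project provides one) and would also honour valid_until and revoked indicators before matching.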
As tailored algorithms are applied within an organization, it is likely that real-world cyber attacks will be detected. Once a threat has passed the defensive perimeter of an organization, it is no longer a threat; it is an attack, and an attack requires a response. Let CyberWorx guide your organization so you are prepared to weather the next storm.