– TLP White
Globally, hundreds of thousands of companies employ “big data” in one way or another. With millions of devices connected to their respective enterprise servers, threat analysis and cyber security become a major challenge. In fact, most major companies have a team dedicated to the threat intelligence process. Here are a few insights into how these computer experts – in some instances more formally known as data scientists – do what they do with cyber threat intelligence.
Intelligence gathering – Identifying the risks associated with an enterprise level asset is the first step in a structured threat intelligence process. On a strategic level, this means producing a long-term overview of the enterprise’s cyber threat landscape. Secondly, on an operational level, it means proactively assessing potential threats associated with ongoing events, incidents and other activity. Lastly, on a tactical level, it means responding to specific real-time events associated with malware, phishing campaigns and other malicious activities. A simple example is the investigation of suspicious emails and the determination of what specific information the sender is seeking.
Data analysis – The complexity of this stage in the threat analysis process ranges from the quite simple to the extremely sophisticated. The former may include such things as ensuring that passwords are regularly changed, that employees are sufficiently knowledgeable to not succumb to phishing attacks and that the physical assets themselves are isolated and secured from manual manipulation. More refined analysis can identify the manner in which a hacker defaced a particular site or gained entry into the asset itself to cull information suitable to their own purposes.
Detection tactics – Threat intelligence teams have a number of technological resources at their disposal. Packet analyzers – also known as port sniffers – can intercept and log traffic that passes over a digital network. End-point detection and response (EDR) software can help identify problems facilitated by end-users. Looking for anomalies in the system logs can often lead to the detection of incipient threats. Similarly, even a cursory inspection of the incoming mail and monitoring different logs can provide valuable clues as to how your particular enterprise network is being attacked.
Digital Forensics – In the simplest terms, digital forensics is the recovery and investigation of material – malicious or otherwise – found on a digital device. On a more technical level, this process generally means locating extraneous artifacts observed on a network or on a computing device that indicate an intrusion. These artifacts – referred to as Indicators of Compromise (IOC) in a cyber security incident or event – can include finding unknown IP addresses and file attributes, the IDing of malicious files as well as the locating of domain names or URLs of (Infrastructer) an attacker’s command and control servers.
Incident response – Obviously, removing the offending malware will be the first priority. Next, the utilization of network intrusion detection systems (NIDS) and host-based intrusion detection systems (HIDS) can help to detect, mitigate – hopefully eliminate – any further compromises to the network. These systems typically rely on the use of software that recognizes patterns in the incoming traffic (signature-based detection) or detecting deviations from so-called “good” traffic (anomaly-based detection) and machine learning (signature-less behavior based).
In addition, the proper EDR and anti-virus software can help protect against a wide variety of network intruders including:
• browser helper objects
• browser hijackers
• user behavior analytics
• fraud tools
• malicious link state packets
• trojan horses
• misuse of corporate resources
End-user feedback – As already mentioned, there are numerous technological pieces to the threat intelligence process but also integral to it is the human element – not just the data scientists but also the end-users. It is incumbent upon a company to keep the people who actually use the network apprised of any cyber security risks and to inform them of the proper procedures for handling any suspicious activities such as social engineering attacks and suspicious emails. This broad proactive approach utilizes every “eyeball” in the organization and will help the threat intelligence team meet and counteract the vast majority of intrusion attempts before they can do any significant harm.
Information sharing – There are a large and quite diverse number of computer threats. They encompass everything from a simple spam or scam attack to the more high-tech attack. Targeted spear phishing utilizes social engineering techniques to deliver malware and gain access to personal data or intellectual property. In addition, more computer-savvy hackers, also known as advanced persistent threats (APTs) will employ sophisticated tactics, techniques and procedures (TTPs) in order to gain persistence and exfiltrate data from their targets. All in all, there is a tremendous amount of broad-based, technical knowledge needed to foil these threats. Companies that share information with each other are better prepared to detect intrusions and handle breaches than those that only rely on their own resources. There are a number of general forums such as the Cyber Security & Information Systems Information Analysis Center (CSIAC) and industry-specific ones like the National Health Information Sharing and Analysis Center (NH-ISAC) to facilitate this sharing within the health care sector.
The Intelligence Cycle – A noted threat intelligence expert, Matthew McKnew from ThermoFisher Scientific – a multinational biotechnology firm – likens the whole cyber threat intelligence process to a feedback loop. In this loop, security requirements are stated. Next, the appropriate data collection is planned, implemented, and evaluated. The results are then analyzed to produce the threat intelligence. Finally, that intelligence is disseminated and fed back into the environment. The process is then repeated as consumer feedback is collected, analyzed and added to by other feeds such as from NH-ISAC. In short, threat intelligence is not an end-to-end process but an iterative one. Mr.McKnew says that “being actively involved with NH-ISAC threat intel sharing helps us keep our fingers on the pulse of the (healthcare) group as a whole and understand what types of threats others are seeing.”
Maintaining data security across a large enterprise system is certainly a daunting challenge, especially as hackers and phishers are constantly evolving new methods to circumvent existing security techniques. Data scientists and other cyber security professionals, however, are well-equipped to meet the challenge. For more information on understanding the integral connection between cyber threat intelligence and big data and to learn how information sharing can be a threat mitigation tool, please visit us online at NHISAC.org and consider becoming a member of the NH-ISAC community.