Using Threat Intelligence Against Cybercriminals


ThreatStream Optic: Easy to Build Trusted Communities For Sharing Threat Information. 

According to security engineers, the problem with network defense these days is two-fold.

First, no matter how innovative the defensive technology deployed, it will eventually be breached or circumvented. And because most of the top attackers and groups collaborate, the tools and techniques used to successfully break down defenses are quickly shared. Most companies and governments, on the other hand, have not traditionally shared data about successful attacks. So even if one company spots a particular vulnerability and fixes it, other companies will probably remain in the dark and be hit with an attack that could have been prevented.

Secondly, now that so many security tools generate alerts about possible threats, it’s almost as if a dam has broken. There is so much raw threat data circulating that it becomes difficult, if not impossible, for any one person or even one organization to parse it all and find the relevant nuggets that relate to their specific situation.

That is where Threat Intelligence comes into play. This is a relatively new concept that is still being defined and modified by the very companies that offer it, even as it becomes a cornerstone of many network defensive plans. We got some hands-on training and testing with threat intelligence platforms from ThreatConnect, ThreatStream, Soltra, Arbor Networks and iSIGHT.
In general, there are two main types of threat intelligence vendors. The first is the threat intelligence provider, which finds external data about threats and emerging attack trends and shares that data with subscribers. The second is the company that has built a software platform that pulls in multiple feeds from potentially hundreds of sources and then sorts that data so that the most relevant threats are shown to users in the form of alerts.

But there is a lot of crossover. A threat intelligence provider may parse data for subscribers by industry or type, or even specific servers and programs running on a client network, while a platform vendor might provide their own threat feed streams in addition to just tracking others. Finally, many products in both groups offer some form of collaboration, making it easier for companies and organizations to share security information, while protecting any proprietary data from slipping out to competitors. Each of the threat intelligence products we looked at approached the topic differently, with each adding unique value to an organization’s security posture.

ThreatStream OPTIC

One of the most advanced Threat Intelligence Platforms (TIP) we looked at, ThreatStream OPTIC is designed to process, analyze and rank threat data from more than 170 open source feeds, up to 30 or more commercial feeds and several more produced by government organizations. Data tied to threats that specifically endanger a protected network is then passed to the appropriate personnel.

ThreatStream OPTIC is designed to work in conjunction with SIEM tools like QRadar and Splunk to determine if the data from outside threat streams is of concern to protected networks, such as if any outgoing traffic is hitting known malware sites. Depending on the program that OPTIC is paired with, patches or remediation actions can be deployed or even automated.

However, if an organization is not using a commercial SIEM product, it can still use ThreatStream OPTIC because it integrates with the open source alternatives, something ThreatStream can set up for customers if needed.
The ThreatStream program is designed to be deployed behind enterprise firewalls so that all the matching of internal threats and data processing takes place internally and is never vulnerable to data sniffing type attacks. Nobody on the outside would have any way of knowing what OPTIC is doing or what data is being parsed. OPTIC itself is a relatively small file in terms of installation size and can be deployed on a single Linux virtual machine.

The amount of threat data that OPTIC has access to is impressive, though the real magic is how the program examines all of that data to find relevant threat information based on the specific network it’s protecting. It can even monitor some of the dark web channels used by hackers to see if, for example, any credentials stolen from a protected organization are up for sale, and then alert affected users to immediately change their passwords.
Another unique feature is the inclusion of the Modern Honey Network (MHN) platform as a potential threat feed. MHN is an open source honeypot deployment program that allows organizations to set up traps to catch malware that is targeting specific data, sectors or technology. 

Once a threat is identified by the feeds and matched to some internal network indicator, users can drill down and get information on what that threat was attempting to do, which can then be matched to known threat data on adversaries, tools and techniques. Because information about threats is saved from the streams, researching a specific URL, for example, can be done anonymously because the analyst is looking at the threat data collected by OPTIC through the streams and not on the live Web. That way nothing like an IP address from a company security officer visiting a suspect site can tip off an attacker that their probing has been discovered. A further tool available in OPTIC is ThreatExplorer, which can help to visually show the links and connections between threats detected on the network with known threats streaming in from the global community and configured threat streams.

Once a threat is confirmed, administrators can share that data with their communities within OPTIC. Collected threat data can be carefully shared, with more or less information released depending on the levels of trust established in the program. For example, sharing something publicly with all OPTIC users might use the least amount of data, while sharing within a trusted circle of partners might include things like IP addresses or target data. That way, sharing is enabled for the good of the community without compromising any proprietary data, or anything that might inadvertently help the attackers. ThreatStream OPTIC, which starts at $50,000, is a very advanced program that can make sense of a nearly unlimited number of threat streams, and then share intelligence within a select community of users.

ThreatConnect 3.0

ThreatConnect 3.0 is a Threat Intelligence Platform (TIP) that puts a heavy emphasis on collaboration and community. It’s one of the strongest platforms for those who believe that the key to winning the war against adversaries is to rally the affected communities to band together for mutual support and defense.

At the time of our testing, there were more than 4,000 active users on the ThreatConnect platform. A user does not necessarily mean an individual person, but could also represent an organization or an entire enterprise. ThreatConnect collects threat streams from multiple sources and then allows specific communities of users to collaborate on what steps work, who the adversaries are and what they are targeting. Users are even able to write specific apps that can be deployed through ThreatConnect, after being approved by administrators, to take actions that benefit the community, such as deploying a patch to a specific type of firewall to help block an emerging threat in a specific industry.

ThreatConnect can be deployed as a public cloud application, a private cloud application or as an on-premise solution. Company officials say it takes about one to two weeks to install ThreatConnect, make it the hub of security operations for an organization and train users. It might take slightly longer for an on-premise installation. Our test used the public cloud version.

Users of ThreatConnect are first evaluated based on where they sit on a five-tier security maturity model, with the goal of eventually getting every organization up to the final step in the model. At level one, organizations may be purchasing outside threat streams but not doing much with them. Level two is where they begin to process their own data, which might mean cutting and pasting log files into spreadsheets to look for threats and trends. Level three is when a company starts to incorporate threat data from others to compare it with their own, and is where many customers begin in the maturity model with ThreatConnect. At level four, everything begins to get integrated: alerts from internal Security Information and Event Management (SIEM) software are compared to external threat data from the streams to generate real threat intelligence. Finally, at level five, most of the internal security problems have been addressed and the organization can begin sharing its own collected data with the community, protecting not only its supply chain but possibly its entire industry and sector.

The main ThreatConnect interface is a splash page showing general information about the current state of threats, threat actors, victims and other indicators being tracked by the program worldwide, or by the specific communities that users join. To join a community, a user needs to apply. So the owner of a store might join the Retail Community while a bank might join the Global Financial Services community. Communities are administered and moderated by users, and individual access and membership must first be approved, so that only companies that are actually part of a community can have a hand in defending it. Once a user joins a community, the main splash page can be configured to show just that information.

Regardless of what communities are joined, from the main page each individual threat intelligence feed that an organization has access to can be clicked on. The entire interface is a drill-down model, where users can keep clicking for increasingly specific information about threats including IP addresses used for attacks, information about the threat actors, the MD5 hash of the malware being used and any contributed insights, documents or solutions offered up by the community. Once singled out, individual adversaries can be tracked so that new attacks that use the same techniques, servers or information can be linked back to the original threat actor – thus giving insight to their motivations and attack patterns.
One of the big advantages of ThreatConnect is the ability to input unstructured data. We were able to take a Threat Report PDF from a known anti-malware vendor and have the system scan it for things like the IP addresses being used by attackers in the report. That data then could be automatically compared to the existing threat data to see if any known adversaries working within an organization’s community are possibly involved with this new technique. You can also take that captured data and link it back to the original document, which can also be added to the system.
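As an added example (not code from the original article, nor from ThreatConnect or ThreatStream), the following Python sketch shows the two workflows described above in miniature: extracting indicators such as IP addresses and MD5 hashes from unstructured, defanged report text while keeping a link back to the source document, and then comparing them against egress proxy log lines the way a SIEM integration would check whether outgoing traffic is hitting known malware sites. The report excerpt, document name and log lines are all constructed for the example.

```python
import re

# Constructed sample: excerpt from a (fictional) vendor threat report, defanged
# the way such reports usually are; "source" is a hypothetical document name.
REPORT = {
    "source": "vendor-report-2015-Q4.pdf",
    "text": """Campaign X used hxxp://bad-example[.]test/update.php for C2 and
dropped a loader with MD5 d41d8cd98f00b204e9800998ecf8427e. Beacons were
observed to 203[.]0[.]113[.]45 and 198.51.100.7 over TCP/443.""",
}

# Constructed sample egress proxy log lines (key=value style), one event per line.
PROXY_LOG = [
    "2015-11-03T10:01:22Z src=10.0.0.14 dst=203.0.113.45 host=bad-example.test status=200",
    "2015-11-03T10:02:05Z src=10.0.0.20 dst=93.184.216.34 host=example.com status=200",
    "2015-11-03T10:03:41Z src=10.0.0.14 dst=198.51.100.7 host=198.51.100.7 status=403",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[a-fA-F0-9]{32}\b")
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

def extract_iocs(report):
    """Pull IPs, MD5 hashes and URL hosts out of unstructured report text.
    Each indicator is keyed by (type, value) and linked back to its source document."""
    # Undo common defanging first so indicators can be matched literally.
    text = report["text"].replace("[.]", ".").replace("hxxp", "http")
    iocs = {}
    for ip in IPV4_RE.findall(text):
        iocs[("ip", ip)] = report["source"]
    for digest in MD5_RE.findall(text):
        iocs[("md5", digest.lower())] = report["source"]
    for host in URL_HOST_RE.findall(text):
        iocs[("domain", host.lower())] = report["source"]
    return iocs

def match_log(log_lines, iocs):
    """Compare each egress event's destination IP and host against the indicator set."""
    hits = []
    for n, line in enumerate(log_lines):
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])  # drop timestamp
        for key, kind in (("dst", "ip"), ("host", "domain")):
            ioc = (kind, fields.get(key, "").lower())
            if ioc in iocs:
                hits.append({"line": n, "type": kind, "value": ioc[1], "source": iocs[ioc]})
    return hits

if __name__ == "__main__":
    for hit in match_log(PROXY_LOG, extract_iocs(REPORT)):
        print(hit)
```

Each hit carries the source document name, so an analyst can follow a match on the proxy log back to the report that introduced the indicator.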

ThreatConnect works great on its own as a community defense platform for generating specific threat intelligence and making sense of all the available data. However, it can also be integrated with third-party programs to provide automation where specific threats found by the community can be automatically patched. That was outside of the scope of this review, but again, even without that component, ThreatConnect provides a very powerful collaboration tool that can put organizations on equal footing with adversaries while improving their cybersecurity maturity.

ThreatConnect offers a free edition as well as three paid editions starting as low as $45,000. The number of features, functionality and the chosen deployment model (private cloud, public cloud, or on-premises) determine the price for each edition.

Arbor Networks Pravail Security Analytics

Pravail Security Analytics is one of the easiest threat intelligence systems to use. Built by Arbor Networks, it’s also unique in that it does not provide alerts to users, because company officials say that most analysts are in a state of constant alert fatigue anyway. Instead, Pravail is a tool designed to allow analysts to go hunting for threats and even to create rule sets that let them play hunches and prove theories they develop by observing the data.
Networkworld: http://bit.ly/1QvEwDp

