The Biggest Challenges to Firms using Cyber Threat Intelligence

Cyber threat intelligence is one of the hottest topics in cybersecurity today. Many firms are investing heavily in developing and deploying solutions to identify and respond to cyber threats. But despite the hype surrounding cyber threat intelligence, many firms still struggle to make sense of the data they collect.

Why are firms struggling to make sense of their data, and how they can overcome this challenge? We asked around. It looks like three key challenges emerged, and here they are:

1. Data quality – How do we know if our data is accurate?

2. Data volume – How much data do we need to store?

3. Data integration – How do we combine multiple sources of data?

We’re working on ideas around these 3 most common problems. We’re working with firms of all sizes to help solve them. When we get to firm, across-the-board answers, we’ll post them. In the meantime, knowing the most common issues firms are facing in the threat intelligence arena gives us all a good place to start.

Got workarounds or solutions to these issues? Drop me a line on Twitter (@lbhuston) and let me know how you’re doing it. We’ll share the great ideas as they are proven out.

Weekly Threat Brief 4/20

Starting today MSI will begin publishing our Weekly Threat Brief! This is a light compilation of cyber articles and highlights. Some articles have been broken down by verticals which include Financial, Business and Retail, Scada, Healthcare and Government/Military. Please take a moment to click on the link and read! Hope you enjoy it!

WTB Apr 16-20 2018

Please provide any feedback to info@microsolved.com

Are You Seeing This? Join a Threat Sharing Group!

Just a quick note today about threat sharing groups. 

I am talking to more and more companies and organizations that are putting together local, regional or vertical market threat sharing groups. These are often adhoc and usually driven by security practitioners, who are helping each other with cooperative defenses and sharing of new tactics and threat patterns (think TTPs (tactics, techniques & procedures)) or indicators of compromise (IOCs). Many times, these are informal email lists or RSS feeds that the technicians subscribe to and share what they are seeing in the trenches. 

A few folks have tried to commercialize them, but in most cases, these days, the sharing is simply free and open. 

If you get a chance to participate in one or more of these open source networks, you might want to check it out. Many of our clients are saying great things about the data they get via the networks and often they have helped contain incidents and breaches in a rapid fashion.

If you want to discuss your network, or if you have one that you’d like me to help promote, hit me up on Twitter (@lbhuston). If you are looking for one to join, check Twitter and I’ll share as folks allow, or I’ll make private connections as possible. 

As always, thanks for reading, and until next time, stay safe out there! 

Where Does Trouble Come From?

One of the most common questions I get is, “Where does attack traffic come from?”. I want to present a quick and dirty answer, just to show you how diverse illicit traffic sources are. 

To give you a glimpse into that, here is a list of the top 20 ISPs, based on the number of unique malicious source IP addresses who touched one of my HoneyPoint deployments in a single 24 hour period.

The list:

9 korea telecom
7 hinet
6 dynamic distribution ip’s for broadband services ojsc rosteleom, regional branch “urals”
5 sl-reverse
5 sfr
5 rr
5 chinanet jiangsu province network china telecom no.31,jingrong street beijing 100032
5 china mobile communications corporation mobile communications network operator in china internet service provider in china
4 turknet-dsl
4 superonline
4 sbcglobal
4 chinanet jiangsu province network china telecom 260 zhongyang road,nanjing 210037
3 zenlayer inc
3 virginm
3 verizon
3 totbb
3 jsc rostelecom regional branch “siberia”
3 intercable
3 comcastbusiness
3 comcast
3 charter
3 broadband multiplay project, o/o dgm bb, noc bsnl bangalore
3 as13285

As you can see by the above, the list is pretty diverse. It covers sources in many countries and across both domestic and foreign ISPs. In my experience, the list is also pretty dynamic, at least in terms of the top 10-20 ISPs. They tend to spike and fall like waves throughout different time periods. One of these days, maybe I will get around to visualizing some of that data to get a better view of the entropy around it. But, for now, I hope this gives you an idea of the diversity in sources of attacks.

The diversity also makes it very difficult to baseline log activity and such. As such, there may be some effective risk reduction in blocking ISPs by netblock, if your organization can tolerate the risk associated with doing so. But, more on that in another post. Hit me up on Twitter (@lbhuston) and let me know what your firm’s experience with that type blocking has been; if you’ve tried it or are doing it today. I’d love to hear if it reduced log noise, made traffic modeling easier or led to any specific risk reductions.

Thanks for reading! 

A SilentTiger™ Look At The Logistics Industry

I was recently asked to discuss how attackers view parts of the logistics industry with some folks from a research group. As a part of that, I performed a very quick OSINT check against a handful of randomly chosen logistics firms set around a specific US geographic area. Using our proprietary SilentTiger™ passive assessment platform, we were able to quickly and easily identify some specific patterns. We allowed the tool to only complete the first step of basic foot printing of the companies and analyzed less than 10% of the total data sources that a full run of the platform would access.

 

This quick approach lets us learn about some of the basic threat densities that we know are common to different industries, and gives MSI a rough idea of comparison in terms of security maturity across a given industry. With a large enough data set, very interesting patterns and trends often emerge. All findings below are based on our small geographic sample.

 

In this case, we quickly identified that our sample set was not as mature in their phishing controls as other industries. There were substantially more overall phishing targets easily identified across the board than other industries we’ve sampled (we mined 312 targets in 60 seconds). However, the platform ranks the threats against the identified phishing targets using basic keyword analysis against the mined email addresses, and in this case, the good news is that only 3 “critical risk” target accounts were identified. So, while the engine was able to mine more accounts in a minute than other industries with similar sized samples, the number of critical accounts mined in a minute was quite a bit less than usual. We ranked their maturity as low, because in addition to the number of mined accounts, the platform also found specific histories of this attack vector being exploited, some as recent as within 3 days of the study.

 

The study set also showed issues with poor DNS hygiene to be prevalent across the study group. Leaking internal IP address information and exposure of sensitive information via DNS was common across the data set. Many of the companies in the data set also exposed several dangerous host names that attackers are known to target to the Internet. Overall, 67 sensitive DNS entries were found, which is again significantly higher than other similar industry datasets. When compared against highly regulated industry data sets of similar size, the logistics industry sample shows an 18% increase versus average with regard to poor DNS hygiene. This likely increases the probability of focused targeting against what is commonly viewed as weaker targets – translating to increased risk for the logistics industry.

 

Lastly, the data set also demonstrated the logistics industry to be plagued with the use of plain text protocols. Telnet and FTP exposures were the norm across the data set. Given the known dependence on flat file, EDI and other plain text operations data across the logistics industry, the maturity of controls surrounding these exposures seems to be relatively low. In some cases, anonymous FTP was also in use and exposed operational data (we have notified the companies of the issue) across the Internet. This is a significant problem, and represents a clear and present danger to the operations of these firms (according to the sources we talked with about the issue). We also identified attacker conversations around this issue, and the presence of these targets on attacker lists of compromised hosts or hosts to use for covert data exchange!

 

Obviously, if you are a security person for a logistics firm, these points should be used for a quick review of your own. If you’d like to discuss them or dive deeper into these issues, please don’t hesitate to get in touch with MSI (@microsolved) or give us a call for a free consultation. As always, thanks for reading, and until next time, stay safe out there!

Worm detection with HoneyPoint Security Server (HPSS): A real world example

This post describes a malware detection event that I actually experienced a few short years ago.

My company (Company B) had been acquired by a much larger organization (Company A) with a very large internal employee desktop-space. A desktop-space larger than national boundaries.

We had all migrated to Company A  laptops – but our legacy responsibilities required us to maintain systems in the original IP-space of company B.  We used legacy Company B VPN for that.

I had installed the HPSS honeypoint agent on my Company A laptop prior to our migration into their large desktop space.  After migration I was routinely VPN’ed into legacy Company B space, so a regular pathway for alerts to reach the console existed.

After a few months, the events shown in the diagram below occurred.

I started to receive email alerts directed to my Company B legacy email account. The alerts described TCP 1433 scans that my Company A laptop was receiving.  The alerts were all being thrown by the MSSQL (TCP 1433 – Microsoft SQL Server) HoneyPoint listener on my laptop.

I was confused – partly because I had become absorbed in post-acquisition activities and had largely forgotten about the HPSS agent running on my laptop.

After looking at the emails and realizing what was happening, I got on the HPSS console and used the HPSS event viewer to get details. I learned that the attackers were internal within Company A space. Courtesy of HPSS I had their source IP addresses and the common payload they all delivered.  Within Company A I gathered information via netbios scans of the source IPs.  The infected machines were all Company A laptops belonging to various non-technical staff on the East Coast of the U.S.

All of that got passed on to the Company A CIO office. IDS signatures were generated, tweaked, and eventually the alerts stopped.  I provided payload and IP information from HPSS throughout the process.

I came away from the experience with a firm belief that company laptops, outfitted with HoneyPoint agents, are an excellent way of getting meaningful detection out into the field.

I strongly recommend you consider something similar. Your organization’s company laptops are unavoidably on the front-line of modern attacks.

Use them to your advantage.

 

 

Yahoo Claims of Nation State Attackers are Refuted

A security vendor claims that the Yahoo breach was performed by criminals and not a nation state.

This is yet more evidence that in many cases, focusing on the who is the wrong approach. Instead of trying to identify a specific set of attacker identities, organizations should focus on the what and how. This is far more productive, in most cases.

If, down the road, as a part of recovery, the who matters to some extent (for example, if you are trying to establish a loss impact or if you are trying to create economic defenses against the conversion of your stolen data), then might focus on the who at that point. But, even then, performing a spectrum analysis of potential attackers, based on risk assessment is far more likely to produce results that are meaningful for your efforts. 

Attribution is often very difficult and can be quite misleading. Effective incident response should clearly focus on the what and how, so as to best minimize impacts and ensure mitigation. Clues accumulated around the who at this stage should be archived for later analysis during recovery. Obviously, this data should be handled and stored carefully, but nonetheless, that data shouldn’t derail or delay the investigation and mitigation work in nearly every case.

How does your organization handle the who evidence in an incident? Let us know on Twitter (@microsolved) and we will share the high points in a future post.

From Dark Net Research to Real World Safety Issue

On a recent engagement by the MSI Intelligence team, our client had us researching the dark net to discover threats against their global brands. This is a normal and methodology-driven process for the team and the TigerTrax™ platform has been optimized for this work for several years.

We’ve seen plenty of physical threats against clients before. In particular, our threat intelligence and brand monitoring services for professional sports teams have identified several significant threats of violence in the last few years. Unfortunately, this is much more common for high visibility brands and organizations than you might otherwise assume.

In this particular instance, conversations were flagged by TigerTrax from underground forums that were discussing physical attacks against the particular brand. The descriptions were detailed, politically motivated and threatened harm to employees and potentially the public. We immediately reported the issue and provided the captured data to the client. The client reviewed the conversations and correlated them with other physical security occurrences that had been reported by their employees. In today’s world, such threats require vigilant attention and a rapid response.

In this case, the client was able to turn our identified data into insights by using it to gain context from their internal security issue reporting system. From those insights, they were able to quickly launch an awareness campaign for their employees in the areas identified, report the issue to localized law enforcement and invest in additional fire and safety controls for their locations. We may never know if these efforts were truly effective, but if they prevented even a single occurrence of violence or saved a single human life, then that is a strong victory.

Security is often about working against things so that they don’t happen – making it abstract, sometimes frustrating and difficult to explain to some audiences. But, when you can act on binary data as intelligence and use it to prevent violence in the kinetic world, that is the highest of security goals! That is the reason we built TigerTrax and offer the types of intelligence services we do to mature organizations. We believe that insights like these can make a difference and we are proud to help our clients achieve them.

3 Reasons You Need Customized Threat Intelligence

Many clients have been asking us about our customized threat intelligence services and how to best use the data that we can provide.

1. Using HoneyPoint™, we can deploy fake systems and applications, both internally and in key external situations that allow you to generate real-time, specific to your organization, indicators of compromise (IoC) data – including a wide variety of threat source information for blacklisting, baseline metrics to make it easy to measure changes in the levels of threat actions against your organization up to the moment, and a wide variety of scenarios for application and attack surface hardening.

2. Our SilentTiger™ passive assessments, can help you provide a wider lens for vulnerability assessment visibility than your perimeter, specifically. It can be used to assess, either single instance or ongoing, the security posture of locations where your brand is extended to business partners, cloud providers, supply chain vendors, critical dependency API and data flows and other systems well beyond your perimeter. Since the testing is passive, you don’t need permission, contract language or control of the systems being assessed. You can get the data in a stable, familiar format – very similar to vulnerability scanning reports or via customized data feeds into your SEIM/GRC/Ticketing tools or the like. This means you can be more vigilant against more attack surfaces without more effort and more resources.

3. Our customized TigerTrax™ Targeted Threat Intelligence (TTI) offerings can be used for brand specific monitoring around the world, answering specific research questions based on industry / geographic / demographic / psychographic profiles or even products / patents or economic threat research. If you want to know how your brand is being perceived, discussed or threatened around the world, this service can provide that either as a one-time deliverable, or as an ongoing periodic service. If you want our intelligence analysts to look at industry trends, fraud, underground economics, changing activist or attacker tactics and the way they collide with your industry or organization – this is the service that can provide that data to you in a clear and concise manner that lets you take real-world actions.

We have been offering many of these services to select clients for the last several years. Only recently have we decided to offer them to our wider client and reader base. If you’d like to learn how others are using the data or how they are actively hardening their environments and operations based on real-world data and trends, let us know. We’d love to discuss it with you! 

Custom Security and Business Intelligence at Your Fingertips

We have decided to bring what has been a service offering to very select clients for the last several years to availability for all of our clients and the public.

For years, several of our clients have been enjoying custom security intelligence driven by the MSI TigerTrax™ analytics platform and our dedicated team of analysts and subject matter experts. The research and analysis work the team has been performing has been focused on agendas like:

  • competitive analysis
  • economic industry scale market analysis
  • consumer behavior, demographic or psychographic profiling
  • organizational human network data flows and relationship mapping
  • gathering data for marketing and sales opportunities on a global scale
  • dark net data raids
  • trend and disruptive technology assessments
  • scalability & DRM techniques
  • piracy and underground market analyses
  • and even assessments of threats against brands, nation-states and multi-national cooperatives

Our team has robust expertise to gather, profile, mine, visualize and analyze public or private data en masse for your organization.

Want customized threat data about your brands, on a global scale, updated monthly with new findings from the public, deep and dark web spaces? We can do that.

Want large amounts of competitive market data gathered, visualized and summarized? We can do that too. 

Need daily briefings on a set of specific trends, geo-locations or products? Our experts are experienced at producing it.

Desire to have entire market segments deconstructed, profiled and researched to find vendors, trends and critical relationships up to 3 levels away from the core processes? We’ve done that now for multiple industries.

How about a customized monthly briefing of industry wide changes, summaries of events and monitoring of specific sets of questions your organization may have around critical topic areas? We have done this for clients across multiple industries.

Basically, if your organization would like to have customized research, analysis and intelligence – and we aren’t talking about lists of indicators of compromises and such – but REAL WORLD operational intelligence for optimizing your products, services or marketing, then we may be able to assist you. If you need a larger world view than the data you have now permits, we may be able to solve that for you. If you need to match your organization’s internal data-driven views with the views of the public or smaller groups of the public, we may be able to turn those efforts into insights.

If any of this sounds interesting and useful, join us for a cup of coffee or a conference call, and let’s talk about your needs and our capabilities. We have been performing these services for years for a select few clients, and are now ready to open these capabilities to a wider audience. To schedule a discussion, drop us a line at info@microsolved.com, hit our website at microsolved.com and click on the request a quote button or give us a call at (614) 351-1237 today. We look forward to talking with you.