January 5, 2016 • Amanda McKeon
Threat intelligence truly took center stage in 2015. While there is an element of trendiness to the term, the need for more accurate, timely, and actionable information about threats to enterprises, individuals, and even nation-states has never been more important. Certainly the people reading this post are mostly concerned with cyber threats, but as we round out the year, we want to take a look at evolving trends — some information security-focused, some not — that are likely to heat up further in the New Year.
Historically speaking, as incident response (IR) teams find and treat an infection, they are focused on the infection. That is, they find the problem at hand and deal with the aftereffects, be they data loss, unpatched systems, or malware wending its way through the network. Given the nature of their work, IR teams have been statistics-driven and typically manage issues at a given point in time. This find-and-remediate process drives the categorization of incidents into buckets in order to report to executive management everything from the scope of the infection to how IR will mitigate the problem to what consequences — operational, financial, reputational — will be exacted.
In the last year, however, attackers have further morphed their methods and found new, inventive ways to reach the data they seek and cause the disruption they intend. Because IR is laser-focused on finding infections and shutting them down, thereby “solving the problem” in the eyes of the enterprise, the best way for attackers to accomplish their aim is through blended threats.
We can think of blended threats as commodity malware meets nation-state campaign meets the utility toolkit. When this blended approach is carried out, attribution is even more difficult, causation is confusing, and identifying the attacker and the initial point of infection is next to impossible. When an adversary leads with a blended threat, their chances of accessing a system are higher (since they’re exploiting more than just one access point or vulnerability, for example, by dropping malware in one place and inserting a SQL injection in another), the likelihood of remaining undetected in a system for long periods of time is greater (because their presence is spread throughout the network and shutting down one exploit doesn’t stop another), and identification of the attacker is much less likely.
Blended threats, it’s safe to say, therefore raise the stakes for IR and information security teams even higher. A robust threat intelligence program proactively seeks emerging threats even if, on the surface, the threats appear to come from disparate sources and through differing methods. By combining the operational processes of identifying, collecting, and correlating data from the Internet, then enriching it to formulate a strategic threat analysis, companies are more likely to avoid being blindsided by a blended attack.
Decidedly, adversaries’ massive destruction of data from companies like Sony, Sands, and CodeSpace in 2014 forced security into the limelight in 2015, and there it stayed as Anthem, the Office of Personnel Management, Talk Talk, and Ashley Madison, to name a few, came tumbling down. In the past, information security experts have argued whether or not a data breach causes any long-term damage to an enterprise. Looking back at TJX, one could conclude: No. No long-term effect on stock price, on customer loyalty, on gainful employment would result from a data breach. That started to change in 2014 as Target’s Gregg Steinhafel was fired in the wake of the company’s monstrous breach, and executives took note. (N.B. Target’s Q215 reported earnings were quite favorable despite ongoing lawsuits and new technology infrastructure implementations resulting from the breach.)
In 2015, executives started more aggressively figuring information security into risk management strategy. Operational risk management is not a newfangled process by any means, and risk, by definition, is a matter of assessing exposure to potential damage. When an enterprise buys another, how much debt will it accrue? Will a new market prove profitable? Will a new product sell as well as projected? There are unknowns, unquestionably. In the case of information security, though, the uncertainties are certain. The adage, “It’s not ‘if,’ but ‘when,’ a company will be breached” is considered a truism in security these days, and boards of directors have begun — and we believe, will continue — to factor breaches and data loss into their plans throughout 2016. As of this writing, a new (and hotly debated) cyber security bill has become law, and it’s likely that businesses will start to value the confidentiality, integrity, and availability of proprietary data even more highly moving forward.
Is this a boon for information security teams at last? Yes and no. The result is that the scrutiny on information security will increase further and security teams’ actions will factor into business success in the future. We’re not just on the sidelines anymore, and this requires security teams to develop ever-improving insight to emerging threats to their organizations.
Yes, 2016 is going to be an exciting year for threat intelligence; actionable threat intelligence is the key to grasping and managing ongoing, and potentially increasing, information security threats. It will be security’s responsibility to not only not hurt the bottom line, but help businesses grow. The more relevant threat intelligence that can be incorporated into a company’s strategic plan, the better positioned it will be to help fuel that growth and create value alongside the business as a partner.
Fighting in the Middle East, physical terrorist attacks, climate change controversy, territory disputes, natural resource procurement, and more play out on the world stage, creating contention among nation-states. As countries jockey for position and political gain, we’re likely to see an increase in corollary Internet activity that is driven by, and shadows, geopolitical events. Information will be exchanged online and in emails and stored in government systems and private contractors’ databases, and adversaries of all sorts will aim to gather what data they can find against their targets, legitimately as information is improperly handled and traverses cyberspace in the clear, or nefariously as highly skilled actors exploit weaknesses in rivals’ systems. Furthermore, as adversaries plan their attacks, physical or digital, information about those plans will circulate on the Web. Sensitive information will be posted or leaked proactively in an attempt to organize counter-attacks; some information will be stolen and copied to paste sites and hacker forums, waiting to be found.
Geopolitical strife is more rampant than ever, or so it seems with the world’s 24×7 media coverage. This plays right into the hands of attackers, but coincidentally offers advantages for opportunistic threat analysts. Whether it’s nation-states looking to gain intelligence about competing nations, hacktivists looking to shame or bring attention to a nation they believe is engaged in wrongdoing, or terrorists planning their next strike, the deep and dark Web will continue to be a resource for information gathering. Finding, correlating, and contextualizing that information so that it is reliable and actionable will be the key to stopping incidents before they occur.
Governments have long been engaged in intelligence gathering; every so often a media story will circulate about how the [insert nation here] government successfully stopped a terrorist attack thanks to obtaining unspecified but “classified information.” Obtaining “unspecified” or “secret” information online is less of a challenge if one has the skills and wherewithal to find it.
This is where a good threat intelligence program, tools, and team of analysts will prove their worth in 2016. While geopolitical events appear on the surface to be a government problem, consider the current public-private sector debate in the U.S. about encryption, the “Snowden Affair,” or any of the mega-breaches that were accomplished through weaknesses in third-party systems. The beauty of the Internet is that we’re all connected (except for, perhaps in the future, China, which wants to build its own), which means we’re all cogs in the wheel. To this point, it will be necessary not only for every enterprise and government to take the steps needed to protect its data, but, because data loss or theft is an eventuality, for every enterprise to do its part to find indicators of compromise across the Web, identifying when there is an emerging threat to itself, to its partners, and to its customers.
We at Recorded Future are excited by what 2016 is sure to bring. Certainly there will be malicious behavior, but we’re ever-improving our capabilities so that enterprises can develop more proactive threat intelligence programs and build greater defensive controls that are effective against targeted threats to their organizations.
Whatever your greatest information security threats are in 2016, threat intelligence is the key to risk management. Only you can identify which strategic assets are most sacred to your organization, but when you need to identify emerging threats on the Web, Recorded Future will be there to help.