January 8, 2018 • Amanda McKeon
Our guest today is Denver Durham. He’s a threat intelligence consultant at Recorded Future, with a background in the U.S. Army as an intelligence analyst, working in signals intel and all-source intel supporting counterterrorism, and later in the private sector in a SOC (security operations center) as a cyber threat analyst, performing attribution and analytics.
On today’s show, he takes us through what he believes are some of the most relevant questions for a SOC analyst, including collecting and prioritizing indicators of compromise, handling news feeds, managing firewall alerts, and performing trend analysis. We’ll learn about the types of reports a SOC analyst is likely to generate, how to make good use of some third-party rules, and he’ll share his advice for anyone considering a career as a SOC analyst.
For those of you who’d prefer to read, here’s the transcript:
This is Recorded Future, inside threat intelligence for cybersecurity.
Hello everyone, and thanks for joining us. I’m Dave Bittner from the CyberWire, and this is episode 38 of the Recorded Future podcast.
Our guest today is Denver Durham. He’s a threat intelligence consultant at Recorded Future, with a background in the U.S. Army as an intelligence analyst, working in signals intel and all-source intel supporting counterterrorism, and later in the private sector, in a SOC as a cyber threat analyst, performing attribution and analytics.
On today’s show, he takes us through what he believes are some of the most relevant questions for SOC analysts, including collecting and prioritizing indicators of compromise, handling news feeds, managing firewall alerts, and performing trend analysis. We’ll learn about the types of reports a SOC analyst is likely to generate, and we’ll find out about making good use of some third-party rules. Stay with us.
I joined the Army after college and didn’t really have a background in intelligence or analytics at that point. But when I went into the military, I landed an intelligence analyst position as a signals intelligence analyst. As I progressed through that short career, it really became more and more technically heavy with the way the wars in Iraq and Afghanistan developed, and required a lot more knowledge of technologies, and things like that. That led me into a few different jobs doing all-source and intelligence analytics in the government sector, public sector.
After that, I really actually just fell into a job as a cyber threat analyst for a private company and was doing threat attribution. Looking at TTPs, techniques, tactics, and procedures of APTs, advanced persistent threats, which was brand new to me at the time, but the methodology of threat intelligence and how I had approached that before doesn’t change much. It was just a matter of learning a new area of information, a new area of data, and becoming an expert in that.
That has led me down a completely new path. Over the last few years, I’ve gone through a couple different companies, supporting analysts with their methodologies, analytics, or just training in software for a couple different companies. That’s pretty much where I’m at now.
In terms of if being a cyber threat analyst, what are the things about that job that you find particularly appealing?
I think that it’s really interesting because it’s still very new. Threat attribution, in terms of cybersecurity, has been going on for a few years. It was brand new maybe five or six years ago, but it’s still … You can run into a lot of different shops, or a lot of different areas within the sector, and people still aren’t really thinking that way, about actually identifying the threat and leading it back, trying to find out where the threat comes from, instead of just blocking an IP, or blocking a domain — something like that.
I’ve found it to have a lot freedom. There is not very much stuff that’s codified. There is not a lot of manuals out there that tell you how to do it, it’s just, “Dive in and start digging through the data,” and figure out the best methods on your own. I think that’s really exciting. It can be a lot of fun, especially coming from a military background where everything has a step-by-step process that you’re supposed to follow, and there is not very much wiggle room left to right in terms of how you accomplish your job. You’re supposed to do it in a very, very specific manner.
Yeah. Let’s talk about working in a SOC, in a security operations center. Let’s go through some of the important things for being a SOC analyst. Let’s start with prioritization. How do you collect IOCs, indicators of compromise, and how do you set your priorities?
That’s something that’s still developing a lot, in terms of collecting indicators. Even just a few years ago when I was an analyst, when I first started out in that job, I had to go out and literally search the internet every single day, set up RSS feeds just to read articles, read blogs, and then either copy and paste these new IOCs that came up into an internal database, or hand type all of them. That is okay for maybe a few 10 or a few dozen a day, but when you really start seeing how the threat landscape has evolved over the last few years, it’s too much to keep up with in a manual process.
Now, I think people are relying a little bit more on feeds — automated feeds — of some form or fashion, and that raises some other problems, some other questions. How do you really validate the confidence of the feed? How do you know that all of the different IOCs you’re getting are truly malicious? Or if you’re blocking something that might actually be useful, that you might need? All of those questions come into play, and that gets into the methodology of how to research what those IOCs are, where they come from, and how to prioritize those.
How do you go about doing that? Do you have a system for determining how much something requires your attention?
In my experience, I think that a lot of it is being able to see how frequently that’s coming up with some sort of malicious tag identified to it. If you’re talking about an indicator, like an IP or a domain, historically linked to malware, historically used in a campaign, or an attack. Things like that can obviously be helpful, and then once you can really build a repertoire, or a card for that one identifier and see how much of those different rules … How much risk really applies to that, then it can give you a much better idea of the confidence of that. It’s sort of the intelligence paradox with the internet, right? If something shows up just once, there is so much information out there that can be lost. You kind of need to see it more frequently from different sources in order to really be able to put confidence in it.
In terms of handling things like RSS feeds, or news feeds, how do you dial that in?
I think that is a real imperfect process right now. In my experience, when I was sitting in that seat as an analyst — not so much as a consultant, like how I’m working now — I was always just following back on any interesting resource to try and find what blogs are posting it and reposting it, and then looking at the history of that blog, and then always building out this RSS feed.
Then, that just quickly becomes overload because every day, you come in and you want to get caught up on all the pertinent and interesting news that’s going on in your feed, and at some point, you have to dial that back and say, “I have enough sources to look at, so maybe I even need to start removing some sources.” What I was doing was just looking at some of the main vendors that were out there. Primarily security vendors, the vendors that are publishing white papers, doing independent research on threat attribution, writing about different APTs, or different campaigns, things like that.
You’ve come up with your own list of trusted sources, if you will.
Yeah, absolutely. That’s something that I had done, is just develop my own list of trusted sources. And of course, I would collaborate with other people, had other friends, and made other contacts within the industry, and picked on other people’s knowledge to start to build that out, but I don’t think that it’s a perfect process, by any means.
What part does automation play in this? Did you have tools to help you sort through the firehose of information that could come at you?
No. Only a few years ago, nothing like that was really around yet. There has been, in the last couple years, a lot of companies who have come up and identified that as a need.
Simultaneously, a lot of people say that there has to be a way to filter through this a little bit better than just a Google alert, or just going into your email inbox. I think there are much better tools out there now to filter through all that noise, where you can look at your trusted sources, but you can also filter through that because you’re really only interested in articles that pertain to your industry, or maybe only pertain to your company in particular, or certain types of malware.
That also gets into how shops really operate. Some of the larger organizations, we’re starting to see their cybersecurity broken up into not just a SOC, but then a separate threat intel shop, maybe threat hunting shop, and those guys have very different priorities, so they’re not each trying to look at the entire firehose of data. That, actually, is more so the position that we were in in the company that I was working at. It was just, “Everybody look at everything and be concerned with everything, at all times.” That can be really challenging. I think it’s still a need in cybersecurity, but it’s gotten much better.
In terms of managing things like firewalls, how do you handle the false positives that you get, and just looking out for things like trends?
Yeah, trending at the firewall, I think is … I’ll call it somewhat of an underrated approach to analytics. A lot of times, just the pervasive thought is that if it’s been blocked, then there is nothing else we need to do about it. But seeing the activity that is being stopped at your firewall and seeing what those trends actually are can be very interesting, especially when you start getting into wondering what threat groups, and what threat actors, are actually targeting your company, or targeting your industry. Maybe they’re not getting through the firewall, but we can see trends in the attacks that they are attempting.
Coming from a military background, I tend to think it’s almost like in a war zone in Iraq or Afghanistan, if you discover an IED and then diffused it and then removed it, but then did no research to find out who put it there or why it was there. It really leaves you in the dark and open for a lot of future attacks.
That’s interesting. One thing I do hear some people say is that attribution perhaps isn’t really that important, but it does play a part sometimes.
Yeah, I absolutely think that it does. I know, for a while, we saw a couple of APT groups that would intentionally increase their scanning, or even attempt to DDoS an organization at the same time that they’re launching a separate phishing attack so that everybody can be distracted with one thing, and then, something else might be able to get under the radar and doesn’t get picked up quite as quickly, or quite as easily.
The adversaries know that we are just looking at the indicators and not really trying to trace it back to its origin, and they use that to their advantage. The more that we understand how and why the threat actors are doing the things that they do, what their tactics are, the better prepared we can be to stay ahead of the curve, and stay ahead of future attacks, instead of always just being reactive.
Can you take us through what sorts of intelligence you produce from the work that you do, reports and so forth?
Yes. A lot of the reports are in that sort of trending, and what we’re mostly looking at is everything that is being posted out on the internet, not just open, but deep and dark web sources, as well. Say, if a zero day were to occur, a brand new piece of malware that’s out there, a brand new vulnerability, one or the other, then we’re going to see different sources and different technical reporting come out that contribute differently to what the background is on that, what the technical indicators are for that threat, whatever it might be.
Being able to quickly look at the whole … really, the totality of the open web, everything that’s out there, and compile it into a very concise, and clearly understandable format, and then ingest that into both your intelligence as well as your remediation, like your firewalls and things.
That’s the approach that we’re taking now with the work that I do. I think that, more so, people are going to be moving toward that idea where we have the technology and the ability to see a lot more of what’s going on, and try and filter out that noise across the internet.
Yeah, this seems to me that this sort of interval of the reporting allows you to delve into different things. Over time, you start to notice trends that might not be apparent in a daily report or a weekly report.
Yeah, absolutely. When we look at malware operations, or attacks that have been positively attributed to a threat actor, we might want to go back through time and look at what the trends are of those things. Are there certain times of the year, are there certain other indicators, either in markets or in industries, that can help us understand what they’re looking at in order to initiate an attack? Every time they initiate an attack, it’s for a particular reason, and it might not just be because they’ve finished coding a new malware. It might be because of something else that’s going on out in the industry, or with that particular company.
Being able to look for other correlates, other things that correlate to this being a malicious indicator — it should be blocked. Those are other ways that we can try and get ahead of that curve of the adversary.
In terms of ingesting other third-party rules, do you use things like Snort or YARA?
Yeah, those are incredibly useful. When I was going out searching for my own data manually, that was a top priority. If zero data came out, then the very first thing my manager wanted to know is, has somebody published a smart rule yet, or can we write one? Snort was what we were using in our enterprise, and there is YARA. There is probably some other ones out there that I’m not entirely aware of, but those are really great to harvest and get into your enterprise — well, into your environment, rather — into your firewall as quickly as possible.
That’s been really nice because Snort, in particular, is open source. If you’re competent with basic coding you can probably learn how to write your own Snort rules and go out and start gathering other people’s rules and tweaking them and things like that. I’ve found that to be one of the best open source resources that’s out there.
The nice thing about it is that you can create rules to filter and to block layers beyond just what the indicator is. Maybe patterns, or maybe what the attachment is, or other identifiers that aren’t as easily picked up on as just an IP or a domain, which is just straightforward and just on the face of the header data.
If someone is considering a career as a threat analyst, what sort of advice would you have for them?
I would recommend to really consider all types of analysis philosophies and methods as options to bring to the table. I think, in my experience working in a couple different intelligence fields, people tend to really pigeon hole themselves in a certain style of thinking. You see that a lot in the military. If you’re a human intelligence analyst then you do things one way, and if you’re a signals intelligence analyst, you do things one way. Those people don’t really communicate very much or consider each other’s methodologies as options for themselves. Everything is very segmented and siloed and codified, and that’s just the way it is.
I really think that in all analysis and in all analytics, you have to open your mind and think of different ways of approaching things, or even looking. I’ve spent a lot of time studying business analytics and stock market analytics and different things. People have been studying trends over time in a lot of different sectors, and we’re only just now starting to do that with the internet traffic we have for cybersecurity. There is a lot to learn outside of just cybersecurity blogs, just outside of the cybersecurity industry, that can contribute to the value that you have to add to an organization.
Our thanks to Denver Durham for joining us.
Don’t forget to sign up for the Recorded Future Cyber Daily email, where every day you’ll receive top results for trending technical indicators that are crossing the web, cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more. You can find that at recordedfuture.com/intel.
We hope you’ve enjoyed the show and that you’ll subscribe and help spread the word among your colleagues and online.
The Recorded Future podcast team includes Coordinating Producer Amanda McKeon, Executive Producer Greg Barrette. The show is produced by Pratt Street Media, with Editor John Petrik, Executive Produce Peter Kilpe, and I’m Dave Bittner.
Thanks for listening.