July 26, 2016 • RFSID
Sourcing threat intelligence from the web is hardly a new thing.
After all, companies in the threat intelligence space have been sharing valuable information for several years now, and with the spate of high-profile breaches in recent months some private organizations are starting to see the light.
But that’s not the only thing on offer. If you know where to look, or have a platform setup to do it automatically, all sorts of open source information is available on the web. Information you can learn from and use to anticipate and prepare for future attacks.
Learn. Anticipate. Prepare.
Below are six surprising benefits you can gain using threat intelligence from the web.
The internet was originally created as a way to share information, and the web has grown into the single greatest learning tool in human history. In fact, over the past two years more new data has been created than in the entire previous history of the human race.
We’d be foolish not to make use of it.
1. Let Me Google That for You
I’d be remiss if I didn’t start by pointing out the obvious.
The internet is a massive repository of human knowledge, and the natural starting point for any research project.
Threat intelligence is no exception.
Whether you’re looking into specific attack vectors or planning your remediation process, conducting deep research online will be tremendously beneficial. It would be flippant to say that other mediums are completely redundant at this stage, but we’re certainly moving in that direction.
Since most new data is created online, and threat intelligence is a relatively new (and extremely fast-paced) field, it seems likely that the internet will only become a more important research tool in the coming years.
2. Keep the Stakes Low: Learning From the Misfortune of Others
Just like learning from the mistakes of others, the best time to acquire threat intelligence is when something happens to someone else.
Recent cyber attacks are prime opportunities to learn, so long as you can locate the information you need to protect your organization.
For instance, who was first to talk about the event? Who has unique information about the event? Different threat actors have their own favorite tactics, techniques, and procedures (TTPs), and identifying the actors closest to an attack can provide vital context for intelligence programs.
This type of information is known as metadata (literally data that describes other data), and is fundamental to remediation and asset-hardening processes. The more information you can find relating to important events, the more you’ll be able to protect your organization against similar circumstances.
This is particularly true in the case of hacktivism, where groups often openly claim responsibility for attacks. Further investigation of these groups’ online forums often yields surprisingly specific information about methods, tactics, and targets.
But it doesn’t stop there. Threat actors fall into a number of discrete categories, from script kiddies to series organized cyber crime syndicates and nation states. By taking the time to collect and analyze information about each new attack, you’ll gradually build up an extremely valuable threat intelligence resource that can be used to inform your wider cyber security program.
Unsurprisingly, it’s much easier to defend against an attack if you know it’s coming. With that in mind, wouldn’t it be a good idea to get ahead of the game?
3. The Well-Publicized Joys of Pastebin
It’s every CISO’s worst nightmare.
In recent years there have been a variety of high-profile instances where private data has turned up on text-sharing platforms such as Pastebin and GitHub.
And GitHub poses an entirely different concern for organizations. As the world’s largest online code repository, it allows users to share application source code openly on the web. And while it has facilitated the development of some world-changing applications, it also poses a significant security risk.
Take, for instance, last year’s revelation that C, a highly popular programming language, contains far more references to “dirty” code fixes than any other language. This news (identified using GitHub’s built-in search feature) may seem innocuous, but the unspoken addendum is that the platform paints a clear path to messy and potentially vulnerable code in applications ranging from the obscure to the wildly popular.
Of course, any form of private data turning up online is one of the worst things that can happen to an organization from a security standpoint. It’s even worse, however, if it’s happened to your organization and you don’t even know about it.
Routinely scanning these types of platforms will help you to identify breaches much more quickly, giving you the opportunity to react quickly.
Having your staff immediately change their credentials would be a good start.
More than that, however, finding your own proprietary asset data on a text-sharing website should prompt you to ask how it got there. Logically, there must be a vulnerability somewhere within your organization, and that information alone is gold dust.
It might take time and effort to locate the source, but once you do you’ll be able to close it for good.
4. Know Your Enemy
As I’ve already alluded to above, not all adversaries are tight-lipped.
If you know where to look, you can find all sorts of information about planned attacks, hacktivist threats, and new attack vectors, and it goes without saying that this can be tremendously beneficial to your ongoing security efforts.
And past events have even shown that “adversary chatter” can be a direct precursor to attacks.
Take, for example, the recent well-publicized attack on TalkTalk, where analysis of online chatter found a series of adversary claims and threats around the times of both major attacks.
— Recorded Future (@RecordedFuture) October 28, 2015
High-profile adversary groups often announce their intentions publicly before retreating to private channels to discuss the specifics, however not all groups are this diligent. Open source intelligence (OSINT) platforms analyze the open web along with areas of the “deep” and “dark” web known to host adversary chatter, making this an extremely valuable source of actionable threat intelligence.
For the more prudent hacking groups, OSINT platforms complement more hands-on collection approaches for maximum benefit.
Threat intelligence doesn’t exist in a vacuum. To be truly valuable, it must be a tool that enables you to take positive and proactive measures. The best way to do that is to start using your web-based threat intelligence to prepare for the most likely attacks.
5. Learn From Bulk Indicators of Compromise
The rapid rate of advancement in attack methodologies can seem discouraging, but take heart.
As threat intelligence becomes a more widely accepted necessity for organizations, the tools available to improve it are coming on in leaps and bounds. Not only are modern threat intelligence platforms capable of assimilating data from a functionally unlimited number of sources, recent technological advances such as machine-learning algorithms have enabled dramatically faster and more efficient data processing.
One of the most valuable recent intelligence trends is the increasing availability of bulk indicators of compromise (IOCs).
Bulk IOCs are sets of information that assist in the detection of attacks and intrusions, and include data on geographical irregularities, unusual outbound network traffic, suspicious activity in privileged user accounts, and much more.
Several open source platforms have sprung up to facilitate sharing of bulk IOCs, and they are rapidly becoming an excellent source of threat intelligence. Most importantly, this information can be utilized directly to remediate vulnerabilities, harden at-risk assets, and prepare for the most likely future attacks.
6. Observe Adversary Tactics, Techniques, and Procedures
Knowing your adversaries’ favored TTPs is an obvious advantage. If you know what the most likely attack routes are, you’re much more able to defend against them.
Fortunately, once again, this information is widely shared on the open internet. It may not relate to specific announced threats, but that doesn’t take away from its usefulness.
By prioritizing your resources to defend against currently favored attack vectors, you’ll be dramatically reducing the risk of suffering a costly (and embarrassing) breach.
Of course, for all the talk of web-based threat intelligence being open source (which it is) and freely available (also true), it has to be accepted that there are costs associated with collecting it.
You can’t, for example, simply ask an intern to browse the web and report back about any identified threats. The scope of this work is huge, and a dedicated platform is required.
With that said, the web is still the single largest and least costly source of threat intelligence, and consistently turns up highly valuable information. From early-stage research to direct adversary threats, the web offers tremendous threat intelligence benefits.
So if you aren’t already, I hope you’ll take my advice: learn, anticipate, and prepare.
This information is also available to view as a SlideShare presentation.