Posted February 16, 2016
This is the third blog in a three-part series (read parts one and two) by our Chief Technology Officer, Allan Thomson. In today’s post, he discusses how threat intelligence (evidence-based knowledge about an existing hazard, intended to help organizations make informed decisions about their response to the threat) can boost your confidence in your organization’s security posture.
How You Stay Confident in a World Full of Cyber Threats
In our two previous blogs on threat intelligence, we discussed the importance of focus and of having a well-defined Threat Intelligence Scope to maximize the impact of your threat intelligence. This blog builds on that framework, describes how you can increase your confidence in your cyber security, and ultimately addresses the following issue:
“Understanding the relevancy of a threat is a critical aspect of reducing risk in your environment”
The concept of threat confidence is defined as a measure of threat relevancy to an organization. Threat confidence is a multi-faceted determination that encompasses multiple aspects of where and how threats can arise in the global Internet.
Determining threat confidence starts by having a model of the Internet and all communications that occur across it.
Threat Confidence Conceptual Model
© 2015 LookingGlass Cyber Solutions
Layer 1: Network Devices, Infrastructure and Connectivity
At the heart of the Internet model is the network itself. This includes both the endpoints (e.g. phones, laptops, servers) as well as the network infrastructure that those endpoints connect to and use to transport data between endpoints. Without devices or networks to connect devices, no communications would be occurring. But, without an understanding of how communications are transported between devices, the Internet is a black box that can be manipulated or subverted without organizations being aware of those negative impacts to their security.
Organizations connecting to the Internet should already have determined what infrastructure connects them to it. In many cases, however, that infrastructure is not static, so maintaining a continuous understanding of your Internet connections is an important part of understanding your organization’s full security exposure to the global Internet.
Layer 1 in our model is the basis of threat confidence. A network device that never connects to your organization’s network is unlikely to be relevant to any threat. Infrastructure that your organization uses to connect to the global Internet is highly relevant to threat, and insecure infrastructure is a poor choice that greatly enlarges the set of potential threats. Endpoints that connect to your network, or communicate with it, are likewise highly relevant.
Layer 2: Applications
The next layer in our model is the application layer: the applications, good or malicious, that run on the network devices and over the network infrastructure. Capturing which applications run on the network devices is vital to knowing what occurs on the network. The ability to identify applications and their associated behaviors (the devices they communicate with, the ports and protocols used, the typical payloads exchanged, the frequency of exchanges, etc.) contributes to a greater understanding and predictability of future events. Without this understanding, the use of the Internet again becomes a black box that can be manipulated and controlled from the outside. Botnets are an example: an application created to take control of other devices and make them perform behaviors their owners do not expect.
By characterizing applications and their expected behaviors, the lower layer of network threat confidence can be enhanced and then complemented with application threat confidence.
Layer 3: Users and Owners
Once we have built threat confidence for networks and applications, the next important artifact of global Internet use to determine is the user or owner information associated with the applications and network devices. Network infrastructure ownership is typically known because of the registration requirements for connecting devices to the global Internet. Both autonomous system (AS) and CIDR block ownership can help organizations determine whether those network entities should be communicated with and trusted.
In many cases, however, end-user information is protected so that private information about end users is not shared with unauthorized entities. As applications and network devices communicate globally, there may be no visibility into the end users who initiate communications. Anonymity networks such as Tor, and VPNs in general, deliberately obscure the origin of communications to prevent attribution back to a user or end device.
These technologies exist for legitimate reasons, but they can also aid threat actors. If an organization has identified a known malicious actor, then any communications between the organization and that actor’s web site or server, irrespective of protocol or application, are clearly worth further investigation.
Threat confidence is enhanced with greater knowledge of users or owners of networks.
Layer 4: Observations
Threat confidence is determined by observations on our layers for networks, applications and users. A lack of observations (e.g. no malware hashes) on those layers does not necessarily indicate that threats are imminent, but having both positive and negative observations provides greater insight and therefore greater threat confidence. Clearly, understanding threat requires access to data that can guide its consumer. To interpret that data, however, knowledge of where it came from, how reliable it is and what impact it has on your organization is critical. There are many examples where data, taken in isolation from the context and background of its collection, skews or misrepresents how it should be acted on. A simple example: malware commonly uses well-known public DNS servers to resolve the IP addresses of its command-and-control servers. If a customer blocked communications to those DNS servers solely on the basis of a single DNS exchange, without the context that it was malware resolving a command-and-control server, then name resolution, and with it effectively all communication to the Internet, would be blocked. Clearly, the context of a communication and its purpose are critical to understanding when to act and when not to act.
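The DNS example above can be made concrete with a few lines of indicator-extraction logic. What follows is an added illustration written for this article, not LookingGlass code: the event records, the resolver list and the addresses and names (TEST-NET ranges, a `.invalid` domain) are constructed for the example, and the `malware` flag stands in for whatever sandbox or endpoint telemetry attributed the events to an infected host.

```python
"""Extracting indicators from a malware DNS exchange, with and without context.

Added example (not LookingGlass code). All events, addresses and the resolver
list are constructed assumptions for illustration.
"""

# Assumption: the organization's list of well-known public recursive resolvers
# that must never be turned into blocked IPs.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "208.67.222.222"}

# Constructed events. The first two come from an infected host resolving a
# hypothetical C2 name through a public resolver and then connecting to it;
# the last two are ordinary user traffic through the same resolver.
SAMPLE_EVENTS = [
    {"type": "dns", "src": "10.0.0.23", "dst": "8.8.8.8",
     "qname": "update.example-c2.invalid", "answer": "203.0.113.45", "malware": True},
    {"type": "flow", "src": "10.0.0.23", "dst": "203.0.113.45", "dport": 443, "malware": True},
    {"type": "dns", "src": "10.0.0.51", "dst": "8.8.8.8",
     "qname": "www.example.com", "answer": "198.51.100.7", "malware": False},
    {"type": "flow", "src": "10.0.0.51", "dst": "198.51.100.7", "dport": 443, "malware": False},
]


def naive_blocklist(events):
    """Context-free rule: block every destination the malware-attributed events
    talked to. This sweeps up the public resolver along with the C2 server."""
    return {e["dst"] for e in events if e["malware"]}


def contextual_indicators(events):
    """Context-aware rule: for a DNS exchange the threat is the name that was
    queried and the address that came back, not the resolver that answered.
    The resolver is recorded separately as Layer 1 infrastructure that was
    merely used by the malware."""
    domains, ips, infrastructure = set(), set(), set()
    for e in events:
        if not e["malware"]:
            continue
        if e["type"] == "dns":
            domains.add(e["qname"])
            ips.add(e["answer"])
            infrastructure.add(e["dst"])
        elif e["type"] == "flow":
            ips.add(e["dst"])
    # Defence in depth: a public resolver never becomes a blocked IP even if it
    # appears as the destination of a non-DNS event attributed to malware.
    ips -= PUBLIC_RESOLVERS
    return {"domains": domains, "ips": ips, "infrastructure_seen": infrastructure}


def collateral_damage(blocked_ips, events):
    """Count the benign events a block list would have stopped: the cost of
    acting without context."""
    return sum(1 for e in events if not e["malware"] and e["dst"] in blocked_ips)


if __name__ == "__main__":
    naive = naive_blocklist(SAMPLE_EVENTS)
    ctx = contextual_indicators(SAMPLE_EVENTS)
    print("naive block list:", sorted(naive),
          "benign events blocked:", collateral_damage(naive, SAMPLE_EVENTS))
    print("contextual IPs:", sorted(ctx["ips"]), "domains:", sorted(ctx["domains"]),
          "benign events blocked:", collateral_damage(ctx["ips"], SAMPLE_EVENTS))
```

On the constructed events the naive list contains both the C2 address and 8.8.8.8 and stops the benign user's name resolution, while the contextual list blocks only the C2 address and the queried domain with no collateral.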
Threat observations are gathered by many different mechanisms and by many different providers, and those providers and their processes define how accurate the observations are. A critical aspect of determining the accuracy of threat observations is therefore measuring threat confidence on the provider’s side: confidence in the provider and in the processes it uses. As in other industries where data is a key asset exchanged between organizations, organizations place trust in the data and in the services behind it. Financial institutions survive in part because of the trust afforded to them by their customers.
Similarly, one intelligence provider may have visibility into botnet behavior because it can participate in the botnet as an infected or sinkholed node, which allows it to identify the other control servers involved. Another provider may only have visibility on the endpoints and see the result of the botnet controlling them. How strongly one provider’s data should influence threat confidence relative to another’s depends on multiple factors, but clearly the data from a provider that is directly involved in a botnet should be judged differently from that of a provider that is not.
The source and their methods are a fundamental aspect of providing improved threat confidence.
Layer 5: Analyst
The role of the human threat analyst, and the analysis they provide to enrich raw threat intelligence data, cannot be overstated. Having automated means to gather network, application and user observations and provide them to humans for analysis is crucial. But there is a limit to automation, as human knowledge and experience have yet to be captured by programmatic means. It is crucial to have human analysts as part of any threat confidence model that produces threat confidence for consumption by other security teams.
Many threat characteristics are known within organizations only informally, passed on by word of mouth, and are not easily determined by programs. This type of information guides analysis and outcomes. Having the analyst customize and annotate the observations is therefore a critical aspect of making the information relevant and actionable to an organization.
Threat confidence annotation and customization by the experienced human threat analyst is critical.
Layer 6: Workflow
The final layer in our model for threat confidence is not really a layer in itself but one that connects and penetrates layers 1-5: it requires threat confidence to be integrated into an organization’s processes and security environment. Threat confidence and relevant data are of limited use if they cannot be acted upon quickly and effectively, without delays and dead ends.
There are two factors that drive the usefulness of threat confidence:
- Easy consumption of threat confidence by other systems and
- Easily interpreted and actionable results.
Easy consumption of threat confidence requires identifying the systems (or human threat analysts) that receive the confidence data, the intended outcome and the means by which consumption occurs. For example, an automated decision to block a specific communication at a firewall requires certain information (such as IP, protocol, ports, payload, etc.) so that the firewall does not unnecessarily block traffic that has no relevance to the threat. Similarly, if the intended outcome is for a human analyst to brief an executive, then the information and its presentation must be suitably formatted.
Explanation of threat confidence is a critical factor for both meaningful analysis and consumption of threat confidence. Providing a recommendation without suitable evidence to support it requires a level of trust from the consumer to the provider that typically does not exist in the threat intelligence world. The consumption of threat confidence information requires full exposure of all the evidence that was gathered to determine the level of threat confidence.
Finally, when the evidence was gathered, when it was applied to the threat confidence, and how its weight changes as time passes are critical to giving the consumer what they need to make effective decisions in their security assessment.
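The source-and-methods weighting described under Layer 4, the exposure of all supporting evidence, and the effect of time described in the last two paragraphs can be brought together in a small scoring routine. The following is an added illustration written for this article, not LookingGlass code: the provider names, their reliability weights, the 30-day half-life, the sample observations and the combination rule (noisy-OR of malicious evidence, discounted by benign evidence) are all assumptions chosen for the example, and a real scoring model would tune each of them.

```python
"""Threat confidence for one indicator: provider reliability, evidence trail, time decay.

Added example (not LookingGlass code). Provider names, reliability weights,
the half-life and the sample observations are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed reliability per provider, reflecting how each observes threats: a
# sinkhole operator sits inside the botnet, an endpoint vendor sees only the
# effect on hosts, an unvetted open feed is weakest, and an in-house analyst
# annotation (Layer 5) is trusted fully.
PROVIDER_RELIABILITY = {
    "sinkhole-operator": 0.9,
    "endpoint-av": 0.6,
    "open-feed": 0.3,
    "analyst": 1.0,
}
UNKNOWN_PROVIDER_RELIABILITY = 0.1  # evidence from an unknown source counts very little


@dataclass(frozen=True)
class Observation:
    indicator: str
    layer: str            # network | application | user
    provider: str
    method: str           # how the provider obtained it (its process)
    observed_at: datetime
    malicious: bool       # True = positive (threat) observation, False = negative (benign)


def decay_factor(observed_at, now, half_life_days):
    """Exponential decay: an observation loses half its weight every half_life_days.
    A timestamp in the future is clamped to full weight rather than amplified."""
    age_days = max(0.0, (now - observed_at).total_seconds() / 86400.0)
    return 0.5 ** (age_days / half_life_days)


def threat_confidence(observations, now, half_life_days=30.0):
    """Return {'confidence': float in [0, 1], 'evidence': [...]} for observations
    about one indicator. Malicious observations combine noisy-OR style (as if
    from independent sources); benign observations discount the result the same
    way; and every input is echoed back with its weight so the consumer can
    audit how the verdict was reached."""
    not_malicious = 1.0   # product of (1 - weight) over positive observations
    not_benign = 1.0      # product of (1 - weight) over negative observations
    evidence = []
    for obs in observations:
        reliability = PROVIDER_RELIABILITY.get(obs.provider, UNKNOWN_PROVIDER_RELIABILITY)
        decay = decay_factor(obs.observed_at, now, half_life_days)
        weight = reliability * decay
        if obs.malicious:
            not_malicious *= 1.0 - weight
        else:
            not_benign *= 1.0 - weight
        evidence.append({
            "layer": obs.layer, "provider": obs.provider, "method": obs.method,
            "observed_at": obs.observed_at.isoformat(),
            "age_days": round((now - obs.observed_at).total_seconds() / 86400.0, 1),
            "reliability": reliability, "decay": round(decay, 3),
            "weight": round(weight, 3),
            "verdict": "malicious" if obs.malicious else "benign",
        })
    support = 1.0 - not_malicious
    counter = 1.0 - not_benign
    return {"confidence": round(support * (1.0 - counter), 3), "evidence": evidence}


# Constructed observations about one hypothetical C2 address (TEST-NET-3).
UTC = timezone.utc
AS_OF = datetime(2016, 2, 16, tzinfo=UTC)   # the post date, used as "now"
SAMPLE_OBSERVATIONS = [
    Observation("203.0.113.45", "network", "sinkhole-operator",
                "sinkholed bot received a C2 beacon from this address",
                datetime(2016, 2, 15, tzinfo=UTC), True),
    Observation("203.0.113.45", "application", "endpoint-av",
                "host AV saw an outbound connection after infection",
                datetime(2016, 1, 17, tzinfo=UTC), True),
    Observation("203.0.113.45", "user", "open-feed",
                "address listed as shared hosting, owner unverified",
                datetime(2016, 2, 14, tzinfo=UTC), False),
]


def example():
    """Score the constructed observations as of the post date."""
    return threat_confidence(SAMPLE_OBSERVATIONS, AS_OF)


def example_after(days):
    """Re-score the same evidence `days` later to show the effect of time."""
    return threat_confidence(SAMPLE_OBSERVATIONS, AS_OF + timedelta(days=days))


if __name__ == "__main__":
    import json
    print(json.dumps(example(), indent=2))
    print("one year later:", example_after(366)["confidence"])
```

With these assumptions the day-old sinkhole observation dominates (weight 0.879), the month-old endpoint report contributes half its reliability (0.3), the conflicting open-feed entry pulls the result down, and the indicator scores about 0.65; re-scoring the unchanged evidence a year later yields a confidence near zero, which is the decay a consumer needs to see before acting on old data.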
Threat confidence can be an extremely powerful indicator to determine the relevancy of threat to an organization. To establish accurate threat confidence, a comprehensive approach encompassing network, applications, users, observations, analysts and workflow is required.
Use Threat Intelligence to “Know More. Risk Less. Act Confidently.”