Threat Intelligence Blog

Posted October 24, 2018

Imagine if our national electrical grid were to stop functioning with no immediate hope of re-establishment. The likelihood of such an event might not seem high but the impact on every home, business, and person in the nation would be significant.

The widespread ramifications of such an attack are the very reason why our nation’s critical infrastructure – electric grids, power plants, etc. – is a prime terrorist target for those intending to cause significant harm to our nation and, at a minimum, propagate fear and mass hysteria.

Having worked in the cybersecurity industry for more than three decades, and as LookingGlass’ CTO, there is nothing more important to me or our company than using every available asset and capability to provide our critical infrastructure providers with enhanced security against these types of attacks.

So, with the stakes set high, let me introduce what LookingGlass views as key ways to fortify critical infrastructure providers’ security posture.


Insight #1: Know the adversary and the target(s)

The first step is always to know the who, what, why, and how of an adversary's attack. The mitigation response for one risk or actor group may not apply to another group. Some actors may be interested in fraud (via system data manipulation), whereas others may be motivated to sabotage or cause harm, with intent to disrupt operational systems and render them useless. Depending on the target and outcome, the actors may use similar tactics, techniques, and procedures (TTPs) or potentially different TTPs. All of this reinforces the importance of quality intelligence so you can better profile and understand potential adversaries and their objectives.

Consider developing a matrix similar to the one below that identifies high-level motives and use that matrix to develop strategies on threat response across each identified motive.

Figure: High-Level Adversary Categories and Objectives




Actor Example: NullCrew

  • Founded in 2012 to support Wikileaks founder Julian Assange
  • Responsible for multiple high profile cyberattacks
  • Preferred targets: Cable Companies & ISPs
    • Also targeted financial services companies, universities, Department of Defense, & technology companies such as Sony and ASUS
  • Members of NullCrew include: Zer0Pwn, rootcrysis, nopnc, and Siph0n
  • On February 1st, 2014, NullCrew claimed to have hacked Bell Canada and compromised their database server
  • Prior to the claim, the group published a list of leaked Bell Canada client information containing usernames, email addresses, plain-text passwords, and some credit card data


Insight #2: Understand the attack surface

Understanding the attack surface shows you where your organization is vulnerable and thus open to an attack, as well as any potential attack method. This is extremely significant when considering risk brought about by third parties.

Three aspects to scoping the attack surface are shown below.

Figure: Understanding the Intelligence Driven Attack Surface


Internet Intelligence

  • Collect the organization’s Internet points of presence and those of all related organizations. This should also include how those networks are connected and how traffic is routed to them.
  • Consider monitoring Border Gateway Protocol (BGP) for route changes as well as CIDR ownership announcements to detect either malicious reconfiguration or hijacking attempts.
  • Depending on the size of the critical infrastructure being protected, monitoring all changes and other relevant metadata (e.g. ownership/containment) for these networks could be a significant undertaking. Therefore, we recommend either planning for large-capacity data storage and processing or considering methods that focus only on specific networks and systems.
    Figure: Example of CIKR Internet POPs
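
One way to implement the BGP check described in the list above, as an added example that is not from the original post: it compares each announcement's origin AS with the expected origin for monitored prefixes and flags origin changes and unexpected more-specific routes. The prefixes, AS numbers and sample updates are constructed from documentation ranges, and the alert labels are hypothetical.

```python
import ipaddress

# Assumption: prefixes the organization and its third parties legitimately
# originate, mapped to the expected origin AS (documentation ranges only).
EXPECTED_ORIGINS = {
    "203.0.113.0/24": 64500,
    "198.51.100.0/24": 64501,
}

# Constructed sample announcements as (prefix, AS path), in the shape a
# route-collector feed might be normalized to.
SAMPLE_UPDATES = [
    ("203.0.113.0/24", [64510, 64500]),    # expected origin
    ("203.0.113.0/24", [64510, 64666]),    # same prefix, different origin
    ("203.0.113.128/25", [64511, 64500]),  # more-specific from the expected AS
    ("198.51.100.0/25", [64512, 64777]),   # more-specific from another AS
    ("192.0.2.0/24", [64510, 64520]),      # not a monitored network
]


def classify(prefix, as_path, expected=EXPECTED_ORIGINS):
    """Return a hypothetical alert label for one announcement, or None."""
    if not as_path:
        return None  # malformed update: no origin to compare
    announced = ipaddress.ip_network(prefix)
    origin = as_path[-1]  # the origin AS is the last entry in the AS path
    for monitored_str, expected_origin in expected.items():
        monitored = ipaddress.ip_network(monitored_str)
        if announced.version != monitored.version:
            continue
        if announced == monitored:
            return None if origin == expected_origin else "origin-change"
        if announced.subnet_of(monitored):
            # Longest-prefix match means a more-specific route attracts the
            # traffic, so it is flagged even when the origin AS is expected
            # (possible unplanned or malicious reconfiguration).
            if origin == expected_origin:
                return "unplanned-more-specific"
            return "more-specific-foreign-origin"
    return None


def scan(updates):
    """Return (prefix, origin AS, label) for every flagged announcement."""
    alerts = []
    for prefix, as_path in updates:
        label = classify(prefix, as_path)
        if label:
            alerts.append((prefix, as_path[-1], label))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_UPDATES):
        print(alert)
```
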



High-Quality Threat Intelligence

Once you have a well-defined understanding of what systems and processes to protect within your critical infrastructure, the next step is to collect relevant and actionable threat intelligence. There are many sources of threat intelligence that could be relevant to your critical infrastructure. Intelligence selection and refinement are a key part of maximizing the benefits to security operations. Consider choosing intelligence that can provide insight into the behaviors associated with malicious activities and any indicators (network, social, host) that can give insight into active attacks. Types of intelligence for consideration:

  • Structured Threat Intelligence
    • Malware hosting/distribution, particularly malware that has been crafted to attack Critical Infrastructure and Key Resources (CIKR) systems or that is used by actors known to attack CIKRs
    • Virus/Botnet infection known to infect CIKR systems
    • Command-and-Control activity that may be detected in any phase of the kill-chain
    • Malicious/Scanning behavior
    • Spamming or Phishing observed that would target users or systems within CIKRs
    • Questionable Asset Use within CIKR networks or connected networks
    • Emergent vulnerabilities specifically relevant to CIKR systems
    • Malware network parameters and malicious certificate information that can be used to detect such behavior
  • Unstructured Threat Intelligence
    • Compromised Account Credentials of organization admins and known third parties that are responsible for CIKR maintenance
    • Reported breaches of third parties, especially those that are responsible for some aspect of CIKR systems
    • Vulnerabilities found/announced in a third party’s product that could be used to attack the CIKR environment
    • Suspicious domain registrations & spear phishing exposure that would result in attacks being launched against CIKR infrastructure identified during the internet intelligence phase.
Figure: Example of Unique Threat Types and Threat Instances


Connecting Human & Machine Insight

Intelligence derived from machine correlation of raw security data alone might not yield the same results as an effective machine + human intelligence combination can provide. Machine algorithms can be effective at processing large volumes of data and well-known patterns that can be easily computed without ambiguity. In some cases, machine algorithms can learn to improve their function provided sufficient data (training data) and appropriate learning algorithms are applied with suitable guidance from skilled experts.

However, the human being may also have context that the machine does not (data gaps). We can fill those gaps with human analysis for additional understanding and insight that is not easily quantified into a program. Additionally, the human element can identify multi-factor context and relationships across unrelated network behaviors that machine-learning systems would not identify with sufficient accuracy without substantial effort.

For critical infrastructure protection, having human expertise complement machine-driven analysis is a vital check-and-balance for both detection and response, especially when making automated decisions to mitigate threats driven by intelligence.

Figure: Aggregated Threat Risk Across CIKR Sectors


Insight #3: Profile and identify the (weakest) links

For many critical infrastructure providers, the weakest link in their attack surface may not be their own organization but a third-party provider or supply chain organization on which they rely. The risk introduced by organizations that are not directly managed by your organization is highly dependent on the relationship those organizations have to the business operations and their access to critical systems. If a third-party organization has admin rights to control or monitor critical infrastructure systems, that organization carries the same risk of becoming a target as the primary owner of the equipment.

Continuous monitoring and assessment of third parties and supply chain organizations should be built into your security program to bring awareness and active response to weak spots in your attack surface. Consider the following questions when assessing third parties:

  1. Do we know and understand active application vulnerabilities in our own org as well as our third parties?
  2. Can a third party be used to attack our infrastructure? If yes, what are the detection and response strategies for such an attack and how do they differ from an external adversary?
  3. Do we know what data has been leaked from our third parties or supply chain? If a third party is compromised how can that impact our own security posture?

Here are some key elements to monitor for both your organization and all third party vendors:

  • Network Footprint
  • System Compromises & Infections
  • Account Compromises
  • External Facing Vulnerabilities
  • Domain & Spear Phishing Risk
  • Intelligence Indications & Warnings


Insight #4: Effective Business Process Integration

One of the key factors in improved CIKR protection is how well the threat intelligence practice is integrated into the business processes that manage those CIKR systems. What matters is not just what data is collected but how efficiently data is refined, how effectively data is enriched, and how the subsequent processing can effect changes to the security response of the organization.

This is particularly important when CIKR networks provide potentially life-saving services and the processes to identify and respond to threats to those networks must be highly efficient and responsive. Data-processing systems and workflow processes do not exist in isolation from each other, and organizations must implement methods that connect those elements with the data in a meaningful manner that supports the security team and its operations.

The security team should focus on reducing incident time to resolution, increasing the capability of detection (and mitigation effectiveness), and improving numerous other important operational metrics driven by a mature intelligence processing model.

Figure: Example Intelligence Data to Reporting Operations Workflow


Protecting our nation’s critical infrastructure is an important issue that organizations need to prioritize. If some of the topics I outlined seem a few years down the road for your organization, then consider starting with the basics: continuously update and patch systems, regularly change passwords, train employees to identify and report cyber threats, and start building automated mitigation of known threats into your systems.

If you would like to learn more about how LookingGlass can help secure your critical infrastructure, contact me @tweet_a_t or our team @LG_Cyber.

