Posted February 23, 2017
The current number of active cyber threats is astounding. If your organization is like most, your cyber security team doesn’t have the capacity to manually detect, monitor, and defend against all of today’s known threats. Effective cyber threat management requires leveraging automation to inform decisions about when and where to take action.
Typically, threats that are targeting you in real-time take precedence over the myriad of other potential threats. However, it takes effort to determine which threats are targeting you right now, as well as which threats are likely to cause the greatest harm to your company.
Automating the correlation of network activity data with cyber threat intelligence can quickly generate knowledge about which threats are targeting you, what threat actors are responsible, and which of your assets are being targeted. It can also identify which assets may already be compromised.
The Big Picture
Threat correlation fits into a much larger picture of cyber threat management. On any given day, there are 10’s of millions of active known threats and even a medium-sized organization’s network activity can consist of billions of flows. Automation is essential for identifying attacks from known threats and discovering anomalies for deeper analyst review. An organization should be configured to continuously improve its threat management activities, feeding new threat intelligence back into its knowledge base of known threats and enhancing its understanding of evolving vulnerabilities.
The results of your threat intelligence efforts are highly dependent on the quality of inputs into your activity. Threat intelligence feeds aid in detecting known threats, and these feeds often contain indicators of compromise that are contributed by the global cyber security community. Most feeds provide a machine-readable format such as STIX (Structured Threat Information eXpression) so that threat intelligence platforms can easily ingest a wide range of information including:
- Threat Actors
- Exploit Targets
- Courses of Action
When evaluating which feeds are right for your organization, there are many factors to keep in mind. Feed information should contain rich context that helps you understand how the various vulnerabilities; indicators; actors; and tactics, techniques, and procedures (TTPs) appear to be related. Since emerging threats tend to move quickly, feeds that provide frequent updates (e.g. hourly or real-time) can be of greater value. Finally, your threat intelligence feeds should yield a broad coverage of domain names such as dark web and social media, as well as traditional Internet. Ensure that your final feed portfolio provides sufficient information to support your intelligence analysis for both automated and human processes.
However, remember that as your external threat intelligence feeds continue to pour more data into your systems, your cyber threat management teams will want to augment the threat information with what they have learned internally. Together this trove of threat indicators provides an important resource for automating detection of attacks that are targeting your organization.
Network activity contains useful information about computers and applications that are talking to each other. There are two forms of network activity that can be used for threat correlation: packets and flows.
Packet-based network activity monitoring capabilities, such as SNORT-based solutions, can examine each packet as it arrives and are available as both hardware and software products. Deep packet inspection allows known malicious signatures to be detected within the data payload, even when the source or destination of the communication is not a known threat. Unfortunately, examining each packet’s full contents for a wide range of potential threats requires massive processing power that can operate at line rates equivalent to your organization’s network bandwidth.
A more common approach is to use flow-based network monitoring solutions that provide summaries of the metadata about where groups of packets are coming from and going to. Most current switches and routers can provide network flow data in real-time without reducing the performance of the device. Data typically includes fields such as:
- Duration: start/stop timestamps
- Src/dst: MAC, IP, port
- Protocol: TCP/UDP
- Packet: count, size, TTL
This metadata provides opportunities to identify new threat intelligence indicators via detection of anomalies in network flow. For example, identification of data exfiltration actions may lead your cyber threat management team to identify indicators of a zero-day vulnerability. These indicators may then become useful for monitoring network flow for any other signs of related system infections.
Network flow data can also be used to obtain enriched information about which cyber assets might be more vulnerable (or resilient) to various attacks. In addition to understanding basic network connectivity, it can be used to infer the type of applications on a machine, which may help identify heightened risk.
Most importantly, solutions exist that examine both packet and flow data for evidence of any known threats. Indicators may come from threat intelligence feeds and from your own cyber threat management efforts. For example, if a computer on your network sends a packet containing series of bytes known to be unique to a malware file or if it is observed communicating to an IP address that is a known malware command and control node, that computer is likely infected.
This blog is part of a 2-part series from Chief Technology Officer Allan Thomson and Principal Data Scientist Dr. Jamison Day. Next week they will discuss different threat correlation techniques security professionals can use to assess attacks targeting their organizations.