Posted February 1, 2017
The cyber landscape is constantly evolving, and in turn, security products need to evolve with it. One of the most common questions cyber security professionals have is how to stop real-time threats with the limited resources at their disposal. There is a cost for tools, processes and manpower. As CISOs and VPs of Security Operations know, skilled security professionals are hard to come by, and finding those with Threat Intelligence operational experience is even harder.
Yesterday, LookingGlass launched the ScoutShield™ Threat Intelligence Gateway designed to specifically address these problems.
ScoutShield is part of a new category of security infrastructure, the Threat Intelligence Gateway (TIG), designed to work with firewalls to identify and stop rapidly emerging threats and significantly improve an organization’s ability to respond to attacks in real-time. Data breaches, IP theft and stolen credentials are all major concerns for organizations and a Threat Intelligence Gateway can help disrupt or stop these threats completely.
Not only does this security solution speed up attack mitigation response times, it also addresses the common challenge of how inefficiently and ineffectively threat-intelligence-driven rules are deployed to the security infrastructure. Many security professionals don’t believe their threat intelligence is accurate and actionable, or that real-time threat intelligence solutions can solve their problems. As a result, they remain unconvinced that their network security devices should be updated based on un-vetted threat intelligence rules. This leaves security teams with the responsibility of reviewing all threat intelligence before deciding whether to push firewall or IDS changes – wasting valuable time. This method is also error-prone: as the volume of threat intelligence data continues to increase, security teams will continuously have to review it and make business-critical decisions without the necessary skills or insights. Ultimately, the real problem is the organization’s threat intelligence tools and how they are deployed.
With a TIG, security professionals can now deploy enhanced threat response (including rules) without having to impact or change their existing traditional security tools such as firewalls, IDS and web content inspection.
A typical deployment (as shown below) places the TIG inline on the network data plane, complementing the existing security infrastructure.
The TIG adds a level of protection as it is invisible in the network path, unlike traditional firewalls, making it harder for adversaries to discover and avoid deployed detection capabilities.
TIG Key Technologies:
Machine-Readable Threat Intelligence (MRTI)
- Highly actionable, analyst-vetted feeds supporting broad and deep coverage across a variety of malicious activity including Command and Control (C2) servers.
- Automatically integrates multiple MRTI feeds pre-vetted by analyst teams.
Threat Intelligence Gateway (TIG)
- An inline inspection and mitigation appliance that supports up to 10Gbps line rate and performs per-packet correlation with MRTI.
- A key part of a TIG deployment is having real-time mitigation integration with MRTI to ensure that threats are mitigated within minutes of identification.
Threat Intelligence Platform (TIP)
- An optional component that allows organizations to customize and further refine the MRTI that drives the mitigation steps taken by the TIG.
When using Machine Readable Threat Intelligence (MRTI), the set of threat intelligence data is highly automated and human-vetted before it is pushed to the TIG. For machine-to-machine automation, threat intelligence is shared using the OpenTPX JSON structure so that the TIG can easily process the data.
Examples of MRTI key feeds:
Malicious C2 Domains
- A blacklist of 100% known C2 botnet servers.
- On outbound traffic streams from the organization, Malicious C2 Domains stop any internal assets that may have been infected by malware from reaching the C2. This stops further compromise from occurring, while allowing the security operations team to identify and clean up the infected asset.
- On inbound traffic streams, this blocks C2 servers reaching back into the internal network if the perimeter security infrastructure has somehow allowed external domains to establish connections through the perimeter firewall.
- Here’s an OpenTPX snippet of a malicious C2 Domain and associated context that can be actioned immediately to block the content:
Phishing URLs
- A list of global phishing URLs.
- On outbound traffic streams from the organization, Phishing URLs stop internal assets from connecting to sites that would try to download malware or infect the internal assets. This may occur where the asset has received spear-phishing emails or visited web-sites with phishing URLs embedded, often hidden in images or obfuscated by content, to avoid human detection on the asset.
- Here’s an OpenTPX snippet of a phishing URL threat and associated context that can be actioned immediately to block the content:
Malicious URLs
- A list of global malicious URLs.
- A malicious URL is both the domain and any associated sub-elements of the URL that identify the specific details to act on.
- On outbound traffic streams from the organization, Malicious URLs help stop internal assets from browsing or downloading content from known malware distribution sites.
- Here’s an OpenTPX snippet of a malicious URL threat and associated context that can be actioned immediately to block the content:
So how does a TIG integrate with existing security environments? Let’s look at some simple deployments before and after a TIG is integrated into the operational environment:
Threat Detection Without TIG
The diagrams below show both outbound (intranet –> Internet) and inbound (Internet –> intranet) traffic for an organization where the perimeter firewall inspects traffic. The default policy for traffic in this scenario is implicit “deny” from outside to inside, and implicit “allow” from inside to outside.
Threat Detection With TIG
A TIG is typically deployed behind the firewall and complements it. The diagram below shows a key advantage of a TIG. By default, the TIG has an implicit “allow” policy for forwarding traffic and therefore only denies traffic that matches the threat intelligence, dropping outbound malicious traffic before it reaches the firewall. This has the additional advantage of offloading from the firewall the processing of traffic that has already been identified as malicious.
The diagram below shows how the TIG adds a further level of threat detection behind the perimeter firewall. This provides the ability to deny inbound packets that have slipped past the firewall because they originate from known bad sources that the MRTI identifies as harmful.
The next diagram shows how the TIG can be integrated with additional local threat intelligence and local prioritization if the organization has the need to add additional actionable threat intelligence for the TIG to mitigate:
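To make the policy described above concrete, here is an added example (not LookingGlass code, and not the OpenTPX format) that models how an inline gateway with an implicit allow policy correlates outbound and inbound flows against the three feed types listed earlier, with a local prioritization list layered on top; every feed entry, hostname and flow is constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed MRTI feed entries standing in for the three feed types the post names.
# Real feeds arrive as OpenTPX JSON; these plain sets only model the match logic.
C2_DOMAINS = {"c2-alpha.example", "beacon.example.net"}
PHISHING_URLS = {"http://login-secure.example/verify"}
MALICIOUS_URLS = {"http://downloads.example.org/update.exe"}
# Local prioritization supplied by the organization (the optional TIP step).
LOCAL_DENY = {"partner-compromised.example"}
LOCAL_ALLOW = {"beacon.example.net"}  # a feed hit the SOC has investigated and cleared

def normalize_url(url):
    """Canonical scheme://host/path so case, query strings and fragments can't dodge a match."""
    p = urlsplit(url.strip().lower())
    return f"{p.scheme}://{p.hostname}{p.path or '/'}"

PHISH_NORM = {normalize_url(u) for u in PHISHING_URLS}
MAL_NORM = {normalize_url(u) for u in MALICIOUS_URLS}

def domain_hit(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)

def decide(direction, src, dst, url=None):
    """Per-flow correlation with the feeds. Returns (verdict, reason).
    Default policy is implicit allow; only an intelligence hit produces a deny."""
    # The remote side is the destination for outbound flows and the source for inbound.
    remote = (dst if direction == "outbound" else src).lower()
    if domain_hit(remote, LOCAL_ALLOW):
        return "allow", "local allow override"
    if domain_hit(remote, LOCAL_DENY):
        return "deny", "local deny list"
    if domain_hit(remote, C2_DOMAINS):
        return "deny", f"{direction} match on Malicious C2 Domains"
    if direction == "outbound" and url:  # URL feeds only apply to outbound browsing
        n = normalize_url(url)
        if n in PHISH_NORM:
            return "deny", "match on Phishing URLs"
        if n in MAL_NORM:
            return "deny", "match on Malicious URLs"
    return "allow", "no intelligence match"

# Constructed flows: (direction, src, dst, url)
FLOWS = [
    ("outbound", "ws-042.corp.example", "c2-alpha.example", None),
    ("inbound", "c2-alpha.example", "10.0.5.7", None),
    ("outbound", "ws-042.corp.example", "login-secure.example", "HTTP://Login-Secure.example/verify?u=1#x"),
    ("outbound", "ws-042.corp.example", "beacon.example.net", None),
    ("outbound", "ws-042.corp.example", "news.example", "http://news.example/today"),
]

def run(flows=FLOWS):
    return [decide(*f) for f in flows]
```

Logging each (verdict, reason) pair per flow is what lets the SOC find and clean the infected asset after the gateway has blocked its beacon.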
In a Nutshell
At a time when skilled security experts are scarce, CISOs and VPs of Security Operations must find ways to secure their organizations with the resources at their disposal. Threat Intelligence Gateways help alleviate this problem by increasing an organization’s ability to respond to real-time threats in a more effective and efficient manner.
Please reach out to me (@Tweet_A_T) or the LookingGlass team for more information, or leave a comment on this blog!