Posted March 16, 2016
By Allan Thomson, LookingGlass Chief Technology Officer
In the last few weeks I wrote a series of blogs discussing the importance of threat intelligence, how to use it to reduce your risk profile, and how to leverage LookingGlass’ Threat Indicator Confidence model. Today, I’m going to provide a more in-depth explanation about this model.
One of the critical drivers that led us to create the Threat Indicator Confidence model was our realization that at the core of all security technologies is a goal to stop threats from manifesting. As a result, we believe that focusing on innovation and technologies designed around threats will naturally address all aspects of a threat’s lifecycle.
How did we become threat centric? By characterizing threats we investigated how they are created, behave, and morph, as well as how they are distributed and manifested in target environments. Focusing on these aspects allowed us to deliver technologies that could provide threat detection and mitigation not solely based on Indicators of Compromise (IOC), but also on the full set of available intelligence.
Understanding what Internet threats are targeting your organization is a key part of the overall threat picture. Ideally, threats are stopped before becoming activated inside your perimeter but that is not always possible. A critical aspect of being threat centric is the ability to detect and mitigate threats that may have already breached the interior of your network.
Correlating network telemetry collected by the switches and routers inside the perimeter gives the security operations team vital insight into threats. It’s important to note that today’s perimeter is a constantly changing boundary, shaped by the application and network virtualization that comes with cloud services and other externally available services.
Below are some steps to consider when correlating threat intelligence with network telemetry.
Step 1: Assess Organizational Threat Posture
Are any of my internal assets communicating with sites on the Internet that have been identified as having an elevated threat confidence score (i.e. higher risk)?
Your network telemetry data should be able to provide information such as which sites internal hosts are communicating with, the protocols, ports, and URLs involved, byte counts for each flow, and the time of communication. By correlating the telemetry data with global threat intelligence that identifies the IP addresses and domain names of malicious sites, an overall picture of the threats occurring in an organization’s environment is formed. Without the context that global threat intelligence provides, you are left with many unanswered questions about those communications.
If any internal asset is found to be communicating with elevated threat confidence sites, move on to these next steps.
Step 2: Identify Potential Compromised Assets
What threat intelligence is available on the external site regarding its malicious behavior? Is it a command & control (C2) server? Is it a web server hosting malware? What protocols did the internal asset access that site using?
As shown below, the internal host (in blue) was communicating with a site (in red) that was acting as a C2 server for a known botnet. The threat intelligence provides information on that site as well as an elevated threat indicator confidence score.
Step 3: Understand the Full Context of Communication Between the Compromised Asset and the Internet
Were other external sites communicated with after the initial communication with the compromised site? Are there any indications of what those other sites do?
By investigating the sequence of flows it may be possible to understand the nature of the threat.
Step 4: Identify Any Data Exfiltration or Impact on the Compromised Asset
How much traffic has been sent and received between that asset and the identified site?
Was there a large amount of data communicated? Were there small amounts of data sent over long-running sessions? Who initiated the connections, and over which protocols (user datagram protocol [UDP], transmission control protocol [TCP], etc.)? Were there any obvious holes in external firewalls?
When did this traffic start, and when did it end?
Is this threat active or has it only been active in the past? A critical aspect of threat detection is having the capability to do both real-time and historical analysis of threat intelligence.
Today’s threat intelligence about the global Internet is most likely different from what was known 30 or 60 days ago. Is there intelligence that shows previous communication from an internal asset to the potentially malicious site?
Step 5: Identify the Spread of Any Threat Within the Perimeter
For an identified internal host, which other internal hosts is it communicating with? Did that communication occur before or after the identified risky communications?
After identifying that an internal asset has been compromised, security operations teams must understand the extent of the threat to plan a response. This includes understanding whether an infected asset could have spread its infection to other internal assets.
With a global perspective of all communications from internal assets to the Internet, correlated with threat intelligence, a threat analyst can determine whether any other internal assets were communicating with those sites.
Step 6: Repeat Steps 2-5 for Each Compromised Asset
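To make Steps 1 through 5 concrete, here is an added example (not code from LookingGlass or the original post) that correlates a few constructed flow records with a constructed indicator feed carrying confidence scores. The 70-point "elevated" threshold, the byte and session-length thresholds, and the 10.0.0.0/8 internal range are assumptions for the illustration.

```python
# Added example (not from the original post): correlating constructed flow
# telemetry with a constructed threat-intel feed, following Steps 1-5.

# Constructed threat-intel feed: indicator -> (behavior type, confidence 0-100).
THREAT_INTEL = {
    "203.0.113.10": ("c2", 92),
    "198.51.100.7": ("malware-host", 75),
    "192.0.2.40": ("benign", 5),
}
CONFIDENCE_THRESHOLD = 70  # assumption: "elevated" means a score of 70 or more

# Constructed flow telemetry: (src, dst, proto, dport, bytes, start_ts, end_ts).
FLOWS = [
    ("10.0.0.5", "192.0.2.40", "tcp", 443, 4_000, 100, 101),
    ("10.0.0.5", "203.0.113.10", "tcp", 8443, 900, 120, 5_000),    # long beacon
    ("10.0.0.5", "198.51.100.7", "tcp", 80, 2_500_000, 130, 140),  # large transfer
    ("10.0.0.5", "10.0.0.9", "tcp", 445, 60_000, 150, 152),        # internal contact
    ("10.0.0.9", "203.0.113.10", "tcp", 8443, 800, 200, 4_000),    # spread to 2nd host
    ("10.0.0.7", "192.0.2.40", "udp", 53, 300, 90, 90),
]

def is_internal(ip):
    return ip.startswith("10.")  # assumption: 10.0.0.0/8 is the internal range

def correlate(flows, intel, threshold=CONFIDENCE_THRESHOLD):
    """Per-asset findings for internal hosts that contacted elevated-confidence sites."""
    findings = {}
    for src, dst, proto, dport, nbytes, start, end in sorted(flows, key=lambda f: f[5]):
        if not is_internal(src) or is_internal(dst):
            continue                      # only internal -> Internet flows (Step 1)
        kind, conf = intel.get(dst, ("unknown", 0))
        if conf < threshold:
            continue
        f = findings.setdefault(src, {"first_hit": start, "sites": {},
                                      "bytes": 0, "longest_session": 0})
        f["sites"][dst] = (kind, conf, proto, dport)   # Step 2: what is that site?
        f["bytes"] += nbytes                            # Step 4: volume exchanged
        f["longest_session"] = max(f["longest_session"], end - start)
    for host, f in findings.items():
        # Steps 3 and 5: everything the asset talked to after its first elevated contact
        later = [fl for fl in flows if fl[0] == host and fl[5] >= f["first_hit"]]
        f["later_external"] = sorted({fl[1] for fl in later if not is_internal(fl[1])})
        f["internal_contacts"] = sorted({fl[1] for fl in later if is_internal(fl[1])})
        f["flags"] = [name for name, hit in (      # assumed triage thresholds
            ("large-transfer", f["bytes"] >= 1_000_000),
            ("long-session", f["longest_session"] >= 3600)) if hit]
    return findings
```

Each host in the returned dict is a candidate for Step 6, and an internal contact that itself appears as a key (10.0.0.9 here) is the spread pattern Step 5 looks for.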
Here’s an example of the power of global threat intelligence correlation.
Impact of Threat Intelligence Correlation
For an organization with 1,000 networked assets, global threat intelligence can reduce the network telemetry that needs threat analysis from 115,000,000 flows down to 180,000 flows for an 8-hour period, a 99.999% reduction in traffic inspection based on correlation with threat intelligence and enhanced by Threat Indicator Confidence.
Without global threat intelligence and internal perimeter telemetry, the threat team is left to assess every flow that communicates with the global Internet. This is a significant task, and without some automation to identify relevant threats, it will likely leave analysts unable to identify threats.