Threat Intelligence Blog

Posted October 31, 2014

Eric Olson, Cyveillance’s Vice President of Product Strategy, recently hosted a webinar on Turning Data into Threat Intelligence. Here are some of the highlights:

Most Threat Intelligence…Isn’t

While data is potentially useful, until some process is applied that turns raw data into something usable, it's not intelligence. Intelligence comes from human analysts who have reviewed this information for context.


Defining Threat Intelligence

There's a difference between data and information, and between information and intelligence. If information is readable and interesting but doesn't apply to the security professional and their business objective, then it isn't relevant and it isn't intelligence. Threat intelligence (evidence-based knowledge about an existing hazard, intended to help organizations make informed decisions about their response to the threat) must be relevant, actionable, and valuable.


The Analyst’s Task

The cyber analyst’s job falls into the following categories: watch the horizon, watch the doors, and find out what happened after an incident. All of this comes amidst an ever-expanding set of online languages, formats, and sources to worry about.


Case Study

When investigating a scenario like the phishing case walked through in the webinar, there are several points to keep in mind:

  • The context around the domain name
  • The level of potential risk
  • What next steps should be taken
  • What should be communicated to management


Using a Cyber Threat Center


Using our Cyber Threat Center, for instance, analysts can draw on three main components: client intelligence, global intelligence, and the Analyst's Toolbox. We'll focus on the Analyst's Toolbox, which provides the tools for just this kind of investigation. The toolbox includes a database of about 200 million domain names; information on malware, phishing, and malicious URLs; and ISP geo-location.

Since this was a Phishing Attack, We Start with the Phishing Database


In this instance, the target search returned 219 matches, beginning in 209; these are documented cases of phishing on this same domain. If we filter these matches by target, we see they span a broad range of industries, countries, and languages.
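An added example (not code from the webinar or from Cyveillance's tooling) of the filtering step just described: given constructed phishing-database records for a domain, it aggregates them by target and then applies a relevance check so the counts become a risk statement rather than raw data. The record fields, domain names and thresholds are assumptions.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class PhishRecord:
    """One documented phishing case from the database search (assumed fields)."""
    domain: str
    first_seen: str      # ISO date, YYYY-MM-DD
    target_brand: str
    industry: str
    country: str
    language: str


# Constructed sample search results; the domains and targets are not real data.
SAMPLE_RECORDS = [
    PhishRecord("example-bad.test", "2009-03-12", "BankA", "Financial", "US", "en"),
    PhishRecord("example-bad.test", "2011-07-01", "PayCo", "Payments", "GB", "en"),
    PhishRecord("example-bad.test", "2013-10-20", "TelcoB", "Telecom", "BR", "pt"),
    PhishRecord("example-bad.test", "2014-02-05", "BankA", "Financial", "US", "en"),
    PhishRecord("other.test", "2014-05-05", "RetailX", "Retail", "DE", "de"),
]


def summarize_domain(records, domain):
    """Filter the search results to one domain and break them down by target."""
    hits = [r for r in records if r.domain == domain]
    if not hits:
        return None
    return {
        "matches": len(hits),
        "first_seen": min(r.first_seen for r in hits),
        "last_seen": max(r.first_seen for r in hits),
        "by_industry": dict(Counter(r.industry for r in hits)),
        "countries": sorted({r.country for r in hits}),
        "languages": sorted({r.language for r in hits}),
    }


def assess(summary, own_industry, own_country):
    """Turn the breakdown into what management needs: is it relevant to us, and how risky?"""
    if summary is None:
        return {"relevant": False, "risk": "unknown", "reason": "no phishing history on record"}
    relevant = own_industry in summary["by_industry"] or own_country in summary["countries"]
    years_active = int(summary["last_seen"][:4]) - int(summary["first_seen"][:4])
    broad = len(summary["by_industry"]) >= 3          # assumed threshold for "broad targeting"
    risk = "high" if relevant and (broad or years_active >= 2) else "medium" if (relevant or broad) else "low"
    reason = f"{summary['matches']} recorded cases across {len(summary['by_industry'])} industries, active {years_active}+ years"
    return {"relevant": relevant, "risk": risk, "reason": reason}
```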

In Less than Five Minutes, We Learned the Following


But More Data Isn’t Always Better

A key skill for an analyst is knowing when you have enough information, or when there is nothing valuable to be found. You need enough information for a decision to be made. There are other lines of inquiry you may wish to explore, such as malware history, linkages and contacts, and third-party corroboration.


We Now Have Plenty of Data. Let’s Create Intelligence


...and here's what we'd conclude:


And Finally, You Can Make Some Recommendations



If you’d like to watch the webinar in its entirety, it’s available on demand here.
