Posted October 31, 2014
Eric Olson, Cyveillance’s Vice President of Product Strategy, recently hosted a webinar on Turning Data into Threat Intelligence. Here are some of the highlights:
Most Threat Intelligence…Isn’t
While data is potentially useful, until some process is applied that turns raw data into something useable, it’s not intelligence. Intelligence comes from human analysts who have reviewed this information for context.
Defining Threat Intelligence
There’s a difference between data and information, and between information and intelligence. If information is readable and interesting but doesn’t apply to the security professional and their business objective, then it’s not relevant and it’s not intelligence. Threat intelligence (evidence-based knowledge about an existing hazard, designed to help organizations make informed decisions about their response to the threat) must be relevant, actionable, and valuable.
The Analyst’s Task
The cyber analyst’s job falls into the following categories: watch the horizon, watch the doors, and find out what happened after an incident. All of this comes amidst an ever-expanding set of online languages, formats, and sources to worry about.
When investigating a scenario like the one above, there are several points to keep in mind:
- Providing context around a domain name
- Level of potential risk
- What next steps should be taken
- What should be communicated to management
Using a Cyber Threat Center
Using our Cyber Threat Center, for instance, analysts can utilize three main components: client intelligence, global intelligence, and the Analyst’s Toolbox. We’ll be focusing on the Analyst’s Toolbox, which provides the tools for just this kind of investigation. The toolbox includes a database of about 200 million domain names; information on malware (software intended to damage or disable computers and computer systems), phishing (the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers), and malicious URLs; and ISP geo-location.
Since this was a Phishing Attack, We Start with the Phishing Database
In this instance, the target search returned 219 matches, beginning in 209; these are documented cases of phishing on this same domain. If we take these matches and filter them by target, we see they span a broad range of industries, countries, and languages.
In Less than Five Minutes, We Learned the Following
But More Data Isn’t Always Better
A key to being an analyst is knowing when you have enough information or if there isn’t anything valuable available. You need enough information to allow a decision to be made. There are other lines of inquiry you may wish to explore, such as malware history, linkages and contacts, and third-party corroboration.
We Now Have Plenty of Data. Let’s Create Intelligence
…and here’s what we’d conclude:
And Finally, You Can Make Some Recommendations
If you’d like to watch the webinar in its entirety, it’s available on demand here.