Eric Olson, Cyveillance’s Vice President of Product Strategy, recently hosted a webinar on Turning Data into Threat Intelligence. Here are some of the highlights:
Most Threat Intelligence…Isn’t
While data is potentially useful, until some process is applied that turns raw data into something useable, it’s not intelligence. Intelligence comes from human analysts who have reviewed this information for context.
Defining Threat Intelligence
There’s a difference between data and information, and between information and intelligence. If information is readable and interesting but doesn’t apply to the security professional and their business objective, then it’s not relevant and it’s not intelligence. Threat intelligence must be relevant, actionable, and valuable.
The Analyst’s Task
The cyber analyst’s job falls into the following categories: watch the horizon, watch the doors, and find out what happened after an incident. All of this comes amidst an ever-expanding set of online languages, formats, and sources to worry about.
When investigating a scenario like the one above, there are several points to keep in mind:
- Providing context around a domain name
- Level of potential risk
- What next steps should be taken
- What should be communicated to management
Using a Cyber Threat Center
Using our Cyber Threat Center, for instance, analysts can utilize three main components: client intelligence, global intelligence, and the Analyst’s Toolbox. We’ll be focusing on the Analyst’s Toolbox, which provides the tools for just this kind of investigation. The toolbox includes a database of about 200 million domain names; information on malware, phishing, and malicious URLs; and ISP geo-location.
Since this was a Phishing Attack, We Start with the Phishing Database
In this instance, the target search returned 219 matches, beginning in 209. These are documented cases of phishing on this same domain. If we take these matches and filter them by target, we see they span a broad range of industries, countries, and languages.
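The pivot described above (filter a phishing database to one domain, then break the matches down by target) is a small aggregation step, and the judgement that follows is where data starts becoming intelligence. The script below is an added example, not code from the webinar or from the Cyber Threat Center; the domain names, records, and the thresholds in `assess` are all constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PhishRecord:
    """One documented phishing case from a phishing database."""
    domain: str        # domain that hosted the phishing page
    first_seen: date   # date the case was first recorded
    target_brand: str  # brand the page impersonated
    industry: str      # industry of the targeted brand
    country: str       # country of the targeted brand (ISO code)
    language: str      # language of the phishing page


# Constructed sample records for illustration only; not data from the
# webinar or from any real phishing database.
RECORDS = [
    PhishRecord("phish-host.example", date(2009, 3, 14), "FirstBank", "banking", "US", "en"),
    PhishRecord("phish-host.example", date(2010, 7, 2), "Sparkasse-Demo", "banking", "DE", "de"),
    PhishRecord("phish-host.example", date(2011, 1, 30), "ShopMart", "retail", "US", "en"),
    PhishRecord("phish-host.example", date(2012, 5, 19), "TeleBR", "telecom", "BR", "pt"),
    PhishRecord("phish-host.example", date(2013, 9, 8), "HighStreetBank", "banking", "GB", "en"),
    PhishRecord("phish-host.example", date(2014, 11, 23), "TaxOffice", "government", "US", "en"),
    PhishRecord("other.example", date(2014, 4, 1), "FirstBank", "banking", "US", "en"),
]


def summarize_domain(records, domain):
    """Filter the database to one domain and aggregate the matches by target."""
    hits = [r for r in records if r.domain == domain]
    if not hits:
        return {"domain": domain, "matches": 0}
    return {
        "domain": domain,
        "matches": len(hits),
        "first_seen": min(r.first_seen for r in hits).isoformat(),
        "last_seen": max(r.first_seen for r in hits).isoformat(),
        "targets": Counter(r.target_brand for r in hits),
        "industries": Counter(r.industry for r in hits),
        "countries": Counter(r.country for r in hits),
        "languages": Counter(r.language for r in hits),
    }


def assess(summary, min_matches=5, min_industries=3):
    """Turn the aggregated counts into a short analyst judgement.

    The thresholds are assumptions chosen for this example, not the
    webinar's. A domain with many matches spread across industries and
    countries is treated as a long-running, indiscriminate phishing host,
    which reads very differently from a single targeted incident.
    """
    if summary["matches"] == 0:
        return "no phishing history"
    broad = (len(summary["industries"]) >= min_industries
             and len(summary["countries"]) >= 2)
    if summary["matches"] >= min_matches and broad:
        return "persistent, broadly targeted phishing host"
    if summary["matches"] >= min_matches:
        return "persistent phishing host, narrow targeting"
    return "isolated incident"


if __name__ == "__main__":
    s = summarize_domain(RECORDS, "phish-host.example")
    print(s["matches"], s["first_seen"], s["last_seen"])
    print(dict(s["industries"]), dict(s["countries"]), dict(s["languages"]))
    print(assess(s))
```

The point of separating `summarize_domain` from `assess` is the webinar's own distinction: the first function only reorganises data, while the second encodes an analyst's judgement about what the spread of targets means for the organisation asking the question.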
In Less than Five Minutes, We Learned the Following
But More Data Isn’t Always Better
A key to being an analyst is knowing when you have enough information or if there isn’t anything valuable available. You need enough information to allow a decision to be made. There are other lines of inquiry you may wish to explore, such as malware history, linkages and contacts, and third-party corroboration.
We Now Have Plenty of Data. Let’s Create Intelligence
...and here’s what we’d conclude:
And Finally, You Can Make Some Recommendations
If you’d like to watch the webinar in its entirety, it’s available on demand here.