Threat Intelligence Blog

Eric Olson, Cyveillance’s Vice President of Product Strategy, recently hosted a webinar on Turning Data into Threat Intelligence. Here are some of the highlights:

Most Threat Intelligence…Isn’t

While data is potentially useful, it is not intelligence until some process is applied that turns raw data into something usable. Intelligence comes from human analysts who have reviewed the information and supplied its context.

[Slide: threatintel1]

Defining Threat Intelligence

There’s a difference between data and information, and between information and intelligence. If information is readable and interesting but doesn’t apply to the security professional and their business objective, then it’s not relevant and it’s not intelligence. Threat intelligence must be relevant, actionable, and valuable.

[Slide: threatintel2]

The Analyst’s Task

The cyber analyst’s job falls into the following categories: watch the horizon, watch the doors, and find out what happened after an incident. All of this comes amidst an ever-expanding set of online languages, formats, and sources to worry about.

[Slide: threatintel3]

Case Study

When investigating a scenario like the one above, there are several points to keep in mind:

  • Providing context around a domain name
  • Level of potential risk
  • What next steps should be taken
  • What should be communicated to management

[Slide: threatintel4]

Using a Cyber Threat Center

[Slide: threatintel5]

Using our Cyber Threat Center, for instance, analysts can draw on three main components: client intelligence, global intelligence, and the Analyst’s Toolbox. We’ll be focusing on the Analyst’s Toolbox, which provides the tools for just this kind of investigation. The toolbox includes a database of about 200 million domain names; information on malware, phishing, and malicious URLs; and ISP geo-location.

Since this was a Phishing Attack, We Start with the Phishing Database

[Slide: threatintel6]

In this instance, the target search returned 219 matches, beginning in 209; these are documented cases of phishing on this same domain. If we take these matches and filter them by target, we see they span a broad range of industries, countries, and languages.

In Less than Five Minutes, We Learned the Following

[Slide: threatintel7]

But More Data Isn’t Always Better

A key skill for an analyst is knowing when you have enough information, or when nothing valuable is available. You need enough information to allow a decision to be made. There are other lines of inquiry you may wish to explore, such as malware history, linkages and contacts, and third-party corroboration.

[Slide: threatintel8]

We Now Have Plenty of Data. Let’s Create Intelligence

[Slide: threatintel9]

...and here’s what we’d conclude:

[Slide: threatintel10]

And Finally, You Can Make Some Recommendations

[Slide: threatintel11]

If you’d like to watch the webinar in its entirety, it’s available on demand here.