CHAPTER 3 : INCIDENT RESPONSE THREAT INTELLIGENCE GLOBAL THREAT INTELLIGENCE REPORT 2015 :: COPYRIGHT 2015 NTT INNOVATION INSTITUTE 1 LLC



THREAT INTELLIGENCE

How it applies to our clients, and discuss some of the key components and benefits of a comprehensive threat intelligence strategy. Threat intelligence, at its core, is a specific application of broader intelligence principles: the painstaking collection of data and information from many sources, context-aware analysis, intelligence production, and delivery to the intelligence consumer.

CORE INTELLIGENCE DISCIPLINES

According to the Intelligence Community (IC), there are five core intelligence disciplines:

Human Intelligence (HUMINT): the collection of information from human sources.

Open Source Intelligence (OSINT): explores, exploits and enhances generally available public information via data mining and advanced search techniques.

Signals Intelligence (SIGINT): the collection and exploitation of signals transmitted by communications systems, radar and weapon systems.

Imagery Intelligence (IMINT): geospatial information collected and processed by a variety of terrestrial, airborne or satellite-based collectors.

Measurement and Signature Intelligence (MASINT): a technical branch of intelligence which uses information gathered by technical instruments such as radars, lasers, passive electro-optical sensors, seismic and other sensors to identify targets by their distinctive signatures.

DEFINING CYBERINTELLIGENCE

Cyberintelligence (CYINT) is not one of the core intelligence disciplines, but a hybrid field which can consist of any combination, or all, of the five core disciplines. Although it can be used as a key component of cybersecurity, CYINT operates independently of the cybersecurity mission and supports a variety of operations across every sector of government and industry. It is critical for organizations to recognize the broader capabilities of this rapidly emerging field of intelligence, and how it can be used beyond identifying cyberthreat actors, technical data about vulnerabilities, malware or IP reputation data. CYINT goes beyond these narrow parameters and encompasses the analysis of actions and events associated with an organization's physical environment which can lead to forecasting digital threats.

THE INTELLIGENCE CYCLE

At NTT Group, we have helped numerous enterprises around the globe implement successful threat intelligence programs. Our holistic approach is outlined below.

1. Planning, Requirements and Direction: planning and direction for intelligence gathering includes management of the entire intelligence effort, from Priority Intelligence Requirements to the final intelligence product.

2. Collection: the threat intelligence service gathers potentially useful raw data from relevant sources.

3. Processing: the collected data is consolidated into a standardized format suitable for detailed analysis.

4. Analysis and Production: the gathered data is analyzed by subject matter experts to identify potential threats to customer environments and develop threat countermeasures.

5. Dissemination: the intelligence analysis is distributed to stakeholders to guide appropriate measures.
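As an added example (not NTT's code and not part of the report), the following Python sketch walks steps 2 through 5 of the cycle above over constructed data: three sources in three different formats are collected, the processing step normalizes them into one schema and merges duplicates while keeping source provenance, the analysis step works out where activity is concentrated and which indicators are corroborated by more than one source, and the dissemination step renders a short product. The feed formats, field names, region codes, dates and the RFC 5737 documentation addresses are all assumptions constructed for the illustration.

```python
"""Miniature threat-intelligence pipeline: collection -> processing ->
analysis -> dissemination. All feeds below are constructed sample data."""
from collections import Counter
from dataclasses import dataclass
import csv
import io
import json

# Collection inputs: three constructed sources, each in its own format.
FEED_CSV = """indicator,type,first_seen,region
203.0.113.10,ip,2015-03-01,APAC
203.0.113.10,ip,2015-03-02,APAC
198.51.100.7,ip,2015-03-02,NA
"""

FEED_JSON = json.dumps([
    {"ioc": "203.0.113.10", "kind": "ipv4", "seen": "2015-03-03",
     "geo": "apac", "note": "beacon to botnet command and control"},
    {"ioc": "malware.example", "kind": "domain", "seen": "2015-03-03",
     "geo": "apac", "note": "exploit landing page"},
])

FEED_TEXT = """# analyst notes: <region> <type> <indicator> <free-text comment>
APAC ip 203.0.113.44 observed in sinkhole logs
EMEA ip 192.0.2.9 mass scanner, low confidence
"""

# Sources disagree on type vocabulary; map every variant to one canonical value.
KIND_MAP = {"ip": "ip", "ipv4": "ip", "domain": "domain"}


@dataclass
class Indicator:
    value: str        # normalized: lower-cased, stripped
    kind: str         # normalized: "ip" or "domain"
    region: str       # normalized: upper-case region code
    first_seen: str   # ISO date; earliest across all sources after merging
    sources: set      # which feeds reported it (provenance)
    context: set      # free-text notes attached by any source


def collect(collection_date="2015-03-04"):
    """Collection: pull raw rows from each source with a per-format parser.
    Analyst notes carry no date, so they are stamped with the collection date."""
    raw = []
    for row in csv.DictReader(io.StringIO(FEED_CSV)):
        raw.append(("feed_csv", row["indicator"], row["type"], row["region"],
                    row["first_seen"], ""))
    for item in json.loads(FEED_JSON):
        raw.append(("feed_json", item["ioc"], item["kind"], item["geo"],
                    item["seen"], item.get("note", "")))
    for line in FEED_TEXT.splitlines():
        if not line or line.startswith("#"):
            continue
        region, kind, value, comment = line.split(" ", 3)
        raw.append(("analyst_notes", value, kind, region, collection_date, comment))
    return raw


def process(raw):
    """Processing: normalize field values and merge records describing the
    same indicator, keeping every source and note and the earliest sighting."""
    merged = {}
    for source, value, kind, region, seen, note in raw:
        key = (value.strip().lower(), KIND_MAP[kind.lower()])
        ind = merged.get(key)
        if ind is None:
            ind = merged[key] = Indicator(key[0], key[1], region.upper(), seen, set(), set())
        ind.sources.add(source)
        ind.first_seen = min(ind.first_seen, seen)  # ISO dates sort lexically
        if note:
            ind.context.add(note)
    return list(merged.values())


def analyze(indicators):
    """Analysis: where is activity concentrated, and which indicators were
    reported independently by two or more sources (higher confidence)?"""
    by_region = Counter(i.region for i in indicators)
    top_region, top_count = by_region.most_common(1)[0]
    return {
        "total": len(indicators),
        "by_region": dict(by_region),
        "dominant_region": top_region,
        "dominant_share": top_count / len(indicators),
        "corroborated": sorted(i.value for i in indicators if len(i.sources) >= 2),
    }


def disseminate(findings):
    """Dissemination: render the findings as a short product for consumers."""
    lines = [f"{findings['total']} unique indicators; "
             f"{findings['dominant_share']:.0%} attributed to {findings['dominant_region']}",
             "corroborated by multiple sources: "
             + (", ".join(findings["corroborated"]) or "none")]
    return "\n".join(lines)


def run_pipeline():
    return analyze(process(collect()))


if __name__ == "__main__":
    print(disseminate(run_pipeline()))
```

The point of the processing step is visible in the merge: the same address arrives twice from the CSV feed and once more from the JSON feed under a different type label, and only after normalization can the analysis step count it once while still crediting it with two independent sources.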

[Figure: The five steps in the intelligence cycle. 1. Consumer needs (planning, requirements and direction); 2. Raw information collected based on requirements; 3. Information processed and exploited; 4. Intelligence analysis and production; 5. Dissemination of product to consumer.]

INFORMATION VS. INTELLIGENCE

Despite what many security threat intelligence vendors may say, data and information are not intelligence. Let's look at an example:

Information: An exploit for a zero-day Java vulnerability is publicly released on a security mailing list. Shortly thereafter, malware is identified utilizing the vulnerability. Security vendors notify clients of this threat and provide recommendations for mitigation. This is threat information and, while useful, it is not, by definition, threat intelligence.

Intelligence: A security vendor monitoring exploitation of the Java vulnerability notices infection rates in Asia are much higher than in the U.S. New strains of malware, which install code associated with a botnet command and control system on victim devices, are being observed in the wild. At the same time, a large financial institution has announced the acquisition of a number of smaller, regional banks, initiating an increase in their non-sufficient funds fee from $20 to $35 and thereby angering consumers. A number of hacktivist groups begin discussing a protest against the U.S. banking system on Twitter and other social media sites, promising to halt online transactions for a day at major institutions. One hacktivist Twitter account posts instructions for using botnet command and control software, which appears to be related to the botnet client code installed by the Java malware. Piecing these data points together leads to a clearer picture: U.S. banks are likely going to be targeted with a DDoS (Distributed Denial of Service) attack by a hacktivist group using botnets based on the Java vulnerability. Based on what is known about infection profiles, banks can expect the attacks to originate from Asian source IP addresses. This is threat intelligence: information gathered from a number of disparate sources, synthesized by human analysts to identify a specific threat to a specific target.

THE IMPORTANCE OF THREAT INTELLIGENCE IN INFORMATION SECURITY

There are four principal reasons threat intelligence is becoming recognized as a critical information security requirement:

Change in Cyberthreat Profiles: Organizations must defend against a dramatic shift in security threats and understand that the attack surface encompasses far more than a narrowly defined technical perimeter. Cyberthreat actors are no longer idiosyncratic or dissident individuals and groups. They now include nation-state actors or sponsored groups, as well as transnational organized crime groups with considerable resources, support and expertise at their disposal. Conversely, those tasked with defending organizations often have limited resources and budgets to mount an adequate defense, hence the asymmetric nature of the threat. The steady rise in documented data loss incidents provides evidence that recent attacks are increasingly successful. The following chart depicts the increasing number of documented attacks as identified by datalossdb.org/statistics.

[Figure: Number of attacks per year. Caption: The number of attacks increases almost every year.]

The Volume of Information Security Vulnerabilities: The sheer volume of data which information security personnel must analyze can be overwhelming. Organizations must react to a daily influx of vulnerabilities, zero-day threats, malware, exploit kits, botnets, Advanced Persistent Threats (APT) and targeted attacks. The number of Common Vulnerabilities and Exposures (CVEs) (web.nvd.nist.gov/view/vuln/statistics) identified every year for the last 15 years is shown in Figure 3 below; over 4,000 new security vulnerabilities have been identified annually since

[Figure 3: New vulnerabilities annually. Caption: The number of new vulnerabilities annually is almost unmanageable.]

The rate of malware identification has also increased in recent years, as shown in the following chart. Even a glance at the chart shows the dramatic rise in the amount of new malware identified annually since 2011 ( en/statistics/malware/).

[Figure: New malware identified per year. Caption: The amount of new malware isn't just rising. It is skyrocketing.]

Intelligence about threats targeted at an organization's environment can assist in the prioritization of remediation actions, so that mitigation efforts and resources are directed to the areas with the greatest need and defensive value.

Technology Growth and Usage Changes: The number of technologies in place at most organizations is dramatically higher than it was even two or three years ago. Bring Your Own Device (BYOD) initiatives, remote workers joining corporate networks via VPNs, pervasive wireless networking, and the increasing use of virtualization and cloud computing have all dramatically increased the technologies in use within typical organizational environments. New technologies don't typically replace legacy technologies; they are most often an addition, resulting in a net increase to the organization's attack surface and the vulnerabilities found within it. Homogeneous organizational networks with defined perimeters no longer exist. A heterogeneous, distributed user and technology base is the new standard. This new reality comes with more complexities and more potential risks.

Affordable Outsourcing of Threat Intelligence: As organizations face increasing risk and higher numbers of attacks from all the factors listed above, their resources can quickly get stretched thin. Fortunately, many vendors offer threat intelligence services to help these organizations better prepare for, defend against, and react faster to threats and attacks.

HOW ORGANIZATIONS ARE USING THREAT INTELLIGENCE

Every organization has different information security priorities, assets to protect, levels of expertise, and types of security technology in place. As a result, different organizations can have different perceptions, needs, and expectations of threat intelligence services. Factors influencing organizational threat intelligence needs include organization size, alignment with government entities and key verticals, the supply and information chain outside the firewall, and the sophistication of internal security resources. For example, organizations with limited public exposure, which do not store or transmit the types of data typically desired by attackers, are likely to have different threat intelligence needs than organizations which are highly visible in the public sphere, maintain highly desirable data, or are associated with controversial topics. And an international organization involved in highly political industries may require targeted intelligence on topics such as attacks from activist groups, attacks on competitors, high-profile conferences and events, and industrial espionage.

CONCLUSION

The terms intelligence, cyberintelligence and cyberthreat intelligence have been used extensively and interchangeably, and often incorrectly, in the information security community. They have been used quite inaccurately to describe automated data feed services or data which may be used to further identify and mitigate threats. However, the very specific nature of each of these terms builds on the fundamental understanding of what true intelligence is and how it is derived. It is important to align security industry terminology with that of the traditional intelligence community for a unified understanding. The traditional intelligence community has been managing threat intelligence information for a long time, and has had the opportunity to improve, if not perfect, the process. Industry should apply its lessons learned to maximize the effectiveness of a newer breed of cyberthreat intelligence. Changes to the cybersecurity landscape over the last several years have been the primary driver of the need for threat intelligence services. As organizations seek new sources of threat intelligence, they need to be aware of the different types of intelligence being delivered by the security industry.