INTRODUCTION

The most disruptive change to the IT security industry was ignited on February 18, 2013, when a breach response company published the first research that pinned responsibility for Advanced Persistent Threats on a branch of the Chinese PLA. [1] In addition to clearly pointing the finger at the threat actors, the APT1 report included an addendum of 3,000 Indicators of Compromise (IoCs): IP addresses, domains, and MD5 hashes of files associated with the attackers. End users could download the file and begin the arduous task of forensic analysis required to determine whether they too had been targeted by the Comment Crew.

This one APT report seems to have launched a market. We now have dozens of companies that have either pivoted to threat intelligence research, consumption, and response, or have been newly formed to do so. In two short years a threat intelligence ecosystem has risen. And, predictably, this has led to information overload for those who must consume the threat data and determine which threats are important, which require additional research, and which justify specific action. This report identifies eight key criteria that are required in a Threat Intelligence Management platform.

[Sidebar] BrightPoint Security Sentinel: Actionable Threat Intelligence. Now.
- Easy to install and deploy VM threat intelligence platform
- Support for 25+ open source threat intelligence feeds
- Enriches from commercial threat data feeds including Flashpoint, VirusTotal, and Webroot
- Automated ingestion of STIX/TAXII and publish out
- Supports all major SIEMs and log management tools
- Automated enrichment of threat data based on data behind your perimeter defenses
- Local IoC repository for reporting, trending, and visualization
- Real-time threat intelligence information sharing based on configurable policies via BrightPoint Security Trusted Circles
- Extensible with RESTful API, including workflow

The Nascent Threat Intelligence Ecosystem

There are now thousands of sources of threat intelligence.
Companies have sprung up to research malware, network attacks, chatter on hacker fora, and the identities of the threat actors themselves. These research firms, coupled with government sources, open source intel providers, and feeds from many security product vendors, publish their findings, often for a fee, via threat streams, PDFs, and email alerts. Some government agencies even fax lists of IoCs to organizations they believe are being targeted.

IoCs take many forms. They can be IP addresses of servers known to host spam bots, or addresses of Command and Control (C2) servers. Domains, email addresses, and fingerprints of malware or suspect files are also included. Malware researchers operate vast numbers of email boxes (spam traps) and honeypots to cast a wide enough net to capture as many samples as possible. They use a combination of automated and manual analysis to extract IoCs, often by detonating malware samples in a sandbox environment that is instrumented to detect unusual behavior and communication with C2 servers.

2015 IT-Harvest 1
Other threat researchers collect data from hacker fora, IRC, social media, and Pastebin-style repositories. Several firms employ former cyber law enforcement agents to infiltrate hacker groups; they even attend hacker meet-ups in person, and can alert their customers when their brand is being targeted. There are open source groups collecting this data as well as commercial services.

Regardless of the model, they seek to provide their data in a usable format. IP addresses are relatively easy to add to firewall policies and IPS signatures for blocking or alerting. MD5 hashes, the common way of fingerprinting files, are harder to make good use of: matching them requires visibility into file contents on endpoints or in network traffic, and a hash matches only that exact file, so a recompiled or repacked sample evades it. (MD5 is also no longer collision resistant, which is why feeds increasingly carry SHA-1 and SHA-256 hashes alongside it.) Network monitors and endpoint solutions can match fingerprints and raise an alert when a match is made: a sighting. Practically every security solution, from firewalls to IPS/IDS, endpoint security, and SIEM data aggregation, is striving to ingest threat intelligence data.

Many organizations contribute their own threat intelligence data, derived from their own sensors, back to a community of trusted partners. Information Sharing and Analysis Centers (ISACs) have been formed for many sectors, including Financial Services (FS-ISAC) and Industrial Control Systems (ICS-ISAC). The Defense Industrial Base (DIB) has one of the most mature information sharing facilities. An Executive Order was issued on February 13, 2015 to encourage Information Sharing and Analysis Organizations (ISAOs). [3][4] On top of formalized sharing mechanisms, many loosely affiliated groups share threat intelligence via email or private web sites, even if it is just a group of CISOs or interested parties in a LinkedIn group. Not only do organizations have to manage the inflow of threat intelligence they get from multiple sources, they also have to manage which information they share with several trusted communities.
Threat Intelligence Management (TIM) solutions are being deployed to solve the data overload problem, reduce the time to detect a breach in progress, maximize the value of an organization's existing cyber defenses, and benefit from information sharing. The eight criteria below are what such a platform must provide.
1. Ingest Threat Feeds (both structured and unstructured)

There are dozens of free threat feeds available. [5] There are also at least two dozen subscription-based feeds from security vendors and research companies. Some threat feeds use OpenIOC and many are transitioning to STIX over TAXII, but some, especially the free sites, still provide data via email (the most prevalent), HTML, or an RSS feed. A TIM solution must be easily configurable to accept new feeds.

In addition to formatted feeds, many sources of threat information are unstructured. It could be a phishing email forwarded by an alert employee or a partner. Many government agencies, be it the FBI, the Treasury Department, or DHS, provide data in emails, PDFs, or even faxes. A TIM should make it easy to ingest these types of unstructured intelligence: csv, pdf, txt, text, log, xlsx, xls, doc, docx, ppt, and pptx, to name a few (and custom formats too).

STIX, the Structured Threat Information eXpression, is an open standard maintained by the MITRE Corporation. The STIX language is intended to convey the full range of potential cyber threat information. It is transported via TAXII, the Trusted Automated eXchange of Indicator Information protocol. [2]

2. Normalization and De-duplication

With multiple sources comes duplication: the same IP address, domain, or hash arrives from several feeds, in several formats, sometimes defanged (hxxp://, [.]) or differently cased. The TIM should normalize indicators to a canonical form and de-duplicate them across sources, while keeping a record of every source that reported each one, since corroboration by multiple sources is itself useful context.

3. Two-way Communication (via standard formats)

Just as consuming threat intelligence in formats such as OpenIOC and STIX is important, a TIM must be able to generate and transmit intelligence in formats readable by other solutions.

4. Integrate with Internal Resources

Most organizations already have a plethora of security tools. Security Information and Event Management (SIEM) solutions are often the primary dashboard that analysts use to prioritize their workloads. The TIM should work with the SIEM to identify sightings of IoCs and generate alerts that can be consumed by the SIEM.
As the technology matures, firewalls and IPS devices will look to the TIM to deploy proactive defenses such as block lists derived from the indicator repository.
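To make the ingestion, normalization, de-duplication and re-export steps of criteria 1 to 3 concrete, here is an added example in Python. It is not BrightPoint's or IT-Harvest's code. The three feeds (a CSV feed, a JSON feed with different field names, and an unstructured partner email with defanged indicators) are constructed samples, and their field names, the source labels, and the defanging conventions it undoes are assumptions about what typical feeds look like. The export step uses STIX 2.1 indicator pattern syntax, which postdates this 2015 paper but is the current form of the standard; the STIX 1.x XML in use in 2015 would carry the same values in a different envelope.

```python
"""Ingest, normalize and de-duplicate indicators from heterogeneous feeds.

Added example, not BrightPoint or IT-Harvest code. All three feeds are
constructed samples; their field names, source labels and the defanging
conventions (hxxp://, [.]) are assumptions about what real feeds look like.
"""
import csv
import io
import ipaddress
import json
import re
from collections import OrderedDict

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> algorithm

# Constructed feed 1: CSV with a header row. The "type" column is ignored on
# purpose: we classify the value ourselves rather than trust the feed's label.
FEED_CSV = """indicator,type,first_seen
198.51.100.7,ip,2015-03-01
evil-updates.example,domain,2015-03-02
d41d8cd98f00b204e9800998ecf8427e,md5,2015-03-02
"""

# Constructed feed 2: JSON with different field names and upper-case values.
FEED_JSON = json.dumps({"observables": [
    {"value": "EVIL-UPDATES.EXAMPLE", "kind": "fqdn"},
    {"value": "203.0.113.25", "kind": "ipv4"},
    {"value": "D41D8CD98F00B204E9800998ECF8427E", "kind": "hash"},
]})

# Constructed feed 3: an unstructured email from a partner, with defanged IoCs.
FEED_EMAIL = """From: partner-soc@example.net
Subject: FW: suspicious activity

We saw beaconing to hxxp://evil-updates[.]example/gate.php from several hosts.
The C2 IP was 198.51.100.7 and the dropper hash is
3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b.
"""


def refang(text):
    """Undo common defanging so the same indicator compares equal across sources."""
    for defanged, real in (("hxxps://", "https://"), ("hxxp://", "http://"),
                           ("[.]", "."), ("(.)", "."), ("[:]", ":")):
        text = text.replace(defanged, real)
    return text


def classify(raw):
    """Return (type, canonical value), or None if the string is not a usable IoC."""
    value = refang(raw.strip()).rstrip(".,;")
    try:
        return "ipv4", str(ipaddress.IPv4Address(value))
    except ipaddress.AddressValueError:
        pass
    low = value.lower()
    if len(low) in HASH_TYPES and re.fullmatch(r"[0-9a-f]+", low):
        return HASH_TYPES[len(low)], low
    if re.fullmatch(r"https?://\S+", low):
        return "url", low
    if re.fullmatch(r"([a-z0-9-]+\.)+[a-z]{2,}", low):
        return "domain", low
    return None


def parse_csv_feed(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        yield row["indicator"], source, row.get("first_seen")


def parse_json_feed(text, source):
    for obs in json.loads(text)["observables"]:
        yield obs["value"], source, None


def parse_text_feed(text, source):
    # Unstructured source: every whitespace-separated token is a candidate.
    for token in text.split():
        yield token, source, None


def ingest(feeds):
    """feeds: iterable of (parser, text, source_name). Returns an ordered dict
    keyed by (type, value) whose records merge the sources that reported them."""
    repo = OrderedDict()
    for parser, text, source in feeds:
        for raw, src, first_seen in parser(text, source):
            key = classify(raw)
            if key is None:
                continue
            rec = repo.setdefault(key, {"type": key[0], "value": key[1],
                                        "sources": [], "first_seen": None})
            if src not in rec["sources"]:
                rec["sources"].append(src)  # de-duplicate, but keep provenance
            if first_seen and (rec["first_seen"] is None or first_seen < rec["first_seen"]):
                rec["first_seen"] = first_seen
    return repo


# STIX 2.1 pattern templates (STIX 2 postdates this paper; shown as the current form).
STIX_PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "sha1": "[file:hashes.'SHA-1' = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def to_stix_patterns(repo):
    """Emit one STIX indicator pattern per de-duplicated record (criterion 3)."""
    return [STIX_PATTERNS[r["type"]].format(v=r["value"].replace("'", "\\'"))
            for r in repo.values()]


def run_demo():
    return ingest([(parse_csv_feed, FEED_CSV, "vendor-csv"),
                   (parse_json_feed, FEED_JSON, "vendor-json"),
                   (parse_text_feed, FEED_EMAIL, "partner-email")])


if __name__ == "__main__":
    repo = run_demo()
    for rec in repo.values():
        print(rec)
    print("\n".join(to_stix_patterns(repo)))
```

Nine raw indicators come in and six records come out: the C2 address, the domain, and the MD5 each arrive from two sources and are merged into one record that lists both. Classifying by value rather than by the feed's own type label is deliberate; feeds disagree on labels, and a hash is recognized by its length and alphabet regardless of what a source called it.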
5. Sharing with Trusted Groups

Information sharing has to support two-way communication. One of the most powerful capabilities of a TIM is sharing threat intelligence with trusted groups. In a large organization these could be separate business units or departments. Even more valuable is the ability to query members of a trusted group, in an automated, attributed or non-attributed way, to discover whether they too have had sightings of particular IoCs. (Filtering out sightings that have been classified as false positives is a required step to reduce noise, both locally and before anything is shared.) If everyone sees the same malware or attacking hosts, that could indicate a widespread campaign targeting an industry segment. If nobody else in the group has sightings, that may indicate a highly targeted campaign against your organization is in progress.

6. Visualization

An effective tool must present data in an easy-to-understand manner, with source references that show who reported an IoC, what it is, and where it is being seen in my environment. Using that visualization, and enabling the analyst to pivot through the data to explore other relevant information about the threat, will quickly inform the analyst.

7. Context Addition

There are many sources of contextual data that can help determine the criticality of any match to an IoC. Access control systems can provide data on user logins. Geolocation data and time of day can provide further insight into an attacker's location. Other sources of enrichment for IoC data include WHOIS lookups, domain registration records and histories, and IP and web address reputation.

8. Flexible and Extensible

Finally, a TIM must be designed to be flexible and extensible to accommodate future developments in a rapidly changing ecosystem. Not only are threat actors evolving their methodologies, which in the future could extend to physical breaking and entering, blackmail, and bribery, but the number of tools and vendors is skyrocketing.
Workflow in many organizations is coordinated through a ticketing system. Sightings and indications of a breach should flow through to the ticketing system and be integrated with the incident response workflow. A RESTful API ensures a simple means of integration with systems and tools that are not foreseen today.

While not present today, the future of Threat Intelligence Management tools will include tagging, grouping, and campaigns. The concept of campaigns is derived from the leading cyber defense practitioners, mostly in the Defense Industrial Base, who group related IoCs and tag them with campaign names. By tracking campaigns they are able to monitor the progress of attackers as they evolve their techniques. This gives the defender an opportunity to increase their watchfulness and ensure they can react if the attackers step up their exploit techniques.
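The following is an added example in Python, again not BrightPoint's or IT-Harvest's code, that ties criteria 4 and 5 to the campaign idea just described: it matches a small indicator repository against local log lines to produce sightings a SIEM could consume, skips indicators an analyst has already cleared as false positives, answers a trusted-group "have you seen these?" query with or without attribution, and rolls the sightings up by campaign tag. The indicator values, campaign names, false-positive list, organization name and log lines are all constructed; the log layout and the key=value SIEM event format are assumptions, not any product's format.

```python
"""Match a local indicator repository against logs, suppress cleared false
positives, answer a trusted-group query and roll sightings up by campaign.

Added example, not BrightPoint or IT-Harvest code. Indicators, false-positive
list, campaign tags, organization name and log lines are constructed samples;
the log layout and the key=value SIEM event format are assumptions.
"""
import re
from collections import defaultdict

# Constructed indicator repository: value -> metadata.
INDICATORS = {
    "198.51.100.7": {"type": "ipv4", "campaign": "CAMPAIGN-A", "source": "vendor-csv"},
    "evil-updates.example": {"type": "domain", "campaign": "CAMPAIGN-A", "source": "partner-email"},
    "203.0.113.25": {"type": "ipv4", "campaign": "CAMPAIGN-B", "source": "vendor-json"},
    "8.8.8.8": {"type": "ipv4", "campaign": None, "source": "noisy-feed"},
}

# Indicators an analyst investigated and classified as false positives locally
# (here, a public resolver that a noisy feed listed; constructed case).
FALSE_POSITIVES = {"8.8.8.8"}

# Constructed log lines. Assumed layout: "<timestamp> <logtype> <host> <user> <destination>".
# The last line is a near-miss (198.51.100.77) that a naive substring match would hit.
LOGS = """2015-03-03T09:12:01Z proxy ws-1042 jdoe http://evil-updates.example/gate.php
2015-03-03T09:12:07Z dns ws-1042 jdoe evil-updates.example
2015-03-03T09:15:44Z fw ws-0077 mlee 198.51.100.7:443
2015-03-03T09:16:02Z dns ws-0077 mlee 8.8.8.8
2015-03-03T10:02:13Z proxy ws-0203 rkim http://cdn.example/static.js
2015-03-03T10:05:51Z fw ws-0203 rkim 198.51.100.77:443
"""


def compile_indicators(indicators, false_positives):
    """One anchored regex per live indicator. The lookarounds reject substring
    hits such as 198.51.100.7 inside 198.51.100.77 or a longer domain."""
    compiled = []
    for value, meta in indicators.items():
        if value in false_positives:
            continue  # cleared locally: do not generate noise from it
        pattern = re.compile(r"(?<![\w.-])" + re.escape(value) + r"(?![\w.-])", re.IGNORECASE)
        compiled.append((value, meta, pattern))
    return compiled


def find_sightings(log_text, compiled):
    """Scan the destination field of each log line and emit one sighting per hit."""
    sightings = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, logtype, host, user, dest = fields[:5]
        for value, meta, pattern in compiled:
            if pattern.search(dest):
                sightings.append({"ts": ts, "log": logtype, "host": host, "user": user,
                                  "indicator": value, "type": meta["type"],
                                  "campaign": meta["campaign"], "source": meta["source"]})
    return sightings


def to_siem_events(sightings):
    """Render sightings as key=value lines for a SIEM to ingest (assumed format)."""
    return [" ".join(f"{k}={v}" for k, v in s.items()) for s in sightings]


def by_campaign(sightings):
    """Group sightings under their campaign tag so the analyst sees the campaign,
    with affected hosts and indicators, rather than a flat list of hits."""
    summary = defaultdict(lambda: {"sightings": 0, "hosts": set(), "indicators": set()})
    for s in sightings:
        entry = summary[s["campaign"] or "untagged"]
        entry["sightings"] += 1
        entry["hosts"].add(s["host"])
        entry["indicators"].add(s["indicator"])
    return dict(summary)


def answer_group_query(values, sightings, org="acme-corp", attributed=False):
    """Reply to a trusted-group query "have you seen these?" with counts only;
    the responder is named only when sharing policy allows attribution."""
    counts = {v: sum(1 for s in sightings if s["indicator"] == v) for v in values}
    return {"responder": org if attributed else None, "counts": counts}


def run_demo():
    return find_sightings(LOGS, compile_indicators(INDICATORS, FALSE_POSITIVES))


if __name__ == "__main__":
    hits = run_demo()
    print("\n".join(to_siem_events(hits)))
    print(by_campaign(hits))
    print(answer_group_query(["198.51.100.7", "203.0.113.25"], hits))
```

Six log lines yield three sightings, all under CAMPAIGN-A and spanning two hosts; the cleared resolver produces nothing, and the near-miss address on the last line is correctly ignored. The group-query reply carries only counts, so a non-attributed answer reveals that someone in the group has seen the C2 address without saying who.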
SUMMARY

To counter modern targeted attacks, organizations have to adapt by deploying new technology, changing processes, and even reorganizing. New skills are needed to see attacks in progress and react quickly. IT-Harvest published research predicts growth in spending of 24% annually and a total industry size of $640 billion by 2023. The disruption caused by new technologies and new organizational demands will be accompanied by information overload in the threat intelligence space. Getting control of, and extracting value from, threat intelligence today is the best investment in advanced security capability.

REFERENCES

1. Mandiant APT1 Report. http://intelreport.mandiant.com/
2. MITRE STIX and TAXII page. https://stix.mitre.org/
3. Executive Order Promoting Private Sector Cybersecurity Information Sharing. https://www.whitehouse.gov/the-press-office/2015/02/13/executive-order-promoting-private-sector-cybersecurity-information-shari
4. DHS Information Sharing and Analysis Organizations. http://www.dhs.gov/isao
5. Cyber Threat Intelligence Feeds List. http://thecyberthreat.com/cyber-threat-intelligence-feeds/