Cyber Defense Magazine recently published the following article by Dennis Lee, Territory Manager North America at Blueliv.
Organizations are finding themselves in a world where having defensive controls like a firewall, secure datacenter and stringent security policies is simply not enough. In 2014, we’ve seen companies like JP Morgan Chase, Sony Pictures and eBay pour millions into security programs, yet they still suffered from devastating and very public security incidents.
These organizations, both private and public, are tired of deploying layers of defenses and waiting for an attack. They want to take action and stop cybercriminals and state-sponsored hackers by looking beyond their own network.
One of the first steps in enabling an actionable security program is to use Cyber Threat Intelligence to uncover threats that are lurking in the shadows. This can be accomplished by:
• Acquiring raw feeds from the Government and other private organizations.
• Knowledge sharing with other Information Security teams in your industry.
Unfortunately, this leads to too much data, which becomes difficult to manage and ultimately non-actionable. The solution is to use a Cyber Threat Intelligence platform that can identify cyber threats targeted at your organization in real time.
Let’s explore the types of threat intelligence that are essential to know by looking at one of my customers, a Global Life and Financial services entity. Let’s call them XYZ Corp.
Entities need to identify the bad cyber actors that threaten them. Many of these actors operate command-and-control servers that issue commands to botnets. Botnets can passively wait in silence or actively wreak havoc by:
• Launching dynamic and unpredictable DDoS attacks.
• Conducting large-scale e-mail spam campaigns.
• Serving as collection points for stolen data.
XYZ Corp can take action by:
• Initiating a botnet takedown to eliminate or paralyze criminal networks.
• Feeding the botnet large amounts of false and unreliable data.
• Recovering stolen data such as compromised passwords, credentials, credit card numbers, documents and much more. Afterwards, the entity can remediate the exposure.
• Proactively blocking, tracking and monitoring a list of known crime servers.
Organizations should be aware of what’s being posted on social media sites, on websites known for sharing stolen data, and in operations conducted by Hacktivist groups. XYZ Corp closely monitors this by analyzing the real-time alerts and reports generated when keywords they specify are triggered.
For example, an alert is sent when a Hacktivist group like Anonymous uses Pastebin to expose information about XYZ Corp such as:
• Credentials to servers and websites.
• Personal details about corporate executives and officers.
• Trade secrets and other documents.
Organizations can also track campaigns such as #OpRemember, which recently used Facebook, Twitter and Pastebin to coordinate cyber-attacks against dozens of companies in the financial sector. Stolen data has been posted daily under #OpRemember since it went live in November 2014. Organizations can take action by following established procedures to have the stolen data removed and by triggering internal forensic investigations to limit further data loss.
There’s seemingly little you can do today about hacktivists threatening or openly coordinating an attack against your organization. The unpleasant truth is that they have probably already breached your environment. However, intelligence provides the early warning needed to prepare and, hopefully, to locate any previously undetected vulnerabilities and exposure.
Brand Abuse Monitoring
XYZ Corp tracks brand abuse, which can damage its reputation by putting its employees, customers and others at risk. For years, Internet users have known that misspelling the address of a popular website probably meant being sent to a malicious website. Criminals now use a combination of social engineering and spear phishing tactics to lure users into visiting malicious websites designed to steal information.
Cybersquatting and phishing websites designed to look like your brand can be identified using threat intelligence. Once discovered, an entity can take action by:
• Releasing public or private notices alerting users to the threat.
• Initiating legal procedures to take control of domain ownership.
• Blocking access to malicious websites using URL filters.
• Reporting URLs to anti-phishing companies.
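The cybersquatting detection described above can be approximated in-house by generating the lookalike variants of your own brand domain (omission, transposition, repetition, homoglyph, hyphenation, common suffixes and TLD swaps) and matching newly observed domains against them. This is an added example for illustration, not Blueliv's or XYZ Corp's code; the brand domain and the observed domains are constructed, not real registrations.

```python
# Constructed example: the brand domain we monitor and a sample of newly
# observed domains (hypothetical values, not real registrations).
BRAND = "xyzcorp.com"
OBSERVED = [
    "xyzcorp.com", "xyzc0rp.com", "xyzcrop.com", "xyzcorp.net",
    "xyz-corp.com", "xyzcorp-login.com", "example.org", "xyzzcorp.com",
]
# Characters attackers commonly swap for visually similar ones.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
TLDS = ["com", "net", "org", "co", "info"]


def lookalikes(domain):
    """Generate common typosquat / cybersquat variants of a brand domain."""
    label, _, _tld = domain.partition(".")
    out = set()
    # omission: drop one character
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])
    # transposition: swap two adjacent characters
    for i in range(len(label) - 1):
        out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    # repetition: double one character
    for i in range(len(label)):
        out.add(label[:i] + label[i] + label[i:])
    # homoglyph substitution
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:])
    # hyphenation inside the label, and "brand-suffix" forms seen in phishing
    for i in range(1, len(label)):
        out.add(label[:i] + "-" + label[i:])
    for suffix in ("login", "secure", "support"):
        out.add(f"{label}-{suffix}")
    # every variant (and the unchanged label) across the TLDs we care about
    return {f"{v}.{t}" for v in out | {label} for t in TLDS} - {domain}


def find_squats(domain, observed):
    """Return observed domains that match a generated lookalike variant."""
    candidates = lookalikes(domain)
    return sorted(d for d in observed if d in candidates)


if __name__ == "__main__":
    for d in find_squats(BRAND, OBSERVED):
        print("possible brand abuse:", d)
```

The matches are candidates for the notice, takedown, URL-filter and anti-phishing reporting steps listed above; a production feed would also carry registration dates and hosting data to prioritize them.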
With the rise of mobile computing, rogue mobile apps purporting to be associated with an organization are a real threat. XYZ Corp found numerous apps that used its company name and logo available on several app stores. An investigation concluded that the apps weren’t actually harmful scamware in this particular incident. However, do you really want an app out there that could pose a potential liability?
• A future update to the application could reveal its true criminal intent.
• Your customer service line may receive calls regarding the application.
XYZ Corp learned of the existence of these apps through Mobile App Monitoring intelligence and took action by having them removed from the app stores.
The industry has seen malware spread stealthily and harmlessly, in some cases for years, until it found its way into a target’s environment.
Unfortunately, antivirus products don’t offer enough protection, because the existence of these threats remains unknown until it’s too late. Malware threat intelligence allows organizations to proactively identify these threats. This is accomplished when malware analysis or reversing discovers parameters associated with an entity, such as its:
• Domain name and Domain SID
• Internal IP addresses and IP ranges
• Network naming conventions
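The matching step behind this kind of targeted-malware intelligence can be shown concretely: strings extracted from a sample are checked against an entity profile holding its domain names, Domain SID, internal IP ranges and hostname naming convention. This is an added illustration, not Blueliv's or XYZ Corp's code; the profile values and the extracted strings are constructed, not real infrastructure or a real sample.

```python
import ipaddress
import re

# Constructed profile of "XYZ Corp" (hypothetical values, not real infrastructure).
PROFILE = {
    "domains": ["xyzcorp.com", "corp.xyzcorp.local"],
    "domain_sid": "S-1-5-21-1111111111-2222222222-3333333333",
    "ip_ranges": [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("192.168.50.0/24")],
    # naming convention: site code, role, three digits, e.g. NYC-DC-001
    "host_pattern": re.compile(r"\b[A-Z]{3}-(?:DC|FS|WS)-\d{3}\b"),
}

# Constructed strings, as a `strings`-style tool might extract from a sample.
SAMPLE_STRINGS = [
    "GET /update.php HTTP/1.1",
    "10.20.4.17",
    "8.8.8.8",
    "S-1-5-21-1111111111-2222222222-3333333333-512",
    "\\\\NYC-FS-002\\share\\payroll",
    "corp.xyzcorp.local",
    "kernel32.dll",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def match_entity(strings, profile):
    """Return (string, reason) pairs where a sample string references the entity."""
    hits = []
    for s in strings:
        low = s.lower()
        if any(d in low for d in profile["domains"]):
            hits.append((s, "domain"))
        elif s.startswith(profile["domain_sid"]):   # domain SID prefix, any RID
            hits.append((s, "domain_sid"))
        elif profile["host_pattern"].search(s):
            hits.append((s, "hostname"))
        else:
            # any embedded IPv4 literal that falls inside an internal range
            for token in IPV4.findall(s):
                try:
                    ip = ipaddress.ip_address(token)
                except ValueError:
                    continue
                if any(ip in net for net in profile["ip_ranges"]):
                    hits.append((s, "internal_ip"))
                    break
    return hits
```

A hit on any of these parameters is strong evidence the sample was built for this entity, which is the trigger for the law enforcement and vendor engagement described next.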
An entity can work with law enforcement to try to locate those who benefit from the malware in order to take legal action. The entity can also work with security software companies to make the threat recognizable to their products.
In 2014, we all witnessed or fell victim to some of the most sophisticated cyber-attacks ever seen. These attacks brought large organizations and governments to their knees and subsequently caused billions of dollars in damage.
Threat intelligence is no longer just a military approach. Companies, small and large, should seek timely, high-quality insight and actionable intelligence for protecting their assets.
The days of being blind to external threats are over. It’s time to take action: follow XYZ Corp and contact companies like Blueliv to obtain Cyber Threat Intelligence. The platform addresses botnets, command & control, targeted malware, credit card theft, rogue mobile apps, hacktivism, data leakage, phishing, cybersquatting, brand abuse, and much more, turning global threat data into predictive, actionable intelligence specifically for each enterprise and the unique threats it faces.
Dennis Lee, Territory Manager North America