Ask yourself: does your organisation collect threat information? How is this done? And is that information actually being used to assist in detecting and identifying a cyber threat or attack?
NIST (in SP 800-150, Guide to Cyber Threat Information Sharing) defines cyber threat information as "any information that can help an organization identify, assess, monitor, and respond to cyber threats. Examples of cyber threat information include indicators (system artifacts or observables associated with an attack), TTPs, security alerts, threat intelligence reports, and recommended security tool configurations. Most organizations already produce multiple types of cyber threat information that are available to share internally as part of their information technology and security operations efforts." (TTPs being tactics, techniques and procedures.)
Threat intelligence has been used as a marketing term by security vendors for some time now. In recent years many cyber security vendors have looked to monetise the intelligence gathered by their globally deployed assets. Organisations with the resources to purchase, ingest and utilise these feeds within their security operations have certainly gained much benefit from this intelligence gathering.
From a technical standpoint, the threat intelligence already embedded in each protective security layer (the signatures, reputation data and detection rules that ship inside firewalls, mail gateways and endpoint agents) shouldn't be discounted either. I won't delve into the merits of having a security program with multiple vendors in this post; we'll save that for another day!
So back on topic: organisations often forget (or neglect to notice) that intelligence is built on information, and that the information itself is the underlying raw material. Organisations of all sizes create plenty of information (some would say too much!). A cyber-aware organisation creates its own threat information via numerous means, be it personnel, partners and trusted advisors, or its own technology investments.
Traditionally SIEMs have done a decent job of collecting this information and using it intelligently. However, whilst technology clearly plays a large part in monitoring for and identifying cyber threats, organisations should also put internal processes and procedures in place to report, capture and utilise threat information that originates from non-technical sources. Basic workflows and standards across the organisation should funnel threat information to the applicable parties, who can in turn make it usable as intelligence.
Consider a number of attack scenarios and the contributions various parties within (and external to) an organisation can make to the early detection or identification of an incident.
If we look at a Denial of Service style attack, common indicators include:
- Unknown or unexpected incoming Internet traffic
- A sudden spike in the volume of inbound data
- Unknown or unidentified packets arriving from unknown senders
- Alerting from firewalls and intrusion detection systems
- Notification from outside organisations (ISP, business partners, third parties)
There are a number of parties that can collect and review this information and turn it into intelligence: the SOC (assuming the organisation has the resources), the NOC, IT infrastructure and operations teams, and external parties such as the Internet provider, third-party vendors and business partners.
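As an added example (not code from the original post), here is a small Python script that applies the first three indicators above to constructed flow records: it buckets inbound bytes per minute, compares each window with the median of the earlier windows, and reports how much of a spike came from addresses outside an assumed list of known partner ranges and on ports the host is not expected to serve. The sample records, the known-sender ranges and the expected ports are all assumptions made for the illustration.

```python
"""Spotting a volumetric spike from unknown senders in inbound flow records.

Added example with constructed sample data, not from any real network. The
known-sender ranges and the expected ports are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample records: "timestamp src_ip dst_ip dst_port bytes".
# Three quiet minutes of partner traffic, then a burst of large packets from
# addresses nobody has seen before, on a port the host does not serve.
SAMPLE_FLOWS = """\
2024-03-01T10:00:05 203.0.113.10 192.0.2.20 443 1200
2024-03-01T10:00:30 198.51.100.7 192.0.2.20 443 900
2024-03-01T10:01:10 203.0.113.10 192.0.2.20 443 1100
2024-03-01T10:01:45 198.51.100.7 192.0.2.20 443 1000
2024-03-01T10:02:03 203.0.113.10 192.0.2.20 443 1300
2024-03-01T10:02:50 198.51.100.7 192.0.2.20 443 800
2024-03-01T10:03:01 203.0.113.99 192.0.2.20 53 60000
2024-03-01T10:03:02 203.0.113.98 192.0.2.20 53 59000
2024-03-01T10:03:03 203.0.113.97 192.0.2.20 53 61000
2024-03-01T10:03:04 203.0.113.10 192.0.2.20 443 1200
"""

# Assumed: partner/customer ranges the NOC already recognises, and the ports
# the public-facing host is expected to serve.
KNOWN_SENDERS = [ip_network("198.51.100.0/24"), ip_network("203.0.113.10/32")]
EXPECTED_PORTS = {443}


def parse_flows(text):
    """Turn the whitespace-separated records into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "dst": dst,
            "port": int(port),
            "bytes": int(nbytes),
        })
    return flows


def is_known_sender(addr):
    """True if the source address falls inside a recognised partner range."""
    return any(addr in net for net in KNOWN_SENDERS)


def find_spikes(flows, factor=5.0, min_history=2):
    """Flag each one-minute window whose inbound byte total exceeds `factor`
    times the median of the preceding windows, and describe how much of that
    window came from unknown senders or hit unexpected ports."""
    per_minute = defaultdict(list)
    for f in flows:
        per_minute[f["ts"].replace(second=0, microsecond=0)].append(f)

    history = []    # byte totals of earlier windows, used as the baseline
    findings = []
    for minute, recs in sorted(per_minute.items()):
        total = sum(r["bytes"] for r in recs)
        if len(history) >= min_history:
            baseline = median(history)
            if baseline > 0 and total > factor * baseline:
                unknown = defaultdict(int)
                for r in recs:
                    if not is_known_sender(r["src"]):
                        unknown[str(r["src"])] += r["bytes"]
                findings.append({
                    "minute": minute.isoformat(),
                    "bytes": total,
                    "baseline": baseline,
                    "unknown_share": sum(unknown.values()) / total,
                    "top_unknown": sorted(unknown.items(), key=lambda kv: kv[1], reverse=True)[:3],
                    "unexpected_ports": sorted({r["port"] for r in recs} - EXPECTED_PORTS),
                })
        history.append(total)
    return findings


if __name__ == "__main__":
    for finding in find_spikes(parse_flows(SAMPLE_FLOWS)):
        print(finding)
```

The baseline is built only from windows that precede the one being judged, so a sustained flood does not quietly raise its own threshold; in a real deployment the history would be a rolling window over hours or days rather than the three minutes shown here, and the "known sender" list would come from the NOC's own partner and CDN ranges.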
If we look at the almost ubiquitous phishing / business email compromise scenarios, there are a number of indicators:
- Identification of spoofed email
- Emails that are non-returnable or non-deliverable (bounces for mail the organisation never sent suggest its domain is being spoofed)
- Notification from internal users of suspicious or fraudulent activity related to emails
- Notification from third parties of suspicious or fraudulent activity related to emails
- Emails containing links to external or unknown URLs
- Monitoring of the organisation's websites to identify attempts to copy web content or perform web scraping (a cloned site is often the landing page for a credential-harvesting campaign)
- Notifications from external users or customers of suspicious or fraudulent activity related to emails
- Notification from law enforcement of suspicious or fraudulent activity related to emails
- Emails returned by mail servers as identified
- Notification from the ISP of an increased amount of email or web traffic (ingress or egress)
Business users at the coalface can provide almost immediate feedback when their email address has been harvested and used in such a campaign. The business supply chain and various partners can also provide almost real-time feedback.
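As an added example (not code from the original post), the following Python script shows what the technical side of "identification of spoofed email" and "links to external or unknown URLs" looks like once a reported message reaches the team that triages it. It parses a raw message, compares the From domain with the envelope sender (Return-Path) and Reply-To domains, pulls out every URL whose host is not on a trusted list, and flags domains that borrow the organisation's own name. The two messages, the organisation domain `example.com` and the trusted-domain list are constructed assumptions.

```python
"""Pulling phishing/BEC indicators out of a raw email message.

Added example: both messages are constructed for illustration, and the
organisation's domain and trusted-domain list are assumptions.
"""
import re
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"                              # assumed: our own domain
KNOWN_DOMAINS = {"example.com", "partner.example.net"}  # assumed: trusted hosts
URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed message: the From header claims to be the CFO, but the envelope
# sender, the Reply-To and the payment link all point somewhere else.
SAMPLE_MESSAGE = b"""\
Return-Path: <bounce@mailer.example.org>
From: "Jane Doe, CFO" <jane.doe@example.com>
Reply-To: <jane.doe.cfo@example-invoices.org>
To: <accounts@example.com>
Subject: Urgent wire transfer
Content-Type: text/plain; charset=utf-8

Please process the attached invoice today.
Details: http://example-invoices.org/pay/7731
Our policy: https://intranet.example.com/policy
"""

# Constructed benign message for comparison: nothing should be flagged.
BENIGN_MESSAGE = b"""\
Return-Path: <jane.doe@example.com>
From: Jane Doe <jane.doe@example.com>
To: <accounts@example.com>
Subject: Policy reminder
Content-Type: text/plain; charset=utf-8

See https://intranet.example.com/policy before Friday.
"""


def domain_of(header):
    """Lowercased domain of the first address in a header ('' if absent)."""
    if header is None:
        return ""
    addrs = getattr(header, "addresses", None)   # set for From/Reply-To under policy.default
    addr = addrs[0].addr_spec if addrs else parseaddr(str(header))[1]
    return addr.rpartition("@")[2].lower()


def is_known(host):
    """True if host is one of the trusted domains or a subdomain of one."""
    host = (host or "").lower()
    return any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS)


def extract_indicators(raw):
    """Return the spoofing and link indicators found in one raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    from_domain = domain_of(msg["From"])
    envelope_domain = domain_of(msg["Return-Path"])
    reply_to_domain = domain_of(msg["Reply-To"])

    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    urls = URL_RE.findall(text)
    url_hosts = [urlparse(u).hostname or "" for u in urls]

    # Domains that are not trusted but reuse our first label ("example")
    org_label = ORG_DOMAIN.split(".")[0]
    candidates = [envelope_domain, reply_to_domain, *url_hosts]
    lookalikes = sorted({d for d in candidates if d and not is_known(d) and org_label in d})

    indicators = {
        "from_domain": from_domain,
        "envelope_mismatch": bool(envelope_domain) and envelope_domain != from_domain,
        "reply_to_mismatch": bool(reply_to_domain) and reply_to_domain != from_domain,
        "external_urls": sorted(u for u, h in zip(urls, url_hosts) if not is_known(h)),
        "lookalike_domains": lookalikes,
    }
    indicators["score"] = sum([
        indicators["envelope_mismatch"],
        indicators["reply_to_mismatch"],
        bool(indicators["external_urls"]),
        bool(lookalikes),
    ])
    return indicators


if __name__ == "__main__":
    print(extract_indicators(SAMPLE_MESSAGE))
    print(extract_indicators(BENIGN_MESSAGE))
```

A Return-Path or Reply-To that disagrees with the From header is not proof of fraud on its own (mailing-list software and marketing platforms do this legitimately), which is why the script reports each indicator separately and leaves the weighting to whoever triages the report; it is also where the SPF/DKIM/DMARC results carried in the Authentication-Results header would normally be read.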
Ensuring that an organisation can freely share threat information with the relevant parties (and systems) in a timely manner makes a huge difference to detection and incident response activities. These processes and procedures need not be onerous, costly or cumbersome, but every organisation should be aware of the value they add.