
From Chasing Risk Lists to ASN Policies: Large-Scale Analysis of Risky Internet Activity
Recorded Future


Executive Summary

Security professionals have the mandate to protect their networks from communication with malicious traffic. There is a clear understanding that some elements of the internet are more malicious than others. For example, we might assume that traffic from certain countries seems more suspicious than others, and that some hosting infrastructures are more likely to be compromised. In this research we explored three different approaches to assessing general areas of IP address risk across the internet. This understanding is a critical first step in setting network controls that can protect an organization’s infrastructure beyond blindly adopting IP blocklists, which are rapidly becoming obsolete.

Specific approaches we used for this research include:

  • Ranking autonomous system numbers (ASNs) and associated countries based on the total number of risky IPs contained in the ASN: 22% of the world’s most risky IPs are in Chinese ASNs.
  • Determining the most risky ASNs based on the percentage of risky IP addresses they contain: Three ASNs have risk-related content for 100% of their IP addresses.
  • Analyzing rankings based only on those IPs explicitly associated with command and control (C2) malware infrastructure: 37% of C2 related IP addresses are on U.S. ASNs.

In our final analysis step, we examined newly emerging risky IP addresses and determined that newly risky IP addresses continue to emerge from clearly compromised ASNs, and can safely be blocked proactively without having to wait for others to add them to any current IP blacklist.

While it is trivial to implement traffic restrictions based on geolocation or autonomous system membership, the challenge is in determining what to block. Network security teams need principled approaches to establish blocking rules that balance an understanding of risk against the legitimate business needs associated with different IP neighborhoods. Blocking individual IP addresses is difficult because thousands of legitimate domains may resolve to a single IP.

These data-driven approaches, based on large-scale historical threat data, can alert security teams to ASNs and to geographic regions that typically contain risky IPs and support risk/benefit analysis of certain sources of network traffic.

Background

For purposes of routing internet traffic, IP addresses are organized into autonomous systems, each containing one or more contiguous blocks of IP addresses. When we performed this analysis, there were 57,676 distinct AS numbers (ASNs are identifiers for individual autonomous systems) and 260,307 IP address subnets mapped to these ASNs. For example, AT&T Services owns AS7018 and manages 2,095 subnets, including 99.51.88.0 to 99.129.19.255 and 108.193.22.0 to 108.228.255.255.

To investigate the risk of ASNs and associated countries, we used a comprehensive risk list of IPs containing four million IPs that have current and/or historical risk. This risk list is based on applying over 40 individual risk rules to assess levels of IP addresses between “Unusual” and “Very Malicious.”

These rules range from, “we’ve previously observed this IP address misconfigured as an open proxy” (Unusual), to “This IP address is currently reported to be a command and control (C2) server” (Very Malicious). We aggregate all of the risk information for an individual IP address to generate an overall score. The current risk list, updated in real time as new risk content emerges, scores IP addresses from 5 to 99.

ASNs Ranked by Individual IP Risk Score

We aggregated risky IPs across all 26,581 ASNs that had one or more risk-scored IP address. We then grouped the risky IPs by the country associated with the ASN to show the top 20 countries below. The circles in this plot are colored by the overall percentage of risky IPs relative to all IP addresses associated with ASNs in the country. This value ranges from 0.03% for Japan to 1.58% for Venezuela.

Top 20 Countries With Risky IPs

Risk associated with China dominates the map. Perhaps surprisingly, the cluster of Asian countries made up of Korea, Taiwan, Thailand, Indonesia, Vietnam, and India has twice as many risky IP addresses as Russia and Ukraine. Brazil alone has 20% more risky IP addresses than Russia. Also notable is that, after China, the second-ranking country in IP riskiness is the United States, although those risky IPs are spread across 360% more total IP addresses than are associated with China.

We took a deeper look at the top ASNs in terms of number of risky IPs below:

AS Name | Country | AS Number | Number of Risk-Scored IPs | Total IPs in ASN
Chinanet | China | AS4134 | 412,207 | 106,560,480
CNCGROUP China169 Backbone | China | AS4837 | 250,878 | 55,091,968
Data Communication Business Group | Taiwan | AS3462 | 99,538 | 12,277,760
CANTV Servicios, Venezuela | Venezuela | AS8048 | 74,573 | 2,917,888
CLARO S.A. | Brazil | AS28573 | 68,844 | 9,391,104
PJSC Rostelecom | Russia | AS12389 | 59,743 | 5,702,144
VNPT Corp | Vietnam | AS45899 | 50,251 | 5,728,576
PT Telekomunikasi Indonesia | Indonesia | AS17974 | 45,559 | 3,682,032
National Internet Backbone | India | AS9829 | 42,259 | 6,135,038
TELEFÔNICA BRASIL S.A | Brazil | AS18881 | 40,890 | 4,308,992

The ASNs with the most risky IPs are the first and fourth largest ASNs in the world: Chinanet and the China169 Backbone, with more risky IPs than the rest of the top ten combined. These two Chinese ASNs, operated by the state-owned entities China Telecommunications Company and China Unicom, are unique in being both so large and having so many risk-related IPs. In contrast, the next largest ASN on this top ten list is Taiwan’s Data Communication Business Group which is “only” the 34th largest ASN.

Looking around the globe at ASNs with risky IPs, the riskiest European ASNs belong to Turk Telekom (#11) and French provider OVH (#15). Despite the familiarity of Nigerian email scams, African ASNs are relatively underrepresented, with the top rankings going to Egypt's TE Data (#32) and Telecom Algeria (#81). The top U.S. ASNs are Amazon (#21) and Digital Ocean (#25).

We took note of the fact that the overall number of risky IPs in the U.S. is quite large, despite not having any individual ASNs of highest-volume riskiness. To understand this, note that in China, where the internet is highly controlled and the largest providers are state owned, there are only 580 ASNs and the bulk of the associated IP addresses are concentrated in the largest ASNs, such as Chinanet. In contrast, there are over 16,000 ASNs in the U.S., and while none manage as many IPs as Chinanet, there are more “large” ASNs in the U.S. than in China, allowing risk to be more distributed across U.S.-based ASNs.

Ranking ASNs by Percentage of Risky IPs

For companies with a significant international presence, assessing risk at the country level, or at the level of very large ASNs that also contain large numbers of legitimate IP addresses, is likely too crude an approach. Another way to assess ASNs is by the percentage of the IP addresses they contain that are risky. Chinanet has by far the most risky individual IP addresses, but it also manages the world’s largest AS with over 100 million IP addresses. Its ~400,000 risky IPs are a relatively small percentage (0.4%) of the entire IP address space of the AS.

In contrast, if we consider ASNs where the largest percentage of associated IPs are risky, it is easier to make assessments of the entire ASN based on riskiness. We considered the 1,377 ASNs with more than 200 risky IPs and classified the 203 with a percent riskiness of 2% or higher, which span 57 countries. Below, we show the countries with three or more “high-risk” ASNs:

Countries With 3 or More High-Risk ASNs

We consider ASNs with these levels of riskiness to be potentially compromised at an endemic level. Russia and Brazil are clearly at the top of the list with over 30% of the potentially compromised ASNs. With a list of only 200, it is a manageable process to assess and make individual verdicts about these ASNs. Decreasing the percent risk cutoff to 1% increases the list size from 203 to 409.

We present the top ten ASNs by percent riskiness below:

AS Name | Country | AS Number | Number of Risk-Scored IPs | Percent Risky
ADM Service Ltd. | Russia | AS48721 | 511 | 100%
Bralu Jurjanu biedriba | Latvia | AS198620 | 255 | 100%
Emgoldex Limited | Germany | AS200998 | 255 | 100%
GP4 TELECOM LTDA – ME | Brazil | AS265131 | 876 | 86%
Nagravision SA | Switzerland | AS42570 | 423 | 83%
PE Tetyana Mysyk | Ukraine | AS25092 | 510 | 50%
FOP Tokarchuk Oleksandr Stepanovich | Ukraine | AS48272 | 404 | 39%
Pp Sks-lugan | Ukraine | AS43765 | 398 | 39%
Companhia Itabirana Telecomunicações Ltda | Brazil | AS28201 | 10,228 | 36%
Maildez Serviços de Internet S S Ltda | Brazil | AS264488 | 681 | 30%

Several ASNs seem completely compromised. These can easily be classified as dangerous and should be immediately blocked in their entirety. This prioritized list provides an opportunity to assess network risk versus business need. For example, while most U.S. companies might be reluctant to universally block German IPs simply based on country affiliation, the addition of a risk percentage metric makes it clear that traffic from AS200998 managed by Emgoldex should be dropped.

Most Risky ASNs Based on Malware Command and Control Association

The analysis thus far has been based on all of Recorded Future’s risk information. A more conservative approach is to look only at the IP addresses that have been explicitly associated with command and control (C2) malware infrastructure. IP addresses with the highest levels of risk merit specific investigation. We look at the geographic distribution below:

Geographic Distribution of IP Addresses With C2 Malware Infrastructure

The United States clearly dominates here. While more “harmless” risky behavior like scanning and botnets may be concentrated in more “sketchy” locations, the effort involved in mounting a malware campaign suggests a bias toward investing in more “legitimate” locations like the United States, Hong Kong, Japan, Canada, and the UK. Threat actors investing in C2 infrastructure are motivated to ensure the malicious traffic looks as innocent as possible to network operators. Placing C2 servers in friendly looking locations decreases the likelihood of detection. Pure location-based rules aren’t sufficient in these cases, but clear assessments of C2-associated ASNs are possible. There are only 52 ASNs associated with 50 or more C2 addresses and 122 ASNs associated with 20 or more C2 addresses. This is a manageable number to process and assess for the legitimate business need for traffic from these ASNs.

Below, we present the top ten ASNs based on the number of C2 associations:

AS Name | Country | AS Number | Number of C2-Associated IPs
eSited Solutions | United States | AS22552 | 1,221
Psychz Networks | United States | AS40676 | 1,193
Enzu Inc | United States | AS18978 | 692
DXTL Tseung Kwan O Service | Hong Kong | AS134548 | 632
Turk Telekom | Turkey | AS9121 | 509
Nobis Technology Group, LLC | United States | AS15003 | 407
OVH SAS | France | AS16276 | 358
Lost Oasis SARL | France | AS29075 | 264
PJSC Rostelecom | Russia | AS12389 | 182
Telecom Algeria | Algeria | AS36947 | 176

Simple web searching shows that some of these ASNs have been malicious for years and are still the source of malicious infrastructure. While we see a minimal Chinese presence here, we do note that the worst offender above, eSited Solutions, peers directly with China Telecom.

We also extracted IP addresses hard coded into malware samples (no domains) and performed downstream analysis of associated ASNs. A recent Recorded Future query yielded 24,219 unique IP addresses mapped to a variety of malware families. The below table shows the top five malware families as ordered by the associated number of IP addresses:

Malware | Associated IPs
Ramnit | 2,277
Virut | 1,236
Parite | 1,167
Chir | 915
Bitcoinminer | 732

We present the geographic distribution of these IP addresses below:

Geographic Distribution of the Top 5 Malware Families

We see the largest number of malware-related IP addresses in the United States, as we did with C2 IP addresses, but China is now a close second. Because these are IP addresses embedded in malware files, threat actors face competing pressures: to select innocent-looking geolocations, but also to choose infrastructure they are confident will remain available for the life of the malware. So, while the U.S. still leads, we see a large increase in China and the Republic of Korea, presumably because servers set up there by threat actors are more reliable.

Unsurprisingly, the top ASNs by number of IPs in this analysis are Chinanet and CNCgroup, as we saw in the overall top listing. However, we see some new interesting ASNs when sorting malware-related IPs by percent riskiness:

AS Name | Country | AS Number | Number of Malware-Associated IPs | Percent Risky
Green Team Internet LTD | Israel | AS204078 | 40 | 5.21%
BEST IDC by Best Internet Service Solution | Thailand | AS59374 | 201 | 3.74%
408 Fl4 CATTOWER | Thailand | AS56309 | 198 | 3.52%
Skype Communications Sarl | Luxembourg | AS198015 | 17 | 3.32%
Skype Communications Sarl | Luxembourg | AS198097 | 18 | 2.34%

Impact on Network Security

For network professionals seeking to protect their networks, one simple approach to implement is to restrict traffic based on ASNs. The technical rules are trivial to put in place, but the devil is in the details of choosing which of the world’s nearly 60,000 ASNs to block. Data-driven tables like those presented in earlier sections provide prioritized lists to investigate and evaluate the risks and benefits for different ASNs and geographic regions.

For example, the total number of risky IPs alone is likely not a sufficient factor on which to base blocking rules. Consider the source of the largest number of risky IP addresses, Chinanet. There are tens of millions of legitimate websites and internet users hosted by that ASN, alongside a large number of risky IPs. Organizations must assess the tradeoff between their business interests in foreign locales and the likelihood of IPs at those locations being malicious. Depending on the nature of the business needs, perhaps an organization decides that the ~75,000 risky IP addresses in Venezuelan AS8048 outweigh the business value of that traffic.

Percent riskiness of an ASN is a more immediately actionable list to evaluate. Due to the smaller size of these ASNs, the negative impact of blocking them is minimal. As an investigator moves down to lower risk levels, factoring in the country of origin can help in making assessments.

ASNs that are home to large numbers of C2 servers should attract specific review. For example, one could review whether a network has any legitimate traffic to the eSited Solutions, Enzu, or Psychz ASNs and then block them, unless there is significant evidence of a business need. ASNs implicated in numerous risk-related activities for years will likely continue to be dangerous.
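The two steps just described, checking whether a network already has legitimate traffic to a candidate ASN and then turning the block decision into a firewall rule, as an added example in Python. This is not code from the report or from Recorded Future; the prefix table (ASNs from the AS64496–AS64511 documentation range, prefixes from RFC 5737 and RFC 1918 space) and the flow-log lines are constructed for the example, and a real prefix table would come from a routing-table dump or BGP data feed that this example does not fetch.

```python
import ipaddress
import re
from collections import Counter

# Constructed prefix-to-ASN table: documentation-range ASNs and RFC 5737 /
# RFC 1918 prefixes only; nothing here is a real allocation.
PREFIX_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), 64500),
    (ipaddress.ip_network("192.0.2.64/26"), 64500),      # more-specific, same AS
    (ipaddress.ip_network("198.51.100.0/25"), 64500),
    (ipaddress.ip_network("198.51.100.128/25"), 64500),  # adjacent halves of a /24
    (ipaddress.ip_network("203.0.113.0/24"), 64501),
    (ipaddress.ip_network("10.0.0.0/8"), 64496),         # the large "legitimate" AS
]

# Constructed firewall connection-log lines, one outbound flow each.
SAMPLE_FLOWS = """\
Jun 15 10:01:02 fw1 flow: src=10.20.1.15 dst=203.0.113.9 dport=443 proto=tcp
Jun 15 10:01:05 fw1 flow: src=10.20.1.15 dst=198.51.100.200 dport=8443 proto=tcp
Jun 15 10:01:09 fw1 flow: src=10.20.1.33 dst=192.0.2.77 dport=80 proto=tcp
Jun 15 10:01:11 fw1 flow: src=10.20.1.33 dst=10.30.0.4 dport=445 proto=tcp
Jun 15 10:01:14 fw1 flow: src=10.20.1.40 dst=172.16.9.9 dport=53 proto=udp
""".splitlines()

FLOW_RE = re.compile(r"dst=(?P<dst>\d+\.\d+\.\d+\.\d+) dport=(?P<dport>\d+)")


def lookup_asn(ip, table=PREFIX_TABLE):
    """Longest-prefix match of an IP against the table; None if not covered."""
    addr = ipaddress.ip_address(ip)
    hits = [(net.prefixlen, asn) for net, asn in table if addr in net]
    return max(hits)[1] if hits else None


def review_flows(lines, candidate_asns, table=PREFIX_TABLE):
    """Count existing outbound flows per (ASN, destination port) for the ASNs
    under review: the 'is there legitimate business traffic?' check that
    should precede a block."""
    seen = Counter()
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        asn = lookup_asn(m["dst"], table)
        if asn in candidate_asns:
            seen[(asn, int(m["dport"]))] += 1
    return seen


def blocked_prefixes(asns, table=PREFIX_TABLE):
    """Collapse the chosen ASNs' prefixes: drops covered more-specifics and
    merges adjacent blocks, so the firewall set stays small and overlap-free."""
    nets = [net for net, asn in table if asn in asns]
    return list(ipaddress.collapse_addresses(nets))


def render_nft(asns, table=PREFIX_TABLE, set_name="risky_asn_v4"):
    """Render an nftables interval set plus an outbound drop rule for it."""
    elems = ", ".join(str(n) for n in blocked_prefixes(asns, table))
    return (
        f"table inet filter {{\n"
        f"  set {set_name} {{ type ipv4_addr; flags interval; elements = {{ {elems} }} }}\n"
        f"  chain output {{ type filter hook output priority 0; policy accept;\n"
        f"    ip daddr @{set_name} counter drop\n"
        f"  }}\n"
        f"}}"
    )


if __name__ == "__main__":
    candidates = {64500, 64501}
    for (asn, dport), n in sorted(review_flows(SAMPLE_FLOWS, candidates).items()):
        print(f"AS{asn} dport {dport}: {n} existing flow(s)")
    print(render_nft({64500}))
```

The collapse step matters in practice: an AS commonly announces both a covering prefix and more-specifics inside it, and pushing those uncollapsed into an nftables interval set produces overlapping elements that the set does not accept by default. The review step is deliberately keyed on destination port so that, say, one HTTPS flow to a hosting AS can be distinguished from a vendor integration worth an exception.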

Testing Percent Risk Based ASN Blocking

ASN-based blocking makes sense only if new risky IP addresses keep emerging from the blocked ASNs; if they do, putting the blocks in place protects networks from those IPs before they appear on any risk list. To test this, we took our IP risk list as it existed on June 15, 2017, determined the percent riskiness of all ASNs, and considered basic rules blocking ASNs at various degrees of risk. We then looked at IPs presenting risk-related content for the first time in the 30 days after June 15. The results for varying levels of riskiness are below:

Percent Riskiness for All ASNs

X-axis is the minimum percent risk level of ASNs blocked. Y-axis is the number of newly emerging risky IP addresses from blocked ASNs.

For example, implementing a rule blocking the ten riskiest ASNs (percent risk of 25% or higher) pre-emptively blocks 1,722 IP addresses that were not identified as risky at the time of the blocking, but emerged as risky in the following 30 days. Similarly, blocking the riskiest 50 ASNs (percent risk of 6% or higher) blocks 11,977 IP addresses about to emerge with risk content. More aggressively, blocking the 200 worst ASNs (percent risk of 2% or more) blocks 124,390 IPs that will become risky.

These are large proportions of an AS to be risky, and they illustrate endemic AS security issues, typically in a smaller AS. In fact, 95% of the worst 200 ASNs contain 150,000 IP addresses or fewer, so implementing these blocks will have minimal impact on legitimate business use.

New malicious IP addresses will continuously emerge as different weak spots on the web are exploited. Risk lists based on identifying malicious behavior and reporting it are critical, but will not protect networks from soon-to-be risky infrastructure. The reality is that much of that new infrastructure will arise from network locations associated with previously identified risk. Blocks based on selected ASNs can protect you from IP addresses before they show up on risk lists. Without data-driven approaches, it is extremely difficult to know which of the over 55,000 ASNs to preemptively block. Structured approaches based on historical risk levels can generate manageable lists of ASNs to assess and block.

Outlook

Network security teams need structured approaches to establish blocking rules. Simp


Chasing Risky Internet Business
Recorded Future


As security professionals, we’re relied upon to protect our networks from malicious traffic. But what’s the best strategy for determining the most likely sources of risky traffic? Is it safe to assume that traffic from certain countries is more suspicious than others, or that some hosting infrastructures are more likely to be compromised? With a growing consensus that IP blocklists are rapidly becoming obsolete, a more sophisticated approach is needed.

Our guest today is Dr. Bill Ladd, chief data scientist at Recorded Future. He’s the author of the report, “From Chasing Risk Lists to ASN Policies: Large-Scale Analysis of Risky Internet Activity.” The report takes a data-driven look at a variety of ways to determine risky ASNs and IP addresses. In this episode Bill Ladd gives us an overview of his team’s research and findings.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

The post Chasing Risky Internet Business appeared first on Recorded Future.


Announcing Recorded Future’s New Training Program
Recorded Future


We’re excited to announce Recorded Future’s new full-scale training program aimed at maximizing threat intelligence investment in Recorded Future and reducing security risk.

Complete with seminars, workshops, and certification, the program will introduce new training segments to empower users to get up to speed quickly using the Recorded Future product, while supplementing the world-class configuration, education, and support services already delivered to our customers.

Threat Intelligence Seminar

To help users obtain deeper product expertise, Recorded Future has developed a comprehensive threat intelligence seminar featuring live, half-day or full-day training delivered by a Recorded Future analyst.

The seminar is custom-built to train analysts, security engineers, and other users on common threat intelligence principles and fundamentals. Common frameworks for intelligence analysis, threat intelligence sources, and our proprietary Intel Goals for security teams are covered during this seminar, as well as practical exercises in progressively deeper analytical research and data exploration.

Advanced Threat Hunting Workshops

Recorded Future advanced threat hunting workshops are half-day, onsite training sessions that provide enterprise security teams with practical applications of threat intelligence in advanced use cases. These workshops are built for all organization levels, and are presented by our senior analysts and Insikt Group research team members.

Areas covered include pre-exploitation and post-exploitation threat hunting, developing online HUMINT sources, and understanding and identifying nation-state adversary TTPs, taught by some of the foremost threat experts in the world.

Certification Program

Recorded Future now offers a new certification program to validate the expertise of power users.

The certification is a three-hour practical examination conducted by Recorded Future senior threat intelligence analysts for determining proficiency in the product. To achieve recognition, participants must score above 85 percent and demonstrate a clear knowledge of:

  • Threat intelligence principles, strategies, and goals.
  • Sources and methods utilized by Recorded Future.
  • Execution of security team requirements by advanced queries and workflows.

Successful candidates will receive a Recorded Future Certified Analyst certificate and will be able to use the Recorded Future Certified Analyst emblem on their physical and digital resume.

Thomas McNeela of U.S. Cellular was among the first group of certification program participants and shared feedback on LinkedIn following the training:

Learn More

Recorded Future aims to provide the best threat intelligence training services and strategic guidance to help customers and partners get the education and access they need to be successful in using the product.

Contact your account manager today for more information on our newly launched training program, or request a demo from the convenience of your own desk to learn more about Recorded Future.


China’s Cybersecurity Law Gives the Ministry of State Security Unprecedented New Powers Over Foreign Technology
Recorded Future

Insikt Group

In this post, we offer in-depth analysis of the Chinese information security organizations tapped to support the national security review portion of China’s new cybersecurity law (CSL) and reveal an expanded role for an office run by the Ministry of State Security.

Executive Summary

On June 1, 2017, after years of domestic and international debate, China’s national cybersecurity law finally went into effect. Much of the law focused on the protection of Chinese users’ data, while assessments of the law emphasized the potential negative impacts to foreign companies and technologies and the difficulties in complying with the onerous, vague, and broad new legal requirements.

Recorded Future’s research has focused on the broad powers the cybersecurity law gives to the China Information Technology Evaluation Center (CNITSEC), an office in China’s premier foreign intelligence service, the Ministry of State Security (MSS). The law gives “network information departments,” including CNITSEC, the power to conduct “national security reviews” (see Article 35) of technology that foreign companies want to use or sell in the Chinese market.

The MSS’s integration into the information security architecture of China via CNITSEC will (1) possibly allow it to identify vulnerabilities in foreign technologies that China could then exploit in their own intelligence operations, and (2) create an impossible choice for foreign companies between giving their proprietary technology or intellectual property to the MSS and being cut out of the mainland Chinese information technology market, which is projected to reach $242 billion in 2018.

MSS Integration Into the Information Security Architecture

Background

In our May 2017 blog post attributing the threat actor group APT3 to the Chinese MSS, we also identified a Chinese information security organization that is actually run by the MSS — CNITSEC, also referred to in this piece as “the center.”

Chinese Ministry of State Security

According to academic research published in “China and Cybersecurity: Espionage, Strategy, and Politics in the Digital Domain,” CNITSEC is run by the MSS and houses much of the intelligence service’s technical cyber expertise. CNITSEC is used by the MSS to “conduct vulnerability testing and software reliability assessments.” Per a 2009 U.S. State Department cable, it is believed China may also use vulnerabilities derived from CNITSEC’s activities in intelligence operations. CNITSEC’s former Director and current party secretary, Wu Shizhong, even self-identifies as MSS, including his work as a deputy head of China’s National Information Security Standards Committee as recently as January 2016.

Analysis

CNITSEC’s role in the new information technology regulatory regime has become apparent only over the last few months as the Chinese state began to finalize and publicize regulations in support of the CSL.

Cybersecurity Law Is Broad and Language Is Vague

Before delving into CNITSEC’s role, it is important to first review relevant sections of the CSL and the obligations foreign companies are likely to incur (for a good English-language translation, please see China Law Translate). It is important for companies to note the imprecision and breadth of the CSL as well as the 2015 National Security Law, because both contain vague language that can be invoked by Chinese authorities to compel national security reviews, data sharing with government authorities, and even inspections into proprietary technology or intellectual property.

Upon its passage in November 2016, one of the poorest-defined sections of the law was “Chapter Three: Network Operations Security.” Chapter three includes 18 articles which define the “network security protection” responsibilities of “network operators” and additional legal responsibilities for companies that operate “critical information infrastructure.”

Only one of the three terms referenced above was defined in the law itself. The CSL states that “network operators” are “network owners, managers, and network service providers.” According to a KPMG analysis of the law:

Enterprises and institutions that provide services and conduct business activities through networks may also be defined as “network operators.” In addition to traditional telecom operators and internet firms, network operators may also include:

  • Financial institutions that collect citizens’ personal information and provide online services, such as banking institutions, insurance companies, securities companies, and foundations.
  • Providers of cybersecurity products and services.
  • Enterprises that have websites and provide network services.

This is such a broad interpretation of the term that it could encompass any business that uses the internet or collects user data in China. Further, companies that are categorized as “network operators” are subject to a review by government regulators if they ever wish to transfer large amounts of user data abroad (see Article 37).

According to Article 28 of the CSL, “network operators” are also obligated to provide assistance to “preserve national security and investigate crimes” to public and state security agencies. This could place companies in a position of having to provide information to Chinese law enforcement and state security organizations on users or activities that are not considered crimes in the west, particularly “internet-related crimes.” Some of these “internet-related crimes” include using the internet to “fabricate or distort facts, spread rumors, disturbs social order,” “insult or slander others,” and to propagate “harmful information.”

A subset of “network operators” are classified by the law as operating “critical information infrastructure” and subject to even greater regulations and reviews. The text of the CSL classifies “critical information infrastructure” as:

Public communication and information services, power, traffic, water, finance, public services, electronic government (e-gov), and other critical information infrastructure that if destroyed, lost functionality, or leaked data, might seriously endanger national security, the national economy and the people’s livelihood, or the public interest.

The Chinese state’s definition of “national security” was formalized in the July 2015 “National Security Law” as:

The relative absence of international or domestic threats to the state’s power to govern, sovereignty, unity and territorial integrity, the welfare of the people, sustainable economic and social development, and other major national interests, and the ability to ensure a continued state of security.

Companies in this sector, and any products or services purchased by them, will also be subject to a “national security review,” which the Financial Times reported allows the government to “request computer program source code” and “delve into companies’ intellectual property.” The article also states that “even fast-food delivery companies could be considered critical infrastructure, Shanghai regulators ruled during a pilot run for the law,” probably because they possess personal information on millions of Chinese users.

CNITSEC’s Role in CSL Provides MSS Collection Opportunities

As outlined in our blog on APT3 and the MSS and detailed again above, CNITSEC has never officially acknowledged its relationship with the MSS, but the center’s mandate to serve the Chinese state, party, and government organizations, as well as conduct reviews under the CSL, is well-documented.

  • CNITSEC’s website describes the center as having a broad mandate, bestowed by the central government, to conduct security vulnerability evaluations and risk assessments of party and government information networks; security testing of information technology, products, and systems; boasts “first-class” vulnerability analysis resources and equipment; and professional research and development technical labs.
  • In a June 2017 interview given to the Chinese-language paper Southern Metropolitan, CNITSEC’s Chief Engineer Wang Jun confirmed that CNITSEC had been certified by the Chinese government to conduct the national security reviews under the CSL. Wang further explained that a review could be initiated by a relevant state department, a national industry, or by the market, which included users and the public.
  • At a conference later in the month, Wang delivered a keynote address on the same topic, making an explicit link between Article 59 of the 2015 National Security Law, which established the legal requirement for a national security review and oversight of foreign commercial investments, technologies, products, and services; the security reviews mandated under China’s 13th Five-Year Plan; and the national security reviews mandated under the CSL.

Wang (photo below) also emphasized in this speech that the CSL national security reviews would focus on the possible impact on national security, security risks, security reliability, control, security mechanisms, and technological transparency. He continued to maintain that the reviews would be conducted by professional “third parties” that were ostensibly objective and independent, however, with CNITSEC, an office within the MSS, emerging as a certified national security reviewer, it calls into question any other organization that has also been certified.

CNITSEC’s Chief Engineer Wang Jun

CNITSEC also runs the China National Vulnerability Database of Information Security (CNNVD), which is the nation’s information security assessment center, and is responsible for the construction, operation, and maintenance of the national information security vulnerability data management platform.

Official CNNVD Website

Official CNNVD website, stating that CNITSEC runs CNNVD. (Source)

Overtly, CNNVD operates similarly to other national vulnerability databases, such as the U.S. National Vulnerability Database (NVD), which is maintained by the National Institute of Standards and Technology (NIST) with sponsorship from the Department of Homeland Security (DHS) and is tasked with publicly cataloging, scoring, and reporting software vulnerabilities. While there is not an exact DHS equivalent in China, the Ministry of Public Security (MPS) mission and scope is most similar and is widely considered China’s DHS counterpart. The MSS’s most similar U.S. counterpart is the Central Intelligence Agency (CIA); however, the MSS is also empowered to collect intelligence within China, with some functions resembling the Federal Bureau of Investigation (FBI). For comparison, the MSS running the CNNVD would be roughly the equivalent of the CIA running the NIST NVD.

The fundamental problem with the MSS running CNITSEC and CNNVD, and more broadly, the MSS’s role in China’s information security organizational infrastructure, is that the MSS is China’s “leading civilian intelligence agency,” responsible for both foreign intelligence and counterintelligence operations. According to “China’s Security State: Philosophy, Evolution, and Politics,” the MSS is “responsible for collecting and assessing civilian intelligence relevant to national security and for conducting counter espionage operations against foreign countries.”

This means that the MSS is using the broad language and new authorities in China’s cybersecurity law to possibly gain access to vulnerabilities in foreign technologies that they could then exploit in their own intelligence operations. The MSS has a voice in which vulnerabilities are reported via the CNNVD, because they run it; they could also easily identify and hide from the public a critical weakness in software or hardware, then turn around and use it in their own operations.

There are two critical differences between the way the MSS could run the CNNVD and the way the CIA or NSA interact with the NIST NVD. First, while it has been widely documented that the vulnerabilities exploited by the ETERNAL series of NSA tools were not disclosed to Microsoft or the NIST NVD before they were acquired by the ShadowBrokers group, the NSA does not operate the NIST NVD and did not actively censor these vulnerabilities from the database. The MSS (via CNITSEC) runs the CNNVD and can choose to suppress or control the vulnerabilities that are reported to the public.

Second, the MSS could leverage research conducted by the CNNVD to support their operations. U.S. intelligence agencies such as the NSA and CIA identify vulnerabilities based on their own research and are not allowed to leverage NIST NVD’s non-public research.

Impact

The vagueness and opacity of the definitions in the CSL means that many foreign companies, especially those considered part of the “critical information infrastructure,” will have to make the grim choice between giving their proprietary technology/intellectual property to the MSS and being excluded from the mainland Chinese market. Allowing their technology to be security reviewed by the MSS could have a secondary ramification of putting current customers or users at increased risk for Chinese state-sponsored cyberattacks.

Foreign companies seeking to conduct business in China, especially those in the “critical information infrastructure” sectors, now face a host of technical, legal, and ethical decisions about operating in China that might not have been previously considered. These decisions will impact both the tactical and strategic plans and operations for companies in a wide range of industry verticals.

First, with the knowledge that the MSS could discover and operationalize vulnerabilities in proprietary products or services, companies need to evaluate three possible risk scenarios:

  1. Risk to a company’s own machines or networks.
  2. Risk to a company’s product or service.
  3. Derivative risk to customers, clients, or users around the world.

Most products and services utilized in China will not be wholly unique from their global counterparts, raising the risk that vulnerabilities discovered by the MSS could be utilized to exploit international users of these machines, networks, products, and services. Companies in this loosely defined “critical information infrastructure” sector are at greatest risk. These likely include software and hardware vendors; SaaS (software as a service), IaaS (infrastructure as a service), PaaS (platform as a service) companies; cloud, security, and network providers; and many more.

Second, cooperating with Chinese authorities by providing information on the subjects of domestic investigations could open companies to public criticism in Europe and North America, lawsuits, and possible censure from multiple levels of government. In 2007, Yahoo found itself in the crosshairs of a bipartisan congressional hearing after providing information to the Chinese authorities that was connected to the imprisonment of a dissident journalist. The company’s CEO and General Counsel were branded “moral pygmies” and “irresponsible” by the chairman of the House Foreign Affairs Committee, and the company has been forced to defend its reputation with civil rights groups since the incident. Yahoo

Follow the Money: Threat Intelligence for Financial Institutions | Recorded Future

When you’re responsible for safeguarding the money, not to mention the personal financial information of your clients, what are your specific needs when it comes to threat intelligence? Where do you begin, and how do you get the best bang for your buck? Is open source intelligence enough, or should you invest in a paid solution from the outset? What about regulators? And how do you get buy-in from the board?

Here to answer these and many other questions is Dr. Christopher Pierson. He’s chief security officer and general counsel at Viewpost, an electronic invoice, payment, and cash management company. He also serves as a special government employee on the Department of Homeland Security Data Privacy and Integrity Advisory Committee and Cybersecurity Subcommittee, and is a distinguished fellow of the Ponemon Institute.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

The post Follow the Money: Threat Intelligence for Financial Institutions appeared first on Recorded Future.


Dark Web Explained: Shining a Light on Dark Web Activity | Recorded Future

The dark web is a subset of the World Wide Web accessible by means of special software, allowing users and website operators to remain anonymous or untraceable. Websites on the dark web operate in their own unique environment, separated from surface sites such as Amazon, eBay, or the Wall Street Journal.

Although strongly discouraged, it is possible with any popular browser to visit dark web sites that sell a wide range of products and offer services. Just navigate to www.tor2web.org and check out sites like the Dark Wiki or one of another 30,000 websites. Many of these offer access to contraband, controlled substances, forged passports, counterfeit currency, and information that is available on the surface web.

How to Access the Dark Web

The research team behind the “Dark Web Notebook: Investigative Tools and Tactics for Law Enforcement, Security, and Intelligence Organizations” recommends that dark web access be gated through the Tor software bundle.

This collection of a web browser and privacy-focused add-ons flips on the dark web’s overhead lights. You can download the Tor bundle at www.torproject.org/download/download.html.

Keep in mind that law enforcement and intelligence authorities may monitor Tor downloads, and in some countries, downloading Tor is a signal of possible wrongdoing.

The dark web operates without many controls. Average shoppers can place an order after supplying only minimal information. Some vendors, however, require a referral or positive ratings from other vendors.

Several important features of the dark web are:

  • The Tor software is a bundle of tools that help limit a website’s interactions with the user’s system — including a version of the Firefox browser, encryption features, components to route traffic through multiple Tor relay servers (which makes tracking user behavior more difficult), and utilities like NoScript. “Dark Web Notebook” recommends what it calls “the full Snowden,” which is the use of the TAILS operating system and other tools such as the Tor Browser.
  • For now, the dark web is a digital location where secrecy is enforced through encryption, reputation, and systems designed to prevent law enforcement, security, and intelligence personnel from eavesdropping on communications or having direct access to network traffic among Tor users, servers, and websites.

Two points about the dark web to note:

  • First, encryption and routing across Tor relays can make dark web access sluggish. Impatience can lead to errors, and those mistakes can compromise the security of the session.
  • Second, some dark web sites are operated by law enforcement and intelligence entities. The idea is to obtain the identity of the site visitors and take appropriate legal action. The FBI operated a child pornography website for a period of time. The data collected allowed authorities to make hundreds of arrests worldwide.

3 Little-Known Facts

During the course of research for the notebook, the study team uncovered a number of little-known facts about the dark web.

The dark web is going to become more important. As companies like Facebook and Google filter for hate speech, those who want to disseminate this type of information will look for alternative outlets. Countries are also stepping up their censorship efforts. China’s aggressive program will attempt to comprehensively monitor real-time content streams. The dark web offers social media, video, and communication tools comparable to those in use by people who routinely access the surface web. The dark web attracts about two million users per month, but the censorship squeezing of the surface web will force those looking for terrorism-related information, contraband, and more secure ways to exchange content to migrate to the dark web.

Dealing with the security and obfuscated packets requires specialized tools. The “Dark Web Notebook” provides a discussion of free and open source tools. A special feature of the book is a listing of the Defense Advanced Research Projects Agency’s open source MEMEX program software. The book also profiles a number of companies offering specialized indexing and analytic services for dark web content. Among the companies highlighted are IBM and its Analyst Notebook tool,* Palantir Technologies and its Gotham system, and Recorded Future’s threat intelligence product.

Analysts — whether in government or commercial enterprises — will have to become familiar with the dark web. It is critical to understand the type and degree of security threat posed by sites which sell Uber accounts, valid credit cards and PayPal accounts, and confidential company information, as well as the readily available exploits, malware, and hacks offered on dark web forums. Because more aggressive censorship of the surface web is now taking place, understanding the dark web’s positive and negative aspects will fill in a knowledge gap for those unfamiliar.

Learn More

To discover more insights into the dark web, the table of contents for the “Dark Web Notebook” is available at www.xenky.com/darkwebnotebook.

Stephen E. Arnold

Stephen E. Arnold’s career includes work at Halliburton Nuclear Utility Services and Booz Allen Hamilton. He built and sold several start-up ventures including The Point Internet Service. He and his team built the online system for the Threat Open Intelligence Gateway (TOSIG) for the US government. He is the author of “The Google Legacy” (2005), “Google Version 2” (2007), and “Google: The Digital Gutenberg” (2009). In 2015, he published “CyberOSINT: Next Generation Information Access.” He is a summa cum laude graduate of Bradley University and he has completed work on his PhD at the University of Illinois.

* Disclosure: The author of the “Dark Web Notebook” was an adviser to i2 Group Ltd., the developer of the Analyst’s Notebook system. The book provides a list of more than 18 other companies with dark web capabilities for business, financial, and government applications. Many of these firms are not “household names.”


Speaking With Analyst and Fantasy Author Myke Cole | Recorded Future

Our guest today is Myke Cole. He’s a cyber threat intelligence analyst with a large metropolitan police department, and a member of the United States Coast Guard reserve, supporting maritime search and rescue and law enforcement around New York City. He is also an award-winning, best-selling author of fantasy fiction, perhaps best known for his “Shadow Ops” series of novels, combining military action with magic and sorcery. And if that weren’t enough, he’s also featured in the CBS reality TV series, “Hunted,” where he’s one of an elite team of fugitive hunters.

Mr. Cole shares his unlikely path to cybersecurity, how his ability to conjure convincing characters in his fantasy novels transfers to understanding the minds of cyber adversaries, and the importance of creativity and taking risks.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.


Using External Intelligence to Uncover Insider Threats | Recorded Future

Key Takeaways

  • Malicious insiders evade security controls because of poorly enforced access controls or by exploiting human vulnerabilities.
  • Since controls fail to detect or prevent, indications of insider threats will likely first appear external to your organization, commonly in web exposure.
  • Threat intelligence can detect early indications of insider threats advertising sensitive data assets, criminal actors soliciting potential insiders, and leaked credentials or proprietary information.

Growing Concern

Businesses are increasingly concerned with insider threats as a business risk. Once the purview of government organizations and defense enterprises, concern around insider threats has spilled into commercial markets, most notably in multiple large financial breaches in 2016. Consequently, more companies are seeking insider threat detection and prevention processes and tools than ever before.

Timeline of Financial Breaches

Five-year timeline of chatter related to financial breaches reported on the dark web and special-access forums.

Unfortunately, many security tools fail to detect and prevent insider theft. This makes sense when you think about identity and access management. Insider threats, by definition, are granted access to sensitive company resources, and regular monitoring is difficult and costly. Even with properly configured UEBA (user and entity behavior analytics), insiders may evade detection, as their actions may fall within the spectrum of expected behaviors. Worse, many of the insider threat detection efforts contribute a preponderance of false alerts to the noise already experienced by security teams.

Combating insider threats requires fusion between security teams and technologies, and threat intelligence is a valuable addition to detection efforts. An insider who steals data typically seeks a customer for the product of their betrayal; likewise, criminal actors and nation states continually hunt for new avenues to profit and for deep access. Threat intelligence can surface various points along the insider maturation cycle, both before and after data theft.

Using information surfaced from open and closed sources across the web, threat researchers can monitor for leaks of sensitive information, surface valuable context to forecast potential insider activity, surveil developing trends in criminal adoption of insider recruitment and utilizations, and provide warning on direct threats to an organization.

The State of the Insider Threat

Much news coverage of insider threats highlights the impact on espionage and large financial thefts, for good reason. In February 2016, the Bank of Bangladesh issued a statement that criminal hackers had stolen the equivalent of over $86 million from the bank. Likely using custom malware and insider information, the criminals sent forged SWIFT messages to withdraw funds from the Bank of Bangladesh’s account at the U.S. Federal Reserve Bank. In total, the criminals attempted to steal over $1.1 billion.

Criminal actors recognize insiders as a rich source of both sensitive access and valuable knowledge across industries. According to 2016 research by Kaspersky Labs and B2B International, criminals targeting the telecommunications industry used insiders to penetrate network perimeters and recruit other insiders. Criminals may use previously compromised data, such as the Ashley Madison breach, to blackmail telecommunication employees for credentials or information, to propagate spear-phishing emails, or to recruit other employees for further malfeasance. Kaspersky Labs reported that 38 percent of targeted attacks now involve insiders.

Insider Threat Intelligence Monitoring

Monitoring for insider threats starts with the likely path of insiders’ maturation. Insider threat behaviors start with naivety and mature to criminal collaboration and theft. Naive actors may violate rules due to ignorance, while self-interested individuals may recognize the policies but willfully violate them when they deem it necessary to accomplish or speed up their job functions. This creates a gamut of external indications to monitor, as insiders use the internet as frequently as the rest of society to comment, transact, purchase, and research.

Unfortunately, organizations often focus their monitoring on information that is challenging or impossible to identify, typically centered directly on their employees. Monitoring an employee’s external behaviors is both disturbing and unproductive as an insider threat mitigation strategy. While public discontent, computer malfeasance, and suspicious working hours are possible behaviors associated with insider activity, they are not reliable indicators of the intent to betray. Many employees exhibit these behaviors at one point or another during their employment lifecycle, and potential insiders may not exhibit any of them.

Threat intelligence surfaces relevant sources of information for analysts to rapidly identify potential insider activity. These indications alert the security analyst to research, and if necessary, escalate the incident for further investigation. Recorded Future can assist in monitoring for insider threat indications in four areas:

  1. Proprietary information on sensitive sources.
  2. Proprietary assets or information on public code repositories.
  3. Employee PII or databases for sale.
  4. Posted advertisements or solicitations on criminal forums and the dark web.

Leaks of Betrayal

In late 2014, a 30-year-old financial firm employee offered 6 million account records, including passwords and login data, for sale on Pastebin. Later, 1,200 accounts were actually spilled and offered as an enticement to purchase more accounts via Bitcoin. Overall, the financial firm determined the insider, Galen Marsh, accessed data on approximately 10 percent of the entire firm’s wealth management clients.

To avoid this fate, it is imperative to monitor for proprietary assets, including mentions of your information assets, brand names, and products in context. Assets may be mentioned for innocuous reasons, so it is important to identify the context where these mentions occur. Context may be an association with a particular event like a cyberattack, or may be the venue where the asset is mentioned, such as a paste site or criminal forum. While this may not always target insider threats in particular, it allows your organization to quickly identify posted information which would immediately require investigation.

Proprietary Code on Public Repositories

Proprietary code represents an immediate threat to a business’s core infrastructure and operating applications. Many network and information technology workers utilize public source code for maintaining and improving company networks and applications. Additionally, they may contribute back to this open source code. While the contributions themselves are not necessarily cause for concern, the addition of company proprietary or sensitive information to open source code repositories certainly is.

In many cases, the proprietary code posted may be accidental. However, this is still an insider posting sensitive information in a public forum where malicious actors can take advantage of the information. Monitoring for this information, and effective, timely remediation, improves the organization’s security posture.

Employee PII or Healthcare Database Leaks

Large-scale healthcare breaches present an avenue for insider blackmail and solicitation by criminal actors. Recorded Future has previously reported on significant breaches of healthcare databases across the United States and elsewhere around the world. To date, criminal actors have primarily monetized this data theft through ransoming the data back to the organizations, with mixed results. This leaves the criminals with a large quantity of data without a direct, reliable revenue source.

Criminal Advertisements and Solicitations

Criminal forums and marketplaces are well known for facilitating all types of illicit transactions. Insider threat advertisements are frequently used by actors promoting their illicit services on dark web sites — from retail cash-out services, to carding operations, to bank insiders facilitating theft. Many of these advertisements lie on closed source forum sites, requiring extensive vetting and personas to maintain persistent access. Additionally, many services cannot regularly or automatically harvest from closed sources or forums, so be sure to vet vendors carefully.

Insider threat alerting on closed forums or the dark web takes three forms. Monitoring for direct mentions of your organization or assets is the first priority, as such mentions likely indicate either targeting or a potential breach. Industry mentions or tangential targeting are the next avenue of monitoring, as mentions of a “UK bank” or “#x of banking accounts” attempt to cover the source of the information. Finally, presence on closed access forums allows direct interaction with threat actors, possibly retrieving samples of allegedly stolen information and materials as validation. These interactions are difficult and private, but may prove exceptionally valuable.
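A constructed triage script, added here and not part of the original post or of Recorded Future's product, that applies the tiered alerting just described to the four monitoring areas listed earlier: direct organization or asset mentions weighted by venue and context, industry-level mentions with sale context, and credential material in public repository text. The organization profile, term lists, venue names and sample posts are all hypothetical.

```python
"""Tiered triage of external posts for insider-threat indications.

Constructed example: the organization profile, the venues and every sample
post below are hypothetical; adapt the term lists to your own assets.
"""
import re
from dataclasses import dataclass

# Hypothetical organization profile (assumed names, not a real company).
ORG_TERMS = ("acme bank", "acmebank", "acmepay")
# Industry-level wording used to hide the true source of a data set.
INDUSTRY_TERMS = ("uk bank", "bank accounts", "banking accounts", "wealth management")
# Venues where a bare mention of the organization already warrants attention.
RISKY_VENUES = {"paste", "forum"}

# Context that turns a mention into a likely sale, leak or solicitation,
# including quantity phrases such as "40k UK bank accounts".
SALE_CONTEXT = re.compile(
    r"\b(?:for sale|selling|sell|buy|btc|bitcoin|dump|fullz|escrow|insider)\b"
    r"|\b\d[\d,.]*\s*[km]?\s+(?:[a-z]+\s+){0,2}(?:accounts?|records?|logins?)\b",
    re.IGNORECASE,
)

# Credential material that should never appear in a public repository.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"(?:password|passwd|secret|api_key)\s*[:=]\s*['\"]?[^\s'\"]{4,}", re.IGNORECASE
    ),
    # Assumed internal naming convention; substitute your own.
    "internal_hostname": re.compile(r"\b[a-z0-9-]+\.corp\.acmebank\.internal\b", re.IGNORECASE),
}


@dataclass
class Post:
    venue: str  # "paste", "forum", "repo", "news", ...
    text: str


@dataclass
class Alert:
    priority: str  # "high", "medium" or "low"
    reason: str


def _mentions(text, terms):
    """Return the terms from `terms` that occur in `text`, case-insensitively."""
    low = text.lower()
    return [t for t in terms if t in low]


def triage(post):
    """Assign a priority to one post following the tiered monitoring order."""
    text = post.text
    if post.venue == "repo":
        # Public code: any credential material is an immediate finding, even
        # when the commit was accidental.
        hits = [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]
        if hits:
            return Alert("high", "repo secret: " + ", ".join(hits))
        if _mentions(text, ORG_TERMS):
            return Alert("medium", "organization referenced in public repository")
        return Alert("low", "no indicators")

    direct = _mentions(text, ORG_TERMS)
    sale = SALE_CONTEXT.search(text) is not None
    if direct:
        # First priority: a direct mention, but only when the venue or the
        # surrounding context makes it suspicious; a press mention is benign.
        if post.venue in RISKY_VENUES or sale:
            return Alert("high", f"direct mention {direct} in risky venue or context")
        return Alert("low", f"direct mention {direct} without threat context")

    industry = _mentions(text, INDUSTRY_TERMS)
    if industry and sale:
        # Second priority: tangential targeting that hides the real source.
        return Alert("medium", f"industry mention {industry} with sale context")
    return Alert("low", "no indicators")


# Constructed sample posts, one per monitoring area plus two benign controls.
SAMPLE_POSTS = [
    Post("paste", "Selling 6M AcmeBank customer records incl passwords; "
                  "1200 sample accounts below, the rest via bitcoin"),
    Post("forum", "Have 40k UK bank accounts with balances, insider verified, BTC only"),
    Post("repo", "db_password = 'hunter2'  # prod\nhost = 'db01.corp.acmebank.internal'"),
    Post("news", "Acme Bank opens a new branch in Leeds"),
    Post("forum", "Anyone know a good bank for a mortgage in London?"),
]


def run_triage(posts=SAMPLE_POSTS):
    """Triage every post and return (venue, priority, reason) tuples."""
    results = []
    for p in posts:
        a = triage(p)
        results.append((p.venue, a.priority, a.reason))
    return results


if __name__ == "__main__":
    for venue, priority, reason in run_triage():
        print(f"{priority:6} {venue:6} {reason}")
```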

Conclusions

Insider threats are a complex problem requiring fusion of security teams, business operational teams, and technology to adequately address. Threat intelligence teams can provide valuable monitoring, as well as investigative and contextual reporting in real time, while requiring few resources to maintain. As security loopholes continue to close, criminal actors will continue to identify exploitable opportunities using available resources. Likewise, nation-state actors will utilize insiders for persistent access to hard targets.

To learn more about insider threats and how to protect your assets, information, and personnel, download our white paper titled “Insider Threats to Financial Services: Uncovering Evidence With External Intelligence.”


Protecting a Global Telecommunications Company | Recorded Future

Our guest today is BT’s Vice President, Security UK and Continental Europe, Luke Beeson. Located in London, he leads teams who deliver cybersecurity services to customers, while simultaneously protecting BT’s own systems.

We discuss the challenges a large organization like BT faces when it comes to protecting themselves and their clients, the effect the upcoming GDPR regulations may have on the company and organizations around the world, and how they set their priorities across a broad spectrum of products and services.

We’ll also get his take on the role of threat intelligence in his day-to-day security strategies.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.


TTPs From A Through Z With Levi Gundert | Recorded Future

You’re likely familiar with the phrase, “know your enemy.” The idea being, the more you know about your adversary, their motivations, methods, and capabilities, the better advantage you’ll have when it’s time to defend yourself.

In cybersecurity threat intelligence, we speak of threat actor tactics, techniques, and procedures, or TTPs. TTPs can come from a variety of sources, including open source, darknets, scanning and crawling, and others, but to turn the raw data from TTPs into actionable intelligence, you need to know how to set your priorities based on your organization’s needs.

Joining us once again to help make sense of all of this is Levi Gundert, vice president of intelligence and strategy at Recorded Future.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.


NYC CISO Geoff Brown Protects the Greatest City in the World | Recorded Future

When someone mentions New York City, there are a variety of images that may come to mind. The Statue of Liberty, the Empire State Building, Times Square, or maybe Wall Street or Central Park. And, of course, 9/11. It’s no wonder the city of New York is often called “the greatest city in the world.”

Mayors of other cities may take issue with that label, but there’s no argument that New York is one of the largest, most important cities in the world, with over eight and a half million people.

Geoff Brown is the chief information security officer for New York City, and he’s our special guest today. He heads up New York City Cyber Command, a new cybersecurity organization for the city of New York that works across more than 100 agencies and offices to prevent, detect, respond, and recover from cyber threats.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.


Disrupting Intelligence at RFUN 2017 | Recorded Future

Our anticipated sixth annual threat intelligence conference is now only a day away and entirely sold out, so naturally, everyone is buzzing here at Recorded Future.

This year’s RFUN (Recorded Future User Network) event will take place on October 4-5 at the Newseum in Washington, D.C. and will welcome Recorded Future customers, partners, and threat intelligence experts as they gather for two days of education, networking, and fun.

Training

RFUN 2017 will feature a wide breadth of threat intelligence training and breakout sessions ranging from strategy to hands-on use of the Recorded Future product, delivering the most relevant information necessary to stay proactive. And for the first time this year, attendees will obtain CPE credits and a certificate of completion following our training day!

Sponsors

Along with gaining valuable insight into threat intelligence best practices by hearing from industry luminaries, peers, and Recorded Future experts, attendees will get the chance to see integrations in action with our valued technology partners.

Conference

We’ll be hosting a sensational lineup of speakers including Myke Cole, cyber threat intelligence analyst, TV personality, and author. Cole will be delivering the opening keynote at the International Spy Museum on the first day of RFUN, October 4.

Attendees will also get to hear from The Grugq on October 5 as he delivers day two’s opening keynote at the Newseum, titled “The Age of the Great Leaks.” The Grugq is an information security expert who has worked in an array of security facets including digital forensic analysis, rootkits, and binary reverse engineering.

More speakers featured in our world-class lineup include:

  • Teresa Shea, Former Director of SIGINT at NSA
  • Robert M. Lee, CEO and Founder at Dragos
  • Chris Poulin, Principal/Director at Booz Allen Hamilton
  • And many more!

One of the goals of the conference is to share a new perspective on threat intelligence, not only as it shapes our world in the present, but also in the years to come. Dynamic presentations such as “Disrupt the Disruptors: Threat Hunt Like a Pro,” delivered by Ismael Valenzuela of McAfee, and “Fireside Chat on the Future of Threat Intelligence,” delivered by Errol Weiss of Bank of America, joined by our very own Christopher Ahlberg, CEO and co-founder of Recorded Future, will touch on the evolving world of cyber threat intelligence.

Receptions

Starting at 5:00 PM on October 4, attendees at our opening reception will have exclusive museum access to the International Spy Museum, the only public museum in the United States solely dedicated to espionage and cybersecurity. The party will be packed with drinks, food, networking, and of course, the anticipated opening keynote from Myke Cole.

Lastly, as the exciting two days of RFUN come to a close, our closing reception at the Newseum on October 5 will give attendees the chance to exchange new insights and ideas with fellow security professionals.

New Brand Rollout

To top it all off, we’re excited to announce our fresh new brand being rolled out just in time for RFUN. Expect to see a completely refreshed Recorded Future style, website, and even a new logo, so keep your eyes peeled!

We hope this year’s RFUN will surpass all expectations! If you’ve heard the buzz, but are still unsure what Recorded Future is all about, request a demo now.


The Facts on Equifax | Recorded Future

By now, you’ve surely heard that Equifax, one of the largest credit reporting companies in the U.S., suffered a huge data breach. How bad was it? Reports say over 143 million sets of personal information may have been lost on U.S. residents alone, including names, social security numbers, birth dates, addresses, and in some cases driver’s license numbers. Reports say Equifax neglected to patch a known vulnerability in a timely manner, and took even longer to go public with news of the breach. The story is still developing, but it’s shaping up to be one of the most significant security breaches yet.

John Wetzel is head of threat intelligence training at Recorded Future, and he joins us today to help make sense of what happened to Equifax, how it might have been prevented, and what a breach of this size means for all of us.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.


Threat Intelligence: Difference Between Platforms and Providers | Recorded Future

Key Takeaways

  • Threat intelligence terminology can be confusing on the surface, but it doesn’t have to be. Once you understand the difference between a source, a feed, a platform, and a provider, the whole field will make a lot more sense.
  • Threat intelligence platforms are a popular choice in the industry. However, because they “listen” to many sources and feeds simultaneously without providing additional context, platforms often overwhelm human analysts with false positives.
  • Context is king. When properly contextualized, threat intelligence becomes invaluable to security operations. Without context, it quickly becomes a tremendous burden.
  • Instead of thinking about threat intelligence, think about threat context. To qualify, incoming alerts must be relevant, contextualized, and in a format that is both easy to digest and easily actionable.

The world of threat intelligence can be a bit confusing.

Take a scan through any resource or blog related to threat intelligence (including ours) and you’ll see references to threat intelligence platforms, sources, providers, feeds … the list goes on. And, naturally, they all mean something slightly different.

But if you aren’t yet familiar with the way a powerful threat intelligence facility operates, these terms can be difficult to wrap your head around.

To find some clarity, let’s go over the most commonly used buzzwords, with a particular focus on the ubiquitous threat intelligence platform. After all, there are many platforms on the market right now, and it would be useful to understand exactly what they do (and don’t).

Threat Intelligence 101

First things first, let’s set the record straight on threat intelligence terminology.

A threat intelligence source is literally the origin of threat intelligence coming into your organization — for example, open source intelligence (OSINT) or network telemetry. Regardless of your approach to threat intelligence, you’ll always have at least one source, and probably more.

A threat intelligence feed is a collection of intelligence from a variety of sources, usually of the same type. Feeds are often freely available, and usually rely exclusively on open source intelligence.

A threat intelligence platform is defined as a piece of software, typically developed by a security vendor, which organizes one or more feeds into a single stream of threat intelligence. Typically, threat intelligence platforms rely on open source feeds, but most can also integrate premium feeds via STIX/TAXII or similar.

Finally, a threat intelligence provider is a security organization that actively produces threat intelligence through a variety of means, and offers it up either as a premium threat feed, a pre-packaged software product, or as a customer-specific report. Most (but not all) of these services utilize a mixture of human and automated security operations, and harvest intelligence from both open and closed sources.

With that out of the way, let’s take a deeper look at the most popular starting point for organizations interested in developing a threat intelligence capability.

How and Why Threat Intelligence Platforms Became Prominent

There are dozens of threat intelligence platforms available for comparison, but since they largely perform the same set of functions, we’ll take a look at a “standard” offering.

Leaving aside the most basic (typically free) offerings, most platforms offer a set of benefits that looks something like this:

  • Combines thousands of feeds into a single location.
  • Receives alerts in real time.
  • Normalizes feed data (removes duplicates, enables user-set rules, etc.).
  • Integrates with SIEMs, firewall logs, etc.
  • Creates reports.

What else could you need?

For an organization looking to “get started” with threat intelligence, threat intelligence platforms seem like the obvious starting point. After all, they are (in some cases) freely available, and can be quickly set up to monitor any number of open source feeds.

If that same organization wants to go a stage further, they have the option to pay for one or more premium feeds.

The ability to integrate with existing SIEM solutions is particularly appealing, as it enables organizations to combine a very large quantity of potentially valuable intelligence into a single, convenient location.

For these reasons, many organizations have concluded that implementing a threat intelligence platform is the logical way to initiate a threat intelligence capability without the requirement for significant up-front investment.

Sounds good, doesn’t it? After all, “more is better,” right?

Here’s where we hit a problem. Nearly every organization that takes this approach will quickly realize that more isn’t better. In fact, more can be a nightmare.

Let’s imagine, for a moment, that you implement a standard threat intelligence platform, and set it up to “listen” to a dozen or so open source threat feeds. Naturally, you’ll require at least one analyst to man the platform, and it’s his or her job to identify relevant threats and act upon them.

By definition, the scope of open source intelligence is huge, but only a tiny fraction is relevant to any one organization. Combining so-called “big data” into a single location might seem like a great idea, but without an automated mechanism to differentiate the useful from the irrelevant, analyst overwhelm is inevitable.

So, what happens? Your analyst spends a few days attempting to investigate every single alert, quickly realizes it isn’t possible, and stops responding to alerts altogether.

Discouraged, many organizations drift away from threat intelligence, and set their sights elsewhere.

What can we learn from this?

Quite simply, more isn’t better. Better is better.

Context (or Lack Thereof)

So, how do we get better intelligence? First, we have to start from the realization that intelligence is only useful if it can be acted upon in a timely manner.

It’s no use knowing about something you can’t change, just as it’s no use finding out about a threat after it’s taken place.

To be truly valuable, your threat intelligence capability must deliver actionable intelligence in a timely manner. When this happens, your security operations staff are able to make informed decisions at speed. When this doesn’t happen, they aren’t.

Again, the goal isn’t to obtain more intelligence, it’s to gain better intelligence. In this case, “better” means relevant.

This is where context comes in. The very best threat intelligence solutions are able to contextualize intelligence by comparing alerts with other sources, internal telemetry, and a detailed understanding of your organization’s infrastructure. As a result, the alerts pushed to human analysts are far fewer in number, but much higher in quality, enabling security operations staff to make informed, proactive decisions at speed.
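The two steps the post contrasts, the platform's "normalize feed data" pass and the contextualization against internal telemetry, as an added example that is not Recorded Future's or any platform vendor's code. The three feeds, the firewall log format, its lines, and the "today" date are all constructed assumptions; the example shows how six raw indicators become two ranked alerts once they are checked against what the network actually talked to.

```python
"""Feed aggregation with and without context.

Added example, not code from Recorded Future or any platform vendor. The
three feeds, the firewall log lines and the date are all constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import date

# Constructed open source feeds: (indicator, kind, first_seen ISO date).
# The same indicator appears in more than one feed, as it would in practice.
FEEDS = {
    "feed-a": [("203.0.113.10", "ip", "2017-10-01"),
               ("198.51.100.7", "ip", "2017-09-02"),
               ("evil.example", "domain", "2017-10-03")],
    "feed-b": [("203.0.113.10", "ip", "2017-10-02"),
               ("192.0.2.55", "ip", "2017-06-01"),
               ("evil.example", "domain", "2017-10-03")],
    "feed-c": [("198.51.100.7", "ip", "2017-09-02"),
               ("192.0.2.200", "ip", "2017-10-04"),
               ("other.example", "domain", "2017-10-04")],
}

# Constructed outbound firewall log in a made-up key=value format.
FIREWALL_LOG = """\
2017-10-05T08:01:12 ALLOW src=10.0.0.14 dst=203.0.113.10 dport=443
2017-10-05T08:02:30 ALLOW src=10.0.0.22 dst=93.184.216.34 dport=80
2017-10-05T08:03:45 DENY src=10.0.0.14 dst=192.0.2.200 dport=8080
2017-10-05T08:05:10 ALLOW src=10.0.0.31 dst=203.0.113.10 dport=443
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                    r"dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")


@dataclass
class Indicator:
    value: str
    kind: str
    first_seen: date
    sources: set = field(default_factory=set)


@dataclass
class Alert:
    indicator: str
    sources: list      # feeds that reported it
    hits: int          # internal connections to it
    allowed: int       # how many of those the firewall let through
    hosts: set         # internal hosts that talked to it


def normalize(feeds: dict) -> dict:
    """Merge feeds into one indicator per value, keeping every reporting
    feed and the earliest first_seen date (the platform's dedupe step)."""
    merged = {}
    for feed_name, entries in feeds.items():
        for value, kind, first_seen in entries:
            seen = date.fromisoformat(first_seen)
            ind = merged.setdefault(value, Indicator(value, kind, seen))
            ind.sources.add(feed_name)
            ind.first_seen = min(ind.first_seen, seen)
    return merged


def parse_log(text: str) -> list:
    """Parse the constructed firewall format; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]


def contextualize(indicators: dict, log_text: str, today: date,
                  max_age_days: int = 90) -> list:
    """Keep only indicators that are still fresh AND were seen in internal
    telemetry; rank by allowed connections, then hits, then how many feeds
    agree. Domain indicators would need a DNS log to match, so they never
    alert against this IP-only log."""
    events = parse_log(log_text)
    alerts = []
    for ind in indicators.values():
        if (today - ind.first_seen).days > max_age_days:
            continue                     # stale technical indicator
        matches = [e for e in events if e["dst"] == ind.value]
        if not matches:
            continue                     # no internal sighting: no alert
        alerts.append(Alert(ind.value, sorted(ind.sources), len(matches),
                            sum(e["action"] == "ALLOW" for e in matches),
                            {e["src"] for e in matches}))
    alerts.sort(key=lambda a: (a.allowed, a.hits, len(a.sources)), reverse=True)
    return alerts


def triage(feeds: dict, log_text: str, today_iso: str) -> tuple:
    """Return (raw alert count a platform would push, contextualized alerts)."""
    merged = normalize(feeds)
    return len(merged), contextualize(merged, log_text, date.fromisoformat(today_iso))


if __name__ == "__main__":
    raw, alerts = triage(FEEDS, FIREWALL_LOG, "2017-10-05")
    print(f"uncontextualized alerts (one per unique indicator): {raw}")
    for a in alerts:
        print(a)
```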

A Different Way of Thinking

So far we’ve been talking exclusively about intelligence. In this case, though, perhaps a different term is more appropriate: Threat context.

In a previous article, we explained in detail the difference between data, information, and intelligence. In that piece, we explained that threat intelligence platforms don’t actually provide intelligence, they provide a mixture of threat data and threat information.

To truly count as threat intelligence, an output must be relevant, fully contextualized, and actionable.

Unfortunately, the term threat intelligence has been misused to such an extent that it no longer holds this distinction. Security vendors, experts, and practitioners alike have taken to labelling anything delivered by a threat feed as intelligence, irrespective of its operational value.

For that reason, we’d like you to consider valuable outputs in a slightly different light: Not as threat intelligence, but as threat context.

As with any other information-based field (whether it’s news media, blogs, or podcasts) threat context is only worthy of the title if it is relevant, easily digestible, and includes the necessary details.

After all, nobody in Minnesota orders daily copies of the Mumbai Mirror. It’s news, yes, but it’s not relevant news.

Naturally, Recorded Future is the result of our concerted effort to consistently deliver true threat context to each of our customers.

Recorded Future combines threat data and information from a huge range of sources, using natural language processing (NLP) to ensure even threat actor chatter on hidden foreign-language forums is identified. Using powerful AI — including machine learning and predictive analytics — this broad range of inputs is automatically processed, contextualized, and converted into an easily digestible format.

Vitally, unlike many solutions, Recorded Future doesn’t rely on a database of intelligence, as this dramatically hinders the speed with which important alerts can be pushed to human analysts. Instead, our threat intelligence machine is organic and grows in real time, enabling relevant threats to be pushed to human analysts the moment they are identified.

In addition, Recorded Future can be easily integrated with SIEM solutions, instantly providing the context necessary for a human analyst to triage security events from a firewall log 10 times faster than the manual alternative.

To start seeing the benefits of powerful threat context for free, sign up for our Cyber Daily email. Each day, you’ll receive up-to-the-minute results for technical indicators such as the most targeted industries, threat actors, and exploited vulnerabilities.

The post Threat Intelligence: Difference Between Platforms and Providers appeared first on Recorded Future.

Threat Intelligence in the Food and Beverage Industry
Recorded Future

PepsiCo is one of the largest consumer-facing brands in the world, with over 60 billion dollars in sales per year and some of the most recognizable names in the food and beverage industry. Names like Cheetos, Doritos, Mountain Dew, Quaker Oats, and of course Pepsi. It’s a global organization with manufacturing, distribution, and corporate offices all over the world.

Joe Coleman is a cyber threat intelligence analyst at PepsiCo’s headquarters in Plano, Texas. We spoke with him at Recorded Future’s annual user conference in Washington, D.C., where he shared his background in the military, his role in defending and protecting the PepsiCo brands, and what he’s learned are the most effective ways to get buy-in from his co-workers.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

The post Threat Intelligence in the Food and Beverage Industry appeared first on Recorded Future.

Mining Malware: Signals of a Shift in Cybercrime
Recorded Future

Insikt Group

This blog post highlights key takeaways from the latest report from the Recorded Future Insikt Group, titled “Proliferation of Mining Malware Signals a Shift in Cybercriminal Operations.”

Background

Since 2015, ransomware has presented cybercriminals with the easiest and most effective method of taking money from unsuspecting users and organizations. Before this, other cyber threats had their moment in the sun: worms, phishing, fake antivirus, and banking trojans are just a few examples. But as fashions and seasons change, so do the tactics of criminals.

New threat intelligence gathered and analyzed by Recorded Future’s elite Insikt Group researchers has yielded some significant new insights into the latest method to target weakened systems. This investigation uses information from a wide range of sources and has identified malicious cryptocurrency mining as a long-term, low-velocity revenue source for these threat actors. This analysis also uncovers the opportunity that mining malware presents to rogue nation states like North Korea and explores how they may already be employing this technique.

Recent Cybercrime History

Fraudulent bank transfers remain, by some distance, the most profitable method for cybercriminals. However, these operations are more complex to execute, requiring threat actors to work with developers of web injects and automatic money-transferring malware. Getting at the stolen funds and laundering them then relies on potentially dishonest intermediaries. All of this means operational outcomes for banking malware are, to say the least, uncertain.

Against this landscape, ransomware presented a much more straightforward and less risky method. Fueled by the growing adoption of bitcoin, a truly global and entirely untraceable payment method, the outcome became very binary: either infected victims pay or they don’t, but if they do, all the money goes straight into the attacker’s wallet. As new vulnerabilities continued to be uncovered, ransomware became a fixture of the already-established exploit kit distribution network.

In recent years, the sophistication and damaging effects of ransomware have evolved into an unstoppable, global epidemic, capable of crippling economies and costing hundreds of millions of dollars in losses to public and private organizations. In the wake of the unprecedented WannaCry and NotPetya campaigns, attackers saw growing media attention and increased “heat” from law enforcement. This led the more acutely aware threat actors to begin searching for the next “big idea,” one that could generate a steady income stream without all of the inherent risk.

Crypto-Mining Malware

Mining malware hides itself while using the victim’s processing power to mine cryptocurrencies. The first samples of this began appearing in 2013, but threat intelligence from our analysis revealed it was in the second half of 2017 that it gained popularity among members of the criminal underground. By then, dozens of vendors were offering various types of mining malware, ranging in price and functionality.

The profitability of mining malware is directly related to how long it remains undetected, leading threat actors to employ crafty techniques to hide this activity from users. It will typically be hidden from Task Manager and immediately relaunched if deleted. Variants that depend on the graphics processor will even terminate the mining process when a video game is run on the computer, to avoid detection.

Analysis of bitcoin wallets and conversations in criminal communities confirms the increasing prevalence of this kind of malware. In one instance a hacker expressed extreme satisfaction with the results of a trial infection:

I’ve used “bots” already under my control to upload 110 miners before going to sleep. By the time I woke up 108 were still alive, which took me by surprise. I expected a half would be dead by then.

In attempts to stand out among the competition and answer the demand from customers, developers began expanding their products, in some cases adding various key-logging and data intercepting functionality.

Nation-State Participation: North Korea

While our research did not identify any North Korea-specific cryptocurrency mining malware, given North Korea’s demonstrated interest in both legally and illegally procuring cryptocurrencies, it is likely that the regime will employ mining malware in the near future if it has not already. North Korean threat actors have prior experience in assembling and managing botnets, bitcoin mining, and cryptocurrency theft, as well as in custom-altering publicly available malware: three elements that would be key to effectively creating and managing a network of covert cryptocurrency miners.

Technical Analysis of Mining Malware

We obtained a feature-rich mining malware called “1ms0rry MINERPANEL,” which is sold across the criminal underground. The product comes in several packages ranging in price from $35 to $850. The “Premium” version offers bare-bones functionality without access to the command and control (C2) panel, while the most comprehensive and expensive “Source” version includes the source code for the malware. We evaluated the “Extended” version, sold for $100, which offers a range of features including the C2 panel. In addition to all of the required installation files, the package included software that joins multiple files together into one payload and a step-by-step guide for building and deploying the miner.

You can find the full technical analysis of the mining malware, as well as more research and information on this new type of cyber threat in the report, “Proliferation of Mining Malware Signals a Shift in Cybercriminal Operations” written by our threat research team.

The post Mining Malware: Signals of a Shift in Cybercrime appeared first on Recorded Future.

The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting
Recorded Future

Key Takeaways

  • Organizations need access to the latest vulnerability (CVE) information to manage their exposure to risk.
  • The U.S. National Vulnerability Database (NVD) trails China’s National Vulnerability Database (CNNVD) in average time between initial disclosure and database inclusion (33 days versus 13 days). China isn’t directly integrated in managing CVEs, but it is still able to report vulnerabilities more rapidly than the U.S.
  • CNNVD actively gathers vulnerability information across the web. NVD should do this but instead waits for voluntary submission by vendors.
  • NVD’s mission should aim to be truly comprehensive, and the U.S. could improve by simply incorporating content from China’s CNNVD — 1,746 CVEs are currently in CNNVD and absent in NVD.

Executive Summary

Vulnerabilities are continuously found in all software, and organizations need access to the latest vulnerability information to manage their exposure to risk. Because organizations use systems provided by dozens of software vendors, they require access to a centralized source of vulnerability information across all vendors to prioritize which to address next.

Background

In prior research we took a close look into software vulnerability (CVE) disclosure and learned that there were unexpectedly large gaps between public disclosure of a vulnerability and inclusion in the U.S. National Vulnerability Database (NVD). Concerned about this performance, we compared NVD CVE reporting times to what we observe on China’s National Vulnerability Database (CNNVD).

Scope Note: We examined how many days after initial web disclosure NVD and CNNVD waited to report the 17,940 vulnerabilities first publicly disclosed and then incorporated by both systems between September 13, 2015 and September 13, 2017. Initial web disclosure includes any mention of the vulnerability on the web. Our dataset is based on Recorded Future holdings.

NVD home page.

CNNVD home page.

Analysis

CNNVD outperforms NVD in reporting vulnerabilities.

On any given day, there is more current information about software vulnerabilities on CNNVD than on NVD. We found an average delay between first disclosure and availability on CNNVD of 13 days. On NVD, the average delay is 33 days.

Vulnerability Reporting Timeline

Averages can be dominated by a small set of vulnerabilities with long delays, so we looked at the data based on percentiles as well. Within six days of initial disclosure, 75 percent of all vulnerabilities published on the web are covered in CNNVD. The U.S. NVD takes 20 days.

CNNVD captures 90 percent of all vulnerabilities within 18 days. The NVD takes 92.

NVD Versus CNNVD

There are two classes of vulnerability disclosure: coordinated and uncoordinated. In some cases, a vendor clearly coordinates the announcement of the vulnerability, and it is simultaneously publicly disclosed and reported in NVD. In these cases CNNVD trails NVD by a median of one day. When the vendor doesn’t tightly coordinate with NVD, it takes NVD 38 days to report on 75 percent of published vulnerabilities and 125 days to cover 90 percent. For CNNVD in these cases it takes seven days to report on 75 percent and 23 days to report on 90 percent.
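The statistics used above (mean delay, 75th and 90th percentile delay, and the coordinated versus uncoordinated split) computed over a constructed set of records, as an added example that is not Recorded Future's analysis code. The placeholder CVE identifiers, the dates, and the nearest-rank percentile definition are assumptions; one long-tail record in the sample shows why the post reports percentiles rather than the mean alone.

```python
"""Reporting-delay statistics for two vulnerability databases.

Added example; this is not Recorded Future's analysis code. The records
below are constructed, with placeholder identifiers, not real CVE data.
"""
import math
from dataclasses import dataclass
from datetime import date, timedelta
from statistics import mean, median


@dataclass
class Disclosure:
    cve: str          # constructed placeholder identifier
    first_web: date   # earliest mention of the vulnerability anywhere on the web
    nvd: date         # date the entry appeared in NVD
    cnnvd: date       # date the entry appeared in CNNVD


def _rec(n: int, nvd_delay: int, cnnvd_delay: int) -> Disclosure:
    """Build a constructed record first disclosed on 2017-01-01 plus n days."""
    first = date(2017, 1, 1) + timedelta(days=n)
    return Disclosure(f"CVE-EXAMPLE-{n:04d}", first,
                      first + timedelta(days=nvd_delay),
                      first + timedelta(days=cnnvd_delay))


# Constructed sample: three coordinated disclosures (NVD the same day), a
# spread of uncoordinated ones, and one long-tail outlier that drags the
# mean up without moving the percentiles much.
SAMPLE = [
    _rec(1, 0, 1), _rec(2, 0, 1), _rec(3, 0, 2),
    _rec(4, 3, 2), _rec(5, 10, 4), _rec(6, 20, 6), _rec(7, 38, 7),
    _rec(8, 60, 12), _rec(9, 125, 23), _rec(10, 400, 45),
]


def delay_days(record: Disclosure, db: str) -> int:
    """Days between first web disclosure and inclusion in db ('nvd' or 'cnnvd')."""
    return (getattr(record, db) - record.first_web).days


def percentile(values, p: float):
    """Nearest-rank percentile: the smallest sample value such that at
    least p percent of the sample is at or below it."""
    ordered = sorted(values)
    if not ordered:
        raise ValueError("empty sample")
    rank = max(1, math.ceil(p * len(ordered) / 100))
    return ordered[rank - 1]


def delay_summary(records, db: str) -> dict:
    """Mean plus 75th and 90th percentile delay for one database."""
    delays = [delay_days(r, db) for r in records]
    return {"mean": mean(delays),
            "p75": percentile(delays, 75),
            "p90": percentile(delays, 90)}


def split_coordinated(records):
    """Coordinated disclosure: the CVE reached NVD the day it was first disclosed."""
    coordinated = [r for r in records if delay_days(r, "nvd") == 0]
    uncoordinated = [r for r in records if delay_days(r, "nvd") > 0]
    return coordinated, uncoordinated


def cnnvd_lag_on_coordinated(records) -> float:
    """Median number of days CNNVD trails NVD when the vendor coordinated."""
    coordinated, _ = split_coordinated(records)
    return median((r.cnnvd - r.nvd).days for r in coordinated)


if __name__ == "__main__":
    for db in ("nvd", "cnnvd"):
        print("all disclosures", db, delay_summary(SAMPLE, db))
    coord, uncoord = split_coordinated(SAMPLE)
    for db in ("nvd", "cnnvd"):
        print("uncoordinated only", db, delay_summary(uncoord, db))
    print("median CNNVD lag on coordinated disclosures:",
          cnnvd_lag_on_coordinated(SAMPLE))
```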

Adversaries Have the Advantage
Dirty Cow

Reporting delays give adversaries a head start over defenders. Privilege escalation vulnerability CVE-2016-5195, commonly referred to as Dirty Cow, was detected by researchers analyzing active exploits and disclosed on October 19, 2016. It was immediately covered by numerous information security sources and within two days, an initial report was translated to Russian and posted on a Russian criminal forum. Six days later, POC code was placed on Pastebin. This potential exploit code was available a full two weeks before the November 10 initial release for this CVE on NVD. CNNVD reported on this vulnerability two days after initial disclosure, 20 days before NVD.

Equifax Breach

Even smaller delays can be important for critical bugs. CVE-2017-5638, the vulnerability responsible for the Equifax breach, was first announced by the Apache Software Foundation on March 7, 2016. It was immediately picked up by numerous sources and we saw hundreds of reports between March 7 and March 10 when it was included in the NVD database. Two places we observed it on release day March 7 were CNNVD and a Chinese blog that included POC code.

Why Is NVD so Slow?

NVD publication delays of weeks and months occur because NVD is waiting for the voluntary submissions of information. To better understand why, we need to understand the groups involved. NVD is managed by the Security Testing, Validation, and Measurement Group of the Information Technology Laboratory of the National Institute of Standards and Technology (NIST). The NIST overview of NVD states:

NVD is a comprehensive cyber security vulnerability database that integrates publicly available U.S. government vulnerability resources and provides references to industry resources.

At first glance this seems reasonable — comprehensive coverage including information from industry resources. Looking a little deeper on the NVD website we see:

The NVD performs analysis on CVEs that have been published to the CVE Dictionary. NVD staff are tasked with analysis of CVEs by aggregating data points from the description, references supplied and any supplemental data that can be found publicly at the time.

Essentially the NVD is reporting and analyzing vulnerabilities only after they are published in MITRE Corporation’s CVE Dictionary. If the CVE is not published in the CVE Dictionary, it’s not included in NVD nor available to companies relying on NVD for vulnerability awareness.

CVE Submission Process

Taking a closer look at MITRE, it is readily apparent that MITRE does not simply maintain the CVE Dictionary, they oversee the entire CVE process including the selection and management of “CVE Numbering Authorities” (CNAs).

From their website:

The MITRE Corporation maintains CVE and this public website, oversees the CNAs and CVE Board, manages the compatibility program, and provides impartial technical guidance throughout the process to ensure CVE serves the public interest.

Oracle, for example, is a CNA with the ability to generate CVE identifiers for vulnerabilities found in Oracle products. A CNA such as Oracle identifies a vulnerability in their software and assigns a CVE. They then typically disclose information about the vulnerability, potential impact, affected products, and available patches in a security bulletin on their website. Ideally the CNA would simultaneously update the CVE Dictionary thus leading to the addition of the vulnerability to NVD. At this point, our analyses show that the system breaks down as CNAs do not typically update MITRE’s CVE Dictionary in a coordinated fashion.

NVD publication delays of weeks and months occur because NIST and MITRE are waiting for the voluntary submissions of the vendors and CNAs associated with the vulnerabilities. MITRE manages the process, but doesn’t enforce timely submissions to the CVE Dictionary. NVD uses the CVE Dictionary as its sole source. The end result is that there is no U.S. government “comprehensive cybersecurity vulnerability database.”

Chinese Vulnerability Reporting

China’s CNNVD doesn’t have the luxury of being directly integrated in the exact processes that assign CVE numbers, but it is still able to report more rapidly than the U.S. As we saw in our earlier reporting, there are numerous sources reporting on software vulnerabilities in advance of NVD publication. The only way to stay current is to monitor these varied sites, either manually or using automated processes. Translated from the CNNVD website:

CNNVD is … responsible for the construction of, operation, and maintenance of national information security vulnerability data management platform … through independent mining, social submission, collaboration and sharing, network collection and technical testing, joint government departments, industry users, security vendors, universities and research institutions and other social forces …

China has prioritized timely disclosure by using extensive sources of vulnerability information across the web rather than relying on voluntary industry submissions. While the U.S. government has focused on a process, China has focused on the key goal: reporting available vulnerabilities. Surely NIST’s Information Technology Laboratory, with its roughly 400 scientific and technical staff and its roughly $120 million budget, could do the same. Or, at worst, assign interns to capture what is found on CNNVD and incorporate it into NVD. They could start with the 1,746 CVEs currently available in CNNVD and unavailable on NVD.

Conclusion

When hackers and security teams are racing to exploit or patch vulnerabilities, having access to the latest vulnerability information is critical. The United States National Vulnerability Database (NVD) is an obvious place security teams should be able to rely on to get this latest information. Unfortunately, because NVD relies on voluntary submissions, NVD is often updated weeks after a vulnerability is initially disclosed. This gap ensures that NVD cannot provide comprehensive vulnerability coverage. NVD should extend its mission to proactively gather vulnerability information as its Chinese counterpart (CNNVD) does. Blackhat hackers who monitor the CNNVD could benefit from its more complete collection as they are looking for new exploits to target. U.S. security teams should have access to a similar resource.

The post The Dragon Is Winning: U.S. Lags Behind Chinese Vulnerability Reporting appeared first on Recorded Future.

Know the Threat to Beat the Threat
Recorded Future

Our guest today is Bob Gourley, author of the book “The Cyber Threat: Know the Threat to Beat the Threat.” Earlier in his career, Bob spent 20 years as a U.S. Navy intelligence officer. One of his last assignments with the military was as director of intelligence for the first Department of Defense cyber defense organization. He’s currently a partner at Cognitio Corp, where he leads research and analysis activities, due diligence assessments, and strategic cybersecurity reviews for clients.

Bob sat down with us at our annual user conference at the Newseum in Washington, D.C. for a wide-ranging conversation on what it was like to define emerging cybersecurity missions for the Department of Defense, the importance of looking back to history as a guide, and the growing need for threat intelligence and basic cyber hygiene.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

The post Know the Threat to Beat the Threat appeared first on Recorded Future.

The Threat Intelligence Race to Improve Your Security Posture
Recorded Future

Threat intelligence can pay huge dividends in helping you protect your IT infrastructure and digital assets. Knowing what cybercriminals are up to and which forms of malware are lurking on the internet enables you to ensure your security posture is up-to-date and ready to defend against any malicious activity that might come your way.

However, the amount of threat intelligence that’s available can also be overwhelming. Not every threat pertains to your environment. Some threats only warrant a low priority in terms of the high-cost or high-effort mitigations that might apply. Still, you need to make sure you don’t miss anything that should get your full attention.

The 4 Types of Threat Intelligence

To help take on the challenge of parsing through all the data, it is important to understand the four categories of threat intelligence:

1. Tactical

Tactical threat intelligence is often referred to as tactics, techniques, and procedures (TTPs). This type provides information about how threat actors conduct attacks and is generally consumed by network defenders and incident response staff to ensure that their defenses, alerts, and investigations are prepared for current tactics. As an example, attackers using tools to obtain clear-text credentials and then replaying those credentials through PsExec is tactical intelligence. This type of information can prompt defenders to change policy, prevent interactive logins by admins, or ensure logging captures the use of PsExec.

2. Technical

Technical threat intelligence usually arrives in the form of raw technical data and is normally consumed through technical means. An example would be a feed of IP addresses suspected of being malicious or implicated as command-and-control servers. Technical threat intelligence often has a short lifetime, as attackers can easily change IP addresses or modify MD5 checksums; hence the need to consume such intelligence automatically, in as close to real time as possible. This type of intelligence also typically feeds the investigative or monitoring functions of a business, by blocking attempted connections to suspect servers, for example.

3. Operational

Operational threat intelligence includes information about specific impending attacks that target your organization. This type is initially consumed by high-level information security staff, such as security managers or incident response managers. In some cases — such as when the intelligence clearly indicates risk to the operation or reputation of the business — this information may prove valuable to the risk management team as well. The intelligence indicates which cybercriminal groups are planning an attack, when, and how. But such intelligence is very rare. In the majority of cases, only government organizations have access to attack groups and the infrastructure necessary to collect this type of intelligence.

4. Strategic

Strategic threat intelligence comprises high-level information in the form of reports, briefings, or conversations. Usually consumed by senior decision makers and support management teams, this type of intelligence can cover things such as the financial impact of cyber activity, attack trends, and areas that might impact high-level business decisions. An example would be a report indicating that a particular government is believed to have hacked into foreign companies that have direct competitors within their own nation.

Which types of tools you use and how many of each type will depend on your risk appetite, the current maturity level of your security posture, and the available resources your organization can apply to its threat intelligence activities — both in terms of people and technology. One way to approach the challenge is to divide the effort among different teams or individuals.

These types of intelligence are not just for the threat analyst. Security operations teams, incident responders, and vulnerability management functions can all apply, manage, and prioritize the intelligence they receive and then share with others as appropriate. Depending on the severity of a potential threat, intelligence may also need to be shared at the CFO/CEO or board level.

To improve your organization’s security posture, it’s best to use a combination of the above threat intelligence types. While tactical information is important in the daily fight against cybercriminals, you need to plan strategically to know what might be coming in the next 6–12 months so you can proactively prepare your IT infrastructure.

Avoiding the Pitfalls of Collecting Threat Intelligence

The threat intelligence information you collect using the above sources must also be assimilated in a useful form and applied correctly. The following are five common reasons why threat intelligence often fails to protect organizations:

1. Misunderstanding the Value to the Business

Are business problems being solved by a particular threat intelligence feed, or did someone subscribe to the threat intelligence service because the data looks interesting and the charts look cool? If the intelligence isn’t tied to a business problem, chances are the service is a waste of money.

2. The Wrong Feed

There are many threat intelligence feeds available, so consider whether each source works effectively for you. Do you only need raw data or do you need processed intelligence? Is it drawn from public data, or private data shared anonymously by other organizations’ feeds? Also, be sure to minimize redundancy. Seeing the same threat reported on two similar feeds doesn’t make it twice as important.

3. Focusing on the Wrong Thing

Instead of just focusing on intelligence feeds, factor in your entire collection of information: internal data (threats, attacks, policies) as well as analyzed data (traffic/event monitoring, user/system activity blocking, rules/policy adjustments). Consuming intelligence on a regular, real-time basis is also critical. Just looking at the data once per week or expecting automated alarms to catch all the hazards won’t cut it.

4. Drowning in Too Much Data

Many cybersecurity professionals ignore security events and alerts because there’s too much to consume. They can’t keep up with the volume and end up with security data overload. Some of the causes include feeds that are intended for the wrong industries, the wrong types of companies, and even for inappropriately sized security teams. Another cause is redundancy — getting the same data from multiple sources.

5. Inability to Operationalize the Data

The majority of IT leaders say threat intelligence can prevent or minimize an attack, but they also are not satisfied with their current approaches because the information is not timely or is not well-categorized according to threat type or attacker. Threat intelligence alone does not trigger a response to a breach. The information security team needs to know what the nuances are, why they matter, and how to use the data to drive the necessary action.

Are You Running a Sprint or a Marathon?

When beginning the effort to consume threat intelligence, many businesses start by tapping into free feeds that provide tactical data such as lists of IP addresses to block, or command-and-control servers to watch out for. But this approach misses the big picture of thinking strategically.

Reacting to threat intelligence just to do it is not the right model. Simply because a threat feed is free doesn’t mean it’s a good investment of time — it could be resource-intensive and may generate a lot of false positives. It’s easy to act on the tactical and technical stuff, but it’s equally important to make the operational and strategic types of intelligence just as actionable.

Instead of handling the different types of threat intelligence in isolation, think of them as more of a lifecycle to run through. Apply the intelligence to security controls and balance how you react against your available resources and capabilities, as well as your appetite for risk and the maturity of your current security posture.

Before you start the race, you need to know whether it’s a 100-meter sprint or a marathon. That means tapping into strategic tools and also carefully considering how you will manage the magnitude of intelligence data that comes in.

For more information on utilizing threat intelligence sources to improve the security posture of your organization, read our white paper titled “Best Practices for Applying Threat Intelligence.”

The post The Threat Intelligence Race to Improve Your Security Posture appeared first on Recorded Future.


How to Build a Cyber Threat Intelligence Team (and Why Technology Isn’t Enough)

Recorded Future


As a threat intelligence analyst, it’s easy to become detached from the business you work in.

You spend all day triaging alerts, identifying genuine threats, and ensuring the right people are informed. There just never seems to be any time for consultation or collaborative working.

According to Brian Scavotto, who heads up the Cyber Threat Intelligence Team at Fannie Mae, this is a huge problem.

At the recent Recorded Future user conference, Scavotto spoke on the importance of maintaining a consultative approach to cyber threat intelligence (CTI), and how being open to feedback helped his team dramatically improve the service they provide.

With so many technologies available to boost your intelligence gathering operations, it’s easy to forget that human relationships are still the building blocks from which truly outstanding security capabilities are fashioned.

The Good and Bad of Threat Intelligence Teams

Although he had previously built up the threat intelligence program at BB&T Bank, Scavotto joined Fannie Mae as the senior IR handler on the incident response team. Then, three months ago, he was asked to take the reins of the threat intelligence team, and lead them through a period of development.

To kick things off, Scavotto detailed his team’s primary responsibilities at Fannie Mae:

  • Managing threat data
  • Supporting security operations
  • Working alongside the incident response team
  • Managing vendor relationships
  • Responding to RFIs (requests for information) from company executives, other teams, etc.
  • Lots and lots of research

“I knew there were challenges to the way the team had been operating,” Scavotto explained. “I wanted to get a sense of what the threat intelligence community thinks a savvy CTI team should look like.”

“So I went out and asked the community. I threw up messages on information-sharing boards and email groups, and started fielding answers from some of the big established players.”

From the feedback, Scavotto determined that his team should perform three primary functions: feed the detection, prevention, and response cycle; support threat detection and incident response; and reduce organizational risk.

In particular, Scavotto was adamant that his team should add value to other areas of the business in a way that had a tangible impact on organizational risk. At the same time, though, the feedback also highlighted a number of areas in which CTI teams often fall down. Here are some of the top mistakes identified:

  • Being overly reactive
  • Adding unnecessary IOCs to SIEM
  • Prioritizing speed over accuracy
  • Operating in a bubble
  • Misusing the term “intelligence”
  • Too much focus on tactics and short-term wins
  • Lack of true prioritization
  • Wild speculation
  • Not following through after reporting a threat

Quite the list, wouldn’t you say? Determined not to allow his own CTI team to make these mistakes, Scavotto decided it was time to engage with his principal stakeholders.

MITGA: Making the Intelligence Team Great Again

A truly powerful threat intelligence capability cannot exist in a bubble. Without an in-depth understanding of the business as a whole, the entire process of identifying and prioritizing threats is little more than guesswork.

“I did the only thing I knew how to do,” Scavotto explained. “I went to the other teams, to our customers, and I asked them: What are we doing that’s stupid? What are we doing that’s valuable? What’s impacting your day-to-day work the most? What can we improve?”

With a vehemence that caught him slightly by surprise, Scavotto’s customers answered. They hated receiving emails from his team, and they hated the attachments to those emails even more. They already had hundreds of emails coming in every day, so receiving complex “wall-of-text” PDF attachments was a major cause of frustration.

On top of that, the teams had a few other concerns:

  • For numerous reasons, the information being sent often wasn’t read.
  • They needed support relevant to their specific workloads.
  • They needed intelligence in a more timely manner.
  • The CTI team would sometimes speculate, and sound the alarm too early.

Put simply, to provide the most valuable service to their customers, Scavotto’s CTI team needed a detailed understanding of each customer’s needs and functions, and a constant feedback loop to ensure service improvements were well received.

And that’s exactly what they did. First, they decided to move away from email updates, instead using the microblogging service Yammer. Although far from a perfect solution, Yammer was already available to the team, meaning no sign-off was required to test its efficacy.

[Image: Microblogging service Yammer]

The response from their customers was overwhelmingly positive. Important stories could be shared instantly, and relevant personnel tagged to ensure immediate receipt of vital updates. At the same time, members from all teams were able to comment on, discuss, and ask follow-up questions about updates in a way that everybody could benefit from.

But, of course, completely moving away from email isn’t an easy proposition. In some cases, it really is the best medium for important communications.

At the very least, though, Scavotto was determined to replace the old PDF attachments with a faster, more easily digested alternative. The solution: Pre-setup email signatures that could be quickly applied and filled in, while simultaneously being easy to understand.

[Image: Pre-setup email signature template]

In this case, part of the feedback Scavotto had received was that whatever medium was used to communicate threat intelligence, it needed to be mobile friendly. Using the HTML-based email template above, Scavotto’s team was able to solve this problem without spending a penny.

Once again, the feedback was immediate and overwhelmingly positive. Here’s what the finished result looks like:

[Image: Final HTML-based email report]

In line with Fannie Mae’s CTI needs, the email report covers threats, vulnerabilities, exploits, and FS-ARC and FS-ISAC considerations. For each line item, Scavotto’s team includes a brief note on what is currently being done to address the issue in question.

What’s important to note here, though, is the way Scavotto and his team approached this development process: They requested brutally honest feedback from their direct customers, and systematically changed their operating processes to better align with the needs of the business.

And they didn’t bite off more than they could chew. When they started to trial microblogging and the revised email format, updates were only sent to 20-30 people across a handful of teams. Now, as these processes have become more robust, that number is up to 200, and feedback has been consistently good.

Now, of course, Scavotto and his team didn’t stop at simply changing their mediums of communication. Here are some of the other improvements they’ve made to their service in the last few months:

  1. Renewed focus on BLUF (bottom line up front): Ensuring updates are concise and lead with the most important facts.
  2. Use less jargon: CTI is often plagued by military terminology, but when it comes to communicating with customers, this is often unhelpful. Use of plain language and simple formatting has been well received.
  3. Constant feedback: Asking for honest feedback isn’t a one-hit solution. Scavotto’s team is working hard to maintain a feedback loop that will enable constant improvement of their operating processes.

This last point is particularly important. If he hadn’t specifically asked for honest feedback, it would have been easy for Scavotto to focus his energies in totally different areas, oblivious to the level of hatred his customers had for the weekly email attachments being sent out.

When you’re trying to maximize the value of your threat intelligence capability, it’s easy to get hung up on complex processes and cutting-edge technologies. If you take the time to listen to your customers, though, you may well find something as simple as getting rid of email attachments could have a profound impact on the uptake of your CTI outputs.

Addressing Customer CTI Needs

Of course, providing an outstanding CTI service isn’t just about the communication process. At the end of the day, you do have to ensure the content of your updates matches the needs of each customer.

At Fannie Mae, executive management is one of the primary customers for CTI. Since executives tend not to have an in-depth knowledge of cyber threats, a big part of the CTI team’s job is to keep executives informed about the most significant current threats to the organization, and to alleviate their fears surrounding media coverage of less relevant threats.

Similarly, Scavotto has become concerned that Fannie Mae executives may become targets themselves, whether at home or at the office, and plans to provide executive protection briefings to help mitigate this threat to the organization.

When developing your own cyber threat intelligence capability, it’s vital that you routinely consult with each of your major customers to ensure you are supporting their work to the best of your ability. For instance, in support of your SOC, you might plan to:

  • Help identify areas of significant security concern.
  • Guide them on which threat sources are highest fidelity.
  • Manage data flow from your TIP into the SIEM.
  • Identify tools and online resources that may help them do their jobs.

Once you’ve made improvements to the service you provide, don’t stop. Keep on asking for feedback from existing customers, and if time allows, seek out other areas of the organization that could potentially benefit from CTI. Ultimately, the more value you can add, the greater the impact you’ll have on your organization’s overall level of cyber risk.

Do More With Cyber Daily

Did you notice how important communication was to the CTI process at Fannie Mae? That’s not a coincidence.

One of the biggest issues with applying threat intelligence is that most CTI teams are utterly overwhelmed by high-volume, low-yield threat alerts. Put simply, they don’t have enough time to properly triage each event and forward relevant, valuable intelligence to their customers in a timely manner.

Our free Cyber Daily informs you of the top results for trending technical indicators, like the most targeted industries, active threat actors, suspicious IP addresses, and more.

I look forward to the Cyber Daily update email every morning to start my day. It’s timely and exact, with a quick overview of emerging threats and vulnerabilities.

Tom Doyle
Chief Information Officer, EBI Consulting

The post How to Build a Cyber Threat Intelligence Team (and Why Technology Isn’t Enough) appeared first on Recorded Future.
