Why Does the U.S. Lag Behind China in Vulnerability Reporting? (Recorded Future)


The U.S. National Vulnerability Database, or NVD, is, in part, a collection of security-related reports. Software vulnerabilities are assigned CVE numbers (common vulnerabilities and exposures), which help track the issues and provide a common reference for a specific flaw. China has a database of its own, the Chinese National Vulnerability Database, or CNNVD.

Our guest today is Dr. Bill Ladd, chief data scientist at Recorded Future. His team noticed that publicly known vulnerabilities were showing up more quickly in China’s database than in the U.S., quite often taking days instead of weeks. This not only has the potential to put U.S. defenders at a disadvantage, it could also give black hats the upper hand.

In this episode we’ll learn why the NVD lags behind the CNNVD, why it matters, and what could be done to correct it.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

The post Why Does the U.S. Lag Behind China in Vulnerability Reporting? appeared first on Recorded Future.


Recorded Future Raises $25M From Insight Venture Partners to Further Extend Leading Position in Threat Intelligence (Recorded Future)


Boston, MA, October 31, 2017 – Recorded Future, the leader in threat intelligence (TI), today announced it has raised $25M in a Series E round of funding to build on growing momentum and expand its innovative software product and services to solve a wider spectrum of cybersecurity challenges. Led by Insight Venture Partners, the funding will support the company’s meteoric growth, geographical expansion, and its continued commitment to machine learning-based threat intelligence and cutting-edge research.

In addition to financial investment, Insight Venture Partners, investors in leading security companies like Cylance, DarkTrace, and Firemon, brings rich industry expertise to Recorded Future.

“Recorded Future’s commitment to customer success and innovation in the threat intelligence space has shown time and time again, it is a best-in-class solution,” said Mike Triplett, managing director, Insight Venture Partners. “We are thrilled to welcome the company to our growing portfolio, and look forward to collaborating on the next phase of this journey.”

Recorded Future has continuously invested in its market-leading software-as-a-service (SaaS) threat intelligence product to deliver automated, contextual, and relevant intelligence for empowering security teams to defeat cyber threats. Only Recorded Future collects applicable threat intelligence from open, technical, and dark web sources in real time and delivers targeted analytics and alerts to dramatically improve business decisions, operational efficiency, and strengthen network defense.

“Based on a review of previously published market sizing estimates, Gartner forecasts the market to reach almost $1.8 billion by 2021, up from $670 million in 2016,” wrote Ruggero Contu, analyst, Gartner. He further noted that, “The company offers a TI platform that applies machine learning and leverages extensive real-time internet crawling capabilities to harvest large amounts of data across the internet and darknet.” *

“Our goal remains clear: to support our customers by providing the best threat intelligence on the planet,” said Christopher Ahlberg, CEO and co-founder of Recorded Future. “With this cash infusion provided by Insight Venture Partners, we will be able to supercharge our efforts to explore new solutions to the issues plaguing the cybersecurity industry both today and in the future.”

About Recorded Future

Recorded Future delivers threat intelligence powered by patented machine learning to significantly lower risk. We empower organizations to reveal unknown threats before they impact business, and enable teams to respond to security alerts 10 times faster. To supercharge the efforts of analysts and SOC teams, our technology automatically collects and analyzes intelligence from technical, open, and dark web sources. Recorded Future delivers measurably more context than threat feeds alone, updates in real time so intelligence stays relevant, and packages information ready for human analysis or instant integration with existing security technology. 86% of the Fortune 100 use Recorded Future. Learn more at www.recordedfuture.com and follow us on Twitter at @RecordedFuture.

About Insight Venture Partners

Insight Venture Partners is a leading global venture capital and private equity firm investing in high-growth technology and software companies that are driving transformative change in their industries. Founded in 1995, Insight has raised more than $18 billion and invested in over 300 companies worldwide. Our mission is to find, fund and work successfully with visionary executives, providing them with practical, hands-on growth expertise to foster long-term success. For more information on Insight and all of its investments, visit http://www.insightpartners.com/ or follow us on Twitter: @insightpartners.

* Gartner, “Competitive Landscape: Threat Intelligence Services, Worldwide, 2017,” authored by Ruggero Contu and Lawrence Pingree, published 26 July 2017.

The post Recorded Future Raises $25M From Insight Venture Partners to Further Extend Leading Position in Threat Intelligence appeared first on Recorded Future.


The 4th in the 5th: Temporal Aspects of Cyber Operations (Recorded Future)


“Today we were unlucky, but remember we only have to be lucky once. You will have to be lucky always.”

Provisional IRA

Summary

Time is no one’s friend. In the long run we’re all dead, but let’s narrow the perspective and examine how time impacts cyber operations.

Compromise is inevitable

Before a compromise, time is on the attacker’s side. They only need to compromise one system and they’ll have access.

Loss of access is inevitable*

After the compromise, time is on the defender’s side. They just need to discover one single IOC and they can roll up the compromise.

* This depends on the security posture of the defenders and the capabilities of the attackers. After a compromise, everything the attackers do can result in discovery by the defenders, including doing nothing.

Operations are continuous

Finally, the iterative cyclical nature of attack and defence means that once an attacker is discovered and purged, they can attempt to compromise the target again. This cycle results in time being an asset to alternating sides, depending on which one controls the network.

Types of Time

Cyber operations have multiple vectors on which to measure time:

  • Time on the compromised system (dwell time)
  • Time from compromise to breach to — maybe — discovery
  • Time required for exploitation of the compromise
  • Time until the criminal liabilities expire

Different attackers and operations are affected to a greater or lesser degree by these times depending on their purpose.

Hacking Shells Is Not a Strategy

Simply compromising a system is usually not an end goal in itself, rather it is simply a step in a process towards the final phase — exploitation — where the attacker benefits from the compromise.

Historically attackers would exploit their illicit access for resources — computers, internet access, bandwidth, etc. This was the old golden age of the curious explorer hackers, now long gone. These days hacker motivation typically falls into a small number of pragmatic purposes:

  1. Monetisation
  2. Espionage (political, military, or economic)
  3. Preparations for future conflict
  4. Hacktivism

Attackers share the common trait of operating outside the law; however, only a subset — non-nation-state threat actors — face repercussions for their actions (although the US is insanely bringing criminal charges against nation state operators who merely enact their government’s policy).

Criminals hack for cash, spies hack for secrets.
Criminals attempt to exploit a compromise for financial gain. Thus the monetisation strategy controls their operational requirements, such as how long they need to maintain access to compromised systems. Additionally, they have legal considerations. Although an operation might be years old, until the statute of limitations expires they are vulnerable.

Nation states exploit a compromise for intelligence or military purposes. These include:

  • Political intelligence (long dwell time means more intel collection).
  • Seeding civilian infrastructure for future wars (extremely long dwell times, one hopes!).
  • Economic espionage, where rapid ROI is more important than dwell time. Economic spies want to build a better washing machine today, they don’t know what they’ll want next year.

There’s a subset of nation state hackers operating for financial gain. They share operational constraints with criminals: their monetisation strategy dictates their dwell time requirements.

Background

To better analyse cyber operations it is helpful to understand the structure of operations and special operations theory. These two frameworks provide a methodology for analysing cyber operations.

Operations Overview

Operations have an inherent structure, defined confusingly as “pre-operational, operational, and post-operational” … but they’re also more formally divided into stages. This division is, in many ways, a matter of taste. The transitions through the operational cycle are not marked by clear lines. What is important is the concept that operations are cyclical (assuming the group or operator remains active). There are a number of ways to divide operations into phases, but a simple version is enough for our analysis:

  1. Planning: selecting the target, creating a plan, etc.
  2. Preparation: gathering the necessary elements, e.g., tools, people, intel; rehearsals
  3. Execution: conducting the operation
  4. Escape and Evasion: avoiding the response from the defenders
  5. Exploitation: getting value from the results of the op, e.g., money, propaganda, etc.

Cyber Operations Phases

Never forget that all of the phases prior to exploitation are there simply to enable exploitation. For espionage operations exploitation can mean collecting intelligence information, while for cyber criminals it typically means monetisation (some sort of business plan), while hacktivists attempt to promote their agenda, and so on. Operations exist to achieve the exploitation phase.

Takeaways:

  • Operations have phases
  • Operations are conducted to achieve the exploitation phase
  • Exploitation is the principal phase for an attacker; without it the operation is a waste of resources

Special Operations Theory

Special forces are able to achieve mission success against a larger adversary by successfully applying the principles of Spec Ops theory. The principles that help determine Spec Ops success are in many ways similar to the principles that govern success in cyber. Spec Ops theory only goes as far as the execution phase, but that generally includes escape and evasion.

  • Planning: simplicity
  • Preparation: security (aka, secrecy), repetition (aka, automatic tasks)
  • Execution: speed, surprise, purpose

Special operations work when the plan is simple, because too many components cause the chance of failure to increase as problems cascade. The plan must be kept secret to maintain the element of surprise. The operatives rehearse and train for it specifically, so the actual operation is essentially done with “muscle memory.” Alternately, the plan can be composed only of rote tasks with which the operators are already intimately familiar. The operation must be conducted with speed, surprise, and purpose.

Principles of Special Operations

These six principles are very similar to how successful cyber operations are conducted. The attacker maintains secrecy about the central elements of their plan (e.g., the target, the vulnerability, etc.). Typical attackers operate in familiar environments using tools, techniques, and procedures they know well. If the target has a novel system, a sophisticated attacker will become familiar with it before the operation (cf. Phineas Phisher’s penetration of Hacking Team). Frequently, advanced attackers will go so far as to replicate the target environment in a lab and script their attack (cf. TAO clickscripts). Completely scripted attacks, honed against a duplicate target environment, are extremely fast, rehearsed, and present minimal opportunities for human error.

Successful cyber attacks share many of the same principles that enable successful special operations. But there is another useful framework that spec ops theory provides: a graph model for visualising the probability of mission success and operator risk, measured as “area of vulnerability.” This visual model is a simple graph of operational activities over time. The key factor in mission success is to reduce the area of vulnerability, where the attacker can be thwarted by the defence before achieving mission success. The critical point of the model is when the attacker achieves “relative superiority,” where they become dominant over the defenders and thus relatively immune to their capabilities.

Visual Model of an Attack

This visual model of an attack provides a simplified way to examine different types of cyber operations. The fluid nature of cybersecurity means that “relative superiority” cannot be precisely defined; however, an example might be “gaining system level privileges and installing an implant.” Mission success is also dependent on operational requirements and the type of operator (hacker, criminal, nation state threat actor, etc.). A non-state operative has at least two criteria for mission success — firstly, achieving their purpose (exploitation), and secondly, not being caught and punished. State operatives also need to reach exploitation, and they typically don’t want to get caught (as it can retroactively negate exploitation of the operation); however, they typically don’t face punishment. This distinction is important when it comes to plotting time.

In all cases the period of vulnerability begins when an attacker first compromises a system, as it is from this point that they become signal rather than noise. In the illustrative diagrams, consider the “exfil” operational activity as essentially a stand-in for any operational activity, such as lateral traversal, downloading additional tools, exfiltration, anything.

Analysis

With that background out of the way it is now possible to model and visualise the effect that time has on cyber operations.

Note: This analysis is restricted to purely cyber operations and doesn’t include human assisted cyber or “blended” ops. Human assisted cyber operations are far more complex to model because the attacker’s vulnerabilities can cover the duration of the person’s life. This analysis is just going to pretend blended ops don’t exist and examine only pure cyber operations.

Non Nation State Threat Actors

Many hackers are not operating under direction of a nation state, but instead for themselves (or their team). Typically they are motivated by monetisation, so their monetisation strategy controls their access time requirements. Additionally, without the protection of a nation state, they face criminal liability for their actions. In the case of a pure CFAA violation in the US, this has a 5 year statute of limitations. Therefore, a non-state threat actor has to conduct their operation and then remain unidentified (and free) for at least 5 years.

Platonic Ideal

The ideal hack would therefore be one that started with the attacker in a position of dominance, exposed them only briefly while conducting their monetisation operation, and then they would clean up and vanish. Many limited nation state cyber operations actually follow this pattern as it creates minimal exposure to risk.

Hacker: Platonic Ideal

Pointless Hack

The older style hacks where there was no monetisation goal had this sort of risk exposure. While the attacker is in a strong position to remain safe against discovery, exposure, and potentially arrest, the length of time (5 years, at least) means that defenders constantly accrue advantage. Over time the risk of exposure increases as defenders have the opportunity to get lucky, their defensive tools become more aware of older known hacker tools, etc. This is a risky move for hackers, one of the reasons that the old style exploratory hacking has gone out of fashion. Long term risk and no reward? Bad deal.

Hacker: No Nonsense

Luck Is Not Neutral

A monetisation strategy might involve a one time exfiltration of data (such as a credit card database), with the attacker leaving after completing their operation. However, a chance discovery, a functioning defence tool, or relevant threat intelligence data could all lead to a relatively swift discovery of the breach. Once this has happened, it is a contest between how well the hacker operated (did they make mistakes, clean up properly, leave anything behind?) and how many resources are invested into the investigation. The attacker may lose their dominant position early, but the investigators might hit impediments to further progress (jurisdiction, resources, time, etc.).

Hacker: Bad Luck Brian

Typical Sob Story

The bane of an attacker’s persistence is seldom defender tools but rather evolving and changing environments. Since the attacker is seldom consulted or informed of planned alterations to the network, their systems designed and deployed for a specific target environment are made obsolete almost immediately. For example, an implant installed on a host is typically not copied over and installed on the new system that replaces it. Or a network without telemetry and monitoring suddenly has new monitoring tools installed. Attackers may dig in to a lax operational environment and then, months later, the environment changes drastically, altering their risk exposure. Since the time duration here can cover years, this sort of change is a frequent occurrence.

Hacker: Bad Luck

Nation State Threat Actors

As we know, not all attackers are criminals attempting to make a profit. Some are nation state threat actors engaged in specific missions, such as espionage, or sabotage, and so on. It should be noted that an additional factor that gets added to this risk evaluation is just how bad the result of blowback would be. Many threat actors have figured out that the correct answer is usually “not that bad,” although some continue to prize covertness beyond the point of reason.

A Simple Job

The ideal scenario for a simple nation state operation is to compromise the target, conduct their operational activity (e.g., exfiltrate the relevant database), and then clean up and leave. This sort of attack plan has a low risk profile, as the success of the mission marks the end of the period of vulnerability. Although this is the ideal approach, a one shot hack with only a single operational activity, it is not always appropriate given the operational requirements of the mission.

APT: Lucky Lucky

Normal Operation Structure

It would be ideal if operations required only a simple one off hack, but the reality is that most ops require frequent periodic operational activity. A political or military espionage operation will require long dwell time and frequent collection of the take. This means that, given enough time, exposure is inevitable. Each time there is a collection (requiring operational activity), the attacker is exposed. Additionally, time is on the side of the defence, as the longer the attacker remains on the network the more likely it is that something goes wrong. Of course, the counterbalance to this is that being discovered and evicted just means that they need to hack back in, and so the cycle continues …

APT: Gotta Stay Lucky

Earning an AV Cryptonym

The modern cybersecurity environment involves a lot of adversarial defensive organisations. These companies, such as threat intelligence or antivirus vendors, discover a nation state hacking campaign and expose it. Once this happens, all instances of attacker technology become a liability. What was initially a safe install of an implant is suddenly an Indicator of Compromise, which can retroactively jeopardise a mission. If the target learns that they were compromised, they will know that the information at a certain time is no longer secret, and they can alter their plans accordingly. Luck in cyber is fickle, and the consequences can reach backwards in time to invalidate intelligence. That’s the game …

APT: Lucky Til It Ain't

Conclusion

Time is the enemy of everyone — defenders and attackers. Before a compromise, it is inevitable. After a compromise, loss of access is (essentially) inevitable. Until there is perfect cybersecurity, the cyclical nature of penetrations and breach discovery means that time will forever betray both defenders and attackers.

And on the pedestal these words appear:
‘My name is Ozymandias, king of kings:
Look on my works, ye Mighty, and despair!’
Nothing beside remains. Round the decay
Of that colossal wreck, boundless and bare
The lone and level sands stretch far away.

Shelley

The post The 4th in the 5th: Temporal Aspects of Cyber Operations appeared first on Recorded Future.


Dissecting the Costs of Cybercriminal Operations (Recorded Future)

Insikt Group

Executive Summary

Everything has its price on the dark web, and almost anything can be sold or bought openly. Although it sometimes seems that to succeed in cybercrime a person must be a jack of all trades, in reality almost every criminal endeavor requires various tools and services provided by a network of other members.

The cybercriminal underground is quite verticalized, with threat actors specializing in particular areas of expertise. It is this distribution of expertise that contributes to the underground market’s resiliency. Similar to drug cartels, once you remove one threat actor or forum, rivals will immediately take its place. As a result, to kickstart a campaign and move beyond a concept to final execution and substantial profit, a puzzle has to be completed first.

Cyber Attack Campaign Puzzle

Background

In the past 20 years, the cybercriminal underground has evolved from a handful of dispersed message boards, mostly built around mundane e-commerce fraud primarily conducted by Eastern European fraudsters, to a highly complex ecosystem that we now call the dark web. Today the shadowy world of the internet is comprised of communities divided by geographical region, specialty, and the experience of their members, and is capable of supporting both entry-level script kiddies and the masterminds of incredibly sophisticated attacks, such as the Taiwan ATM heist and malware attacks on Russian banks, which netted threat actors tens of millions of dollars.

Dark Web Support Infrastructure

Threat Analysis

A botnet operation is the best example to put things into perspective and to explain the complexity of all necessary steps to achieve the maximum profitability levels for its operators. The following example illustrates the upfront cost of launching and sustaining a cyber operation, as well as the direct and secondary financial returns for its operators.

  • A banking trojan license is one of the most expensive elements of a cybercriminal campaign and can be obtained from professional malware developers for $3,000–$5,000.
  • Then, to intercept banking credentials, web-injects for each target financial institution have to be acquired separately and can cost anywhere between $150 and $1,000 per set. In the past year, we’ve seen a significant increase in the cost of web-injects targeting Canadian institutions, offered at the upper level of the price spectrum, while the cost of malware targeting U.S.-based banks has remained the same.
  • To maintain consistent visibility into the entire operation and to control an infected network of computers, bulletproof hosting in one of the unfriendly jurisdictions in China, the Middle East, or Eastern Europe is required. Monthly rental of a web-server in a datacenter favorable to criminal activity will usually cost $150–$200.
  • To ensure consistent payload delivery and to remain undetected by antivirus products, the executable file must be “cleaned” and obfuscated daily, and in the case of a very large-scale operation, several times a day. Such services are available for $20–$50 per single payload obfuscation; however, lower prices can be negotiated for large-volume orders.
  • Steady web traffic redirected to the infected resource and email spam campaigns are the two primary delivery vehicles for malicious payloads. While it will cost $15–$50 to get a thousand unsuspecting people to visit the infected web page, professional spam operators will charge $400 per million successfully delivered emails.
  • Once the malware is successfully planted and banking credentials intercepted, the perpetrator has to work with a chain of mule handlers and money-laundering intermediaries to receive a final pay-off. A money launderer with a stellar reputation who is capable of quick turnaround will charge a hefty 50–60 percent commission on each payment transferred from a victim’s account. In some cases, an additional 5–10 percent commission might be required to launder the funds and deliver them to the main operator via a preferred payment method, such as bitcoin, WebMoney, or Western Union.

Dark Web Advertisement

Advertisement of Sparta calling services on a Russian-speaking dark web community.

  • In the case that an additional phone confirmation is needed to proceed with a money transfer, it will be facilitated by one of the underground calling services, with prices at $10–$15 per call.
  • If additional document and phone verification are needed to proceed with the money transfer, various supporting vendors are available. A counterfeit driver’s license may be delivered within several hours for $25, while a more sophisticated video selfie will cost $100.
  • To minimize the chances of an account holder noticing an unauthorized transaction, to intercept SMS confirmation, or to render an owner’s phone entirely unreachable for the duration of the attack, email/phone “flooding” can be purchased for $20. A cloned SIM card, however, is significantly more expensive at $150–$300.

Aside from funds stolen from compromised bank accounts, persistent access to an extensive network of victims around the world will inevitably generate a significant residual income.

  • Look-ups of login credentials to resources not directly targeted by the attacker can be offered to members of the underground and may fetch an additional $100–$200 per set. Such a service is in demand from niche buyers, who are likely to be engaged in commercial and nation-state spying campaigns.
  • Credit card information may be quickly sold via one of the dark web marketplaces at $5–$10 a piece.
  • The demand for various e-commerce credentials is steady; however, the recent proliferation of large-scale account takeover campaigns has created a surplus of available data, lowering the price to $1–$5 per set of credentials.
  • In some cases, when an attacker is unable to achieve the desired results, per-demand malware installation may be offered to other criminals for approximately $1 per installation.
  • At the end of its reasonable shelf-life, botnet logs comprised of unstructured collected data can be easily sold for $20 per gigabyte.

Outlook

Although this example only examined a single popular attack method, a similar supporting infrastructure would be used to initiate other cybercriminal operations, including ransomware and phishing campaigns. It will be rare to attribute a cyberattack to a sole individual operating in isolation, because success requires expertise across multiple disciplines to take an attack from conceptualization to profit. The means to do so are all available for a price; the cost simply depends on how sophisticated a campaign the actor wants.

Cybercrime Price List

For more information on the pricing of information and attack tools, download the appendix.

You can follow Andrei on Twitter at @DeepSpaceEye.

The post Dissecting the Costs of Cybercriminal Operations appeared first on Recorded Future.


A Look Into the Thriving Dark Web Criminal Market (Recorded Future)


The recent Equifax breach highlights the vulnerability of our personal data online, and serves as a reminder that there’s an active, thriving, global criminal market for that sort of information.

In this episode of the Recorded Future podcast we return to the dark web, with Recorded Future’s Director of Advanced Collection, Andrei Barysevich, as our guide. He’ll separate fact from fiction, and help us gain a better understanding of the mysterious and increasingly volatile world of the online criminal underground. What sorts of information and services are actually available for purchase in these markets, how does law enforcement respond, and what are the challenges of gathering threat intelligence in an environment where trust and anonymity are the coins of the realm?

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

The post A Look Into the Thriving Dark Web Criminal Market appeared first on Recorded Future.


Recorded Future Expands Automated Threat Intelligence Solution With Analyst-Originated Intelligence (Recorded Future)


Boston, MA, November 7, 2017 – Recorded Future, the leading threat intelligence provider, today announced the expansion of its threat intelligence powered by machine learning to give analysts and security operations centers access to analyst-originated current and finished intelligence. In real time, customers now have direct access to current intelligence assessments on topics in Recorded Future, as well as access to in-depth, on-demand finished intelligence, carefully researched and customized specifically to their needs.

By adding current and finished threat intelligence to the broadest compilation of machine learning and natural language processing generated intelligence, only Recorded Future can provide organizations with the relevant expert insights and analysis they need for operational improvements and targeted risk reduction.

This new analyst-originated information provides customers with access to new insight as well as additional third-party intelligence research on threat actors, vulnerabilities, malware, and other indicators of compromise (IOCs). It is available in multiple formats to suit the diverse needs of customers, including:

  • Intel Cards. Notes from Recorded Future’s expert team of analysts are now automatically generated and embedded within the product’s existing automated intelligence. Notes have been integrated into more than 3,000 Intel Cards and are now completely searchable and available in real time. Customized alerts can also be configured to trigger when new information is available.
  • On-demand assessments. Customers can request timely, relevant analyst-created intelligence that is custom to their specific needs.
  • Weekly reports. Customers can subscribe to a weekly threat landscape report that is specific to their industry and organization with the analyst team’s expert view on what’s critical to know that week.
  • Customer-exclusive Insikt Group blog. Insikt Group, a team comprised of ex-NSA, CIA, and USSS expertise, generates in-depth blog posts containing both current and finished intelligence assessments that are exclusive to Recorded Future customers.

“To effectively combat the risks of cyberattacks, defenders need intelligence from the widest range of sources in real time. The direct access to analyst insights combined with our open, closed, and technical threat intelligence sources provides our customers with the most powerful source of advantage against their adversaries. The breadth of threat intelligence sources we arm customers with is unmatched and puts organizations in the best position possible to defend against threats.”

— Dr. Christopher Ahlberg, chief executive officer and co-founder at Recorded Future

“Access to threat research in the product combined with on-demand reports lets analysts ask iterative questions at speeds never before possible and they can do it over the most comprehensive and timely information available. The result is significantly improved understanding of threats relevant to business needs and an ability to take action to reduce risks. The experts at Recorded Future deliver insights that can’t be found anywhere else.”

— Bob Gourley, co-founder at Cognitio, former chief technology officer at the Defense Intelligence Agency, author of “The Cyber Threat”

To see the Recorded Future solution in action, request a live demo here.

About Recorded Future

Recorded Future delivers threat intelligence powered by patented machine learning to significantly lower risk. We empower organizations to reveal unknown threats before they impact business, and enable teams to respond to security alerts 10 times faster. To supercharge the efforts of analysts and SOC teams, our technology automatically collects and analyzes intelligence from technical, open, and dark web sources. Recorded Future delivers measurably more context than threat feeds alone, updates in real time so intelligence stays relevant, and packages information ready for human analysis or instant integration with existing security technology. 86% of the Fortune 100 use Recorded Future. Learn more at www.recordedfuture.com and follow us on Twitter at @RecordedFuture.

The post Recorded Future Expands Automated Threat Intelligence Solution With Analyst-Originated Intelligence appeared first on Recorded Future.


Augmenting Your Threat Intelligence Program With Threat Intelligence Sharing
Recorded Future


Collecting raw data on cybersecurity threats does not constitute threat intelligence. By the same token, analyzed data only qualifies as meaningful threat intelligence if the results are directly attributable to business goals.

True threat intelligence is the output of analysis based on identification, collection, and enrichment of relevant data and information. When analyzing the data, it’s important to always keep quantifiable business objectives in mind and how those objectives are impacted by the intelligence.

Producing intelligence “just in case” you need it is a waste of valuable resources. It may also cause you to react to false positives or legitimate threats that do not really pose a significant risk.

The 2 Types of Threat Intelligence

Threat intelligence falls into two categories that are heavily interdependent on each other:

  1. Operational intelligence is produced by computers and includes data identification, collection, enrichment, and analysis.
  2. Strategic intelligence is produced by humans and focuses on identifying and analyzing threats to an organization’s core assets — including employees, customers, infrastructure, applications, and vendors.

Both types of intelligence traditionally rely heavily on skilled and experienced analysts to develop and maintain. It’s also important that security analysts develop external relationships and proprietary information sources so they can identify trends, as well as educate employees and customers. Analysts should also study attacker tactics, techniques, and procedures, and then ultimately make the defensive architecture recommendations that are necessary to combat the identified threats.

Evolution of Threat Intelligence Sharing

In addition to developing a solid internal threat intelligence program, another key to successfully defending digital assets is threat intelligence sharing. This concept has evolved in recent years in direct response to cybercriminals doing the same thing from the other end of the attack perspective. Hackers have become very effective in sharing their secrets, which is why sophisticated attacks can go undetected for months — even years.

By sharing information, the cybercriminal community has become extremely well-organized, providing valuable tips and tricks to each other. Through various online communities, they love to brag about their exploits and eagerly share their experiences as well as the attack tools and methods that work particularly well.

Hence the recent rise of threat intelligence sharing to help protect organizations on the receiving end of those attacks. Internal information security teams, along with security vendors, consultants, and researchers are now providing information to each other, and those who are breached share their experiences with security experts. And, in turn, the security vendors are building more effective defense, detection, and incident response solutions.

A Community With a Wealth of Intelligence Information

As collaboration technologies and platforms continue to mature, the threat intelligence sharing community is looking for standard ways to operate in a more efficient manner. Organizations that participate can now leverage many services, associations, standards, and frameworks to learn how to best protect their digital assets. A good place to start is the threat intelligence feeds of the security vendors who provide the solutions your business is currently using.

Another good resource to turn to is the Cyber Threat Intelligence Integration Center (CTIIC), a U.S. government entity. The organization provides information on foreign cyber threats to U.S. national interests by integrating information from the defense, intelligence, and law-enforcement communities. CTIIC also facilitates information sharing and analysis of cyber threats by publishing intelligence alerts that place cyber threats in context and provide assessments of an adversary’s capabilities and motivations.

Also consider IT industry-specific information sharing and analysis centers, such as IT-ISAC, the Information Technology-Information Sharing and Analysis Center. The organization provides security information that impacts the IT sector and features a forum that includes experts from the world’s leading IT companies to help businesses minimize threats, manage risk, and respond to cyber incidents.

Your organization can also turn to a wide variety of standards and frameworks to help guide your IT security strategy. Given the number of available resources, check with your colleagues, your security partner, or a threat intelligence expert to determine which ones might be best for your organization:

  • Open Indicators of Compromise (OpenIOC) framework
  • Vocabulary for Event Recording and Incident Sharing (VERIS)
  • Cyber Observable eXpression (CybOX)
  • Incident Object Description and Exchange Format (IODEF)
  • Trusted Automated eXchange of Indicator Information (TAXII)
  • Structured Threat Information Expression (STIX)
  • Traffic Light Protocol (TLP)
  • Open Threat Exchange (OTX)
  • Collective Intelligence Framework (CIF)

While all of these standards and frameworks provide helpful guidance in devising a threat protection strategy and implementing security technologies, one in particular that has worked well for many is STIX. STIX is a set of XML schemas that comprise a language for describing cyber threat information in a standardized manner. Regardless of the standard(s) utilized, it is paramount that the threat intelligence information be available in a format that allows it to be both machine readable and human digestible; ultimately, this information will be used to make a decision, and the decision makers need to be able to make sense of it.

This is important because cyber threat sharing currently occurs manually between trusted parties. By using a standardized way of describing the data, automated threat sharing becomes possible. STIX can be used to characterize indicators, tactics, techniques, exploit targets, and other aspects of a cyber threat.

You Can’t Do It Alone, But There Is Help!

Threat intelligence sharing is all about realizing you can’t protect your digital assets all on your own. Today’s cybercriminals are simply too sophisticated. They share information readily and quickly evolve their techniques. The IT defense technologies that work today will likely not work tomorrow.

But by working closely with your security vendors and your colleagues at other companies — as well as the many organizations in the threat intelligence sharing community — you can check to ensure you’re doing everything you can to identify risk and block the pending attacks. That makes it much more likely that you will keep your IT network running so your end users — employees, partners, and customers — can continue to access the data and the applications they need to get their jobs done.

A threat intelligence provider can help make this information easier to find and analyze, as well as add vital context to internal security data. Read our white paper, “Best Practices for Applying Threat Intelligence,” for more information.

The post Augmenting Your Threat Intelligence Program With Threat Intelligence Sharing appeared first on Recorded Future.


Key Initiatives of a Strong Threat Intelligence Program
Recorded Future


Editor’s Note: The following blog post is a partial summary of a RFUN 2017 customer presentation featuring Bryan Campbell, senior security researcher at Fujitsu, and Rob Kraus, senior director, global threat intelligence center operations at NTT Security.

Key Takeaways

  • IT use cases aren’t the only applications of threat intelligence. Things like reputation and potential misuse of intellectual property are also worthwhile considerations.
  • Threat intelligence programs need to be approached with intention. Clear goals among leadership and the security team must be set.
  • Following the intelligence lifecycle considerably influences the success of your threat intelligence program.
  • Remember that intelligence without action is lost. If you don’t know how information can be applied and the outcomes it generates, you’re not going to get very far.

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Gartner, Definition: Threat Intelligence

Before implementing an effective threat intelligence program, it is imperative to define what exactly threat intelligence is. The above definition focuses on the IT-related aspects, which are certainly core to the practice. However, threat intelligence extends into a number of different applications that aren’t necessarily IT assets, but still impact the bottom line, including brand reputation, abuse or misuse of intellectual property, activities across geographically disparate markets, and more.

Also critical to building an effective threat intelligence program is knowing that it’s an ongoing, repeating process: the intelligence lifecycle. Businesses and security teams alike should be prepared to set clear goals and properly focus information to maximize positive security impacts.

The Intelligence Lifecycle

Executing on the intelligence lifecycle determines your success with implementing a threat intelligence program. Each phase needs to be addressed adequately and with the understanding that it needs to be the repeating process previously mentioned:

  • Planning, requirements, and direction
  • Raw information collection based on requirements
  • Information processing
  • Intelligence analysis and production
  • Dissemination

The intelligence lifecycle begins by defining needs. What keeps executives and security analysts up at night? These needs are called priority intelligence requirements (PIRs), and they help determine the information you’re looking to gain. PIRs also provide the basis for the type of raw information that needs to be collected, as well as how it is processed and exploited. Exploiting intelligence is the process of taking information from its raw state, mapping it to PIRs, and creating an intelligence product. Lastly, and most overlooked, there’s the question of how to disseminate a threat intelligence product. Success requires a significant investment, and each of these steps needs to be evaluated on a regular basis.

Creating a Plan and Setting Goals and Expectations

A key consideration in building out a threat intelligence program is knowing that intelligence without action is about as valuable as not having intelligence at all. It’s necessary to understand why you’re interested in investing in an intelligence program, followed by putting some key performance indicators (KPIs) behind it. Know what threat intelligence means to your business, how you can leverage and apply the information, and what outcomes can be generated. Investing in a program isn’t enough — how will it get you to where you want to be with respect to protecting your organization? Here’s what you should be evaluating to adequately answer that question:

Intelligence Goals

What do you expect intelligence to give you? Why are you interested in investing in your intelligence program?

If building out a threat intelligence program is an initiative, it’s not enough to simply make the decision to move forward. Without direction or goals, it won’t get far, especially among a full team of security analysts with their own visions. Develop a clear goal and a common vision.

What are the defined KPIs?

Without quantifiable measures, it’s difficult to determine if goals are being met as a threat intelligence program progresses. KPIs can evolve as businesses grow or change, or as goals are met, and can address both the short and long term.

For instance, if the objective is to invest in intelligence, can it be determined that it will prevent a certain number of attacks from happening per year, as well as how much money can be saved by doing so? As the program grows and budget needs to be added, it will be important to be able to demonstrate what you’re getting out of the investment.

Intelligence Expectations

Remember that intelligence capabilities are proportional to how you invest in your program.

This includes people, processes, procedures, training, information sources, etc. If you only invest a small amount of budget into your intelligence program, you may not get a lot of out of it (refer back to those KPIs). Know how much you need to invest in processes, people, and procedures to make it worthwhile, hit KPIs, and meet your intelligence goals.

No one sees everything — however, if you look for nothing, you will most certainly find nothing.

Intelligence without action is lost. Consider the recent attacks that could’ve been prevented for major organizations (the Equifax breach, for example) with the proper threat intelligence. Define what threat intelligence truly means for your organization, how information can be applied, and the potential outcomes.

The Criticality of Filtering Data

If everything is intelligence, then nothing is intelligence.

Wilhelm Agrell, Ph.D.
Professor in Intelligence Analysis at the Research Policy Institute, Lund University, Sweden

To generate an intelligence product and actionable intelligence, data has to be filtered. “Noise” is everything that is collected according to the PIRs, not all of which is relevant. Noise has to be filtered and scrubbed, leaving artifacts that should be grouped according to defining characteristics; data doesn’t become information until it’s assigned a purpose. If it can be determined that information has a strategic purpose that can be used to gain advantage, it’s considered intelligence. Finally, actionable intelligence is the product of intelligence-led, evidence-based assessments that can be initiated and acted upon.

Why Commit to an Intelligence Program?

There are a number of operational and security benefits to threat intelligence, from gaining a more holistic understanding of potential threats to determining mitigation controls:

  • Achieve greater situational awareness
  • Understand threats, threat actors, and their capabilities
  • Identify threats before they are realized
  • Identify targets for threat actors
  • Mitigate attacks more effectively
  • Identify target profile and exposed data
  • Determine countermeasures and mitigation controls
  • Gain actionable intelligence specific to the organization

As you begin your threat intelligence journey, remember to be intentional in your goals and know your applications. Can the information you gain be used for proactive identification? Incident response? Making the effort to figure out why, how, and where to apply threat intelligence will put you well on your way to success.

The post Key Initiatives of a Strong Threat Intelligence Program appeared first on Recorded Future.


No Phishing Allowed
Recorded Future


This episode focuses on phishing, where a bad actor pretends to be someone they’re not in order to get a user to reveal information, like a login or password, or to get them to perform a task, like transferring money.

Phishing has been around for quite a while. Many of us remember breathless email requests from a certain Nigerian Prince looking to share millions of dollars. It’s still around today because it works and it’s inexpensive to do, taking advantage of human nature and most people’s tendency to be helpful and trusting.

Our guest today is Oren Falkowitz, CEO and founder of Area 1 Security, a company that specializes in protecting organizations from phishing attacks. He describes the history and continued effectiveness of phishing campaigns, the techniques that companies like Area 1 Security use to defend against them, and whether or not he thinks it’s a problem we’ll ultimately solve.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

The post No Phishing Allowed appeared first on Recorded Future.


Building a Threat Intelligence Framework to Defend Against Cyberattacks
Recorded Future


Editor’s Note: The following blog post is a partial summary of a SANS webinar we co-hosted with Dave Shackleford.

Cyber threat intelligence is the output of analysis based on identification, collection, and enrichment of relevant data and information. With thousands of potential data sources, generating true threat intelligence to combat cyberattacks must be a combination of the right technology and the right people.

To effectively analyze all the threat data that’s available, security teams also require a framework to process all the information that flows their way. They then need to put that data into proper context to react appropriately.

Building a threat intelligence framework is just as much about identifying and mitigating legitimate major threats as it is about avoiding false positives and threats that would otherwise present little impact to the business operations. The last thing you want is to have your information security team waste valuable time chasing a threat that won’t result in major consequences, taking them away from the possibility of detecting an attack that could bring the whole network down.

Goals Before Data

As a starting point to building a threat intelligence framework, put aside, at first, thinking about the data you need from cyber threat intelligence feeds and the sources for that data. Begin rather by determining the goals of your program:

  • What systems, data, and other digital assets must be protected?
  • How do you anticipate threat intelligence will help protect those assets?
  • With which specific tactics are you expecting intelligence to help?

The answer to this last question might be to block attacks, streamline incident responses, facilitate vulnerability management, reinforce compliance, or to help with some other area of security operations. Perhaps you want threat intelligence to assist in all of these areas. It’s critical to understand the goals before selecting and ingesting threat intelligence data.

Threat Intelligence Framework Tools

Taking it a step further, the answers to all of the questions above will help direct you towards the type of data feeds you need to collect. From there, you can then categorize the framework tools the information security team will need at its disposal. These tools typically fall into three main categories:

  • Collecting: Ingesting threat data from the right sources.
  • Processing: Turning the data into useful information.
  • Analyzing: Turning the information into actionable intelligence.

As the information security team works its way through these three stages, the volume of data to handle will decrease, while the value of the data will increase. With less noise and false positives to deal with, the team can better prioritize its activities, focusing on what matters.

All three components require utilizing the right technologies and the right forensic expertise. When armed with the right intelligence, skilled resources can intervene to detect and prevent threats before they do any damage. If any threats breach the digital infrastructure, the combination of intelligence and expertise can serve to mitigate the damage. Here are some examples of cyber threat intelligence resources:

  • Forums (both hackers and researchers)
  • Paste sites (leak and breach posts)
  • Blogs and social media (security community)
  • Real-time alerts (changes to tactics, techniques, and procedures)
  • Threat feeds (open source feeds number in the hundreds)
  • Dark web collection (Tor pages, IRC channels)
  • Code repositories (malware code, vulnerability databases)
  • Technical collection (Shodan results for RAT controllers, Google dorking, GeoIP)

The Cyber Threat Intelligence Payoff

By building a threat intelligence framework, your information security team will gain the ability to act quickly (before attacks occur) and to put threats into context. Just how big is the threat, and is it time to put all hands on deck?

The team will also become more proficient at uncovering and investigating new threats and techniques, as well as identifying new and interesting attack patterns, external adversaries, indicators of compromise, and malicious behavior that could otherwise go undetected.

Threat intelligence can also be integrated with your existing information security technologies and processes. With meaningful and contextual integrations in place, organizations gain the confidence that they can make informed decisions faster.

Proficient, informed decision making is the name of the game. With a threat intelligence program integrated as part of a company’s larger information security management program, security teams will know more about the threats quickly, giving them the ability to defend their organization much more proactively.

To find out how you can build a framework with threat intelligence from billions of data points in multiple languages from the open, deep, and dark web, request a personalized demo today.

The post Building a Threat Intelligence Framework to Defend Against Cyberattacks appeared first on Recorded Future.


Man vs. Machine: Speed and Scale in Threat Intelligence
Recorded Future


Approaches to the collection and analysis of all kinds of intelligence have traditionally relied heavily on the capabilities of humans to understand references, filter out noise, and ultimately make a decision about any action that needs to be taken.

Today, the overwhelming amount of available data from numerous sources (internal and external) is challenging the capacity of human analysts to effectively identify potentially useful information, including uncovering emerging threats that could be relevant to your business.

Applying machinery to the collection and analysis of huge volumes of threat-related data unburdens human analysts to focus on refining new intelligence, which is considerably less time consuming than gathering, reading, and understanding information from sources of intelligence manually.

We’ve calculated some of the benefits to be gained in speed and scale by automating collection and analysis of threat data using machine learning and AI. You can see the results in the infographic below.

Infographic: Machine Learning Results

The post Man vs. Machine: Speed and Scale in Threat Intelligence appeared first on Recorded Future.


China’s Ministry of State Security Likely Influences National Network Vulnerability Publications
Recorded Future

Insikt Group

Click here to download the complete analysis as a PDF.

Executive Summary

Earlier research based on the last two years of vulnerability reporting illustrated that China’s National Vulnerability Database (CNNVD) was generally more aggressive in capturing up-to-date information for software vulnerabilities than its U.S. counterpart (NVD). In this research we examine exceptions to this general rule and discover a broader role for the Ministry of State Security (MSS) in vulnerability reporting than was previously known.

Recorded Future analysis has uncovered evidence of a formal vulnerability evaluation process at CNNVD in which High-threat CVEs are likely evaluated for their operational utility by the MSS before publication.

We studied 300 CVEs, representing 1) the CVEs with the most atypical CNNVD reporting delays and 2) the CVEs associated with malware used by Chinese APT groups, and discovered multiple examples where we believe the MSS probably delayed the publication of High-threat vulnerabilities.

  • In one instance, a Chinese APT group was actively exploiting the Microsoft Office vulnerability (CVE-2017-0199) during the publication lag of 57 days after NVD published.
  • The most atypical publication delay experienced by CNNVD (236 days), was for a pre-installed backdoor that sent vast amounts of user data to servers in China and was possibly associated with Chinese government surveillance.
  • Among groups of vulnerabilities that were released together, High-threat vulnerabilities were consistently published substantially later (anywhere from 21 to 156 days later) than Low-threat vulnerabilities.

Further, our research on vulnerabilities commonly exploited by malware linked to Chinese APT groups revealed an inconsistency in CNNVD publication practices. CNNVD breaks its larger pattern and is beaten to publication by NVD on 97 percent of these vulnerabilities. The probability that NVD would beat CNNVD to publication for this proportion of CVEs is incredibly small — less than .00001 percent. We believe CNNVD publication was likely delayed by the MSS because Chinese APT groups were actively exploiting those vulnerabilities.

Lastly, we discovered that on average, it takes CNNVD longer to publish vulnerabilities with High Common Vulnerability Scoring System (CVSS) scores than vulnerabilities with Low ones. This is in contrast to NVD, which publishes High CVSS vulnerabilities more quickly than lower ones. We assess that this is likely due to influence by the MSS in delaying the publication of High-threat vulnerabilities in order to evaluate their utility in future intelligence operations, or to buy time for current ones.

Key Judgments

  • CNNVD is essentially a shell for the MSS; it has a website but appears to be separate from the MSS in name only.
  • We have identified at least two examples of vulnerabilities with CNNVD publication delays that we believe were likely influenced by the MSS.
  • Even though CNNVD beats NVD to publication 43 percent of the time, for vulnerabilities exploited by malware linked to Chinese APT groups, CNNVD was first to publish for only three percent of those.
  • It takes CNNVD longer to publish vulnerabilities with high CVSS scores than low ones, even though there is no increase in published context, indicating that there might be different reporting and evaluation procedures for high-threat vulnerabilities.
  • For a small subset of vulnerabilities (44 CVEs), NVD is faster than CNNVD to publish vulnerabilities that already have exploits for them.

Background

As we previously reported in “The Dragon Is Winning,” the U.S. NVD trails China’s National Vulnerability Database (CNNVD) in average time between initial vulnerability disclosure and database inclusion. On average, it takes the U.S. NVD 33 days after public disclosure to make a vulnerability available in its database, while it takes CNNVD only 13 days. Further, CNNVD captures 90 percent of all vulnerabilities within 18 days; it takes the NVD 92 days to cover that same percentage.

The explanation for the delay by NVD is relatively simple — NVD waits for voluntary submissions of information, while CNNVD pulls data from extensive sources of vulnerability information across the web, rather than relying on voluntary industry submissions. While the U.S. government has focused on a process, China has focused on the key goal — quickly reporting available vulnerabilities.

For this research, we studied two groups of CVEs. The first was a statistically distinctive subset (268 CVEs) of the 17,940 vulnerabilities first publicly disclosed, and then incorporated by both NVD and CNNVD, between September 13, 2015 and September 13, 2017. This subset consisted of CVEs that were reported quickly by NVD and slowly by CNNVD. We know from our previous research that NVD prioritizes significant vulnerabilities for faster release; therefore, when we see CVEs published quickly by NVD followed by a long CNNVD lag, it is extremely atypical. We hereafter refer to these CVEs as the “outliers.”

Our second group of CVEs consisted of vulnerabilities exploited by malware used by Chinese APT groups. We studied 15 different pieces of malware used by Chinese APT groups, which together exploited 32 separate CVEs. In total, we studied 300 different CVEs for this research.

CNNVD: Thinly Veiled Front Organization for the MSS

As we identified in previous research, CNNVD is run by the China Information Technology Evaluation Center (CNITSEC), which is an office in China’s premier foreign intelligence service, the Ministry of State Security (MSS). Further research into the administration of CNNVD has revealed that it is essentially a shell, or cover, for the MSS.

Submissions to CNNVD are directed to vulpro@itsec.gov.cn, which is CNITSEC’s domain, as are all contact email addresses (that we could discover) for CNNVD.

Figure: Vulnerability submission page for CNNVD.

Further, the location and contact information for both CNITSEC and CNNVD are identical. Both are located in the same building, on the same floor, and have the same contact phone numbers.

Figure: Contact information for CNITSEC and CNNVD; both list the same contact phone numbers and address.

The MSS runs CNNVD. The closest U.S. analog to the MSS is the Central Intelligence Agency (CIA), and the MSS running the CNNVD is the equivalent of the CIA running the NVD. Conversely, the CIA does not run the U.S. NVD; it is run by a division within the Department of Homeland Security (DHS) tasked with publicly identifying, reporting, and creating patches for software vulnerabilities. While there is not an exact DHS equivalent in China, the Ministry of Public Security (MPS) mission and scope is most similar and is widely considered China’s DHS counterpart.

The fundamental problem with the MSS running CNNVD, and more broadly with the MSS’s role in China’s information security architecture, is that the MSS is China’s “leading civilian intelligence agency,” responsible for both foreign intelligence and counterintelligence operations. This means that the MSS could take the information gained from vulnerability submissions to CNNVD and exploit it in its own intelligence operations. Because the MSS runs CNNVD, it has a say in which vulnerabilities are reported; it could also easily identify and hide from the public a critical weakness in software or hardware, then turn around and use it in its own operations.


Shared location of CNITSEC and CNNVD.

It is this relationship, where the public defensive mission is supervised by an intelligence service with broad powers to collect intelligence, both domestically and overseas, that led us to investigate CNNVD statistical reporting anomalies in greater depth.

What is the influence of the MSS on CNNVD, the publishing of vulnerabilities, and public information security in China?

Threat Analysis

In examining the outliers, two analytic questions jumped out from the data. What can we learn from the CVEs that 1) experienced large lags in publishing, and 2) are associated with malware commonly used by Chinese state-sponsored groups?

Large Lags in Publishing

For the outliers, we decided to examine CVEs that NVD reported on quickly (six days or less), and that CNNVD took over twice as long as its average delay of 13 days to publish. This length of delay (we selected 28 days, or four weeks) is a full 10 days longer than the 90 percent publishing rate and should control for the typical organizational and bureaucratic issues and delays, like employee vacation, national holidays, systems or network problems, etc.

Out of the 17,940 vulnerabilities first publicly disclosed and then incorporated by both NVD and CNNVD between September 13, 2015 and September 13, 2017, 268 vulnerabilities (or approximately 1.5 percent) took less than six days for NVD to publish and longer than 28 days for CNNVD to publish.


Average reporting delays for all vulnerabilities in time frame and the selected set of vulnerabilities used in this analysis.

Of these 268, nearly 43 percent had a Common Vulnerability Scoring System (CVSS) severity rating of High, 45 percent had a Medium CVSS rating, and 12 percent were Low.

When these vulnerabilities are broken down further by published date, the data follows a similar pattern. The vast majority of the delayed vulnerabilities (74 percent) were published 28 to 50 days after initial report; however, 11 percent were published in 51 to 91 days, and 15 percent took over 120 days to publish.

Additionally, there were several companies and projects with numerous vulnerabilities among these outliers, with the largest numbers being from Cisco, Oracle, Linux, Adobe, Google, IBM, and Microsoft, in sequential order.

As we identified in prior research, for the NVD, higher-severity vulnerabilities have shorter release lags, as more effort is put into communicating and remediating them. However, for CNNVD, the opposite is true. On average, CNNVD takes three days longer to report a vulnerability with a High score than a Low-Medium score.


Severity scores of vulnerabilities vs. lag until 90 percent vulnerability coverage. NVD (blue) is faster in publishing high-severity vulnerabilities than lower-severity vulnerabilities; CNNVD (green) is slower to publish high-severity vulnerabilities than lower-severity vulnerabilities. Overall, CNNVD is still faster.

The diverging trend lines in responsiveness to more severe vulnerabilities raise interesting questions about reporting criteria and priorities. While CNNVD is still faster than NVD in each CVSS category, NVD is fastest when reporting High vulnerabilities, while High is CNNVD’s slowest category. Further, of the selected outliers, 43 percent were High even though these vulnerabilities make up only about one-third of all total published vulnerabilities. The probability of this degree of difference occurring by chance is quite small — 0.016 percent.

Why is this the case? Does CNNVD publish more content on High and Medium vulnerabilities than on Low ones? What could account for this systemic lag in publishing more severe vulnerabilities, or for the fact that nearly 43 percent of the statistical outliers had High CVSS scores?

A Tale of Two Vulnerabilities

In addition to our NVD comparisons and statistical modeling, we decided to compare NVD and CNNVD publish dates and content for two High vulnerabilities: CVE-2017-0199 and CVE-2016-10136/CVE-2016-10138.

1. CVE-2017-0199 is a Microsoft Office vulnerability that was first identified on April 11, 2017. In the succeeding months, this vulnerability was successfully exploited by North Korean state-sponsored actors in the global WannaCry attack, the unknown actors responsible for NotPetya, and the criminal group behind Dridex. This vulnerability was widely exploited across the world, including in China.

Below are side-by-side screenshots of the U.S. NVD and CNNVD entries for CVE-2017-0199 (CNNVD assigns its own numbers and calls this one CNNVD-201704-692).

U.S. NVD Entry for CVE-2017-0199

CNNVD Entry for CNNVD-201704-692

Both NVD and CNNVD contain brief descriptions of the vulnerability, the versions affected, and links to the security patch. Interestingly, CNNVD’s entry contains fewer references and technical details, and does not list the original identification date (April 11), only the dates on which CNNVD published and updated the entry (both June 7, 2017). CNNVD links to the MITRE-maintained CVE entry, and the description of the vulnerability on CNNVD appears to be very similar to the MITRE description.

In comparing the content of both NVD and CNNVD entries for this vulnerability, there is no evident explanation as to why CNNVD took 57 days after disclosure to publish. There is no additional content or analysis in CNNVD’s entry. Aside from having a different vulnerability number and risk class score (although it was still the highest category so it was virtually the same), CNNVD actually had less useful data on this particular entry.

Additionally, in the months between April 11 and June 7, 2017, the WannaCry ransomware attack swept the world and victimized 40,000 institutions in China, including Tsinghua University, China Telecom, Hainan Airlines and several police stations and public security offices. Based on the information in the entry and the unusually high level of exploitation of the vulnerability, CNNVD left Chinese companies and organizations exposed and should have published sooner.


Timeline of cyber events during CNNVD publication lag of CVE-2017-0199.

However, for this particular vulnerability, there may have been other influencing factors which drove the publication lag. Research published on April 27, 2017, revealed that a suspected Chinese APT group, referred to as TA459, had been using this vulnerability to target analysts who covered the telecommunications industry at Russian and Central Asian financial firms. This group has also utilized a number of other tools commonly associated with Chinese APT groups, such as PlugX, NetTraveler, and Gh0st. In this case, TA459 had been using a trojan called ZeroT to exploit CVE-2017-0199.

Given that the MSS runs CNNVD, it is likely that the publication lag for CVE-2017-0199 could have been affected by the MSS, which wanted to buy time for the vulnerability to be exploited in its own operations or on behalf of another Chinese state-sponsored actor.

2. CVE-2016-10136 and CVE-2016-10138 are two vulnerabilities in Android software developed by a company named Shanghai Adups Technology. According to Kryptowire, these two vulnerabilities are essentially pre-installed backdoors which, “actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI), and the International Mobile Equipment Identity (IMEI). The firmware could target specific users and text messages matching remotely defined keywords. The firmware also collected and transmitted information about the use of applications installed on the monitored device, bypassed the Android permission model, executed remote commands with escalated (system) privileges, and was able to remotely reprogram the devices.”

The

The Practical in Practice — Use Cases for Threat Intelligence

Recorded Future

In this episode of the Recorded Future podcast, we take a closer look at the practical application of threat intelligence. Some security teams still meet threat intelligence with a skeptical eye, wondering how adding even more information to the flow of data they’re already receiving could improve their security posture. In reality, they’re likely already using some degree of threat intelligence even if they don’t realize it. We’ll explore ways that organizations can determine how much threat intelligence is the right amount, when it’s time to engage with a third-party provider, and when it’s not. We’ll review case studies from Facebook and Akamai, and we’ll discuss the importance of context when transforming information into intelligence.

Our guide this week is Allan Liska. He’s a solutions architect at Recorded Future, and author of the newly published e-book “Threat Intelligence in Practice.”

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

The post The Practical in Practice — Use Cases for Threat Intelligence appeared first on Recorded Future.


AI, Robots, and Cyborgs — Inside IoT With Chris Poulin

Recorded Future

In this episode of the Recorded Future podcast we take a closer look at the Internet of Things (IoT). It’s a wide-ranging category, spanning everything from connected thermostats, refrigerators, and security cameras to industrial control systems, self-driving cars, and medical devices. It’s hardly an exaggeration to say that if a device has a power source, somebody is thinking up a way to connect it to the internet. And with that comes opportunities for improving our lives and the world we live in, as well as risks to our security and privacy.

Our guest this week is Chris Poulin. He’s a principal at Booz Allen Hamilton, where he leads the company’s Internet of Things security practice.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

The post AI, Robots, and Cyborgs — Inside IoT With Chris Poulin appeared first on Recorded Future.


What Is Machine Learning? Definition and Examples

Recorded Future

Artificial intelligence (AI) has truly entered the mainstream consciousness. But how clearly do any of us really understand what AI is? How aware are we of the ways in which we’re interacting with techniques like machine learning, natural language processing, and cognitive analytics every single day?

It’s true that the advanced mathematics and complex programming at the heart of AI systems is challenging for most of us to get our heads around. So here, we’ll focus on understanding what some of these AI techniques (specifically machine learning) do and the difference they can make to our work and lives.

Why Is AI so Tricky to Define?

Webster’s Dictionary defines artificial intelligence as “an area of computer science that deals with giving machines the ability to seem like they have human intelligence.” The fact that this definition is so vague actually very effectively captures the difficulty in grasping what AI really means.

The challenge here is one of perception — measuring human intelligence is controversial enough. Some might say that solving problems, understanding concepts, and recognizing sequences are clear indicators of intelligence. Others would claim that empathy, understanding emotion, and interaction with others are measures of human intellect, not to mention the huge concepts of creativity, imagination, and perception.

To avoid straying into the realms of the metaphysical here, let’s focus instead on how AI is being applied today. Systems based on AI, sometimes referred to as cognitive systems, are helping us automate many tasks which, until recently, were seen as requiring human intelligence. However, AI allows us to not only automate and scale up tasks that so far have required humans, but it also lets us tackle more complex problems than most humans would be capable of solving.

Why Is AI Coming to Prominence Now?

AI has become such a focal point of attention for both researchers and entrepreneurs during the last few years due to several factors contributing to a “perfect storm”:

  • Never before has so much information been available in digital form, ready for use. All of humanity is, on a daily basis, providing more information about the world for machines to analyze. Not only that — through crowdsourcing and online communities, we are also able to give feedback on the quality of the machines’ work at an unprecedented scale.
  • Computing power and storage capacity continue to grow exponentially, and the cost for accessing these resources in the cloud are decreasing. Incredible resources are now available not only to the world’s largest corporations, but to garage startups as well.
  • Research in algorithms has seen huge strides in giving us the ability to use these new computing resources on the massive data sets now available.

How Do Machines Learn?

Recorded Future AI experts explain the basics of machine learning.

Machine learning is an AI technique getting significant attention today. The ultimate aim of machine learning is to enable software applications to become more accurate without being explicitly programmed. But how do machines actually learn? The basic premise of machine learning is to build algorithms that can receive vast amounts of data, and then use statistical analysis to provide a reasonably accurate outcome.

Machine-learning algorithms are usually defined as supervised or unsupervised. Supervised algorithms need humans to provide both input and the desired output, in addition to providing the machine with feedback on the outcomes during the training phase. Once training is complete, the algorithm will apply what was learned to new data. Unsupervised algorithms do not need to be trained with desired outcome data. Instead, they use an iterative approach called deep learning to review data and arrive at conclusions.

In reality, machine learning is about setting systems to the task of searching through data to look for patterns and adjusting actions accordingly. For example, Recorded Future is training machines to recognize information such as references to cyberattacks, vulnerabilities, or data breaches. In this case, the machinery isn’t necessarily performing a task that is difficult for a human, but one that is impossible for a human to perform at the same scale. You can see the capabilities of machines in performing these kinds of tasks in our man versus machine infographic.

AI Applied to Threat Intelligence

Training machines to process and analyze threat data from numerous sources brings two clear benefits for information security in organizations. Firstly, as previously mentioned, there are significant advantages in the scale of data which can be collected and analyzed by AI systems. This performance gain allows businesses to task people with performing roles that require uniquely human capabilities and will result in greater efficiency. Secondly, the machinery gives structure to the data that makes it infinitely easier to get to relevant threat intelligence quickly.

In our upcoming webinar “Machine Learning in Black and White,” you can find out more about how the latest AI techniques are being applied in information security by defenders, as well as how attackers are adopting machine learning to conduct increasingly sophisticated attacks and to circumvent AI-based defenses.

The post What Is Machine Learning? Definition and Examples appeared first on Recorded Future.


Dark Web Threats: From Technical to Tactical

Recorded Future

The dark web is a mass of marketplaces and communities that can only be accessed through encrypted connections. The nature of dark web content is diverse, and the characters who live there range from those looking to purchase counterfeit goods, to drug dealers and cybercriminals. We’ll be focusing on this last category and exploring some examples of how threat actors use the dark web to conduct business, develop new threats, and trade techniques.

Selling Data and Credentials

Certain dark web marketplaces have become synonymous with the sale of credentials from large-scale hacks and data breaches. There are a few ways that unscrupulous individuals can look to profit from using these stolen credentials, including identity theft, or using email and social media accounts to defraud others. Some sellers of credentials have even specialized in trading logins for remote access to servers, or for spear phishing employees.

There’s also a market for corporate data, including intellectual property or customer information in dark web communities, and this kind of information is also sometimes made available by insiders looking to profit from their access to valuable data.

In this short video, Recorded Future’s Andrei Barysevich explains how threat actors are monetizing personal data breached from healthcare systems.

Discussing Vulnerabilities and Trading Exploits

There are a number of forums that focus specifically on discussing vulnerabilities, as well as developing and trading exploits. Recent research from Recorded Future revealed that 75 percent of all disclosed vulnerabilities will be referenced on sources like blogs, forums, social media, and the dark web before appearing on NVD (National Vulnerability Database), the official site for these announcements.

As information on new vulnerabilities is made available, they present opportunities for capable threat actors to investigate the potential to exploit them. Often, the details of these new vulnerabilities will be translated from English into languages more commonly used in criminal forums to enable faster dissemination.

Proof-of-concept malware shared to code repositories like GitHub may also be publicized on dark web sites. The ultimate aim for many actors in these communities is selling zero-day or one-day exploits for these vulnerabilities. These exploits are most effective when they are fresh, so new ones that target the right technologies can earn their creators hundreds of thousands of dollars.

Vulnerability Risk

As vulnerabilities are weaponized and exploited, the risk of attacks and breaches increases.

The management and patching of vulnerabilities is universally acknowledged as a vital but exceptionally difficult aspect of information security. Any intelligence that helps define true risk from a vulnerability that could affect systems used in corporate organizations can be applied to make the process more effective and efficient. In many cases, the mechanics of how these vulnerabilities are ultimately commoditized are only visible in dark web communities and other unindexed areas of the open web, but the insight this intelligence can provide presents significant security benefits.


References to CVE-2017-8759 across numerous sources of intelligence.

In this example, CVE-2017-8759 is a vulnerability which affects the Microsoft .NET Framework. It was officially disclosed on September 12. The official disclosure appears in public and searchable sources, but it’s when the processes of exploitation and monetization by threat actors begin that references to the vulnerability become less visible. Only two days after this CVE was disclosed, proof-of-concept code started being shared to GitHub (a code repository), and an exploit builder was advertised for sale in a dark web forum. Within seven days, the vulnerability was being actively exploited in spam email attachments sent to targets in Argentina.

Recruiting Expertise and Insiders

According to Avivah Litan, a Gartner analyst who specializes in information security, “Insiders are being actively recruited by criminals operating on the dark web, according to Gartner clients. Disgruntled employees working at companies across many sectors, such as financial services, pharma, retail, tech, and government are gladly selling their services to the bad guys in order to inflict harm on their employers. Seeking harm and revenge on employers is a bigger incentive for insider threats than stealing money from employers, according to our clients.”

Threat Actor Activity on Dark Web Forum

Threat actor with access to an insider seeks malware to infect a bank.

Threat Actor Activity on Dark Web Forum Cached

Recorded Future caches this information to make sure that intelligence from volatile sources isn’t lost or deleted.

Criminal forums and marketplaces are well known for facilitating all types of illicit transactions. Insider threat advertisements are frequently used by actors promoting their illicit services on dark web sites, from retail cash-out services to carding operations, to bank insiders facilitating theft. Many of these advertisements lie on closed source forum sites, requiring extensive vetting and personas to maintain persistent access.

Note: You can learn more about applying threat intelligence to insider threats by downloading our white paper, “Insider Threats to Financial Services: Uncovering Evidence With External Intelligence.”

Intelligence From the Dark Web Is an Extra Layer That Informs Risk

Collecting and analyzing available intelligence from the dark web presents a new opportunity to understand and potentially pre-empt attacks. This kind of information can be weighed in the balance to quantify risk, and ultimately, determine what action you might need to take to address it.

You can see more real-world examples of dark web intelligence and get a greater understanding of how to use the information in our white paper, “How You Can Use the Dark Web for Threat Intelligence.”

The post Dark Web Threats: From Technical to Tactical appeared first on Recorded Future.


Executive Takeaways From the 2017 Verizon Data Breach Investigation Report (DBIR)

Recorded Future

Editor’s Note: The following blog post is a summary of an RFUN 2017 customer presentation featuring Marc Spitler from Verizon Security Research.

Key Takeaways

  • The number of threats out there is growing exponentially. Don’t worry about all of them; rather, identify your business’s greatest risks and focus security investments on those areas.
  • Remember to cover the basics. People are still falling for phishing (one in 14 users) and failing to set strong passwords. These are fundamental security controls that can save you a considerable amount of difficulty if properly maintained.
  • People commonly rely on long-established ways of doing things, which means that many businesses are relying on legacy defense techniques. Even if a major incident doesn’t come to pass, it’s critical to align security tools and solutions with the threats that businesses similar to yours are actually facing; otherwise, your strategy is significantly less effective.

For the tenth year, the Verizon Data Breach Investigations Report (DBIR) was released, focused on exploring the current cybersecurity landscape. The 2017 DBIR report combined the experience of 65 organizations to provide a detailed overview on the state of cybercrime today, featuring the analysis of over 40,000 incidents, including 1,935 data breaches. Overall, the goal of the report is to provide insights and help organizations prioritize and discover new ways to protect against threats.

With the constant publishing and distribution of reports on cybercrime and breaches, it can be difficult to present information at a high enough level to bring awareness and benefit not only to security professionals, but also to the executives who oversee security programs — which is why the executive summary was released in concert. With the overflow of information out there, it’s key to be able to make plain what’s actually happening to real people and businesses, as well as what their losses look like.

Further, given the rate of attacks, one can imagine the variation of incident and breach types; so many that it’s difficult to quantify. Luckily for businesses and their security teams, most incidents and breaches fall into a much smaller number of patterns, so while the rate of cybercrime shows no signs of slowing, that doesn’t mean that decision makers need to be worried about every single type of threat.

Here’s what the report covered:

  • Types of actors
  • Tactics used
  • Victims
  • Common occurrences in cybercrime

Commonalities and Patterns of Incidents

The bad news is that in one year, over 40,000 incidents and nearly 2,000 confirmed data breaches occurred. The good news is that 98 percent of incidents and 88 percent of breaches fall into one of the following incident classification patterns:

  • Miscellaneous errors
  • Privilege misuse
  • Physical theft and loss
  • Denial of service
  • Crimeware
  • Web application attacks
  • Point-of-sale intrusions
  • Cyberespionage
  • Payment card skimming

Malicious actors are always evolving their tactics, but their strategies have actually not changed much over time, so understanding how they work is a critical component of protecting your business from cyberattacks. Identifying patterns arms security teams with better information on how to optimize the resources available to them. Plus, patterns shed light on where danger is lurking for your organization and industry. With this knowledge, new initiatives like building applications or processes can be executed with security built in.

A quick snapshot of a few incident classification patterns:

Cyberespionage

  • Attacks linked to state-affiliated actors and/or the motive of espionage.
  • Malicious emails are the preferred method of access, usually followed by trying to blend in to have enough time to gather data of interest.

Internal and Privilege Misuse

  • Classified as any unapproved or malicious use of access to internal resources.
  • 60 percent of insiders are financially motivated.
  • 17 percent of insiders are simply curious, snooping without sanction.
  • 15 percent of the time, data is taken for a new employer or to become a competitor.

Denial of Service

  • Any attack intended to compromise network and system availability.
  • 98 percent of DDoS attacks target large organizations.
  • Most attacks end within a few days.

Comparison by Major Industries

The differences in tactics used against your respective industry compared with those used with other industries are striking. Knowing which threats your business is most likely subject to allows you and your security team to align defenses with the most likely risk areas.

  • In financial services, 88 percent of incidents were either denial of service, web application attacks, or payment card skimming.
  • 81 percent of breaches in healthcare were because of privilege misuse, miscellaneous errors, or physical theft and loss.
  • For manufacturing, 96 percent of breaches were attributed to cyberespionage, privilege misuse, and “everything else,” or, any incident that did not classify as one of the nine patterns.

As can be seen from analysis on the above three industries, profiles for each vary greatly. That’s why it’s key to be cognizant of the fact that while a comprehensive approach to security is valuable, investing in the technologies that best address your greatest risks is important, too.

Primary Findings That Affect All of Us

Considering the report findings as a whole, there are several conclusions that all businesses should be aware of.

First, the “main play” is still phishing that leads to installation of malware, followed by using stolen credentials to advance attacks.

Malware is ubiquitous — entering via malicious email attachments, with the most common transports being JavaScript and Microsoft Office documents. Ransomware is the top functionality of malware within crimeware, with a 50 percent increase in the last year.

Espionage remains a serious problem, with assaults usually beginning with phishing emails.

And lastly, overall, the number of records lost in breaches is still on the rise.

Focus Your Defenses

While there were indeed nearly 2,000 recent data breaches, there are not nearly 2,000 problems that have to be solved, so there’s no need to worry about every last threat. The numbers that represent security incidents and breaches can be boiled down to identifying relevant assets, actors, and actions, and whether your respective business and industry are at high risk. Identify what matters most to you.

Similarly, when it comes to generating useful threat reports, it can be exhausting to wade through massive amounts of information, which is where advanced threat intelligence and experienced analysts become necessary. You’ll be empowered to sift through the massive amounts of data and convert information that’s relevant into actionable insights. Real-time harvesting of both open and dark areas of the web shifts the emphasis from reactive to proactive, and gives you the intelligence you really need in a sea of potential threats.

Take a look at patterns so that if you’re the CEO, rather than a technologist, you can see what sorts of threats are affecting your business at a very high rate, and find out what you’re doing about it.

Marc Spitler
Verizon Security Research

The post Executive Takeaways From the 2017 Verizon Data Breach Investigation Report (DBIR) appeared first on Recorded Future.


ICS Is Serious Business (But There’s No Need to Panic)

Recorded Future

Recently, there’s been a good bit of focus on industrial control systems (ICS) — the systems that monitor and help keep our critical infrastructure running. The electrical grid tends to get the most attention, but ICS includes water, dams, communications systems, pipelines, natural gas, transportation, and other process control systems. As more and more of these systems get connected to the internet they can make an attractive target for cybercriminals or state actors who are up to no good.

Our guest this week is Robert M. Lee. He’s CEO at Dragos, a company dedicated to the security of critical systems. Before Dragos he was in the U.S. Air Force, where he served as a cyber warfare operations officer in the U.S. Intelligence Community.

This podcast was produced in partnership with the CyberWire and Pratt Street Media, LLC.

The post ICS Is Serious Business (But There’s No Need to Panic) appeared first on Recorded Future.


Mastermind Behind Andromeda Botnet Arrested in Belarus

Recorded Future

Insikt Group

Executive Summary

On December 4, 2017, a joint task force of European law enforcement agencies, the U.S. FBI, and several non-EU member states successfully dismantled the Andromeda botnet, one of the oldest and largest criminal botnet operations. According to Microsoft, more than 2 million compromised computers worldwide were identified in 48 hours of observation prior to the takedown. It is estimated that the Andromeda botnet was used by various criminal groups and individual actors to distribute more than 80 families of malware.

Andromeda Botnet Timeline Activities

Timeline of Andromeda Botnet activity up to takedown.

The Investigative Committee of the Republic of Belarus reported that, with FBI cooperation, it arrested a member of the international cybercriminal group responsible for the distribution and maintenance of the Andromeda Trojan.

Video of officials questioning Ar3s and subsequent arrest.

We believe that the arrested person is the actor known as “Ar3s,” one of the oldest and more highly respected members of the criminal underground. Ar3s is the mastermind behind the Andromeda Trojan and a longstanding administrator of the Damage Lab hacking forum. With a high degree of confidence, we assess that the arrested person is likely Jarets Sergey Grigorevich, although the name was not revealed by the Belarusian authorities.

Key Judgments

  • Ar3s is recognized as a leading expert in malware development and reverse engineering, network security, and antivirus technology. On technologically sophisticated forums he acts as a highly reputable guarantor of deals on the one hand, and an analyst on the other. Based on the analysis of Ar3s’s forum activities, linguistic patterns, and photo materials, Recorded Future earlier identified him as Sergey Jarets or Jaretz, a 33-year-old male residing in Rechitsa, Gomel region, Belarus.
  • According to the materials of the investigation, undercover FBI agents purchased malware from the Belarusian hacker to ascertain the connection between the actor and the Andromeda malware distribution. The source code of this program was verified by the security experts and confirmed to be malicious.
  • According to the press release, the investigation collected incontrovertible proof of his fraudulent activities and involvement in the hacker group along with other criminals: sellers, server owners, as well as users of the tool.
  • Recorded Future conducted additional research across cybercriminal forums and with a high degree of certainty confirms that the arrested person is Ar3s.

Background

Ar3s, also known as “Арес” (in Russian), “Ch1t3r,” or “Sergey Jaretz”/“Sergey Jarets” (see below), is one of the most respected and longest-standing members of the hacking community and has operated in the Russian-speaking underground since at least 2004.

The actor is best known as a developer of the powerful Andromeda bot created in 2011, as well as the Win32/Gamarue HTTP bot. The actor is also known as the author of the Windows SMTP Bruter v.1.2.3, an SMTP bruteforcing tool, as well as “Swf-Inj Service” which hijacks web traffic by embedding iFrame malware into SWF (small web format) files.

According to the law enforcement statement, the criminal received $500 for each copy of Andromeda sold, and $10 for each follow-up malware update.

Threat Analysis

Recorded Future conducted additional analysis of Ar3s’s recent activities and observed that the last time Ar3s accessed the DaMaGeLaB forum was on November 22, which could indicate the date of the arrest. Other members of various criminal communities have also expressed concerns that Ar3s has been unresponsive since at least November 20, 2017.

The facts mentioned above, along with the coincidence of other factors, such as his residence in Gomel Region, Belarus, date of birth, and administration of cybercriminal forums are clear evidence of Ar3s’s apprehension.

In the course of following Ar3s, we learned that he has used the ICQ number “5777677” as one of his primary contact methods. That number was connected to the internet user “Sergey Jaretz” (the handle “Ar3s” closely resembles the Russian spelling “Арес” and is consistent with Jaretz/Ярец), who had also been registered on multiple white-hat hacker and tech-oriented forums since the mid-2000s.

Once we had a possible name, we conducted subsequent contact analysis based on “Sergey Jaretz” and the above-mentioned ICQ number. We discovered that the phone number of the Belarusian mobile carrier MTC (+375) 29-735-56-11 tied him to an individual in Rechitsa, Belarus named Sergey Jarets or Jaretz (in Russian: Сергей Григорьевич Ярец), a person working at OJSC “Televid” Tele-Radio Company, which broadcasts throughout the Rechitsa area, Gomel Region, Belarus.

According to an open web search, as well as the LinkedIn page of the actor, Jaretz has been a Technical Director of OJSC “Televid” since 2003 and is responsible for procurement, maintenance of the company’s computer network, maintenance of its television station, contract work regarding technical issues, OSHA regulation, and staff management. His LinkedIn profile indicates that Jaretz studied at Gomel State Technical University in 2010-2012 and obtained a degree in software engineering.

Figure: Sergey Jarets’s LinkedIn page indicating his work at OJSC “Televid” Tele-Radio Company.

The actor’s Belarusian roots are also corroborated by other members of the underground criminal communities, who refer to Ar3s as “the Belarusian” in their conversations.

Created in August 2011, the actor’s Twitter account also indicates Belarus as his location.

Outlook

Following the Avalanche operation in 2016, the Andromeda botnet takedown and the arrest of Ar3s are an excellent example of successful cooperation between international law enforcement agencies, including non-EU Eastern European members. Once again it shows the determination of governments worldwide to eradicate cybercrime by supporting high-level joint operations and leveraging the expertise of law enforcement agents.

To get more information and view screenshots of the arrest, download the appendix.

The post Mastermind Behind Andromeda Botnet Arrested in Belarus appeared first on Recorded Future.


5 Machine Learning Questions Answered


The concepts of machine learning aren’t necessarily easy for all of us to understand, but as the impact of AI technologies on life and work is beginning to be felt more keenly than ever, we have more questions about the difference they are making to our world. The continuous improvement in the speed of computing and our access to vastly increased amounts of data mean that today, machine-learning applications sit in the connected speakers in our kitchens and in the phones in the palms of our hands.

What Do Machines Excel at That People Don’t?

Analyzing data to learn what’s actually happening and to see trends is nothing new. To understand where machines bring an advantage in this area, we can look back at one of the earliest stories of data analysis. In 1854, London was in the grip of a cholera epidemic. At the time, it was assumed that cholera was airborne, but physician John Snow did not accept this “miasma” (bad air) theory, arguing that in fact it entered the body through the mouth. To understand how the disease was being spread, Snow began to plot individual infections onto a map. This process revealed that a water pump in Broad Street was the source of the disease. John Snow had made connections between three sources of data (the map, the infections, and the water pump) to identify a trend and draw a conclusion.

Figure: John Snow’s cholera map showing the pump on Broad Street.

Snow’s limited data set made his task the kind of focused process that humans excel at. Where computers have an advantage is in accurately applying a process like this to huge volumes of data from numerous sources, at massive scale. Cross-referencing different sources lets the machine create far more relationships between the data, at much greater speed than a human ever could.

Machines Can’t Really Predict the Future, Can They?

This question actually relates directly to the first one. Machines aren’t an AI crystal ball that can tell us exactly what will happen next week, next month, or next year, but because of the volume of available data, they can process it and identify emerging trends. We believe a better way to describe this is the application of “predictive analytics.” This allows us to combine the historical data we see and the outcomes we’ve reached to make a reasoned assumption about what might happen in the future.

You can learn more about how predictive analytics are being applied to the field of cybersecurity in our latest white paper, “4 Ways Machine Learning Is Powering Smarter Threat Intelligence.”

To What Extent Can Machines Really Understand the World?

“Understand” is a difficult word to apply here. How intelligent or conscious a machine can be has frequently been fodder for science fiction literature and cinema. The dictionary definition of AI is, “Giving machines the ability to seem like they have human intelligence.” One trait of intelligence would certainly be the capability to recognize objects appearing in particular images (which machines do quite well), or knowing the meanings of words and learning how sentences are constructed.

In the world of threat intelligence, our machine is able to do exactly this. Natural language processing means the machine can read and identify words in a sentence and understand how they relate to one another, and the more sentences it reads, the more it learns about how words are used, and in what context.

The difference between what a machine knows about the world and what we know really boils down to how we gather that knowledge. Some of our knowledge comes from what we see and experience, and some comes from data we gather and what we learn. The machine can’t experience things — it can only really gather the data and make relationships in the data it processes. But this does allow machines to be able to classify data, so they can learn that, “Paris is a city in France,” or, “Locky is ransomware used by the Necurs botnet.”
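The classification the last three paragraphs describe, reading sentences, recognizing the entities in them, and recording how those entities relate, can be made concrete with a small knowledge-graph builder. The following is an added example, not code from the original post or from Recorded Future’s product: it uses a hand-written grammar rather than the statistical natural language processing the post refers to, and the sentences it reads are constructed for the example (the one deliberately ungrammatical line exercises the path for text the machine cannot parse). What the post’s prose does not show is the payoff of accumulating facts from separate sentences: once the graph holds both “Paris is a city in France” and “France is a country in Europe,” a one-line traversal answers a question neither sentence states on its own.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample text (not from the original post): the kind of short
# statements a threat-intelligence crawler might read. The last line is
# deliberately outside the grammar so the unparsed path is exercised.
SAMPLE_SENTENCES = [
    "Paris is a city in France.",
    "France is a country in Europe.",
    "Locky is ransomware used by the Necurs botnet.",
    "Andromeda is a botnet operated by Ar3s.",
    "Gamarue is malware distributed by the Andromeda botnet.",
    "The forum was quiet for a week.",
]

# The entity types and relation phrases this toy grammar knows about.
TYPES = "city|country|ransomware|botnet|malware"
RELATIONS = {
    "in": "located_in",
    "used by": "used_by",
    "operated by": "operated_by",
    "distributed by": "distributed_by",
}

# Grammar: "<Subj> is (a|an) <type> [<relation> (the) <Obj> [<type>]]."
SENTENCE_RE = re.compile(
    rf"^(?P<subj>[A-Z][\w-]*) is (?:an? )?(?P<type>{TYPES})"
    rf"(?: (?P<rel>{'|'.join(RELATIONS)}) (?:the )?(?P<obj>[A-Z][\w-]*)"
    rf"(?: (?P<objtype>{TYPES}))?)?\.$"
)

Fact = Tuple[str, str, str]  # (subject, relation, object)


def extract(sentence: str) -> Optional[Dict[str, Optional[str]]]:
    """Parse one sentence into its fields, or None if it does not fit the grammar."""
    m = SENTENCE_RE.match(sentence.strip())
    return m.groupdict() if m else None


class KnowledgeGraph:
    """Entities with a type, plus directed, labelled edges between them."""

    def __init__(self) -> None:
        self.types: Dict[str, str] = {}
        self.edges: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
        self.unparsed: List[str] = []

    def learn(self, sentence: str) -> Optional[Fact]:
        """Add what one sentence asserts; return the relation fact if it had one."""
        fields = extract(sentence)
        if fields is None:
            self.unparsed.append(sentence)  # keep, for a human to look at later
            return None
        subj, obj = fields["subj"], fields["obj"]
        self.types[subj] = fields["type"]
        if obj is None:
            return None  # a bare type statement with no relation
        if fields["objtype"]:
            # "the Necurs botnet" tells us Necurs's type in passing
            self.types.setdefault(obj, fields["objtype"])
        rel = RELATIONS[fields["rel"]]
        if (rel, obj) not in self.edges[subj]:
            self.edges[subj].append((rel, obj))
        return (subj, rel, obj)

    def facts(self) -> List[Fact]:
        return [(s, r, o) for s, outs in self.edges.items() for r, o in outs]

    def follow(self, start: str, relation: str) -> List[str]:
        """Follow one relation transitively (breadth first), e.g. located_in."""
        seen, out, frontier = {start}, [], [start]
        while frontier:
            node = frontier.pop(0)
            for rel, obj in self.edges.get(node, []):
                if rel == relation and obj not in seen:
                    seen.add(obj)
                    out.append(obj)
                    frontier.append(obj)
        return out


def build_graph(sentences: List[str]) -> KnowledgeGraph:
    kg = KnowledgeGraph()
    for s in sentences:
        kg.learn(s)
    return kg


if __name__ == "__main__":
    kg = build_graph(SAMPLE_SENTENCES)
    for fact in kg.facts():
        print(fact)
    print("types:", kg.types)
    print("Paris is located in:", kg.follow("Paris", "located_in"))
    print("unparsed:", kg.unparsed)
```

Running the block prints five facts, the inferred type of every entity that was mentioned (including Necurs, which was never the subject of a sentence), the chain France, Europe for Paris, and the one sentence the grammar could not read. A production system replaces the regular expression with a trained model, but the bookkeeping downstream of it, typed entities and labelled edges that later questions are answered from, is the same idea.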

Should We Worry About Machines Stealing Our Jobs?

Today, the most powerful applications of AI and machine learning are when humans and machines work together to make use of both their strengths.

There’s no question that the nature of jobs is going to change dramatically in the coming years. The World Economic Forum expects automation and AI to result in the loss of at least 5 million jobs globally by 2020. Machines’ ability to process huge volumes of data and complete tasks in a more efficient way than a human being presents significant time and cost savings for businesses. It’s not an overstatement to say that we are moving toward a revolution in the way we work.

The advent of AI in the workplace will create roles we might find difficult to even imagine today, much as the internet’s arrival saw the birth of a whole range of new careers. Nobody’s grandfather was a web architect, but today, it’s a career with an attractive salary to match. It doesn’t matter whether a job is white collar or manual — if it’s routine, machines can do it.

Almost all industries will undergo a radical shift, so importance will be placed on acquiring new skills quickly. We’re unlikely to see mass unemployment, but as we’ve seen from technological progress in the past, businesses and employees must be ready and willing to skill up and retrain where necessary.

What Developments Will AI See in the Next 5 Years?

AI now feels a little like computing did back in the ’80s. PCs were beginning to show businesses beyond just data processing companies that computers had real value to bring, and many more companies were creating computer divisions. Those divisions are long gone, with computing having become a ubiquitous part of our work, not to mention our everyday lives. AI is being, and will continue to be, quietly adopted by enterprises, allowing them to extract knowledge from all the data that is being generated — and not just the structured data.

The aim for many enterprises in the short to medium term will be to move AI systems onto decision-making tasks like managing inventories or screening candidate resumes. These jobs are time consuming for humans and so present a significant cost saving for businesses. However, despite the rapid adoption of domestic assistants like Google Home and Amazon Alexa, consumers may prove a harder proposition, particularly in the much-vaunted area of self-driving vehicles. Recent research from MIT found that while people have become more accepting of driver assistance features like automatic emergency braking and blind-spot warning, doubts about fully self-driving cars are growing. This is a clear indication that applications of AI and machine learning still need to meet a demand and deliver a tangible benefit to see widespread adoption.

The post 5 Machine Learning Questions Answered appeared first on Recorded Future.
