Recorded Future

“Ask anybody to name the riskiest cyber locations in the world, and chances are they’d be able to name about ten. The answers would be fairly consistent across the [information security] people you ask; but what about the other hundred and eighty-two countries out there?”

This question was posed by Lincoln Kaffenberger, a cyber security professional working at an international financial services company, during a recent webinar with Recorded Future. Kaffenberger and his team are highly focused on location-specific threat intelligence because of the company’s international operations, and also because “where you are matters.”

Organizations such as Kaffenberger’s face threats from geographically dispersed threat actor groups, as well as challenges posed by certain international governments which permit lawful communication monitoring.

Understanding the Risk of Business Travel

With offices in over 100 countries throughout the world, and employees from those locations traveling constantly, the organization has concerns about the devices used by employees during their travels and the security of the information on those devices. Sharing information about the company’s cyber threat intelligence methodology, Kaffenberger explained:

• Why location matters when it comes to an organization’s cyber risk.
• A framework for learning and measuring the specific cyber risk by physical location.
• A methodology for measuring threats and risks in a way that’s empirical and standardized.
• How Recorded Future helps them do this more quickly than before.

Kaffenberger said that, the company needed to quickly gain specific knowledge of the threats in different countries, so they could adequately prepare. Through a carefully crafted threat intelligence program incorporating Recorded Future, they were able to:

• Lower cyber risk outside of the headquarters.
• Raise awareness within the user population.
• Provide situation-specific advice and tools to use to help lower risk.

Defining a Threat Assessment Methodology

Threat intelligence — as opposed to threat data, which sometimes masquerades as “intelligence” — allows companies to identify the highest-risk threats and prepare. It’s important to understand the risk in geographies that aren’t necessarily in the “top ten,” but still put the company’s data and employees at risk.

Kaffenberger explained that the first step is to assess the situation in a given country:

• What are the political, economic, and sociological conditions?
• What is the infrastructure like? Where are the fiber lines connected? How do they connect to the broader internet? What countries are my traffic potentially traveling through? What natural hazards exist?

Then his team gauges location-specific threat actors:

• What threat actors operate in that country or have affected that country?
• What special security forces operate locally?

Next the team measures the level of threat based on each threat actor group’s intent and capability. It’s a complex, challenging problem, to be sure, but Kaffenberger says it’s absolutely worth the effort, as the team has become more accurate in its threat assessments, helping lower risk to the organization, and allowing employees to work more productively and securely around the world.

After gathering and analyzing all of this critical data, Kaffenberger and his team use it to generate a threat assessment. This is where Kaffenberger and his team use Recorded Future. The Intel Cards, he says, “in a quick snapshot, give me real-time information about that threat.”

An example Recorded Future Intel Card for a threat actor.

The detail and drill-down information provides a very quick way to determine if an actor is relevant.

Once a threat assessment has been completed, Kaffenberger and his team create a risk scenario for government monitoring, APTs, hacktivists, and cyber-crime. Combining internal telemetry and external data, like that from Recorded Future, the team is able to evaluate various scenarios that might exist when the company is operating in or an executive is traveling through an at-risk geography.

Combining Internal and External Sources

The internal information gathered comes from a detailed questionnaire that allows the threat intelligence group to imagine various scenarios. They carefully consider who’s traveling where, what information the employee has or has access to that is sensitive, operations, the nature of the relationships with persons at the organizations with whom the employee is doing business, procedures, the duration of the engagement, etc. Doing so “gives us a lot of context so we can build accurate risk scenarios,” says Kaffenberger.

Building on the scenarios, the team assesses the likelihood based on the threat actors’ intentions and capabilities to execute, and then the controls the company has internally that may prevent that scenario from happening. Once they’ve mapped the actors’ actions to controls that prevent threats, the team considers the impact on the information if that scenario occurs and the impact on the organization and then maps to controls to mitigate the threats. Threat intelligence informs risk strategies, so through this detailed process, Kaffenberger and his team allow the business to operate more efficiently. They have been able to develop a consistent, standardized, and empirical process that contributes to the continued growth of the organization as a whole.

A Holistic Threat Intelligence Program

A threat program isn’t one piece or stream of data, and Kaffenberger relies on a number of tools and skilled analysts. Recorded Future is an important part of the strategy. The team uses Recorded Future to generate a quick review of groups of actors in a concerning location, set queries, then filter down through queries to view more specific information on threat actors, actors’ tactics and techniques, and where geographically the actors are operating.

Analysts can pivot from an Intel Card to six different data visualizations for additional insight.

Events related to RedHack are displayed on a timeline for chronological analysis.

The Intel Cards provide additional information associated with threat vectors and methods, which allows Kaffenberger and team to aggregate all relevant information, use it for searching or further research, and display all activity on a timeline — by severity, geography, or other type in which they might be interested.

Kaffenberger says Recorded Future is “a great way to get a good snapshot in time, a very quick assessment of how things are going.” Because of how the information is stored in Recorded Future, he can also check back at intervals to learn about changes or updates. Importantly, because security does not operate in a vacuum, the threat team can hand off intelligence gained from Recorded Future to the SOC (security operations center) so analysts can monitor for any changes and quickly contextualize the information when a change has taken place

In closing, Kaffenberger said that recorded Future is a real time saver when it comes to managing their complex threat intelligence program: “When we looked at what it would take to analyze all the countries that we care about, it would take us about three to five years. Using two people, assuming about two months to get all the information for a country, Recorded Future, for an initial assessment, cuts that time down to just two hours or less.”

Earlier this year, Splunk announced their Adaptive Response Initiative — an effort bringing best-in-breed security capabilities together in ways that will improve an organization’s ability to defend against advanced attacks.

At the core of the initiative is a new version of Splunk Enterprise Security, scheduled to be generally available soon, that facilitates bi-directional integrations from security partners. Through these integrations, each partner’s unique capabilities can be coordinated and used for faster threat validation, systematic defensive actions, and better overall security posture.

Since we heard about this initiative at the March, 2016 RSA Conference, we’ve been interested in joining this select group of partners and enhancing the capabilities of our Splunk ES integration.

Today, we’re very pleased to be included in Splunk’s announcement about the expanded initiative.

Practically speaking, we’ve developed a feature using the Adaptive Response Framework that allows an analyst to dispatch an “Enrichment Action” on any notable event. This action, which can be applied to any IP address, domain, hash, or cyber vulnerability, will pull in rich context from Recorded Future (e.g., a comprehensive real-time view of everything that’s publicly known about the given entity) into Splunk.

For IP addresses, hashes, and cyber vulnerabilities, Recorded Future risk scores are also delivered into Splunk and include references to the evidence from which the risk scores were derived.

Recorded Future Enrichment workflow using Splunk’s Adaptive Response Framework.

While seeming simple in workflow, this is a huge improvement from the current version of Splunk ES and opens up the door for additional automation and coordinated security actions.

As with our own OMNI Intelligence Partners program launched earlier this year, we believe building and supporting integrated capabilities between security products and services is in the best interests of our customers and an important direction the entire security industry is taking. Splunk’s Adaptive Response Initiative is another example of an integrated ecosystem and we’re extremely excited to be part of it.

If you’d like to learn more and to see a live demo then register for our live webinar “Exploiting Threat Intelligence Using Recorded Future and Splunk,” on Wednesday, October 12. We’re thrilled that Siri De Licori, Senior Product Manager for Splunk ES, will join us for the webinar to tell us more about the Adaptive Response Initiative.

The post Recorded Future Announces Its Participation in Splunk’s Adaptive Response Initiative appeared first on Recorded Future.

from Recorded Future http://ift.tt/2d9q1Lt

via IFTTT

In 2015 we released a report on identifying known RAT (remote access trojan) controllers. Malicious IP addresses are continuously identified through proactive internet scanning (via Shodan) for known family signatures, like Poison Ivy and BlackShades. This year we created Recorded Future Intel Cards for common indicators that make analysis a breeze, and RAT controllers are a perfect example.

Threat actors use RATs to remotely record audio and video from a victim’s web camera and/or microphone — suspects often attempt extortion of vulnerable women after the RAT is installed on the victim’s computer. Also, many RATs are capable of keystroke logging and file exfiltration.

The computer located at 73.77.225.59 (Comcast Cable) is hosting a DarkComet RAT controller (in RAT nomenclature the malware on a victim’s system is referred to as the “server” and the suspect’s control panel is referred to as the “client”). Legal process for subscriber records sent to Comcast and No-IP will provide further information toward probable cause.

Additionally, a pen register for 73.77.225.59 may assist with identifying victims that are infected with this particular instance of DarkComet.

Analysis

On September 6, 2016, Recorded Future and Shodan produced an alert for a new DarkComet trojan (malware) controller located at 73.77.225.59.

The Recorded Future Intel Card for 73.77.225.59 revealed (via FarSight Security’s passive DNS data integrated into Recorded Future’s Intel Card) three historical DNS A records, the most recent of which (shadows.sytes[.]net) was observed between September 15 and September 20, 2016.

The base domain name sytes.net is owned by No-IP, a free dynamic DNS (DDNS) service. DDNS gives the account owner(s) the ability to rapidly create subdomain names and quickly alter the IP address(es) resolving to each sub-domain, which is useful when administering a RAT that is configured to connect to a domain (instead of an IP address being hard coded into the RAT) for command and control (C2).

The Intel Card for shadows.sytes[.]net showed a Threat Expert malware report containing recorded network traffic to 73.77.225.59. A run-time analysis of the malicious binary produced MD5 hash B5462C4312A587171C400953F8FD79F0.

The Intel Card for MD5 hash B5462C4312A587171C400953F8FD79F0 uncovered (via ReversingLabs malware insight) additional metadata confirming this artifact is a DarkComet RAT.

Additional available information includes a VirusTotal URL verdict from Kaspersky for shadows.sytes[.]net, and a manual port scan of 73.77.225.59 (on September 22, 2016) revealed that the host’s port 1604 was closed, but open ports included 80, 2050, 4444, and 9000. Port 4444 is the BlackShades trojan default port.

Conclusion

A Recorded Future and Shodan alert for a new RAT controller host leads to a “one-click” lookup of the IP address — 73.77.225.59 (Comcast Cable) — in Recorded Future. The Intel Card includes corresponding DNS A records (domains) from FarSight Security.

A Recorded Future search of the domain — shadows.sytes[.]net — produces a MD5 hash — B5462C4312A587171C400953F8FD79F0 — from aggregated web data. A subsequent search for the hash presents an Intel Card that includes additional metadata from ReversingLabs confirming the existence of a malicious DarkComet RAT.

10 minutes and three Recorded Future Intel Cards — containing aggregated web data, Farsight Security’s passive DNS (pDNS) data, and ReversingLabs malware metadata — produced a potential criminal investigation with little remaining effort toward probable cause and hopefully a future indictment and prosecution of the RAT administrator.

The post Effective DarkComet RAT Analysis in 10 Minutes and 3 Clicks appeared first on Recorded Future.

from Recorded Future http://ift.tt/2d5A1b3
via IFTTT

Everybody in the security world knows the term “threat intelligence.” At this point, even some non-security folks have started talking about it.

But it’s still very poorly understood.

Raw data and information is often mislabeled as intelligence, and the process and motives for producing threat intelligence are often misconstrued.

If you’re new to the field, or you think your organization could benefit from a carefully constructed threat intelligence program, here’s what you need to know first.

Defining Threat Intelligence

Although most people believe they intuitively understand the concept, it pays to work from a precise definition of threat intelligence.

Threat intelligence is the output of analysis based on identification, collection, and enrichment of relevant data and information.

As already alluded to, raw data and information do not constitute intelligence. Equally, analyzed data and information will only qualify as intelligence if the result is directly attributable to business goals.

A truly well-planned and executed threat intelligence initiative has the potential to provide enormous benefit to your organization. On the flip side, if you aren’t careful, it’s easy to sink huge amounts of resources into an intelligence program without really achieving anything.

It would be foolish, then, to invest heavily in threat intelligence without having a clear idea of what you’re trying to achieve and why.

Simply “keeping the business secure” is not a valid motive for threat intelligence, but it’s the only driver for many organizations. The issue here is that as a goal it’s spectacularly generic, and almost impossible to measure.

A threat intelligence program with this motive is at serious risk of failing to identify what is and isn’t relevant or important.

A much better business goal, which is both relevant and tangible, would be to reduce operational risk by a given margin within a specified time period. Operational risk is a regularly measured and monitored business metric, and the results (however they’re derived) are there for all to see.

As a result, a threat intelligence program designed to reduce operational risk will be far more focused on those aspects of security that can be clearly linked to the markers used to measure cyber risk. As an example, intelligence relating to recent attacks on similar organizations within the same industry would be highly relevant, whereas analysis of the most recent high-profile attack in a totally different industry would not.

Intelligence Typologies

Perhaps the single most important phase of the whole process is analysis. During this phase, large quantities of raw data and information are processed into relevant, actionable intelligence.

But the actual analysis process can vary enormously depending on the desired output. Largely speaking, depending on the form of analysis used to produce it, threat intelligence falls into two categories: operational and strategic.

Operational intelligence is produced entirely by computers, from data identification and collection through to enrichment and analysis. A common example of operational threat intelligence is the automatic detection of distributed denial of service (DDoS) attacks, whereby a comparison between indicators of compromise (IOCs) and network telemetry is used to identify attacks much more quickly than a human analyst could.

Strategic intelligence focuses on the much more difficult and cumbersome process of identifying and analyzing threats to an organization’s core assets, including employees, customers, infrastructure, applications, and vendors. To achieve this, highly skilled human analysts are required to develop external relationships and proprietary information sources; identify trends; educate employees and customers; study attacker tactics, techniques, and procedures (TTPs); and ultimately, make the defensive architecture recommendations necessary to combat identified threats.

A common example of strategic intelligence is the use of threat actor TTPs to inform proactive security measures such as enhanced vulnerability and patch management or comprehensive security awareness training.

And it’s natural at this stage to wonder …

Which Is Better?

This question is problematic for two reasons.

First, it’s the natural question to ask when presented with two options, and second, it totally misses the point.

The reality of threat intelligence is that both operational and strategic intelligence are required. More than that, though, they actively rely on each other.

For a start, the fact that the end-to-end process for producing operational intelligence involves no human analysts is misleading. As Levi Gundert points out in his threat intelligence white paper, achieving an automated operational workflow is highly dependent on the presence of at least one talented and experienced data architect. This person is responsible for designing, creating, and calibrating tools that are capable of performing this vital intelligence function.

And the only reason that any analysts are available to produce strategic intelligence is because the operational “heavy lifting” is being done automatically by computers. If that weren’t the case, intelligence analysts would be totally bogged down with detail and false positives.

If this is starting to seem like a “chicken-and-egg” situation, let us help you out.

To build a world-class threat intelligence capability, the first thing you’ll need is at least one highly skilled and experienced human analyst. Once a person or team with the right skillset is in place, they will need to move through three stages:

1. Develop or procure the systems needed to automate the identification, collection, and enrichment of threat data and information.
2. Create and maintain the tools needed to produce operational threat intelligence.
3. Focus their attentions on the production of highly targeted and valuable strategic intelligence.

Sadly, many organizations never make it past stage one. Once they have an intelligence feed in place, they take action to mitigate the most basic threats using simple information such as IOCs and vulnerability announcements, and never progress to a level that would enable them to address real business needs and objectives.

If your threat intelligence capability is stuck at this level, you’re leaving a huge proportion of the business value of your threat intelligence feed on the table.

Don’t Settle, and Don’t Get Lost in the Woods

So far in this article, we’ve presented two clear and major dangers of developing a threat intelligence capability:

1. Settling for simple threat data and information, instead of fighting for intelligence.
2. Wasting valuable time and resources on producing intelligence that doesn’t further business goals.

To avoid these mistakes, you’ll need to keep pushing your analysts for more and better intelligence, while also stressing the importance of keeping things relevant.

Losing sight of either of these fundamental considerations can undermine the value of your program. Keep them at the forefront, though, and over time you’ll develop a truly world-class threat intelligence capability.

The post What Is Threat Intelligence? Definition and Examples appeared first on Recorded Future.

from Recorded Future http://ift.tt/2cGFJdT
via IFTTT

When most people think about threat intelligence, it calls to mind images of automatic threat feeds, analysts hard at work, and emergency security briefings.

What it doesn’t bring to mind are reports.

And that’s unfortunate, because the true value of threat intelligence is entirely dependent on how successfully it is communicated to the people in a position to act on it.

Threat intelligence reporting is often rushed, with little thought going into content, format, and audience. If you’d like to buck that particular trend, these are the steps you’ll need to take.

Be Intelligent

First off — and this should go without saying — the value of your reporting will always be limited by the quality of your threat intelligence.

If you’re producing outstanding, insightful threat intelligence and reporting on it in a timely fashion, most of the battle is already won. If, on the other hand, you’re working with little more than raw data and it’s taking you weeks to produce reports, there’s not a template in the world that will save you.

Producing real threat intelligence is a complex task, requiring dedicated and skilled analysts, so this is not a process that can be rushed.

But it runs deeper than that.

The whole purpose of threat intelligence is to inform action, and that simply can’t happen unless both the content and format of the reports are of a high standard. If your reporting is simply an afterthought, there’s a good chance the intelligence produced won’t be precisely what was needed.

Instead, you should start your threat intelligence process by determining which reports will be produced and for whom, so that when new intelligence is produced it can be acted on immediately.

Why Share Threat Intelligence at All?

When you get right down to it, producing threat intelligence is an expensive and difficult process. It requires dedicated analysts, most likely a paid-for platform, and lots of time spent producing complicated reports.

Naturally, then, you’ll want to make the most of it. But the thing you have to remember is, you can’t do everything yourself.

To maximize the value to your organization, you need to share the intelligence you produce as widely as possible.

Quite apart from anything else, there’s a good chance you don’t even realize how threat intelligence could benefit the different areas of your organization. You probably don’t know everything each team does, so how could you possibly know what would benefit them unless you ask?

Sharing threat intelligence within your organization will help spread awareness of security issues among non-technical audiences. Even better, it can greatly improve your ability to implement proactive and cohesive security and defense mechanisms, making use of the collective knowledge and experience of your various technical teams.

And what’s not to like about that?

Ask Around

The precise audience for threat intelligence varies within each organization, but there are a few no-brainers.

Red teams, for instance, are high on the list of potential clientele, at the very least for intelligence relating to the latest vulnerabilities or threat actor tactics, techniques, and procedures (TTPs).

Equally, if you discover that attacks targeting a certain software suite have increased dramatically in recent months, your vulnerability management team would like to know.

Your security operations center (SOC) and incident response teams are also bound to benefit from intelligence on the latest threats and TTPs, not to mention any analysis of recent attacks on similar organizations.

And if we’re aiming for the greatest possible benefit to the organization, key leaders and board members have more ability to influence operations than anyone.

But those are obvious examples.

Even your help desk can benefit from threat intelligence, particularly if it helps them to identify and escalate potential breaches early instead of simply processing them with all the other logged calls.

The point is that you don’t know who needs threat intelligence, so you need to ask. Make an open offer to all areas of your organization that, if they need threat intelligence for any reason, they can have it.

You’ll want to retain control of exactly how and when reporting occurs, rather than granting access to the source — you’re the experts after all — but the true goal is to maximize the benefit to your organization and that means getting the intelligence to the people who need it.

Formatting: More Than a Formality

Once again, let’s set our sights firmly on the prize. The value of threat intelligence is in understanding threats to your organization and taking the operational actions necessary to combat them.

The content of your reports is one side of this, but it isn’t the whole story. Like it or not, the format of your reports is also important.

All of your hard work will be completely wasted if, for any reason, your audiences can’t understand or can’t act on the reports you send them. With that in mind, here are some of the points you’ll need to consider when producing threat intelligence reports.

Each audience is different.

There is a huge difference, not least in technical understanding, between your executive board and your red team. Clearly the content of the reports you send to these audiences will differ, but that isn’t enough.

Non-technical audiences, particularly senior managers, need headline facts and figures to make decisions. Sure, they’ll probably need further explanation in some cases, but they’ll almost never need (or want) the technical stuff. An easily understood single page report or in-person presentation will be far better received than five pages of detail.

Operational teams, on the other hand, are likely to need far less explanation, and may well like to see source data combined with your analysis.

Ultimately, you’ll need to ask each audience exactly what they need and in what format.

Setting up a bespoke reporting structure might seem like a big job now, but in the long run it will be far more impactful.

Reports must be processed into existing workflows.

This is a point that’s almost always ignored, but which makes a tremendous difference to the value each audience gains from your reporting. Most teams have their own operational procedures, and if they’re going to make the most of your threat intelligence, it will need to fit into that structure.

Help desks, for instance, will usually process outstanding tasks into a workflow application of some sort, and it will make their lives much easier if your reports are in a format that makes this process simple. Equally, each organization’s executive board functions slightly differently, and it pays to find out how, when, and by whom your reports will be read.

Don’t forget, these are the people who set your budgets.

More isn’t always better.

Information overload is a real concern when it comes to threat intelligence. If you lay too much at one audience’s feet all in one go, reading and actioning your report can easily become overwhelming.

Instead, work with each audience to develop a priority system, and always highlight the most important intelligence first. You can always provide less urgent intelligence in a separate report, but don’t risk overwhelming your audience with detail, particularly if they’re non-technical.

The Feedback Loop

Once you’ve developed bespoke reports for each audience, you might feel that your work is done.

Sadly, that isn’t the case.

For a start, it’s highly unlikely that you’ve done everything perfectly the first time around. There are bound to be requests for changes to the content and format of future reports, and even if you did get everything right, first-time reporting needs are constantly evolving. You’ll need to be flexible and proactive to stay on top of things.

You’ll also need to know which aspects of the previous report have been actioned. After all, you can hardly claim to be providing threat intelligence if you no longer know what is and isn’t relevant to your organization.

To achieve this, you’ll need to set up a reliable feedback loop with each audience. Your vulnerability management team, for instance, will need to tell you which vulnerabilities have been addressed and which are outstanding. Equally, your red team will need to tell you which threats have been investigated, and which haven’t.

Over time this feedback loop will enable you to tailor each report precisely to the needs of its audience. Not only that, it will provide you with an invaluable knowledge of the types of intelligence each team values, enabling you to do an even better job in the future.

Keep It Simple

After reading all of this, you may be feeling daunted by the prospect of developing a powerful threat intelligence reporting process.

In reality, though, simple is best.

It is important to give each team exactly what they need in the format they need it, and it is important to get regular feedback and improve over time.

But that doesn’t mean it has to be complicated.

If you’re able to implement the steps laid out above, you’ll quickly find that threat intelligence reporting can be a simple and powerful process, and that the results speak for themselves. Done right, threat intelligence reporting and dissemination enable a far more proactive and joined-up approach to security, that will dramatically reduce your organization’s risk profile.

If you think your organization could benefit from exceptional threat intelligence, download the latest white paper from industry expert Levi Gundert — it covers the TTPs used by threat actors every day, enabling you to revolutionize your organization’s cyber security program.

The post How to Maximize the Return From Your Threat Intelligence Reporting appeared first on Recorded Future.

from Recorded Future http://ift.tt/2d87Esg
via IFTTT

Do you want to read the full report? Download your free copy now.

To learn more about the approach and findings, register for our webinar this Friday, September 15, 2016 at 10:00 AM ET (3:00 PM BST).

Operational defenders want threat intelligence to add tangible and quantifiable value to their organization’s security. As a provider of real-time threat intelligence, we strive to provide measurable benefits to our customers, who have reported back some impressive results.

For example, one customer went on record to say that Recorded Future helped reduced the amount of malicious traffic entering their network by 63%.

Inspired by the anecdotal feedback from our customers, we commissioned Codis Technologies, an information security consulting firm specializing in incident detection, incident recognition, and process automation, to conduct a lab test to measure the quantifiable value — in terms of productivity and security — that a SOC (security operations center) analyst gains from integrating Recorded Future with a SIEM (security information and event management) solution.

The results showed that one SOC analyst, in a controlled environment, experienced a 10x gain in productivity after Recorded Future real-time threat intelligence was integrated with a SIEM.

For the lab test use case, Codis Technologies chose to apply threat intelligence to firewall logs in a SIEM. Effective monitoring of firewall logs enables organizations to detect relevant threats that could otherwise be missed.

However, creating actionable security events from these high-volume/low-context log sources is a time-consuming challenge, especially when firewalls usually account for 50% or more of daily log volume. The lab test compared the effort required to triage the same report both with and without Recorded Future and and found an increase in analyst productivity and additional security benefit when Recorded Future was used.

To make the test more realistic Codis Technologies also enriched the same report with free OSINT (open source intelligence) feeds which did not significantly change our findings with Recorded Future. What makes this possible is Recorded Future’s threat intelligence powered by machine learning which provides automation, rich context, and risk prioritization — this is unmatched by predominantly manual means and existing technologies.

To download the full lab test report, click here.

To learn more about the approach and findings, register for our webinar this Friday, September 15, 2016 at 10:00 AM ET (3:00 PM BST).

We would love to hear your questions, comments, and suggestions on the report so feel free to email us at info [at] recordedfuture [dot] com. You can also request a personalized live demo.

The post Lab Test Reveals 10x Productivity Gain From Real-Time Threat Intelligence for SIEMs appeared first on Recorded Future.

from Recorded Future http://ift.tt/2cUsszh

via IFTTT

Security awareness and strategic threat intelligence are mandatory elements of any organization’s ability to ward off cyber events. The threat landscape can appear vast and unwieldy, putting additional barriers in the way of creating a successful threat intelligence program.

During a recent webinar, Joe Walbert and Mike Kirk, senior information security analysts with TIAA, explained how they and their team use Recorded Future as part of a holistic threat intelligence program to promote security awareness while giving the organization the tools to proactively, effectively, and efficiently identify threats.

TIAA is the leading provider of financial services in the academic, research, medical, cultural, and government fields, with $854 billion in assets under management.

Enhancing Security Awareness

Walbert began the webinar by explaining that threat intelligence teams can assist security teams with awareness campaigns by providing information about threats that resonate with multiple audiences inside the organization, both technical and non-technical. He said that sharing relevant security stories with cyber contacts at TIAA pays large dividends.

External reference monitoring, he continued, helps them identify information that might pose a threat to the business. Technical indicators, sensitive information such as leaked passwords or usernames, and reference publish times can all be analyzed and correlated within Recorded Future to alert on potentially impactful future threat actor activity.

Kirk next shared how, through Recorded Future, organizations can monitor external references from social media, news stories, forums, etc. related to domains.

Recorded Future empowers users to monitor the open, deep, and dark web for credential leaks.

This search returned a rather large pool of results, but Kirk continued to demonstrate how Recorded Future provides the ability to further refine results. The number of references for a given URL then begins to bubble certain stories to the top of the list, helping threat analysts focus on what really matters to the organization. These “relevant contextual news stories,” said Walbert, “whether they’re technical or non-technical, will promote security awareness and let your organization’s employees get a sense of the threats and trends within a global context.”

Bringing Imminent Threats to the Forefront

The pair then demonstrated the Recorded Future API and how TIAA uses it to automate the application of threat intelligence. Using the API, analysts will “begin to see patterns emerge that may be included in strategic planning efforts.”

TIAA uses real-time threat intelligence from the web for proactive event alerting.

Kirk also reviewed an approach to identifying all new vulnerability events reported within a given time period. The ability to focus in on a specific timeframe can offer up a clearer picture to threat analysts, and help them warn the organization about imminent threats.

Again, showing a query in Recorded Future, Kirk selected an event against a vulnerability and identified CVE to search within a source set for the NVD. This provided an authoritative list of vulnerabilities published within a certain period which could be exported and used to develop a threat framework and tracking mechanism for all related CVEs that a threat analyst could review, process, and rate.

Intel Cards for IP addresses, hashes, and vulnerabilities have risk scores.

Intel Cards include the latest information about a CVE published by NIST NVD.

This section summarizes other entities reported together with the primary entity for the Intel Card.

Intel Cards include a timeline(s) of entity reporting for the last 60 days.

Additionally, Walbert showed Recorded Future’s alerting feature, which helps with “a programmatic approach” for vulnerability intelligence.

Turning Data Into Threat Intelligence

Kirk and Walbert wrapped up with a demonstration of how TIAA uses the Recorded Future Intel Cards and partner integrations to cross-correlate events and find additional situational awareness and context for threat indicators.

Intel Cards supply an on-demand summary of essential information related to a specific IP address or CIDR.

Intel Card Extensions provide complementary threat intelligence from other security providers.

The key, said the analysts, is to understand how an organization can operationalize and integrate threat information “to work smoother, faster, better, smarter, etc.” They continued to say that, by integrating with the Intel Cards and applying different available data sets, an organization’s analyst or incident responder is “better armed.”

To learn more about how Recorded Future is helping TIAA with situational and security awareness, watch the full presentation.

The post How TIAA Uses Threat Intelligence to Enhance Security Awareness appeared first on Recorded Future.

from Recorded Future http://ift.tt/2bW0q4x

via IFTTT

Activity Based Intelligence, or ABI, is an intelligence methodology developed out of the wars in Iraq and Afghanistan used to discover and disambiguate entities (e.g., people of interest) in an increasingly data-rich environment (most of it unclassified and open source). It is geospatial in nature, because it seeks to link entities and events through their locations, rather than by text.

ABI has four main ideas — or pillars — which form the basis of how to understand and use data to discover unknowns.

In their ground-breaking book, Activity Based Intelligence: Principles and Applications, Vencore Director of Analytics, Patrick Biltgen and my good friend and former colleague, Stephen Ryan summarize the four pillars as follows:

Georeference to Discover: focusing on spatially and temporally correlating multi-INT data to discover key entities and events; Data Neutrality: the premise that all data may be relevant regardless of the source from which it was obtained; Sequence Neutrality: understanding that we have the answers in the data collected at any time to many questions we do not yet know to ask; and Integration Before Exploitation: correlating data as early as possible, rather than relying on vetted, finished products (from single INT data), because seemingly insignificant events in a single INT maybe be important when integrated across multiple INTs.

In his keynote speech at GEOINT 2016, the director of NGA, Robert Cardillo, stated that his challenge to NGA is to succeed in the open. Mr. Cardillo also called for the rejection of “outdated ideas about the value of open source data.” ABI analysts have long rejected those ideas and demanded better access to OSINT because we adhere to the pillar of Data Neutrality.

We KNOW that the web offers a wealth of information, but heretofore, its size and scale presented a number of challenges to an analyst, namely that data from the web is unstructured, vast, and lacks context, making it difficult to collect and process. After overcoming the issue of accessing the world wide web safely, the next question we faced was, “where do I even start?”

In this blog post, I will focus on how Recorded Future complements the Data Neutrality pillar through structured open source intelligence, or OSINT.

How Recorded Future Structures the Web

Recorded Future is inherently data neutral, as we value the intelligence that we glean from the breadth of our coverage. Our intelligence engine harvests data from over 750,000 (and growing) sources of data — all unstructured text — in the open, deep, and dark web.

This data is then given structure by the automated creation and recognition of entities and events — terms all ABI analysts understand — which can be anything that we want to discover, understand, and resolve.

Of note, in Recorded Future, these terms are broader than in the traditional ABI lexicon, as they include proxies, locations, and transactions (such as Twitter handles, threat actor groups, or locations in the geopolitical realm as well as things like IP addresses connected to domains, phishing emails delivering malware, and exploits in the cyber domain).

When Recorded Future ingests a reference from the web (e.g., something that somebody posts on the internet, whether via Twitter, information security blog, or forum) it catalogs that data point around the entities and/or events. We accomplish this through machine learning and natural language processing — meaning that collection and processing of data is automated.

What this does is not insignificant; first, it takes the burden of collection and processing of data off of the analyst (which I can tell you from experience can take an inordinate amount of time and bandwidth). Second, it creates an ever-increasing pool of data points of which an analyst can query for and be alerted to specific information. Queries like these might include:

• “Give me all domains ever used with X piece of malware.”
• “Show me all tweets with negative sentiment within a one-kilometer radius of X location.”
• “Show me all tweets and foreign news reports referencing X military equipment and specific hashtags throughout X location.”
• “What are the latest zero-day exploits being discussed in criminal forums.”

Anonymous Hunting

Finding this information quickly, persistently, and comprehensively through traditional internet search engines or from a handful of favorite open source sites is nearly impossible.

Recorded Future mitigates this challenge for the analyst, enabling access to the wealth of information safely and efficiently, through cloud technology, data encryption, two-factor authentication, and decoupling user information.

This means that an analyst can be on the unclassified web — a must for truly utilizing OSINT’s potential — and do so comfortably knowing that one’s presence and searches are protected.

Dark Web Sources

Let’s not gloss over Recorded Future’s coverage of deep and dark web sources.

There is a wealth of information in these areas (such as black markets and criminal forums) that any standard internet search engine, or OSINT analyst for that matter, is unable to access. The “chatter” on these sites holds myriad clues for analysts that could potentially connect the dots in a variety of intelligence issues. To then enable analysts access to this kind of information without having to actually go to these sites is nothing short of revolutionary.

Multiple Languages

You might be thinking, what if these sites are in foreign languages?

Recorded Future has you covered with our natural language processing, or NLP. Currently, we natively process data in seven languages — English, Spanish, French, Russian, Farsi, Chinese, and Arabic — with two more languages on the horizon. This means that Recorded Future understands what is being discussed and can pick up threat information in these languages.

Furthermore, we provide a mechanism for in-platform translation, so if you see a reference written in Chinese, you don’t have to go out to Google Translate, you can simply click the Translate button right from within the platform.

Multi-Year Archive

In a nod to Sequence Neutrality, where the answers to our intelligence questions might be held in the data we collected previously, Recorded Future maintains a repository of six years’ worth of data. This allows an analyst to query historical data when another data point leads him or her there, and potentially find the key to unlock previously unanswered questions.

Finally, in response to Mr. Cardillo’s challenge to the companies showing at GEOINT to offer more trial accounts and API keys, Recorded Future provides no-cost “pilots” for prospective clients and the ability to purchase an API token to pull in data.

How would this look? In the most traditional interpretation, structured, georeferenced data would be pulled from Recorded Future’s data repository and incorporated into a single GIS framework — such as ArcGIS — for correlation with data from other “INTs.”

Conclusion

This sort of access to all parts of the web that I have described above has never before been possible, which is why I am so excited about this technology.

Fortunately, I was able to represent Recorded Future at GEOINT 2016 and explain to GEOINT officers how our technology enables ABI analysis.

ABI requires access to all available sources of data; access to OSINT is a mandate for today’s threat intelligence capability. Analysts must be able to observe human activities, networks and relationships, and events and transactions across all domains of the operational environment. Recorded Future is an enabling technology — one that provides analysts the access to structured data on the open, deep, and dark web. Indeed, as those outside of government begin to understand this methodology, the technologies that enable analysts such as those developed by Recorded Future will be key to success across industry.

The recently announced partnership between Recorded Future and Vencore will “leverage the OSINT collection capabilities of Recorded Future in support of Vencore’s mission to support and integrate technologies, tools, and data sources” in support of ABI and other advanced analytics like Object Based Production, or OBP.

Stay tuned for my next blog post about how Recorded Future complements OBP!

The post Enabling OSINT in Activity Based Intelligence (ABI) appeared first on Recorded Future.

from Recorded Future http://ift.tt/2bRbr83

via IFTTT

Every hour of every day you are either hunting or being hunted. The only question you have to ask is which side do you want to be on?Eric Cole, PhD, SANS Analyst and Network Security Expert

86% of IT professionals say that their organization is now involved in some kind of threat hunting. Today, businesses are increasingly looking to combine an effective defense against attackers with proactively identifying the tactics, techniques, and procedures (TTPs) of threat actors.

Traditionally, investments would be made in technology and security professionals expected to work with that technology to defend a network. Moving to a posture we would describe as an active cyber defense is driving a change to the role technology plays in combating risk. A finer balance between the skills of people and the capabilities of technology must be struck if threat hunting is to become de facto in cyber security strategy.

IT security professionals recognize that their goal is no longer just to respond and stop threats but also to find adversaries already in the network. Most organizations are investing effort in this way already and it certainly helps to minimize the amount of damage and loss caused by an attacker. But responding to known indicators of compromise (IOCs) to identify threats is just the start of what’s possible with the right threat hunting people and tools in place.

To illustrate this point, seasoned computer security professional David Bianco created the “Pyramid of Pain.”

What the pyramid is showing here is although adversary TTPs are the most difficult indicators to detect and verify, they’re also the most useful for implementing new security controls.

Recorded Future can be used for powering proactive analysis of new threat actors and TTPs, including identification of new and evolving malware and exploit kit modifications as well as applying intelligence from criminal forums.

Recent improvements in Recorded Future technology are based on a simple methodology for alerting on potential new TTPs:

1. Maximize (wide) the hunting criteria
2. Minimize (narrow) the context

Maximize: Hunting Criteria

We’ve created broad lists of hunting terms and formalized them as recognized entities in Recorded Future. These entities belong in one of five current categories which represent individual ontologies:

• Technology building blocks
• Malware
• Fraud
• Red team
• Control systems

Each ontology is a good place to start hunting, depending on the topic of interest. “Technology building blocks” is the widest set of criteria (terms apply to technologies, programming languages, protocols, etc.) but will also ensure wider coverage of potential new TTPs.

Minimize: For Best Context

Now we can constrain the ontologies above to the most granular media types and languages in Recorded Future to produce maximum fidelity with minimum noise.

For example, we alert on the red team ontology daily, but only within forums, paste sites, and code repositories because that’s where TTPs are most likely to appear. We can further constrain the context by adding a second criteria which is language.

So for the red team ontology, we alert daily on paste sites in multiple languages separately (including Arabic, Farsi, French, Spanish, Russian, Chinese, and English). We do the same for forums and code repositories. If all seven language alerts fire across all three media types then we receive 21 alerts for that ontology.

Below are a couple of examples to show this methodology in action.

The alert above is configured specifically for malware entities that appeared in a forum(s) AND were written in Farsi (in the past 24 hours). This particular alert fires a few times per week, is extremely high fidelity, and easy to review quickly. In this case, the new Remcos RAT was identified because of references to the “Delphi” and “Encryption” entities.

In this second example there are a greater number of references (in the full alert), but also potentially useful information in the form of an Iranian website (twff.ir) that was successfully attacked via SQL injection by a group of Saudis who posted the resulting database to Pastebin.

English language alerts are obviously the largest and when combined with “technology building blocks” and any media type (forums, paste sites, or code repositories), there are a greater number of results requiring analysis.

If you have the analyst horsepower to review daily TTP alerts, these ontologies will produce new TTPs. The ontologies aren’t set in stone, they’re merely pre-configured starting points. You can add or subtract from the ontologies as you see fit to refine your own hunting methodologies.

Read our previous blog post to see how this methodology has been used to uncover and analyze Cknife, a new web shell originating in China.

Get Started

Would your security team benefit from understanding threat actor TTPs? See this alerting improvement in action today by requesting a demo of Recorded Future.

The post Turbocharge Your Threat Hunting Capability With Intelligent TTP Alerting appeared first on Recorded Future.

from Recorded Future http://ift.tt/2bGfEyo
via IFTTT

Over the past few years, cyber security has made its way onto every organization’s radar. Hardly a week goes by without another high-profile breach, and with each new headline cyber security budgets across the globe are growing ever larger.

But unfortunately, simply spending more money isn’t enough. To avoid the cost and embarrassment of a data breach, you’ll need to understand your adversaries.

Most threat actors fall within four main groups, each with their own favorite tactics, techniques, and procedures (TTPs). By gaining a deeper understanding of threat actors, you’ll be able to assign your cyber security budget to fund the right activities.

Cyber Criminals, Organized and Otherwise

When thinking about cyber criminals, many imagine some nerdy hacker sitting in his mom’s basement eating potato chips. This couldn’t be further from the truth.

These days cyber crime is far more organized than ever before, and last year it even overtook the drug trade to become the most profitable illegal industry. To give you some idea of scale, it’s estimated that victims in the U.S. paid over $24 million in 2015 to groups using ransomware trojans, and that’s just one attack vector.

These groups are well equipped, well funded, and they have the tools and knowledge they need to get the job done. But to really understand cyber criminals, you just need to know one thing: their motives.

Overwhelmingly, cyber criminals are interested in money. Either they’ll use ransomware to extort money from you, or they’ll steal data that can be sold via dark web markets.

Common TTP

Right now, cyber criminals are all about mass phishing campaigns. It’s low cost, easy to pull off, and promises a truly staggering return on investment. Sure, spear phishing is still a big concern, and it’s much harder to defend against, but for pure bang-for-your-cyber-criminal-buck nothing beats a good mass phish.

Typically these campaigns are used to deliver malware payloads (often ransomware), and emails usually include a strong social engineering component. For instance, recipients are often asked to open or forward attachments such as office documents which in turn activate malicious software when opened.

How to Defend Against It

Keep in mind the cyber criminal’s focus on profit. If they can’t convince you to pay a ransom or sell your data, you’re useless to them.

Since phishing is the current weapon of choice for cyber criminals, the best defenses are email filtering and authentication systems. By scanning all incoming and outgoing email for suspicious content (e.g., executable files, “spammy” language, or similarity to previously intercepted emails), you’ll be able to block and quarantine the vast majority of malicious spam. High-quality threat intelligence is extremely beneficial here, as it can be used to constantly improve spam filters and prevent the latest phishing emails from finding their mark.

Equally, some phishing emails originate from domains and IPs that are easily blocked. Using technologies such as Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) will help you avoid a lot of headaches.

Hacktivists

Unlike cyber criminals, hacktivists are generally not motivated by money. Instead, they have a burning rage inside them that for whatever reason has been directed at you.

Remember the stereotypical hacker we mentioned earlier? A hacktivist could easily fall into that mold. They often work alone, making their attacks extremely difficult to predict or even respond to quickly — but don’t underestimate them.

Many hackers, ethical or not, are actively involved with the cyber security industry in some capacity. But whether they’re a network administrator, a mid-level IT guy, or even a college student, there’s no way of knowing in advance who they are or when they’ll strike.

Of course it’s difficult to really pin down a hacktivist’s motives in advance, but it is possible to predict their actions. Since they aren’t interested in money, hacktivists are usually in the business of cyber vandalism. If they do aim to steal your data, it’s probably because they expect to find something incriminating, or simply wish to cause you embarrassment.

Common TTP

According to Control Risks, hacktivists overwhelmingly favor attacking websites. Since its website is often the most publicly facing aspect of an organization, this makes perfect sense.

But how do they do it? Well, for many years now, DDoS (distributed denial of service) attacks have been a firm favorite. To initiate a DDoS attack, a hacktivist must first take control of a large number (usually thousands or tens of thousands) of computers, which they typically achieve by using malware spam campaigns.

Once they have control, the hacktivist will use his “botnet” to repeatedly send simple requests (e.g., viewing a webpage) to a specific website over and over again.

The amount of traffic generated by a DDoS attack can be truly staggering, and often leads to site crashes and large hosting bills for the website owner.

How to Defend Against It

Defending against DDoS attacks isn’t easy. First, you’ll need your incident response planning to be spot on. Not only that, you’ll need to identify the signs of DDoS attacks early on, and give yourself the best possible chance to mitigate the attack before it reaches its inevitable conclusion.

Finally, there are a number of DD0S mitigation products and services on the market, so give serious consideration to investing in one of these.

State-Sponsored Attackers

In recent years, we’ve all heard a lot about state-sponsored attacks and cyber espionage. In reality state-sponsored attacks are far less common than cyber crime and hacktivism, but they are nonetheless a real and concerning trend.

Unsurprisingly, state-sponsored attackers aren’t usually interested in your money.

At least, not directly.

Instead, they want your data, and that means gaining sustained access to your IT infrastructure. If your organization operates in a particularly sensitive market where proprietary data is jealously guarded (e.g., technology, pharmaceuticals, or finance), you’re at a greater risk of gaining the attentions of a state-sponsored hacking group.

Common TTP

Since state-sponsored attackers need long-term access to your IT infrastructure, their preferred TTP is known as the advanced persistent threat (APT). Unfortunately, this term is less precise than you might hope.

In essence, because so much is on the line, state-sponsored groups will often work on multiple attack vectors simultaneously, even if they already have access to your infrastructure. In this way, they can collect sensitive data over a long time period, rather than simply performing a smash-and-grab operation.

Sadly, although the average time to detect a breach fell substantially last year, it’s still in the region of five months. Needless to say, nobody wants a state-sponsored hacking group intercepting their private data for even a day, so five months is clearly too long.

How to Defend Against It

Since APTs make use of multiple attack vectors, there’s no single security silver bullet to keep your organization safe. Instead, you’ll need to build a strong, consistent, and ongoing security program that includes both the fundamentals (e.g., vulnerability and patch management) and the more advanced (threat intelligence).

Effective cyber security is a marathon, not a sprint, so if you’re starting from scratch you certainly won’t be able to do everything. Focus on building up your cyber security program one piece at a time, and always look for ways to improve.

Ultimately, even with state-sponsored groups, if you can make their job really difficult, there’s a good chance they’ll go elsewhere in search of easier targets.

The Insider Threat

Don’t be fooled into thinking that all insider threats are the same. Some are simply normal employees who want to be helpful and end up giving away sensitive data to the wrong person. Others feel maligned by their organization, and want to get their own back. Still more are real user accounts which have been compromised by an external attacker.

But whatever their circumstances or motives, insider threats are dangerous, and often hard to spot.

They may aim to vandalize assets as a form of revenge, steal proprietary assets for resale on the dark web, or simply send sensitive data to anybody who asks. And the hard part, of course, is distinguishing these actions from all the legitimate activity that occurs every day on your network.

Common TTP

Although insiders do sometimes commit acts of vandalism, information is usually their target. Insider threats have led to some of the largest data breaches in history, so protecting confidential data should be your organization’s primary concern.

How to Defend Against It

First off, your well-meaning employees should be at the top of your list. Most people want to be helpful, and this trait can be (and often is) abused by hackers to achieve their goals. Security awareness training is an absolute must here, because after all, you may have disgruntled employees, but you’ll always have gullible employees.

For compromised or malicious insiders, a different tactic is needed. Since they’ll be looking for sensitive data, using honeypots in combination with user behavior analytics will enable to you identify those users who are actively searching for data they shouldn’t have.

And once you’ve identified them, you can follow their behavior more closely, and quickly put together the evidence you need to confront them.

Whatever You Do, Be Proactive

When building your cyber security capability, understanding your adversaries is essential. And of course, you can’t develop a security capability that only considers a single type of threat actor.

The best cyber security capabilities in the world belong to organizations that take proactive steps to stay ahead of their attackers. They develop a detailed knowledge not only of their adversaries, but also of the latest and greatest threat actor TTPs. With this information, they constantly improve their security mechanisms, and search for new ways to identify, track, and repel attacks.

If you’d like to take a more proactive approach to cyber security, download our popular white paper written by industry expert Levi Gundert titled, “Understand Your Attacker: A Practical Guide to Identifying TTPs With Threat Intelligence.”

This guide will help you gain a deeper understanding of the different threat actor TTPs that you’ll likely be facing in the coming months and years. And from there, you can proactively build a cyber security capability that your organization can be proud of.

The post Proactive Defense: Understanding the 4 Main Threat Actor Types appeared first on Recorded Future.

from Recorded Future http://ift.tt/2bKAR7N
via IFTTT