Every year, Verisign iDefense Security Intelligence Services produces its Cyberthreats and Trends Report, which provides an overview of the key cybersecurity trends of the previous year and insight into how Verisign believes those trends will evolve. The report is designed to inform cybersecurity and business operations teams of the critical cyberthreats and trends impacting their enterprises, helping them anticipate key developments, triage attacks more effectively and allocate their limited resources.
Throughout the course of my career I’ve been blessed to work with some of the most talented folks in the security and cyberthreat intelligence (CTI) mission space to create a variety of different capabilities in the public, private and commercial sectors. Before I came to lead the Verisign iDefense Security Intelligence Services team about five years ago, I had to evaluate external cyber-intelligence vendors to complement and expand the enterprise capabilities of my former organization.
At the 2015 Qualys Security Conference (QSC) in Las Vegas, Jayson Jean, director of iDefense Vulnerability Intelligence, and research engineer Rohit Mothe discussed the ways in which Verisign iDefense Security Intelligence Services has provided key context around public and zero-day vulnerabilities and, by association, helped customers make better-informed decisions around threat mitigation. A core concept of their talk is that threat mitigation often starts with recognizing software vulnerabilities and prioritizing their mitigation.
Managing risk can require difficult decisions about what to patch or mitigate now and what will have to wait, because most businesses operate under a “resource-constrained” model and lack the staff or funds to patch everything immediately. Making these decisions accurately and quickly requires the context that security intelligence provides.
Black Hat USA 2015 is behind us. Through all of the presentations, celebrations and meetings, one thing was very clear to me and the iDefense Security Intelligence Services crew in attendance: online security practitioners and their constituents face a more complex threat landscape than ever before. From some pretty intense software vulnerabilities to even scarier remote-control hacking of automobiles, the “bad guys” have some pretty serious tools at their disposal.
With significant data breaches making headlines over the last six months, most notably the U.S. Government’s Office of Personnel Management (OPM), organizations managing critical networks and data are watching their worst nightmares play out on a public stage. As these organizations hustle to shore up their defenses in the wake of new breaches, security intelligence is playing a large role in helping key decision makers cut through the glut of security information, and understand which threats are relevant. But how do analysts determine the relevance of a threat?
The indicators of compromise (IOCs) outlined in my last blog post can be used as a baseline for developing intrusion sets and tracking attack campaigns and threat actors. When launching an attack, threat actors use a variety of vectors and infrastructure, which Verisign iDefense analysts – as well as analysts across the cybersecurity community – correlate to group attacks, track actors and determine attack methods. Tracking and analyzing how an adversary targets your organization, and developing insight into their tactics, capabilities and intent, contribute to an organization’s effective risk mitigation strategy. Campaign analysis allows an organization to focus its monitoring, incident response procedures, training efforts and internal security controls more effectively on the assets and personnel that a threat actor is likely to target for compromise.
I previously provided a brief overview of how Verisign iDefense characterizes threat actors and their motivations through adversarial analysis. Not only do security professionals need to be aware of the kinds of actors they are up against, but they should also be aware of the tactical data fundamentals associated with cyber-attacks, most commonly referred to as indicators of compromise (IOCs). Understanding the different types of tactical IOCs allows for quick detection of a breach, as well as prevention of a future one. For purposes of this overview, Verisign iDefense breaks IOCs into three distinct categories: email, network and host-based.
The threat landscape has rapidly expanded over the past few years, and shows no signs of contracting. With major establishments in both the public and private sectors falling victim to cyber-attacks, it is critical for organizations to identify the motivations, modus operandi (MO) and objectives of adversaries in order to adequately and effectively defend their networks.
Understanding the taxonomy of cyber-attacks is the first step in preparing an organization against exposure to them. Verisign iDefense Security Intelligence Services classifies cyber-attacks into three categories: hacktivism, cybercrime and cyber-espionage.
It makes me cringe when I hear operators or security practitioners say, “I don’t care who the attacker is, I just want them to stop.” I would like to believe that we have matured past this idea as a security community, but I still find this line of thinking prevalent across many organizations – regardless of their cyber threat operation’s maturity level.
Attribution is important, and we as Cyberthreat Intelligence (CTI) professionals need to do a better job explaining across all lines of business and security operations how the pursuit of attribution, manifesting itself in adversary analysis, can be employed to improve an organization’s resource allocation and security posture.
The mission of defending an enterprise or organization today is a complex and challenging task. Our personal and professional attack surfaces have never been greater and they are only expected to grow as organizations and individuals continue to increase their reliance on the connected digital world for a variety of tasks. Security practitioners must protect not only their enterprise assets but also guard against threats to their supply chain and business ecosystem. This, coupled with the fact that the cyberthreat landscape continues to evolve in terms of actors, tactics and motivations, has created a perfect storm for organizations that must now move toward an intelligence-driven, holistic security approach in order to keep pace.
Throughout 2014, Verisign iDefense Security Intelligence Services witnessed cybercriminals increasingly focus their attacks on mobile devices and point-of-sale systems, while global events continued to drive hacktivist activity and other operations to greater frequency and severity. In addition, end-of-life and legacy operating systems continued to plague organizations’ office automation and industrial control system networks, including ATMs. This fundamental shift in the tactics, techniques and procedures (TTPs) used for cyber-attacks, combined with new tools, delivered a powerful combination of blended attacks that includes distributed denial of service (DDoS) attacks, malicious code obfuscation and detection evasion. In 2015, the security community’s continued vigilance and agility toward these changing cyber-attacks must be strengthened by partnering and sharing real-time, actionable threat intelligence as soon as it is detected.