With significant data breaches making headlines over the last six months, most notably the U.S. Government’s Office of Personnel Management (OPM), organizations managing critical networks and data are watching their worst nightmares play out on a public stage. As these organizations hustle to shore up their defenses in the wake of new breaches, security intelligence is playing a large role in helping key decision makers cut through the glut of security information, and understand which threats are relevant. But how do analysts determine the relevance of a threat?
The indicators of compromise (IOCs) outlined in my last blog post can be used as a baseline for developing intrusion sets and tracking attack campaigns and threat actors. When launching an attack, threat actors use a variety of vectors and infrastructure, which Verisign iDefense analysts – as well as analysts across the cybersecurity community – correlate to group attacks, tracking actors and determining attack methods. Tracking and analyzing how an adversary targets your organization, and developing insight into their tactics, capabilities and intent, contribute to an organization’s effective risk mitigation strategy. Campaign analysis allows an organization to focus its monitoring, incident response procedures, training efforts and internal security controls more effectively on those assets and personnel that a threat actor will likely target for compromise.
I previously provided a brief overview of how Verisign iDefense characterizes threat actors and their motivations through adversarial analysis. Not only do security professionals need to be aware of the kinds of actors they are up against, but they should also be aware of the tactical data fundamentals associated with cyber-attacks, most commonly referred to as indicators of compromise (IOCs). Understanding the different types of tactical IOCs can allow for quick detection of a breach, as well as prevention of a future breach. For purposes of this overview, Verisign iDefense breaks IOCs into three distinct categories: email-based, network-based and host-based.
The threat landscape has rapidly expanded over the past few years, and shows no signs of contracting. With major establishments in both the public and private sectors falling victim to cyber-attacks, it is critical for organizations to identify the motivations, modus operandi (MO) and objectives of adversaries in order to adequately and effectively defend their networks.
Understanding the taxonomy of cyber-attacks is the first step in preparing an organization against exposure to them. Verisign iDefense Security Intelligence Services classifies cyber-attacks into three categories: hacktivism, cybercrime and cyber-espionage.
Verisign outlined its vision for a revolutionary new approach to Distributed Denial of Service (DDoS) protection by announcing the availability of the Verisign OpenHybrid™ architecture, which helps organizations protect their critical assets and applications across distributed environments from DDoS attacks, using a single solution. By integrating intelligence from a customer’s existing security defenses, Verisign OpenHybrid™ provides timely detection and restoration of services in the event of an attack, while providing increased visibility of DDoS threats across multiple environments such as private datacenters and public clouds.
In an earlier blog post on the topic, I noted the increasing scale and complexity of DDoS attacks, and the strong need for organizations to enable awareness and mitigation of attacks across on-premises devices, in addition to both public and private cloud environments, using standards-based open protocols.
Today we are pleased to announce two important updates in our path toward enabling open DDoS protection: the availability of Verisign OpenHybrid™ for Corero SmartWall TDS and Verisign OpenHybrid™ for customers hosted in the Amazon Web Services Elastic Compute Cloud.
The mission of defending an enterprise or organization today is a complex and challenging task. Our personal and professional attack surfaces have never been greater and they are only expected to grow as organizations and individuals continue to increase their reliance on the connected digital world for a variety of tasks. Security practitioners must protect not only their enterprise assets but also guard against threats to their supply chain and business ecosystem. This, coupled with the fact that the cyberthreat landscape continues to evolve in terms of actors, tactics and motivations, has created a perfect storm for organizations that must now move toward an intelligence-driven, holistic security approach in order to keep pace.
Throughout 2014, Verisign iDefense Security Intelligence Services witnessed cybercriminals increasing their focus on attacking mobile devices and point-of-sale systems, while global events continued to drive hacktivist activity and other operations in both frequency and severity. In addition, end-of-life and legacy operating systems continued to plague organizations’ office automation and industrial control system networks, including ATMs. This fundamental shift in the tactics, techniques and procedures (TTPs) used for cyber-attacks, as well as new tools, delivered a powerful combination of blended attacks that includes distributed denial of service (DDoS) attacks, malicious code obfuscation and detection evasion. In 2015, the security community’s continued vigilance and agility toward these changing cyber-attacks must be strengthened by partnering and sharing real-time, actionable threat intelligence as soon as it is detected.
I am thrilled to let you know that as of today, Risk I/O, a respected vulnerability threat management platform, will be leveraging Verisign iDefense vulnerability intelligence data as a part of its threat processing engine through a licensing agreement between the two companies.
As I have written in the past, intelligence-driven cybersecurity is critical for today’s ever-evolving cyberthreat landscape. Verisign iDefense vulnerability intelligence includes vulnerability, attack and exploit data, such as unpublished zero-day vulnerabilities, collected from over 30,000 products and 400 technology vendors around the world. This data will complement the threat processing of Risk I/O’s SaaS-based vulnerability threat management platform, which continuously aggregates attack data, threat data, and exploit data from across the internet, matching this data with customers’ vulnerability scan data to generate a prioritized list of vulnerabilities that are most likely to be exploited.
According to the Verisign 2014 Cyberthreats and Trends Report, cyber intelligence has matured from an industry buzzword to a formal discipline, which has implications for vendors and security leaders. As few as seven years ago, cyberthreat intelligence was the purview of a small handful of practitioners, limited mostly to only the best-resourced organizations—primarily financial institutions that faced large financial losses due to cybercrime—and defense and intelligence agencies involved in computer network operations. Fast forward to today, and just about every business, large and small, is dependent on the internet in some way for day-to-day operations, making cyber intelligence a critical component of a successful business plan. That said, there are a wide variety of ways organizations can go about creating a cyber intelligence program.
I have the unique opportunity to speak with clients and partners on this topic from a variety of different industries as a part of my support for Verisign’s Intelligence-Driven Security program. I’d like to share some pragmatic tactical and strategic approaches to sourcing and applying cyber intelligence that I have gleaned through these activities and my own experience. The following is a brief overview of six approaches, along with key considerations that can help organizations of all types create a cyber intelligence program, build and align to a desired strategy, and create frameworks that — if executed properly — can become a defensive force multiplier.