Thinking you might have a problem and knowing you’ve got a problem are two very different things. Which is why threat intelligence has become such a massive market in its own right, with off-the-shelf security products and services reputed to have created a global market worth over £585 million in 2014, according to IDC.
Good threat intelligence is highly prized but paid-for solutions are expensive, making it hard to justify expenditure. This creates a kind of chicken and egg situation. How do you track or quantify risks to the organisation without the technology to do so? Without that knowledge, how do you focus security spend, or equate the value of that spend? Are you addressing real threats or shooting in the dark?
Relying on external sources for threat intelligence also tends to create a reactive strategy, so the organisation is immediately operating defensively rather than creating its own threat intelligence. Unfortunately, this is where we are today, with many organisations struggling to justify investment and relying upon external sources for generic threat intelligence that may or may not be relevant.
Recognising an opportunity for sharing threat intelligence, Facebook has just announced its intention to launch a new social media network for cyber security professionals called ThreatExchange (it uses ThreatData, already used to detect threats on Facebook’s own site, and similar mechanisms used by partners Yahoo! and Pinterest). The API-based platform will bring a whole new meaning to the term ‘social security’, enabling users to share information on malware and phishing attacks and connect with others in similar fields with opt-in closed group access.
Yet platforms already exist for sharing this type of real-time intelligence, with the likes of VirusTotal allowing users to exercise their social conscience and publish exploits and test suspicious files or URLs in a self-governing community.
ThreatExchange may be free, it may be community driven, and it may have the backing of some major social media platforms behind it. But is it replicating what we already have? And how much value is there in generic reactive intelligence, particularly in a world where malware is becoming more targeted?
Undiscriminating attacks are now on the wane, with reports suggesting that certain sectors – notably legal, entertainment and retail – are seeing more APTs (advanced persistent threats), which use slow burn tactics to discreetly infiltrate the business.
Similarly, spear phishing is replacing generic phishing as the email attack of choice, with the attacker researching and profiling suitable candidates to target within the organisation. Both attacks are highly targeted and engineered to exploit the vulnerabilities of a specific organisation or sector.
Any intelligence worth its salt therefore needs to be context-based. That may sound like wishful thinking, or you may think it would require a ruinous spend on technology, but gathering real-time threat intelligence is surprisingly easy. Ironically, it’s the very social media platforms now vying to publicise threat intelligence that tend to provide the best bait for gathering information. The social media profiles used on Facebook, Twitter and LinkedIn can just as easily be used to create bogus identities for staff that work in the organisation and trap all sorts of nasties.
Social media platforms make the ideal environment to create a company-specific honeynet. They’re cheap to create, monitor and maintain, particularly if you use bots to sustain them. Take the time at the beginning, when you create the profiles, to ensure they’re convincing. Make the fake roles relevant to the intellectual property or valuable content held by the company, such as those that handle credit card data, customer records or business performance data. Establish connections, do status updates and give the shadow staff legitimate company email addresses and you will soon begin to attract spear phishers.
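The decoy mailboxes handed to the shadow staff are the collection point for this honeynet: no legitimate colleague ever writes to a fabricated employee, so any mail that lands there is a lure worth triaging. The following is an added example, not code from the article or from Pen Test Partners; the decoy addresses, the `.invalid` sender domain and the sample message are all constructed.

```python
import re
from typing import Optional
from email import message_from_string, policy

# Hypothetical mailboxes given to the fabricated "shadow staff" profiles.
# Their fake roles mirror the data an attacker would want (card data, CRM).
DECOY_ADDRESSES = {
    "j.harris-finance@example.com",  # fake finance role
    "m.okoro-crm@example.com",       # fake customer-records role
}

URL_RE = re.compile(r"https?://[^\s<>\"']+")

# Constructed sample of a spear-phishing lure sent to one of the decoys.
SAMPLE_LURE = """\
From: "IT Service Desk" <helpdesk@exarnple-it.invalid>
To: j.harris-finance@example.com
Subject: Urgent: payroll portal password expires today
Content-Type: text/plain; charset="utf-8"

Hi Jane, please re-validate your login at http://exarnple-it.invalid/login before 5pm.
"""


def analyse_decoy_mail(raw_message: str) -> Optional[dict]:
    """Return an alert record if the mail targets a decoy address, else None.

    The record keeps the lure's raw indicators (sender, subject, links,
    attachment names) so an analyst can pivot on them.
    """
    msg = message_from_string(raw_message, policy=policy.default)
    recipients = {addr.addr_spec.lower()
                  for header in ("To", "Cc")
                  for hdr in msg.get_all(header, [])
                  for addr in hdr.addresses}
    hit = recipients & DECOY_ADDRESSES
    if not hit:
        return None  # real staff mail: not the honeynet's business
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part else ""
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else None
    return {
        "decoy": sorted(hit),
        "sender": sender,
        "subject": str(msg["Subject"]),
        "urls": URL_RE.findall(body),
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
    }


if __name__ == "__main__":
    print(analyse_decoy_mail(SAMPLE_LURE))
```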
When it comes to deducing what specific attacks are popular or what vulnerabilities are most often exploited, honeypots are a great source of intelligence. A honeypot is simply a server created to look vulnerable, but isn’t. They vary from high interaction (used to study hacker behaviour, they trap individual keystrokes and feed false information) to low interaction (used for attracting worm activity and mass scanning, they look for one type of anomalous or malicious activity and quantify it). A good commercial use is a fake mail server, to attract and tar-pit spam.
The attacker will typically seek to set up a back door to an interesting network, possibly using a zero day vulnerability, before searching for data. This will require a certain amount of network traversal, which means port scanning from system to system, and running exploits to steal credentials. When the attacker scans for vulnerabilities it will trigger an alert, informing you a hacker is on the internal network.
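The alert described above, as an added example rather than anything from the article: a low-interaction honeypot only needs to record who connected and to which port, and a collector can then tell a single stray touch from a port scan (one source hitting many ports within a short window). The log format, the addresses and the thresholds are all assumptions; the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of a honeypot connection log (format assumed): one line
# per accepted TCP connection. Nothing legitimate should ever appear here.
HONEYPOT_LOG = """\
2015-02-12T09:14:01 src=10.20.30.7 dport=22
2015-02-12T09:14:01 src=10.20.30.7 dport=80
2015-02-12T09:14:02 src=10.20.30.7 dport=443
2015-02-12T09:14:02 src=10.20.30.7 dport=445
2015-02-12T09:14:03 src=10.20.30.7 dport=3389
2015-02-12T09:14:03 src=10.20.30.7 dport=8080
2015-02-12T09:20:45 src=10.20.30.55 dport=445
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<port>\d+)$")


def parse_log(text):
    """Yield (timestamp, source, port) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["src"], int(m["port"])


def detect_scans(text, min_ports=5, window=timedelta(seconds=60)):
    """One alert per source: 'scan' if it touched >= min_ports distinct
    ports within `window`, otherwise 'touch' (still worth a look)."""
    by_src = defaultdict(list)
    for ts, src, port in parse_log(text):
        by_src[src].append((ts, port))
    alerts = []
    for src, hits in by_src.items():
        hits.sort()
        scan_ports = None
        for i, (start, _) in enumerate(hits):  # sliding window from each hit
            ports = {p for ts, p in hits[i:] if ts - start <= window}
            if len(ports) >= min_ports:
                scan_ports = sorted(ports)
                break
        alerts.append({
            "src": src,
            "kind": "scan" if scan_ports else "touch",
            "first_seen": hits[0][0].isoformat(),
            "ports": scan_ports or sorted({p for _, p in hits}),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_scans(HONEYPOT_LOG):
        print(alert)
```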
A word of caution though: the honeypot should be isolated, and not placed anywhere near the corporate network. Also, if you’re not comfortable collecting malware, there are several online sources available, such as the Honeynet Project. But do take care to isolate these samples or this code could create real problems.
Armed with this DIY threat intelligence, the CSO can then make a case to the board by demonstrating the existence of real threats, and the value to be had in addressing these. This initial evidence can then be used to secure budget and investment in threat intelligence solutions that can effectively monitor areas of vulnerability.
DIY threat intelligence will of course only get you so far. Iterative intelligence, a term coined by IDC to describe threat intelligence that is community-based, with the benefit of historical and predictive threat profiling, is where the technology is heading. But to get us there, organisations need to prove threats are real and spend is justified.
Constructing a social media honey trap is a more than worthwhile investment of time and resource. It may not be quite what Facebook had in mind, but it’s certainly a great way of using social media to share threat intelligence and improve security.
Sourced from Ken Munro, Pen Test Partners