December 31, 2014
Greg Martin

2015 - The Year of Empowerment

<p>It seems there isn't a day that goes by without the report of a new breach or security vulnerability that will "crash the Internet."  Over the last few years, many mainstream media reports have only further victimized and some industry experts are offering opinions without specific knowledge or fact. This response is counter productive and can limit strategic advancements in our industry.  </p><p>It is clear we may never know the full story about the recent breaches, but from this moment forward I'd like to challenge industry experts to share threat intelligence - IOCs, TTPs, and general education and at the same time, hold their tongue and admit if they don't have all of the facts to support a media story. I feel that empowering the larger information security community throughout 2015 will help drive long term adoption of new security practices and help us take back some ground that we've lost. </p><p>To begin,  we must understand that many of these breaches have been ongoing for some time and we’ve just begun to detect and respond effectively. Because of advancements in monitoring capabilities, tool-sets, and great work from Incident Response organizations such as <a href="">Crowdstrike</a>, <a href="">ISight Partners</a>, <a href="">Flashpoint Partners</a>, and many others, we have an opportunity to respond to the threat in a much more strategic way.</p><p>Over the past four or five years I’ve watched mature information security teams enhance their security posture by sharing and using threat actor data, commonly known as Indicators of Warning (IOW) and Indicators of Compromise (IOC). The concept of IOC’s isn’t new – however historically only a select few had interest in sharing. One of the more widely known initiatives to drive public IOC sharing is <a href="">Shadowserver</a>. This non-profit organization offers security organizations of any size reporting on infected hosts and poorly configured devices that affect the individual organization. Collectively, IOW’s and IOC’s can help kick-start an intelligence driven approach to security. However, IOW/IOC offerings are only part of the picture. A true intelligence capability also involves capable teams of individuals with a variety of disciplines. </p><p>I enjoy building layered teams. What works for some organizations may not work for all, however I've had the opportunity to work with some of the greatest and in my experience, these layered teams are the most successful.</p><p><strong>Analysts</strong></p><p>These are individuals who respond to and triage events feeds and alerts. They should focus their efforts broadly and have a number of tools at their disposal, IDS, IPS, Packet Capture Devices, SIEM, and Antivirus to name a few. Their job isn’t to look for the needle in the haystack; it’s to identify the haystacks that have the most needles. Typically I like to start new employees in this role, even if it’s only for a short time. The experience will help them develop normal traffic patterns and understand the organization. </p><p>MSSP’s and off site security workforce are great in this role and by focusing on new talent, the team is forced to document and understand observables in a way that makes the processes repeatable.</p><p>The most relevant and capable CISO I ever had the pleasure to work with took the opportunity to work a week along side a SOC Analyst when he started with the organization. He still visits the SOC regularly and works along side the analysts.</p><p><strong>Hunt Teams</strong></p><p>These individuals are generally more senior with the organization and have good experience with normal traffic patterns for the environment. They use this experience to identify suspicious behaviors such as VPN connections from Anonymous VPN providers or Hosting providers; Beacon Activity or suspiciously large data connections to odd IP space. Of course the Hunt Teams should also have the ability to automate their findings and push that automation back down to the analyst tier. Hunt teams are generally cross-staffed by engineers with capabilities that extend beyond traditional Blue Team. Many come from a Red Team/Pentest background and understand adversary techniques.  As a former hunter, DNS Time Traveling was my favorite technique for identifying badness. Passive DNS databases, such as <a href="">mnemonic PassiveDNS</a>, <a href="">Farsight’s DNSDB</a>, and <a href="">BFK</a> hold a wealth of knowledge that deserves a blog post of its own.</p><p><strong>Intelligence Specialists</strong></p><p>A smaller group of individuals that understand the who and why of various attack groups and are capable of spotting patterns to enhance the overall intelligence picture is a great addition to any team. I also task my intelligence specialists with monitoring the organizations supply chain. From DNS, Hosting and Email providers to SaaS applications, any external provider should be routinely monitored for signs of compromise. Lets face it, we all supply somebody; the more people who are constructively looking out for each other, the better. Furthermore, Intelligence teams should keep an eye out for competitor attacks. Chances are if an actor is interested in a competitor of yours, they are likely interested in you as well. Either you've been visited or eventually you will be.  </p><p>In my opinion, Intelligence specialists should be the communication channel between various organizations. They generally are a bit more paranoid and communicate information in a secure way, while maintaining a strong peer relationship with others in the industry. Many of the intelligence analysts are part of their industry related “Information Sharing and Analysis Centers” (ISAC) already, so the relationship is already developed.</p><p><strong>Incident Responders</strong> </p><p> Dedicated incident responders are a key resource, if your organization can afford them. At a minimum, an incident response coordinator should handle communication to leadership, track next steps and lessons learned. They should be cognizant of carefully following procedures such as chain of custody and evidence preservation that other security operators may not be familiar with. As the saying goes, its not if you'll have an incident, its what you'll do during the incident that matters. During an all-hands on deck event, I've observed many times that critical job functions are paused to support the event and other team members take on the role of incident responder. Responders should be careful not to leave an area unguarded due to an incident investigation.</p><p><strong>Management</strong></p><p>Information Security Leadership should strive to meet compliance related objectives while remaining proactive and forward thinking. A 25-mile per hour speed limit in an area where everyone is 18 and drives fast cars will never be effective. Balancing organizational and business needs with proactive strategies is key. Often times the management role is overlooked, however no one can empower the industry like the forward thinking managers. Breaches will not cease in 2015. Organizational response to the breaches will drive customer and investor confidence. The CISO's role is vital; he or she should be meeting with customers, investors and the board regularly, driving the intelligence and confidence of their world-class security team. </p><p><strong>Tools</strong></p><p>Depending on your environment, host based tools may not be beneficial. I've challenged every host-based vendor I work with to come up with an off-box solution to the problem they've solved with an on-box solution.  As we evolve to a single device for work and personal use (BYOD) and move towards more “Cloud” focused solutions like Desktop as a Service, the opportunity for asset tracking and host based management tools will diminish. Look forward to your organizations 2015-2016 predictions; do they involve less IT oversight and more self-reliance and user empowerment tools? </p><p>Threat Intelligence Platforms like <a href="">ThreatStream</a> act as a framework for managing indicator collection, dissemination and collaboration. We recognize the challenges facing an IPV6, BYOD, and the "Internet of Things" world we are approaching.  My team: ThreatStream Labs, is tackling those challenges head on and continues to look for new, innovative ways to make intelligence actionable, available in real time. By operationalizing the actionable indicators, we can help make your entire security team more efficient to identify that rogue insider or stealthy-previously uncategorized advanced adversary. </p>

Get the Latest Anomali Updates and Cybersecurity News – Straight To Your Inbox

Become a subscriber to the Anomali Newsletter
Receive a monthly summary of our latest threat intelligence content, research, news, events, and more.