September 13, 2016
Joe Franscella

A Brief History of Threat Analytics

<p>The field of cyber-security intelligence progresses by striving for an automated means of identifying attack patterns before a breach occurs. The market was created by the great need of individuals and large enterprises to defend themselves against directed attacks, viruses, and insider threats.</p>
<p>The philosophies informing cybersecurity began before the internet itself. Encoding information to protect it is an ancient technique used by early societies. Interlopers work to penetrate these defenses, which are then bolstered. This cycle has prevailed from ancient societies, through the world wars, and continues into the private and international hacking intrigues going on today.</p>
<p>Early dangers were delivered via floppy disk, as few computers were linked. Not long after the Internet became usable to early adopters, someone found a way to exploit its power. The first viruses replicated themselves and later were made to copy, destroy, or leak data.</p>
<p>A large-scale financial hack made the news headlines in the 1990s. The response to the $20 million financial hacking crisis was heard across the world. Both data holders and hackers realized the power hackers possess and their potential for damage. Malware and phishing attacks became more prevalent, and the makers of security platforms stepped up their efforts.</p>
<p>Firewalls and SIEM tools create a perimeter that alerts users to many signs of trouble. These tools can block traffic from unknown or suspicious sources. Known malware programs can be identified and “scrubbed” from a computer if the definitions have been created and are in place. These tools rely on a traffic log in addition to the definitions. As hackers continued to find more system vulnerabilities and code more malicious tools, they also began spacing out their attacks to avoid tripping those alerts. Soon after that, platforms began keeping longer logs. The cycle persists.</p>
<p>Having an impenetrable perimeter around your network was once the gold standard for network security. Given the ease with which hackers can crack a weak password or execute a successful phishing campaign, the great-wall model has gone out of vogue. Different methods for identifying threats were developed using a hybrid of traditional investigation tactics and shrewd programming. A threat intelligence platform relies on multiple data sources that are analyzed together to produce informative, actionable alerts.</p>
<p>Honeypots were first conceptualized by a researcher. These digital deception traps appear to be exploitable environments, but they are actually designed to waste hackers’ time and fool them into incriminating themselves. This is a very powerful tool that can now be downloaded free of charge as the Modern Honey Network (MHN), an open-source project. The honeypots must be deployed properly to collect accurate portrayals of hackers and their activities. MHN was created to facilitate sharing of threat data and to make threat analytics accessible to more users. Analytics are only as good as the data they are based on, so there are initiatives to encourage IoC sharing.</p>
<p>Threat analytics are made possible by the volume of data collected. Signs other than cookie-cutter definitions have been recognized as precursors to a successful hack. Using evidence-based reasoning and input from actual hackers, Indicators of Compromise can be identified. These alerts become even more useful when the threat analytics platform is set up with your own assets, vulnerabilities, and adversaries in mind.</p>
<p>Early security software held all of this data locally and was brought up to date periodically with revised definitions from the vendor. As the <a href="{page_3232}">volume of reference data grows</a>, processing the threat analytics becomes a bigger job for whichever processor has to do it. 
New models exist for comparing client traffic logs to a list of known threats and for analyzing traffic patterns for other anomalies. The client logs can be uploaded to a central processor, or the library of threat definitions can be cloud-based.</p>
<p>By looking at the trajectory of research and analysis on hacking behavior, we see that challenges continue to arise. If threat analytics has taught us anything, it’s to look objectively at the bigger picture and be ready for anything.</p>
<p>The future will present continued challenges to cybersecurity professionals and the public who rely on them. If you haven’t already, find a dynamic threat analytics platform that can rise to the occasion.</p>
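Two points above, that definition-style checks match logs against a list of known threats and that attackers who space out their attempts slip past a detector that only remembers a short window, as an added Python example that is not part of the original post. The log lines, addresses (RFC 5737 documentation ranges) and the IoC feed are constructed for the demonstration.

```python
# Added example (not from the original post): an IoC lookup plus a sliding-window
# count over constructed log lines, showing why a detector with a short memory
# misses login attempts that are deliberately spread out over a day.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOGS = """\
2016-09-01T01:00:00 auth failed user=admin src=203.0.113.7
2016-09-01T07:00:00 auth failed user=admin src=203.0.113.7
2016-09-01T13:00:00 auth failed user=admin src=203.0.113.7
2016-09-01T19:00:00 auth failed user=admin src=203.0.113.7
2016-09-02T01:00:00 auth failed user=admin src=203.0.113.7
2016-09-02T02:05:00 proxy allow src=198.51.100.4 dst=bad.example.invalid
""".splitlines()

# Constructed threat list standing in for a vendor or community-shared IoC feed.
IOC_FEED = {"bad.example.invalid", "203.0.113.250"}


def parse_logs(lines):
    """Turn each line into a dict: timestamp, record kind, result, key=value fields."""
    events = []
    for line in lines:
        ts, kind, result, *fields = line.split()
        ev = {"ts": datetime.fromisoformat(ts), "kind": kind, "result": result}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events


def match_iocs(events, iocs):
    """Definition-style check: flag events whose src or dst appears on the feed."""
    return [ev for ev in events if ev.get("src") in iocs or ev.get("dst") in iocs]


def failed_login_sources(events, window_hours, threshold):
    """Sources with >= threshold failed logins inside any span of window_hours."""
    window = timedelta(hours=window_hours)  # the retention the detector can see
    by_src = defaultdict(list)
    for ev in events:
        if ev["kind"] == "auth" and ev["result"] == "failed":
            by_src[ev["src"]].append(ev["ts"])  # lines are already in time order
    flagged = set()
    for src, times in by_src.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop attempts older than the window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
    return flagged
```

With a one-hour window the five attempts spaced six hours apart never trip a threshold of five; with a 72-hour window the same source is flagged.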
