Intelligence Powered Threat Detection

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
Hi.
I'm Mark Alba, chief product officer at Anomali.
And I'm joined today by Joe Gehrke, our solutions architect.
And we're going to give you an overview of what we call intelligence-powered threat detection.
As we talk to customers, we've identified some serious challenges that a lot of organizations see within their security framework in how they identify threats and detect threats.
And these challenges seem to be common across industries, across segments, across size of companies.
The first thing is that there's a lot of noise in a security organization.
And this is noise coming from security controls that are pushing out alerts, as well as global threat intelligence.
And because of all of this noise, the intent, the original intent of trying to find a strong signal of an attack, gets lost.
And so an important objective for any customer is that they make sure that any global threat intelligence that they leverage as part of their security practice is as relevant as possible and does not contribute to the alert fatigue that a SOC organization or an intelligence analyst may have by having to deal with all of these alerts.
The second challenge that a lot of our customers encounter is that, while you can identify a threat through global intelligence, you can get information on threats that have been newly discovered.
The reality is a lot of these threats have existed in the wild for quite some time.
They may be advanced persistent threats that have penetrated your network, and they're lying there dormant, waiting to strike at any time.
We call these smoldering fires.
How do organizations very quickly identify whether or not they've been impacted with a threat and go back in time looking at data to identify where that threat happened?
And what was the impact of that threat?
And how do they do that without having to spin up old data that may be sitting in archives, which is both costly from a compute standpoint but also from a resource standpoint?
The final customer challenge that we encounter is that throughout a security organization, there is a need for global threat intelligence.
But even with organizations that have a solid threat intelligence team in place, a lot of what they produce gets thrown over the fence and actually ends up being useless.
What I mean by this is that you can have a set of threat intelligence that may be appropriate for a CISO.
It may be high-level, giving you guidance on different types of threat actors, different types of attacks in different regions.
But if I'm a security engineer, what I care about are, what is the exploit code that's being used?
And can I use that exploit code to update my intrusion detection system signatures?
What are the mitigation strategies that I can take?
So, there's a need for customers to be able to use threat intelligence that's not siloed to a specific function but is actually built for that specific stakeholder in mind.
Threat intelligence today and how it's used to detect threats works pretty well, and it has worked pretty decently, but we can do a lot better.
So what does it look like today?
Threat intelligence gets developed by threat intelligence analysts.
It's either machine-readable threat intelligence or finished intelligence that gets pushed to the security operations center.
That security operations center is able to synthesize that threat intelligence to be able to provide guidance on security controls and changes that need to be made to security controls, as well as prioritizing on vulnerability management activity.
This is a one-direction process where the threat intelligence is being used.
But there's a gap in this process.
So, let's look at where we believe we should be taking this going forward in the future.
We believe this is actually bidirectional.
Starting with a threat intelligence team that's able to automate intelligence that's prioritized against intelligence initiatives that have been identified by that threat intelligence team.
Initiatives, things like looking at dark web, looking at specific malware, looking at specific actors, whatever is relevant to that specific organization.
Moving along, a security operation center is able to use a heads up display to monitor and prioritize that intelligence in real-time.
That's intelligence that they get in the dashboard that they have available at their fingertips.
So rather than waiting for a PDF finished intelligence report, they're getting it in real-time right in front of them.
And then a security engineer is able to get information from the SOC, which again is relevant to the task at hand.
They can receive course of action information like mitigation strategies, exploit code that can be leveraged as part of their daily activity to bolster their security posture.
But it doesn't stop there.
It's important for security engineers who are spending time with it to be able to expand on those intelligence initiatives based off of activity that they may be supporting within the organization.
So, for example, if a security engineering team is working with IT to expand the finance department with 10 new servers, there's going to be personal information on those servers.
Well, the organization has just expanded the attack surface.
That intelligence and the intelligence requirements associated with that new attack surface need to be pushed back to the security operations center.
The security operations center needs to be able to take that information to improve on their response strategies in order to be able to address those 10 new servers.
And then, finally, a threat intelligence team has to be able to take that new information.
What are those OSes?
What is that platform?
Who are the threat actors that would be potentially exploiting those 10 new servers and be able to expand those original prioritized intelligence requirements to include all of that information on the expanded attack surface?
This is our view of using intelligence to power threat detection.
And it really focuses on orchestrating intelligence all the way through a security organization and making sure that threat detection is relevant to that intelligence that has been identified on the global scale.
When we talk about threat detection, our focus is on leveraging that global intelligence at scale, using threat detection that can take an indicator of compromise that's been observed within an organization's environment, and very quickly match it against any sort of threat model, or other intelligence at a global scale.
There's also the need for layers of threat detection, including sandbox detection as well as domain generation algorithm detection.
And across global intelligence, there's a need to ensure that all of that data can leverage machine learning to provide guidance on severity scoring.
We also believe that a threat detection solution that is powered by intelligence needs to be extensible.
It needs to be able to provide for big data support on the backend so that threat intelligence can be quickly indexed and searched across a large period of time going back years.
And we also believe that the form factor, depending on a company's level of sensitivity to privacy of data, should vary from cloud-based to hybrid as well as on-premise.
And then finally, we believe that threat detection should be vendor agnostic.
We understand that a lot of organizations have different security controls in place, whether it's different vendors at the network, at the endpoint, or for identity management.
And a threat detection tool needs to go across all of those solutions.
So with that, I want to pass it over to Joe.
And he's going to give us a real use case of how to use Anomali threat detection to be able to identify threats that have been newly discovered on a global scale.
Take it away, Joe.
Thank you, Mark.
So, first, let's start by looking at the source of the threat intelligence.
And we'll use Sunburst as an example.
But just know that Sunburst is not unique in a lot of ways.
It's not unique in the number of indicators of compromise that are associated with it.
It's not unique in the notion that it had a long dwell time.
It certainly is unique in its sophistication and its impact.
But it shares a lot of those characteristics that are common across different malware families, different breaches.
And we see these being reported dozens and dozens of times every day.
So step one in this whole process, when our customers and their analysts are asked to answer that simple question, have I been impacted by Sunburst?, is to collect the intelligence in a usable way.
And a threat intelligence platform does just that.
When we're talking about detecting these sophisticated attacks, speed is absolutely critical.
We must get that intelligence immediately.
We must organize it in a meaningful way so that we can quickly operationalize this.
Without a threat intel platform, analysts could easily find the indicators of compromise associated with Sunburst.
There was no secret there.
They were widely published.
But there is plenty of manual effort that would be involved in collecting that information, putting it in a usable format, and then taking that out to the tools within the organization, and searching for incidents of those IOCs across maybe multiple tools, and perhaps even running into issues where you don't have enough data to even answer that question simply.
So, that's it for step one.
Getting the data in one spot, making it usable, and having to continuously update it.
Another important aspect of this is the continuous feedback and updating of intelligence over time.
We know that Sunburst is specific to a vulnerability found in SolarWinds software.
But there was a whole proliferation of different dropped malware that was used to further exploit some of that vulnerability.
Things like Teardrop, things like Cobalt Strike.
So I'm going to go through a few things here to show how customers can approach this question of have I been impacted using threat intelligence.
And there's a couple of ways that we do this at Anomali.
One would be allowing for that ad hoc nature: well, let me just go hunt for Sunburst in my environment.
And typically, that takes two approaches.
The first I would like to show is around our natural language processing lens component.
When you're looking at a blog as an example or any web page, there's going to be intelligence found on that page.
And we can quickly not only tell you what do we know about that intelligence but also have you been impacted?
Meaning, have I observed this in my own environment.
And this was very common for our customers back in December, to go to these blogs, to Microsoft, to others that had done research on this vulnerability and published those very early file hashes, the DGA-related domains.
And when reading this, you could click a button and instantly know, what do we know about this from the threat intelligence standpoint, and have I actually seen this inside of my own environment?
Here the answer is very clearly yes, I actually have seen this in my environment.
And now, all of a sudden, I have a pivot point, and I can view the details of the events that were cited.
So it's a very powerful tool to answer that question very, very quickly based on current news as it comes out.
So this is one ad hoc approach to answering that question.
The other ad hoc approach that's very common is to simply ask, within the Match solution, how have I been impacted by Sunburst?
And we can do that very quickly.
Here I'm just going to run a search against Sunburst, and it comes back instantly.
Yes, I have had impacts against Sunburst.
And if I drill into what that actually means, you'll see that we have executed a search against almost all of my historic event data.
This is, in this instance, a year plus.
And instantly, I'm returned with those results that say, well, we have seen one of those 3,000 IOCs or more across over
That is very powerful.
Not only from an analyst standpoint, because of the time savings, but now there is no communication failure between those asking the question, have I been impacted by Sunburst?, and the analysts that have to collect the tactical intelligence.
We just simply ask, have I been impacted by Sunburst?
Now, these two methods that I've just shown are ad hoc in nature.
What's critical to this, again, goes back to that speed component.
We want to make sure that as intelligence is reported, we are automatically looking back in time for evidence of that threat intelligence.
And so, this would have already been correlated in our customer's environment.
As soon as the intelligence is reported by FireEye, by Microsoft, by Palo Alto, by others, we are instantly taking that intelligence and looking back in time to let you know if we've encountered this.
Then we can prioritize our response to any correlations that do occur.
And we can prioritize that based on the nature of the threat intelligence, the nature of the event or both.
And very clearly here, when we see indicators of compromise associated with a high severity campaign, we can take an action that would prioritize this at the highest level.
Taking it another step further, we also employ DGA detection.
So, there are going to be lots of cases where malware families use DGA for their communications.
We automatically will detect DGA activity.
So the threat intelligence does not need to be reported first in order for us to detect communication or suspicious communication that appears to be based on DGA.
And then finally here, the other nice result of this whole process is our ability to very quickly view summarized results as they relate to the Sunburst activity.
So we can see here that when I apply a filter to my view here, I'm able to quickly get a view into Sunburst activity over time.
I can change the timeline to see, well, did I see anything early on in the detection phase back in December?
Have I seen anything recently?
We know this is an ongoing campaign.
And then, further, I can view the impacted assets.
So we are bringing together all of the intelligence, all of the events that are relevant to answering that question, have I been impacted?
All the way down to the point where you can identify exactly what an asset looked like at the time it was impacted.
And back to the point earlier, Sunburst is unique in a lot of ways, particularly for its sophistication, but not unique in its characteristics from a threat intelligence standpoint.
The quicker that we detect something like this, the more likely we are to catch it early in the kill chain and prevent it from getting to a phase where there's actual damage done.
And we saw that very clearly with Sunburst.
Thank you for joining us today, and you can contact us for a custom demo at that Anomali dotcom request to.
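The workflow Joe walks through, retroactively matching newly reported campaign indicators against stored historical events, ranking the hits by campaign severity, and flagging DGA-looking domains before any intelligence names them, can be sketched in a few dozen lines. The following is an added example written for this transcript; it is not Anomali's code and does not reproduce how the Match product works. The campaign names, indicators, hostnames and log lines are all constructed placeholders (no real Sunburst indicators appear), the `key=value` event format is an assumption, and `dga_score` is a simple entropy-and-vowel heuristic chosen for illustration, not a vendor algorithm.

```python
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed campaign intelligence: names, severities and indicators are
# placeholders, not real indicators from any vendor report.
CAMPAIGNS: Dict[str, dict] = {
    "sunburst": {
        "severity": "high",
        "indicators": {
            "c2-primary.example.net",
            "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
        },
    },
    "commodity-adware": {
        "severity": "low",
        "indicators": {"ads.tracker.example.org"},
    },
}

SEVERITY_RANK = {"high": 3, "medium": 2, "low": 1}

# Constructed historical events in an assumed key=value format; in practice
# this is a year or more of DNS and file telemetry held in a searchable store.
EVENT_LOG = """\
2020-06-02T10:11:12Z type=dns host=fin-srv-03 value=c2-primary.example.net
2020-06-02T10:11:20Z type=dns host=fin-srv-03 value=xk3j9qzv7tq2l8m.example.com
2020-07-15T08:00:00Z type=file host=ws-0217 value=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2020-08-01T12:00:00Z type=dns host=ws-0301 value=ads.tracker.example.org
2020-08-01T12:00:05Z type=dns host=ws-0301 value=mail.example.com
"""

EVENT_RE = re.compile(
    r"^(?P<ts>\S+) type=(?P<type>\w+) host=(?P<host>\S+) value=(?P<value>\S+)$"
)


@dataclass
class Event:
    ts: str
    etype: str
    host: str
    value: str


@dataclass
class Hit:
    event: Event
    campaign: str
    severity: str


def parse_events(text: str) -> List[Event]:
    """Parse the constructed log format; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append(Event(m["ts"], m["type"], m["host"], m["value"].lower()))
    return events


def retro_match(events: List[Event], campaigns: Dict[str, dict]) -> List[Hit]:
    """Look back through stored events for any indicator of any campaign.
    Hits are ordered highest severity first, then earliest sighting, which is
    the prioritisation the transcript describes (nature of the intel first)."""
    index = {}
    for name, c in campaigns.items():
        for ioc in c["indicators"]:
            index[ioc.lower()] = (name, c["severity"])
    hits = [Hit(ev, *index[ev.value]) for ev in events if ev.value in index]
    hits.sort(key=lambda h: (-SEVERITY_RANK[h.severity], h.event.ts))
    return hits


def impacted_by(campaign: str, events: List[Event], campaigns: Dict[str, dict]) -> dict:
    """Answer 'have I been impacted by <campaign>?' with first sighting and hosts."""
    hits = [h for h in retro_match(events, campaigns) if h.campaign == campaign]
    return {
        "impacted": bool(hits),
        "first_seen": min((h.event.ts for h in hits), default=None),
        "hosts": sorted({h.event.host for h in hits}),
    }


def dga_score(domain: str) -> float:
    """Heuristic DGA score in [0, 1] from character entropy, vowel scarcity and
    digit density of the leftmost label. Illustrative assumption only."""
    label = domain.lower().split(".")[0]
    if len(label) < 6:
        return 0.0
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    vowel_ratio = sum(label.count(v) for v in "aeiou") / n
    digit_ratio = sum(ch.isdigit() for ch in label) / n
    return min((entropy / 4.0) * 0.5 + (1 - vowel_ratio) * 0.3 + digit_ratio * 0.2, 1.0)


def suspected_dga(events: List[Event], threshold: float = 0.75) -> List[str]:
    """Flag DNS lookups that look algorithmically generated, independent of any IOC list."""
    return sorted({ev.value for ev in events if ev.etype == "dns" and dga_score(ev.value) >= threshold})


if __name__ == "__main__":
    evs = parse_events(EVENT_LOG)
    print(impacted_by("sunburst", evs, CAMPAIGNS))
    print(suspected_dga(evs))
```

The point of keeping `retro_match` separate from `impacted_by` is that the same look-back runs automatically whenever a campaign's indicator set is updated, while the ad hoc "have I been impacted by X?" question is just a filter over those hits. The DGA check runs on the raw DNS events rather than on indicators, so a domain such as the constructed `xk3j9qzv7tq2l8m.example.com` is surfaced even though no campaign lists it.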