Q&A Follow-up – Tools of Engagement: The Mechanics of Threat Intelligence
As a follow-up to our recently held Tools of Engagement – The Mechanics of Threat Intelligence: Analysis, Information Sharing and Associated Challenges webinar, questions answered by presenters Doug Wilson and Jen Weedon are listed below. To view the archived webinar, please click here.
1. We received some questions asking about work being done by Mandiant and others on open source intelligence sharing. We’ve got some questions about STIX and TAXII in comparison to other frameworks.
To succeed with sharing indicators internally or externally, you have to pick a standardized format. That can be anything, honestly, from a tab-delimited file to complicated XML. If you are looking at sharing outside your organization, there are a couple of different standards that are out there to look at.
OpenIOC is what Mandiant uses for recording and transmitting threat indicators. DHS funds a project through MITRE called STIX, with a transport and exchange mechanism that is called TAXII. IETF also has the MILE working group, which has a protocol named IODEF, which uses RID as its transfer and exchange mechanism. These are all ways of packaging up threat information and shipping them off to other people or organizations. We’ve been looking at interacting with both groups, and trying to make sure that OpenIOC interacts with both sets of protocols where it can.
A lot of people are still very uncomfortable with the idea of sharing openly, so a lot of the sharing that’s happening out there is going to be happening in smaller, closed groups.
The protocols that we have discussed are all open standards, whether somebody is sharing in a small group or somebody is sharing in a large group. Since they are all open and feely available, there’s not any restrictions to using them for sharing, and ultimately, we’re hoping that there are some corporations out there that are standing up sharing portals – there are also government entities that are doing this as well. We’re hoping that ultimately, people will be able to pick the tools that work properly for their particular situation. But whatever standard (or standards) shakes out as being the one most people use, it will need to be something that’s open and accessible.
There were several questions about sharing groups. If you’re not familiar with the idea of an ISAC, I looking them up online. ISAC stands for Information Sharing and Analysis Center. There’s an ISAC Council website that lists a bunch of the ISACs (not endorsed by Mandiant, but for reference: http://www.isaccouncil.org/memberisacs.html). Some of the larger ISACs have their own events and conferences, FS-ISAC is one that is engaged in adopting threat information sharing standards (such as STIX).
There are also specific groups for the Defense Industrial Base, or DIB. Associated with the DoD Cybercrime Center (DC3) is the DoD-DIB Collaborative Information Sharing Environment (DCISE) — details available here: http://www.dc3.mil/dcise/.
2. As an investment bank, how should we advise our clients concerning cyber security audit and compliance prior to making an acquisition?
We have seen threat activity around or related to acquisitions and mergers. Entities should be aware that advanced attackers are often quite aware of business decisions and movements in industries that they’re targeting, so you should take this into account when determining how you want to allocate resources for risk management.
We can’t directly advise any specific course of action, and folks should consult their counsel or their risk management personnel on specific actions, but on numerous occasions we have been asked to do investigations that center around acquisitions and mergers. We often advise our clients to consider doing threat assessments as part of the due diligence process when they are thinking of acquiring other companies. In addition, we conduct regular analysis on risk factors for companies who may be targeted by advanced threat actors to identify which variables may place them at higher likelihood of being targeted, and why. These variables may include the industry they’re in, their intellectual property, strategic partnerships, business strategy, and overseas operations.
3. What are the options – in other words, legal or technical – available to counterattack hackers from world nations who don’t respect international laws?
Mandiant does not endorse or support hacking back in any form. We suggest an in-depth incident response life cycle within your organization’s network and host, and an ongoing cycle of detection, response and containment. We also suggest reaching out to law enforcement or appropriate authorities responsible for national security.
4. What are the most important items to gather and share with a threat team for vulnerability analyses?
An accurate depiction of vulnerabilities in an enterprise can help inform risk management decisions. This should be a two-way communication. A team that deals with threats can prioritize responding to some threats above others if they know certain vulnerabilities or weaknesses exist within their environment, and then the threat team can talk with whoever does the vulnerability assessment if they think certain types of actors are more likely to exploit certain types of vulnerabilities, so those vulnerabilities have a higher priority for getting fixed.
5. What kind of training do you suggest for intelligence analysis, especially cyber threat intelligence analysis?
One of the most important things a company can do, or anyone that does threat intel in an office can do is to get the technical folks and the sort of more traditional intel analysts in the room together to observe sort of how the other side works.
It may not be possible to fully cross-train both types of personnel on each other’s disciplines, but the more interaction they have and the more folks get out of their comfort zones with what they’re used to doing, the better your teams will understand with each other. Communication is key, especially when dealing with technical and non-technical teams having to work together.
6. Strategic versus tactical – why would individual firms care beyond what protects them from immediate threats? In other words, why would they care about strategic over the tactical?
This gets into debates about attribution, categorization of threats and threat tracking, and what that matters, which is a large topic in and of itself. It really depends on where an organization is in terms of the maturity of its security capabilities.
If an organization’s security interests are strictly operational and are just looking at turning stuff away from the firewall and blocking things, the idea of this longer-term view of threat actors is not going to be interesting, because they are just looking at what can immediately stop the bleeding. As an organization becomes more mature in their security posture and starts to evolve it into basing security off of threat intelligence, they will be able to appreciate the use of strategic intelligence. But this requires an investment of a lot more resources, and investment in personnel and programs that are not normally considered standard for traditional “information security” yet.
7. Is threat intelligence a myth?
Again, this depends a lot on the maturity level that a security program is at. It’s not a myth, but it might be useless to entities that do not have the resources or focus to do anything with threat intelligence.
We’ve seen that attribution is one area where people can go down a lot of rabbit holes. Some folks spend a lot of time arguing about the merit of attribution, and can get wrapped around the fact that attribution down to a specific human being is nearly impossible on the Internet. It doesn’t necessarily matter who is at the keyboard unless you’re a nation state or you’re somebody who’s going to be somehow doing an international lawsuit against a particular person.
But the groups of actors, and what is motivating these groups to make them want to act against your enterprise, should be of interest to you. If you want to be proactive about securing your network and distributing resources to protect your network, it helps to know that someone is using a particular type of attack and they’re not using another set of attacks. This may help you determine how to allocate resources for defense.
If you have less resources, if you have a less mature security posture, if you’re not as involved in terms of where you are in the life cycle of getting a sophisticated security program set up – and a lot of people are having a hard time getting down that road because you have the classic problems of justifying your budget, or convincing your CEO that they care – you’re not necessarily going to care about a strategic view of threat actors.
But if you’re someone who’s invested more in security, you have a larger investment in spending money on this and doing some sort of defense that is informed by a strategic viewpoint, it’s going to matter a lot more, and we’re seeing a lot more major companies turning in this direction, over time. So there could be naysayers, but the market is slowly speaking out against them.
8. What are some resources for analysts and detailed methodologies and curriculums as well as buying threat intelligence and reviews on different products and services?
Without going into specifics on the latter question, there are certainly a lot of industry research organizations that have racked and stacked different threat intelligence providers and their solutions.
I guess it really gets to what you can consume. Like Doug was saying, if you have the resources and the political will inside your organization to consume more strategic intelligence, you may have different needs and pursue different solutions providers.
In terms of developing a threat intel capability, there are certainly lots of firms out there, including Mandiant, who consult on what you need to do to mature in that sense.
9. Is there public or closed IOC sharing platforms besides ioc.forensicartifacts.com?
A couple of other entities out there are using OpenIOC publicly. If you are familiar with the company AlienVault, their lab, when they do posts of threat information and blog posts about malware, will include an IOC as part of their sharing.
We also do that with some of our blog posts and forum posts. Some of those are open and some of those closed to our customers, depending on the level of content. There, unfortunately, is not a wonderful public open sharing site for all of the IOCs out there other than http://ioc.forensicartifacts.com.
Most people are still kind of uncomfortable with the idea of sharing openly, so you’re going to see closed communities springing up here and there and, over time, they’re going to open up or improve or share with larger audiences. We hope to continue to contribute to that conversation as it evolves.
10. What are the sources of IOCs
IOCs can come from a variety of sources. In Mandiant’s case, they are a product of a wide variety of different sets of input throughout our business units, curated over time by our intel team. We capture IOCs from our investigative work, from feedback from our product and managed services customers, and from a wide variety of intel sources, including examining malware and network traffic. Organizations could create IOCs from their own knowledge of threats that they face, but usually they use a combination of their knowledge plus information gleaned from other security or intelligence sources.
11. What kind of IOC would you recommend sharing publicly or just in closed groups, so attackers don’t know detection methods?
IOCs don’t necessarily give away detection methods. Specific pieces of intelligence may give away sources and methods, and you need to determine risk to your intel sources before sharing anything. However, in most cases, especially if you are already trying to combat an opponent that has launched attacks against your networks, they probably assume that you can capture anything that they may deploy against you. If you are using external sources of intelligence, the situation becomes more complex, which is where having trained intelligence staff and experienced analysts can help you make appropriate decisions. The risk tolerance of each organization is going to be different, so it will likely be something that you will have to tailor to your organization’s limits.
12. What are some products that can be used for capturing/managing intelligence?
We have previously discussed the use of threat intel in the form of IOCs. The freely available Mandiant IOC Editor can be used to write and edit IOCs, and Redline can consume IOCs for host based investigations. Both of these complement the commercial Mandiant for Intelligent Response® offering.
Mandiant IOC Editor https://www.mandiant.com/resources/download/ioc-editor
Additionally, during the webinar we were also asked about tools for gathering and cataloging more strategic intelligence. None of these are endorsed by Mandiant. However, some examples of tools to consider are:
13. Do domains and IPs alone attribute activity to an actor if the actor was seeing using a domain or an IP once?
Attribution to actors is a complicated and time-consuming process. Actors’ use of certain domains or IPs as part of their attack infrastructure is only part of the story. Threat groups also frequently share infrastructure, malware, or other tools. There’s certainly no 1:1 correspondence between IPs and domains and specific actors, especially if you’ve only observed the correlation once. They’re useful data points for more thorough analysis.