April 23, 2015 By Peter Allor 3 min read

 

Since threat intelligence is a learning exercise, we understand that the perimeter is no longer a viable defensive strategy. Rather, it has become a strategy based on situational awareness of our operating environment. An often cited fact is that approximately more than 80 percent of all breaches originate from an external source, so the question now is how to react quicker to such attacks. As we collectively employ better defensive mousetraps to catch or blunt attackers — hopefully prior to losing our crown jewels — the opposition is rapidly sharing new methods and exploits to use against us.

If the Security Game Is Fast, Why Are We Losing the Footrace in Threat Intelligence?

There has been an explosion of threat intelligence and data at security teams’ fingertips. From the new data on malware and attack methods that are overwhelming security professionals and teams in volume and velocity to the multi-silo security products producing volumes of data, more personnel are required to operate defense measures. The challenge now is how to gather and consume this exploding defensive data into a coordinated response and protection plan across and between organizations. We are slowly bringing our resources to coordinate against a determined foe. Hence, the game is afoot in our new brand of information warfare.

So what do we do now to keep pace and take control of our security intelligence focus on situational awareness? Ideally, we are feeding threat intelligence from multiple sources into our security products. More importantly, we can automate our ingestion of this data into strategies from similar streams of digestible protections and warnings.

Currently, this is where many of our defenses falter. The outside stream of defensive information is not structured into a useful set of protocols and formats for our protections to readily consume and act upon, relegating many organizations to undertake this manual, labor-intensive process. When you are under fire, the return on this process is painfully slow. We tend to have trouble with quickly identifying an attack methodology and employing protections before our data is exfiltrated. We lose the next round when the attackers switch methods to keep our defense off-balance. Further, most organizations simply do not have the resources to deploy to manually keep up with this rate of chance — not to mention, it is not their core competency. We need to make this process fast and simple. Enter the world of machine-readable data formats and exchanges.

A Machine-Readable Exchange by Many Names

Should we go with IODEF, MILE, STIX or TAXII? Is this just more alphabet soup? Not really, but the key here is figuring out what is informative for defensive information-sharing and operations and whether it is slated universal adoption. We clearly have a need for this, and to that end, there are signs of the marketplace adopting these formats and protocols and leading contenders moving into the world of standards adoption. That is a good sign for all of us.

There is certainly some heavy lifting to do yet in making the machine-readable formats part of our threat intelligence fully ready for use across all industries and to facilitate a more direct exchange of information among organizations. We all need to pitch in to climb that mountain and gain the high ground against our collective adversaries. This goal is worth the effort as our internal and external constituents demand quicker responses so only a few will experience the pain of the attack and the rest will remain protected. After all, the attackers have been exchanging this type of data for years; it’s time we turned the tables back on them.

Be Among the first to Experience the IBM X-Force Exchange

Image Source: iStock

More from X-Force

FYSA – Critical RCE Flaw in GNU-Linux Systems

2 min read - Summary The first of a series of blog posts has been published detailing a vulnerability in the Common Unix Printing System (CUPS), which purportedly allows attackers to gain remote access to UNIX-based systems. The vulnerability, which affects various UNIX-based operating systems, can be exploited by sending a specially crafted HTTP request to the CUPS service. Threat Topography Threat Type: Remote code execution vulnerability in CUPS service Industries Impacted: UNIX-based systems across various industries, including but not limited to, finance, healthcare,…

Getting “in tune” with an enterprise: Detecting Intune lateral movement

13 min read - Organizations continue to implement cloud-based services, a shift that has led to the wider adoption of hybrid identity environments that connect on-premises Active Directory with Microsoft Entra ID (formerly Azure AD). To manage devices in these hybrid identity environments, Microsoft Intune (Intune) has emerged as one of the most popular device management solutions. Since this trusted enterprise platform can easily be integrated with on-premises Active Directory devices and services, it is a prime target for attackers to abuse for conducting…

You just got vectored – Using Vectored Exception Handlers (VEH) for defense evasion and process injection

10 min read - Vectored Exception Handlers (VEH) have received a lot of attention from the offensive security industry in recent years, but VEH has been used in malware for well over a decade now. VEH provides developers with an easy way to catch exceptions and modify register contexts, so naturally, they’re a ripe target for malware developers. For all the attention they’ve received, nobody had publicized a way to manually add a Vectored Exception Handler without relying on the built-in Windows APIs which…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today