Since threat intelligence is a learning exercise, we understand that the perimeter is no longer a viable defensive strategy. Rather, defense has become a strategy based on situational awareness of our operating environment. An often-cited figure is that more than 80 percent of all breaches originate from an external source, so the question now is how to react more quickly to such attacks. As we collectively employ better defensive mousetraps to catch or blunt attackers — hopefully prior to losing our crown jewels — the opposition is rapidly sharing new methods and exploits to use against us.

If the Security Game Is Fast, Why Are We Losing the Footrace in Threat Intelligence?

There has been an explosion of threat intelligence and data at security teams’ fingertips. From the new data on malware and attack methods that are overwhelming security professionals and teams in volume and velocity to the multi-silo security products producing volumes of data, more personnel are required to operate defense measures. The challenge now is how to gather and consume this exploding defensive data into a coordinated response and protection plan across and between organizations. We are slowly bringing our resources to coordinate against a determined foe. Hence, the game is afoot in our new brand of information warfare.

So what do we do now to keep pace and take control of our security intelligence focus on situational awareness? Ideally, we are feeding threat intelligence from multiple sources into our security products. More importantly, we can automate our ingestion of this data into strategies from similar streams of digestible protections and warnings.

Currently, this is where many of our defenses falter. The outside stream of defensive information is not structured into a useful set of protocols and formats that our protections can readily consume and act upon, leaving many organizations to undertake this manual, labor-intensive process. When you are under fire, the return on this process is painfully slow. We tend to have trouble quickly identifying an attack methodology and employing protections before our data is exfiltrated. We lose the next round when the attackers switch methods to keep our defense off-balance. Further, most organizations simply do not have the resources to keep up manually with this rate of change — not to mention, it is not their core competency. We need to make this process fast and simple. Enter the world of machine-readable data formats and exchanges.

A Machine-Readable Exchange by Many Names

Should we go with IODEF, MILE, STIX or TAXII? Is this just more alphabet soup? Not really, but the key here is figuring out which format is informative for defensive information-sharing and operations and whether it is slated for universal adoption. We clearly have a need for this, and to that end, there are signs of the marketplace adopting these formats and protocols and of the leading contenders moving into the world of standards adoption. That is a good sign for all of us.
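To make the "machine-readable" argument concrete, here is an added example (not code from the original post or from IBM) of the kind of automated ingestion the previous sections call for: a small STIX 2.1 bundle is parsed, its indicator patterns are turned into an indicator index, and that index is run over a few proxy log lines to produce alerts. The bundle, the indicator values (RFC 5737 test addresses and `.example.test` hostnames) and the log lines are all constructed for this illustration; the post itself does not name a STIX version or a log format, so both are assumptions here. The example deliberately skips revoked indicators and non-STIX pattern types, two details a consumer has to handle before trusting a feed.

```python
import json
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Ioc:
    observable_type: str  # STIX cyber-observable type, e.g. "ipv4-addr" or "domain-name"
    value: str
    indicator_id: str
    name: str


# Constructed STIX 2.1 bundle: sample data only, not taken from any real feed.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "Constructed C2 address", "indicator_types": ["malicious-activity"],
            "pattern": "[ipv4-addr:value = '203.0.113.10']",
            "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "Constructed phishing domains", "indicator_types": ["malicious-activity"],
            "pattern": "[domain-name:value = 'bad.example.test' OR domain-name:value = 'worse.example.test']",
            "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z",
        },
        {   # Revoked indicator: a consumer must drop it, or it keeps firing forever.
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000004",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-02-01T00:00:00.000Z",
            "name": "Withdrawn address", "indicator_types": ["malicious-activity"],
            "pattern": "[ipv4-addr:value = '203.0.113.99']",
            "pattern_type": "stix", "valid_from": "2024-01-01T00:00:00Z", "revoked": True,
        },
        {   # Not an indicator at all; the loader ignores it.
            "type": "malware", "spec_version": "2.1",
            "id": "malware--00000000-0000-4000-8000-000000000005",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "Constructed sample", "is_family": False,
        },
    ],
})

# One comparison inside a STIX pattern, e.g.  ipv4-addr:value = '203.0.113.10'
_COMPARISON = re.compile(r"(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'")


def load_indicators(bundle_json):
    """Extract atomic IoCs from every usable STIX indicator in a bundle."""
    iocs = []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":  # Snort/YARA patterns need other engines
            continue
        # Every comparison is treated as an IoC on its own; AND semantics are
        # ignored, which over-matches but never silently drops an observable.
        for obs_type, value in _COMPARISON.findall(obj.get("pattern", "")):
            iocs.append(Ioc(obs_type, value.lower(), obj["id"], obj.get("name", "")))
    return iocs


def build_index(iocs):
    """Map observable type -> {value: Ioc} for O(1) lookups while matching."""
    index = {}
    for ioc in iocs:
        index.setdefault(ioc.observable_type, {})[ioc.value] = ioc
    return index


# Constructed proxy log lines (assumed key=value layout after a timestamp).
SAMPLE_LOGS = [
    "2024-03-01T10:00:00Z src=10.0.0.5 dst=198.51.100.7 host=intranet.example.test",
    "2024-03-01T10:00:05Z src=10.0.0.5 dst=203.0.113.10 host=update.example.test",
    "2024-03-01T10:00:09Z src=10.0.0.8 dst=198.51.100.20 host=worse.example.test",
    "2024-03-01T10:00:12Z src=10.0.0.9 dst=203.0.113.99 host=cdn.example.test",
]


def _parse_log_line(line):
    return dict(tok.split("=", 1) for tok in line.split()[1:] if "=" in tok)


def match_logs(iocs, log_lines):
    """Return one alert dict per (log line, matched indicator) pair."""
    index = build_index(iocs)
    ips, domains = index.get("ipv4-addr", {}), index.get("domain-name", {})
    hits = []
    for line in log_lines:
        fields = _parse_log_line(line)
        dst = fields.get("dst", "")
        if dst in ips:
            ioc = ips[dst]
            hits.append({"line": line, "value": dst, "indicator_id": ioc.indicator_id, "name": ioc.name})
        host = fields.get("host", "").lower()
        for dom, ioc in domains.items():  # exact match or any subdomain of the indicator
            if host == dom or host.endswith("." + dom):
                hits.append({"line": line, "value": dom, "indicator_id": ioc.indicator_id, "name": ioc.name})
    return hits


if __name__ == "__main__":
    for hit in match_logs(load_indicators(STIX_BUNDLE), SAMPLE_LOGS):
        print(f"ALERT {hit['name']} ({hit['value']}) <- {hit['line']}")
```

Running the block prints two alerts: the line reaching 203.0.113.10 and the line whose host is worse.example.test; the line reaching 203.0.113.99 stays quiet because that indicator was revoked. Swapping the constructed bundle for one pulled from a TAXII collection and the sample lines for a real proxy feed is where the "automate our ingestion" step from the earlier paragraphs actually lands.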

There is certainly some heavy lifting to do yet in making the machine-readable formats part of our threat intelligence fully ready for use across all industries and to facilitate a more direct exchange of information among organizations. We all need to pitch in to climb that mountain and gain the high ground against our collective adversaries. This goal is worth the effort as our internal and external constituents demand quicker responses so only a few will experience the pain of the attack and the rest will remain protected. After all, the attackers have been exchanging this type of data for years; it’s time we turned the tables back on them.
