
Threat Intelligence – Cyber Defense – Part 2 of 3

By Anthony Giandomenico | May 17, 2016

In my last blog post, we walked through, at a high level, who the various threat actors are, and looked at a blended attack chain to get an idea of how “bad guys” are stealing data or causing disruption.

As a quick reminder, we also discussed the seven phases of the attack chain: reconnaissance, weaponization, delivery, exploit, command and control, internal reconnaissance, and maintaining. In this blog I’ll focus on how we can take that information and, within each phase of the attack chain, build a defensive posture that is more in line with today’s tactics: 

Reconnaissance – In this phase, the attacker needs to understand as much as they can about your organization, network, and business partners.

  • Be aware of and monitor external scans because they may be a prelude to an attack.  Look for patterns and anomalies from attack attempts as well. 
  • Identify “watering holes” – Find the common websites that your employees visit, not only for business purposes, but also for leisure.  These sites are often researched and identified by the bad guys as well, who then plant malware in these legitimate websites.  Once your employee visits an infected site, malware is downloaded onto their machine and then introduced into your network. You need to monitor these sites closely with content filtering and/or proxy tools. 
  • Social media monitoring – Use some of the free social media monitoring tools to help identify information about your company and employees that may have been posted.  There is a lot of information on the Internet, such as names and titles, organizational structures, new projects or systems, or mergers and acquisitions that the bad guys can use against you. 
  • Vendor management – Take a look at all the vendors your company does business with and note what level of access they have into your environment. Build a template with key questions and considerations to assess the security of any third party, and determine the minimum requirements your vendors need before they can do business with your organization.  You should also closely monitor those conduits. 
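As an added example of the “monitor external scans and look for patterns” advice above (this is illustrative code, not from the original post or its author), the function below reads constructed firewall deny-log lines and flags any source that probes many distinct destination ports or hosts within a short window; the log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall deny-log lines (not from the original post):
# "<ISO timestamp> DENY <src_ip> <dst_ip> <dst_port>"
SAMPLE_FW_LOG = """\
2016-05-17T08:00:00 DENY 203.0.113.9 192.0.2.10 22
2016-05-17T08:00:01 DENY 203.0.113.9 192.0.2.10 23
2016-05-17T08:00:02 DENY 203.0.113.9 192.0.2.10 80
2016-05-17T08:00:03 DENY 203.0.113.9 192.0.2.10 443
2016-05-17T08:00:04 DENY 203.0.113.9 192.0.2.10 3389
2016-05-17T08:00:05 DENY 203.0.113.9 192.0.2.10 8080
2016-05-17T08:00:30 DENY 198.51.100.7 192.0.2.10 443
2016-05-17T08:05:00 DENY 198.51.100.7 192.0.2.10 443
2016-05-17T09:00:00 DENY 203.0.113.9 192.0.2.11 22
"""


def parse_deny_line(line):
    """Split one assumed-format deny line into (timestamp, src, dst, port)."""
    ts, _action, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_port_scans(log_text, window=timedelta(seconds=60), min_ports=5):
    """Return {src_ip: (window_start, distinct_targets)} for sources that hit
    at least `min_ports` distinct (dst, port) pairs within `window`.

    Counting (dst, port) pairs catches both vertical scans (many ports on one
    host) and horizontal scans (one port across many hosts)."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_deny_line(line)
        events[src].append((ts, dst, port))

    alerts = {}
    for src, evs in events.items():
        evs.sort()  # oldest first so each event can open a sliding window
        for i, (start, _, _) in enumerate(evs):
            targets = {(d, p) for t, d, p in evs[i:] if t - start <= window}
            if len(targets) >= min_ports:
                alerts[src] = (start, len(targets))
                break  # one alert per source is enough for triage
    return alerts
```

A repeated retry against a single port (198.51.100.7 above) is normal noise and is not flagged; a handful of distinct ports in seconds is the pattern worth correlating with later attack attempts.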

Weaponization – This is the phase where an attacker selects, and sometimes even builds malicious code to exploit identified vulnerabilities within the target, so it’s helpful to know whether you’re more likely to be attacked by a nation-state threat, cybercriminals, or a combination.

  • If nation-state attacks are more likely for your organization, focus your efforts on putting processes and technology in place to respond to zero-day threats. Technology is available to help you isolate the sensitive data on your endpoints or identify malware using non-signature detection.  Segmenting your network architecture is also a good way to at least minimize the impact of a potential breach once you’ve identified it.  I will discuss this further in the internal reconnaissance phase, but you will also want to think about anomaly detection and user profiling within your network.  When it comes to zero-day threats, the key is detection.
  • If you believe cybercriminals pose a higher threat to your organization, concentrate on developing a good vulnerability and patch management program.  Most cybercriminals use tools developed in the cybercrime ecosystem.  One of those tools is an exploit kit, which typically contains exploits focused on publicly known device, operating system, and software vulnerabilities.  By consistently patching known vulnerabilities you’ll have a better chance of keeping criminals from compromising your network.  When researching vulnerability and patch management technologies, make sure your solutions can identify all your assets, operating systems, applications, and vulnerabilities.  Some technology solutions can also overlay your policies to determine the priority.  

Delivery – Because threats can come from both inside and outside your organization, and can be either intentional or accidental, you need a variety of programs and processes in place to identify threats and risks.

  • Phishing emails are by far the most common method of malware delivery. Yet most companies don’t have a training program that makes employees aware of the increasing levels of sophistication these attacks often use. A variety of technology is available on the market to help both train and test your work force in online, interactive scenarios.  It’s important to do this as a continuous process to ensure that this training and testing is updated and adapts to the latest attack methods. 
  • Invariably, even with the best training, an employee will click on an attachment in a malicious email and load attack software or malware onto their system and into the network. You need to employ content security technology for email and web traffic designed to identify and remove malicious attachments. Solutions that include sandbox tools are especially important as they can detect previously unseen or sophisticated malware. I will discuss this technology in more detail in later sections.
  • Disgruntled employees may plug infected USBs into your environment to deliver malware, introduce command and control or other hacking tools, or simply collect data. Look at technology that can detect and block unwanted devices and identify potential data loss to a USB device. User-behavior analysis can also help detect users who have a pattern of non-compliance.  
  • Drive-by malware can be delivered through infected sites (as mentioned previously) as well as through advertising delivered on websites or attached to email. Threat actors can infect an advertising server, which can then impact thousands of websites that pull from that advertisement server. Be sure your employees understand this vulnerability. Keep in mind that most advertising sites have little to no use in a business environment, so consider blocking all advertisements within your network. 

Exploit – Since many exploits occur through a phishing attack, a strong vulnerability and patch management system is key.

  • If possible, standardize on one browser for your workforce, and make sure it’s patched and up to date.
  • Limit the use of plug-ins such as Java or Flash; if your employees don’t really need them, don’t use them.
  • Be sure that employees understand that what looks like a regular document could contain malicious scripts.
  • Most malware can use evasion techniques to circumvent traditional AV technology. And, of course, there are variants of malware that haven’t been discovered yet. Utilize sandbox technology to move suspicious content to a secure area where its behavior can be safely triggered and analyzed.  And because there can be multiple ingress and egress points on the network, make sure your sandbox solution can gather suspicious files from all points within your network. 
  • Some other basic controls to use to augment your vulnerability and patch management process would be reducing administrative privileges on endpoint devices, along with application whitelisting.  This will help reduce the overall attack surface of your systems, and should make it more difficult for an attack to succeed.   

Command and control – To defend at this stage, you need application control at the perimeter to inspect application streams and detect malware communicating back to their malicious infrastructure.

  • Because malicious communication tools will often tunnel through other protocols, you’ll need application security to inspect the communications stream.  Also, many times command and control communications are encrypted using Secure Sockets Layer (SSL) and Tor, so looking into SSL inspection tools is your best defense here.  It allows you to intercept, open, inspect, and then forward encrypted traffic once you have determined that it is clean. This can usually be done at the edges where NG Firewall and Proxy technology exists.  Keep in mind that you might run into some privacy issues, so talk with your legal team before implementing.
  • In addition to using application controls, reputational databases can be used to help identify nefarious IP addresses, domains, and URLs. A good approach is to typically use a combination of application control, reputational databases, and URL filtering to monitor, inspect, and secure traffic. 
  • A Quick Note: even with the combination of the above, you may still miss communications due to things like domain generation algorithms (DGAs), which let malware rotate through freshly generated domains that no reputation database has seen yet. In the next phase, I’ll mention how to leverage analytics and machine learning to identify malicious behavior patterns.

Internal reconnaissance – No defense strategy is guaranteed to stop every attack. Once determined attackers manage to breach your perimeter defenses and begin to move laterally across your network to find the data they want, you’ll need a robust incident response process and technology to detect them.

  • Be sure you have a good incident response plan.  When an incident occurs, people tend to panic, so a proper plan detailing steps to take and people to contact can help you become more thorough and efficient. You want to avoid a knee-jerk reaction.
  • Once an attacker is inside your network, they have bypassed your edge protection layer; however, you still have a chance to minimize the impact of the breach by segmenting your network into security zones. This will allow you to create various choke points to help isolate the breach and monitor and secure traffic as it moves between security zones.  This will give you more granular visibility inside your network where most organizations traditionally have little to no threat intelligence.
  • Given that a threat has managed to circumvent your defenses, there was most likely no signature available to detect it. This is why adopting anomaly-based and behavioral-based detection is a good idea.  This technology leverages big data analytics and machine learning tools to understand what normal traffic looks like so that unusual or unexpected traffic patterns and device behaviors can be quickly identified.  Many startup companies and SIEM vendors are trying to solve the detection problem this way. 
  • I mentioned sandboxing technology in the exploit phase as a means to identify unknown malware. Of course, once you identify it, you also have to act on it.  Make sure your sandbox technology can interact with other enforcement points—such as your email security technology, NG firewalls, endpoints, as well as various others—to take action.  Some SIEM vendors will also allow for automated responses to common or routine investigations. 
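The DGA gap noted at the end of the command and control phase and the anomaly-based detection recommended above can be tied together with a small example (added here; not code from the original post or its author). It scores the registrable label of each queried domain in constructed DNS log lines with a simple high-entropy, vowel-poor heuristic and reports clients with repeated suspicious lookups; the log format, thresholds and domains are assumptions, and a production system would replace the heuristic with the baseline-driven models the post describes.

```python
import math
from collections import Counter

# Constructed DNS query log lines (not from the original post):
# "<ISO timestamp> <client_ip> <queried_domain>"
SAMPLE_DNS_LOG = """\
2016-05-17T10:00:01 10.1.2.3 www.example.com
2016-05-17T10:00:02 10.1.2.3 cloudstoragebackups.net
2016-05-17T10:00:03 10.1.2.4 xk3j9q2mf8zlq7v.com
2016-05-17T10:00:04 10.1.2.4 q8wz4tn1y0bkd5rh.net
2016-05-17T10:00:05 10.1.2.4 m2lp7xv9c4hsk1tj.org
2016-05-17T10:00:06 10.1.2.5 mail.example.com
"""


def registered_label(domain):
    """Label directly left of the TLD (crude: no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(text):
    """Bits per character; random-looking strings score higher."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())


def looks_generated(domain, min_len=12, entropy_threshold=3.5, max_vowel_ratio=0.3):
    """Heuristic: a long, high-entropy, vowel-poor label looks machine-generated.

    The vowel check keeps long but pronounceable names (e.g. the constructed
    'cloudstoragebackups') from being flagged on entropy alone."""
    label = registered_label(domain)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio < max_vowel_ratio


def flag_dga_clients(log_text, min_hits=3):
    """Return {client_ip: count} for clients with >= min_hits suspicious lookups.

    Several suspicious lookups from one host is the behavioral pattern worth
    escalating; a single odd name is usually noise."""
    hits = Counter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, domain = line.split()
        if looks_generated(domain):
            hits[client] += 1
    return {client: n for client, n in hits.items() if n >= min_hits}
```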

Maintaining – At this point in the attack chain, your malicious “visitors” will try to extend their visit for as long as possible as they continue to siphon data from your network. 

  • Document your company’s servers that contain sensitive data and make sure they do not have access out to the Internet.  This will make it more difficult for the bad guys, because they’ll need to find a staging server to transfer data onto before exfiltrating data to their destination. 
  • Also, identify all attack paths into and out of your servers with sensitive data, and monitor these paths more closely. Pay particular attention to the ones that have access to servers that then have access to the Internet. 
  • To avoid an attacker going undetected for long periods of time, consider Operational Threat Intelligence (TI).  This will provide you with early indicators of compromise that will then help identify a threat in your network, along with the full scope of the breach. You can find freely available TI feeds online, as well as commercial ones that can be ingested into your SIEM or Threat Intelligence platforms.
  • And again, remember that sophisticated malicious code is designed to remain undetected by traditional AV scanning. So don’t assume that if a scan comes up clean on a machine that there’s no malware. You may need to invoke more detailed forensic procedures to truly identify whether or not the machine is clean—especially if the device contains sensitive or compliance-related data. 

Remember, this is just a high-level overview of what you can learn from understanding the tactics of the bad guys.  Don’t rely on this alone to build your security defense. Instead, use this information to complement your company risk analysis results, and combine it with best security practices and, when possible, guidance from certified security consultants.

Stay tuned for the next blog where I will break down the attack chain even further to show how granular you can get in identifying and stopping even the most sophisticated attacks.