CYBER THREAT ARTICLE - RANTINGS OF A CYBER SECURITY ANALYST (DECEMBER EDITION)
I recently attended an EC-Council course on Cyber Threat Intelligence (CTIA), and through the course I realized how large the gap is, especially for smaller businesses.
In today’s context, the threat landscape is ever changing. Cyber Threat Intelligence helps by equipping the security team with knowledge of what to look out for and which key infrastructure or services are being attacked, and by correlating IOCs seen within the environment with external intelligence on which part of an IOA the IOC belongs to, so that the TTP of the attack can hopefully be identified, which in turn points to the security gap within the environment.
This is no easy feat, and it is not as simple as buying a product. You can purchase CTI feeds, get a TIP or any other related CTI solution, but they only help with collecting the information and allowing easy correlation and access to the collected data. Turning that data into intelligence that helps the organization requires skilled analysts who know what they are looking for.
I have always liked the above image, as I feel it accurately shows the complexity of providing the impact. Some organizations make the mistake of collecting threat feeds and assuming that provides an outcome of better security.
There is a need to generate strategic, operational, and tactical cyber threat intelligence for the organization. I will not go deep into this, as it would be an extremely long write-up, but at a high level:
- Strategic Cyber Threat Intelligence – Identifies the Who and Why, which provides organizations with crucial insights. It is often used by C-Suite individuals, allowing them to understand the threats the organization is facing and to make risk-based decisions regarding staffing, technologies, cybersecurity requirements and budgets.
- Operational Cyber Threat Intelligence – Addresses the How and Where, and is used by incident responders, network defenders, forensic analysts and so on. This CTI provides technical context, with a focus on the IOC, related links, and whether they might be found in the environments these users are responsible for securing. Context is critical for operational users because every environment is unique in how it uses various technology stacks.
- Tactical Cyber Threat Intelligence – Focuses on the What and is used by every organization, from the largest with dedicated SOCs to the smallest with only a few cyber defenders or with monitoring outsourced to a Managed Security Service Provider (MSSP). Users of tactical cyber threat intelligence are on the front lines of an organization’s cyber defenses. They leverage CTI-provided IOCs, content, and context to directly prevent threat actors’ attacks on their organizations.
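The correlation step described in the introduction (matching IOCs seen in the environment against external intelligence to learn which IOA stage and TTP they belong to) and the three audiences listed above can be shown in one small script. This is an added example, not code from the article or from any product it mentions: the feed entries, the log lines, the actor name and the stage labels are all constructed placeholders, and a real TIP would supply them.

```python
"""Correlate IOCs seen in local logs with an external intelligence feed.

Added example, not code from the original article. The feed entries, the
log lines, the actor name and the attack-stage labels are all constructed
for illustration; a real TIP feed would supply them.
"""
from dataclasses import dataclass

# Kill-chain order used to arrange matched IOA stages into a narrative.
STAGE_ORDER = ["reconnaissance", "initial-access", "execution",
               "persistence", "command-and-control", "impact"]


@dataclass(frozen=True)
class IntelEntry:
    indicator: str   # IP, domain or file hash as published by the feed
    ioa_stage: str   # which part of the attack chain the indicator belongs to
    ttp: str         # the technique the source associates with it (How/Where)
    actor: str       # who is reported to use it (Who/Why)


# Constructed intelligence feed entries (placeholders, not real IOCs).
FEED = [
    IntelEntry("203.0.113.45", "initial-access",
               "exploit public-facing MSSQL", "constructed-miner-crew"),
    IntelEntry("updates.example.invalid", "command-and-control",
               "DNS beacon", "constructed-miner-crew"),
    IntelEntry("deadbeef" * 4, "execution",
               "dropped miner binary", "constructed-miner-crew"),
]

# Constructed local events: firewall, DNS and EDR log lines in key=value form.
LOGS = [
    "2023-12-01T08:00:12Z fw allow src=203.0.113.45 dst=10.0.0.5 dport=1433",
    "2023-12-01T08:00:40Z dns query name=updates.example.invalid client=10.0.0.5",
    "2023-12-01T08:01:02Z edr hash=" + "deadbeef" * 4 + " host=sql01 action=created",
    "2023-12-01T08:05:00Z fw allow src=198.51.100.7 dst=10.0.0.9 dport=443",
]


def correlate(logs, feed):
    """Return one record per (log line, indicator) hit, carrying the feed's context."""
    index = {entry.indicator.lower(): entry for entry in feed}
    matches = []
    for line in logs:
        for token in line.split():
            # Accept both bare values and key=value fields.
            value = token.split("=", 1)[-1].strip(",;").lower()
            entry = index.get(value)
            if entry is not None:
                matches.append({
                    "line": line,
                    "indicator": entry.indicator,
                    "ioa_stage": entry.ioa_stage,
                    "ttp": entry.ttp,
                    "actor": entry.actor,
                })
    return matches


def stage_coverage(matches):
    """Distinct IOA stages observed, in kill-chain order."""
    seen = {m["ioa_stage"] for m in matches}
    return [stage for stage in STAGE_ORDER if stage in seen]


def assessment(matches):
    """Split the raw matches into the three audiences the article describes."""
    initial = [m["ttp"] for m in matches if m["ioa_stage"] == "initial-access"]
    return {
        # Tactical: the What, the indicators to block or alert on.
        "tactical": sorted({m["indicator"] for m in matches}),
        # Operational: the How and Where, stage plus technique in observed order.
        "operational": [(m["ioa_stage"], m["ttp"]) for m in matches],
        # Strategic: the Who, to inform risk decisions.
        "strategic": sorted({m["actor"] for m in matches}),
        # The initial-access technique is the security gap to close.
        "gap_hint": initial[0] if initial else None,
    }


if __name__ == "__main__":
    hits = correlate(LOGS, FEED)
    print("stages observed:", " -> ".join(stage_coverage(hits)))
    for key, value in assessment(hits).items():
        print(f"{key}: {value}")
```

The point the feed alone cannot make is in `assessment`: three raw hits become a chain (initial access, execution, command and control) and the initial-access technique names the gap to fix, which is the analyst's conversion of data into intelligence.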
Some of you may find the above too “advanced” and probably think your organization is too small and there are simply not enough resources to have such a team. The harsh reality is that the adversaries do not care.
Be it a company with a user count of 5 or even 1000, chances are you have similar solutions in place. Do you have an Exchange server? MSSQL? Web servers? From large enterprises to a small supermarket, if you have an IT infrastructure, you will have similar weaknesses. Be it Windows or Linux servers, there is no difference based on the size of the company.
Take, for example, a recent trend of attacks focusing on vulnerable builds of MSSQL. Various threat actor groups started scanning the internet for exposed and vulnerable MSSQL servers. Depending on the threat actor, some deliver cryptominers, while others perform ransomware attacks, all of it through exploitation of the MSSQL server. In my personal experience, I saw this firsthand affecting organizations of different sizes: financial institutions, supermarkets, manufacturing companies. It was not an attack specific to an organization type. Do you think the adversary would check what company this is before launching the attack? Being opportunistic, if there is a security gap, they would go for it.
With Cyber Threat Intelligence, these companies would have been able to see this trend and know that it affects MSSQL. The operational users would check their environment for all their MSSQL servers and see whether they are exposed to the public and whether they are running a vulnerable build. A more advanced team would begin a threat hunt to see whether a server has already been compromised and investigate for any persistence or suspicious objects on the server. If for some reason patching is not possible, this would go to the C-Suite for strategic planning: perhaps spending on a network IPS to mitigate the threat while putting down policies for patch management as the strategic plan to mitigate this risk.
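The operational check described above (which MSSQL servers exist, which are exposed, which run a vulnerable build, and which cannot be patched and must be escalated) is a triage that can be written down. The following is an added example, not code from the article: the hosts, build strings and per-major-version fix thresholds are constructed placeholders, and the real threshold for a given vulnerability comes from the vendor advisory. Reading the build with `SERVERPROPERTY('ProductVersion')` is standard T-SQL; everything else here is assumed for illustration.

```python
"""Triage an MSSQL inventory: exposed? vulnerable build? patchable?

Added example, not code from the original article. The hosts, build
strings and the per-major-version fix thresholds are constructed
placeholders; the real thresholds come from the vendor advisory for the
vulnerability being tracked.
"""
from dataclasses import dataclass

# PLACEHOLDER thresholds keyed by major version (15 = SQL Server 2019, 14 = 2017).
# Each major line has its own cumulative-update track, so builds are only
# compared within the same major version. Values are constructed.
MIN_PATCHED_BUILD = {
    15: "15.0.4000.0",
    14: "14.0.3400.0",
}


@dataclass
class SqlServer:
    host: str
    build: str              # as returned by SERVERPROPERTY('ProductVersion')
    internet_exposed: bool  # TCP/1433 reachable from outside, per firewall review
    patchable: bool         # False when a vendor forbids patching its hosted app


# Constructed inventory rows (hypothetical hosts).
INVENTORY = [
    SqlServer("sql01", "15.0.2000.5", internet_exposed=True, patchable=True),
    SqlServer("sql02", "15.0.4123.1", internet_exposed=True, patchable=True),
    SqlServer("erp-db", "14.0.3000.0", internet_exposed=False, patchable=False),
    SqlServer("sql03", "unknown", internet_exposed=False, patchable=True),
]


def parse_build(build):
    """'15.0.4123.1' -> (15, 0, 4123, 1); raises ValueError on junk."""
    return tuple(int(part) for part in build.split("."))


def is_vulnerable(server):
    """True when the build is below the fix threshold for its major version.

    Unknown, unparsable or unlisted builds are treated as vulnerable so that a
    bad inventory entry cannot hide an exposed server; an analyst confirms.
    """
    try:
        build = parse_build(server.build)
        threshold = parse_build(MIN_PATCHED_BUILD[build[0]])
    except (ValueError, KeyError, IndexError):
        return True
    return build < threshold


def triage(inventory):
    """Sort servers into the actions each audience owns."""
    actions = {"patch_now": [], "hunt": [], "escalate": [], "ok": []}
    for server in inventory:
        if not is_vulnerable(server):
            actions["ok"].append(server.host)
            continue
        # Exposed and vulnerable: assume it may already be compromised.
        if server.internet_exposed:
            actions["hunt"].append(server.host)
        if server.patchable:
            actions["patch_now"].append(server.host)   # operational team
        else:
            actions["escalate"].append(server.host)    # strategic decision
    return actions


if __name__ == "__main__":
    for action, hosts in triage(INVENTORY).items():
        print(f"{action:10s} {', '.join(hosts) or '-'}")
```

Two design choices matter here. Builds are compared only within their own major version, because each SQL Server line receives its own cumulative updates and a single global threshold would misjudge older lines. And anything the script cannot classify is treated as vulnerable rather than silently skipped, which is the conservative default when the inventory is the weakest link.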
A personal experience I had was when identifying signs of a breach through a vulnerable MSSQL server, the customer said this server is an application from a third-party application vendor. The vendor insisted on not patching for some odd reason, and it was left as-is. The server is part of the organization’s network with access to other systems. It irks me, but there was no further action, nor was this intelligence and security risk brought up to the management of the company. In this case, it is a ticking time bomb waiting to go off.
The sad truth is that all organizations require cyber threat intelligence to truly be a step ahead and to reduce the risk of a breach. Realistically, it is hard to build a proper team. It would not be as simple as hiring a bunch of engineers. Ideally, the team should also consist of host analysts, malware analysts, forensic analysts, and threat hunters. These are all very specific skill sets that even large enterprises have trouble hiring for. This would be even worse for smaller companies, which may have only a single general IT person.
There are MSSPs and other vendors providing such services, and I highly recommend that all organizations consider this as an option versus building their own security team, be it to complement an existing SOC or simply to offload monitoring and threat hunting responsibilities should the organization be too small to justify building a SOC.
One thing I would caution is to find out how in-depth the service is. A vendor may charge little, but all they provide is log monitoring and flagging alerts to you. Without a threat hunter in your organization, would this alert help or provide any improvement to your security?
Getting the right service to complement your organization’s current capabilities is key. If the service is selected simply to satisfy a compliance requirement for monitoring and storage of data, you are setting yourself up for failure and an eventual breach.
Biography
Harvey Goh
Harvey Goh is a cyber security specialist who has been in the cyber security industry for over 15 years as technical personnel. Currently he is working as part of Sophos’ Managed Threat Response team. He is also a member of AiSP CTI SIG, EXCO and a volunteer at CSCIS CTI SIG.
Views and opinions expressed in this article are my own and do not represent those of my places of work. While I make every effort to ensure that the information shared is accurate, I welcome any comments, suggestions, or corrections of errors.