CYBER THREAT ARTICLE - RANTINGS OF A CYBER SECURITY ANALYST (DECEMBER EDITION)

Rantings of a Cyber Security Analyst - (December Edition)

I recently attended an EC Council course for Cyber Threat Intelligence (CTIA) and through the course, I realized how large the gap is, especially for smaller businesses.

In today’s context, the threat landscape is ever changing. Cyber Threat Intelligence helps by equipping the security team with knowledge of what to look out for and which key infrastructure or services are being attacked. It also allows IOCs seen within the environment to be correlated with external intelligence on which part of an IOA the IOC belongs to, which hopefully identifies the TTPs of the attack and, in turn, the security gap within the environment.

This is no easy feat, and it is not as simple as buying a product. You can purchase CTI feeds, get a TIP or any other related CTI solution, but they only help with collecting the information and allowing easy correlation of and access to the collected data. Turning that data into intelligence which helps the organization still requires skilled analysts who know what they are looking for.



I have always liked the above image, as I feel it accurately shows the complexity involved in delivering that impact. Some organizations make the mistake of collecting threat feeds and assuming that this alone produces the outcome of better security.

There is a need to generate strategic, operational, and tactical cyber threat intelligence for the organization. I will not go deep into this as it would be an extremely long write-up, but at a high level:

  • Strategic Cyber Threat Intelligence – Identifies the Who and Why, which provides organizations with crucial insights. This is often used by C-Suite individuals, allowing them to understand the threats the organization is facing and to make risk-based decisions regarding staffing, technologies, cybersecurity requirements and budgets.
  • Operational Cyber Threat Intelligence – Addresses the How and Where, and is used by incident responders, network defenders, forensic analysts and so on. The CTI provides technical context, with a focus on the IOCs, related links, and whether they might be found in the environments these users are responsible for securing. Context is critical for operational users because every environment is unique in how it uses the various technology stacks.
  • Tactical Cyber Threat Intelligence – Focuses on the What and is used by every organization, from the largest with dedicated SOCs to the smallest with only a few cyber defenders or with monitoring outsourced to a Managed Security Service Provider (MSSP). Users of tactical cyber threat intelligence are on the frontlines of an organization’s cyber defenses. Tactical users leverage CTI-provided IOCs, content, and context to directly prevent threat actors’ attacks on their organizations.

Some of you may find the above too “advanced” and probably think your organization is too small and there are simply not enough resources to have such a team. The harsh reality is that the adversaries do not care.

Be it a company with a user count of 5 or even 1000, chances are you have similar solutions in place. Do you have an Exchange server? MSSQL? Web servers? From large enterprises to a small supermarket, if you have an IT infrastructure, you will have similar weaknesses. Be it Windows or Linux servers, there is no difference based on the size of the company.

Take, for example, a recent trend of attacks which focuses on vulnerable builds of MSSQL. Various threat actor groups started scanning the internet for exposed and vulnerable MSSQL servers. Depending on the threat actor, some will deliver cryptominers, while others perform ransomware attacks. All of this is done through exploitation of the MSSQL server. In my personal experience, I saw this firsthand affecting organizations of different sizes: financial institutes, supermarkets, manufacturing companies. It was not an attack specific to an organization type. Do you think the adversary would check what company this is before launching the attack? Being opportunistic, if there is a security gap, they would go for it.

With Cyber Threat Intelligence, these companies would have been able to see this trend and know that it affects MSSQL. The operational users would check their environment for all their MSSQL servers and see whether they are exposed to the public and whether they are running a vulnerable build. A more advanced team would begin a threat hunt to see if the server has already been compromised and investigate for any persistence or suspicious objects on the server.
If, for some reason, patching is not possible, this would go to the C-Suite for strategic planning. That might mean spending on a network IPS to mitigate the threat in the short term while putting down policies for patch management as the strategic plan to mitigate this risk.
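The operational check described above, as an added example that is not part of the original article and not Sophos or EC-Council code: it triages a constructed SQL Server inventory against a constructed "minimum patched build" baseline. The hostnames, build numbers, exposure flags and baseline builds are all placeholders; in practice the build string comes from `SELECT SERVERPROPERTY('ProductVersion')` on each instance and the baseline from the vendor advisory the CTI feed points at.

```python
"""Triage SQL Server instances against a CTI advisory (added example).

All inventory rows and baseline builds below are constructed placeholders,
not real advisory data. Replace MIN_PATCHED_BUILD with the builds named in
the actual advisory before using this for anything real.
"""

# Constructed inventory. `version` is the string SERVERPROPERTY('ProductVersion')
# returns; `public` means the listener is reachable from the internet.
INVENTORY = [
    {"host": "sql-erp-01",     "version": "15.0.4345.5",  "public": False},
    {"host": "sql-pos-02",     "version": "14.0.3421.10", "public": True},
    {"host": "sql-vendor-app", "version": "13.0.5026.0",  "public": True},
    {"host": "sql-reporting",  "version": "16.0.4095.4",  "public": False},
    {"host": "sql-legacy-09",  "version": "12.0.6024.0",  "public": False},
]

# PLACEHOLDER baseline: lowest build per major version that carries the fix.
# Majors absent here are treated as out of support and therefore at risk.
MIN_PATCHED_BUILD = {
    16: (16, 0, 4085, 2),
    15: (15, 0, 4312, 2),
    14: (14, 0, 3456, 2),
    13: (13, 0, 5030, 0),
}

SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


def parse_build(version: str) -> tuple:
    """Turn '15.0.4345.5' into (15, 0, 4345, 5).

    Comparing tuples of ints avoids the classic mistake of comparing version
    strings lexically, where '14.0.3421.9' would sort after '14.0.3421.10'.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected ProductVersion format: {version!r}")
    return tuple(int(p) for p in parts)


def vulnerability_reason(version: str):
    """Return why this build is at risk, or None if it meets the baseline."""
    build = parse_build(version)
    baseline = MIN_PATCHED_BUILD.get(build[0])
    if baseline is None:
        return "major version has no patched build in the advisory (likely out of support)"
    if build < baseline:
        fixed = ".".join(str(n) for n in baseline)
        return f"build {version} is below patched build {fixed}"
    return None


def classify(vulnerable: bool, public: bool) -> str:
    """Map the two facts the article asks for (build state, exposure) to a tier."""
    if vulnerable and public:
        return "critical"   # exposed and unpatched: isolate/patch now, then hunt
    if vulnerable:
        return "high"       # internal but unpatched: patch, or escalate for IPS/compensating control
    if public:
        return "medium"     # patched but needlessly internet-facing: reduce exposure
    return "low"


def triage(inventory):
    """Return one finding per host, worst first (stable within a tier)."""
    findings = []
    for row in inventory:
        reason = vulnerability_reason(row["version"])
        findings.append({
            "host": row["host"],
            "severity": classify(reason is not None, row["public"]),
            "public": row["public"],
            "reason": reason or "build meets advisory baseline",
        })
    return sorted(findings, key=lambda f: SEVERITY_RANK[f["severity"]])


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f['severity']:<8} {f['host']:<16} public={str(f['public']):<5} {f['reason']}")
```

The critical tier is where the threat hunt the article mentions should start; the high tier is the list that goes to management when patching is blocked, since it is exactly the set a network IPS or segmentation control would have to cover in the meantime.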

A personal experience I had was when identifying signs of a breach through a vulnerable MSSQL server, the customer said this server is an application from a third-party application vendor. The vendor insisted on not patching for some odd reason, and it was left as-is. The server is part of the organization’s network with access to other systems. It irks me, but there was no further action, nor was this intelligence and security risk brought up to the management of the company. In this case, it is a ticking time bomb waiting to go off.

The sad truth is that all organizations require cyber threat intelligence to truly be a step ahead and to reduce the risk of a breach. Realistically, it is hard to build a proper team. It would not be as simple as hiring a bunch of engineers. Ideally, the team should also consist of host analysts, malware analysts, forensic analysts, and threat hunters. These are all very specific skillsets that even large enterprises have trouble hiring for. This would be even worse for smaller companies which may have only a single general IT person.

There are MSSPs and other vendors providing such services, and I highly recommend that all organizations consider this as an option versus building their own security team, be it to complement an existing SOC or simply to offload these monitoring and threat hunting responsibilities, should the organization be too small to justify building a SOC.

One thing I would caution is to find out how in-depth the service is. A vendor may be cheap, but all it provides might be log monitoring and flagging alerts to you. Without a threat hunter in your organization, would such an alert help or provide any improvement to your security?
Getting the right service to complement your organization’s current capabilities is key.

If the service is selected simply to satisfy a compliance requirement for monitoring and storage of data, you are setting yourself up for failure and an eventual breach.

Biography

Harvey Goh



Harvey Goh is a cyber security specialist having been in the cyber security industry for over 15 years as a technical personnel. Currently he is working as part of Sophos’ Managed Threat Response team. He is also a member of AiSP CTI SIG, EXCO and volunteer at CSCIS CTI SIG.

Views and opinions expressed in this article are my own and do not represent that of my places of work. While I make every effort to ensure that the information shared is accurate, I welcome any comments, suggestions, or correction of errors.