Computing pioneer Alan Kay once said, “Context is worth 80 IQ points.” On the IQ scale, where average is about 100 and Einstein is 160+, context could propel you into the genius category pretty handily. For cybersecurity professionals who know that the industry has no shortage of threat data, context is the lever that turns threat data into threat intelligence.
In a previous column I described how the path to threat intelligence starts by organizing the multiple data feeds many organizations subscribe to and translating it into a uniform and useable format. This global threat data gives you some insight into activities outside of your enterprise. But to turn that data into intelligence you need to augment and enrich it with internal threat and event data. By correlating events and associated indicators from inside your environment (for example from sources including your security information and event management (SIEM) system, log management repository and case management systems) with external data on indicators, adversaries and their methods, you gain the context to understand the who, what, where, when, why and how of an attack. More specifically,
Who and what: The actors or groups behind the attack, if they are government sponsored, and what they typically target (size of organization, industry, geography).
How and where: The tactics, techniques, and procedures (TTPs) the adversaries use to make decisions, expand access and execute their objectives; their capabilities and the methods they employ be it exploit kits or other types of attacks “as a service” or the infrastructure they utilize; and what systems are targeted and possibly affected.
The SamSam ransomware attack offers an example of the role of context in helping organizations understand how adversaries operate and make better decisions about how to deal with an attack.
Typically executed via an exploit kit or a phishing campaign, ransomware seeks to deny the targeted organization access to files or data unless they pay a fee for unlocking them. The SamSam ransomware variant, however, doesn’t rely on end-users clicking on a malicious link or attachment. It compromises unpatched servers, such as JBoss application servers, to gain a foothold in the network and then moves laterally to compromise additional machines which are held for ransom.
As was widely reported, SamSam appears to target the healthcare industry and was the variant used in March 2016 to compromise the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington, DC area. The attackers requested 45 Bitcoins (about $18,500) to restore files it had encrypted on multiple Windows systems. MedStar didn’t pay the ransom because it had a backup of the files. It was also able to detect the attack early and prevent it from infecting additional systems. Soon after, the FBI issued a confidential warning that included indicators of compromise (IoCs) to help other security teams monitor for SamSam infections.
As you can see from this example, when context is applied correctly, you can begin to build an intelligence profile that describes your adversaries, their campaign methods, indicators of their actions, and events that occur. This also allows you to better detect and scope an attack that bypassed your existing layers of defense. It provides information such as what this specific threat actor’s attacks look like and where else they have gone inside the network.
Context transforms your threat data into intelligence. The next step is to use that intelligence for better decisions and action. In the SamSam example, that action included patching vulnerabilities, network segmentation and off-site backup solutions.
Einstein acted on his genius-level IQ to create the Theory of Relativity. With your threat IQ elevated you may not be able to invent a new way of looking at the world, but you’ll be ready to look at data in a new way and turn it into actionable intelligence.