Daily Archives: May 3, 2018

Introducing ThreatConnect’s Intel Report Cards

Providing insight into how certain feeds are performing within ThreatConnect

As part of our latest release, we've introduced a new feature to help users better understand the intelligence they're pumping into their systems.  Intelligence can be a fickle thing; indicators are by their very nature ephemeral and part of our job is to better curate them. We find patterns not only in the intelligence itself, but in the sources of intelligence. As analysts, we frequently find ourselves asking a simple question: "Who's telling me this, and how much do I care?" We sought to tackle this problem on a few fronts in ThreatConnect in the form of Report Cards, giving you insight into how certain feeds are performing across the ThreatConnect ecosystem.  

First and foremost, we wanted to leverage any insights gleaned from our vast user base. We have users spanning dozens of industries across a global footprint. If a customer in Europe is seeing a lot of false positives come from a set of indicators, we want the rest of ThreatConnect users to learn from that. This is where ThreatConnect's CAL™ (Collective Analytics Layer) comes in. All participating instances of CAL are sending some anonymized, aggregated telemetry back. This gives us centralized insight which we can distribute to our customers. This telemetry includes automated tallies, such as how often an indicator is being observed in networks, as well as human-curated data such as how often False Positives are being reported.

Feed selection interface, driven by CAL's insights (27 March 2018)


By combining and standardizing these metrics, CAL can start to paint a picture of various intelligence feeds.  CAL knows which feeds are reporting on which indicators, and can overlay this information at scale with the above telemetry.  This has an impact at the strategic level, when deciding which feeds to enable in your instance. We're all familiar with the "garbage in, garbage out" problem -- simply turning on every feed may not be productive for your environment and team.  High-volume feeds that yield a lot of false positives, report on indicators outside of your areas of interest, or are simply repeated elsewhere may not be worth your time. Now system administrators can make an informed decision on which feeds they would like to enable in their instance, and with a single button click can get months of historical data.  These feeds are curated by the ThreatConnect Research team, who is doing their best to prune and automatically deprecate older data to keep the feeds relevant.

ThreatConnect's Intelligence Report card helps you better understand a candidate feed (27 March 2018)


The Report Card view goes into more depth on a particular feed. For each feed CAL knows about, it will give you a bullet chart containing the feed's performance on a few key dimensions, as determined by the ThreatConnect analytics team.  In short, a bullet chart identifies ranges of performance (red, yellow, and green here) to give you a quick representation of the groupings we've identified for a particular metric. A vertical red line indicates what we consider to be a successful "target" number for that metric, and the gray line indicates the selected feed's actual performance on that metric. We've identified a few key metrics that we think will help our users make decisions:

  • Reliability Rating is a measure of false positive reports on indicators reported by this feed. It's more than just a count of how many votes have been tallied by users. We also consider things like how egregious a false positive is, since alerting on something like google.com in your SIEM is a much more grave offense in our book. We give this a letter grade, from A-F, to help you identify how likely this feed is to waste your time.
  • Unique Indicators is a simple percentage of how many indicators contained within this feed aren't found anywhere else. If a feed's indicators are often found elsewhere, then some organizations may prefer not to duplicate data by adding them again. There may be reasons for this, as we see below with ThreatAssess. Nonetheless, this metric is a good way to help you understand how much novelty does this feed add?
  • First Reported measures the percentage of indicators which, when identified in other feeds, were found in this feed first. Even if a feed's indicators are often found elsewhere, this feed may have value if it's reporting those indicators significantly earlier. This metric helps you understand how timely a feed is relative to other feeds.
  • Scoring Disposition is a measure of the score that CAL assigns to indicators, on a 0-1000 scale. This score can be factored into the ThreatAssess score (alongside your tailored, local analysis). The Scoring Disposition is not an average of those score, but a weighted selection based on the indicators we know our users care about. This metric helps answer how bad are the things in this feed according to CAL?

The Report Card also contains a few other key fields, namely the Daily Indicators graph and the Common Classifiers box. The Daily Indicators chart shows you the indicator volume coming from a source over time, to help you understand the ebbs and flows of a particular feed. The Common Classifiers box shows which Classifiers are most common on indicators in the selected feed. Combined, these can give you an idea of how many indicators am I signing up for, and what flavors are they?

All of these insights are designed to help you make better decisions throughout your security lifecycle. Ultimately, the decision to add a feed should be a calculated one. When an analyst sees that an indicator was found in a particular feed, they may choose to use that information based on the Reliability Rating of that feed. You can leverage these insights as trust levels via ThreatAssess, allowing you to make such choices for every indicator in your instance.

We'll continue to improve our feed offering and expand upon our Report Cards as we hear more feedback from you, so please feel free to Tweet us @ThreatConnect.

The post Introducing ThreatConnect's Intel Report Cards appeared first on ThreatConnect | Enterprise Threat Intelligence Platform.

Cybersecurity pervasiveness subsumes all security concerns

Given the increased digitization of society and explosion of devices generating data (including retail, social media, search, mobile, and the internet of things), it seems like it might have been inevitable that cybersecurity pervasiveness would eventually touch every aspect of life. But, it feels more like everything has been subsumed by infosec.

All information in our lives is now digital — health records, location data, search habits, not to mention all of the info we willingly share on social media — and all of that data has value to us. However, it also has value to companies that can use it to build more popular products and serve ads and it has value to malicious actors too.

The conflict between the interests of these three groups means cybersecurity pervasiveness is present in every facet of life. Users want control of their data in order to have a semblance of privacy. Corporations want to gather and keep as much data as possible, just in case trends can be found in it to increase the bottom line. And, malicious actors want to use that data for financial gain — selling PII, credit info or intellectual property on the dark web, holding systems for ransom, etc. — or political gain.

None of these cybersecurity pervasiveness trends are necessarily new for those in the infosec community, but issues like identity theft or stolen credit card numbers haven’t always registered with the general public or mass media as cybersecurity problems because they tended to be considered in individual terms — a few people here and there had those sorts of issues but it couldn’t be too widespread, right?

Now, there are commercials on major TV networks pitching “free dark web scans” to let you know whether your data is being sold on the black market. (Spoiler alert: your data has almost certainly been compromised, it’s more a matter of whether you’re unlucky enough to have your ID chosen from the pile by malicious actors or not. And, a dark web scan won’t make the awful process of getting a new social security number any better.)

Data breaches are so common and so far-reaching that everyone has either been directly affected or is no more than about two degrees of separation from someone who has been. Remember: the Yahoo breach alone affected 3 billion accounts and the latest stats say there are currently only about 4.1 billion people who have internet access. The Equifax breach affected 148 million U.S. records and the U.S. has an estimated population of 325 million.

Everyone has been affected in one way or another. Everything we do can be tracked including our location, our search and purchase history, our communications and more.

But, cybersecurity pervasiveness no longer affects only financial issues and the general public has seen in stark reality how digital platforms and the idea of truth itself can be manipulated by threat actors for political gain.

Cyberattacks have become shows of nation-state power in a type of new Cold War, at least until cyberattacks impact industrial systems and cause real world harm.

Just as threat actors can find the flaws in software, there are flaws in human psychology that can be exploited as part of traditional phishing schemes or fake news campaigns designed to sway public opinion or even manipulate elections.

For all of the issues that arise from financially-motivated threat actors, the security fixes range from relatively simple to implement — encryption, data protection, data management, stronger privacy controls, and so on — to far more complex issues like replacing the woefully outmatched social security number as a primary form of ID.

However, the politically-minded attacks are far more difficult to mitigate, because you can’t patch human psychology. Better critical reading skills are hard to build across people who might not believe there’s even an issue that needs fixing. Pulling people out of echo chambers will be difficult.

Social networks need to completely change their platforms to be better at enforcing abuse policies and to devalue constant sharing of links. And the media also needs to stop prioritizing conflict and inflammatory headlines over real news. All of this means prioritizing the public good over profits, a notoriously difficult proposition under the almighty hand of capitalism.

None of these are easy to do and some may be downright impossible. But, like it or not, the infosec community has been brought to the table and can have a major voice in how these issues get fixed. Are we ready for the challenge?

The post Cybersecurity pervasiveness subsumes all security concerns appeared first on Security Bytes.