Category Archives: Threat Intelligence Insights

The Naughty or Nice List: Cyber Edition

Hackers are making a list, checking it twice, and they’re going to find out if you’ve been naughty or nice… with your cyber habits. Around the holidays we reflect on our actions from the past year, wondering if we’ll end up on the Naughty or Nice list, and cybercriminals are evaluating the same thing. In their case, however, they are looking for those of us who haven’t secured our data, networks, and other confidential or sensitive information, so they can exploit those gaps.

When it comes to good cyber hygiene habits, we often put off the basics like updating our passwords or patching our systems because it isn’t convenient – and that’s how the bad guys get you. Taking a couple of minutes out of your day to keep up with your online security may seem like a pain, but it is the best way to make sure you’re staying safe and will pay off in the long run.

This holiday season keep yourself and your organization from being an easy target for cybercriminals. To help you determine how secure you are, we put together a cheat sheet of good and bad cyber habits. See if your cyber actions – or inaction – made the Cyber Naughty and Nice list!

The Nice List:

1. Leverage online privacy settings

Social media is a great way to share your thoughts, important events, and pictures. But there is such a thing as sharing too much. Though we post online to share things with friends, family, and people with similar interests, do you know exactly what you are sharing?

Unless your privacy is on the highest setting, strangers can see your personal posts, making it easier to determine your location and other personal details that could help them build a targeted phishing campaign against you, or learn something like your mother’s maiden name to answer a security question.

2. Download from trusted sources

Downloading files is something we all do every day and often don’t think twice about. At work, we download word documents, PDFs, and other files. Even at home we frequently download music, videos, and games. How can we make sure that we are downloading the files we think we are downloading?

  • Ensure that your antivirus and antispyware software is up to date and your firewall is running before starting a download.
  • Treat executable files (.exe and other program files) with extreme caution. They run code directly on your computer, which is exactly why they are the most common carrier for malware.
  • Be wary of what you download: a file can be named anything, and its extension and icon prove nothing about its contents. Where the publisher provides one, verify the download’s checksum or digital signature before running it.


3. Turn off your geolocation on social media

Making headlines recently was a string of celebrity home burglaries that weren’t as random as they appeared to be. Rihanna, Robert Woods, and Yasiel Puig were all targeted based on their social media postings, touring, or travel schedules.

Some platforms automatically include your location when you post, or offer it as an option. Always think twice before posting with your location; it makes crimes like stalking or burglary much easier if people know exactly where you are and when you are not at home.


4. Verify who you are talking to online

We might not always be talking to who we think we are, whether on social media, a networking site, or even email. An increasing number of attack methods are utilizing emotional connections/information found online to target unsuspecting victims.

Angler phishing is a newer method spreading across social media. The attack targets people reaching out for customer support on social media by engaging with them from a fake customer service account. Cybercriminals try to coax potential victims into handing over their account credentials or other personal data. To make sure you don’t fall for this scam, take these steps before giving any sensitive information to a customer support account:

  • Go to the official company website and reach out to their support from there. Also look for an official social media account that you can reach out to for support.
  • Look for account verification before engaging with a support account; verified accounts carry a blue badge with a check mark.

Business Email Compromise (BEC) is another scam to be wary of. In a BEC scam, the attacker gains access to a corporate email account, or spoofs its owner’s identity, to defraud the company or its employees, customers, or partners of sensitive information or money. These emails can be difficult to spot, so what are some ways you can “spot the spoof”?

  • Create mail-filter or intrusion detection system rules that flag e-mails from domains that look similar to the company’s own e-mail domain. For example, legitimate e-mail of would flag fraudulent e-mail of
  • Create an e-mail rule to flag e-mail communications where the “reply” e-mail address is different from the “from” e-mail address shown.
  • Color code virtual correspondence so e-mails from employee/internal accounts are one color and e-mails from non-employee/external accounts are another.
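The three checks above can be scripted against message headers. The following is an added example, not code from the original post: it assumes a hypothetical corporate domain `example.com`, uses constructed sample messages (the `.invalid` domains are reserved and never resolve), and flags lookalike sender domains (edit distance plus common homoglyph swaps), a Reply-To that differs from From, and an internal/external tag. Note that the From header is forgeable unless SPF/DKIM/DMARC are enforced at the gateway, so the internal tag is a hint, not proof.

```python
"""Spot-the-spoof checks for BEC: lookalike sender domains, Reply-To mismatch,
and internal/external tagging. Added example; COMPANY_DOMAIN and the sample
messages are hypothetical/constructed."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"   # hypothetical corporate domain
MAX_EDITS = 2                    # edit-distance threshold; tune per domain length

# Character swaps attackers use because they look alike in many fonts.
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def normalize(domain: str) -> str:
    """Lower-case, strip a trailing dot, and undo common homoglyph swaps."""
    d = domain.lower().strip().rstrip(".")
    for bad, good in HOMOGLYPHS:
        d = d.replace(bad, good)
    return d


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, legit: str = COMPANY_DOMAIN) -> bool:
    """True when `domain` is not the real company domain but imitates it:
    homoglyph swap, a couple of typos, or the real domain embedded in a
    longer one (example.com.login.invalid, example-com.invalid)."""
    raw = domain.lower().strip().rstrip(".")
    if raw == legit.lower():
        return False                      # the genuine domain is not a lookalike
    d, l = normalize(raw), normalize(legit)
    if d == l or levenshtein(d, l) <= MAX_EDITS:
        return True
    return l in d or l.replace(".", "-") in d


def reply_to_mismatch(msg) -> bool:
    """Reply-To present and pointing somewhere other than the From address."""
    from_addr = parseaddr(msg.get("From", ""))[1].lower()
    reply_to = parseaddr(msg.get("Reply-To", ""))[1].lower()
    return bool(reply_to) and reply_to != from_addr


def classify(msg):
    """Return (tag, flags): tag is 'internal'/'external' from the From domain
    (forgeable without SPF/DKIM/DMARC enforcement), flags lists BEC indicators."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    tag = "internal" if from_domain == COMPANY_DOMAIN else "external"
    flags = []
    if is_lookalike(from_domain):
        flags.append("lookalike-domain")
    if reply_to_mismatch(msg):
        flags.append("reply-to-mismatch")
    return tag, flags


# Constructed sample messages (not real traffic).
SAMPLE_MESSAGES = {
    "legit": "From: CFO <cfo@example.com>\nTo: ap@example.com\nSubject: Q3 numbers\n\nSee attached.\n",
    "lookalike": "From: CFO <cfo@examp1e.com>\nTo: ap@example.com\nSubject: Urgent wire\n\nWire today.\n",
    "replyto": ("From: CFO <cfo@example.com>\nReply-To: cfo.example@reply.invalid\n"
                "To: ap@example.com\nSubject: Urgent wire\n\nReply to this address.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLE_MESSAGES.items():
        print(name, classify(message_from_string(raw)))
```

Run it to see the legitimate message tagged internal with no flags, the homoglyph sender flagged as a lookalike, and the Reply-To redirect flagged even though the From header looks internal.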

The Naughty List:

1. Re-using/Weak passwords

A survey found that 55% of IT leaders have reused the same password across their work and personal lives. Using the same password for multiple accounts might make your credentials easy to remember, but if a cybercriminal gets one password, he or she now has access to every account that shares it. Having a separate password for each of your accounts limits the damage of any single breach.

The longer your password is the better. Instead of using just one word as your password, consider using a passphrase. A passphrase consists of multiple words strung together along with symbols, numbers, and upper and lowercase letters. To help you keep track of all of your passwords, consider using a password manager.


2. Using public WiFi for secure transactions

When using public WiFi you have no control over its security. To keep cybercriminals from capturing your personal information, wait until you are on a network you trust. If you really need to use public WiFi, always use a VPN to protect your traffic.


3. Installing applications from unverified sources

Downloading apps from unverified sources can load malware onto your device and may even enlist it in a botnet. Before installing an app, read the reviews and check who the vendor or developer is.

Applications should not hold permissions that are not necessary to perform their function. An application with a long list of permissions might not be exactly what you think it is, and you should think twice before installing it.

Examples of legitimate permissions an app might ask for:

  • Contacts
  • Location
  • Calendars
  • Microphone
  • Camera
  • Cellular Data


4. Ignoring software updates

WannaCry ransomware infected 200,000 unpatched Windows machines in May 2017. The patch needed to prevent WannaCry from infecting machines was available two months before the attack began, in March 2017.

Updating your computer’s software always seems to pop up at the wrong time but it is essential to your network security. Many hackers exploit unpatched software to gain access to computers and other devices.

How to keep your software secure and up-to-date:

  • Set up automatic updates if available for your computer operating system, browser, and applications.
  • Pay attention to software installation messages. Always make sure to pay close attention to the message boxes before clicking ‘OK’, ‘Next’, or ‘I Agree’.
  • Use antivirus software and antispyware. Equip all of your personal and organization’s devices with these, and remember to update software regularly.


Even if some of your habits fall on the naughty list, it is never too late to turn them around. Practicing safe cyber hygiene helps keep not only you secure, but also your organization. Employees are the first line of defense against cyber attacks and should be armed with the right knowledge, tools, and tactics. The best gift you can give your organization this holiday season is ensuring your employees have the knowledge needed to get on the nice list, because Santa isn’t the only one watching.

The post The Naughty or Nice List: Cyber Edition appeared first on LookingGlass Cyber Solutions Inc.

Don’t Be a Victim of Opportunity: Keep Your Network from Being Exposed by Mass Scanning

Threat actors are continuously looking for the easiest way into your network. Whether access is gained by social engineering your office assistant for his or her network credentials or by taking advantage of unpatched vulnerabilities, the less time and effort the bad guys have to put in, the bigger the return on investment.

How does mass scanning play into this? Mass scanning can reveal vulnerabilities in any internet-connected device: this includes IoT devices, personal computers and mobile devices, as well as critical infrastructure and even industrial control systems. Connected devices can be exploited at scale and cause havoc, as exhibited by the Mirai botnet and the 590,000 residential routers compromised by Russian Advanced Persistent Threat 28 (APT28, aka Fancy Bear).

A single scan can pinpoint vulnerable devices that can be exploited with malicious tools. The infected device can then be leveraged to scan for and exploit vulnerabilities on other devices on the network. The technique can also identify if there are any open ports or misconfigured certs on your network or on the networks of your third parties. This is important because overlooking these types of vulnerabilities is like leaving your doors open –  you are essentially inviting criminals to enter.

Continuing with the house analogy, conducting a mass scan is the equivalent of checking the door to see if it is unlocked and if anyone is home. Now, imagine that every home has 65,536 doors, each of which serves a particular purpose. These doors represent the ports (0 through 65535, for TCP and again for UDP) that can be available for each Internet Protocol (IP) address. Each port is used for a specific purpose or by a specific program. For example, port 80 is used for HTTP traffic (unencrypted web browsing), and port 25 is used for SMTP (mail transfer between servers).

A port scan sends a message to an IP address on a specific port (checking a specific door). For TCP, if the machine at the destination IP has that port “open” (the person responsible for that door is home and answers), it replies with a SYN/ACK and the connection can be completed. If the port is “closed” (nobody is using that door), the host answers with a reset (RST). If no answer comes back at all, the port is usually “filtered”: a firewall in the path has silently dropped the probe. Because every device directly connected to the Internet must have an IP address, and the number of IPv4 addresses is finite, specialized software or a script can send packets to every address (homes checked) and record the answers (doors answered), or lack thereof, as they arrive. This is the equivalent of a door-to-door survey. There are three main types of scans:

  • Horizontal: Horizontal scans sweep the entire IP space on a single port. For example, one can horizontally scan the Internet on port 80 to find every host exposing an unencrypted web server.
  • Vertical: Vertical scans are when every port is scanned on a single machine.
  • Block: Block scans can send multiple messages on various ports to different IP addresses. The most complete block scan would scan all the IP space on the entire range of ports.
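The open/closed/filtered distinction and the vertical and horizontal scan shapes described above can be seen in a small TCP connect scanner. This is an added example, not code from the original post; it probes only 127.0.0.1, opening a throwaway listener so there is a known-open port and picking an unbound port so there is a known-closed one. Scan only hosts you own or are authorised to test.

```python
"""Minimal TCP connect scanner: classifies each probed port as open (handshake
completed), closed (RST -> ECONNREFUSED) or filtered (silence until timeout).
Added example; the demo targets the local machine only."""
import socket
from contextlib import closing


def probe(host: str, port: int, timeout: float = 1.0) -> str:
    """Attempt a full TCP handshake with host:port and classify the outcome."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except ConnectionRefusedError:
            return "closed"        # host answered the SYN with RST
        except (socket.timeout, TimeoutError):
            return "filtered"      # no SYN/ACK and no RST: probably dropped by a firewall
        except OSError:
            return "error"         # e.g. host unreachable, no route
        return "open"              # SYN/ACK received, handshake completed


def vertical_scan(host: str, ports, timeout: float = 1.0) -> dict:
    """Vertical scan: many ports on a single host."""
    return {p: probe(host, p, timeout) for p in ports}


def horizontal_scan(hosts, port: int, timeout: float = 1.0) -> dict:
    """Horizontal scan: one port across many hosts."""
    return {h: probe(h, port, timeout) for h in hosts}


def start_listener(host: str = "127.0.0.1"):
    """Bind a throwaway listener so the demo has a known-open port.
    Returns (server_socket, port); close the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))            # port 0: let the OS pick a free port
    srv.listen(5)
    return srv, srv.getsockname()[1]


def free_port(host: str = "127.0.0.1") -> int:
    """Find a port nothing is bound to, giving the demo a known-closed port."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = free_port()
    try:
        for port, state in vertical_scan("127.0.0.1", [open_port, closed_port]).items():
            print(f"127.0.0.1:{port} -> {state}")
    finally:
        srv.close()
```

A connect scan completes the handshake and so is logged by the target; the SYN scans used by mass-scanning tools stop after the SYN/ACK (or RST) and need raw sockets, but they classify responses on exactly the same three outcomes.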

Scanning the entire Internet sounds like a challenging and resource-intensive task, but, in fact, publicly-available tools, scripts, and services can scan all 3.7 billion IPs in minutes. And actors, both good and bad, are actually doing it.

Don’t Leave Your Ports & Certs Unattended

While academic and security researchers, commercial companies, and malicious actors all mass scan the Internet for different purposes, malicious actors use this technique for more nefarious reasons. Port scanning is one of the first steps of active reconnaissance a threat actor performs before attacking a system. This scanning allows the actor to identify which ports are publicly accessible, what services are running on available ports, if the services are secured, and which are vulnerable. When the attacker identifies a vulnerable service, the port is then used to exploit the vulnerability and gain access to the system. Threat actors will always take the low hanging fruit (an exposed port or vulnerable service) where available.

Older devices that are running outdated and vulnerable software abound. Those devices can be exploited and remotely controlled to extract valuable information or used to infect other vulnerable devices and conduct disruptive operations. Today, malicious actors can weaponize security vulnerabilities within 24 hours of their disclosure. Once weaponized, actors can look for and exploit vulnerabilities immediately after they are disclosed, giving network defenders and system owners very little time to patch and secure their systems. Internet of Things (IoT) devices are even more vulnerable and can be exploited within minutes of being connected to the Internet.

What Your Organization Can Do

For end users and network defenders, blocking unwanted Internet traffic on unnecessary ports and ensuring security updates are promptly and/or automatically installed are generally effective against most malicious activity associated with mass Internet scans. To protect their internal networks from scanning, most organizations route all traffic in and out of the network through a central gateway (a perimeter firewall) that denies connections to unused ports by default. Advanced network defense solutions, such as LookingGlass’ IRD-100™, can ingest relevant and vetted data to detect and mitigate scanning activity against vulnerable or unsecured ports, including high-risk traffic from third-party vendors and the supply chain. Organizations can also invest in technology that provides situational awareness of their external footprint, so they can pinpoint exposures such as open ports and misconfigured certificates on their own and their third parties’ networks.


The post Don’t Be a Victim of Opportunity: Keep Your Network from Being Exposed by Mass Scanning appeared first on LookingGlass Cyber Solutions Inc.

Oops I Did It Again: The Truth About Insider Threat


You’ve likely heard the urban legend of the babysitter who gets a phone call from a killer and – spoiler alert – the call is coming from inside the house. Similarly, some of the biggest threats to your organization aren’t originating outside of your walls, but from the inside.

While the term “insider threat” is normally associated with employees going rogue and purposefully leaking/stealing/selling confidential information, what many people don’t realize is that accidental leaks can cause the same amount – or even more – damage. In fact, 51% of organizations deemed accidental/unintentional insider threat to be their biggest concern when asked to choose between either malicious or accidental insider threats.

Who is behind these accidental threats?

Now you’re probably thinking, how could someone unintentionally expose sensitive company information? Most often, it can be attributed to:

  1. Employees – Phishing is the most common tactic for launching an attack, and 30% of phishing messages are opened. More often than not, your employees are accidentally opening emails with a malicious attachment, giving the bad guys a way into your network to expose employee/customer information, intellectual property, and other proprietary information.
  2. Third Parties – This doesn’t just apply to vendors, but also independent subsidiaries, suppliers, etc. Essentially anyone connected to your network. Without the proper visibility into your third parties’ security posture, you have no idea if their cybersecurity is your weakest link.

Top enablers of accidental insider threat

The causes of accidental insider threat are nothing new – they are the exact same as any “normal” threat to the organization. Though these are basic cybersecurity issues that most are aware of, they are sometimes overlooked because they’re “what everyone already knows”.

  1. Phishing attacks
  2. Weak/reused passwords, as well as password sharing
  3. Unlocked devices
  4. Business email compromise
  5. Utilizing unsecured Wi-Fi networks

As an organization, what best practices can you implement to protect yourself from these accidental threats?

Keep a Clean Machine

To protect employee computers from malware, viruses, or other cyber threats, make sure they are remembering to keep anti-virus and anti-spyware up-to-date. If you can, regularly push automated scans to employee devices to help catch malware or viruses quickly, stopping attacks in their tracks.

Lock Down Your Login

Protecting login credentials is crucial; always use the strongest authentication the service offers, such as biometrics or other forms of multi-factor authentication. This makes it more difficult for the bad guys to reach the accounts that lead to confidential customer, employee, or company information.

Back it Up

It is always a good idea to make an electronic copy of important business documents that are saved in a secure cloud or on an external hard drive. This will help your business secure important data in case a computer or device is compromised – whether from ransomware,  hacker, etc. – and the data deleted.

When in Doubt, Throw it Out

Train your employees to be on the lookout for email, text, social media messages, or any online communication that seems suspicious. Phishing attacks have become more sophisticated, making them more difficult to spot. If you receive a message that seems slightly suspicious, even from a known source, it’s best to just toss it or send to your internal fraud department. This tactic will help you avoid becoming a victim of scams like the Business Email Compromise (BEC), also known as “man-in-the-email,” where attackers spoof an employee or executive email and then utilize social engineering in order to defraud a company. They’ll typically target higher-level employees who have access to funds or other financial/payment information. BEC campaigns have gained more traction in the past few years, seeing an 87% increase in incidents from 2016 to 2017.

Assess Your Third Party Risk

When thinking about insider threats, looking at the security posture of third parties who have access to your network, data, and facilities seems like a no-brainer. Think of a third party like one of your employees; they likely have the same access as employees, and sometimes more. Still, organizations aren’t emphasizing their third parties’ security posture enough: 32% of global organizations do not evaluate third-party cybersecurity.

Not all third parties are created equal in the risk that they bring to your organization. Here are some questions you should be asking when evaluating third party risk:

  1. What level of access does your third party have to your systems and network?
  2. How sensitive is the information they can access?
  3. What kind of damage is done if the information or system is exposed?

Once you have an idea of the type of data access and how much risk it brings to your organization, you can start to prioritize your third party security.

Addressing Risk from the Inside Out

Digital risk can originate anywhere, but more often than not it’s from those with insider access to your organization – whether third party or regular employee. Keeping the organization safe from cybercrime is the responsibility of each user, with the help of the enterprise. As cyber threats become more sophisticated, employees, executives, and even third parties need the right training and tools to stay current on the newest and prevailing cybersecurity threats. This knowledge will help them stay vigilant in their actions and understand how one accidental click could create a domino effect that could compromise your organization.

To learn more, contact us.

The post Oops I Did It Again: The Truth About Insider Threat appeared first on LookingGlass Cyber Solutions Inc.

Spooking the C-Suite: The Ephemeral Specter of Third-Party Cyber-Risk


Halloween movies are the perfect metaphor for breaking down today’s scariest supplier breach tropes.

If data breaches were a film genre, third-party cyber-risk would be the talk of producers and casting agents; it’s where the money is. Like a relentless killer who cannot seem to be destroyed, third-party breach scenarios dominate the headlines. The scares are all different (compromised health records, weapons designs, or automakers’ trade secrets) but the plot is the same: files leaked and stolen via compromised contractors, supply chains, or business partners.

From my vantage point counseling senior executives on cyber-risk management, it is easy to see why the ephemeral specter of third-party cyber-risk haunts the C-suite. It’s because when you’re operating in your company’s own familiar environment, you often miss the warning signs of danger lurking — until something hits you. Leaders complain they can spend untold sums and time ratcheting down their company’s internal security measures only to see their data and reputation suffer the consequences of errors and carelessness at other companies, seemingly out of their control.

Let’s break down a few third-party breach tropes and how to confront them:

The Partner You Don’t Know


Photo Credit: “Creature from the Black Lagoon”, Public Domain, from the Florida Memory Project hosted at the State Archive of Florida.

Just as the Creature from the Black Lagoon terrified boaters who stumbled onto his turf, many companies don’t learn of a third-party’s privileged access until a breach flops onto the deck and begins costly disruptions. Given how technology and business forces constantly evolve, it is very easy to overlook business partners who have accumulated through decentralized and delegated sourcing, M&A, and other shifts.

The best way to avoid a terrifying Halloween surprise (or any other time of year, for that matter) is to create cross-functional vendor management teams including sales, development, and marketing. These overseers can interface with both the chief information security officer’s (CISO) organization and other stakeholders, like the CFO. This will maintain an updated, central radar screen of third-party relationships to ensure that security, financial, and other controls are all evenly applied.

The Trusted Partner Who Proves to Be Risky

Dr. Jekyll probably aced his security interviews and contract negotiations. After all, he’s a scientist! But what oversight mechanism kicks in when a company you trust one minute becomes the equivalent of Mr. Hyde the next?

The solution requires more than annual audits, one-time compliance checks, or the threat of litigation. Companies are better served by configuring alerts that fire when their own intellectual property or the names of their business partners turn up on the Dark Web, paste sites, or the wider cybercrime underground. Often, the first appearance of breached data offers telltale indicators of whether the material was targeted directly or spilled out of a larger third-party breach. Early-warning measures like these help minimize needless exposure by helping find and remedy vulnerable systems.

The Promise and Peril of New Technology Frontiers

Dr. Frankenstein thought he could make death obsolete. In Event Horizon and Ex Machina, brilliant minds create new technologies that are awe-inspiring at first — but soon reveal terrifying, unintended consequences. Protagonists begin these films coolly and seemingly in control of technology that pushes boundaries but end up with more than they bargained for, and a total loss of control.

Today’s ubiquitous third-party data breaches fortunately do not cause loss of life or the rise of sentient machines. However, many a company has rushed to embed a hot new service provider’s remarkable technology without necessarily realizing or weighing the inherent risk being shouldered in the process. For example, companies that turned to a popular online chat tool, including Best Buy, Sears, and Delta Airlines, were affected when the high-profile, category-defining vendor behind the chat platform was hit with malware.

In fairness, any outsourced technology can be breached — not only those of hot, emerging startups. But this underscores the point that companies need to follow the trail to see where their data goes and “who” has access to “what.” While it’s unrealistic to expect a customer service leader to know her or his company’s entire risk appetite, it underscores the need to have cross-functional team-based approaches to sourcing and major investments in any new technology partner — particularly those running code on your site or in your product.

The Cliffhanger

THE END… or is it? When the 3:00 a.m. phone calls, harried email threads, tired spokespeople, and empty takeout containers subside after an exhausting data breach response, employees feel partially relieved. Yet they are also wary of “What else is out there?” This is akin to how our heroes feel after they finally destroy the last alien or zombie — right before the camera pans to an egg or one more infected person right before the credits roll. Hollywood and merchandisers love to set things up for a sequel, but executives and CISOs would be doomed to failure if they find themselves trapped in a reboot of the same breach screenplay six months later.

After every third-party breach affecting their business or a peer company, security leaders need to take stock of what happened, and study precursor activities or preconditions that allowed excessive risk to go unchecked. In some cases, attackers might have been remarkably lucky, or the root cause could be the result of unimaginable oversights in vendor behavior and decision-making.

It is true no organization can find everything that might be lurking in the night to do them harm. But taking a deeper look at these telling patterns can equip security professionals to speak up when they start hearing familiar assumptions and clichés from scripts they have seen too many times before.

Originally Posted on Dark Reading:—threats/spooking-the-c-suite-the-ephemeral-specter-of-third-party-cyber-risk/a/d-id/1333145 

The post Spooking the C-Suite: The Ephemeral Specter of Third-Party Cyber-Risk appeared first on LookingGlass Cyber Solutions Inc.

Keeping Our Nation’s Lights On… Cyber Threat Intelligence to Safeguard our Infrastructure


Imagine if our national electrical grid were to stop functioning with no immediate hope of re-establishment. The likelihood of such an event might not seem high but the impact on every home, business, and person in the nation would be significant.

The widespread ramifications of such an attack are the very reason our nation’s critical infrastructure (electric grids, power plants, etc.) is a prime target for those intending to cause significant harm to the country or, at a minimum, to spread fear and mass hysteria.

Having worked in the cybersecurity industry for more than three decades, and as LookingGlass’ CTO, there is nothing more important to myself or our company than to use every available asset and capability to provide our critical infrastructure providers with enhanced security against these types of attacks.

So, with the stakes set high, let me introduce what LookingGlass views as key ways to fortify critical infrastructure provider’s security posture.


Insight #1: Know the adversary and the target(s)

The first step is always to know the who, what, why, and how of a potential attack. The mitigation response for one risk or actor group may not apply to another. Some actors may be interested in fraud (via system data manipulation), whereas others may be motivated to sabotage or to cause harm, disrupting operational systems and rendering them useless. Depending on the target and intended outcome, the actors may use similar or quite different tactics, techniques, and procedures (TTPs). All of this reinforces the importance of quality intelligence, so you can better profile and understand potential adversaries and their objectives.

Consider developing a matrix similar to the one below that identifies high-level motives and use that matrix to develop strategies on threat response across each identified motive.

Figure: High-Level Adversary Categories and Objectives



Actor Example: NullCrew

  • Founded in 2012 to support Wikileaks founder Julian Assange
  • Responsible for multiple high profile cyberattacks
  • Preferred targets: Cable Companies & ISPs
    • Also targeted financial services companies, universities, Department of Defense, & technology companies such as Sony and ASUS
  • Members of NullCrew include: Zer0Pwn, rootcrysis, nopnc, and Siph0n
  • On February 1st, 2014, NullCrew claimed to have hacked Bell Canada and compromised their database server
  • Prior to the claim, the group published a list of leaked Bell Canada client information containing usernames, email addresses, plain-text passwords, and some credit card data


Insight #2: Understand the attack surface

Understanding the attack surface allows you to develop an understanding of where your organization is vulnerable and thus open to an attack, as well as any potential attack method. This is extremely significant when considering risk brought about by third parties.

Three aspects to scoping the attack surface are shown below.

Figure: Understanding the Intelligence Driven Attack Surface

Internet Intelligence

  • Collect the organization’s Internet points of presence and those of all related organizations. This should also include how those networks are interconnected and how traffic is routed to them.
  • Consider monitoring Border Gateway Protocol (BGP) for route changes as well as prefix (CIDR) origin announcements to detect either malicious reconfiguration or hijacking attempts.
  • Depending on the size of the critical infrastructure being protected, monitoring all changes and other relevant metadata (e.g. ownership/containment) for these networks could be a significant undertaking. Therefore, either plan for large data and processing capacity or use methods that focus only on specific networks and systems.
    Figure: Example of CIKR Internet POPs
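The BGP monitoring suggested above reduces to two questions for every announcement seen by a route collector: is one of our prefixes being originated by an ASN we do not expect, and has someone announced a more-specific inside one of our prefixes (which wins longest-prefix match and steals traffic even while our own route stays up)? The following is an added example, not the post’s tooling; the prefixes (documentation ranges), the ASNs (private range) and the observation feed are constructed, and the expected-origin baseline stands in for what you would build from your RPKI ROAs or IRR route objects.

```python
"""Flag origin changes and more-specific announcements for prefixes you own,
from a stream of (prefix, origin_as) observations. Added example; baseline and
observations are constructed (RFC 5737 documentation prefixes, private ASNs)."""
import ipaddress

# Hypothetical baseline: prefixes the organisation announces and the ASN(s)
# expected to originate each. Build this from ROAs/IRR/config in practice.
EXPECTED_ORIGINS = {
    "203.0.113.0/24": {64500},
    "198.51.100.0/22": {64500, 64501},   # legitimately multi-homed
}


def build_baseline(expected):
    """Parse the prefix strings once so each announcement check is cheap."""
    return [(ipaddress.ip_network(p), set(asns)) for p, asns in expected.items()]


def check_announcement(prefix, origin_as, baseline):
    """Return a list of (severity, message) alerts for one announcement.

    high : our exact prefix, or a more-specific inside it, from an unexpected AS
    info : a more-specific inside our prefix from one of our own ASNs
           (traffic engineering or a leak; worth a look either way)
    A less-specific covering route is not flagged: it cannot win longest match.
    """
    net = ipaddress.ip_network(prefix)
    alerts = []
    for owned, origins in baseline:
        if net.version != owned.version:
            continue                       # subnet_of() rejects mixed v4/v6
        if net == owned:
            if origin_as not in origins:
                alerts.append(("high", f"origin change: {prefix} announced by "
                                       f"AS{origin_as}, expected {sorted(origins)}"))
        elif net.subnet_of(owned):
            if origin_as in origins:
                alerts.append(("info", f"own more-specific: {prefix} inside {owned} "
                                       f"from AS{origin_as}"))
            else:
                alerts.append(("high", f"more-specific hijack: {prefix} inside {owned} "
                                       f"from unexpected AS{origin_as}"))
    return alerts


def scan(observations, expected=EXPECTED_ORIGINS):
    """Run every observation through the baseline and collect the alerts."""
    baseline = build_baseline(expected)
    alerts = []
    for prefix, origin in observations:
        alerts.extend(check_announcement(prefix, origin, baseline))
    return alerts


# Constructed observations, as a route collector feed might deliver them.
OBSERVATIONS = [
    ("203.0.113.0/24", 64500),      # normal
    ("198.51.100.0/22", 64501),     # second legitimate origin
    ("203.0.113.0/24", 64666),      # whole prefix originated by a foreign AS
    ("203.0.113.128/25", 64666),    # more-specific from a foreign AS
    ("198.51.100.0/23", 64500),     # own more-specific: TE or a leak?
    ("192.0.2.0/24", 64777),        # not our prefix: ignored
]

if __name__ == "__main__":
    for severity, message in scan(OBSERVATIONS):
        print(f"[{severity}] {message}")
```

Feeding this from live BGP data (a looking glass, a route collector, or a BMP stream) adds only the parsing step; the decision logic stays the same, and the baseline should be refreshed whenever your own announcements legitimately change.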


High-Quality Threat Intelligence

Once you have a well-defined understanding of what systems and processes to protect within your critical infrastructure, the next step is to collect relevant and actionable threat intelligence. There are many sources of threat intelligence that could be relevant to your critical infrastructure. Intelligence selection and refinement is a key part of maximizing the benefit to security operations. Consider choosing intelligence that provides insight into the behaviors associated with malicious activity and any indicators (network, social, host) that reveal active attacks. Types of intelligence for consideration:

  • Structured Threat Intelligence
    • Malware hosting/distribution particularly malware that has been crafted to attack Critical Infrastructure and Key Resources (CIKR) systems or by actors known to attack CIKRs
    • Virus/Botnet infection known to infect CIKR systems
    • Command-and-Control activity that may be detected in any phase of the kill-chain
    • Malicious/Scanning behavior
    • Spamming or Phishing observed that would target users or systems within CIKRs
    • Questionable Asset Use within CIKR networks or connected networks
    • Emergent vulnerabilities specifically relevant to CIKR systems
    • Malware network parameters and malicious certificate information that can be used to detect such behavior
  • Unstructured Threat Intelligence
    • Compromised Account Credentials of organization admins and known third parties that are responsible for CIKR maintenance
    • Reported breaches of third parties, especially those that are responsible for some aspect of CIKR systems
    • Vulnerabilities found/announced in a third party’s product that could be used to attack the CIKR environment
    • Suspicious domain registrations & spear phishing exposure that would result in attacks being launched against CIKR infrastructure identified during the internet intelligence phase.
Figure: Example of Unique Threat Types and Threat Instances
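The structured intelligence types above (command-and-control activity, malware hosting ranges, malicious certificates, scanning sources) only pay off once they are matched against your own telemetry. The block below is an added example, not LookingGlass code, of that matching: a small indicator feed of several types is run over a handful of key=value log lines, every hit is tagged with the kill-chain phase the indicator represents, and the hits are ordered so that command-and-control matches, which mean an existing foothold, come first. The feed, the log format, the phase names and all values are constructed for illustration.

```python
"""Match a mixed indicator feed against log lines (added example, constructed data)."""
import ipaddress
import re
from collections import namedtuple

Indicator = namedtuple("Indicator", "type value phase description")

# Constructed certificate fingerprint, not a real malicious certificate.
MALICIOUS_CERT_SHA1 = "0badc0de" * 5

# Constructed indicator feed. Phases are a simplified kill-chain labelling.
FEED = [
    Indicator("domain", "update-check.example", "c2", "beacon domain"),
    Indicator("cidr", "192.0.2.0/24", "delivery", "malware hosting block"),
    Indicator("cert_sha1", MALICIOUS_CERT_SHA1, "c2", "malicious TLS certificate"),
    Indicator("ipv4", "198.51.100.77", "recon", "known scanner"),
]

# Higher number = later in the kill chain = higher priority for response.
PHASE_ORDER = {"recon": 0, "delivery": 1, "c2": 2}

# Constructed log lines in a key=value style (DNS, proxy, TLS, firewall).
LOGS = [
    "ts=2015-09-01T10:00:01Z type=dns src=10.1.1.5 query=update-check.example",
    "ts=2015-09-01T10:00:02Z type=http src=10.1.1.5 dst=192.0.2.45 uri=/payload.bin",
    f"ts=2015-09-01T10:00:03Z type=tls src=10.1.1.9 dst=203.0.113.4 cert_sha1={MALICIOUS_CERT_SHA1}",
    "ts=2015-09-01T10:00:04Z type=fw src=198.51.100.77 dst=10.1.1.1 action=deny",
    "ts=2015-09-01T10:00:05Z type=dns src=10.1.1.7 query=intranet.corp",
]

def parse(line):
    """Turn 'k=v k=v' into a dict; unknown keys are simply carried along."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def _ip(value):
    """Parse an IP address, returning None for missing or malformed values."""
    try:
        return ipaddress.ip_address(value)
    except (TypeError, ValueError):
        return None

def matches(ind, fields):
    """Decide whether one indicator applies to one parsed log line."""
    if ind.type == "domain":
        name = fields.get("query") or fields.get("host")
        # Suffix match so that subdomains of a C2 domain are also caught.
        return name is not None and (name == ind.value or name.endswith("." + ind.value))
    if ind.type == "ipv4":
        return ind.value in (fields.get("src"), fields.get("dst"))
    if ind.type == "cidr":
        net = ipaddress.ip_network(ind.value)
        return any(addr in net for addr in map(_ip, (fields.get("src"), fields.get("dst"))) if addr)
    if ind.type == "cert_sha1":
        return fields.get("cert_sha1", "").lower() == ind.value
    return False  # unknown indicator type: ignore rather than alert on everything

def scan(lines, feed=FEED):
    """Return every indicator hit, most advanced kill-chain phase first."""
    hits = []
    for line in lines:
        fields = parse(line)
        for ind in feed:
            if matches(ind, fields):
                hits.append({
                    "ts": fields.get("ts"),
                    "src": fields.get("src"),
                    "phase": ind.phase,
                    "indicator": ind.value,
                    "why": ind.description,
                })
    # Stable sort keeps log order within a phase.
    return sorted(hits, key=lambda h: -PHASE_ORDER[h["phase"]])

if __name__ == "__main__":
    for hit in scan(LOGS):
        print(hit)
```

Ordering by phase is what turns a list of matches into a work queue: a host resolving a C2 domain or presenting a known-bad certificate is already compromised and belongs at the top, while a scanner being denied at the firewall is useful context but not an incident on its own.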

Connecting Human & Machine Insight

Intelligence derived from machine correlation of raw security data alone will not usually match what an effective combination of machine and human analysis can provide. Machine algorithms are effective at processing large volumes of data and well-known patterns that can be computed without ambiguity. In some cases they can learn to improve their function, provided sufficient training data and appropriate learning algorithms are applied with suitable guidance from skilled experts.

However, a human analyst often has context that the machine does not (data gaps). Human analysis can fill those gaps with understanding and insight that is not easily reduced to a program. The human element can also identify multi-factor context and relationships across apparently unrelated network behaviors that a machine-learning system would not identify with sufficient accuracy without substantial effort.

For critical infrastructure protection, having human expertise complement machine-driven analysis is a vital check-and-balance for both detection and response, especially when making automated decisions to mitigate threats driven by intelligence.

Figure: Aggregated Threat Risk Across CIKR Sectors

Insight #3: Profile and identify the (weakest) links

For many critical infrastructure providers, the weakest link in their attack surface may not be their own organization but a third-party provider or supply chain organization on which they rely. The risk introduced by organizations you do not directly manage depends heavily on their relationship to your business operations and their access to critical systems. If a third party has administrative rights to control or monitor critical infrastructure systems, it is as attractive a target as the primary owner of the equipment, and a compromise of that third party is effectively a compromise of those systems.

Continuous monitoring and assessment of third parties and supply chain organizations should be built into your security program, so that weak spots in your attack surface are both visible and actively responded to. Consider the following questions when assessing third parties:

  1. Do we know and understand active application vulnerabilities in our own org as well as our third parties?
  2. Can a third party be used to attack our infrastructure? If yes, what are the detection and response strategies for such an attack and how do they differ from an external adversary?
  3. Do we know what data has been leaked from our third parties or supply chain? If a third party is compromised how can that impact our own security posture?

Here are some key elements to monitor for both your organization and all third party vendors:

  • Network Footprint
  • System Compromises & Infections
  • Account Compromises
  • External Facing Vulnerabilities
  • Domain & Spear Phishing Risk
  • Intelligence Indications & Warnings

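Question 3 above (what happens to our posture when a third party is compromised) and the monitoring list that follows it are easier to answer when third-party access is written down as data rather than held in people's heads. The block below is an added example, not LookingGlass code, of that: a constructed access model records which external parties hold admin or read access to which systems, a dependency map records which systems rely on which upstream systems, and, given a party named in a breach report or credential leak, the code ranks the systems that are exposed directly through that party's access and transitively through what depends on them. Party names, system names, criticality values and weights are all assumptions for illustration.

```python
"""Rank systems exposed by a compromised third party (added example, constructed data)."""
from collections import defaultdict

# Constructed access model: party -> [(system, access level)].
ACCESS = {
    "vendor-scada-maint": [("historian-01", "admin"), ("hmi-02", "admin")],
    "vendor-network-msp": [("core-router-a", "admin"), ("core-router-b", "admin")],
    "vendor-analytics": [("historian-01", "read")],
}

# Constructed criticality scale (1 = low, 5 = safety-relevant).
SYSTEM_CRITICALITY = {
    "historian-01": 3,
    "hmi-02": 5,
    "core-router-a": 4,
    "core-router-b": 4,
}

# Constructed dependency map: system -> upstream systems it cannot operate without.
DEPENDS_ON = {
    "hmi-02": ["core-router-a"],
    "historian-01": ["core-router-b"],
}

# Assumed weights: admin access is full exposure, read access partial,
# and exposure that only arrives via a dependency is discounted.
ACCESS_WEIGHT = {"admin": 1.0, "read": 0.5}
TRANSITIVE_WEIGHT = 0.5

def dependents(depends_on):
    """Invert system -> upstreams into upstream -> [systems that depend on it]."""
    inverted = defaultdict(list)
    for system, upstreams in depends_on.items():
        for upstream in upstreams:
            inverted[upstream].append(system)
    return inverted

def exposure(party, access=ACCESS, criticality=SYSTEM_CRITICALITY, depends_on=DEPENDS_ON):
    """Systems put at risk if `party` is compromised, highest score first."""
    if party not in access:
        return []
    inverted = dependents(depends_on)
    exposed = {}
    pivots = []
    for system, level in access[party]:
        exposed[system] = {
            "system": system,
            "via": level,
            "score": criticality[system] * ACCESS_WEIGHT[level],
        }
        # Only admin-level access is treated as a foothold to pivot from;
        # read access to a historian does not reach the things behind it.
        if level == "admin":
            pivots.append(system)
    # Breadth-first walk over reverse dependencies from every foothold.
    while pivots:
        current = pivots.pop(0)
        for dependent in inverted.get(current, []):
            if dependent not in exposed:
                exposed[dependent] = {
                    "system": dependent,
                    "via": f"depends on {current}",
                    "score": criticality[dependent] * TRANSITIVE_WEIGHT,
                }
                pivots.append(dependent)
    return sorted(exposed.values(), key=lambda e: -e["score"])

if __name__ == "__main__":
    # e.g. a reported credential leak at the network MSP
    for entry in exposure("vendor-network-msp"):
        print(entry)
```

The output is the answer to the assessment question: for a leak at the network MSP it lists the two core routers first and then the HMI and historian that sit behind them, which is also the list of systems whose vendor credentials to rotate and whose admin logins to review, in that order.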

Insight #4: Effective Business Process Integration

One of the key factors in improved CIKR protection is how well the threat intelligence practice is integrated into the business processes that manage those CIKR systems. It is not just what data is collected, but how efficiently that data is refined, how effectively it is enriched, and whether the subsequent processing actually produces changes in the organization's security response.

This is particularly important when CIKR networks provide potentially life-saving services: the processes for identifying and responding to threats to those networks must be highly efficient and responsive. Data-processing systems and workflow processes do not exist in isolation from each other, and organizations must connect those elements with the data in a meaningful way that supports the security team and its operations.

The security team should focus on reducing incident time to resolution, increasing detection capability (and mitigation effectiveness), and the other operational metrics that a mature intelligence processing model makes measurable.

Figure: Example Intelligence Data to Reporting Operations Workflow

Protecting our nation’s critical infrastructure is an important issue that organizations need to prioritize. If some of the topics I outlined seem a few years down the road for your organization, then consider starting with the basics: continuously update and patch systems, regularly change passwords, train employees to identify and report cyber threats, and begin automating the mitigation of known threats in your systems.

If you would like to learn more about how LookingGlass can help secure your critical infrastructure, contact me @tweet_a_t or our team @LG_Cyber.


The post Keeping Our Nation’s Lights On… Cyber Threat Intelligence to Safeguard our Infrastructure appeared first on LookingGlass Cyber Solutions Inc..