BOSTON -- Threat intelligence can be invaluable in strengthening an organization's ability to quickly detect or prevent resourceful cyberadversaries, but not all threat intel feeds are created equal; even the most reputable sources need to be tested for fidelity.
That was a key message offered Thursday at Hewlett-Packard Co.'s Security Research Live event held here by the HP Security Research (HPSR) team.
"The adversary is well-resourced and very skilled," said Dan Lamorena, senior director of software enterprise security products at HP. "We may have security budgets, but they are a money-making business."
Worse yet, attackers are often able to exploit enterprises because those organizations don't tend to basic information security hygiene. The most commonly exploited problems, according to HPSR, are poor patching processes (HPSR found that the most compromised vulnerability of 2014 was a flaw in Windows that was patched in 2010), server misconfigurations, the growth of BYOD and shadow IT -- both of which make perimeter security a much more nebulous proposition -- and the explosion of new, previously unseen malware.
Jewel Timpe, senior manager of threat research at HP, repeatedly mentioned that many of the attacks seen in 2014 were performed using vulnerabilities that were 2 to 4 years old, yet at the same time, pointed out that new malware is on the rise. HPSR noted in its 2015 Cyber Risk Report, released this week, that nearly 140 million unique malware samples were found in 2014, and that it expects that number to rise to 200 million in 2015.
One emerging method to combat these trends, said Timpe, is threat intelligence.
"Threat intelligence is one of the most important aspects of security that people don't talk about enough," said Nick Lombardi, director of IT at Bedford, Mass-based cloud services vendor Data Intensity LLC, who attended the event. "There is immense value in correctly analyzing threat data."
Vetting threat intelligence sources
Security engineer Matthew Cwieka and IT SOC content development advisor Jonathan Nunez from Woonsocket, R.I.-based retailer and health care company CVS Health Inc., presented their organization's practices for getting the most from threat intelligence, specifically vetting threat intelligence sources.
The five major sources for threat intelligence data are: free indicator feeds, paid feeds, bulletins, internal intelligence gathering and strategic partnerships. Cwieka noted that free feeds will bring the most challenges in terms of accuracy, but even information from paid feeds and bulletins should be put through regression testing, and have IPs and domains investigated to avoid accidentally blocking too many addresses.
"I've been burned before," Cwieka said. "Bulletins might list an IP address linked to dozens of domains, only one of which was relevant. Or, a domain would be listed without a history of related IPs."
Cwieka also described the need to accurately interpret bulletin data, which is often targeted at a wide audience but can be valuable for gathering situational awareness and context. Nunez said that it is important to evaluate all gathered data for relevancy to an organization, and to have well-defined procedures for threat intelligence data handling.
"Solid threat intelligence handling will ensure agile and effective posturing against emerging threats," Nunez said. "Data gathering and long-term trending can be used to back feed SIEM, drive security initiatives, and [can be] used by executive leadership in decision making."
Cwieka emphasized the need for testing and analysis of threat intelligence data before building certain sources or practices into a security policy, as well as long-term trending and reporting on the accuracy and relevance of threat intelligence data. He said this can be key to pinpointing recurring problem vectors, patching gaps, finding commonly attacked users or systems, identifying persistent attackers, and providing data for sharing with partners.
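The vetting and accuracy-tracking practices described above (investigating feed IPs and domains before blocking them, and trending each source's accuracy over time) can be sketched in a few lines of Python. The following is an added example written for this article; it is not code from CVS Health, HP or any product mentioned here. The feed entries, passive-DNS-style context, allowlist and analyst-labelled match history are all constructed sample data, and the shared-hosting threshold of 50 domains is an assumed tuning value.

```python
import ipaddress
from collections import defaultdict

# Constructed sample feed: (indicator, type, source feed name).
# The IPs use RFC 5737 documentation ranges so nothing here is a real host.
SAMPLE_FEED = [
    ("203.0.113.45", "ip", "free-feed-a"),
    ("198.51.100.7", "ip", "paid-feed-b"),
    ("192.168.1.10", "ip", "free-feed-a"),            # RFC 1918: cannot be an external threat
    ("evil-example.test", "domain", "bulletin-c"),
    ("no-history-example.test", "domain", "free-feed-a"),
    ("partner-example.test", "domain", "free-feed-a"),  # on the organization's allowlist
]

# Constructed context an analyst would normally pull from passive DNS and an asset inventory.
CONTEXT = {
    # distinct domains observed hosted on each IP (a high count means shared hosting)
    "domains_on_ip": {"203.0.113.45": 340, "198.51.100.7": 2},
    # historical resolutions per domain
    "ip_history": {"evil-example.test": ["198.51.100.7"], "partner-example.test": ["192.0.2.8"]},
    # business-critical or partner infrastructure that must never be blocked
    "allowlist": {"partner-example.test", "192.0.2.8"},
}

# Assumption: an IP hosting more domains than this is treated as shared hosting.
SHARED_HOSTING_THRESHOLD = 50

# Only RFC 1918, loopback and link-local ranges are checked here, so that the
# documentation-range sample IPs above are still treated as routable.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def vet_indicator(indicator, kind, ctx):
    """Return (verdict, reason); verdict is 'block', 'review' or 'reject'."""
    if indicator in ctx["allowlist"]:
        return "reject", "on organization allowlist"
    if kind == "ip":
        try:
            addr = ipaddress.ip_address(indicator)
        except ValueError:
            return "reject", "not a valid IP address"
        if any(addr in net for net in NON_ROUTABLE):
            return "reject", "non-routable address"
        hosted = ctx["domains_on_ip"].get(indicator, 0)
        if hosted > SHARED_HOSTING_THRESHOLD:
            # Blocking the IP would also block every unrelated tenant on it.
            return "review", f"shared hosting ({hosted} domains); block at domain level instead"
        return "block", "routable, low-density IP"
    if kind == "domain":
        history = ctx["ip_history"].get(indicator)
        if not history:
            return "review", "no resolution history to corroborate"
        if any(ip in ctx["allowlist"] for ip in history):
            return "reject", "resolves to allowlisted infrastructure"
        return "block", "domain with corroborating IP history"
    return "reject", f"unknown indicator type {kind!r}"


def vet_feed(feed, ctx):
    """Vet every entry of a feed; returns {indicator: (verdict, reason)}."""
    return {ind: vet_indicator(ind, kind, ctx) for ind, kind, _src in feed}


# Constructed analyst-labelled history of past SIEM matches:
# (source feed, indicator, analyst confirmed it as a true positive).
MATCH_HISTORY = [
    ("free-feed-a", "203.0.113.45", False),
    ("free-feed-a", "203.0.113.45", False),
    ("free-feed-a", "no-history-example.test", True),
    ("paid-feed-b", "198.51.100.7", True),
    ("paid-feed-b", "198.51.100.7", True),
    ("bulletin-c", "evil-example.test", True),
    ("bulletin-c", "evil-example.test", False),
]


def feed_precision(history):
    """Per-source precision: share of matches analysts confirmed as true positives."""
    counts = defaultdict(lambda: [0, 0])  # source -> [true positives, total matches]
    for source, _indicator, true_positive in history:
        counts[source][0] += 1 if true_positive else 0
        counts[source][1] += 1
    return {src: tp / total for src, (tp, total) in counts.items()}


if __name__ == "__main__":
    for ind, (verdict, reason) in vet_feed(SAMPLE_FEED, CONTEXT).items():
        print(f"{verdict:7} {ind:28} {reason}")
    for src, precision in feed_precision(MATCH_HISTORY).items():
        print(f"{src}: precision {precision:.2f}")
```

Indicators that land in the "review" bucket are the ones Cwieka's examples point at: an IP that fronts hundreds of unrelated domains, or a domain with no resolution history to corroborate it. The precision figures are what a long-term trending report would accumulate per source, so a feed whose confirmed-hit rate keeps falling can be demoted before it is wired into a blocking policy.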
"We may compete in some business arenas," said Rick Hanson, vice president of worldwide sales and enterprise security products at HP, in reference to the growing vendor competition in the threat intelligence realm, "but, at the end of the day, we're all in it together when it comes to security."