Traditional threat intelligence is generally useless against new zero-days, vulnerabilities and attack techniq...
Threat intelligence you get from threat feeds is useful for describing active threats and the characteristics -- or indicators -- that identify them; however, it won't tell you what elite coders and cyber adversaries are secretly working on. For that information, you'll need to look elsewhere -- no one wants to be patient zero at the onset of the latest threat or zero-day attack.
White hat hackers working on the front lines of cybersecurity can get this data for you by working disguised as black hats. They win the trust of criminal hackers, gain access to closed forums on the dark web, and retrieve new attack tools and data about new malware, stolen credentials that are for sale, access to compromised computers, and data dumps.
Infosec professionals can benefit from knowing what white hat hackers have to offer. Depending on a security professional's position in an organization, they may choose to contract, hire or recommend white hats before a new threat reveals itself.
What threat intelligence won't tell you
Traditional threat intelligence comes from threat feeds and sources, such as the SANS Internet Storm Center and US-CERT.
Traditional threat intelligence includes semi-actionable, machine-consumable data such as indicators of compromise (IoCs): malware hashes, command-and-control server IP addresses, hostnames and file paths, said Francisco Donoso, a veteran security expert and head of managed security services architecture at Kudelski Security.
Despite containing so much data, traditional threat intelligence sources only share information about two kinds of threats. Non-actor-specific threat intelligence provides information about ongoing attacks and tools, said Ryan Olson, a contributing author of Cyber Fraud: Tactics, Techniques and Procedures. These are threats and tools you can learn about based on attacks the industry has already witnessed. These threats do not necessarily target a specific company or industry.
Organization-specific threat intelligence informs you about known active threats that target you or your enterprise specifically, Olson said. So, if an attack focuses on the finance industry and you are in that industry, these threats could directly affect your organization, if, for example, you use the software the criminal hackers are targeting.
However, traditional threat intelligence won't tell you whether your own systems carry specific vulnerabilities, or what new tools and threats criminal hackers are developing. White hat hackers, by contrast, can not only provide penetration testing, but can also gather information about threats specific to your organization and its IT environment.
Why traditional threat intelligence can't help you here
Traditional threat intelligence begins with patient zero, which is the first system affected by an attack. This threat intelligence is useless against nonpublic zero-day attacks and entirely new vulnerabilities and attack techniques, like when weaponized AI and Meltdown, Spectre and Process Doppelganging first arrived on the scene, said Rene Kolga, a Certified Information Systems Security Professional and 10-year veteran cybersecurity expert.
The Meltdown and Spectre attacks target new vulnerabilities in computer processors, while Process Doppelganging is a new fileless code injection technique for malware that evades detection. Weaponized AI, meanwhile, is any malware or attack method that benefits from the use of artificial intelligence.
As sophisticated as these attacks sound, it is not difficult for attackers to adopt new attack tools and techniques.
"It is so easy to modify a malicious binary using a packer or crypter," Kolga said. "Anyone can do it in minutes using tools that cost from $25 to nothing that you can find on the internet."
Packers and crypters are software applications that alter malware files using techniques such as encryption, compression and obfuscation to evade detection by security products. In last year's Copperfield attack in the Middle East, malware writers used a $25 crypter called BronCoder, according to Kolga.
"Cryptex is another popular one," Kolga said. "However, it looks like authorities arrested its creator earlier this year."
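The two points above, that feed-based intelligence consists largely of indicators such as hashes, C2 addresses, hostnames and paths, and that a packer or crypter changes a file's bytes so that its hash no longer matches, can be shown together in a short matcher. The following is an added example written for this article, not code from the article's author or from any vendor quoted in it. Every indicator and log line is constructed (documentation IP range, example.net hostname, a made-up path, and a hash computed from an arbitrary byte string); zlib compression stands in for what a packer does to a file's bytes, purely to show the hash changing.

```python
import hashlib
import re
import zlib

# Constructed stand-in for a binary that a threat feed has fingerprinted
# (arbitrary bytes, not a real sample).
SAMPLE = b"constructed stand-in for a known malicious binary, version 1"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed feed entry in the shape the article describes: a file hash, a
# command-and-control IP, a hostname and a file path. None is a real indicator.
IOCS = {
    "sha256": {sha256_hex(SAMPLE)},
    "ip": {"198.51.100.23"},                       # TEST-NET-2 documentation range
    "hostname": {"update-check.example.net"},
    "path": {"c:\\users\\public\\svchost32.exe"},  # stored lowercase; Windows paths are case-insensitive
}

# Constructed proxy, EDR and firewall log lines in a simple key=value format.
LOGS = [
    "2024-05-01T10:00:01Z proxy client=10.0.0.5 dst=update-check.example.net:443 action=allow",
    "2024-05-01T10:00:02Z edr host=WS-12 event=process_create "
    f"path=C:\\Users\\Public\\svchost32.exe sha256={sha256_hex(SAMPLE)}",
    "2024-05-01T10:00:03Z fw src=10.0.0.7 dst=198.51.100.23 proto=tcp dport=8080",
    "2024-05-01T10:00:04Z proxy client=10.0.0.9 dst=www.example.org:443 action=allow",
]

KV = re.compile(r"(\w+)=(\S+)")


def match_line(line: str) -> list:
    """Return (kind, value) pairs for every field of the line that hits an indicator."""
    hits = []
    for key, value in KV.findall(line):
        candidates = {value.lower()}
        # Network fields may carry a port; also try the bare host.
        if key in ("dst", "src") and ":" in value:
            candidates.add(value.rsplit(":", 1)[0].lower())
        for kind, values in IOCS.items():
            for candidate in candidates:
                if candidate in values:
                    hits.append((kind, candidate))
    return hits


def scan(lines) -> list:
    """Run the matcher over a batch of log lines; returns (line_index, kind, value) tuples."""
    return [(i, kind, value)
            for i, line in enumerate(lines)
            for kind, value in match_line(line)]


def hash_ioc_matches(data: bytes) -> bool:
    """True if the bytes hash to a value present in the feed."""
    return sha256_hex(data) in IOCS["sha256"]


def repacked(data: bytes) -> bytes:
    """Stand-in for the effect of a packer on a file: the bytes on disk change.
    Plain zlib compression is used here only because it changes the bytes."""
    return zlib.compress(data)


if __name__ == "__main__":
    for i, kind, value in scan(LOGS):
        print(f"line {i}: {kind} indicator hit -> {value}")
    print("original sample matches hash IoC:", hash_ioc_matches(SAMPLE))
    print("repacked sample matches hash IoC:", hash_ioc_matches(repacked(SAMPLE)))
```

Running the block shows four indicator hits across the first three lines and none on the benign fourth line, then that the hash indicator matches the original bytes but not the repacked ones. The network and path indicators in the same feed are unaffected by repacking, which is why defenders weight hashes as the most brittle indicator type and lean on the others, plus behavioral detection, for threats that have not yet been catalogued.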
An attacker can upload new malware to nodistribute.com, which uses 35 top antivirus engines to test whether they can detect malicious code, Kolga said. Because the site does not distribute the scan results to anyone, no one can add data about these threats or signatures to threat intelligence or antimalware tools.
While such a scanning service is a useful source of information for those who use it, the exercise demonstrates how easily malicious code can sneak past traditional threat intelligence services.
Editor's note: Stay tuned for part two of this series on white hat hackers and threat intelligence services, which will discuss the value of monitoring the dark web and black hat communities.