The world faces a rapidly changing array of advanced cyber threats that pose a greater danger than ever before.
The New Cyberthreat Landscape
The headlines are ablaze with the latest stories of cyberattacks and data breaches. New malware and viruses are revealed nearly every day. The modern cyberthreat evolves on a daily basis, always seeming to stay one step ahead of our most capable defenses.
Every time there is a cyberattack, government agencies gather massive amounts of data. To keep pace with the continuously evolving landscape of cyberthreats, agencies are increasingly turning toward applying advanced data analytics to look at attack data and try to gain a deeper understanding of the nature of the attacks. Applying modern data analytics can help derive some defensive value from the data gathered in the aftermath of an attack, and ideally avert or mitigate the damage from any future attacks.
Analytics Pushes the Data-to-Decision Speed Limit
The one constant about today’s cyberthreat landscape is it is always evolving. The most sophisticated threats are constantly changing to adapt to whatever defenses are mounted against them. The day you think your defenses are sufficient is the day you are likely the most vulnerable. That’s not to say all defenses are vulnerable.
Many attacks are the same types organizations have been defending against for years. They know what they are and how they happen. Most of the security solutions already in place deal with them sufficiently. Some 80 percent of the attacks organizations experience each day are of a known variety.
It’s that other 20 percent that causes the most damage. Besides being more complex than traditional threats security solutions were designed to handle, they’re also relatively new. The complexity and unfamiliarity many organizations have with these new threats vastly increases the chances of them penetrating defenses.
This new era of cyberthreats arguably began with the Conficker worm, first detected in late 2008. This worm exploited vulnerabilities in Microsoft’s Windows operating system. In total, the Conficker worm infected millions of government, business and home systems in more than 190 countries.
Quality and Quantity
Organizations are currently threatened not only by the depth and complexity of the attacks themselves, but also the sheer number of attacks being thrown at them. That’s largely a result of the recent industrialization of the malware industry. Commodity exploit kits have emerged that incorporate the skill and expertise of the best malware coders.
“Essentially what you have is almost a parallel of what you’ve seen in the commercial software industry,” says Bob Stasio, IBM’s senior product manager, IBM i2 Enterprise Insight Analysis (i2EIA). “What these guys have done is put their skills into easy to use kits that sell online or on the Dark Web for a couple of thousands of dollars or cheaper.”
GovRAT is one recently discovered kit, for example. This kit bundles malware with fake digital certificates attackers can use to breach public key infrastructures (PKI). The author actually advertises it as an ideal tool for APT campaigns, and reportedly sells it for around $1,200.
Just one of the GovRAT botnets that was found and identified suggested the kind of haul hackers can achieve with this type of toolkit. Compromised accounts and infected network hosts were reportedly found at the U.S. Army, Defense Manpower Data Center, U.S. Marine Corps and defense subcontractor sites.
Cyberthreat Analysis is Essential to Defense
Cyberthreats have evolved to where the most dangerous include a subtle, complex and constantly changing mix of technical expertise and unpredictable creativity. Consequently, traditional cyberdefenses have struggled to keep pace. Designed to counter more clearly defined attacks, they’ve had a hard time tackling these highly agile and far more amorphous threats.
Increasingly sophisticated cyberthreat analysis solutions help organizations meet this challenge. Using intelligence analysis techniques similar to those of other domains such as military operations, the aim is to collect threat-related data from as many relevant sources as possible, then analyze that data to develop a clear picture of the what, where, how and why of both current and potential threats.
Cyberthreat analysis “combines the disciplines of information security, forensic science and the ability to understand how to conduct an investigation; with a historical, intelligence analysis discipline,” says Bob Stasio, IBM’s senior product manager, IBM i2 Enterprise Insight Analysis (i2EIA).
Many organizations understand the importance of threat intelligence to their cybersecurity. However, most can’t get much traction either collecting the right data or extracting accurate intelligence from it. The Ponemon Institute revealed exactly that situation in a recent survey. Fully two-thirds of the 700 or so technology professionals they queried said they understood the importance of threat intelligence in keeping up with potential attackers.
Collecting and categorizing data used to mean a laborious effort on the part of analysts. They would sift through reams of sensor information and logs and deposit the results in spreadsheets or other forms. Even then, extracting any kind of actionable analysis wasn’t easy.
Ideally, a data visualization environment lets analysts represent all applicable information in a variety of different ways, such as entities, events and timelines, and through links that show associations between people and entities or with other attributes. That way, analysts can not only strip away the noise hiding important information, but can also more easily see associations that wouldn’t be as clear in a non-visual environment.
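The entity-link-timeline view described above, as an added example that is not part of the original article or of any IBM product: a few constructed log events (the hosts, users, IP and hash values are invented) are indexed by the entities they mention, hosts are then connected through any shared entity, and the entities that tie more than one host together are reported as the links an analyst would want drawn.

```python
from collections import defaultdict

# Constructed sample events (not real telemetry). Each record is one sensor
# observation; the field names are assumptions for this example.
EVENTS = [
    {"ts": "2024-01-10T08:01", "source": "proxy", "user": "alice", "host": "ws-11", "dst_ip": "203.0.113.7"},
    {"ts": "2024-01-10T08:05", "source": "edr",   "user": "alice", "host": "ws-11", "sha256": "ab12-placeholder"},
    {"ts": "2024-01-10T09:40", "source": "auth",  "user": "bob",   "host": "ws-23"},
    {"ts": "2024-01-11T22:13", "source": "proxy", "user": "bob",   "host": "ws-23", "dst_ip": "203.0.113.7"},
    {"ts": "2024-01-11T22:20", "source": "edr",   "user": "carol", "host": "srv-02", "sha256": "ab12-placeholder"},
    {"ts": "2024-01-12T10:00", "source": "proxy", "user": "dave",  "host": "ws-40", "dst_ip": "198.51.100.9"},
]

# Attributes treated as entities that can link two events together.
LINK_FIELDS = ("user", "host", "dst_ip", "sha256")

def build_links(events):
    """Map each entity (field, value) to the set of event indices that mention it."""
    index = defaultdict(set)
    for i, ev in enumerate(events):
        for field in LINK_FIELDS:
            if field in ev:
                index[(field, ev[field])].add(i)
    return index

def connected_hosts(events, seed_host):
    """Hosts reachable from seed_host by walking events that share any entity."""
    index = build_links(events)
    seen = set(index[("host", seed_host)])
    frontier = list(seen)
    while frontier:
        i = frontier.pop()
        for field in LINK_FIELDS:
            if field in events[i]:
                for j in index[(field, events[i][field])]:
                    if j not in seen:
                        seen.add(j)
                        frontier.append(j)
    return sorted({events[i]["host"] for i in seen})

def pivots(events):
    """Entities observed on more than one host: the associations worth drawing as links."""
    out = {}
    for (field, value), idxs in build_links(events).items():
        hosts = {events[i]["host"] for i in idxs}
        if field != "host" and len(hosts) > 1:
            out[(field, value)] = sorted(hosts)
    return out

def timeline(events, hosts):
    """Chronological (timestamp, source, host) rows for the given hosts."""
    rows = [(ev["ts"], ev["source"], ev["host"]) for ev in events if ev["host"] in hosts]
    return sorted(rows)  # ISO-8601 timestamps sort correctly as strings
```

Run on these records, ws-11 connects to ws-23 through the shared destination IP and to srv-02 through the shared file hash, while ws-40 stays isolated; that is the association a flat spreadsheet hides and a link chart shows.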
Analysis is Essential
Cyberthreat analysis is defined by an intelligence cycle that works from an understanding, based on these questions, that an organization doesn’t know from the onset the threats arrayed against it, where they are coming from, what they can do and how the organization can respond. That runs counter to traditional cybersecurity, where the threats and available protection are more or less known entities.
An important part of cyberthreat analysis is to know an organization’s risk of security breaches. That means knowing such things as the effectiveness of existing security controls and security patch processes, the location of the most sensitive data, and where the computers and devices that can access the network and data reside.
As with other aspects of the intelligence cycle that drives cyberthreat analysis, risk analysis done right will provide, in near real time, a detailed look at an organization’s security posture and its potential risk profile.