Partner Perspectives  Connecting marketers to our tech communities.
4/1/2015
10:15 AM
Hardik Modi
Hardik Modi
Partner Perspectives
Connect Directly
Twitter
RSS
100%
0%

Application of Threat Indicators: A Temporal View

Better outcomes will be achieved when we're applying temporal considerations to threat indicators.

A tremendous amount of energy is being spent on the harvesting, curation, distribution, and sharing of threat indicators and associated intelligence in the enterprise space.

The emergence of sharing groups and platforms, standards such as STIX/TAXII, reports of discovery of threat activity based on shared intelligence points, and multiple government mandates related to threat information sharing all point to the rapid maturity cycle that this space is experiencing. And while the process of delivering intelligence to enterprises requires continued focus to ensure incremental benefit for each new participant in the network, the systematic application of such intelligence is necessary to achieve the security outcomes we're all looking for. In this post, I'm going to explore the temporal nature of the application of indicators.

To put some definitions in place, I refer to the application of indicators (IP addresses, URLs, domains, MD5 hashes) to future activity as the prospective application of threat indicators. Correspondingly, the application of indicators to historical data such as log management and SIEMs is known as the retrospective application of threat indicators. Both of these techniques have value but occasionally in strikingly different ways, and this distinction is worthy of examination.

Prospective application is typically done in or near real time, such as when a data loss prevention (DLP) solution might look for IP theft in embedded content or for a specific user-agent string or signing certificate for SSL sessions. A match can result in a rapid response on the part of the enterprise, either automated through the security product or via the incident-response process.

Optimizing Value

But for all the virtues of the prospective process, by the time your sharing platform delivers indicators based on observations made elsewhere, it's likely that the specific malware or command-and-control infrastructure has already been used against you. Therefore, there's limited value in continuing to scan for indicators that are ephemeral such as file hashes or IP addresses. This is the conundrum that David Bianco talks about in his "Pyramid of Pain" theory.

However, there is considerable value in being able to look backward through the retrospective application of indicators. Typically, stored historical data isn't quite as rich, and there are trade-offs that have to be made in terms of the nature and duration of the data that gets stored. For example, your options on the network range from full-packet capture to simple firewall logs, and from hours to eternity. Modern security operations centers that "assume breach" are always interested in learning about recent encounters with the adversary, so the fact that a specific hash was observed in an email to a key executive a week ago is a clear signal that a campaign has begun or resumed.

As you venture into the world of threat intelligence and indicator sharing, you'll want to consider optimizations. This is true across the spectrum, whether you happen to be a producer, distributor, or consumer of threat intelligence, or even the provider of the technology that enables the operationalization of data. Enterprises should be evaluating their providers with these objectives in mind -- for example, demanding the ability to apply rich indicators to historical events.

Better outcomes will be achieved when we're applying temporal considerations to threat indicators that are distributed and operationalized. 

Hardik Modi is Director of Threat Research at Fidelis Cybersecurity. He has over 15 years of experience in network and security product design and research. At Fidelis, he leads the Threat Research Team, responsible for threat intelligence that powers Fidelis XPS Advanced ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
kate25
50%
50%
kate25,
User Rank: Apprentice
3/18/2018 | 12:47:23 PM
Thanks
Thanks, Hardik Modi for sharing this your point of view.

I go through this article but I have little bits of confusion on Threat Indicators.
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Fidelis Cybersecurity provides organizations with a robust, comprehensive portfolio of products, services, and expertise to combat today's sophisticated advanced threats and prevent data breaches. Our commercial enterprise and government customers around the globe can face advanced threats with confidence through use of our Network Defense and Forensics Services – delivered by an elite team of security professionals with decades of hands-on experience – and our award-winning Fidelis XPS™ Advanced Threat Defense Products, which provide visibility and control over the entire threat life cycle.
Featured Writers
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-14889
PUBLISHED: 2018-09-21
CouchDB in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local code execution vulnerability.
CVE-2018-14890
PUBLISHED: 2018-09-21
Vectra Networks Cognito Brain and Sensor before 4.2 contains a cross-site scripting (XSS) vulnerability in the Web Management Console.
CVE-2018-14891
PUBLISHED: 2018-09-21
Management Console in Vectra Networks Cognito Brain and Sensor before 4.3 contains a local privilege escalation vulnerability.
CVE-2018-12169
PUBLISHED: 2018-09-21
Platform sample code firmware in 4th Generation Intel Core Processor, 5th Generation Intel Core Processor, 6th Generation Intel Core Processor, 7th Generation Intel Core Processor and 8th Generation Intel Core Processor contains a logic error which may allow physical attacker to potentially bypass f...
CVE-2018-17317
PUBLISHED: 2018-09-21
FruityWifi (aka PatatasFritas/PatataWifi) 2.1 allows remote attackers to execute arbitrary commands via shell metacharacters in the io_mode, ap_mode, io_action, io_in_iface, io_in_set, io_in_ip, io_in_mask, io_in_gw, io_out_iface, io_out_set, io_out_mask, io_out_gw, iface, or domain parameter to /ww...