Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

7/25/2014
01:40 PM
100%
0%

Researchers Develop 'BlackForest' To Collect, Correlate Threat Intelligence

Researchers at the Georgia Tech Research Institute develop the BlackForest system to help organizations uncover and anticipate cyberthreats.

Whether it's on the ground or in cyberspace, knowing that an army is going to attack you ahead of time is a nice advantage to have.

That idea is the linchpin of BlackForest, a new cyber intelligence collection system developed by experts at the Georgia Tech Research Institute (GTRI). The system is meant to complement other GTRI systems that are designed to help companies and other organizations deal with sophisticated attacks.

The system works by collecting information from a variety of sources on the public Internet, such as hacker forums and other sites where malware authors and others congregate. The system then connects the information and relates it to past activities to help organizations figure out if and how they are being targeted.

Users can identify sources of information along with keywords to focus on, says Christopher Smoak, a research scientist in the GTRI's Emerging Threats and Countermeasures Division.

"The system collects information from those sources and builds a common picture of the linkages provided by the information," he tells Dark Reading. "Analysts may then utilize the interface to customize the relationships generated if desired. Further, the system also integrates a number of automated analysis mechanisms to provide a baseline clustering, classification, and correlation capability."

For instance, "we may be interested in tying a username on a forum to a user in an IRC channel," he says. "This can help us in identifying interesting people, tools, and information through various linkages. Identifying someone on a forum that has previously posted credit card information as being related to someone active in IRC speaking of a future attack may lead us to conclusions about the type, scale, and potential target for such an attack."

As another example, if attackers are coordinating a DDoS attack via social media, the BlackForest system can measure the scale of involvement, as well as who is participating, who is coordinating, and other attack specifics. This can be used to prevent attacks as organizations learn more about common methodologies for communication and coordination.

There is also value in organizations tracking certain forums to see whether data has leaked.

"You have to monitor what's out in the wild that your company or organization owns," Ryan Spanier, head of the GTRI's Threat Intelligence Branch, said in a press release. "If you have something of value, you will be attacked. Not all attacks are successful, but nearly all companies have some computers that have been compromised in one way or another. You want to find out about these as soon as possible."

Smoak offered a hypothetical example about a company named Acme that wants to protect itself. "We monitor open-source data to identify any references to Acme. All of these references are automatically cross-referenced with other collected data, which happens to provide a linkage to a known threat actor. We can utilize what we already know about this actor to identify potential targets and techniques."

Two other GTRI cyber security systems are already available -- Apiary, a malware intelligence system that helps corporate and government security officials share information about the attacks they are fighting, and Phalanx, which helps fight spear phishing attacks.

"We want to provide something that is predictive for organizations," Spanier said. "They will know that if they see certain things happening, they may need to take action to protect their networks."

Brian Prince is a freelance writer for a number of IT security-focused publications. Prior to becoming a freelance reporter, he worked at eWEEK for five years covering not only security, but also a variety of other subjects in the tech industry. Before that, he worked as a ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
imeena
50%
50%
imeena,
User Rank: Apprentice
7/29/2014 | 2:46:28 PM
online Demo?
Sounds great!!! I hope you will soon have an online demo
securityaffairs
100%
0%
securityaffairs,
User Rank: Ninja
7/25/2014 | 5:35:03 PM
another step in the right direction
Threat Intelligence and Information sharing are principal discipline and practices to implement and adopt to mitigate cyber threats. BlackForest is just another piece of a greater puzzle, another step in the right direction, but we need a strong commitment and a global effort to make effective such initiatives.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .