Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

1/3/2019
10:30 AM
Tim Helming
Tim Helming
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

Redefining Critical Infrastructure for the Age of Disinformation

In an era of tighter privacy laws, it's important to create an online environment that uses threat intelligence productively to defeat disinformation campaigns and bolster democracy.

When we think of critical infrastructure in the cyber context, we tend to think about industrial control systems for power plants and water treatment facilities, or the electronic ballet box. But in today's environment, when disinformation is a major threat vector to our national security, it's important to expand these preconceptions.  

Let's start with the basic tenet that an informed citizenry is foundational to the integrity of a democratic system.  In that context, certain sources of information — especially those outside of entertainment or commerce — can also be considered critical. The concept of a newspaper of record, which was established long ago, is a good example, along with their modern equivalents such as radio, television, and Internet media. These institutions play an important role in shaping public opinion and policy decisions.

Although news sources have always carried some degree of editorial bias, the bias in journals of record is based on an assumption that, whatever the bias, the foundation of the reported information is personal observation and recorded fact. Now that "alternative facts" have become mainstream, understanding sources of (mis)information and combating overt information warfare operations demands the rigor of critical infrastructure protection.

The Unintended Consequences of Privacy Regulations
We are also seeing the potentially detrimental effects of well-meaning privacy legislation, which has been enacted at a particularly inopportune time given the rise in fake news and election meddling. The European Union's General Data Protection Regulation (GDPR), the California Consumer Privacy Act of 2018, and the Canadian Personal Information Protection and Electronic Documents Act are all positive steps forward in protecting citizens. But, as is so often the case, these well-intentioned efforts have unintended consequences.

While there is no doubt that privacy regulation aims to safeguard citizens' private data, these new laws are also hampering cybersecurity efforts — specifically, in the context of security analysts' ability to gather and share threat intelligence about suspicious or malicious online infrastructure. As a particularly concerning example, privacy rules have taken a large bite out of the data available through the domain Whois services, making domain ownership largely opaque to investigators. This is significant, because analysis of infrastructure through a combination of DNS and registration data has been a mainstay of threat intelligence operations for years.

It's true that threat actors have used Whois privacy for years to cover their tracks. But they have also routinely used bogus registration information to cover their tracks. Sooner or later, many of them slip up, and those mistakes help investigators and analysts crack open emerging or ongoing attack campaigns. That's why it is critical that security researchers have access to registration and infrastructure information that can identify the actors behind cyber incidents of all kinds — including fake news campaigns and outright election tampering. Threat research from FireEye on Iranian operations further emphasizes the importance of this kind of  threat intel.

This One Weird Trick to Save Democracy
OK, "save democracy" is perhaps a bit of hyperbole, but the underlying point is valid: Using threat intelligence productively in the effort to defeat disinformation campaigns is important for creating an online environment that bolsters democracy in an age of tighter privacy laws. While the removal of identifying information from domain Whois records has put a crimp in adversary infrastructure analysis workflows, it is by no means a showstopper. With the current privacy limitations on how data can be used and shared, cybersecurity professionals simply will need to understand how their efforts to combat threat actors are affected.

The good news is that analysts and hunters still can very effectively identify and combat cyber threats. But it will require going beyond Whois with shifts in long-ingrained workflows and practices used in adversary analysis. For example:

  • Registration details certainly have been some of the lowest-hanging fruit for developing an actor persona or mapping a campaign. But there is a wealth of other data that can often be just as effective. Examples include DNS records (including Start of Authority, or SOA, records, which are email addresses), as well as web content such as SSL/TLS certificates, tracking codes, website titles, and screenshots. When actors create the infrastructure for an attack campaign, they often reuse many of these elements across multiple domains. It would be costly in terms of time and, in some cases money, for them to do otherwise. This is to your advantage when correlating threat actor assets.
  • Remember that doxing isn't your goal (unless you're in law enforcement, perhaps). When trying to understand an emerging or evolving attack campaign, the most valuable aspect of attribution is to identify a persona (like a "John Doe" profile in physical crime investigations) that ties together the domains, IP addresses, web assets, malware files, and other components of the campaign. You don't need an actual, genuine identity. Even in the days of open Whois records, it was very hard to be certain that a given identity was legitimate.
  • Once a persona or correlated set of attack infrastructure has been identified, it becomes easier to take concrete actions such as searching for the discovered items (domains, IPs, URLs, etc.) in log archives or SIEMs, creating blocking rules to cover the entire campaign, or creating watchlists to monitor for ongoing evolution or expansion of the attack infrastructure.

What's Next
The last two major US elections turned a sharp spotlight on the security (or lack of security) of the mechanisms that allow democracy to operate. Long after the votes have been counted, forensic analysis will seek to understand what, if any, impact was made by adversarial online activity, while intelligence analysis will similarly examine whether disinformation campaigns were effective in influencing electoral outcomes. The ability to comprehensively, accurately, and efficiently analyze threat actor infrastructure and campaigns is a core requirement of such work.

The good news is that there are excellent data sources, tools, and practices to enable security and intelligence professionals to shed light on, and ultimately protect against, adversaries who seek to hide in the Internet's shadows.

Related Content:

Tim Helming, DomainTools Director of Product Management, has over 15 years of experience in cybersecurity, from network to cloud to application attacks and defenses. At DomainTools, he applies this background to helping define and evangelize the company's growing portfolio of ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
MITRE Releases 2019 List of Top 25 Software Weaknesses
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He's too shy to invite me out face to face!"
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15138
PUBLISHED: 2019-09-20
The html-pdf package 2.2.0 for Node.js has an arbitrary file read vulnerability via an HTML file that uses XMLHttpRequest to access a file:/// URL.
CVE-2019-6145
PUBLISHED: 2019-09-20
Forcepoint VPN Client for Windows versions lower than 6.6.1 have an unquoted search path vulnerability. This enables local privilege escalation to SYSTEM user. By default, only local administrators can write executables to the vulnerable directories. Forcepoint thanks Peleg Hadar of SafeBreach Labs ...
CVE-2019-6649
PUBLISHED: 2019-09-20
F5 BIG-IP 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 and Enterprise Manager 3.1.1 may expose sensitive information and allow the system configuration to be modified when using non-default ConfigSync settings.
CVE-2019-6650
PUBLISHED: 2019-09-20
F5 BIG-IP ASM 15.0.0, 14.1.0-14.1.0.6, 14.0.0-14.0.0.5, 13.0.0-13.1.1.5, 12.1.0-12.1.4.1, 11.6.0-11.6.4, and 11.5.1-11.5.9 may expose sensitive information and allow the system configuration to be modified when using non-default settings.
CVE-2014-10396
PUBLISHED: 2019-09-20
The epic theme through 2014-09-07 for WordPress allows arbitrary file downloads via the file parameter to includes/download.php.