Threat Analysis: How the Rapid Evolution of Reporting Can Change Security
With the advancements in data reporting gleaned from security information and event management (SIEM) tools and adjacent solutions, every security team today can face information overload and paralysis. To gain clarity within this murk, the practice of threat analysis has emerged and continues to evolve with time. With it, security professionals can find and fix the most pressing issues among the incidents reported daily.
Noisy vulnerability management tools can generate too many tasks. Poorly tuned threat intelligence systems may not filter signal from noise and provide too much data that can keep teams occupied with repeated, low-value tasks. The dozens of point security solutions require specific knowledge and mastery, which takes time to achieve and maintain. Add the ongoing shift from a perimeter defense mindset toward compliance and risk-based approaches. It becomes clear why teams find it harder than ever to focus efforts on threats that can generate the worst impact.
Businesses and governments have analyzed threats to find and sort potential risks. The basic questions of threat analysis remain the same:
The more attacks and data there are, the harder it becomes to answer these questions quickly. While SIEM cybersecurity can be a benefit, it can also make this problem worse.
With the rise of IT networks and the internet, threats to businesses and other entities have moved into cyberspace. In the past five years, sources of cyber threats have rapidly evolved.
Beyond the run-of-the-mill cyber criminal attacks that became commonplace in the past decade, state-sponsored actors have also been executing high-profile cyberattacks. More recently, these actors have multiplied with the rise of advanced persistent threat (APT) groups that function as government attack and industrial espionage arms, often augmenting their skills.
These APTs are growing more refined and are showing behaviors similar to digital criminals, making attacks harder to classify and attribute.
On top of the varied threats coming from nation-states and organized crime groups, an endless flow of opportunistic, automated or scripted attacks has been flooding the internet.
Driving the rise in these cases is a mature, thriving underground market for customized exploits and ransomware, attack toolkits, stolen payment data, stolen credentials and phishing campaign services. Attackers can rent botnets of compromised computers or Internet of things (IoT) devices, like printers and cameras, to carry out attacks.
Cyberattacks and all their components are a commodity nowadays, often operated in “as-a-service” models that provide technical skill and wares for those willing to pay. The bar for running attacks, even on the more hardened targets, is low.
As the global attack surface grows, numbers and types of exploits have grown, as well. There were roughly 20 times as many common vulnerabilities and exposures (CVE) alerts in 2019 as compared to 1999. In response, today’s entities deploy dozens of controls that require constant fine-tuning to cover the full range of potential threats. It’s no surprise security teams can no longer patch all possible openings or tune all controls manually.
To make matters worse, old threats reemerge with new twists. Witness the well-known Emotet malware. First spotted in 2014, Emotet adapted as its malicious coders tweaked it to evade detection and control. It became the most active malware threat in 2018 and 2019 and then went dormant. The most recent resurgence in July 2020, came when Emotet botnets started sending emails populated with malicious URLs or attachments.
Emotet attacks are usually accompanied by additional attacks, such as Ryuk ransomware, that take advantage of Emotet to spread their malicious payloads. Nowadays, Emotet is used by multiple organized cybercrime groups, often working with one another.
This is the new norm. It highlights the reasons for the constant rise in security incidents that teams have to triage and deal with, and their growing need for better, faster insight into what matters most.
Providing reliable and effective cyber threat analysis of a constantly evolving landscape requires skill, automation, the right tools and prioritization of threats. As more analysis techniques and tactics emerge over time, data is being produced far more quickly. Scaling coverage without adding resources, all while maintaining context and staying accurate, is key.
Against this background, companies have shifted from viewing cybersecurity as an insurance policy to viewing it as a critical part of business. SecOps teams don’t have time to analyze all the reports and grasp all of the changes required to block attacks. They must rely more on automated filtering and prioritization tools such as breach-and-attack simulation (BAS) to understand which threats are of real concern and which are covered by existing controls.
A threat intelligence team using a BAS platform can quickly gain more useful data to improve threat analysis reporting. Threat analysts may believe a specific actor or APT is likely to target their industry (and their company). With a BAS threat analysis model, they can gain more insights into the techniques, tactics and procedures (TTPs) involved. Narrowing down the potential attack scenarios can enable analysts to load playbook attack methods in order to validate the protection provided by the current security setup. Also, the analysts can see how an attack might play out, seeing potential entry points and chances for horizontal movement. They can spot a shift from lesser targets to higher-value targets once an attacker gains access to high-level systems.
The tests also can show groups of behaviors that indicate a higher likelihood of an attack, even when the volume of clear indicators of compromise (IOC) are limited.
Telling signals, such as a spear-phishing attempt, an obfuscated malicious macro in an attachment or other breadcrumbs, can be combined to provide a more complete threat analysis framework. These specific behaviors as separate alerts just cause alert fatigue. When linked through smart threat analysis reporting, they paint a fuller picture of an evolving attack.
This action-based approach shifts threat analysis in a more proactive direction, allowing it to forecast where attackers are going. This can decrease response times from days or weeks to hours or even minutes. Seeing these patterns is possible with machine learning systems that can identify novel patterns of malicious activity on their own based on past cases from log files and other artifacts. These systems can mix pattern-matching across more variables and learn across networks, well beyond one entity.
Attacks are certainly evolving, but security professionals are making strides to stop those attacks every day, too. We’re hopeful about the future of threat analysis. It has evolved so quickly during the last decade and is constantly improving.
Teams can now run continuous attack simulations based on tens of thousands of known vulnerabilities and attack playbooks. Industry frameworks and tools, such as MITRE’s ATT&CK knowledge base, enable the rapid dissemination of information and updates on the latest TTPs.
Machine learning systems can automate much of the Tier-1 pattern matching activities to allow threat analysts to focus on higher-value analysis. Threat analysis has moved beyond simple signatures to understanding compound and complex behaviors that indicate likelihoods of attack. This means that threat analysis can, if properly planned and run, offer better guidance to vulnerability management and incident response teams and reduce the workload of burdened SecOps teams by helping them focus on the exploits, APTs and attacks that pose the greatest risks to their business.