
Actionable Intelligence Improves Targeted Attack Investigations

  • Posted on:February 19, 2014
  • Posted in:Security
  • Posted by:
    Jon Clay (Global Threat Communications)

As I get ready to attend this year’s IBM Pulse conference (February 23-26 in Las Vegas), where I’ll be delivering a keynote session on how organizations can better use actionable intelligence in their efforts to deal with targeted attacks, I ask myself why traditional security is not as effective as it should be in dealing with this attack vector. True targeted attacks are ones where the attacker has investigated the target group or organization to determine whether or not it has something of value to the attacker. Reconnaissance is done today using Open Source Intelligence (OSINT) tools that help the attacker identify whom to attack, how to attack, and what is of value. It is very likely that the attacker will develop custom threats to use in infiltrating the victim’s system or network. In most cases, if the attacker is planning to use malware, the malicious code will be tested using criminal underground services to check whether security vendors’ file-based scanners detect it. As such, they will only use malware that is undetected and therefore more likely to bypass the victim’s traditional security defenses. Once inside the victim’s system or network, the attacker will likely move laterally to other systems in an effort to identify those that have access to the data they want to steal. This stage of the attack may not use traditional malware, as some assume; more likely, the attacker will use the hacking tools available to him or her as well as stolen credentials. Once the attacker has identified the data they wish to steal, they will package it up and exfiltrate it in order to monetize the theft. Exfiltration can take many forms, from email, FTP, HTTP, or any number of other protocols, to upload the typically encrypted data to their drop zones.

The challenge today that most traditional security solutions face is that they cannot provide enough information, and more importantly enough context, about a security event identified within the compromised target. Each stage of an attack usually takes place in a different area of the network, on a different system or device, and at a different time. For example, the infiltration is typically a spear phishing email using either a weaponized attachment or an embedded malicious link, delivered to an employee PC. From there, the attacker moves laterally to a server hosting the data they want to steal. The command and control infrastructure the attacker relies on may be hosted on any number of machines within the victim network. The stolen data can be staged and then exfiltrated from systems that have access to external communications. While any of these actions may be detected by traditional security solutions, unless the victim’s IT or security personnel can recognize that the security incident is part of a broader attack, it is likely to be overlooked.

In my keynote, I will be discussing how Trend Micro’s Custom Defense solution can offer more information with the right kind of context to deliver the actionable intelligence needed to identify a possible breach, by giving security teams information such as the types of attacks, the concentration of attacks, the timeline of attacks, and the origin of attacks. The solution also combines the organization’s local threat intelligence with our global threat intelligence derived from the Trend Micro™ Smart Protection Network™, correlating each attack component with any other associated threat vectors. When a security admin can see an internal IP communicating with a region of the world where their organization has no history of communication, they have the opportunity to investigate further. Or when an email attachment is sandboxed and found to communicate with a known C&C server that has been used in other attacks on their industry, they can raise an alert that they may be under attack. Automating the flow of threat intelligence from Trend Micro into a SIEM solution like IBM’s QRadar also allows the organization to correlate information from the other security vendors’ solutions it uses, giving even further context on what may be occurring inside the network.
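The correlation described above (an internal host talking to a region the organization has never communicated with, a sandboxed attachment that calls a known C&C address, and a SIEM stitching those events into one picture) can be illustrated with a small example. The following is an added example written for this post, not Trend Micro product code or QRadar logic. Everything in it is constructed: the threat-intel set `KNOWN_C2`, the historical baseline `HISTORY`, and the event records in `EVENTS` are hypothetical sample data, and the event layout is a made-up simplification of what proxy, sandbox and authentication logs would feed into a SIEM.

```python
from collections import defaultdict

# Constructed sample data (not from the post): a hypothetical threat-intel
# feed of known command-and-control addresses.
KNOWN_C2 = {"198.51.100.7"}

# Constructed historical outbound connections; these define the regions the
# organization normally communicates with (source host, destination, country).
HISTORY = [
    ("10.0.1.5", "203.0.113.10", "US"),
    ("10.0.1.6", "203.0.113.11", "DE"),
    ("10.0.2.9", "203.0.113.12", "US"),
]

# Constructed events from several sources for one day: an e-mail sandbox
# verdict, proxy logs, and an authentication log recording a host-to-host logon.
EVENTS = [
    {"ts": "2014-02-18T09:01:00", "src": "email", "type": "sandbox",
     "host": "10.0.1.5", "sample": "invoice.doc", "contacted": "198.51.100.7"},
    {"ts": "2014-02-18T09:05:00", "src": "proxy", "type": "outbound",
     "host": "10.0.1.5", "dst": "198.51.100.7", "country": "XX"},
    {"ts": "2014-02-18T11:30:00", "src": "auth", "type": "logon",
     "host": "10.0.5.20", "user": "jdoe", "from": "10.0.1.5"},
    {"ts": "2014-02-18T23:40:00", "src": "proxy", "type": "outbound",
     "host": "10.0.5.20", "dst": "192.0.2.44", "country": "XX",
     "bytes": 52_000_000},
    {"ts": "2014-02-18T10:00:00", "src": "proxy", "type": "outbound",
     "host": "10.0.2.9", "dst": "203.0.113.10", "country": "US"},
]


def baseline_countries(history):
    """Countries this organization has historically communicated with."""
    return {country for _, _, country in history}


def enrich(event, baseline, known_c2):
    """Attach context tags to one event; an empty list means nothing notable."""
    tags = []
    if event["type"] == "outbound":
        if event["country"] not in baseline:
            tags.append("new-region")       # no history of talking to this region
        if event["dst"] in known_c2:
            tags.append("known-c2")         # destination is in the intel feed
        if event.get("bytes", 0) >= 10_000_000:
            tags.append("large-upload")     # volume consistent with exfiltration
    elif event["type"] == "sandbox" and event["contacted"] in known_c2:
        tags.append("sandbox-c2-match")     # attachment called home to known C&C
    return tags


def correlate(events, history, known_c2):
    """Group enriched events into incidents, linking hosts through logons.

    Hosts joined by a logon event (source -> destination) are treated as one
    chain, so the phishing victim, the lateral move and the later upload from
    the second host land in a single incident with an ordered timeline.
    """
    baseline = baseline_countries(history)
    parent = {}                             # union-find over host addresses

    def find(h):
        parent.setdefault(h, h)
        while parent[h] != h:
            parent[h] = parent[parent[h]]
            h = parent[h]
        return h

    def union(a, b):
        parent[find(a)] = find(b)

    enriched = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        enriched.append((ev, enrich(ev, baseline, known_c2)))
        find(ev["host"])
        if ev["type"] == "logon":
            union(ev["from"], ev["host"])

    groups = defaultdict(list)
    for ev, tags in enriched:
        groups[find(ev["host"])].append((ev, tags))

    incidents = []
    for members in groups.values():
        all_tags = {t for _, tags in members for t in tags}
        if not all_tags:
            continue                        # untagged, isolated activity: no escalation
        incidents.append({
            "hosts": sorted({ev["host"] for ev, _ in members}),
            "tags": all_tags,
            "timeline": [(ev["ts"], ev["src"], ev["host"], tags)
                         for ev, tags in members],
        })
    return incidents


if __name__ == "__main__":
    for inc in correlate(EVENTS, HISTORY, KNOWN_C2):
        print("Incident across hosts:", ", ".join(inc["hosts"]))
        print("Context tags:", ", ".join(sorted(inc["tags"])))
        for ts, src, host, tags in inc["timeline"]:
            print(f"  {ts} [{src}] {host} {tags}")
```

Seen in isolation, the sandbox verdict, the odd outbound connection, the logon and the late-night upload each belong to a different log and a different team; linked through the shared host chain and tagged against the baseline and the intel feed, they read as one attack with a timeline, which is the context the post argues traditional point products cannot supply on their own. The ordinary US-bound connection from the third host carries no tags and is left out of the incident.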

When a single security event has context associated with it, and can be correlated with other events that may be occurring in other areas of the infrastructure, the organization can take appropriate action and develop a plan to investigate, identify, mitigate, and clean up attacks that will likely occur in the future. As threat defense experts, Trend Micro has been analyzing the threat landscape for 25 years and adapting to the changing tactics used by criminals over the years.
