There are numerous different elements and obstacles that contribute to the challenges of data protection in the current threat environment. However, a leading issue is ensuring protection against the latest, emerging attack styles and breach strategies. After all, how can an organization ensure the security of its most critical information and assets if they don’t know what types of intrusions they should be specifically guarding against?
This is where threat intelligence comes into play, helping to identify and spread awareness of the latest information security threats and the best ways in which to protect against these attack approaches.
Gartner defines threat intelligence as “evidence-based knowledge … about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” One of the best ways to build this knowledge and devise effective responses to emerging threats is to study those threats in their native environment. Most notably, that means the Dark Web, where hackers create, buy, sell and trade malware.
Gathering malware samples to support knowledge of threats
The basis for threat intelligence begins with the collection of unique malware samples and identifiers, including all those related to a single malware family. These samples are then used to establish robust intelligence databases, which can be leveraged to pinpoint the activities and processes associated with specific attacks, as well as to inform the best protection strategies.
As TechTarget contributor Frank Siemons pointed out, around 360,000 new malware samples are discovered each and every day. In other words, hackers are continually updating and improving their attack approaches and intrusion styles, building upon successful past breaches and learning from unsuccessful attempts.
This makes threat intelligence more important than ever before – a robust database can pinpoint known samples and help draw parallels between identified attack styles and emerging threats. What’s more, the pace at which new threats are created means that participation in threat intelligence is an important pursuit across the board. The more businesses and individual users know about current threats, the better prepared they can be to guard against them.
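The matching a sample database performs, as an added illustration that is not code from the original post or from any vendor named in it: an exact hash lookup identifies known samples, and overlap of observed indicators (MITRE ATT&CK technique IDs and a mutex name in this constructed data) draws parallels between a new sample and known families. All hashes, family names and indicator sets are constructed placeholders, not real malware.

```python
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Sample:
    sha256: str
    family: str
    indicators: frozenset  # behaviours/IOCs observed for the sample


def placeholder_hash(label: str) -> str:
    """Constructed stand-in for a real sample hash (hash of a label string)."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed intelligence database; technique IDs are ATT&CK-style labels.
KNOWN_SAMPLES = [
    Sample(placeholder_hash("locker-a"), "LockerFamily", frozenset({"T1486", "T1490", "mutex:lockerA"})),
    Sample(placeholder_hash("locker-b"), "LockerFamily", frozenset({"T1486", "T1490", "T1027"})),
    Sample(placeholder_hash("stealer-a"), "StealerFamily", frozenset({"T1555", "T1041", "T1027"})),
]


def jaccard(a: frozenset, b: frozenset) -> float:
    """Similarity of two indicator sets: |A and B| / |A or B|."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def classify(sha256: str, indicators, db=KNOWN_SAMPLES, threshold: float = 0.5):
    """Return (family, method, score) for an observed sample.

    Exact hash match wins outright; otherwise the most similar known sample
    by indicator overlap attributes the family if it clears the threshold.
    """
    sha256 = sha256.strip().lower()
    for known in db:
        if known.sha256 == sha256:
            return known.family, "hash", 1.0
    observed = frozenset(indicators)
    best_family, best_score = None, 0.0
    for known in db:
        score = jaccard(observed, known.indicators)
        if score > best_score:
            best_family, best_score = known.family, score
    if best_score >= threshold:
        return best_family, "behaviour", best_score
    return None, "unknown", best_score
```

A real database would hold many more indicator types (C2 domains, code section hashes, YARA hits) and tune the threshold per family; the structure of the lookup stays the same.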
The Dark Web: An opportunity for threat intelligence
As needs increase for more in-depth and up-to-date threat intelligence, the Dark Web provides an ideal study environment for researchers building threat databases. SC Magazine contributor and Security Stronghold CEO Charles Stockwell explained that because this is where cybercriminals come to buy, sell and trade goods and services – including malware, and much more – there is much that security researchers can learn.
“By exploring the Dark Web, security teams have the potential to collect actionable intelligence,” Stockwell wrote. “This includes malware capabilities, new tactics, compromised technology, and the direction of future attacks.”
Stockwell and his Security Stronghold research team set out to do just that and delved into the Dark Web over the course of four months to get a better sense of ransomware capabilities. The organization surely isn’t the only firm to undertake such a pursuit – Trend Micro researchers regularly examine current threat processes within the Dark Web and beyond. Some of our most interesting Dark Web findings can be found in this report.
Stockwell and his researchers set out to investigate ransomware marketplaces within the Dark Web, communicate with ransomware developers and sellers in marketplace forums, and gather insights and intelligence from those communications.
As the Security Stronghold researchers discovered, however, not all of their efforts were fruitful, and Stockwell advises that organizations with the resources and support to conduct these types of initiatives should focus on the “big wins.”
“In the beginning, much of what The Security Stronghold team spent their time on did not result in actionable intelligence,” Stockwell admitted. “Soon, however, we realized that we should focus on the big wins. These ‘wins’ are discoveries that will result in actionable intelligence for your organization. This intelligence will be different for every organization.”
Trend Micro delves into the French Underground
As Trend Micro researchers have shown, threat intelligence is a global pursuit, and underground marketplaces are surprisingly well connected.
“Over the years, Trend Micro researchers have forayed deep into various cybercriminal underground markets around the world,” Trend Micro noted in our blog. “These ‘visits’ revealed how the more mature markets – those of Russia and China – played ‘big brother’ to younger ones – those of Germany, Japan, Brazil and North America.”
Through a look at the French underground, researchers noticed several similarities and differences between this market and the underground markets of North America. While American markets are more accessible – including to experienced hackers as well as novices and even law enforcement officers – the French environment is more closed-off and well-hidden.
“[I]ts players also operate with extreme caution,” the blog noted.
Tips and best practices for successful threat intelligence
While everyday businesses certainly shouldn’t be poking around in the Dark Web – leave that up to security experts with the right knowledge and resources, like Trend Micro – there are ways in which enterprises can support threat intelligence and improved data protection.
First and foremost, it’s important to establish a threat intelligence strategy within the business. This includes the ability to identify incoming threats as well as potential weaknesses that could open the door to security hackers. Such pursuits also align with NIST Cybersecurity Framework functions, including, specifically, the Identify, Protect and Detect functions.
As CSO contributor and Cybersecurity Snippets CSO Jon Oltsik noted, a 2015 report showed that many threat intelligence programs within businesses were “relatively immature,” with 40 percent being in place only about two years. Even today, not much has changed, and Oltsik recommended that organizations work to be more mature in their threat intelligence efforts, and “move beyond cybersecurity/operational use of threat intelligence alone.”
In order to achieve this, experts suggest implementing an “outside-in” model that includes initiatives to track cybercriminals and their activities and to understand and address current business risks. In addition, mature organizations also take part in internal threat hunting, where admins actively explore their own infrastructure for elements like kill chain indicators, compromised platforms and weak third-party security processes.
Threat intelligence is a critical pursuit for every organization. To find out more about how up-to-date data security and threat research can support your business, connect with the experts at Trend Micro today.