Organizations across the globe are waking up to the reality that advanced targeted attacks represent one of the biggest threats to their business ever seen. Confidential corporate data, business-critical IP and valuable customer information are all potentially at risk from this type of attack. Preventing exposure of these enterprise "crown jewels" has become a major priority for IT and business leaders. One of the best ways of doing so is to build reliable threat intelligence so that expert teams can spot advanced threats early on and deal with them appropriately.
A new type of threat
Corporate IT systems have advanced a long way from the monolithic Windows desktop environments of old. Today, thanks to virtualization and cloud computing, coupled with the relentless push towards BYOD, IT managers have to cope with systems a great deal more complex than before, with a much larger attack surface. While traditional threats persist, they have now been joined by a new breed of more advanced, harder-to-detect, customized attacks designed to steal those “crown jewels” which are so essential to organizations everywhere.
Typically, after thorough reconnaissance of the targeted organization, attackers open with a simple phishing email, tricking an employee into clicking a malicious link or opening a malware-laden attachment. Once inside the corporate network, the attacker moves laterally, searching for the assets they wish to steal. All of this is designed to happen quietly, under the radar, evading traditional security defenses. Such attacks can lie hidden for weeks, months or even years, exfiltrating data to the attackers all the while.
Threat Intelligence: a key weapon in the armory
Thankfully, such threats are not impossible to spot. Although designed to operate covertly, they leave traces on the endpoints they touch: registry changes, file changes, event log entries, new or modified services, and mutexes are all tell-tale signs of a breach. Monitoring inbound and outbound traffic, meanwhile, can yield indicators of compromise such as domains or IP addresses associated with command & control (C&C) servers, or the use of unusual ports and protocols on critical systems.
Even though zero-day exploits and customized malware can be used in such attacks, organizations can still detect attacker activity by monitoring network traffic closely, because C&C protocols tend to remain relatively consistent even when the malware payload itself changes. Threat intelligence programs are therefore a vital part of spotting and blocking such attacks, helping to collect, correlate and pass along this key data to the relevant security teams.
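The following is an added example, not code from the Trend Micro paper or from Deep Discovery, showing how the two network-side ideas above can be turned into detection logic: outbound connection records are matched against a small indicator list (C&C domains and IPs), critical hosts are checked against a per-host port baseline, and, independently of any indicator list, connection timing is examined for the regular beaconing that a consistent C&C protocol tends to produce. The log format, host names, indicator values and asset inventory are all constructed for illustration.

```python
"""Added example (not from the Trend Micro paper): match outbound
connection logs against a small IOC list, flag unexpected ports on
critical hosts, and detect regular beaconing.

All indicators, host names and log lines below are constructed for
illustration; none refer to real infrastructure."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed IOC feed: C&C domains and IPs (hypothetical values).
IOC_DOMAINS = {"update-check.example.net"}
IOC_IPS = {"203.0.113.45"}

# Constructed asset inventory: critical hosts and the outbound ports
# each is expected to use.
CRITICAL_HOSTS = {"db01": {443}, "fileserver02": {443, 445}}

# Constructed outbound proxy/firewall log: "timestamp src dst port domain".
SAMPLE_LOG = """\
2014-03-03T09:00:00 ws17 198.51.100.10 443 mail.example.com
2014-03-03T09:05:00 ws17 203.0.113.45 443 update-check.example.net
2014-03-03T09:10:01 ws17 203.0.113.45 443 update-check.example.net
2014-03-03T09:15:00 ws17 203.0.113.45 443 update-check.example.net
2014-03-03T09:20:00 ws17 203.0.113.45 443 update-check.example.net
2014-03-03T09:07:12 db01 192.0.2.77 6667 -
2014-03-03T09:08:00 fileserver02 198.51.100.22 445 -
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, src, dst, port, domain = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "src": src,
                       "dst": dst, "port": int(port),
                       "domain": None if domain == "-" else domain})
    return events


def ioc_hits(events):
    """Events whose destination IP or domain is on the indicator list."""
    return [e for e in events
            if e["dst"] in IOC_IPS or e["domain"] in IOC_DOMAINS]


def unusual_ports(events):
    """Critical hosts talking outbound on a port outside their baseline."""
    return [e for e in events
            if e["src"] in CRITICAL_HOSTS
            and e["port"] not in CRITICAL_HOSTS[e["src"]]]


def beacons(events, min_count=4, max_jitter=0.1):
    """(src, dst) pairs whose connection intervals are nearly constant.

    Needs no indicator list: it keys on the timing regularity of the
    C&C channel. Returns {pair: mean interval in seconds}."""
    by_pair = defaultdict(list)
    for e in events:
        by_pair[(e["src"], e["dst"])].append(e["ts"])
    result = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        m = mean(gaps)
        # Coefficient of variation below max_jitter means a steady cadence.
        if m > 0 and pstdev(gaps) / m <= max_jitter:
            result[pair] = m
    return result


def analyse(text=SAMPLE_LOG):
    """Run all three checks over a log and return the findings."""
    events = parse_log(text)
    return {"ioc": ioc_hits(events),
            "ports": unusual_ports(events),
            "beacons": beacons(events)}


if __name__ == "__main__":
    for kind, findings in analyse().items():
        print(kind, findings)
```

On the constructed log, the indicator match and the beacon check both point at the same workstation-to-C&C pair, while the port baseline catches the database server reaching out on a port it has no business using. In practice the jitter threshold and minimum count need tuning per environment, since legitimate software updaters and monitoring agents also beacon on a fixed schedule.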
Threat intelligence covers not just the tools used by cyber criminals but also their tactics, techniques and procedures (TTPs). All of these can provide useful insight for security researchers.
The Enterprise Fights Back
To help organizations as they look to build and make use of threat intelligence programs, Trend Micro has released a handy guide. The Enterprise Fights Back (IV): Building Threat Intelligence is the latest in a series of papers from Trend Micro offering a wealth of practical advice for organizations faced with the problem of combatting advanced targeted attacks.
Part four outlines the importance of threat intelligence, highlighting some of the key indicators of compromise and listing real-world examples of how some past attack indicators can be used to identify new attacks. We also discuss the importance of setting up a threat intelligence group and appointing analysts to interpret log data, as well as leveraging additional intelligence sources such as those generated by Trend Micro’s APT-hunter tool, Deep Discovery. This tool also allows organizations to access external, global threat intelligence like that from the Trend Micro Smart Protection Network™.
Advanced targeted attacks are here to stay, but there are ways and means to detect and stop them before they get to your most valuable data. With this latest report, Trend Micro is giving your organization the information it needs to begin building threat intelligence today.
Please add your thoughts in the comments below or follow me on Twitter; @jonlclay.