The necessity for better management of the enterprise includes the need for more advanced intel threat tools.
The need for a Proactive Defensive Cyber Intel Threat tool.
There is a need for better cyber security and endpoint security, as evidenced by the various cyber attacks against notable companies that have been in the news this year. Commerce on the internet, once a friendly domain, has become a target for malicious and criminal individuals. Unfortunately, the very breakthrough that aided the development of the internet has become a point of entry for attacks. DNS was first standardized in 1984 as a means of giving a human-readable label to an underlying IP address; it is the Internet's system for converting alphabetic names into numeric IP addresses. For example, when a web address (URL) is typed into a browser, DNS servers return the IP address of the web server associated with that name.
This breakthrough let the user community create uniquely named websites, which in turn enabled e-commerce. That once friendly, cooperative environment has now given way to a need for better proactive cyber security technology. Unfortunately, the Internet security industry's ability to take down criminal infrastructure at domain registries, hosting providers or ISPs is not timely enough to be effective.
Organizations have relied on multiple layers of security, using various agents, some of them local such as antivirus software, to protect valuable computer assets. Meanwhile, criminals have improved their modes of attack, and the threats have evolved to defeat the security strategies organizations employ, as shown by the attacks now being seen against the antivirus software itself.
Antivirus software runs under a privileged account, so once attackers have successfully altered the antivirus code they can manipulate that endpoint and run as a privileged user. In response to these types of attacks, organizations have developed various security tools to combat threats. These methodologies have produced newer security measures, but the criminals and thieves find more creative ways around them. Defense-minded companies have developed analytic platforms to share cyber threat intelligence.
Sharing the threat intelligence that has been collected has led to better recognition of threats. However, the attack patterns these platforms catalog and keep in a database are only useful if monitoring and detection recognize them in time to thwart the attack. There is a push for organizations to report the results of their analyses in a consistent, well-structured manner, so that companies and IT professionals can automate the processes used to detect, prevent, and report security incidents.
Some in the industry argue that documenting IOCs and threats helps organizations and individuals by sharing information across the IT community, as well as by improving incident response and computer forensics. The OpenIOC framework is one way to consistently describe the results of malware analysis. Other efforts, such as STIX and TAXII, aim to standardize IOC documentation and reporting. Indicators of compromise (IOCs) are an important component in the battle against malware and cyberattacks.
While they are reactive in nature, organizations that monitor for IOCs diligently and keep up with the latest IOC discoveries and reporting can improve detection rates and response times significantly. This approach works after the fact, once a breach or threat has been detected or is already ongoing. Indicators of compromise (IOCs) are “pieces of forensic data, such as data found in system log entries or files, that identify potentially malicious activity on a system or network.”
Indicators of compromise aid information security and IT professionals in detecting data breaches, malware infections, and other threat activity. By monitoring for them, organizations can detect attacks and act quickly, preventing breaches or limiting damage by stopping attacks at an earlier stage. Indicators of compromise act as breadcrumbs that lead infosec and IT professionals to malicious activity early in the attack sequence.
These unusual activities are the red flags that indicate a potential or in-progress attack that could lead to a data breach or systems compromise. In practice, IOCs are not always easy to detect; they can be as simple as metadata elements or as involved as complex malicious code and content samples. Analysts often identify several IOCs, look for correlation among them, and piece them together to analyze a potential threat or incident.
Indicators of attack are similar to IOCs, but rather than focusing on forensic analysis of a compromise that has already taken place, indicators of attack focus on identifying attacker activity while an attack is in process. Indicators of compromise help answer the question “What happened?” while indicators of attack can help answer questions like “What is happening and why?”
A proactive approach to detection uses both IOAs and IOCs to discover security incidents or threats in as close to real time as possible. While almost all threat intelligence platforms on the market hold promise, they fall short in that they are reactive. A modern, successful threat intelligence platform should be proactive, with active intelligence that not only monitors and detects viruses and malicious activity but disrupts those threats. Companies should consider a system that is more than just a monitor of events.
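The distinction drawn above between IOCs (static forensic artifacts such as hashes, domains and IP addresses matched against a feed) and IOAs (behaviour observed while an attack is in progress), and the point that analysts correlate several indicators per host, can be shown in code. The following is an added example and not part of the original article or any product it describes. The indicator values, hosts and log lines are all constructed (the IP sits in the 203.0.113.0/24 documentation range and the domain uses the reserved .invalid TLD), and the log format is a hypothetical "timestamp source key=value" shape.

```python
"""Added example: static IOC matching plus one behavioural IOA over constructed logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator feed. None of these values refer to anything real.
FAKE_HASH = "9f2c7e1d4b8a6c3e0f5d2a7b9c4e1f8a3d6b0c5e2f7a9d4b1c8e3f6a0d5b2c7e"
IOCS = {
    "sha256": {FAKE_HASH},
    "domain": {"updates.example-bad.invalid"},
    "ipv4": {"203.0.113.45"},
}
# Which log field carries which indicator type.
FIELD_TO_IOC_TYPE = {"query": "domain", "dst": "ipv4", "sha256": "sha256"}

# Constructed log lines: DNS, proxy, EDR and authentication events.
SAMPLE_LOGS = f"""\
2024-05-01T10:00:01Z dns client=10.0.0.12 query=updates.example-bad.invalid type=A
2024-05-01T10:00:02Z proxy client=10.0.0.12 dst=203.0.113.45 bytes=5120
2024-05-01T10:00:05Z edr client=10.0.0.12 event=file_create sha256={FAKE_HASH} path=C:\\Temp\\svc.exe
2024-05-01T10:00:30Z dns client=10.0.0.20 query=www.example.com type=A
2024-05-01T10:01:00Z auth client=10.0.0.99 user=admin result=fail
2024-05-01T10:01:05Z auth client=10.0.0.99 user=admin result=fail
2024-05-01T10:01:09Z auth client=10.0.0.99 user=admin result=fail
2024-05-01T10:01:20Z auth client=10.0.0.99 user=admin result=success
2024-05-01T10:02:00Z dns client=10.0.0.20 query=updates.example-bad.invalid type=A
2024-05-01T10:05:00Z auth client=10.0.0.50 user=bob result=fail
2024-05-01T10:09:00Z auth client=10.0.0.50 user=bob result=success
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split 'timestamp source k=v k=v ...' into a dict; None for malformed lines."""
    parts = line.split(maxsplit=2)
    if len(parts) < 3:
        return None
    ts, source, rest = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    record = {"ts": when, "source": source}
    record.update(KV_RE.findall(rest))
    return record


def match_iocs(records):
    """IOC matching: flag every record whose indicator-bearing field is in the feed."""
    hits = []
    for r in records:
        for field, ioc_type in FIELD_TO_IOC_TYPE.items():
            value = r.get(field)
            if value and value.lower() in IOCS[ioc_type]:
                hits.append({"ts": r["ts"], "client": r.get("client"),
                             "type": ioc_type, "value": value})
    return hits


def detect_bruteforce_then_success(records, min_failures=3, window=timedelta(seconds=60)):
    """Behavioural IOA: at least min_failures failed logins for one client/user pair,
    then a success within `window`. Needs no prior knowledge of attacker infrastructure,
    so it catches the activity while it is happening rather than after a feed update."""
    failures = defaultdict(list)  # (client, user) -> timestamps of recent failures
    hits = []
    auth = sorted((r for r in records if r["source"] == "auth"), key=lambda r: r["ts"])
    for r in auth:
        key = (r.get("client"), r.get("user"))
        recent = [t for t in failures[key] if r["ts"] - t <= window]  # drop stale failures
        if r.get("result") == "fail":
            recent.append(r["ts"])
        elif r.get("result") == "success" and len(recent) >= min_failures:
            hits.append({"ts": r["ts"], "client": key[0], "user": key[1],
                         "failures": len(recent)})
        failures[key] = recent
    return hits


def triage(log_text):
    """Run both detections and correlate per client: two or more distinct IOC types
    on one host, or any IOA, is rated high; a lone IOC hit is rated low."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    ioc_hits = match_iocs(records)
    ioa_hits = detect_bruteforce_then_success(records)
    per_client = defaultdict(set)
    for h in ioc_hits:
        per_client[h["client"]].add(h["type"])
    for h in ioa_hits:
        per_client[h["client"]].add("ioa:bruteforce")
    severity = {
        c: "high" if len(t) >= 2 or any(x.startswith("ioa:") for x in t) else "low"
        for c, t in per_client.items()
    }
    return {"ioc_hits": ioc_hits, "ioa_hits": ioa_hits, "severity": severity}


if __name__ == "__main__":
    for client, level in triage(SAMPLE_LOGS)["severity"].items():
        print(f"{client}: {level}")
```

In the constructed data, client 10.0.0.12 trips three indicator types (domain, IP, hash) and is rated high purely from the feed, which is the reactive, after-the-fact path the article describes; client 10.0.0.99 never touches a known indicator but is rated high from the failed-then-successful login pattern alone, which is the IOA path. Client 10.0.0.20 has a single DNS hit and stays low, and 10.0.0.50's failure and success are too far apart to fire the IOA.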