In its just released report examining the background and drivers of threat intelligence sharing, McAfee researchers said the security industry is facing "critical challenges" in exchanging intel with partners.
Released on Thursday, the "McAfee Labs Threats Report: April 2017," studies the architecture and inner workings of Mirai botnets, as well as other security attacks across industries. It also profiles the landscape of malware, ransomware and other security threats in Q4 2016.
For instance, the report found that the consequences of the October public release of the Mirai source code enabled a slew of copycat botnets and a spurt in offerings of “DDoS-as-a-service” scams based on Mirai, which detect and infect poorly secured IoT devices. This resulted, the report explained, in lowering the bar for entry to inexperienced users who, via the underground marketplace, could easily purchase or rent the ability to launch DDoS attacks exploiting weaknesses in IoT devices lacking efficient security.
To move threat intelligence sharing to the next level of efficiency and effectiveness, McAfee Labs suggests focusing on three areas:
Triage and prioritization. Simplify event triage and provide a better environment for security practitioners to investigate high-priority threats.
Connecting the dots. Establish relationships between indicators of compromise so that threat hunters can understand their connections to attack campaigns.
Better sharing models. Improve ways to share threat intelligence between our own products and with other vendors.
Meanwhile, on the Mac OS, the number of new Mac OS malware samples grew 245 percent in Q4 due to adware bundling. Total Mac OS malware grew 744 percent in 2016, the report found.
Where does this leave the security personnel charged with protecting enterprise networks? A good defense incorporates the sharing of threat intelligence, not only with private industry but among vendors, the researchers said.
Among the top findings in the 49-page study was that security personnel are faced with what McAfee termed a massive signal-to-noise problem in their efforts to recognize and mitigate the highest-priority incursions. One of the biggest challenges they face, the researchers said, was that miscreants are capable of distracting defenders by filing false threat reports that overwhelm threat intelligence systems. Also, if not handled properly, data from legitimate sources can be tainted.
When queried how sophisticated attackers evading defense systems, Vincent Weafer, vice president of McAfee Labs, told SC Media on Friday that breach event attacks are often described in terms of their technical sophistication, their use of zero day exploits or complex malware. "But the reality is that more frequently sophisticated attackers take time to do surveillance on their targets well ahead of that actual attack taking place and may not actually need to use complex malware."
Sometimes, he added, that surveillance can take place over several months using combinations of public data (Facebook, LinkedIn profiles) to build up a picture of the key personnel. Then, using embedded malware attackers can learn what defense tools are in place or what tools or services are being used that might lead to attacks via their supply chain. "Using that knowledge, they can decide on the most likely attack strategy and test their attacks on operating systems, applications and defense tools using that specific environment. So by the time they run the attack they have high confidence that it should execute," Weafer told SC.
Security personnel are also faced with the problem of overload. That is, so much data can be received, much of it redundant, that time and efforts are wasted. To combat that, the researchers advise that sensors "must capture richer data to help identify key structural elements of persistent attacks."
Time is of the essence as well, the McAfee study found. If it arrives too late, threat intel will only aid in the recovery process. Here too it's up to threat sensors, this time in relating information in near real-time so as to keep up with attacks.
It's also inherent that those assessing threat intel be able to correlate the data flowing in, recognizing relevant patterns and focusing on vital information soa s to notify their SOC teams.
As far as assessing threat intel better to correlate the data flowing in and recognizing relevant patterns, Weafer told SC that the top three challenges enterprises typically experience in identifying critical attacks are
- the time/effort/skillset required to investigate a given indicator of attack, understand it's full impact, and make a determination,
- their ability to discover under-the-radar attacks and
- the time/effort to coordinate incident response once an attack has been confirmed.
To defend enterprises, Weafer told SC, on a technical solution level, there are multiple EDR, trace, data analytics, visualization and scoping tools that can aid in detection, scoping, prioritization. "At McAfee we are embracing the model of integration solutions to deliver protect, detect and correct by automating and accelerating the threat defense lifecycle as well as use of the open ecosystems like OpenDXL, or initiatives, like Cyber Threat Alliance, to transform multiple technologies into a single cohesive system."
It's all about connecting the dots and untangling complexity, he explained.
Weafer recommended that before jumping into any decision on analytic tools and services, that security personnel shopping for solutions start with a basic security strategy that integrates multiple aspects of defense lifecycle. This should begin by understanding the attacker's motivations in targeting their enterprise and identifying the key risk factors for theft, loss of service and reputation damage. It's also necessary, he said, to identify early reconnaissance activities. He also advises using encryption, authentication and deception techniques, minimizing direct connections to critical assets and running attack simulations – red team-blue team exercises – to test implementations.
"The bottom line," Weafer said, "is the need to implement fast responses and zero malware policies, watch for low level event data across multiple sensors and constantly test and measure effectiveness of control points."