For a few months now I have been looking closely at open source intelligence providers as a sort of plug-in to my university's emerging threat assessment center. Along the way I received an email from a salesperson at a company called Silobreaker. I had never heard of it, so I fired back an email to see what it was all about. The salesperson promptly arranged an ongoing – daily – email stream that gave me an idea of a few of Silobreaker's capabilities, so I asked to see the whole thing. It knocked my socks off. Let's start with a bit of background.
AT A GLANCE

Product: Silobreaker Premium
Price: Starts at $25,000 per year subscription.
What it does: Open source cyber intelligence collection and analysis tool.
What we liked: If you are into cyber intelligence, this is among the coolest tools you'll find today. If you have an organization that can benefit from OSINT – and most can – this is a must-have.
What we didn't like: Nothing. This requires some getting used to if you really want to exploit its various paradigms, but once you have that done it's a pretty smooth ride.
Today, intelligence experts talk about "target-centric" intelligence. Unlike the old school, target-centric intelligence does not get bogged down in an obsolete intelligence cycle, and the result is more actionable intelligence, faster. In cyber intelligence, we tend to be concerned about the bits and bytes. What attacks are landing on my – and others' – doorstep? Where do they come from (attribution beyond the last inbound hop can be very challenging)?
The bits and bytes by themselves really don't tell us much. We need the data streams, but we also need context. Those bits and bytes are guided – directly or indirectly – by humans. You cannot get the right answer until you ask the right question, but we don't always know what the right question is, so we are hamstrung for the answer. That's where Silobreaker comes in. It helps define the question, then helps find the answer. It provides context for the data streams.
With intelligence, especially cyber intelligence, the name of the game is situational awareness. That comes from reading lots of news items, blogs, social media, etc. In fact, Silobreaker does that well – to the tune of around 50,000 sources, more than 300 specific major malware strains, thousands of vulnerabilities (from the CVE list), and 200-plus tracked hacker groups. It then applies proprietary algorithms to figure out what it has and to make that content available for a variety of queries, some automated and some manual. Specific target groups – such as various industry sectors – can be followed in conjunction with this raw data, which allows the setting of watch lists.
When you connect this open source intelligence with the bits and bytes you begin to get a solid picture of what is happening, to whom, and when. Applying that to your environment adds a dimension of actionable intelligence that is not commonly used. For example, using this approach, my center at Norwich University produces a weekly threat assessment report. An agency of a state government was able to identify three specific attacks because it had forward-looking intelligence. While the agency knew of the attacks, what it didn't know was where they fit in the trends of attacks, attacking groups and malware. This allowed the agency to escalate those events from isolated anomalies to trending problems that it may see again.
Silobreaker is a rather interesting company in that, when it was formed in the UK in 2005, its core business was not cyber intelligence. Over the years, demand has pushed it in that direction and the company has developed a significant, two-pronged offering in that area. Silobreaker can be employed as a SaaS service (Silobreaker Premium) or as a server in one's own enterprise – behind a firewall – as Silobreaker Enterprise Software. In either deployment, the key to the company's success is its suite of proprietary algorithms and its deep Internet search capability. We have tested the SaaS version with excellent results and have been able to correlate Silobreaker open source intelligence (OSINT) with bits and bytes from such sources as IP Viking and the SANS Internet Storm Center. That, added to monitored data at our Advanced Computing Center, has provided an excellent picture of cyber activity and cyber activity trends.
There are multiple ways to collect and analyze Silobreaker data. For example, you can easily create your own dashboard and include only those things that are important to you. You might watch trends within your own industry, trending malware, trending attacks, etc., and relate those back to your particular business environment. So we can watch, for example, trending attacks, hacker operations and malware that relate particularly to the banking industry.
Trending is the key analysis tool. Things happen. They usually don't happen in isolation, but sometimes they do. What is important, though, are the trends that we can use predictively to help erect proactive defenses. Silobreaker generates trend information using heat and time series. These show, graphically, the trends over whatever time period you want. Heat is computed over a one-day or one-week window, on a time series whose range you set. The system uses a 360-degree analysis approach that looks at the interactions between trending items, rather than looking at them in isolation.
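To make the "heat" idea and the escalation step from the state-agency example concrete, here is an added, self-contained illustration written for this review; it is not Silobreaker's code, and it does not reproduce the company's proprietary algorithms. It scores a constructed per-topic time series of daily OSINT mention counts by how far the most recent window sits above the earlier baseline, then marks local alerts whose topic is currently "hot" so an analyst can treat them as part of a trend rather than as isolated anomalies. The topic names, counts, alert records and the threshold are all constructed assumptions.

```python
"""Toy trend ("heat") scoring over constructed OSINT mention counts, plus
escalation of local alerts that fall inside a trending topic.

Added example for this review. Not Silobreaker's code or API; the scoring
rule and all data below are constructed for illustration.
"""
from statistics import mean, pstdev

# Constructed: daily mention counts per topic over 14 days, oldest first.
MENTIONS = {
    "malware-A": [3, 2, 4, 3, 2, 3, 4, 3, 2, 3, 9, 14, 21, 30],          # sharp rise
    "malware-B": [10, 12, 11, 9, 10, 11, 10, 12, 11, 10, 11, 10, 12, 11],  # flat
    "group-C":   [0, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 1, 0],              # quiet
}

# Constructed: events from our own sensors, tagged with the topic an analyst
# or a watch list associated them with.
LOCAL_ALERTS = [
    {"id": "evt-1", "topic": "malware-A", "host": "ws-17"},
    {"id": "evt-2", "topic": "malware-B", "host": "db-02"},
    {"id": "evt-3", "topic": "group-C", "host": "web-01"},
    {"id": "evt-4", "topic": "malware-A", "host": "ws-22"},
]


def heat(series, window=3):
    """Heat = number of baseline standard deviations the mean of the most
    recent `window` days sits above the mean of all earlier days.

    A flat series scores near zero; a topic that suddenly spikes scores high.
    """
    if len(series) <= window:
        raise ValueError("need more history than the window")
    baseline, recent = series[:-window], series[-window:]
    mu, sigma = mean(baseline), pstdev(baseline)
    # Floor the deviation so quiet or perfectly flat baselines do not
    # turn a single extra mention into a huge score.
    sigma = max(sigma, 1.0)
    return (mean(recent) - mu) / sigma


def heat_table(mentions, window=3):
    """Score every topic; higher means hotter right now."""
    return {topic: round(heat(s, window), 2) for topic, s in mentions.items()}


def escalate(alerts, heats, threshold=3.0):
    """Return only the alerts whose topic is trending, annotated with its heat,
    so they can be escalated from isolated anomalies to a trending problem."""
    out = []
    for alert in alerts:
        h = heats.get(alert["topic"], 0.0)
        if h >= threshold:
            out.append({**alert, "heat": h, "status": "trending"})
    return out


if __name__ == "__main__":
    heats = heat_table(MENTIONS)
    for topic, h in sorted(heats.items(), key=lambda kv: -kv[1]):
        print(f"{topic:<10} heat={h:>6.2f}")
    for alert in escalate(LOCAL_ALERTS, heats):
        print("escalate:", alert)
```

Only the malware-A alerts are escalated: its last three days run far above its baseline, while malware-B is noisy but flat and group-C is quiet. A real watch list would feed the topic tags, and the window and threshold would be tuned to the team's tolerance for false positives.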