Actionable threat intelligence gathered by a massive telemetry feed can be a huge asset to any organization prepared to receive and apply the information. However, some organizations with less-developed security postures may need to remediate more immediate issues before they're ready to act upon threat intelligence.
To learn more about how telemetry and threat intelligence can improve your organization's security stance, we turned to experts from Cisco Talos. They explained that the current war in Ukraine offers an excellent example of how information extracted from Cisco telemetry can benefit both Cisco customers and non-customers.
"We are building telemetry and data capture into the entire product line in everything Cisco builds, starting at the network level and going all the way to the endpoint," said Cisco Talos Principal Engineer Ryan Liles. "We can use that information to make determinations about new and emerging threat actors, existing threat actors, and the way that they are evolving their techniques to attack individuals, enterprises, and governments."
Cisco Talos says that its primary goals and methods are threefold.
- To stop more, you have to see more: Telemetry is collected from Cisco products and services throughout the enterprise, from the endpoints of employees working remotely to the data center.
- Rapid analysis for greater threat context: The multiple petabytes of data arriving from Cisco's worldwide installed base are analyzed and cross-correlated to quickly identify patterns of behavior, events and file trajectories. "Just by the sheer volume of data that we have, we're able to correlate that and pick out from all of the noise," Liles said.
- See once, protect everywhere: The resulting intelligence is then pushed out to Cisco client devices worldwide, across product lines, to stop new threats as they appear. "If one person has seen something," explained Cisco Secure Endpoint Senior Product Manager Adam Tomeo, "everyone has seen it and can now identify, isolate the threat, and alert the appropriate teams for action."
Open dissemination of information
Much of this information is disseminated freely by Cisco through the Cisco Talos blog, through the open-source Snort and ClamAV rule sets and the SpamCop reporting service that Cisco maintains, and through Cisco Talos podcasts, a newsletter, an open forum and social-media feeds.
Cisco also works closely with the NetSecOPEN network-security evaluation team, the MITRE ATT&CK framework and the MITRE Engenuity ATT&CK endpoint-security evaluation tests. (Read more about the latter in CyberRisk Alliance’s paper “MITRE Engenuity ATT&CK: What it is and how to use it for stronger security posture”.)
Talos discovery: WhisperGate targets Ukraine
In January, the Talos blog detailed a new wiper campaign targeting Ukrainian institutions, called WhisperGate, that "downloads a payload that wipes the MBR, then downloads a malicious DLL file hosted on a Discord server, which drops and executes another wiper payload that destroys files on the infected machines."
"In gathering up all the intelligence on this, building out indicators of compromise and then publishing detection signatures, detection rules for these types of attacks, we are proactively and pre-emptively attempting to protect Western customers from this if [the attackers] decide that they would like to change targets from their current work over in Ukraine to any of the Western countries," Liles said.
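The three behaviours in that description (an MBR overwrite, a second stage fetched from a Discord-hosted URL by something that is not a browser, and mass file destruction) are the kind of thing the "detection rules" Liles mentions encode. The block below is an added illustration of that step, written for this article and not taken from Talos or from any published signature: it runs three behavioural checks over constructed endpoint events and correlates the hits per host. The event schema, the `cdn.discordapp.com` hostname, the browser allow-list and the 20-file threshold are all assumptions made for the example.

```python
"""Behavioural detection of the WhisperGate-style chain over constructed telemetry.

Added example, not Talos code or rules. The event schema (host, ts, pid, image,
kind, target, access), the watched hostname, the browser list and the thresholds
are assumptions chosen for illustration.
"""
from collections import defaultdict

# Assumptions for the example: where the DLL stage is assumed to be hosted,
# which processes are allowed to talk to it, how many distinct files a single
# process may rewrite before we call it destruction, and the correlation window.
WATCHED_HOSTS = ("cdn.discordapp.com",)
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}
MASS_WRITE_THRESHOLD = 20
WINDOW_SECONDS = 300

# Constructed sample events (not real telemetry); ts is seconds since boot.
SAMPLE_EVENTS = [
    # ws01: full chain -- MBR overwrite, non-browser fetch from Discord, mass rewrite
    {"host": "ws01", "ts": 100, "pid": 4410, "image": "C:\\Users\\a\\stage1.exe",
     "kind": "raw_disk", "target": "\\\\.\\PhysicalDrive0", "access": "write"},
    {"host": "ws01", "ts": 103, "pid": 4410, "image": "C:\\Users\\a\\stage1.exe",
     "kind": "net", "target": "cdn.discordapp.com"},
    # ws02: only a scripted fetch from the watched host (suspicious, not conclusive)
    {"host": "ws02", "ts": 200, "pid": 900, "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "kind": "net", "target": "cdn.discordapp.com"},
    # ws03: a browser fetching from Discord is normal user activity
    {"host": "ws03", "ts": 210, "pid": 1200, "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe",
     "kind": "net", "target": "cdn.discordapp.com"},
] + [
    {"host": "ws01", "ts": 110 + i, "pid": 5120, "image": "C:\\Windows\\Temp\\stage2.exe",
     "kind": "file_write", "target": f"C:\\Users\\a\\Documents\\doc{i}.docx"}
    for i in range(25)
]


def basename(path):
    """Last path component, lower-cased, for image-name comparisons."""
    return path.rsplit("\\", 1)[-1].lower()


def stage_hits(events):
    """Return (host, ts, stage, image) tuples, one per detected behaviour."""
    hits = []
    files_touched = defaultdict(set)  # (host, pid, image) -> distinct files written
    for e in sorted(events, key=lambda ev: ev["ts"]):
        key = (e["host"], e["pid"], e["image"])
        if e["kind"] == "raw_disk" and e["target"].endswith("PhysicalDrive0") \
                and e.get("access") == "write":
            # Stage 1: a user-land process opening the boot disk for write.
            hits.append((e["host"], e["ts"], "mbr_overwrite", e["image"]))
        elif e["kind"] == "net" and e["target"].endswith(WATCHED_HOSTS) \
                and basename(e["image"]) not in BROWSERS:
            # Stage 2: payload host contacted by something that is not a browser.
            hits.append((e["host"], e["ts"], "non_browser_download", e["image"]))
        elif e["kind"] == "file_write":
            # Stage 3: one process rewriting many distinct files; fire once at threshold.
            files_touched[key].add(e["target"])
            if len(files_touched[key]) == MASS_WRITE_THRESHOLD:
                hits.append((e["host"], e["ts"], "mass_file_destruction", e["image"]))
    return hits


def correlate(hits, window=WINDOW_SECONDS):
    """Per host: list distinct stages seen; rate 'high' when two or more stages
    land within the window, otherwise 'low' (a single stage is only a lead)."""
    by_host = defaultdict(list)
    for h in hits:
        by_host[h[0]].append(h)
    alerts = {}
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h[1])
        stages = sorted({h[2] for h in hs})
        span = hs[-1][1] - hs[0][1]
        severity = "high" if len(stages) >= 2 and span <= window else "low"
        alerts[host] = {"stages": stages, "severity": severity}
    return alerts


if __name__ == "__main__":
    for host, alert in sorted(correlate(stage_hits(SAMPLE_EVENTS)).items()):
        print(f"{host}: {alert['severity']:4} {', '.join(alert['stages'])}")
```

The point of the correlation step is the "signal from the noise" problem raised later in the article: any one of these behaviours produces a low-priority lead on its own, and only the chain on a single host within the window is escalated.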
Managing the flow
Cisco customers also receive intelligence gleaned from the telemetry feed in the form of product and software updates. Yet providing that intelligence isn't just a matter of hooking up the client and turning on the data firehose.
A customer could easily be overwhelmed by the volume of incoming information; without some way to separate the signal from the noise, there would be little point in receiving all that data.
Many firms, small and large, haven't developed their security programs to the point where they're able to receive and implement this threat intelligence. Instead, these firms may need to fix issues pertaining to known threats before they can afford to worry about future ones.
To see how your firm can benefit from threat intelligence, and whether it's ready to do so, read our report "Cisco Talos: Where Threat Intelligence and Endpoint Security Connect."