One of the most often discussed items in our security consulting revolves around the use of IOC (Indicator of Compromise) information. These IOC's are provided in feeds in most cases and are indicators for attacks that have occurred IN THE PAST.
What is problematic with this approach is 3 fold. The reasons we do not really like utilization of IOC's if because of the following:
IOC data is from attacks that have occurred in the past
IOC data is stale by the time it is disseminated
IOC data does little to detect the constantly changing environment of threats targeting us all
Many organizations think that by subscribing to threat intelligence feeds that they are very well protected against attacks. We believe that they are very well protected against detecting malware that was previously known but are doing nothing to detect zero day and new targeted malware that was written to specifically attack your organization. In short if it hasn't been seen before, you will probably not detect it with a signature.
Jigsaw Security Analytics
Jigsaw Security detects attacks with signatures (again these are after the fact, known threats, to detect unknown or targeted attacks we have to do some very specific things to find those attacks. So how do we do some of this? Below are a few examples of the models implemented on our commercial sensor products:
Detection of request to non existent domains
Detection of domain fluxing
Detection of suspicious content that is non RFC compliant
Illegal Content Alerting - Child Pornography as an example
Use of encrypted streams of data with Geo Location detection - I.E. file transfers to countries to which you may not do business or have a need to be communicating
Network communications patterns recognition and alerting
These are just some of the models that are implemented in our commercial product. If a customer has a need for a specific use case, Jigsaw Security developers can create custom detection modules for use with our products.
So if it's not useful for detecting an attack, what are Threat Feeds good for?
In short, threat feeds are best used as a reference to see if an Internet connected host is problematic (IE. being hacked over and over as an example). They are also useful to tell if an attack attempt has come from a TOR node or a proxy, VPN, etc. They are not an indication of what is happening now. They are only of historical usefulness and should not be used as a block list.
Threat Feeds are also useful for seeing how widespread a malware campaign is and how far reaching or effective a level of activity or campaign is having an impact on the Internet at large.
Threat Intelligence
Threat Intelligence is the act of collecting and protecting resources based on human intelligence. Our analyst are in constant contact with hackers in underground forums, chat rooms, IRC and other methods such as tracking of anonymous information sites. In short the best intelligence comes from direct contact with threat actors which can take years to build trust levels. The team at Jigsaw Security has years of experience and makes direct contact to figure out who is being targeted and how.
Many of the threats faced are not widely known and that is why our threat intelligence is so useful. Threat Intelligence through human collection is superior to all other methods of collection. In fact not all threats are technical in nature so in some cases indications of problems will come from non technical sources.
Detecting Insider Threats
Our biggest asset that we as Jigsaw Security bring to the table is the ability to find insider threats and mitigate the risk associated with intellectual property theft. We have years of experience finding insiders that are responsible for millions in losses (actually $20 Billion in losses in 2017) to these companies that are affected. In many cases companies are worried about cyber security risk and are overlooking the obvious fact that insiders have access to the information that would help a competitor steal methods and processes without being detected.
Our Jigsaw Threat Mitigation Model (sm) prevents this sort of activity through the use of policies and procedures on personnel, training, safety, manufacturing processes and the use of contractors. We utilize AI and machine learning to detect the movement as well as the use of documents through the use of sophisticated document tagging that let's us follow documents throughout their useful lifespan. In addition we conduct surveillance and implement access controls to determine if information is leaving your workspaces.
While we concentrate on insider threat activity, we also protect against network breaches and disclosures of information with our off site advance analytic platform, analyst interaction with threat actors, red teaming and other activities.
To find out if you have insider threats active in your work environments, give us a call and we will outline how we detect and stop threats of the human kind. You now human based threats are the worst kind of betrayal, and we can detect and stop it using technology as well as our investigative skills. Our protected threat model is not a cyber protection model but rather a method for implementing NIST and DHS CDM models in a consistent and effective manner.