There are many reasons why an organization may become the focus of attention of one or more attackers. Factors such as industry sector, geolocation, online presence, and activity levels all play a part in attracting interest. Add in topical considerations where specific events can make an organization attractive to attack for financial gain or intellectual property theft, or attracting journalistic interest or the attention of special interest groups such as activists or protestors. An organization that traditionally has a low profile and limited exposure to cyber threats may one day find itself the focus of worldwide attention by highly organized and competent attackers. An event as simple as the announcement of a merger and acquisition, or the patenting of an innovative solution, can trigger attacks from opportunist criminals or hostile governments. Without prior warning, such attacks have a high probability of success if the organization is not fully protected and on its guard.
What is threat intelligence?
The more basic cybersecurity protective solutions are designed to look for known attack vectors and prevent them from affecting organizations, from anti-virus products scanning for telltale signatures of malware code to firewalls blocking traffic known problematic sources. These solutions are great, but they only protect against the threats that are both known about and can be defeated. Cybercriminals and hostile nation-states are sophisticated and organized. They can devote time and effort to researching new attack vectors that won’t be picked up by reactive defenses until the security defense vendors have spotted the new threat, devised countermeasures, and rolled out updates to their users.
This is where threat intelligence services come into play, providing real-time information on attacks that are currently happening and new attack vectors that are yet to be used in anger. Cyber threat intelligence (CTI) encompasses the collation and analysis of information from a diverse range of sources. A great example of CTI in action is the recent work done by LMNTRIX Labs in identifying a global phishing campaign directed at organizations that form the COVID-19 vaccine supply chain. Companies producing chemicals used in the manufacturing processes to the specialist storage and logistics companies were all targeted by a highly organized and capable threat actor. The collated intelligence enabled the targets of the attacks to be warned and countermeasures deployed.
The LMNTRIX Intelligence services’ philosophy is the collaborative sharing of information to make the interconnected world a safer place for our clients. All the good guys face attacks all the time by the bad guys, and the good guy’s information systems generate a lot of data about what is happening to them. So why not share all this information to come up with the complete picture for everyone. All organizations need to collaborate and correlate all their relevant data collected quickly and efficiently to advance the value of threat intelligence. After all, attackers are also known to share methods and tactics, and there is a thriving market for sophisticated attackers to sell malware kits to anyone who wants to buy an off the shelf attack. Sharing intelligence will shine a light on these threats, making them easier for everyone to spot and counter.
How can intelligence come from raw information?
This raw information about current and potential new threats requires specialist analysis to extract the critical information pertinent to the organization that is consuming it. Otherwise, there is a counterproductive risk that they can be overwhelmed with irrelevant information that masks a clear and credible threat to them. The analyzed information feed can then influence decision-making processes or ideally be utilized by automated, integrated cybersecurity solutions. The threat information must include actionable measures to protect against the identified exploits and any advanced or zero-day threats to be of greatest value to the consumer. This is a proactive approach that complements traditional reactive products.
What can LMNTRIX Intelligence do for you?
Here is where LMNTRIX Intelligence can assist our clients with our Active Defense solution. We take intelligence data from a wide variety of sources. This currently includes over three hundred threat feeds gathering raw data from commercial third party information feeds, vendors, open-source intelligence feeds, external reputation services, and our own propriety sensor network. This includes our own sensor network (honeypot sensor deployments) at our client’s network perimeters to attract and record attacks while gathering valuable intelligence about the attacks’ modes of operation.
We are continuously developing this service, intending to aggregate many more data sources in the future. The proprietary technology behind LMNTRIX Intelligence allows us to deliver earlier detection and identification of adversaries’ presence in your organization’s network. The key to this proprietary technology is examining millions of discrete data points from a broad range of sources to distill trends from the raw information and identify the most critical, widespread, and potentially damaging threats. This is achieved by making it possible to correlate millions of threat indicators against real-time network data. Our sources include underground intelligence that we have been mining for the past 5 years and includes data crawled dating back 12 years consisting of over 6 billion identities, 700 million documents and over 200 thousand data breaches allowing us to consistently detect external threats. This level of visibility also gives us insight into the number of organisations that sweep their breaches under the carpet even after we alert them of the breach out of good faith. This monitoring service includes:
- Monitoring of personal private information (PII) on sale across multiple forums and auction sites to alert clients when credentials may be compromised and allow them to investigate the source of the data leakage and to take precautionary actions
- By collecting information (credentials, IPs and personal data) from botnet control panels the detection of any client machines being controlled through malicious malware through the active monitoring of dark web command and control servers allowing affected devices to be cleansed and the root cause vulnerability that enabled infection to be investigated and resolved.
- Detection of malware and spam specifically targeted against our clients to allow preemptive verification that such threats will be successfully countered by existing security solutions or, where necessary, additional security controls added if any weakness or vulnerability is identified
- Detection of evidence that attacks may be planned or in progress against our clients allows measures to be taken that will prevent or halt any malicious actions. When an attack has resulted in an on-going breach that cannot be controlled using available technology, we can negotiate with the attackers on behalf of clients to halt any malicious actions and minimize consequential damage.
- Detection of phishing attacks from mailboxes and online repositories trying to steal user credentials of the affected Organization.
- Detection of stolen credit card information, such as Expiration date, CVV2, card holder, etc.
- Detection of illegal mobile applications that are being publicly published without the Organization’s authorization.
- Detecting and preventing the creation of dangerous files in your websites and servers, detect targeted malware and gain early warnings of information leaks due to a malware attack.
- Detection of brand abuse in different Web 2.0 repositories, such as blogs, forums, websites and advertisements (AdWords abuse).
- Searches in public or cloud documental repositories, P2P networks and deep Internet for documents and confidential information that should not be publicly available.
- Detection of information about hacktivist groups seeking to attack technological assets of an Organization and detects of 0-day/1-day that might affect IT assets of an Organization.
- Detection of underground activities that can be dangerous, discovers data sales (from credentials to secrets) and uncovers document leakages.
Benefits of the LMNTRIX Active Defense solution
Today Active Defense consumes over 650 million indicators of compromise (IOCs) from our intelligence exchange sharing community as well as those generated by our incident response and forensic analysis processes. This massive volume of raw data that we process using our machine intelligence analysis processes allows us to develop a comprehensive threat intelligence picture. This automated intelligent programmed solution takes machine learning and problem-solving techniques to the next level, using deductive logic to process the raw data, identify patterns and trends, and identify critical information for our clients. In comparison, a typical very large next-generation firewall (NGFW) can only handle around a few hundred thousand IOCs to put this in context while a small NGFW can handle no more than 30k IOCs. By processing such vast quantities of intelligence information, we can provide our clients with a more thorough cyber defesne service.
Our approach enables us to detect attacks at every point along the attack lifecycle, making it possible to stop them in their tracks and mitigate threats before any material damage to your organization has occurred.
- Access to comprehensive threat intelligence
- Advance warning of targeted threats and attacks
- Detection of unknown vulnerabilities and breaches
- Situational awareness of current threats and trends
- Optimization of existing tools to match threat landscape
- Support for informed, proactive cyber defense planning and decision making
- Expert advice and guidance
In Summary, LMNTRIX Intelligence provides access to more data and atomic indicators from LMNTRIX telemetry, Active Defense cyber operations, incident response teams, and LMNTRX Labs than we have ever exposed.