Once upon a time, peoples’ lives had an air of mystery. We didn’t know where our friends were at all hours of the day and couldn’t tell which events they were going to, let alone what they had for breakfast (complete with pictures).
Those days are long gone; the age of over-sharing is upon us. The immediate impact on my day job may not be obvious, apart from my own weakness for refreshing my newsfeed. But in fact, social media is one of the easiest ways for attackers to gain inside information on a target.
Think about LinkedIn. Why would a hacker bother running a blind scan to find targets when he could just log in online and have a browse. LinkedIn profiles reveal a target’s network, the system administrators and even the systems they are working on.
I’m not trying to deny social media’s benefits; it’s a powerful business tool for sure, but it also poses a big threat to security. As a result many companies enact policies that require employees to remove specific details about their jobs.
Sharing is Caring
However, the principles behind social media can actually be used to increase organizational security. Social media is all about sharing, whether it’s images of your latest holiday or an update about your promotion. This principle, while perhaps not the most natural for us IT folks, can be applied to share information about threats. The team can then join arms and create a stronger defense than if they were going it alone.
Granted, this is easier said than done and will no doubt set off some subconscious warning bells, with fears that sharing certain information could give attackers an advantage. While it’s important to consider the information that is being shared, as an industry we’ve come to terms with the fact that going it alone is no longer an option. We have to move beyond sharing basic virus definitions or IDS signatures.
When applying this in real life, I decided to think like my attacker. Disheartening realization then ensued, as the reality is that attackers are far ahead of defenders and have been for some time now. They’re also a bit ahead of the times in terms of this sharing-is-caring ethos. Many have been sharing information about vulnerabilities and tactics much more efficiently than defenders.
While there will still be the occasional lone wolf, the reality is that hackers are much more likely to be part of an underground community sharing tools and tactics faster than any one company can keep up with. I decided it was time we turned the tables.
Now I’m not saying I’m the first to have thought of this, but in the last few years we’ve seen deeper integration through detection and protections infrastructure.
“Threat feeds will not guarantee security – actually, you should be skeptical of anything that claims to guarantee security – but it’s a move in the right direction”
Harnessing Threat Feeds
First on the sharing agenda: threat feeds. Threat feeds are a much trumpeted technology to share attack information quickly. They enable your infrastructure to dynamically detect and respond to new threats. I started out with a couple of straightforward lists of IP addresses and network blocks associated with malicious activity then upped my game to complex behavioral analysis.
Threat feeds will not guarantee security – actually, you should be skeptical of anything that claims to guarantee security – but it’s a move in the right direction towards creating collective defense arrangements. And it’s not like this information is coming from a friend on Facebook; most of the data in today’s feeds is submitted anonymously. But again, it’s a start.
Protective technology vendors are embracing sharing too, and not just on their own social accounts. Some of those offering antivirus and firewalls have created their own threat feeds, available to customers willing to pay a little more for a premium subscription service. These are, however, usually only designed to work with a specific vendor’s technology, meaning they are limited to how deep they can be leveraged throughout your IT organization.
In order to be most effective and secure your place as IT guru, you’ll likely want to embed such data in other places in your infrastructure. Sometimes it’s fairly easy to get the raw data from these feeds to do just that, but not always. There are also vendor-agnostic threat feed sources worth looking into. For example, some security information and event management (SIEM) tools include such features.
Since no man is an island, I took to sharing the ‘sharing plan’ with the wider team. I set up a unified dashboard that contained information about the state of the networks and systems and included other IT pals in action reports from incident responses. The more they understand how threats have been discovered, the more vigilant they can be in their own sleuthing to detect anomalies and flag issues in their systems.
At the end of the day, social media might pose a threat, but it also highlights an opportunity even more important than identifying where to visit for brunch. If we IT pros get better at openly sharing and using valuable threat and attack information, our defenses will be all the stronger for it.