Is Threat Intelligence Actually Fueling Prevention?

Written by

Phishing remains all too easy for today’s hackers, with the latest ruse involving emails purporting to be from the World Health Organization concerning Ebola. A major problem with digital communication is that it's often difficult to differentiate between an authentic email and one that’s been falsified. Basic security intelligence is championed as a crucial way of protecting business infrastructure – whether it’s looking for unusual changes in URL hyperlinks or the anomalous use of certain names in email ‘from’ fields – as this can indicate if malicious activity is at work inside a business, or attempting to penetrate it. However, a big question is ‘how much of the threat intelligence data gathered is actionable?’

Looking back at 2014, Heartbleed was probably the most shocking security story ­­­­­­­– not least because it gave hackers a lot of opportunity for collateral damage. Scammers exploited the story of the bug, sending unsuspecting citizens email messages asking them to log in to sensitive accounts. If you typed ‘Heartbleed’ into a search engine in the midst of the storm, an infinite amount of data would be available online – but that doesn’t help solve the problem of how to make sure you’re not affected.

Of course, the highly publicized Target data breach, where 40 million credit cards and 70 million identities of shoppers were stolen also cannot go without mention. While these two events indicate the challenging environment businesses find themselves operating in today, both reveal how long it can take for information on specific data breaches to become available and subsequently useful. Indeed, it has taken some 12 months to learn that the Target breach originated from a successful phishing email attack on its HVAC vendor, which installed malware on the vendor’s computers.

Important questions asked when faced with a breach often include: what is the threat and what is the attack vector? Who is the ultimate target? Is it widespread across my organization or targeted directly at my CFO or some other C-level exec? If you don’t know the answer to these questions straightaway, it is very hard to prioritize time and business. Returning to Heartbleed offers a useful example; on news of the vulnerability, many companies discovered last minute that they had a disparate number of web services and web properties. As such, it took a lot of time and effort to work out if they were running a vulnerable version of OpenSSL across their network.

The Cryptolocker Study

Cryptolocker made its first appearance in September 2013 and involved malware that successfully infected its target, encrypting network drives and then moving on through the network unless a ransom of $400 worth of Bitcoins was paid. Interestingly, the scale of Cryptolocker’s success (ie the number of people paying) is up for debate: the University of Kent reported that ‘the conversion’ rate was 41%, while Symantec went in 10 times less at 3% and Dell even lower at 0.4%. All in all, this essential research reveals a very complicated picture, but does not give us workable intelligence that can be used for prevention in the future.

Useful data that can be turned into prevention can be established by using insight provided by DMARC technology. DMARC acts as a ‘virtual handshake’ between email sender and receiver, ensuring only authenticated email is delivered to customers. With regards to Cryptolocker, DMARC information for one known attack reveals that during a span in April the criminals attempted to use a well-known domain to send a malicious email containing a malware attachment. The attack ran in three waves with different subject lines to optimize the persuasive effect on end users. And, due to the sheer number of hosts involved, we can tell it was a botnet sending spam messages involving about 20,000 hosts during each wave of the attack.

Interestingly, by looking at the third wave we can see that while a single IP address sent 1375 messages during the campaign, it also sent four emails alleging to be from Yahoo UK’s website. Furthermore, when we look at the same host after the attack, we can see that some mail continued to come from this host, but gave up on the first company’s name and started to focus attention on Yahoo and ­­­­­­­– a clear demonstration of how the botnet was repurposed to take aim at major ISPs. This is actionable data.

Ultimately, while we know there is no silver bullet, choosing resources that monitor email data in real-time and produce actionable intelligence on where an email is originating from and where it is going is fundamental to stopping a compromise. 

About the Author

Agari CEO Patrick Peterson joined IronPort Systems in 2000 and defined IronPort’s email security appliances. In 2008, after Cisco’s acquisition of IronPort, he became one of 13 Cisco Fellows. In 2009, he spun-out email security technologies he developed at IronPort/Cisco into a company he founded, Agari, which secures the email channel. He chairs the technical committee for the Messaging Anti-Abuse Working Group (MAAWG) and holds BS and MS degrees in electrical engineering from Stanford University


What’s hot on Infosecurity Magazine?