Threat Intelligence

A Brief History About Why Threat Intelligence Came Into Existence

In the early days of endpoint antivirus products, vendors needed a way to catalog all the known viruses so that their products could confirm whether a file contained a virus. Their threat intelligence department did this by taking a sample of each known virus and generating a signature that represented the contents of the file; in other words, a fingerprint. These virus signature lists were distributed with the antivirus software. As time went on and new viruses were detected, each vendor's threat intelligence service distributed updates to its virus signature list. These updates were issued regularly and in a variety of ways: monthly, quarterly, and in some cases only once per year.

As malware developers gained expertise, their malware became more sophisticated and included mechanisms to evade classic signature-based scanning by changing its file contents at will. Because the file contents changed, the signatures also changed, allowing the malware to sneak past the older antivirus products. This gave rise to a single type of malware becoming an entire malware family of perhaps hundreds of thousands of different files, known as polymorphic malware, each performing the same bad behaviors. The same problem arises when do-it-yourself malware kits are put up for sale on the dark web, not to mention the proliferation of Malware-as-a-Service organizations.

This created a new issue. The classic one-to-one signature approach, in which each known malware file is represented by one signature in the signature file, is obviously not going to scale well when the number of new malware variations can run into the millions or more each day. To handle this new ability of malware to morph into new forms, the vendors' threat intelligence services created ways to detect entire families of malware using only one signature. This is done in a variety of ways, but they all detect commonalities across the malware family.

Heuristic Detection

Up to now, we've been talking about malware that has been seen and is therefore known to the vendors' threat researchers. What about malware variations that have not yet been seen? Signature-based detection methods will not detect these types of threats, so vendors created sandboxing products, which take a suspect file and place it in an environment where its behaviors can be closely analyzed. If the file does something malicious while in the sandbox, it is flagged as malware. This is known as heuristic detection, and it looks for anomalous behavior that is out of the ordinary. In fact, vendors create proprietary heuristic algorithms that can detect never-before-seen polymorphic samples of malware. Depending on the particular sandbox product and its configuration, the owner of the sandbox can propagate this new knowledge not only across their own network security environment, but also send the details to the vendor's threat intelligence service so that it can be shared worldwide and protect more people.
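The progression described above (exact-file signatures, then one family signature for polymorphic variants, then sandbox behavior heuristics for never-seen samples) as an added illustration that is not part of the original article. All sample files, signatures, behaviour names and weights are constructed for the example.

```python
"""Added example, not from the original article: three generations of
detection run over constructed samples. A hash signature matches only the
exact file, a family signature matches the byte pattern shared by
polymorphic variants, and a behavioural heuristic flags samples whose
sandbox actions score as malicious even when no signature matches."""
import hashlib
import re

# Constructed sample "files": raw bytes plus the behaviours a sandbox observed.
SAMPLES = {
    "orig.exe":    (b"MZ\x90\x00 PAYLOAD:v1 CALLHOME mutant=0000", ["write_autorun", "connect_out"]),
    "variant.exe": (b"MZ\x90\x00 PAYLOAD:v1 CALLHOME mutant=7f3a", ["write_autorun", "connect_out"]),
    "unseen.exe":  (b"MZ\x90\x00 xor-packed blob 9d2e1c", ["disable_av", "encrypt_files", "connect_out"]),
    "notepad.exe": (b"MZ\x90\x00 text editor, nothing to see", ["read_file"]),
}

# Generation 1: one hash per known file (assume only orig.exe was ever sampled).
KNOWN_HASHES = {hashlib.sha256(SAMPLES["orig.exe"][0]).hexdigest()}

# Generation 2: a single family signature covering every "mutant=XXXX" variant.
FAMILY_SIGS = {"CallHomeFamily": re.compile(rb"PAYLOAD:v1 CALLHOME mutant=[0-9a-f]{4}")}

# Generation 3: weighted sandbox behaviours; a score at or above THRESHOLD is malicious.
BEHAVIOUR_WEIGHTS = {"write_autorun": 3, "connect_out": 1, "disable_av": 5, "encrypt_files": 5}
THRESHOLD = 4

def hash_match(data: bytes) -> bool:
    """Exact-file signature: any byte change defeats it."""
    return hashlib.sha256(data).hexdigest() in KNOWN_HASHES

def family_match(data: bytes):
    """Family signature: returns the family name if a shared pattern is present."""
    return next((name for name, sig in FAMILY_SIGS.items() if sig.search(data)), None)

def heuristic_score(behaviours) -> int:
    """Sandbox heuristic: sum the weights of observed behaviours."""
    return sum(BEHAVIOUR_WEIGHTS.get(b, 0) for b in behaviours)

def classify(name: str) -> str:
    data, behaviours = SAMPLES[name]
    if hash_match(data):
        return "known (hash)"
    family = family_match(data)
    if family:
        return f"family ({family})"
    if heuristic_score(behaviours) >= THRESHOLD:
        return "heuristic (sandbox)"
    return "clean"

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:12} -> {classify(sample)}")
```

Running it shows variant.exe slipping past the hash check but being caught by the family signature, and unseen.exe being caught only by its sandbox behaviour.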

Artificial Intelligence As A Detection Method

Beyond sandboxing, the future of detecting previously unknown malware includes the threat intelligence service's use of Artificial Intelligence and Machine Learning to rapidly grade the security threat potential of files as they traverse the network. And it's not just about files. The threat intelligence service catalogs the knowledge about existing or emerging attacks, including:

  • The specific mechanisms of the attack

  • The evidence that the attack has happened, also known as Indicators of Compromise (IoCs)

  • Implications of the attack

  • Attribution of the adversary

  • The potential motivations

The Sharing Of Threat Intelligence

As the techniques used by bad actors continue to evolve and become more sophisticated, it's more important than ever to share threat intelligence in real time across the entire network security environment. If some security components know about an attack while others wait for periodic signature updates, the attackers may sneak past defenses and cause harm. Security products and threat intelligence services that can act together in real time stand the best chance of stopping these attacks. And the sharing of threat intelligence doesn't stop with each vendor's product lineup. You might think that after putting in the work required to gather, analyze, and catalog threat intelligence, each vendor would keep that information secret, yet almost all vendors share this intelligence with the wider security community. This happens through formal memberships in organizations such as the Cyber Threat Alliance and local, national, and international Computer Emergency Response Teams (CERTs), as well as numerous private trusted partnerships with other vendors, independent security researchers, and law enforcement. This real-time sharing of threat intelligence allows for a more complete picture of the attack, because no single vendor is going to have all the data. It isn't the threat intelligence that sets vendors apart; it's what they do with that intelligence through the technology in their products.
