Creating Your Own Threat Intelligence
During my time in a previous role, I remember attending a vendor presentation where the salesperson listed all the reasons why I needed to invest in a third-party threat intelligence service. Most of the pitch was aimed at the attack trends happening in my industry and how to stay safe. His presentation got me thinking about what threat intelligence would be most relevant to me. Specifically, I thought about which types of users would be targeted, what I was worried about losing, and where I should look for attack indicators. I started examining different event logs within my infrastructure that I knew no one else was analyzing – many of them weren’t even security logs – and I was amazed at the wealth of data out there just waiting to be analyzed.
I believe third-party threat intelligence offerings can be an integral part of an enterprise information security program. However, I also think you can leverage existing systems to create your own intelligence. A big piece of your organization’s cyber security story can be uncovered with a minimum amount of log analysis.
Here is a pair of tips on how to do just that.
Start Logging Events That Can Be Analyzed
Turn on logging features where they are available and write code that logs critical events in custom applications. If your servers, network devices, applications and PCs aren’t logging, there’s no way to know what’s happening. I’d recommend forwarding those logs to a centralized security information and event management (SIEM) system, but even if you don’t have the budget for that, ensure the logs are saved somewhere. The longer you can keep them without impacting system performance, the better. Looking at two hours’ worth of logs doesn’t give you enough events to trend activity over time. Looking at 60 days’ worth of data can provide reliable trending information.
Where possible, it’s also a good idea to fine-tune what you’re logging; otherwise you’ll be stuck sifting through a host of unnecessary logs. My favorite example of this is an old Windows log entry stating that “A handle to an object was requested.” There were thousands of entries, but they were all useless. Newer versions of Windows Server allow you to make your logging granular so you only get what you need. This helps when trying to identify certain types of logged behavior.
Where to Find Threat Intelligence
Personally, the perimeter firewalls and DNS are my favorite place to start. If you do have computers that are talking to the bad guys, this is where you’re going to find it. For example, let’s suppose you are using Office 365 and the majority of outbound requests from your network are to Office 365 IPs. That would make perfect sense and would indicate expected behavior. If the majority of requests are to an IP address in Russia that you can’t identify, you likely have a problem. The firewall is also a good place to watch for denial of service patterns. If you total the allowed and denied requests per minute and baseline it over time, it will provide you with a nice graph of what “normal” looks like. Then you can set up alerts when the number of requests starts to spike to “abnormal” levels. If requests suddenly triple or quadruple without any business correlation, it could be an indicator of a denial of service attack.
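As an added example (not code from the original post), here is a small Python script that applies the per-minute baseline-and-spike rule described above to constructed firewall log lines. The simple "timestamp action src dst" log layout, the median as the baseline, and the fixed 3x alert threshold are assumptions; a real firewall's export format will differ.

```python
from collections import Counter
from datetime import datetime
from statistics import median

# Constructed firewall log lines (not real traffic), laid out as
# "YYYY-MM-DD HH:MM:SS ACTION SRC DST"; real firewalls use their own formats.
BASELINE_MINUTES = [f"2024-03-01 09:{m:02d}" for m in range(10)]  # 10 quiet minutes
SPIKE_MINUTE = "2024-03-01 09:10"                                  # one noisy minute

def build_constructed_log():
    lines = []
    for minute in BASELINE_MINUTES:
        for i in range(4):                     # 4 requests per quiet minute
            action = "ALLOW" if i % 2 == 0 else "DENY"
            lines.append(f"{minute}:{i * 10:02d} {action} 10.0.0.{i} 198.51.100.1")
    for i in range(16):                        # 16 requests in the spike minute
        lines.append(f"{SPIKE_MINUTE}:{i * 3:02d} DENY 203.0.113.{i} 10.0.0.5")
    return lines

def parse_line(line):
    """Return (minute bucket, action) for one log line."""
    date, clock, action, _src, _dst = line.split()
    stamp = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
    return stamp.strftime("%Y-%m-%d %H:%M"), action

def per_minute_totals(lines):
    """Count allowed plus denied requests per minute, as the post suggests."""
    counts = Counter()
    for line in lines:
        minute, _action = parse_line(line)
        counts[minute] += 1
    return dict(counts)

def baseline(counts):
    """Median requests per minute; the median is not dragged up by the spikes."""
    return median(counts.values())

def find_spikes(counts, factor=3):
    """Minutes whose total is at least `factor` times the baseline (the post's
    'triple or quadruple' rule). Returns sorted (minute, count) pairs."""
    normal = baseline(counts)
    return sorted((m, c) for m, c in counts.items() if c >= factor * normal)

if __name__ == "__main__":
    totals = per_minute_totals(build_constructed_log())
    print("baseline requests per minute:", baseline(totals))
    for minute, count in find_spikes(totals):
        print(f"ALERT {minute}: {count} requests")
```

Over 60 days of real data you would baseline per hour of day or day of week rather than with one global median, since "normal" at 3 a.m. differs from normal at 10 a.m.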
From a user perspective, I like going to three distinct places – antivirus, web filtering, and device blocking. These systems will tell you who’s downloading malicious files, what bad websites users are going to, and if they’re plugging in unauthorized USB drives or smartphones. Logs for failed installs at the PC level will tell you who’s trying to install unauthorized software. The nice part about these logs is they can be traced to a user and you can take action. This level of intelligence can indicate where future problems are likely to come from internally.
It’s also a good idea to review Active Directory group membership on a recurring basis. Think about how often someone gets added to an AD group because they need temporary access to data. How often is that group purged of temporary users? You can also look at the logs to determine who is adding, changing, and deleting group membership as well as the users themselves. The logs for VPN and multifactor authentication can provide a wealth of information about remote access. It’s important to know who’s working remotely, what time they are working, etc. The intelligence gained here provides insight into who’s likely to be compromised. For example, these users may not connect to the corporate network often enough to receive patches and antivirus definitions.
Event: Your cybersecurity questions answered
Want additional advice on building and maintaining more effective cyber security initiatives within your organization? Join me on April 13 at Arraya Solutions’ first-ever Security Forum. During this free, half-day event, I’ll present on a variety of topics, including the most dangerous emerging threats and the proper way to build an incident response team and plan. This event will provide today’s IT leaders with some of the knowledge and skills needed to guide their organizations to success in a business world plagued by high-tech threats.
Space is limited so reserve your spot today: arraya.rocks/events.
Feel free to send any questions you’d like to have answered prior to the event to https://www.arrayasolutions.com//contact-us/ or use social media (LinkedIn, Twitter, and Facebook) to leave me a comment on this post.