
Staying Ahead of Cybersecurity Threats

Robert Wagner
Reading time: 10 min

Last week, we talked about getting ahead of cybersecurity threats, discussing traditional approaches to this problem, and how Fletch makes it all a lot easier. Now, once you have a strategy for getting ahead of those threats, you're going to want to stay ahead of them. That's where teams run into a lot of hurdles.

It's a real challenge. There are many different types of threats covered by media outlets, social media channels, and even cybersecurity publications, and for most organizations it's hard to figure out what to prioritize.

In fact, we talked about how most threat intelligence teams tend to cherry-pick threats. It's a lot like forecasting the weather or forecasting stocks. Good threat teams are able to do some forecasting because they know their environment, but it takes a lot of footwork to even get to the point where you can start making assumptions about the threats that are out there.

A lot of the time, media outlets focus on exotic threats. The exotic threats are the fun ones to talk about, but they are rarely the most important ones for most organizations, and they are often quite a distraction for threat teams and executives.

A threat intel team chooses which threats to track, forecasts those threats, and, based on those forecasts, decides where to invest in defenses. These decisions need to be data-driven: based on what your security tooling is telling you and on what your engineers and developers are working on.

As we discussed in our last video, Log4J was a good example of that: good threat intel teams knew early on that something was happening. They knew it involved a particular library, and eventually they knew the name of that library even before the media started calling it Log4J. But organizations that did not see that initial chatter were running fire drills when it finally hit mainstream media.

Sometimes this information is organized and told in a well thought out, coordinated way. Remember when the original Heartbleed vulnerability was discussed? That was a much more coordinated communication effort compared to Log4J, where everyone was left to fend for themselves. As a result, Log4J was a huge fire drill for a lot of teams.

When we talk about staying ahead of threats, we're really talking about staying ahead of threats as they evolve. Not all threats evolve; some just appear, people leverage them and attack with them for as long as it's profitable or otherwise benefits them, and that's it. But the majority of the threats that matter do evolve, along several different aspects:

  1. The threat's scope. This includes which platforms, application stacks, libraries, etc. are targeted by or leveraged as part of the threat. The humans behind these threats can get quite creative as they try to accomplish their objectives.
  2. The threat's impact. Changes in impact include the number of victims as well as the business impact of the threat. A business can be impacted by the amount of data stolen and that data's value, fines, loss of customers, decline in stock value, etc.

Threat actors can also change whom they target as victims. A particular threat group might start out going after one sector, then switch gears and go after healthcare. All of these are factors in the calculus of which threats to prioritize.

This is why the Fletch Trending Threats app tracks the evolution of every major threat, giving teams guidance about near-term fixes and mitigations, or at least about how to add some speed bumps to slow the threat down. The Fletch expert team also gives guidance on the long-term fixes that categorically resolve the issue, so that if it ever crops up again in the news, your organization is not impacted: recommendations about systemic process changes, employee education, or even making sure that backups are in place so you are more resilient.

To give an example of threat evolution, here is a kernel-level vulnerability from Apple that we started tracking quite a while ago. We noticed several things about the threat as we tracked it, which led to changes in its severity rating. We first rated it critical, because it was a zero-day with no patches when it first came out. It went down to medium and then back up to critical. But what were the factors that actually made us change that severity rating as the threat evolved?

One factor is that we do evidence-based analysis of the details of every article that discusses a given threat, vulnerability, or security issue. In this particular case, the issue was brand new back in August, and the article detailed a new set of current vulnerabilities in Apple's macOS; that was enough to flag this particular article as critical. Because we had never seen this vulnerability's CVE identifier before, we also tagged the threat as "emerging". A couple of weeks later, media coverage of this threat had increased, triggering another alert in Fletch. But since no additional material information was shared (you can see that the number of indicators stayed the same), the severity was set to medium. The guidance was centered around "in case you didn't patch when we told you about this before, you might want to patch now."

However, six days later, additional information was disclosed: these particular vulnerabilities were part of a larger set that Apple resolved in its latest OS update. This was enough to change the severity back to critical, because the update covered not only the previous two zero-day vulnerabilities but a total of 12. That was quite a jump in six days.

With more actionable information available, it was important to bring this to the operators' attention to help them reprioritize and answer questions like "should we roll out another patch for this or not?"

Another advantage is that Fletch automatically tracks all the major threats, not just some of them. That's a massive improvement over the way things are done today. Threat intel teams have limited bandwidth, so they have to select which threats they track, and the data they gather is typically a point-in-time assessment. Those assessments go stale quickly, and keeping the data relevant can be taxing on teams. Instead, Fletch continuously tracks every major threat, so humans don't have to.

Within the Fletch Trending Threat app, you’ll see a tag for each step of a threat's lifecycle:

  • Emerging: used when we first identify something we haven't seen before. On average this is 7 days ahead of when most people in security would hear about a given threat.
  • Trending: used once we start to see the community and a number of media outlets report on this particular issue or threat. You usually still have time to get ahead at this point.
  • Mainstream: used once a certain quantity of the information is picked up by mainstream media outlets and it's all over Twitter, meaning you can expect someone in leadership to tap your security team on the shoulder: "Hey, I read about this thing in the news, are we impacted by it?"
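The severity re-rating walked through above (critical on first sighting, medium when coverage grows without new indicators, critical again when a patch batch discloses more CVEs) and the emerging/trending/mainstream tags can be modelled as a small state machine. The code below is an added illustration, not Fletch's product logic; the article feed, the thresholds, and the CVE identifiers (placeholders of the form CVE-0000-NNNN) are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Article:
    day: int
    outlet: str            # constructed categories: "security-press", "mainstream", "vendor-advisory"
    indicators: frozenset  # CVE ids or other indicators the article cites
    patch_available: bool

@dataclass
class ThreatState:
    seen: set = field(default_factory=set)       # every indicator seen so far
    outlets: set = field(default_factory=set)    # distinct outlets that have reported
    mainstream_hits: int = 0                     # count of mainstream reports
    timeline: list = field(default_factory=list) # (day, tag, severity, reason)

def lifecycle_tag(state, trending_at=2, mainstream_at=2):
    """Emerging -> trending -> mainstream, driven by breadth of coverage (assumed thresholds)."""
    if state.mainstream_hits >= mainstream_at:
        return "mainstream"
    if len(state.outlets) >= trending_at:
        return "trending"
    return "emerging"

def rate(state, article):
    """Re-rate on each article; only material change (new indicators) raises severity."""
    new_indicators = set(article.indicators) - state.seen
    if not state.seen and not article.patch_available:
        severity, reason = "critical", "new zero-day, no patch"
    elif new_indicators:
        severity, reason = "critical", f"{len(new_indicators)} new indicators (material change)"
    else:
        severity, reason = "medium", "more coverage, no new indicators (patch reminder)"
    state.seen |= set(article.indicators)
    state.outlets.add(article.outlet)
    if article.outlet == "mainstream":
        state.mainstream_hits += 1
    entry = (article.day, lifecycle_tag(state), severity, reason)
    state.timeline.append(entry)
    return entry

def track(articles):
    """Replay a feed in day order and return the severity/tag timeline."""
    state = ThreatState()
    for article in sorted(articles, key=lambda a: a.day):
        rate(state, article)
    return state.timeline

# Constructed feed mirroring the three stages in the text: zero-day, echo coverage, 12-CVE patch.
SAMPLE_FEED = [
    Article(0, "security-press", frozenset({"CVE-0000-0001", "CVE-0000-0002"}), False),
    Article(14, "mainstream", frozenset({"CVE-0000-0001", "CVE-0000-0002"}), False),
    Article(20, "vendor-advisory", frozenset(f"CVE-0000-{n:04d}" for n in range(1, 13)), True),
]
```

Running `track(SAMPLE_FEED)` yields critical/emerging, then medium/trending, then critical again once ten further indicators appear, matching the sequence described for the Apple kernel issue.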

You can answer that question by taking 10 minutes to connect your existing EDR, vulnerability management, and DAST tools to Fletch. Fletch will automatically correlate what it learns daily against your security tools, delivering custom reports like the one below to your inbox every day.

To get more information, you can open the Trending Threats app to see which threats are new, which have recently evolved, and what these changes mean to you: information that helps you decide what to prioritize each day so you can always stay ahead of threats.

If you’re already signed up with Fletch, you should already see the new tags and summaries in the product. If you’re not a subscriber to Trending Threats, you can sign up here.