It is more important than ever to incorporate threat intelligence into your security practice. However, there are many different types of threat intelligence, each with their own merits and uses; the specific type of threat intelligence I will be discussing here is peripheral threat intelligence. These are the external Indicators of Compromise (IOCs) and threats that are beyond your organization’s four walls.
There are three types of threats to consider: compromised credentials, poor network hygiene, and social engineering. Each of these are highly prevalent and represent large risks to organizations in different ways.
Compromised Credentials are the King of Breaches
According to the Verizon 2016 Data Breach Investigations Report, 63% of confirmed data breaches in the last year involved using compromised credentials. The public has seen many of the breaches in the news and is now more aware of just how effective they are. The most common way that an adversary obtains compromised credentials is when an employee uses their company credentials to sign up on a third party website, and as a result, exposes their credentials via clear text.
These IOCs are particularly valuable to adversaries because people often recycle their passwords and they can then use these credentials to gain a foothold into their target companies. The scary part is that the bad actor does not even always even need the credentials of the company’s employees. They can go after the company’s supply chain partners who may have access into the company infrastructure.
Credentials from each of these sources are then bought and sold online in places like Pastebin and the Dark Web. So in this case, you need to incorporate email address IOCs that includes yours and your supply chain’s domains.
Poor Network Hygiene Hides C2 Infrastructure
In this instance, I’m not speaking about scanning your own network for vulnerabilities, but instead we’re focused on monitoring your organization’s IP space for compromised hosts that might be used by malicious actors. Say your organization has a compromised host with a static IP address, then an attacker can map a malicious domain name to a DNS A-record within your organization to turn and use your own infrastructure as a Command-and-Control (C2) host. These hosts can be webservers hosting malicious content.
Other scripts may then start vulnerable or unexpected services, which are then discoverable. At this point, systems from your IP space or your supply chain’s IP space may start showing up in threat intelligence lists as bot IPs, scanning IPs, brute force IPs, and spam IPs. Monitor and search these sites and lists to make sure your infrastructure is not on them, but if your hosts or your supply chain’s hosts end up being on these lists, take the appropriate remediation steps and alert them as well.
Social Engineering is on the Rise
Social engineering is a very effective tactic because it exploits people and psychology rather than technical controls. They can be used to phish you or set up a C2 domain. Alarmingly, 30% of phishing messages were opened according to the 2016 Verizon Report. This is up from 23% in the 2015 report. Around 15% of those people who opened the email then went and clicked to open the malicious attachment or link.
When you look at these numbers, it makes sense why phishing is on the rise. Protecting your organization and your supply chain involves moving a up a little bit in the maturity curve because it involves creating your own threat intelligence. You first need to create an inventory list of your IP space and domains. From there, you will need to think like a bad actor and create threat intelligence that would match an IOC that they might create. For example, this might be a typo-squatted domain that you create manually or via a domain generation algorithm (DGA).