Last Updated on February 23, 2023
What is cyber threat intelligence and how are businesses leveraging it today? Does it have reactive or proactive use cases, or maybe a little of both?
To cover cyber threat intelligence from all angles, a recent episode of The Virtual CISO Podcast features Raveed Laeb, VP of Product Development at Kela. Pivot Point Security CISO and Managing Partner, John Verry, is the host.
Proactive and reactive use cases
Raveed has seen both proactive and reactive applications for cyber threat intelligence.
“You can go and actively collect things that bad actors know about you,” offers Raveed. “One of the things we do is monitor online markets in which threat actors sell access to compromised credentials. Imagine one of your employees being infected with a very simple malware that steals credentials from their machine. And then these credentials are up for sale in an online market for anyone who wants to buy them. [Our service] allows our clients to proactively understand that an attack on an employee has happened and go remediate that attack before an actual bad person buys the credentials and does something with that.”
A typical reactive threat intelligence use case might be analyzing NetFlow data to extract “observables” of interest within your network traffic. This data can then be compared with cyber threat intelligence feeds to sift out potential alerts.
What sets Kela apart?
How are most Kela clients using the intelligence they’re getting?
“I’m a tiny bit biased,” Raveed admits. “But I’d say that what we do best is collect intelligence from the same places that cyber threat actors use as well. So that’s forums and markets and instant messaging platforms, and so on. And what we then try to do is extend the notion of attack surface management and threat intelligence to really show you what bad people are seeing about your organization.”
That can be anything from credentials posted in markets to employee emails posted in third-party breaches. Or it can be your brand mentioned in discussions within illicit communities. These insights lead clients to root causes faster and help them defend themselves more proactively and efficiently.
No single kill chain
Adding to the challenge of leveraging specific threat intelligence is that cyber-attack chains don’t usually begin and end with the same hacker organization.
“We’re used to thinking about an attack as a linear thing, starting at point A where someone does something bad in my network up until point Z where I’m being monetized in one way or another, like via ransomware,” explains Raveed. “In reality, what we see is a lot of small kill chains and not one big kill chain. Like where you can see someone who infects an employee’s system with malware, and then sells the credentials in a market. That’s a small attack cycle that happened.”
From there, someone else visits that market, sees for sale some VPN credentials for a US-based organization, buys them, pivots through the network, establishes a foothold… Then stops there and offers that network access for sale, being an initial access broker. Then a different hacker buys the access and infects all the machines on the network with ransomware.
What Kela and some other vendors are looking to do right now is proactively insert themselves into these different attack chains to provide strategic intelligence and help clients prevent the initial infection, such as what led to credentials being sold in a cybercrime forum in the first place.
Raveed points out that, while a multi-hacker attack chain can unroll very quickly, there is inevitable some time delay between handoffs. This helps the defenders, especially if they have cyber threat intelligence.
“If that takes a day or two, it gives you a window,” Raveed points out. “If someone did every step in the process, they could get through those steps very, very quickly.”
However, Raveed notes that “the threat actors are becoming much quicker and more streamlined.”
Sales turnaround in hacker forum can be just a few hours, or even less.
Marketing makes hackers more visible
Talking about current defender advantages in the endlessly changing cyber threat landscape, Raveed shares that today’s marketing-driven cybercrime supply chain helps the good guys.
“They share information and adverts on forums and markets, and they kind of have to bob their head out a tiny bit above the water to advertise what they have if they want to make money,” relates Raveed. “That provides you with visibility that you usually wouldn’t have had five or seven years ago, because the cybercrime financial ecosystem wasn’t as developed as it is now.”There’s also a bit of competitive braggadocio and pride of place among hackers that can sometimes help thwart attacks or bring criminals to justice.
In demystifying cybercrime attack procedures and “the dark web,” Raveed asserts that, “We try to explain and show that cybercrime is a financial market. It’s an ecosystem. And, as an ecosystem, you can map it out, you can understand it, you can research it. You can establish key competitors within that ecosystem, and see how they talk to one another and what it is they do and how they make money. And you can use that intelligence to make better decisions as to how to better defend yourself.”
To hear this “reality centered” podcast with Raveed Laeb, click here.
What do you think? Is Digital Business Risk Management the Future of Attack Surface Management?