"The long and the short of it is that intelligence is a poor indicator that does not tell you anything" about what's going on in the company, said Shoard, delivering his presentation on threat intelligence-gathering at ITWeb Security Summit 2015, in Midrand, yesterday.
Shoard is responsible for the design and implementation of threat detection and defence mechanisms, and oversees the development of detection methodologies, reporting measures and response procedures. He specialises in harnessing the power of frontline technical data solutions, like SIEM, and big data platforms to deliver actionable threat intelligence.
Traditional indicators of compromise (IOCs) are fairly simple, he said, explaining most security vendors will provide a company with a list of bad domain names, malicious files, e-mail addresses (phishing senders) and IP addresses (known to be linked to threat activity).
"Those four types of indicators of compromise are very common on the market. What do they mean without investigation and research? When you find only one of those indicators of compromise on your estate, what does that mean to your organisation?"
"One would argue that means nothing to you. It just means something bad has happened on your estate – either post the event you've detected it, but you don't really know what's going on; or it has blocked it and you don't know what was coming or who's trying to get at you."
Shoard explained one way of creating more data about an attack is by adding relationships between the four indicators. "I can start to build a picture of what that hacker is trying to do to me."
The next step, he said, is to add internal intelligence to these linkages, which allows for risk-scoring of particular entities that have been targeted within an organisation. This is followed by adding external context, and then adding metadata to the indicator, he explained.
"This gives me more IOCs, helps me to understand who the targets are within my organisation; to a certain extent it gives me attribution, but definitely gives me intent. It tells me who this attack is designed for and what it's after," he said.
"I can take that intelligence and turn it into something actionable. I can prioritise my vulnerability management and prioritise how I use intelligence coming into my organisation, to make my organisation more secure by [giving direction to] that intelligence."
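As an added illustration of the enrichment steps Shoard describes (not code from the talk), the following Python script links the four indicator types by relationship, overlays internal asset criticality and external campaign context, and ranks the resulting sightings for prioritisation. Every indicator value, asset name, campaign label and weight below is a constructed placeholder.

```python
from collections import defaultdict, deque

# Constructed sample data (not real indicators): the four IOC types from the talk,
# joined by relationships such as "this sender delivered this file".
RELATIONS = [  # (source, relation, target)
    ("billing@example-bad.test", "delivers", "invoice_2015.pdf.exe"),
    ("invoice_2015.pdf.exe", "beacons_to", "update-check.example-bad.test"),
    ("update-check.example-bad.test", "resolves_to", "203.0.113.7"),
    ("other-cdn.example.test", "resolves_to", "198.51.100.9"),  # unrelated cluster
]
# Internal intelligence: where each indicator was seen and how critical that asset is (1-5).
SIGHTINGS = [
    ("billing@example-bad.test", "cfo-laptop", 5),
    ("update-check.example-bad.test", "kiosk-01", 1),
    ("other-cdn.example.test", "dev-box-03", 3),
]
# External context / metadata attached to individual indicators (constructed).
EXTERNAL = {"203.0.113.7": {"campaign": "campaign-A", "confidence": 0.9}}

def build_graph(relations):
    """Undirected adjacency list linking indicators that share a relationship."""
    graph = defaultdict(set)
    for src, _rel, dst in relations:
        graph[src].add(dst)
        graph[dst].add(src)
    return graph

def related(graph, indicator):
    """All indicators reachable from `indicator` (its cluster), including itself."""
    seen, queue = {indicator}, deque([indicator])
    while queue:
        for nxt in graph[queue.popleft()]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def prioritise(relations, sightings, external):
    """Score each sighting: asset criticality x cluster size x best external confidence."""
    graph = build_graph(relations)
    results = []
    for indicator, asset, criticality in sightings:
        cluster = related(graph, indicator)
        ctx = [external[i] for i in cluster if i in external]
        confidence = max((c["confidence"] for c in ctx), default=0.5)  # unknown = 0.5
        campaigns = sorted({c["campaign"] for c in ctx})
        score = round(criticality * len(cluster) * confidence, 2)
        results.append({"asset": asset, "indicator": indicator, "related": len(cluster) - 1,
                        "campaigns": campaigns, "score": score})
    return sorted(results, key=lambda r: r["score"], reverse=True)

if __name__ == "__main__":
    for row in prioritise(RELATIONS, SIGHTINGS, EXTERNAL):
        print(row)
```

A single sighting on a low-value kiosk scores low on its own, but because its domain is linked to a sender seen on a high-value laptop and to an IP with known campaign context, the laptop sighting rises to the top of the queue.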
Speaking about the ubiquitous hacking medium of WiFi, Dominic White, CTO of information security company SensePost, said the company's Mana toolkit had been updated to include a range of improvements.
The new version of Mana, which incorporates SensePost's post-launch research, was available as of yesterday. The research involved rogue access points – wireless access points that mimic real ones in an attempt to get users to connect to them.
Mana bundles a wide range of tools, but the toolkit simplifies attacks. The kit can be run on a Linux device or in a virtual machine, needing only a suitably capable wireless interface card, he said.
A single command launches a series of tools, starting by investigating wireless clients and networks in the area. Clients are forcibly disconnected if already associated with a network, and then encouraged to reconnect to a fake access point controlled by the toolkit.
Credentials are captured and decrypted. A man-in-the-middle attack gives clients the appearance of an Internet connection, and traffic is then captured and analysed, said White.
The toolkit can also create a fake WiFi hotspot service to dupe users into connecting, and new capabilities can push network profiles or digital certificates to a target device, allowing easier attacks against encrypted traffic.
According to Michael Ossmann, founder of Great Scott Gadgets, the NSA playset was inspired by the NSA ANT catalogue – a 50-page classified document listing technology available to the US National Security Agency (NSA) to aid in cyber surveillance.
He said the NSA playset is a set of security tools used by nation states to attack computer systems. "By sharing and building these tools, we are democratising technology, making it available to everyone."
The more of this kind of security hardware the information security community builds, the more ways it will find to stop such attacks, Ossmann pointed out.
"If we don't understand what the vulnerabilities are, we are never going to make systems hardware less vulnerable to nation-state attacks. The more we build these things, the closer we are to building the next-generation technologies that take these playsets into account." The reason for the NSA playset is to raise awareness within the security field, understand the threats and find countermeasures, he added.
An example of the NSA playset, he revealed, is the SLOTSCREAMER, which is configured to access memory and IO; it is cross-platform and transparent to the operating system – with no zero-day needed. "The open hardware and software framework that we will release will expand the user's NSA playset with the ability to tinker with DMA attacks to read memory, bypass software and hardware security measures, and to directly attack other hardware devices in the system."
Another example is the KeySweeper device, which looks and works like a typical USB wall charger. It "sniffs" and logs keystrokes made on nearby wireless keyboards, and then sends the decrypted, logged keystrokes to a remote attacker.