Most movies carry at least one lesson. Whether the lesson is profound or simple, it is usually applicable to some aspect of everyday life.
Take Back to the Future, for example. We’re all familiar with how Marty McFly and Doc Brown use a DeLorean to travel from 1985 to 1955, 2015, and 1885. There are plenty of lessons to be learned from the trilogy: don’t let others manipulate you, stand up for yourself, and get-rich-quick schemes don’t work in the long haul.
Beneath the surface, however, there is an important lesson for cyber security: always look back to better prepare for future threats. Just as Marty and Doc used knowledge of the future to make sure events in 1985 unfolded as planned, analysts can use historical intelligence, knowledge of what adversaries have already done, to prepare for the threats still ahead of them.
As recent headlines show, breaches occur far too often, and frequently through attack methods that were already known. Organizations are finding that they haven’t invested enough money and resources in security, leaving sensitive information exposed because their defenses are built without an informed view of who targets them and how. Organizations that only react to threats, rather than proactively monitoring the adversaries that affect their industry before those adversaries become an active threat, are at a defensive disadvantage.
Historical intelligence lets organizations shift to a more proactive posture. With it, analysts can identify adversaries’ tactics, techniques, and procedures (TTPs) from past activity and build analytics that key on those behaviors, bridging the gap from past to present. In doing so, organizations can identify likely indicators of an adversary’s activity before those indicators are used against them. By revisiting and exploiting adversaries’ tactics regularly, organizations can keep pace with changing TTPs rather than reacting to each new attack method as it arrives.
Recent incidents such as WannaCry, CrashOverride, and the DNC hack are the result of adversaries targeting organizations and exploiting vulnerabilities or soft spots in their defenses. These attacks often leave indicators and reflect tactics that are characteristic of a particular group, such as a nation-state adversary or a criminal ring: they are the group’s habitual way of operating, the methods it has found to work. In layman’s terms, the intelligence on these attacks (the indicators, how the attack was conducted, and the tactics used to prepare for and execute the operation) is the equivalent of the historical knowledge Marty and Doc use to orient themselves while time traveling.
Let’s look at how historical threat intelligence can benefit organizations with a real-world example: Fancy Bear, the advanced persistent threat (APT) behind breaches at the DNC, DCCC, and WADA and activity targeting the German Parliament and Emmanuel Macron’s campaign in the 2017 French election. Across several attacks since early 2015, Fancy Bear reused the same self-signed SSL certificate on its phishing pages, presumably so that victims arriving from phishing emails would see pages served over HTTPS. (A self-signed certificate does not earn a browser’s trust, so its value to defenders lies in the reuse itself: one certificate tying many hosts together.) By reviewing the IP addresses that served this certificate, analysts can identify the domains associated with those IP addresses and further build out the known Fancy Bear infrastructure. Analysts can then use those domains to identify the hosting and registration tactics Fancy Bear leveraged, so that security tools and researchers can monitor for them in real time going forward.
Just like Marty and Doc, analysts are now back in 1955, so to speak, with all these indicators identified. To return to the present, analysts must connect the dots: establish links between these domains and their WHOIS registration and hosting information, and extract the patterns that recur across them (the same registrar, name servers, hosting providers, or registration habits). With those patterns encoded, historical intelligence can recognize the same tactics as they reappear in newly observed infrastructure and prioritize alerts according to how many previously associated traits a new indicator shares. Now that analysts have returned to the present, they are equipped with the historical intelligence to proactively thwart threats to their network.
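As an added illustration of the pivot described above (example code written for this edit, not ThreatConnect’s or the author’s, with every certificate fingerprint, IP address, domain, and WHOIS record constructed rather than taken from real Fancy Bear infrastructure), the following Python walks from a certificate fingerprint to the IPs that served it, to the domains that resolved to those IPs, to the registration and hosting traits those domains share, and then scores newly observed domains against that profile:

```python
"""Pivot from a reused TLS certificate to a hosting/registration profile.

Added example for this article, not ThreatConnect code. Every fingerprint, IP,
domain and WHOIS record below is constructed for illustration and describes no
real infrastructure.
"""
from collections import Counter

# Constructed stand-ins for three historical data sources an analyst would query.
CERT_FINGERPRINT = "a1b2c3d4" * 8          # hypothetical SHA-256 of the reused certificate
UNRELATED_FINGERPRINT = "ffffffff" * 8     # a different certificate that must not be pulled in

# Certificate-scan data: which IP addresses were seen serving which certificate.
CERT_OBSERVATIONS = [
    (CERT_FINGERPRINT, "203.0.113.10"),
    (CERT_FINGERPRINT, "203.0.113.22"),
    (CERT_FINGERPRINT, "198.51.100.7"),
    (UNRELATED_FINGERPRINT, "192.0.2.99"),
]

# Passive DNS: historical (domain, ip) resolutions.
PASSIVE_DNS = [
    ("accounts-login-check.example", "203.0.113.10"),
    ("secure-mail-verify.example", "203.0.113.22"),
    ("docs-share-portal.example", "198.51.100.7"),
    ("shopping-deals.example", "192.0.2.99"),
]

# WHOIS / hosting records, reduced to the attributes worth profiling.
WHOIS = {
    "accounts-login-check.example": {"registrar": "Registrar-A", "nameserver": "ns1.dns-host-x.example", "privacy_proxy": True, "hoster": "VPS-Provider-1"},
    "secure-mail-verify.example": {"registrar": "Registrar-A", "nameserver": "ns1.dns-host-x.example", "privacy_proxy": True, "hoster": "VPS-Provider-2"},
    "docs-share-portal.example": {"registrar": "Registrar-A", "nameserver": "ns2.other-dns.example", "privacy_proxy": True, "hoster": "VPS-Provider-1"},
    "shopping-deals.example": {"registrar": "Registrar-B", "nameserver": "ns1.retail-dns.example", "privacy_proxy": False, "hoster": "Cloud-3"},
}


def ips_for_cert(fingerprint, observations):
    """Step 1: every IP address ever observed serving the certificate."""
    return {ip for fp, ip in observations if fp == fingerprint}


def domains_for_ips(ips, passive_dns):
    """Step 2: every domain that historically resolved to one of those IPs."""
    return {domain for domain, ip in passive_dns if ip in ips}


def build_profile(domains, whois, min_support=2):
    """Step 3: count (attribute, value) traits across the pivoted domains and keep
    those seen on at least `min_support` domains. The count becomes the weight, so a
    trait that recurs more often says more about the adversary's habits."""
    counts = Counter()
    for domain in domains:
        for attr, value in whois[domain].items():
            counts[(attr, value)] += 1
    return {trait: n for trait, n in counts.items() if n >= min_support}


def score_record(record, profile):
    """Sum the weights of the profile traits a newly observed record shares."""
    return sum(n for (attr, value), n in profile.items() if record.get(attr) == value)


def prioritize(candidates, profile):
    """Order new (domain, whois) records by score, highest first, for analyst triage."""
    return sorted(candidates, key=lambda item: score_record(item[1], profile), reverse=True)


def run_pivot(fingerprint, candidates):
    """Run the full pivot and return each intermediate result plus the ranked candidates."""
    ips = ips_for_cert(fingerprint, CERT_OBSERVATIONS)
    domains = domains_for_ips(ips, PASSIVE_DNS)
    profile = build_profile(domains, WHOIS)
    return ips, domains, profile, prioritize(candidates, profile)


# Constructed "newly registered" domains to triage against the historical profile.
NEW_DOMAINS = [
    ("login-account-secure.example", {"registrar": "Registrar-A", "nameserver": "ns1.dns-host-x.example", "privacy_proxy": True, "hoster": "VPS-Provider-1"}),
    ("weather-today.example", {"registrar": "Registrar-B", "nameserver": "ns1.retail-dns.example", "privacy_proxy": False, "hoster": "Cloud-3"}),
    ("cloud-file-review.example", {"registrar": "Registrar-A", "nameserver": "ns9.unrelated.example", "privacy_proxy": True, "hoster": "Cloud-3"}),
]

if __name__ == "__main__":
    ips, domains, profile, ranked = run_pivot(CERT_FINGERPRINT, NEW_DOMAINS)
    print("IPs serving the certificate:", sorted(ips))
    print("Domains on those IPs:", sorted(domains))
    for trait, weight in sorted(profile.items(), key=lambda t: -t[1]):
        print(f"  recurring trait {trait} seen on {weight} domains")
    for domain, record in ranked:
        print(f"{score_record(record, profile):>3}  {domain}")
```

One caveat before trusting scores like these in production: traits that are common across the whole internet (a popular registrar, the use of a WHOIS privacy proxy) also match many benign domains, so each trait should additionally be weighted by how rare it is overall, not only by how often it recurred in the adversary’s past infrastructure. The scoring here is kept deliberately simple so that the pivot itself stays visible.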
Historical intelligence is a key tool in a proactive cyber defense. By identifying and exploiting adversaries’ tactics regularly, organizations can shift to a proactive approach to cyber security. Just as Marty ensured his parents would still get together (after he accidentally interfered with their romance), analysts are ensuring that incidents are stopped before they cause harm. In short, this proactive approach gives analysts better cyber outcomes without having to rely on a DeLorean.
Steve Lakeman is a ThreatConnect researcher