Here’s a TIP: automate your threat intelligence

By on 23 Oct 2020

Category: Tech matters

Tags: , , , , ,

Blog home

Microsoft’s security researchers are currently hard at work trying to disrupt the networked infrastructure of the Trickbot botnet operators, to prevent them from wreaking havoc during a particularly important election year.

Stomping out botnets is notoriously difficult work that involves scouring the Internet for servers that control and command the myriad of infected computers and Internet of Things devices that criminals use to launch denial of service attacks, spam floods and malware deployment.

So far, the anti-Trickbot disruption effort is holding up, and the criminals behind it have not been able to restore their infrastructure yet.

Microsoft is not working alone to disrupt Trickbot. It’s a collaborative effort that spans many different economies with providers sharing data with each other continuously.

“Additionally, our partners and the hosting providers we work with — who have been crucial to our progress — have been sharing information that has uncovered more command-and-control servers,” Microsoft’s Vice President of Customer Security and Trust, Tom Burt, wrote in a recent update on the Trickbot disruption.

How do you share threat information quickly and effectively, making sure that those who need the data always get it? Because that’s vital: thanks to efficient information sharing, Microsoft and its partners have been able to discover and take down malware within hours and sometimes, just a few minutes.

Traditionally, threat intelligence sharing has been done via email. APNIC Security Specialist, Adli Wahid, cautions that email is not the best way to do it, however.

“For starters, it’s difficult to integrate email content effectively with threat information sharing and, for example, intrusion detection systems. Important data can disappear in attachments,” Adli said.

“There’s also a fine irony in using email to share security information. Email has become a major threat vector by itself through phishing and malware hiding in attachments, not to mention the never-ending spam floods that filters have to do battle with,” he added.

If you use a threat intelligence platform (TIP), it bypasses the above problems and you have a managed database application for automated information gathering, sharing, storing and correlation with other systems” Adli said.

There is an overwhelming amount of existing threat intelligence, with more being created every day.

Extracting the data from emails and attachments is time-consuming and suboptimal, to say the least, and this is where a TIP can make all the difference, by automating that work.

A TIP can automatically handle threat intelligence feeds and correlate that data to find connections between malware attributes and indicators, and attacks and analysis.

Information sharing between analysts can be controlled in a flexible manner, and be instant and automatically synchronized between different communities.

Another feature here is that the sharing doesn’t stop when one person submits information.

The community in question can comment on the information and add to it, confirm sights and do other things like flag false positives. This gives users the confidence that they can use the information for their own purposes.

Taking the threat intelligence and automatically exporting it as rules for intrusion detection systems (IDSs) can provide a valuable time-advantage for faster — and better — detection of attacks.

There are commercial TIPs and also the popular open-source and community-driven MISP Project.

MISP started out as the Malware Information Sharing Platform in 2011, when Belgian Defence Forces developer, Christophe Vandeplas, grew frustrated with indicators of compromise (IOC) being shared via email or through attachments that could not readily be parsed by machines for automation and synchronization.

Long story short, MISP turned out to be what many security people had been looking for in their never-ending battle to protect against a growing number of threat actors and a sea of information that requires automation to manage.

More than 6,000 organizations worldwide now use MISP. The project has received funding from the European Union and has a large number of community contributors.

MISP runs on Linux distributions, and can also be set up using Docker containers, or as a VMware image.

Kitisak Jirawannakool, Information Security Consultant at the Thai Bankers’ Association, was instrumental in setting up the Thailand Banking Computer Emergency Response Team (TB-CERT), which runs MISP as its IOC-sharing platform on Ubuntu Linux in the cloud.

“We collect the IOC from many sources, correlate, and also analyse the potential threats to our members,” Kitisak said.

TB-CERT members can then access the information collected and stored in MISP, or synchronize to their own servers, Kitisak explained.

Sharing and validating IOC information in MISP has been very helpful for TB-CERT members, who can use it to protect their infrastructure.

It is a step up from IOC sharing via email, which cannot be automatically added to other security equipment, Kitisak said.

“For myself as a threat analyst, I use MISP for validating the information and share some useful IOC that I analyse for our members,” he added.

Watch Kitisak presenting on TB-CERT at the APNIC FIRST Security Session at APNIC 48.

The Trickbot experience shows the value of sharing threat information, and not just consuming it.

This isn’t always so easy and what works in one community could be difficult to achieve elsewhere, due to cultural reasons or competitors not wishing to share information with each other.

The banking sector with its strict secrecy regulation and reputational risk management makes information sharing especially difficult.

“The biggest challenge of running MISP is how to control the confidentiality of the information.

When any members share information with the platform, we have to control the information,” Kitisak said.

To enable the sharing of sensitive information, TB-CERT uses the Traffic Light Protocol (TLP), as defined by the Forum of Incident Response and Security Teams.

The use of TLP is done as an agreement that TB-CERT members respect, Kitisak said.

MISP can classify and enforce TLP across the user communities, as well as other instances of the TIP that are connected.

Read: Enhancing Traffic Light Protocol with IEP

Overall, MISP has been a success for TB-CERT. To get started with MISP, Kitisak suggests first understanding the objectives of using a TIP.

These can be requirements such as validating IOCs, cross-referencing with security information and event management (SIEM) systems, or orchestrating with other security equipment used inside organizations.

“Then, learn how to use MISP to meet those requirements,” Kitisak said.

MISP is free to download and comes with extensive training materials that can be found on the Github open source repository.

Juha is a technology writer and journalist, based in New Zealand. He is a contracted contributor to the APNIC Blog.

Rate this article

The views expressed by the authors of this blog are their own and do not necessarily reflect the views of APNIC. Please note a Code of Conduct applies to this blog.

Leave a Reply

Your email address will not be published. Required fields are marked *