Threat Intelligence is Dead

Chris McNab
Apr 27, 2018 · 5 min read

Long live security analytics!

At AlphaSOC we process network traffic to uncover compromised systems without relying on threat intelligence or indicators of compromise (IOCs). The rationale being that emerging threats without signatures are far more dangerous to our customers than off-the-shelf Trojans which are known to antivirus, content filters, and other tooling.

In this post, I describe the current state of affairs within many enterprises, and outline the way in which security teams are significantly improving the efficacy of their operations by increasing visibility and fidelity, and reducing unnecessary costs (e.g. hardware, software, API keys, and people).

The Status Quo

  • Security apparatus (network sensors, appliances, and alert sources)
  • Data aggregation and storage software (e.g. Splunk, Elasticsearch)
  • SIEM software (e.g. Splunk ES, IBM QRadar, AlienVault USM)
  • API keys for data enrichment (e.g. WHOIS, VirusTotal)
  • API keys for threat intelligence feeds (e.g. Anomali)
  • Hardware to support the data aggregation, storage, and processing
  • People to deploy, configure, maintain, and operate all of the above!

The flow of alert data from the security apparatus, through the SOC, and out to the orchestration and ticketing components is summarized below.

The SOC, as highlighted in orange, has a critical purpose: to provide a complete picture of the current threats posed, which are then dealt with (via the gray boxes to the right) to maintain the integrity of the environment.

Reliance on threat feeds and signatures however introduces gaps in visibility and erroneous alerts. Many anomalies simply cannot be identified using one-dimensional correlation with IOC lists, including:

  • DNS tunneling and data exfiltration
  • Phishing attacks using Unicode homoglyphs
  • Infected hosts using contemporary DGA algorithms
  • Infected hosts beaconing to unknown C2 destinations
  • Suspicious request clusters indicating infection (e.g. dynamic DNS traffic)

False positives are generated by products using both threat feeds and basic analytics tools (e.g. the Splunk Machine Learning Toolkit). Inaccurate DNS tunneling and DGA alerts are commonplace as advertisers and CDN operators increasingly use perplexing labels within their domains, for example.

SIEM products lack the context and processing power to differentiate good from bad and provide an accurate picture of the threats posed to an environment.

Benchmarking your SOC

Increasing Visibility with Analytics

The engine exposes an API which receives and processes network telemetry from our Splunk apps or Network Flight Recorder, as demonstrated below.

NFR is a lightweight open-source utility that allows us to gather data from disk for processing (e.g. Bro IDS, Suricata, Microsoft DNS, or BIND logs) or monitor a network interface to run as a traditional sensor on a mirrored port.

The AlphaSOC Analytics Engine performs a lot of heavy lifting, e.g.

  • Analysis of individual labels within each FQDN to identify anomalies
  • Time series analysis to identify beaconing and suspicious patterns
  • Retrieval of WHOIS data for each domain
  • Retrieval of reputation data for each FQDN (e.g. VirusTotal scores)
  • Generation of threats based on analysis of the above elements

Known good (benign) and known bad (malicious) categories are assigned and corresponding alerts generated. The remaining unknown items are inspected further to identify suspicious traffic patterns, as demonstrated below.

Through gathering reputation data, querying WHOIS, and evaluating the domains and IP addresses that flow through the system, we suppress false positives and errors that have plagued SOC analysts in the past. Every high- and critical-severity issue we flag via the cloud service is manually reviewed to minimize errors and provide actionable alerts to users.

Threat Hunting Benefits

Anomalies of particular interest may include:

  • Unknown dynamic DNS provider traffic
  • Traffic to new hosting provider and VPS domains
  • DNS requests with regular timing deltas (beaconing) to uncommon TLDs

Identifying Targeted Phishing Threats

AlphaSOC recently reported gitthub.io to GitHub upon finding traffic to the domain (which was valid, along with a Let’s Encrypt X.509 certificate) within a customer network, as below. We use the analytics engine to flag Unicode homoglyphs and other brand impersonation attacks. Read more here >

Closing Remarks

The common use cases and coverage gaps that we fill include:

  • DNS tunneling and data exfiltration
  • Phishing attacks using homoglyphs (Unicode and others)
  • Infected hosts using contemporary DGA algorithms
  • Infected hosts beaconing to unknown C2 destinations
  • Suspicious traffic patterns indicating infection (e.g. dynamic DNS events)

As the integrity of a network improves through iteratively resolving the high-severity alerts, the security team can start to actively hunt threats by focusing on the remaining low-severity anomalies and weaker signals within the data.

AlphaSOC

AlphaSOC Blog

Chris McNab

Written by

Author of Network Security Assessment (O’Reilly Media) and co-founder of AlphaSOC, Inc.

AlphaSOC

AlphaSOC

AlphaSOC Blog