Using Twitter as a source of Indicators of Compromise

At CyberSift we strive to turn threat data into threat intelligence. The two are not one and the same; the subtle difference can be summarized succinctly as follows:

threat data + context = threat intelligence

One of the best ways to add context to alerts that get sent to a security analyst is to try to give some auxiliary information about the actors in an alert. Let’s say an alert gets triggered because a certain file communicates to an unusual address. A typical analyst would run through a series of questions:

  • Which file started this communication? Do I know what process owns or created this file?
  • Do I know what the process is? Does its hash match anything known?
  • What about the IP address it communicated to? Is it reputable?
  • Even if it is reputable (e.g. Dropbox API address), is it normal for this process to be communicating with the IP address? (For example, malware may be trying to exfiltrate data via Dropbox.)

At any point while asking the above questions, the analyst may decide that the alert is benign or abnormal. CyberSift helps answer each of the questions above, but for this article let’s explore how exactly we can answer the third question:

What about the IP address it communicated to? Is it reputable?

There is a multitude of threat data feeds that can help answer this question, from free to commercial offerings. One very useful and free source of IP address indicators of compromise (IoC) is Twitter. Yep — that’s right — everyone’s favorite social media tool also helps cyberdefence in its own way due to the efforts of a dedicated few.

These few run special systems purposely exposed to the internet just to see who comes knocking. These systems are known as “honeypots” and can act as an early warning system. Honeypots can detect previously unknown IP addresses that are involved in suspicious activity such as scanning or brute-force attempts. These IP addresses are then reported via a tweet for all to see, for example:

Obviously, any connection attempts between your network and such IP addresses make it more likely that an abnormality is malicious. It’s a good idea to follow these Twitter accounts, cross-reference alerts with the IP addresses that they report, and bump up the severity of an alert if there’s a match. It’s a free and easy way to get information from a global network of honeypots. The Twitter feeds we follow include:

Do you have any other Twitter feeds you follow to gather threat data? Tell us about it in the comments below…
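The cross-referencing described above, as an added example that is not CyberSift's own code: it pulls IPv4 indicators out of tweet text (including defanged forms such as `203.0.113[.]45`), discards invalid and internal addresses, and raises the severity of alerts whose remote IP matches. The tweets, alerts, severity scale, `bump` and `cap` values are all constructed assumptions.

```python
import ipaddress
import re

# Constructed sample tweets in the style of honeypot feeds (documentation-range IPs).
TWEETS = [
    "SSH brute-force from 203.0.113[.]45 (37 attempts) #honeypot",
    "Port scan seen: 198.51.100.7:23 -> telnet #IoC",
    "Telnet login attempts from 203[.]0[.]113[.]99",
    "Running honeypot v1.2.3.4567 on 192.168.1.10 today",  # no usable indicator
]
# Constructed alerts: (alert id, remote IP, base severity on a 1-10 scale).
ALERTS = [("A-1", "203.0.113.45", 4), ("A-2", "192.0.2.10", 4), ("A-3", "198.51.100.7", 6)]

DEFANG = re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.IGNORECASE)
# Four dotted groups that are not part of a longer dotted/numeric token.
CANDIDATE = re.compile(r"(?<![\d.])\d{1,3}(?:\.\d{1,3}){3}(?!\d|\.\d)")
# Ranges that must never become indicators. Production code can use
# ip.is_global instead; it is avoided here because it also rejects the
# documentation ranges used as sample data.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def extract_iocs(tweets):
    """Return the set of non-internal IPv4 addresses mentioned in the tweets."""
    iocs = set()
    for text in tweets:
        for cand in CANDIDATE.findall(DEFANG.sub(".", text)):
            try:
                ip = ipaddress.ip_address(cand)  # rejects octets > 255
            except ValueError:
                continue
            if not any(ip in net for net in INTERNAL):
                iocs.add(str(ip))
    return iocs

def enrich(alerts, iocs, bump=3, cap=10):
    """Raise severity (bump and cap are assumed values) when the remote IP is a known IoC."""
    out = []
    for alert_id, ip, severity in alerts:
        hit = str(ipaddress.ip_address(ip)) in iocs
        out.append((alert_id, min(cap, severity + bump) if hit else severity, hit))
    return out

if __name__ == "__main__":
    for row in enrich(ALERTS, extract_iocs(TWEETS)):
        print(row)
```

A match adds context to an alert rather than settling it: addresses reported by honeypots are often shared or reassigned, so the indicator set should be aged out over time.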


The importance of data mining in the field of cybersecurity

In a very interesting article on TechCrunch, Michael Schiebel writes about the various ways in which security analysts can learn from data scientists. He makes a couple of points that are worth highlighting.

Today, hacking is a much more complex art than it used to be: It no longer only involves just scanning and penetrating the network via a vulnerability. Yet the traditional security tools used by most companies are often inadequate because they still focus on this

As any security professional can attest to, hacking nowadays has become easier than ever. Just a few years ago, script kiddies were relegated to using the venerable Nmap and brute force programs like THC Hydra. Nowadays it’s a different story. There is a plethora of highly sophisticated (and effective) exploit tools such as Metasploit, the Social Engineering Toolkit and PowerShell Empire. These tools are easy to learn, easy to extend, and excellent at what they do. Not only that — most of the tools are free and open source. At any stage of the attack lifecycle hackers can find amazing tools to help them do their job.

Yet we as cybersecurity vendors are lagging behind, especially when it comes to tool-sets. As Michael states:

Most tools are still role-based, with signatures, detection and response rules. That’s their downfall.

Again, we couldn’t agree more. Signature-based tools still play an important part in cyber defense, but the defense-in-depth principle requires us to deploy tools which can mitigate those threats which pass through our outer rings of defense. Luckily, cyber defense tools are evolving, with the help of open-source innovation in both security and big data fields.

Focus on the abnormalities

This is what it’s all about. Effectively finding abnormalities in your network has a couple of very important benefits to your organization:

  • It forces you to be more aware of your networks and systems. You are required to investigate abnormalities and effectively determine if an abnormality is expected or malicious. The more aware you are of your environment, the less time it takes you to realize when something goes horribly wrong (like in the event of a hack…)
  • With the proliferation of advanced attack vectors (like the steganographic attacks I recently wrote about) and cloud computing, it’s very easy for hackers to use legitimate services to carry out their attacks in such a way as to avoid tripping signature-based alarms. Signatures that target AWS or Twitter would be triggered so many times that they would be ignored, even though they are potential avenues of attack already being exploited by hackers. Abnormality detection systems can flag connections which use these services in weird ways (too much data being transferred, too many connections being made, periodic connections to previously unused endpoints, and so on…)
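Two of the "weird ways" listed above (too much data being transferred, periodic connections) can be checked with simple statistics. The following is an added illustration, not CyberSift's detection method; the sample data, the thresholds and the choice of a median/MAD score and an interval coefficient of variation are assumptions.

```python
from statistics import mean, median, pstdev

# Constructed history: bytes sent per day by one process to one cloud-storage endpoint.
BASELINE_BYTES = [52_000, 48_500, 50_200, 61_000, 47_300, 55_800, 49_900]
# Constructed connection start times (seconds since first contact) for two endpoints.
BEACON_TIMES = [0, 300, 601, 899, 1200, 1502, 1800]  # roughly every 5 minutes
HUMAN_TIMES = [0, 40, 45, 900, 2400, 2460, 7000]     # bursty, user driven

def robust_z(history, value):
    """Modified z-score using median and MAD, so one past spike does not skew the baseline."""
    med = median(history)
    mad = median(abs(x - med) for x in history)
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad

def volume_anomaly(history, value, threshold=3.5):
    """Flag transfers far above the baseline (threshold is an assumed value)."""
    return robust_z(history, value) > threshold

def interval_cv(times):
    """Coefficient of variation of the gaps between connections; near 0 means clockwork."""
    gaps = [b - a for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    if avg == 0:
        return float("inf")  # simultaneous burst, not a periodic pattern
    return pstdev(gaps) / avg

def looks_periodic(times, min_events=6, max_cv=0.1):
    """Flag evenly spaced connections (min_events and max_cv are assumed values)."""
    return len(times) >= min_events and interval_cv(times) <= max_cv

if __name__ == "__main__":
    print("900 kB upload anomalous:", volume_anomaly(BASELINE_BYTES, 900_000))
    print("58 kB upload anomalous:", volume_anomaly(BASELINE_BYTES, 58_000))
    print("beacon-like endpoint periodic:", looks_periodic(BEACON_TIMES))
    print("user-driven endpoint periodic:", looks_periodic(HUMAN_TIMES))
```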

At this stage it’s important to note that abnormalities do not automatically mean malicious activity. An anomaly-based system highlights those events that deviate from the norm. There are several examples of genuine anomalies which are not malicious:

  • Marketing executes a successful campaign resulting in a flood of connections to your webservers
  • A misconfiguration is introduced during one of your changes to a backup system which causes high volume traffic to flow through the wrong network path
  • Your organization engages with customers in new markets, leading to your network having new traffic patterns to previously non-contacted countries and Autonomous Systems

These are practical examples of how an anomaly-based system increases your team’s awareness of the environment. This leads me to prefer referring to anomaly-based systems as cyber-awareness platforms rather than simple “cyber-defense”.

The real problem in most organizations is that too much security alert data is coming in too fast.

Michael again hit the nail on the head here. If your security analysts are investigating too much data, then no wonder we’re seeing alarming headlines such as:

Most companies take over six months to detect data breaches (by ZDNet)

Anomaly-based IDS help your analysts focus on those alarms that can be important, reducing their mitigation time and improving their efficiency, and at the end of the day this is what translates to cost savings for the organization.

Here at CyberSift we are building next generation anomaly detection systems which are based on the above principles and add an effective layer of defense which counters new threats as they emerge without the need of signatures or rules, all the while increasing your team’s cyber-awareness of their systems and networks. Stay tuned for exciting developments…

Read the full article “What your security scientists can learn from your data scientists to improve cybersecurity” here.