Cyber Threat Intelligence and National Framework for Turkey
Cyber-attacks are increasing in number and changing in character. Today's cyber-attacks are more sophisticated and targeted, and the attackers behind them are mostly state-sponsored or backed by large crime groups.
From DDoS attacks to advanced persistent threats (APTs), they conduct highly sophisticated and coordinated attacks against carefully selected targets. The individuals and groups in this rogue market cooperate very well during these attacks and can coordinate and launch a cyber-attack in a matter of minutes. Recent distributed denial of service attacks and botnet activity against different institutions show how coordinated cyber criminals can be.
Unfortunately, detecting and responding to these attacks is very slow. Attacks can be coordinated and launched in hours, but detecting and responding to them may take months or years. A lack of strong cooperation between prevention mechanisms and between organizations is one of the causes: prevention fails partly because the parties do not cooperate well, and partly because they cannot respond in a timely manner.
New approaches are needed to increase the speed and effectiveness of cyber-attack detection and prevention mechanisms. They should accelerate the detection process and make automatic prevention measures available within a short period of time. Cyber threat intelligence is one such approach: it provides actionable intelligence that can be used to prevent current cyber-attacks.
Cyber threat intelligence is a rising trend in the security industry. Many security vendors, such as FireEye, Mandiant, IBM and McAfee, have established central threat intelligence databases and integrated them with their products. Microsoft and HP recently announced that they will launch real-time threat intelligence feeds for public access. There are also public web sites and commercial firms supplying threat intelligence feeds.
Organizations like NATO and the European Union are also working on cyber threat intelligence projects for their systems, and some NATO member countries have implemented such a system at the national level.
Automatic threat detection and elimination are not new concepts; they are widely used in military systems.
There are similarities between cyber-attacks and attacks or threats in the physical world. Military organizations operate many systems developed to monitor and prevent malicious activity by adversaries; one of them is the missile defence system. A typical missile defence system has three parts:
Monitoring and detection: unknown or enemy missiles and rockets approaching the national airspace are detected by tracking radar systems, which pass the track to the control centre.
Battle management and control centre: target data about the approaching missile is received from the tracking radar for processing. Here the threat is analysed and its possible impacts are evaluated.
Interceptor missile firing unit: once the threat impact has been analysed, automatic preventive action starts. The antimissile launcher fires an interceptor missile at the target, guided by live updates. The interceptor catches the target and the target warhead is detonated in a neutral area before it reaches its final destination. As a result the threat is intercepted and collateral damage is reduced or eliminated.
How Does the Threat Intelligence Model Work?
Like a missile defence system, a threat intelligence system consists of three parts: threat identification and data collection, threat analysis, and response and prevention.
Phase 1: Threat identification and data collection: In this phase information about current cyber-attacks is collected in a central place; it corresponds to phase 1 of the missile defence system. Information about cyber-attacks can be external or internal. External data is obtained from public sources outside the organization: attacks are detected by external bodies, and attack information including IP addresses, URLs, malware details and so on is passed to the central database. External data sources include spam RBL lists, botnet tracker sites such as the SpyEye and Zeus trackers, commercial threat intelligence feeds, CERT/SANS/NVDB advisories, public IP and file reputation databases, and social media sites such as Twitter. Internal data is obtained from internal IT security components such as firewalls, intrusion detection systems, log management and SIEM, web application firewalls, honeypots, and antivirus/endpoint protection software.
Phase 2: Threat analysis and assessment: In this phase the collected data is categorized and analysed to better understand the nature of the cyber threats. Characteristics of a cyber-attack such as IP addresses, URLs and malware hashes vary and expire within hours or days. Collected data (especially external data) must also be checked for false positives and misinformation. Techniques such as validation, correlation, cleaning and de-duplication, reputation checks, heuristics, and behavioural and contextual analysis are used. The result is actionable intelligence about current cyber threats.
Phase 3: Response and prevention: The last phase creates preventive actions from the analysed data. The actionable threat intelligence produced in the previous phase is converted into automatic prevention action feeds, and these feeds are converted into rulesets for each security product. Firewall block rules, IDS signatures, antispam rules, DDoS prevention actions and antivirus signatures are examples of such rulesets. The produced rulesets are automatically pushed to all relevant appliances connected to the threat intelligence system. As a result, the preventive action for a specific threat is implemented in all perimeter protection products in minimal time and without user intervention.
National threat intelligence framework for Turkey
To prevent cyber-attacks targeting government institutions, military systems and critical infrastructure facilities in Turkey effectively, a national cyber threat intelligence and defence system is needed. In this centre, information about cyber-attacks targeting facilities in Turkey should be collected and analysed, and automatic preventive actions should be issued quickly.
Unlike missile defence systems, this system should include not only military bodies but all relevant stakeholders. Government agencies, critical infrastructure facilities, military forces, the private sector, financial institutions and academic research organizations should participate in it.
Close cooperation with security vendors is also vital for such a system. Security vendors can integrate their own threat centres with it to build better prevention. In such a model, information can flow in two directions.
From vendors to the threat centre: vendors send threat information about recent attacks they have detected to the threat centre. There the information is analysed, and the resulting preventive rulesets are automatically sent to all participants in the system.
From the threat centre to vendors: in this scenario an attack detected at any government agency is reported to the threat centre, which informs the security vendors about it. Each security vendor receives the attack information and automatically issues a rule update for its products: for a firewall vendor the update is a firewall block rule for the relevant attack IP address; for an antivirus vendor it is a virus signature update; for an antispam gateway vendor it is an RBL rule for the sending IP address together with the hash of the file used as an attachment. The generated updates are automatically pushed to all of that vendor's security products running in the country. As a result, detection of one attack on one agency triggers the prevention mechanism, and further attacks with the same pattern targeting other agencies are automatically blocked.
Example scenario:
A cyber-attack targeting a financial institution is discovered in the wild by an academic research institute. The attack begins with phishing e-mails carrying an attachment that contains custom malware, and continues with the installation of a trojan from a known URL using a drive-by download technique. The research institute analyses the attack and issues a report explaining its details: the IP address sending the e-mails, an example phishing e-mail subject and body, the hash and possible filenames of the attached malware, the URL used to download the custom trojan, and the IP addresses of the command and control servers. The report is sent to the national cyber threat centre, which extracts the threat information from it and automatically issues prevention rules for firewalls, antispam gateways and URL filtering products. For firewalls, automatic block rules for the IP addresses are generated; for antispam gateways, a rule covering the mail subject, mail body and hash of the attached file; for URL filtering, a block rule for the URL in question. The generated rules are pushed automatically to all firewall, antispam and URL filtering products connected to the threat centre.
The antivirus vendor is also informed about the attack and generates a virus signature update covering both the malware delivered in the phishing mail attachment and the drive-by download trojan. The generated signature is pushed to all instances of that vendor's antivirus software.
As a result the threat is identified and automatically prevented from spreading to other financial institutions and government agencies.
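The three phases described above, carried through for the indicator report in this scenario, as an added Python example that is not part of the original article: the report contents, the validity windows per indicator type and the per-product rule syntax are all constructed placeholders, and phase 1 is represented by the already collected report.

```python
from datetime import datetime, timedelta
import ipaddress
# Constructed report modelled on the scenario (documentation-range IPs, all-zero placeholder hash, .invalid URL)
REPORT = {
    "reported_at": "2024-01-10T09:00:00+00:00",
    "indicators": [
        {"type": "ip", "value": "198.51.100.23", "role": "phishing-sender"},
        {"type": "ip", "value": "198.51.100.23", "role": "phishing-sender"},  # duplicate entry
        {"type": "ip", "value": "203.0.113.7", "role": "c2"},
        {"type": "ip", "value": "999.1.1.1", "role": "c2"},  # malformed, must be rejected
        {"type": "hash", "value": "00" * 32, "role": "attachment"},
        {"type": "url", "value": "http://example.invalid/dl/update.exe", "role": "dropper"},
    ],
}
TTL_DAYS = {"ip": 7, "url": 30, "hash": 365}  # assumed validity windows: network indicators rotate fast

def analyse(report, now_iso):
    """Phase 2: validate, de-duplicate and expire indicators; returns the clean list."""
    now = datetime.fromisoformat(now_iso)
    reported = datetime.fromisoformat(report["reported_at"])
    seen, clean = set(), []
    for ind in report["indicators"]:
        key = (ind["type"], ind["value"])
        if key in seen:  # de-duplication
            continue
        if ind["type"] == "ip":  # validation: drop malformed addresses before they become rules
            try:
                ipaddress.ip_address(ind["value"])
            except ValueError:
                continue
        expires = reported + timedelta(days=TTL_DAYS[ind["type"]])
        if expires <= now:  # stale indicator: no rule is pushed for it
            continue
        seen.add(key)
        clean.append({**ind, "expires": expires.isoformat()})
    return clean

def build_rulesets(indicators):
    """Phase 3: translate the clean indicators into one rule feed per product type."""
    rules = {"firewall": [], "antispam": [], "urlfilter": []}  # constructed syntax, not a vendor's
    for ind in indicators:
        t, v, role = ind["type"], ind["value"], ind["role"]
        if t == "ip":
            rules["firewall"].append(f"deny ip any {v}  # {role}, expires {ind['expires']}")
            if role == "phishing-sender":  # the same indicator also feeds the antispam RBL
                rules["antispam"].append(f"rbl {v}")
        elif t == "hash":
            rules["antispam"].append(f"block-attachment sha256:{v}")
        elif t == "url":
            rules["urlfilter"].append(f"block {v}")
    return rules
```

Running `analyse` with a later timestamp shows the expiry step at work: the IP rules drop out after seven days while the hash and URL rules survive.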
Conclusion
Cyber-attacks are increasing and getting more sophisticated. Crime groups and individuals work closely and in good coordination to perform them, so responding to and preventing cyber-attacks effectively requires equally close cooperation. A threat monitoring and prevention centre is needed to detect and prevent cyber-attacks targeting critical military and civilian facilities in the country. This centre should continuously monitor cyber-attacks using external and internal threat information sources, produce actionable intelligence, and take automatic preventive actions based on that intelligence.