So many aspects of our personal and business lives have moved online. The Internet provides the fabric for all our digital interactions. Having a single global network fabric has made it so much easier to digitize our social lives and our business transactions. Unfortunately it has also made the lives of cybercriminals who want to steal from us or disrupt our lives much easier too.
Our fast-paced digital lives are mirrored by the fast-paced world of cybercrime in which new threats and threat groups are emerging and evolving with increasing speed. This creates challenges for anyone trying to develop the knowledge, or Threat Intelligence, needed to detect the activities of cybercriminals so that we can respond to threats before they are able to breach our digital defenses.
The challenges of developing threat intelligence
With attacks generating huge amounts of logs and an ever-growing number of threat actors evolving their attacks at a phenomenal rate, this poses challenges for anyone developing the threat intelligence we need to detect digital attacks.
When we go about developing threat intelligence, we need to think about more than just the ability to recognize threats and threat actors. We need to pay careful attention to a number of factors which will determine the value of the intelligence we develop:
- Relevance: Threat Intelligence must provide information, such as Indicators of Compromise (IoCs), which is directly applicable to the organizations we are aiming to protect. It needs to relate to the software and systems that they use, so that threats can be detected in their environment.
- Timeliness: The IoCs (such as IP addresses, strings, hashes or behavioral fingerprints) which are linked to a threat are often only useful for a short period of time - sometimes only weeks or days. As a result we need to deliver intelligence quickly, to make sure that we can keep up with the latest tricks of the bad guys.
- Fidelity: It isn’t enough to be able to detect threats as soon as they are in the wild. The intelligence we develop needs to accurately detect threats and avoid false positives. In other words, we need to be able to trust that our intel will reliably unearth threats, but that we also won’t cry wolf every time we see a new alert.
- Depth: TI needs to provide comprehensive insights into the tactics, techniques, and procedures (TTPs) employed by threat actors, along with detailed analysis of potential impacts and implications.
- Breadth: Apart from understanding threats in depth, we also need to understand a wide range of threat sources and vectors, including malware, vulnerabilities, threat actors, and attack trends, to provide a holistic understanding of the threat landscape.
- Actionability: We don’t only need to build the knowledge to detect threats. This knowledge needs to be accompanied by actionable recommendations and guidance for implementing effective security controls and countermeasures to mitigate identified threats and vulnerabilities.
Creating an Edge in Threat Intelligence
NTT has been protecting its clients from digital threats for over 20 years. Over this time we have seen an incredible evolution in the activities of cybercriminals and the tools they use. As the bad guys have evolved, NTT has kept pace by evolving its capabilities and using the resources at its disposal to build its own war chest of threat intelligence. To start with, NTT’s size provides wide exposure to cyber threats, both inside NTT and within its clients.
What gives NTT a truly unique edge in this fight is the fact that it operates one of the world’s largest Tier 1 Internet backbone networks. Tier 1 ISPs are the largest global carriers of Internet traffic, with massive networks spanning multiple continents. They provide the “glue” that connects the Internet at a global level, and the majority of Internet traffic traverses their networks. In the case of NTT, more than 40% of Internet flows pass through its backbone.
From a threat intelligence perspective, this gives NTT a unique vantage point, providing visibility of the activities of cyber threat groups as soon as they begin their attacks. By analyzing the details of hundreds of thousands of flows every second, NTT’s threat intelligence researchers are able to build insights into the activities of threat groups as soon as they begin a campaign, providing the early warning needed to counter threat groups before they do harm.
Building Insights from a Firehose of Data
NTT’s Global Threat Intelligence Center (GTIC) is responsible for processing and analyzing data and telemetry from across the NTT group to develop and curate threat intelligence which is used to protect NTT and its clients. This includes the flow data received from NTT’s Tier 1 backbone.
Because of the huge volumes of data it needs to process, GTIC has focused on automation and efficiency. This provides clients with the benefit of intelligence that is developed quickly and is always up to date. This ability to develop intelligence quickly from a firehose of data acts as a force multiplier when combined with the work of NTT’s R&D labs and data gathered via NTT’s large client base.
GTIC starts by operating multiple concurrent monitoring jobs which scour Internet telemetry for malware activity or pointers to threat actor infrastructure. This provides insights into the communications between breached devices and malicious infrastructure, allowing GTIC to unmask Command and Control (C2) servers used by threat groups to launch and control their attacks. This work is complemented by in-depth monitoring which allows deeper and more detailed tracking of campaigns and botnet controllers. This detailed analysis uncovers trends in the activities of threat groups. The knowledge gained this way makes it possible to keep a step ahead of the bad guys and even counter their operations. For example, the insights gained in this way proved extremely valuable in the Microsoft-led disruption of Trickbot.
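To make the quality factors listed earlier (timeliness, fidelity, actionability) and the flow-to-C2 matching described in this section concrete, here is an added example that is not NTT's or GTIC's own code: it matches constructed flow records against a small constructed indicator feed, ages out stale IoCs and skips low-confidence ones before raising an alert that carries the recommended action. All addresses, dates, confidence values and thresholds are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Indicator:
    value: str           # C2 address (constructed sample values from RFC 5737 ranges)
    last_seen: datetime  # when the indicator was last confirmed active
    confidence: int      # 0-100, how much the source trusts this indicator
    action: str          # the recommendation that makes the IoC actionable

@dataclass
class Flow:
    src: str             # internal host
    dst: str             # external peer
    dport: int

def match_flows(flows, indicators, now, max_age_days=14, min_confidence=70):
    """Flag flows whose destination is a fresh, high-confidence C2 indicator.
    Returns (alerts, stale); stale lists indicators aged out and not matched."""
    active, stale = {}, []
    for ioc in indicators:
        if now - ioc.last_seen > timedelta(days=max_age_days):
            stale.append(ioc.value)              # timeliness: expired, do not match
        elif ioc.confidence >= min_confidence:   # fidelity: skip weak indicators
            active[ioc.value] = ioc
    alerts = []
    for f in flows:
        ioc = active.get(f.dst)
        if ioc is not None:
            alerts.append({"host": f.src, "c2": f.dst, "port": f.dport,
                           "confidence": ioc.confidence, "action": ioc.action})
    return alerts, stale

def run_sample():
    """Constructed feed and flow records, not real telemetry."""
    now = datetime(2024, 8, 1)
    feed = [
        Indicator("203.0.113.10", datetime(2024, 7, 30), 90, "block egress; isolate host"),
        Indicator("198.51.100.7", datetime(2024, 6, 1), 95, "block egress"),  # aged out
        Indicator("192.0.2.55", datetime(2024, 7, 31), 40, "monitor only"),   # low confidence
    ]
    flows = [
        Flow("10.0.0.5", "203.0.113.10", 443),
        Flow("10.0.0.8", "198.51.100.7", 443),
        Flow("10.0.0.9", "192.0.2.55", 8080),
        Flow("10.0.0.5", "198.51.100.200", 443),  # benign peer, not in the feed
    ]
    return match_flows(flows, feed, now)
```

Only the flow to the fresh, high-confidence indicator produces an alert; the aged-out indicator is reported as stale so the feed can be refreshed rather than silently matching on outdated infrastructure.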
Deriving Outcomes from Threat Intelligence
The ultimate goal of threat intelligence is to protect organizations from attack by providing the actionable insights needed to implement the countermeasures required to prevent attacks by cybercriminals, and the tools to detect and respond to any attempts by cybercriminals to breach our digital defenses. For NTT, this represents a realization of its goal to use technology for good.
The Global Threat Intelligence Report, published by GTIC on an annual basis, with quarterly updates, provides an easy-to-understand view of the insights gained by GTIC through its work. The recommendations shared in the GTIR provide readers with an understanding of the developing trends in the threat landscape. The guidance provided by the GTIR helps organizations bolster security controls against evolving threats.
The services provided by NTT to detect and respond to threats give clients the ability to use the fruits of GTIC’s labor to protect themselves from cyberattacks. Samurai XDR plays an especially important role here by making the tools needed to build an enterprise-grade security operations capability accessible to organizations which lack specialized security teams and the budget required to build this capability in-house. To make it easy to establish a SecOps capability, all new Samurai XDR clients enjoy a 30-day free trial, with full functionality and no commitments.