The term “threat intelligence” is quite trendy right now. For many, threat intelligence is a term used to describe IOC feeds that are plugged into security infrastructure to identify suspicious or malicious activity.
For us, it describes a whole lot more. As a company, we’ve been actively gathering and assimilating threat intelligence for over 25 years. Many of us deal with threat intelligence on a daily basis. And it drives our everyday work.
As far as we’re concerned, threat intelligence refers to everything from the minute details gathered from reverse engineering a malware sample, to trends and patterns we see in data gathered by our systems, to the tactics used by attackers and defenders, and finally, to a mile-high view of the global threat landscape.
It’s more than just data, though. Good threat intelligence is about knowing what’s going on in the world, how attacks work, how malware works, what vulnerabilities exist, how vulnerabilities are being exploited, how criminal gangs operate, what tools hackers are using, and how hackers breach companies.
Here at F-secure, we gather threat intelligence using a number of different techniques.
Data analysis provides us with technical threat intelligence that we use to drive day-to-day activities. Our back ends process hundreds of gigabytes of data on a daily basis. This data arrives in the form of samples, URLs, emails, IP addresses, file paths, and object hashes, to name just a few! We get data from honeypots, customer submissions, our Security Cloud, and from partner sample feeds such as those provided by Virus Total.
After a process of filtering, analysis, and metadata extraction, incoming data is passed through a series of rule engines, expert systems and data analytics, resulting in output that is used to determine trends in the global threat landscape, identify new and prevalent threats, improve our protection components and even (attempt to) forecast the future.
F-Secure has an entire consulting arm dedicated to helping other companies with threat assessment, incident response, penetration testing, compliance auditing, and improving security culture. They’re called CSS which stands for Cyber Security Services.
These guys are frequently tasked with breaking into companies (with full consent, of course) in order to achieve a defined objective. Sometimes, these red-team exercises are run as “capture the flag” events. But not always. If you’ve ever seen the movie “Sneakers“, that’s what these guys do. And yes, sometimes they’re tasked with physically breaking into a business. Many of them walk around with lock pick sets in their kit.
Our Cyber Security Services teams provide us with threat intelligence on how hackers do their jobs, how they circumvent defenses, and how they stay hidden in networks. They get a lot of important information from their experiences investigating breaches and performing incident response activities. We apply their findings when building our own products, and also when we do forensic investigations and clean-up for other companies.
But it’s not just these activities that give us good threat intel. Since we’re a software house, we perform threat modeling exercises on our own components, and we do a fair amount of fuzz testing. And as part of these efforts, we have people dedicated to keeping track of the global vulnerability landscape.
On the research side, we have several fellows dedicated to reverse engineering malware and exploits from the wild. By digging into how these threats work, we gain detailed knowledge on infection vectors, anti-emulation tricks, stealth strategies, botnet communication protocols, and a whole lot more. By looking at new variants of the same families of malware, and by comparing similar families, we can see how these pieces of software are evolving over time and make predictions about tactics or features that might arise in the future.
Finally, a lot of us do industry research by searching, following threads and good old-fashioned reading. Keeping up-to-date with threat intelligence is a lot about keeping up with news, publications, conference presentations, research papers, and online discussions. Some of us (such as @Mikko) frequently receive tips from our friends, partners, and contacts in the industry.
We keep current on topics from across the entire information security spectrum. Examples can range from big-picture geopolitics to low-level kernel programming. Generally speaking, we have a lot of people keeping current on topics such as information security, security research, vulnerability analyses and disclosures, reverse engineering, hacking tutorials, and various “black hat” topics. Twitter is also our good friend.
With so many people involved in collecting threat intelligence, we get plenty of opportunities to educate the rest of our fellows. And that’s often the fun part. Who doesn’t enjoy seeing a “horror show” and/or hacking demonstration?
At the end of the day, we all get a great deal of satisfaction out of gathering threat intelligence, whether it’s learning about attacks, reversing some new malware, or writing better algorithms to correlate and pull data out of our systems. And I think that enthusiasm plays a big part in making things tick around here.