Opinion: Threat intelligence is the judo move needed to take down hackers
Advanced techniques for quickly tracking and analyzing the behavior and tactics of criminal hackers gives companies the tools to defend against emerging cyberthreats.
When a prominent financial institution was hit in 2014 by hackers taking advantage of a previously unknown software flaw, it wasn't long before details about the vulnerability spread on social media, underground forums, and technical listservs.
Hackers mobilized to turn the software bug into an exploit kit – the Sweet Orange kit – so others could use it to carry out attacks by deploying it against new targets. The kit was advertised on Russian forums and it was – and continues to be – updated regularly.
The speed at which software exploits spread around the deep Web, giving technically skilled criminals the chance to find ways to use it, didn't give other financial institutions much time to patch the holes in their infrastructure to stay ahead of attackers.
But at firms that scour the darker corners of the Internet to learn what hackers know and are selling – such as Recorded Future, where I'm the cofounder and chief executive – we were able to get ahead of the problem. Our technology alerted one of our clients – another large US financial institution – to how they were vulnerable and enabled them to quickly prioritize and patch systems to nullify the threat before they were hit.
That's the value of cyberthreat intelligence. Equipped with an information advantage we're able to outsmart the opponent. At the highest level, we can use intelligence to inform decision-making – all the way from strategy and policy to technical prioritization and blocking and tackling at the network level.
In many ways, being able to quickly analyze and respond to threats is the judo move of cybersecurity that can knock out the attacker. To challenge these kinds of sophisticated opponents, we need more than brute force. The judo master uses intelligence and preparation to beat the opponent. The judo move against the digital foe is cyberintelligence – an information advantage mined from the Web.
Many proposals are currently floating about as the best way to defend against enemies on the Web. One of the most talked about is information sharing. Indeed, brilliantly executed information sharing does have an opportunity to be a strong countermove on the attacker – but many obstacles remain in the way.
As logical as it seems to share information, a surprising number of counterincentives stand in the way of meaningful sharing. Legal and financial obstacles are abundant – and since cybervulnerabilities are just that, potential vulnerabilities, there are many intelligence and information advantage reasons entities hold back on sharing.
Sharing vulnerabilities might expose where an organization is weak. Corporations express that sharing intelligence with the government is a one-way street – data goes in but doesn’t come back. Cyberintelligence data may seem like technical data but might very well include private data on individuals – and sharing that opens up multiple challenges. Finally, there are indications that security, for better or worse, it starting to be perceived as a competitive advantage, and this could also hinder sharing.
Others suggest more offensive ways of fighting back – such as going after the hackers. But this is risky. As a country, we certainly have the wherewithal to strike back, but what happens when a private company hits back at another company that's engaged in economic espionage? What if a US company inadvertently takes down a significant part of another nation's critical infrastructure in the attack. The blowback could be far more damaging that the original hack. We would not allow this kind of retribution in the physical world, and we should not allow it in the digital realm, either.
But by developing more effective ways to use real-time intelligence we can detect, limit, and even prevent attacks.
Executing an attack does leave traces. There may be traces on networks and equipment. There may be malware code left behind. Attacks happen in sync with geopolitical and business events. Actors may have work schedules or time endeavors with political anniversaries. Actors often state their intents on social media before and after attacks. And they discuss their approaches and intents in the underbelly of the Internet.
When you know where to look, and how to use the information you find, there's plenty to learn when it comes to improving cyberdefenses. It's this kind of intelligence that allows for outsmarting a nimble, distributed, and asymmetrical cyberfoe – and it's the ultimate takedown.
Christopher Ahlberg is the cofounder and chief executive officer of Cambridge, Mass., threat intelligence firm Recorded Future, which received funding from Google Ventures, IA Ventures, and the CIA backed venture capital outfit In-Q-Tel.