Building an Early Warning System: Determining UrgencyBy Mike Rothman
The Early Warning series has leveraged your existing internal data and integrated external threat feeds, in an effort to get out ahead of the inevitable attacks on your critical systems. This is all well and good, but you still have lots of data without enough usable information. So we now focus on the analysis aspect of the Early Warning System (EWS). You may think this is just rehashing a lot of the work done through our SIEM, Incident Response, and Network Forensics research – all those functions also leverage data in an effort to identify attacks. The biggest difference is that in an early warning context you don’t know what you’re looking for. Years ago, US Defense Secretary Donald Rumsfeld described this as looking for “unknown unknowns”.
Early warning turns traditional security analysis on its head. Using traditional tools and tactics, including those mentioned above, you look for patterns in the data. The traditional approaches require you to know what you are looking for – accomplished by modeling threats, baselining your environment, and then looking for things out of the ordinary. But when looking for unknown unknowns you don’t have a baseline or a threat model because you don’t yet know what you’re looking for.
As a security professional your BS detector is probably howling right now. Most of us gave up on proactively fighting threats long ago. Will you ever truly become proactive? Is any early warning capability bulletproof? Of course not. But EWS analysis gives us a way to narrow our focus, and enables us to more effectively mine our internal security data. It offers some context to the reams of data you have collected. By combining threat intelligence you can make informed guesses at what may come next. This helps you figure out the relevance and likelihood of the emerging attacks.
So you aren’t really looking for “unknown unknowns”. You’re looking for signs of emerging attacks, using indicators found by others. Which at least beats waiting until your data is exfiltrated to figure out a that new Trojan is circulating. Much better to learn for the misfortunes of others and head off attackers before they finish. It comes back to looking at both external and internal data, and deciding to how urgently you need to take action. We call this Early Warning Urgency. A very simple formula describes it.
Relevance * Likelihood * Proximity = Early Warning Urgency
The first order of business is to determine the relevance to your organization of any threat intelligence. This should be based on the threat and whether it can be used in your environment. Like the attack path analysis described in Vulnerability Management Evolution, real vulnerabilities which do not exist in your environment do not pose a risk. A more concrete example is worrying about StuxNet even if you don’t have any control systems. That doesn’t mean you won’t pay any attention to StuxNet – it uses a number of interesting Windows exploits, and may evolve in the future – but if you don’t have any control systems its relevance is low. There are two aspects of determining relevance:
- Attack surface: Are you vulnerable to the specific attack vector? Weaponized Windows 2000 exploits aren’t relevant if you don’t have any Windows 2000 systems in your environment. Once you have patched all instances of a specific vulnerability on your devices, you get a respite from worrying about that exploit. This is how the asset base and vulnerability information within your internal data collection provide the context to determine early warning urgency.
- Intelligence Reliability: You need to evaluate each threat intelligence feed on an ongoing basis to determine its usefulness. If a certain feed triggers many false positives it becomes less relevant. On the other hand, if a feed usually nails a certain type of attack, you should take its warnings of another attack of that type particularly seriously.
Note that attack surface isn’t necessarily restricted to your own assets and environment. Service providers, business partners, and even customers represent indirect risks to your environment – if one of them is compromised, the attack might have a direct path to your assets. We will discuss that threat under Proximity, below.
When trying to assess the likelihood of an early warning situation requiring action, you need to consider the attacker. This is where adversary analysis comes into play. We discussed this a bit in Defending Against Denial of Service. Threat intelligence includes speculation regarding the adversary; this helps you determine the likelihood of a successful attack, based on the competence and motive of the attacker. State-sponsored attackers, for instance, generally demand greater diligence than pranksters. You can also weigh the type of information targeted by the attack to determine your risk. You probably don’t need to pay much attention to credit card stealing trojans if you don’t process credit cards.
Likelihood is a squishy concept, and most risk analysis folks consider all sorts of statistical models and analysis techniques to solidify their assessments. We certainly like the idea of quantifying attack likelihood with fine granularity, but we try to be realistic about the amount of data you will have to analyze. So the likelihood variable tends to be more art than science; but over time, as threat intelligence services aggregate more data over a longer period, they will be able to provide better founded and more quantified analysis.
How early do you want the warning to be? An Early Warning System can track not only direct attacks on your environment, but also indirect attacks on organizations and individuals you connect with. We call this proximity. Direct attacks have a higher proximity factor and greater urgency. If someone attacks you it is more serious than if they go after your neighbor. The attack isn’t material (or real) until it is launched directly against you, but you will want to encompass some other parties in your Early Warning System.
Let’s start with business partners. If a business partner is compromised, the attacker may be able to jump from their network to yours, using a direct network connection or stolen credentials. Many business partners have trusted access to or credentials on your systems. So you should start proximity analysis by categorizing your different types of business partners and grouping them by access to your critical data. How can you determine if a business partner has been compromised? Emerging proprietary intelligence services and other industry information sharing groups monitor organizations and industries, assess their vulnerabilities, and determine the risks they pose to partners.
Likewise, you can and should monitor service providers as potential indirect attack vectors. As more and more critical data moves to SaaS environments and infrastructure migrates to cloud computing providers, risk to your providers should be factored into your early warning analysis. Again, services exist to monitor service providers (as they do with other business partners) which can alert you to potential risks. Also ensure your service provider has some kind of notification SLA in place to give you a heads-up when they detect an attack.
Customers tend to be one step removed compared to business partners and service providers. Customers typically don’t have the same kind of direct access as partners or providers, but can still pose a risk, such as login credentials being stolen and used by an attacker. You can track customer issues by monitoring news feeds, SEC filings for breach disclosures, and data breach reporting site such as DataLossDB. The proprietary threat intelligence services can also monitor specific high-risk customers.
The relationship between proximity and urgency is different for each company, and must be evaluated in terms of available resources. Clearly direct attacks are urgent, but determining the importance of various other constituencies depends on their access to critical information and track record. Like an “asset criticality” rating in a risk scoring calculation, you can tune the numbers a bit to reflect your professional judgement of the risk presented by each group. A certain business partner might be a train wreck from a security standpoint, demanding an increased proximity factor due to the threat posed by an attack on them. On the other hand a mature and advanced business partner likely handle can an attack, leaving you free to focus on different partners and customers.
Now that you understand the analysis aspects of early warning and how they are used to determine urgency, our next post will wrap up the series with selection and deployment. We will start by talking about what the platform needs to look like, then move on to putting the process into action and getting a quick win with the Early Warning System.