Intelligence Diversification
Intelligence Diversification
Why your organization should use a wide range of threat and vulnerability intelligence tools
As our dependence on technology continues to grow, so do the number of emerging threats facing its functionality and security. By the time an organization has researched and remediated the latest vulnerability impacting its infrastructure, ten more have taken its place. Patching vulnerabilities and threat hunting are the never-ending battles facing cybersecurity professionals daily. Most analysts and researchers fight this battle by utilizing vulnerability scanners and databases, antivirus and antimalware tools, trusted vendor sites/databases, security websites, and by simply staying up to date on the latest cyber threats and attacks through news’ sources and social media. At this point, not a day goes by without an organization making headlines for falling victim to a security incident.
For many researchers and analysts, it is tempting to become comfortable with a specific vendor/site for their cybersecurity questions and concerns. Some may say, “A potentially malicious hash? I’ll just throw it into VirusTotal and see if it is harmful” or, “AlienVault OTX will notify me of any IOCs; I don’t need to look elsewhere.” As reputable as these vendors may be, no one is perfect. What one vendor deems malicious could fly under another vendor’s radar, or even worse, the vendor may define something as non-malicious when it in fact is! When using only one source for your intelligence, you open up the chance of two things happening. One is identifying something legitimate as malicious, or the worse of the two, defining something malicious as legitimate.
Starting with the latter, identifying a process/action as legitimate when it is not can have very serious consequences. Taking a source’s word that a hash isn’t malicious, when it in fact is, could allow malware to enter and infect you, your customers, or your network. Just taking the time to consult another vendor/source could have stopped an entire network compromise dead in its tracks. Here at InfusionPoints, analysts have alerted customers to suspicious activity that was indeed malicious after checking with sources that deemed it to be safe! Although, occasionally, instances could occur in which the activity being observed seems sure to be malicious even though every source consulted validates it. While this is not common, you could be in the presence of an unknown vulnerability. In these instances, do not hesitate to reach out to Microsoft, AWS, Google, or whomever the vendor may be to raise concerns and receive confirmation of what is occurring. While this should be used as a last resort, consulting online forums to gain insight into what other analysts and security professionals are experiencing with a particular threat or vulnerability can help immensely. Just note that the final determination on whether a particular process is or is not genuine, should not be the say-so of someone on Reddit.
Defining a harmful process/service as legitimate can have a slew of obvious, and potentially immediate, ramifications. Continuously labeling genuine events as malicious can also cause problems. While some may say that this is simply erring on the side of caution, there are less obvious issues that can arise. Not wanting to thoroughly validate your suspicions can result in members of your team, your customer’s team, or a vendor wasting valuable time and resources chasing down harmless leads. Taking ten seconds to confirm can save someone else down the line hours. Lacking source diversity in your intelligence toolbelt can also result in you or your entire team losing credibility if the alarm is constantly sounded because one source or database insists that something may be harmful.
In conclusion, having a wide range of threat and vulnerability intelligence tools at your disposal is a great way to save time, educate you and your team, and also work to improve your effectiveness and credibility with customers. When this is put into practice, they are only alerted to events that require more attention and are not constantly forced to look into things that do not need to be investigated.