Tailored Threat Intelligence Includes:
Technique detection versus indicators of compromise detection
It is easy to find indicators of compromise (IOCs), such as the hash of a file, and detect anywhere that hash exists. The same is true for IP addresses. Because it is so easy, many attempt to base their threat intelligence and detection capabilities on these items. Unfortunately, hashes and IPs are also easy for attackers to change.
Technique-based detection focuses not on the malware or control channels attackers use, but on the techniques they use. For example, point-of-sale (POS) malware dumps memory. By detecting when memory is dumped on a point-of-sale machine, you can effectively detect all POS malware.
Developing technique-based detection capabilities is much harder than looking for IOCs, but it is also much more effective in the long term. Because of this, Booz Allen's Managed Detection and Response Services deliver Tailored Threat Intelligence and technique-based detection tied to the attacks you experience, not just IOCs.
Real world example of Tailored Threat Intelligence
Booz Allen was introduced to one of its customers when we responded to a breach tied to the theft of their single sign-on (SSO) web page. A hacker was able to recreate their internal SSO page and post it on an external server. Combining this legitimate-looking SSO page with a phishing attack, the attacker was able to harvest numerous credentials from the organization.
For several months this organization played whack-a-mole with this attacker by blocking the domains they used to host the fraudulent SSO page. This ultimately proved futile as the attacker simply stood up a new domain for each new phishing attack.
After engaging Booz Allen's Managed Detection and Response Service, we were able to use our Tailored Threat Intelligence and the Booz Allen Defense Platform to create defenses that identified any time the customer's SSO page came into their environment from the Internet. Because their legitimate SSO page was only served internally, this became a very effective detection capability that essentially took the SSO + phishing technique off the table for the attacker. With this defense in place, the attacker was forced to move on.
In this example, Booz Allen created Tailored Threat Intelligence and detection capabilities that only this customer cared about. No other company would care if the SSO page in question were served to them from the Internet. However, for this particular customer, that intelligence and detection capability was very valuable and highly effective.
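As an added illustration of the detection described above (example code written for this page, not the Booz Allen Defense Platform or the customer's actual rule): it fingerprints the SSO page by a few distinctive markers in the HTML and flags any copy that arrives from a host or address outside the internal ranges where the legitimate page lives. The hostnames, addresses, markers and proxy records are constructed.

```python
import ipaddress
import re

# Constructed fingerprint of the customer's internal SSO page (hypothetical
# markers; a real deployment would take these from the actual page template).
SSO_MARKERS = {
    "title": re.compile(r"<title>\s*ExampleCorp\s+Single Sign-On\s*</title>", re.I),
    "form_action": re.compile(r'action="/sso/authenticate"', re.I),
    "banner_id": re.compile(r'id="examplecorp-sso-banner"', re.I),
}
MIN_MARKERS = 2  # demand two independent markers to keep false positives down

# Where the legitimate page is allowed to come from (constructed values).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
LEGIT_SSO_HOSTS = {"sso.examplecorp.internal"}

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def matched_markers(body: str) -> list:
    return [name for name, rx in SSO_MARKERS.items() if rx.search(body)]

def inspect_response(event: dict):
    """Return an alert dict if an SSO look-alike page arrived from outside.

    event is a web-proxy record with 'client_ip', 'server_ip', 'host', 'body'.
    """
    markers = matched_markers(event["body"])
    if len(markers) < MIN_MARKERS:
        return None  # not the SSO page (or too little of it to say)
    if event["host"] in LEGIT_SSO_HOSTS and is_internal(event["server_ip"]):
        return None  # the real page, served where it is supposed to be
    return {"rule": "sso_page_served_from_internet", "client_ip": event["client_ip"],
            "host": event["host"], "server_ip": event["server_ip"], "markers": markers}

def scan(events: list) -> list:
    return [alert for alert in map(inspect_response, events) if alert]

# Constructed sample proxy records: a legitimate internal hit, a phishing clone
# hosted on a throw-away external domain, and an unrelated external page.
SAMPLE_EVENTS = [
    {"client_ip": "10.1.2.3", "server_ip": "10.9.0.5", "host": "sso.examplecorp.internal",
     "body": '<title>ExampleCorp Single Sign-On</title><form action="/sso/authenticate">'},
    {"client_ip": "10.1.2.4", "server_ip": "203.0.113.77", "host": "examplecorp-login.example",
     "body": '<title>ExampleCorp Single Sign-On</title><div id="examplecorp-sso-banner">'},
    {"client_ip": "10.1.2.5", "server_ip": "198.51.100.9", "host": "news.example",
     "body": "<title>Daily News</title>"},
]
```

Because the rule keys on the page itself rather than on the hosting domain, a new phishing domain does not evade it; only changing the page content would, which the marker set and threshold are there to make harder.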