Financial institutions battle cyber threat info overload

Cyber threat intelligence is crucial for the defense of an organization’s network, but financial firms have to figure out how to make sense of all the data first.

The Chinese general Sun Tzu said that if you know your enemy and you know yourself, you need not fear the outcome of a hundred battles. If he added that too much information about your enemy can be overwhelming, history does not record that.

Knowing the enemy is no less important to the security operations centers (SOCs) at financial organizations than to Han Dynasty military strategists. But the sheer volume of threat intelligence—the data an organization uses to understand the information security threats it could face, or breaches that have already taken place—is overwhelming cybersecurity professionals. In 2021, one of the main roles of non-profits and private sector companies that offer threat intelligence is curation and finding signals in the noise for clients and members.

When Anomali, a provider of cybersecurity tools, was founded eight years ago, the volume of indicators—identifiers of threat actors or events, such as IP or email addresses—that firms had to process was manageable, says its CEO, Hugh Njemanze. A customer might have had to deal with a database of about 100,000 risks or indicators, and feed those into the tools in their SOC systems.

“But just a year later, it was a million indicators that we were helping with, and then it was 10 million, and 100 million, and now it’s several billion indicators that are active,” Njemanze says. “It completely overwhelms not just the humans, but any tools they have. They need to find ways to filter down the volume of threat intelligence.”

Like good generals, chief information security officers (CISOs) too must understand the risks they face in the internet battlefield, where attackers range from everyday chancers sending phishing emails, to sophisticated spies hired by nation states (known as advanced persistent threats, or APTs). And there is a booming industry of vendors offering platforms and services for threat intelligence: the global industry is projected to grow from $10.9 billion last year to $16.1 billion by 2025, with security analytics to register most growth, as users want to find patterns in attacks across network infrastructure, according to market research.

Vendors like Blueliv, ThreatConnect, and Cyjax offer threat intelligence platforms with differing degrees of modularity; Cobwebs Technologies extracts targeted insights from big data; ZeroFox provides threat intelligence across the public attack surface. Many vendors, as Anomali does, provide access to data feeds from vendors like Symantec, CrowdStrike, and FireEye, which an organization can pull into its security information and event management (Siem) software, which collects logs and event data generated by apps and security devices.

So there is no lack of information out there. The problem in 2021 is that there is too much. As Njemanze says, Siem systems generate a huge volume of alerts. Not only is this tiring for the people who must monitor them, it also makes actual security threats harder to detect. The problem is compounded by a shortage of qualified staff at many institutions. In a survey of cybersecurity professionals conducted last year, 31% said understaffing was the biggest challenge they faced; 18% said it was keeping up with the volume of security alerts.

Filtering solutions

Njemanze says vendors use a number of approaches to filter data for clients. “You could filter by certain classes of intelligence, so maybe you only care about IP addresses, or compromised files. We have built algorithms, and we have a dedicated lab of practitioners. They look for what is happening in real time, what is trending now, what has gone dormant,” he says.

“So we very aggressively curate our repository of threat intelligence to deactivate threats that are no longer active, to promote threats that are currently active, or targeting a specific vertical.”

Anomali’s Match tool matches large volumes of threat intelligence in a client’s Siem software with activity from its network. Siem software collects event logs, and Match compares that log to the Anomali database of threat intelligence, and returns the information. For example, it could show that there were six sightings of a particular bad actor in a particular month, the actor was first seen in this system, and the attack spread to another system. “Otherwise, you just have a repository of threat intelligence dumped on you, and it’s very hard to find something that can consume it. That’s why people tend to filter out the threat intelligence,” Njemanze says.
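The two steps described above, curation of the indicator repository and matching Siem event logs against it, as an added illustration that is not Anomali's code: indicators carry a status set by curation, only active ones are matched, and the output gives sightings per month, the host where the actor was first seen, and the hosts it spread to. All indicator values, actor labels and log lines are constructed.

```python
"""Match SIEM-style event logs against a curated threat-intel set."""
from collections import defaultdict
from datetime import datetime

# Constructed indicator repository: value -> (actor label, curation status).
# "dormant" models an indicator the curation process has deactivated.
INDICATORS = {
    "198.51.100.23": ("actor-A", "active"),
    "203.0.113.9":   ("actor-B", "dormant"),
    "bad.example":   ("actor-A", "active"),
}

# Constructed Siem log lines: timestamp, host, event kind, remote peer.
LOGS = """\
2021-03-02T10:15:00 web01 outbound 198.51.100.23
2021-03-02T11:40:00 web01 outbound 203.0.113.9
2021-03-05T09:02:00 web01 dns bad.example
2021-03-11T22:10:00 db02 outbound 198.51.100.23
2021-04-01T08:00:00 db02 outbound 198.51.100.23
""".splitlines()


def parse(line):
    """Split one log line into (timestamp, host, peer)."""
    ts, host, _kind, peer = line.split()
    return datetime.fromisoformat(ts), host, peer


def match(logs, indicators):
    """Return {actor: {"sightings": {YYYY-MM: count},
                       "first_seen": host, "hosts": [hosts in order seen]}}.
    Only indicators whose curation status is "active" produce matches."""
    report = {}
    for line in sorted(logs):  # ISO timestamps sort chronologically as text
        ts, host, peer = parse(line)
        hit = indicators.get(peer)
        if hit is None or hit[1] != "active":
            continue
        actor = hit[0]
        entry = report.setdefault(
            actor, {"sightings": defaultdict(int), "first_seen": host, "hosts": []})
        entry["sightings"][ts.strftime("%Y-%m")] += 1
        if host not in entry["hosts"]:
            entry["hosts"].append(host)  # later hosts show where the activity spread
    return report


if __name__ == "__main__":
    for actor, entry in match(LOGS, INDICATORS).items():
        print(actor, dict(entry["sightings"]), entry["first_seen"], entry["hosts"])
```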

This backward look is important, he adds, as most attacks go unnoticed, sometimes for years.

Sharing is strength

Financial firms don’t just have to rely on the private sector for threat intelligence: they can also join an Information Sharing and Analysis Center (Isac).

Isacs are non-profits organized by industry verticals that act as forums for the sharing of threat intelligence. Finance has its own Isac, called the FS-Isac, which was founded in 1999, and has a membership of thousands of financial firms in 70 countries. 

“The memberships of these Isacs feed information up to the organization as they recognize threats or attacks against their systems, and the community then shares it back out. It’s like a neighborhood watch concept, and it’s pretty powerful,” Njemanze says.

The deputy CISO of a New York-based investment firm that is an FS-Isac member says they believe it’s important to subscribe to an Isac.

“We benefit not just from learning about active threats, but also getting advice from other people in the same industry. You can say, ‘Hey, we have this problem, how did you deal with it? Is this something you are concerned about?’ Having that community of other security professionals who have dealt with similar situations is helpful,” they say.

Having this community on a platform like FS-Isac’s matters because such platforms provide different levels of anonymity, they add. “Having it around a service gives you that comfort of non-disclosure and making sure there is no issue with sharing. You don’t want to share too much, but you also want to share enough that it’s helpful to both your own community and others.”

One of the FS-Isac’s main roles is making threat information meaningful and useful to its members, says Teresa Walsh, global head of intelligence for financial services information sharing at the non-profit. 

The FS-Isac sends out intelligence in a number of ways—via listserv, on special calls and briefings, and through research reports. It also has a centralized platform for threat intelligence sharing called Share and a recently launched chat app called Connect.

Share uses tagging technology to help users find information organized by category. “Users can share information on different types of cyber threats, how they are impacting their businesses, threats they hear about but don’t know much about, and more general information—how others are responding to Covid, or briefing their board on cyber risks,” Walsh says.

“They use each other as sounding boards for what works and what doesn’t and what is best practice, whether they are a huge multinational conglomerate or a small community institution serving a small customer base.”

One advantage the FS-Isac has is that it has thousands of members worldwide that have, over the years, become increasingly comfortable sharing threat intel with their peers anonymously. This is not a small thing—for financial organizations, admitting to a security breach can be a massive reputational risk and invite future attacks.

Because of the volume of reporting centralized on Share and, more recently, Connect, the FS-Isac has been able to draw inferences that might have gone unnoticed otherwise and feed those back as insights to its membership.

Targeted attack

Perhaps the most dramatic demonstration of this capability came in the wake of attacks on the New Zealand Stock Exchange (NZX). In August last year, a massive wave of internet traffic deluged the NZX’s website, slowing it down to the point where the country’s main board could not post market announcements. The exchange shut down trading for the day but was attacked again on reopening. The exchange had to suspend activities every day for four days, halting trading in cash, debt, equities, and derivatives markets.

As Bloomberg reported in February, the NZX had been the victim of a distributed denial of service (DDoS) attack, an unsophisticated but often effective attack that enlists thousands of systems infected with malware (sometimes called “zombie armies”) into making requests of a targeted server, flooding it with traffic and shutting it down. The NZX moved its servers out of reach to the cloud, but the malicious hackers moved on to targeting companies listed on the exchange, and to other organizations.

The attackers sent target firms emails in which they claimed to be from notorious APTs like the Lazarus Group and Fancy Bear. The extortion emails threatened more DDoS attacks if they weren’t paid sums in Bitcoin.

At the time these attacks were spreading around the world, it was not clear they were linked. However, as FS-Isac members began to receive the extortion emails, the organization was alerted and began connecting the dots. FS-Isac said in February that its analysis found that the extortion emails and DDoS attacks seemed to follow a similar modus operandi and seemed to indicate that these were connected events that proceeded in a systematic way across the globe.

Apart from NZX, targets ran the gamut from large banks to fintechs, insurance companies, asset managers, and loan companies. The FS-Isac said at the time that none of its members paid the ransom, and none saw significant damage after the deadline for their Bitcoin ransoms.

Walsh tells WatersTechnology that FS-Isac’s membership gave the organization an advantage—because its members were willing to share their experiences, the body could take in that data, and understand that the extortion emails and DDoS attack were connected; that the unsophisticated hackers were almost certainly not Fancy Bear or Lazarus Group; and it could track the hackers as they systematically targeted firms in first Europe, then the Americas, then Asia-Pacific.

Share generates alerts at various levels of urgency; for instance, if a member reports an incident, or new research is issued, members will see that in their queues. Those alerts accumulate over time, and FS-Isac can analyze them for patterns, as it did while the DDoS extortion campaign unfolded. For ongoing events like that, Walsh’s team can centralize and analyze information and then build visualizations to make it easier for members to consume.

“You do have to tailor it to your audience. People are not going to read massive amounts of data. So you could, for a DDoS attack, include 10,000 IP addresses [of the botnet], but the most important thing is when did the attack happen, what did it attack exactly—your public-facing websites or less visible infrastructure?” Walsh says.

“We started with a simple Excel spreadsheet and just compared the different attributes to the attack we were seeing to understand how the members were experiencing all this, and then sharing it with each other.”

Connect was also useful during the DDoS extortion campaign, Walsh says. “People had a lot of questions about everybody else’s experiences. What type of threat did you get? Were they demanding payment? How did you respond, how did you brief your staff? Did you answer the emails? … It was almost like a support group,” Walsh says. 

Those individual experiences enabled, in the aggregate, a crowd-sourced analysis of events, and the FS-Isac could then reach out to other members to find those that might have experienced similar extortion attempts but had not shared them.

Know thyself

To make inroads into all the information at their disposal, firms must look inward as well as turn to outward help. After all, while knowing your enemy is important, as the second part of Sun Tzu’s adage goes, you also must know yourself.

Aite Group senior analyst Tari Schreider says that many CISOs take a “more is more” approach to threat intelligence. “One tendency I see in financial institutions is where, when flush with cybersecurity investment cash, they go out and subscribe to as many different threat intelligence sources as possible. The intelligence itself is useful, but if you’re not interpreting it correctly, you might misread it and end up putting defenses in the wrong place,” he says.

A better strategy is to start small and build up slowly to what the organization needs, taking care to understand its special vulnerabilities and what information is actionable along the way.

“To really understand threats, you must take intelligence and enrich that data to compare to your own attack surface and understand where you are vulnerable. Then you risk score the vulnerabilities, and that is the risk to your organization,” Schreider says.

He says that it’s crucial that the work of analyzing threat intelligence not be confined to the SOC, or siloed in any one department of an organization. The deputy CISO of the investment firm agrees, saying communication with the business and compliance functions is probably the most important—and often most difficult—part of their job. Schreider says an organization should have a comprehensive threat intelligence platform into which it feeds intel, but that intel should be contextualized to the infrastructure and the business of the rest of the firm.

While firms may see themselves as individual siloes, hackers do not. “Your attack surface is a bowl of tasty threat vectors,” Schreider says. “Hackers view your organization as an attack surface on which you just happen to have front-office technology, back-office technology, network technology, etcetera. They look past classical organizational constructs and see threat vectors, asset vulnerabilities and exploit potential.”  

Covid-19 and the shift to remote working made this attack surface even more diffuse, he concludes. “Covid-19 made organizations’ attack surface look like Play-Doh and spread it all over the place. Your network endpoints are now your employees working in their homes, they become the weak link in the security value chain. And they have caught the eye of the hackers. Whereas you would have a trader sitting on the trading floor, that individual is now at home trading securities. The same security protocols that exist on a trading room floor just don’t exist in a home setting. Hackers know this and will always follow the path of least resistance,” Schreider says.
