
PC PORTAL

Experienced. Trusted. Solutions.


brightcloud threat intelligence

February 9, 2021 By PC Portal

Essential Threat Intelligence: Importance of Fundamentals in Identifying IOCs

The supply chain attack that Trojanized a SolarWinds update to infect and spy on the IT management platform’s customer base continues to be analyzed. Early reports have called the methods highly sophisticated and the actors highly trained. We do know that IP addresses, a command and control server and a malicious product update file were used. While details continue to come to light with further investigation, one thing has been made clear by the incident: the fundamental elements of tactical threat intelligence still have a critical place in a layered cybersecurity strategy.

Tactical threat intelligence typically focuses on the latest methods threat actors are using to execute attacks. It examines indicators of compromise (IOCs) such as IP addresses, URLs, system logs and files to help detect malicious activity. This type of threat intelligence is most often deployed in network and security devices like firewalls, SIEMs (security information and event management systems), TIPs (threat intelligence platforms) and other tools, which apply policy-based settings based on intelligence criteria.

Recent attacks continue to prove that these fundamental tactical threat intelligence pieces are still critical. While web filtering and URL classification, IP reputation, and file detection and reputation may be less flashy than threat actor profiles and takedown services, they continue to be the building blocks of core threat intelligence elements that are key to stopping attacks.

These IOC types – files, IPs, URLs – correspond to tooling and infrastructure that threat actors reuse and that play a consistent role in their malicious campaigns. Having tactical intelligence about these internet objects is one key step security and technology providers can take to ensure their users are better protected. For tactical threat intelligence to be effective it must be both contextual and updated in real time.

Why context matters

Context is what allows threat intelligence providers to take a mass amount of data and turn it into something meaningful and actionable. With context, we can explore relationships between internet objects and better assess their risk.

As the recent SolarWinds attack shows, IOCs are often interconnected and rarely appear in isolation. Seeing the connections surrounding various internet objects, like a benign website that may be one step away from a malicious IP address, allows us to map and analyze these objects not only as they are classified but in their contextual relationships. These relationships allow us to better predict whether a benign object has the potential to (or is even likely to) turn malicious.

Real-time intelligence

Over the course of a year, millions of internet objects change from benign to malicious and back many times as cybercriminals attempt to avoid detection. Showing a single IOC at a single point in time, as happens with static IP blocklists, doesn’t paint the full picture of an object’s activity. Both real-time and historical data, however, can help in the development of a reputation score based on behavior over time and common reputational influencers such as age, popularity and past infections. It also helps to protect users from never-before-seen threats and even predict where future attacks may come from.

Once the fundamental intelligence is present, it’s also critical to make sure policies are enabled and configured correctly to best take advantage of the threat intelligence. In the instance of the SolarWinds attack, when we evaluated the initial data we found that seven of the IP addresses used in the campaign were previously identified by BrightCloud® Threat Intelligence months prior to discovery of the attack. These IP addresses were marked as high-risk and had fairly low reputation scores. In addition, the IPs consistently remained in the high-risk category throughout the year, meaning there was a high predictive risk these IPs would attack infrastructure or endpoints. Depending on the threshold set in the policy, many end users could have already been prevented from experiencing malicious behavior originating from one of these identified IP addresses.
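The three points above (context, behavior over time, and a policy threshold that actually consumes the score) are easier to see in code. The following is an added example written for this page, not BrightCloud’s API or scoring formula: it derives a 1–100 reputation score for IP indicators from a dated observation history (recent observations weigh more, flapping between benign and malicious is penalized, newly seen and unpopular infrastructure gets less benefit of the doubt), then applies it to constructed firewall log lines under two different policy thresholds. The feed entries, the weights, the half-life, the category names and the log format are all assumptions made for the example.

```python
"""Added example (not BrightCloud's code): behaviour-over-time IP reputation
scoring applied to constructed firewall log lines with a policy threshold."""
from dataclasses import dataclass
from datetime import date
import re

MALICIOUS = {"botnet", "c2", "scanner", "spam", "phishing"}   # assumed category names

@dataclass
class IpIntel:
    ip: str
    first_seen: date
    history: list      # [(date, category), ...] oldest first: a record, not a snapshot
    popularity: int    # 0..10, how widely the IP is seen across telemetry sources

def reputation_score(intel: IpIntel, today: date) -> int:
    """1 (worst) .. 100 (best). Recent observations outweigh old ones (90-day
    half-life), benign/malicious churn is penalised, infrastructure first seen
    under 30 days ago loses 10 points, popularity adds up to 10 points."""
    weight_sum = bad_sum = 0.0
    for seen, category in intel.history:
        w = 0.5 ** ((today - seen).days / 90)
        weight_sum += w
        if category in MALICIOUS:
            bad_sum += w
    malicious_ratio = bad_sum / weight_sum if weight_sum else 0.0
    flags = [c in MALICIOUS for _, c in intel.history]
    flips = sum(1 for a, b in zip(flags, flags[1:]) if a != b)
    score = 100.0 * (1.0 - malicious_ratio)
    score -= 5 * min(flips, 4)                 # churn between states is itself a risk signal
    if (today - intel.first_seen).days < 30:
        score -= 10
    score += intel.popularity
    return max(1, min(100, round(score)))

def risk_category(score: int) -> str:
    return "high" if score <= 20 else "suspicious" if score <= 60 else "low"

LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")

def decide(score, block_below: int) -> str:
    """block_below is the policy threshold. A destination with no intelligence
    is allowed here; a stricter policy could alert on it instead."""
    if score is None:
        return "allow"
    if score < block_below:
        return "block"
    return "allow" if risk_category(score) == "low" else "alert"

def evaluate_logs(lines, feed, today, block_below):
    rows = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                            # malformed line; count these in production
        intel = feed.get(m["dst"])
        score = reputation_score(intel, today) if intel else None
        rows.append({"ts": m["ts"], "dst": m["dst"], "score": score,
                     "action": decide(score, block_below)})
    return rows

TODAY = date(2021, 2, 9)
FEED = {  # constructed feed using documentation address ranges
    "203.0.113.10": IpIntel("203.0.113.10", date(2020, 1, 15),
        [(date(2020, 6, 1), "botnet"), (date(2020, 8, 1), "c2"),
         (date(2020, 11, 1), "c2"), (date(2021, 1, 15), "c2")], popularity=1),
    "198.51.100.7": IpIntel("198.51.100.7", date(2018, 3, 1),
        [(date(2019, 5, 1), "cdn"), (date(2020, 6, 1), "cdn"), (date(2021, 1, 10), "cdn")],
        popularity=10),
    "192.0.2.33": IpIntel("192.0.2.33", date(2020, 10, 1),
        [(date(2020, 10, 1), "benign"), (date(2020, 11, 1), "phishing"),
         (date(2020, 12, 1), "benign"), (date(2021, 1, 20), "phishing")], popularity=3),
}
SAMPLE_LOG = [  # constructed firewall lines
    "2021-02-09T08:01:12Z fw src=10.0.0.5 dst=203.0.113.10 dport=443",
    "2021-02-09T08:02:40Z fw src=10.0.0.5 dst=198.51.100.7 dport=443",
    "2021-02-09T08:03:05Z fw src=10.0.0.9 dst=192.0.2.33 dport=80",
    "2021-02-09T08:04:00Z fw src=10.0.0.9 dst=203.0.113.99 dport=22",
    "not a firewall line",
]

if __name__ == "__main__":
    for threshold in (20, 40):
        print(f"policy: block below {threshold}")
        for row in evaluate_logs(SAMPLE_LOG, FEED, TODAY, threshold):
            print(row)
```

The consistently malicious address scores 1 and is blocked under either threshold; the long-lived CDN address scores 100 and is allowed. The flapping address lands in the “suspicious” band, so the threshold alone decides its fate: at “block below 20” it only raises an alert, at “block below 40” it is blocked. That is the gap the policy configuration point above is about.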

Necessary, not sufficient

Many security companies treated the Orion software update released by SolarWinds as one coming from a trusted partner. That factor contributed to the widespread success of the suspected espionage operation. It also allowed the threat actors’ reconnaissance operations to go undetected for months.

But Webroot BrightCloud® Threat Intelligence had associated the command and control server’s IP address with a botnet in the summer of 2020. A properly configured security tool using Webroot BrightCloud Threat Intelligence data would have blocked communication with the command and control server.

When used as part of a wider defense in depth strategy, essential threat intelligence components and proper policy configurations that apply that intelligence can help to make vendors and their partners more resilient against complex attacks.

The post Essential Threat Intelligence: Importance of Fundamentals in Identifying IOCs appeared first on Webroot Blog.

Filed Under: brightcloud threat intelligence, Business + Partners, IT Security, Threat Intelligence Tagged With: syndicated

February 2, 2021 By PC Portal

How to Stop Shadow IT, Manage Access and Ensure Security with Cloud Applications

Today, the average enterprise uses over 2000 cloud applications and services, and we expect this number will continue to grow as more businesses realize the efficiency, flexibility and collaboration benefits these services bring. But the use of cloud-based applications also comes with a few caveats; for example, the apps themselves may pose potential security vulnerabilities, and it’s also hard to prevent employees from using unsanctioned applications outside of the approved list (aka “shadow IT”), meaning critical business data could be floating out there in the ether without proper encryption or access controls.

When implementing these types of solutions, security should be a central concern in the vetting process. Unfortunately, it isn’t.

The State of Security with Cloud Applications

A full 92% of enterprises admit they have a gap between current and planned cloud usage and the maturity of their cloud security program. Meanwhile, 63% of web-borne malware and 15% of phishing attacks are delivered over cloud applications. And although 84% of organizations report using SaaS services at their company, more than 93% of those said they still deal with unsanctioned cloud app usage.

Even though cloud transformation is a strategic focus for many businesses, CISOs and IT teams are often left out of the discussion. That may be because the adoption of cloud services is generally billed as quick and easy with a rapid time to value, while IT security vetting processes don’t typically boast the same reputation. That often means that, for reasons of speed and perception, security may be treated as an afterthought — which is a potentially devastating oversight.

As adoption continues to grow, it’s critical for enterprises and small and medium-sized businesses (SMBs) alike to balance their cloud application use with security and access control; otherwise, the benefits they see may quickly turn into regulatory compliance nightmares, data loss disasters and security breaches.

Bringing Security and Visibility to Your Cloud Transformation

To improve visibility into the cloud applications being used, and to create usage policies and address security risks, many businesses are turning to Cloud Access Security Brokers (CASBs). CASB services are typically placed between the businesses that consume cloud services and the providers that offer them, effectively protecting the gateway between a company’s on-premises IT infrastructure and the cloud service provider’s infrastructure. As such, CASBs can provide a central location for policy and governance simultaneously across multiple cloud services – for users and devices – and granular visibility into and control over user activities and sensitive data. They typically help enforce data-centric security policies based on data classification, data discovery and user activity surrounding data.

Faced with a continually growing and changing number of cloud applications and services, it’s critical to have accurate, up-to-date cloud-specific intelligence, not only for CASBs but also for other security tool providers that offer support and policy control capabilities around cloud applications.

To better enable CASBs and security device vendors to identify and categorize cloud applications, Webroot recently released its newest service: Webroot BrightCloud® Cloud Service Intelligence. This service is designed to offer full visibility, ensure security, enforce compliance, and identify shadow IT through three components: Cloud Application Classification, Cloud Application Function, and Cloud Application Reputation.

By embedding these components into a CASB solution or other security device, partners can identify a given cloud application, classify it by purpose, and control access to it based on the application’s group, name, and the action being performed. Additionally, customers can assess risk and compliance for all cloud applications with a reputation score. Cloud Service Intelligence can also be layered with other BrightCloud® services, such as Web Classification and Web Reputation, for a complete filtering solution that won’t impact product or network bandwidth.
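What “identify the application, classify it by purpose, and control access by group, name and action” looks like once it is wired into a policy engine is easier to judge with a concrete decision path. The following is an added example written for this page, not Webroot’s Cloud Service Intelligence or any CASB vendor’s code: it maps request hosts from constructed proxy log lines onto a constructed catalogue of (application name, functional group, reputation), derives the action from the HTTP method, applies ordered policy rules, and reports unsanctioned (shadow IT) application usage. The catalogue, the sanctioned list, the rules, the log format and the hostnames are all assumptions.

```python
"""Added example (not a vendor's CASB code): app classification plus
group/name/action policy decisions over constructed proxy log lines."""
from collections import Counter
import re

# Constructed catalogue: registrable hostname -> (app name, functional group, reputation 1..100)
CATALOGUE = {
    "sharepoint.example-corp.com": ("CorpShare", "storage", 90),
    "drive.example-cloud.net": ("CloudDrive", "storage", 85),
    "paste.example-bin.org": ("QuickPaste", "storage", 35),
    "chat.example-team.io": ("TeamChat", "collaboration", 80),
}
SANCTIONED = {"CorpShare", "TeamChat"}   # the approved list; anything else in use is shadow IT

def classify_host(host: str):
    """Exact match or label-boundary suffix match. The leading dot matters:
    'evil-sharepoint.example-corp.com' must not inherit CorpShare's classification."""
    host = host.lower().rstrip(".")
    for suffix, entry in CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return entry
    return None

UPLOAD_METHODS = {"POST", "PUT", "PATCH"}

def action_for(method: str) -> str:
    return "upload" if method.upper() in UPLOAD_METHODS else "download"

# Ordered rules, first match wins; an absent field means "any".
POLICY = [
    dict(max_reputation=49, verdict="block", reason="low-reputation app"),
    dict(group="storage", action="upload", sanctioned=False, verdict="block",
         reason="upload to unsanctioned storage"),
    dict(sanctioned=False, verdict="alert", reason="unsanctioned app (shadow IT)"),
]

def decide(app: str, group: str, reputation: int, action: str):
    sanctioned = app in SANCTIONED
    for rule in POLICY:
        if "max_reputation" in rule and reputation > rule["max_reputation"]:
            continue
        if rule.get("group") not in (None, group):
            continue
        if rule.get("action") not in (None, action):
            continue
        if rule.get("sanctioned") not in (None, sanctioned):
            continue
        return rule["verdict"], rule["reason"]
    return "allow", "sanctioned app" if sanctioned else "default allow"

PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<host>\S+) "
                      r"(?P<path>\S+) (?P<status>\d+) (?P<bytes>\d+)$")

def evaluate(lines):
    rows = []
    for line in lines:
        m = PROXY_RE.match(line)
        if not m:
            continue
        entry = classify_host(m["host"])
        action = action_for(m["method"])
        if entry is None:                       # unknown host: surface it for review
            rows.append(dict(user=m["user"], host=m["host"], app="unclassified", group=None,
                             action=action, verdict="review", reason="host not in catalogue"))
            continue
        app, group, reputation = entry
        verdict, reason = decide(app, group, reputation, action)
        rows.append(dict(user=m["user"], host=m["host"], app=app, group=group,
                         action=action, verdict=verdict, reason=reason))
    return rows

def shadow_it_summary(rows) -> Counter:
    """Request count per unsanctioned application actually observed in traffic."""
    return Counter(r["app"] for r in rows
                   if r["app"] != "unclassified" and r["app"] not in SANCTIONED)

SAMPLE_PROXY_LOG = [  # constructed: timestamp user method host path status bytes_out
    "2021-02-02T09:10:01Z alice GET drive.example-cloud.net /files 200 512",
    "2021-02-02T09:12:44Z alice POST drive.example-cloud.net /upload 200 4194304",
    "2021-02-02T09:15:00Z bob POST paste.example-bin.org /api/paste 200 2048",
    "2021-02-02T09:16:30Z bob GET chat.example-team.io /messages 200 1024",
    "2021-02-02T09:20:00Z carol GET files.sharepoint.example-corp.com /doc.docx 200 8192",
    "2021-02-02T09:21:00Z carol GET www.unknown-host.example /x 200 100",
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_PROXY_LOG)
    for r in results:
        print(f"{r['user']:6} {r['action']:8} {r['app']:12} {r['verdict']:6} {r['reason']}")
    print("shadow IT:", dict(shadow_it_summary(results)))
```

Reading a file from an unsanctioned storage app only raises an alert, uploading to it is blocked, and a low-reputation app is blocked regardless of who sanctioned it; the host-suffix check also shows the boundary caveat any classification lookup needs, since a naive `endswith` would let a lookalike hostname inherit a trusted app’s classification.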

Next Steps

The use of cloud applications is only going to continue to grow. Actionable threat intelligence can provide critical data around which cloud applications are being used within an organization, how they are being used, and what their security reputations may be. Armed with this kind of visibility and security information, enterprises, businesses, and the CASB and security providers who serve them can reduce risk and minimize shadow IT for a stronger overall cyber resilience posture. Learn more about this new service and its applications in our datasheet.

The post How to Stop Shadow IT, Manage Access and Ensure Security with Cloud Applications appeared first on Webroot Blog.

Filed Under: brightcloud threat intelligence, Business + Partners, IT Security, Threat Intelligence Tagged With: syndicated

January 20, 2021 By PC Portal

Employee Spotlight: The Human Faces Behind Artificial Intelligence

Webroot BrightCloud® Threat Intelligence relies on the collective power of millions of devices working together. But what sometimes gets lost is the actual humans behind bringing this technology to market. In this Employee Spotlight, we talk to Account Development Executive, Jordan Gray, who works with C-level executives to integrate threat intelligence solutions within their environments.

What brought you to Webroot?

In 2018, I was looking for a career change away from insurance. After doing some extensive research into the market, I decided that the tech industry, particularly in Ireland, was right for me as more and more tech companies start setting up offices here. After initially setting up a call with a recruiter to discuss a role at Webroot, I fell in love with the product and company vision. The rest is history!

What is your role in the company?

My main role requires me to conduct high-level discovery calls and sessions to BANT qualify C-Level and VPs before passing qualified opportunities onto our Sales Director to discuss integration and pricing in detail.

Have you ever had any close calls with malicious actors?

Thankfully, I never had any close calls with real malicious actors. However, about six months into my role at Webroot, I was successfully phished by our IT department who were sending out simulated phishing emails at the time. They sent me a delivery notice from a courier that was sending me a parcel and I clicked the link without checking. Nonetheless, I brushed up on my security awareness training afterwards! Lesson learned from me.

What are the top three malicious actors you think people should be concerned about?

Coronavirus scams are spreading nearly as fast as the virus itself. As of Jan. 3, the Federal Trade Commission (FTC) had logged more than 298,000 consumer complaints related to COVID-19 stimulus payments, 68 percent of them involving fraud or identity theft. They’ve also shut down hundreds of suspected phishing sites, which promise vaccines and other aid. That being said, our Tier-1 URL filtering can really help organizations block access to malicious sites keeping them and their customers safe.

Malware is the second big threat facing businesses. It encompasses a variety of cyber threats, such as trojans and viruses. It’s a general term for malicious code that hackers create to gain access to networks, steal data or destroy data on computers. Malware usually comes from malicious website downloads, spam emails or from connecting to other infected machines or devices. Businesses can stay safe by using Webroot’s industry leading endpoint protection.

Ransomware is one of the most common cyber-attacks, hitting thousands of businesses every year. They’ve grown more common recently, as they are one of the most lucrative forms of attacks. According to Forbes, ransomware payments have more than doubled in the last 12 months.

How have malicious threats evolved since the early days of the internet to now?

Cyber threats are evolving every day. Hackers are constantly looking for new ways to exploit individuals and organizations. It’s becoming easier for even amateur hackers to access high-level malicious software, with the availability of ransomware as a service (RaaS). This allows highly skilled cyber criminals to create malware and sell it off to other cyber criminals, making a profit without the risk of deploying the malware themselves.

How have our defenses evolved to match the growing threats that malicious actors represent?

Webroot is currently using 6th Generation machine learning (ML), which uses complex neural networks that allow the machine to more accurately and autonomously identify relevant patterns and concepts within continually growing amounts of telemetry from Webroot customers.

What specifically is Webroot doing with regards to its threat intelligence platform to combat these increasingly sophisticated attacks?

Webroot’s Threat Intelligence platform continues to improve every day. We have a uniquely diverse customer base, from consumer to small and midsize businesses and all the way up to the enterprise. So, we see every type of online threat. Also, we have started to work closer with our partners to identify how we can solve industry problems such as the cloud access security broker (CASB) market and become leaders within these market segments.

Where do you think the future of threat intelligence is headed? 

The market is still growing. Research suggests threat intelligence could be a $13 billion market by 2023. Organizations of all sizes are starting to use threat intelligence. I personally think cybersecurity will move from reactive to proactive. Threat intelligence will effectively predict and prevent attacks at the earliest stage, and sooner or later, underpin the whole concept of proactive cybersecurity and organizational risk.

What else are you into besides threat intelligence?

I am a big football fan, or soccer as the guys in the U.S. would say. In my free time, you’d find me watching Manchester United play while having a Guinness or spending time going on road trips with my girls when COVID and the weather permits. 

The post Employee Spotlight: The Human Faces Behind Artificial Intelligence appeared first on Webroot Blog.

Filed Under: #LifeAtWebroot, brightcloud threat intelligence, IT Security Tagged With: syndicated


Copyright © 2021 · PC PORTAL