New Challenges for Information Security Tasks
Cybercriminals significantly increased their activity during the pandemic. According to expert estimates, in the spring of 2020 the number of cybercrimes rose by roughly 20-25% compared to the same period of the previous year. This spring has added still more activity: powerful DDoS attacks and targeted APT attacks against Russian web resources and major enterprises. Russian companies are learning the art of combating threats under the new conditions in real time. The article is included in the TAdviser reviews "Artificial Intelligence Technologies" and "Security of Information Systems."
A recent study by the research company Gartner is devoted to current global trends in information security. In particular, it predicts that by 2025, 60% of organizations worldwide will adopt the zero trust concept as the starting point for their security. Moreover, as the report notes, more than half of these organizations will fail to realize the benefits they expect from zero trust. The reason, Gartner's experts explain, is that zero trust is not simply another security tool but a comprehensive set of principles for cybersecurity and for granting access to information systems. So what is at stake is not so much the deployment of security products as a new culture of transparent communication.
In addition, Gartner analysts predict that by 2025 cybercriminals will actively, and most importantly successfully, weaponize technological environments to harm organizations and people. This is not only about seizing control of data but about attacks aimed at taking control of entire infrastructures. Figuratively speaking, it is about wide replication, across enterprises in different sectors of the economy, of the attack on the American pipeline operator Colonial Pipeline, which halted all of the company's pipelines and prompted a federal emergency declaration in the US.
New trends in information security threats
New risks arising from the current "hot" geopolitical situation are today being added to the global trends above. Thus, StormWall recorded a radical increase in DDoS attacks in late 2021 and early 2022; at times their strength reached 1.2 Tbit/s.
"If earlier a flow of 200-300 thousand requests per second was considered almost incredible, this spring the flows exceeded a million requests per second," said Igor Lyapunov, vice president for information security at Rostelecom, at the TAdviser SummIT conference at the end of May. "And under the smoke screen of the DDoS attacks there were targeted attacks."
The botnets then evolved, with their regional distribution following the location of the attackers' targets. Although the power of the attacks has decreased, their effectiveness has generally increased, StormWall notes, because the capacity of the filtering points available to most anti-DDoS service providers in different regions is insufficient to repel today's powerful, narrowly targeted attacks.
Igor Lyapunov also notes that the attack vector has changed seriously. From the very beginning of the SVO, a free tool for organizing attacks, together with all the leaked databases of Russian accounts, has been available on the darknet.
Unprotected corporate databases are a notable feature of the current state of information security. In a global study covering the period from Q1 2021 to Q1 2022, Group-IB specialists found that by the end of 2021 the number of publicly accessible databases worldwide was 308 thousand, and in Q1 2022 it reached 399,200.
It is somewhat encouraging that most of them were hosted on servers in other countries: the USA, China, Germany, France and India. But the fact that almost 7,500 "ownerless" databases were on Russian servers in the spring is clearly a call to action.
Group-IB experts warn that unprotected databases are easy prey for cybercriminals and can lead not only to leaks of personal data but also to targeted attacks on organizations. Accordingly, the number of phishing affiliate programs will also grow, and attackers will begin actively developing phishing affiliate schemes for the financial sector. This type of fraud may become a more high-tech replacement for calls from fake call centers, according to Group-IB.
"For example, the accounting program M.E.Doc suddenly sent malicious Petya code to all of its users, and the SolarWinds monitoring program suddenly gave unknown hackers remote access to the networks of 300,000 companies. All of this happened after the servers of the software suppliers were hacked and the attackers introduced the functionality they needed."
This is a major challenge for the entire domestic IT industry: the free software that is so popular today cannot be made trusted. In addition, gaps in the knowledge of companies' IT and information security specialists about their own infrastructure were revealed: technological development is outpacing employees' ability to keep all the necessary knowledge in mind.
Information security technologies of today and tomorrow
"The security architecture paradigm itself has changed: instead of the model of a reliably protected fortress (with thick perimeter walls that are hard to cross), there is layered defense, prompt detection of an attack and a quick response before the intruder can cause any significant damage."
If the needs of import substitution in information security are added to this picture, it becomes clear why experts have no doubt that the Russian market for information security tools will grow actively in the coming years. Their views differ only in the specific growth rates: 7% per year from 2021 to 2025 (J'son & Partners Consulting), 8% in 2021 (Informzaschita), 10-15% in 2021 (Positive Technologies), 25-30% (R-Vision).
According to Rostelecom-Solar, the Russian information security market reached 98.6 billion rubles in 2021 (8% growth over the previous year). According to the company's study, the public sector remains the main driver of the Russian information security market: this segment will grow at an average rate of 13% in the coming years and reach 43.8 billion rubles by 2025, with the total market volume at 131.8 billion rubles.
New corporate information security tools are meeting the new conditions, and both the present and the future of information security are tied to intelligent IT solutions. According to 2019 research by the Capgemini Research Institute, most organizations worldwide use AI technologies to detect cyber threats, and almost half of respondents said at the time that their AI budgets for cybersecurity would increase by an average of 29% in 2020.
Here the defenders are following the attackers, who use artificial intelligence (AI) mechanisms to devise new, highly effective attacks.
"Countering such attacks requires complex analytical solutions," says Ruslan Kosarim, Deputy Technical Director for Business Development at Angara, "and today one can see classic solutions being modernized with AI to achieve more effective protection. This has happened with network security and endpoint security solutions. AI helps find anomalies in data, processes and user behavior. It is precisely this ability to quickly analyze large streams of heterogeneous events and find abnormal, suspicious combinations in them that helps solve a wide range of information security problems today. And the role of such tools in the current threat situation is hard to overestimate."
Identifying Shadow Digital Assets
The steady digitalization of business processes and operations leads to constant growth in digital assets. At the same time, some of them end up in the "shadow": they are reachable from the outside, but the organization itself neither controls nor protects them.
"The emergence of uncontrolled IT resources puts organizations at serious risk," says Tim Boback, head of Attack Surface Management at Group-IB. "According to our data, more than 50% of the incidents investigated by the Group-IB Digital Forensics Laboratory in 2021 resulted from the exploitation of perimeter vulnerabilities and could have been prevented. This requires robust tools to monitor and comprehensively inventory existing digital assets."
External Attack Surface Management (EASM) products can be used to protect company resources outside the perimeter. They monitor all of the organization's externally accessible digital assets, identify vulnerabilities, and allow tracking the effectiveness of the measures taken.
Group-IB's EASM-class solution, using Threat Intelligence data, provides full monitoring of all of the organization's externally accessible digital assets, identifies vulnerabilities and prioritizes critical risks. To support the solution, Group-IB Attack Surface Management scans the entire IPv4 address space of the Internet every day and identifies not only current cyber threats, such as malware and phishing panels, but also unsecured corporate digital assets. These can include forgotten cloud services with vulnerable software, incorrectly configured databases accidentally exposed to the network, or self-deployed web servers: anything that can lead to unauthorized access to the company's infrastructure.
The product lets you see all of the company's cybersecurity risks in real time on one dashboard, from data leaks to an open RDP port, which significantly reduces the time and resources spent by the IT and security teams and frees them up for higher-priority projects.
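As an added illustration (not part of the original article and not the code of any Group-IB product), the Python script below shows the two steps an EASM workflow rests on: comparing what an external scan sees against the organization's own inventory to find shadow assets, and ranking the exposures it finds so that an open RDP port or an Internet-facing database surfaces first. The scan rows, the CMDB export and the rule weights are constructed for the example; the IP addresses are documentation ranges.

```python
"""Added example: separating "shadow" perimeter assets from known ones and
prioritizing exposures. Standard library only; scan output and CMDB export
are constructed, not real data."""
import csv
import io
from dataclasses import dataclass

# Hypothetical CMDB export: IP -> owning team. Anything discovered from the
# outside that is not in here is a shadow asset (nobody patches or monitors it).
INVENTORY = {
    "203.0.113.10": "web-01 / IT operations",
    "203.0.113.11": "mail-01 / IT operations",
}

# Constructed external scan output (nmap-like, one open port per row; the
# last row is a deliberate duplicate, which scanners do produce).
SCAN_CSV = """ip,port,proto,service,product
203.0.113.10,443,tcp,https,nginx 1.18
203.0.113.10,3389,tcp,ms-wbt-server,Microsoft Terminal Services
203.0.113.11,25,tcp,smtp,Postfix
203.0.113.45,27017,tcp,mongodb,MongoDB 3.6
203.0.113.45,22,tcp,ssh,OpenSSH 7.4
203.0.113.77,8080,tcp,http,Jenkins 2.303
203.0.113.77,8080,tcp,http,Jenkins 2.303
"""

# Exposure rules: (description, severity 1-10), matched on port or on product.
PORT_RULES = {
    3389: ("RDP reachable from the Internet", 9),
    445: ("SMB reachable from the Internet", 9),
    27017: ("database reachable from the Internet", 10),
    5432: ("database reachable from the Internet", 10),
    3306: ("database reachable from the Internet", 10),
    6379: ("database reachable from the Internet", 10),
    9200: ("database reachable from the Internet", 10),
}
PRODUCT_RULES = {"jenkins": ("CI server reachable from the Internet", 7)}
SHADOW_BONUS = 3  # unowned means unpatched and unmonitored, so rank it higher


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    service: str
    issue: str
    severity: int
    shadow: bool


def parse_scan(text):
    """Parse scan rows and drop exact duplicates."""
    rows, seen = [], set()
    for row in csv.DictReader(io.StringIO(text)):
        key = (row["ip"], int(row["port"]), row["proto"])
        if key not in seen:
            seen.add(key)
            rows.append({**row, "port": int(row["port"])})
    return rows


def shadow_assets(rows, inventory=INVENTORY):
    """Discovered hosts that the organization does not know it owns."""
    return sorted({r["ip"] for r in rows if r["ip"] not in inventory})


def prioritize(rows, inventory=INVENTORY):
    """Apply the exposure rules and return findings, most severe first."""
    findings = []
    for r in rows:
        rule = PORT_RULES.get(r["port"])
        if rule is None:
            for name, product_rule in PRODUCT_RULES.items():
                if name in r["product"].lower():
                    rule = product_rule
        if rule is None:
            continue
        issue, severity = rule
        shadow = r["ip"] not in inventory
        findings.append(Finding(r["ip"], r["port"], r["service"], issue,
                                severity + (SHADOW_BONUS if shadow else 0), shadow))
    return sorted(findings, key=lambda f: (-f.severity, f.ip, f.port))


if __name__ == "__main__":
    rows = parse_scan(SCAN_CSV)
    print("shadow assets:", shadow_assets(rows))
    for f in prioritize(rows):
        print(f"{f.severity:2d} {f.ip}:{f.port} {f.issue}{' [shadow]' if f.shadow else ''}")
```

On the constructed input the exposed MongoDB on an unknown host ranks above the RDP port on a known one: the rule weight is the same kind of "critical risk" prioritization the dashboard description refers to, with ownership treated as a risk factor in its own right.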
A new generation of "honey pots"
One area of information security risk is associated with the growth of large Internet of Things projects, up to smart city solutions: the level of digitalization and intelligence of such systems often increases at the expense of security. Indeed, smart devices without special protection become easy victims of cybercriminals. For this reason, experts classify the global IoT security market as one of the fastest-growing segments. According to Markets & Markets researchers, its growth rate is about 24%.
Deception-class systems are expected to grow in popularity in this segment, providing intelligent protection with deceptive traps designed to detect intruders inside the infrastructure.
"Deception (creating false targets, setting traps) is an effective corporate information security technology. Organizations use it to detect intruders and prevent attacks at an early stage," says Sergey Bortnikov, manager of technology solutions at Softline, in his article.
Deception solutions allow traps to be created in the company's infrastructure in order to neutralize the attacker and understand his goals and motives.
Deception is a direct descendant of the honeypot, which acts as a decoy, distracting the attacker from his activity in the attacked network. If a honeypot is a standalone solution that records the actions of an attacker, then Deception (or a Distributed Deception Platform, DDP) is a centralized system comprising many interconnected "pots." As Sergey Bortnikov explains, Deception technology automatically changes the environment rather than leaving it static, as a honeypot does.
"Consequently, hackers conduct thorough reconnaissance and adapt their tools to the specifics of the victim's infrastructure. To successfully identify such threats, decoys must accurately imitate employees' real workstations and provoke attackers into revealing themselves," says Sergey Bortnikov.
Therefore, when a DDP is deployed, the organization's IT infrastructure is divided into two parts. The first is the company's real network, the second is a simulated environment made up of traps. Moreover, these lures are placed on the real production infrastructure: fake records of mapped network drives, credentials and other entities. The point of the design is that if an attacker gets into the organization's real infrastructure and reaches a workstation or server, he will stumble upon the lures and traps, be detected, and work with him will begin.
According to Sergey Bortnikov, DDP systems demonstrate a low level of false positives, so integration with other security tools is recommended: SIEM (prompt notification of compromised machines, automatic search for infected systems using configured policies), firewalls (the ability to send requests to block or quarantine infected workstations), EDR (blocking and quarantining infected hosts, automatic incident response using isolation policies), and sandboxes (sending suspicious executable files for analysis).
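An added example, not taken from any vendor's platform, of how lure-based detection looks on the SIEM side. It assumes a hypothetical registry of lures (a fake saved RDP account, a fake database connection string, a fake mapped drive), each unique to the workstation it was planted on, and constructed key=value audit lines. Because lures have no legitimate use, any attempt to use one is an alert, a failed logon included; and because each lure is unique, the alert names the host where it was harvested, which is exactly what the EDR isolation request needs.

```python
"""Added example: detecting use of planted decoy credentials and decoy shares.
Standard library only; the lure registry and the audit lines are constructed."""
import json
import re
from dataclasses import dataclass, asdict

# Hypothetical lure registry: one record per lure. Every lure is unique to the
# host it was planted on, so its use reveals where the attacker harvested it.
LURES = {
    "svc_backup_17": {"planted_on": "WS-017", "kind": "saved RDP credential"},
    "sql_ro_042": {"planted_on": "WS-042", "kind": "DB connection string"},
    r"\\fs-archive\finance": {"planted_on": "WS-042", "kind": "fake mapped network drive"},
}
# Windows account names and UNC paths are case-insensitive, so match on lowercase.
_LURES_CI = {name.lower(): (name, info) for name, info in LURES.items()}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_event(line: str) -> dict:
    """Parse a constructed key=value audit line into a dict."""
    return dict(_KV.findall(line))


@dataclass
class LureAlert:
    ts: str
    lure: str
    kind: str
    planted_on: str  # host where the lure was planted (the harvest point)
    src: str         # host the lure was used from
    dst: str
    lateral: bool    # used from a host other than the one it was planted on


def detect_lure_use(lines):
    """Return one alert per event that touches a lure, successful or not.

    Lures have no valid password and point at nothing real, so a failed logon
    with a lure is as much a compromise signal as a successful one.
    """
    alerts = []
    for line in lines:
        ev = parse_event(line)
        for field_name in ("user", "path"):
            hit = _LURES_CI.get(ev.get(field_name, "").lower())
            if hit is None:
                continue
            name, info = hit
            alerts.append(LureAlert(
                ts=ev.get("ts", ""), lure=name, kind=info["kind"],
                planted_on=info["planted_on"], src=ev.get("src", "?"),
                dst=ev.get("dst", "?"),
                lateral=ev.get("src") != info["planted_on"],
            ))
    return alerts


def siem_events(alerts):
    """Serialize alerts as JSON lines for forwarding to a SIEM."""
    return [json.dumps({"rule": "deception.lure_used", **asdict(a)}) for a in alerts]


def isolation_targets(alerts):
    """Hosts an EDR isolation policy should quarantine: the harvest point and
    the host the lure was used from."""
    return sorted({h for a in alerts for h in (a.planted_on, a.src) if h != "?"})


# Constructed sample audit lines (not real logs).
SAMPLE_LOG = [
    "ts=2022-05-12T09:58:01 type=logon user=j.ivanov src=WS-017 dst=DC-01 result=OK",
    "ts=2022-05-12T10:03:11 type=logon user=SVC_BACKUP_17 src=WS-017 dst=DC-01 result=FAIL",
    "ts=2022-05-12T10:04:40 type=logon user=sql_ro_042 src=WS-017 dst=SQL-02 result=FAIL",
    r"ts=2022-05-12T10:06:02 type=share_access user=j.ivanov path=\\fs-archive\finance src=WS-042 dst=FS-01 result=DENIED",
]

if __name__ == "__main__":
    found = detect_lure_use(SAMPLE_LOG)
    for line in siem_events(found):
        print(line)
    print("isolate:", isolation_targets(found))
```

The third sample line is the interesting one: a lure planted on WS-042 is tried from WS-017, so the `lateral` flag is set and both hosts land in the isolation list, even though neither logon succeeded.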
Interestingly, a DDP platform can be deployed not only in IT infrastructure but also, for example, in the industrial control system (ICS) networks of industrial enterprises.
The registry of domestic software includes the Xello Deception platform developed by Xello.
The company says that the Xello Deception platform accelerates incident response through automated attack analysis, the Dexem hidden-bait technology and incident handling. Among its features:
- Continuous data collection that enriches SOC data and reduces the time needed to analyze an incident.
- Selection of attack scenarios: the attacker's tactics are analyzed and he is misled, using machine learning.
- Improved VDI security with distributed deception technology.
Xello Deception is an agentless solution that creates decoys on virtual hosts and distributes them across the enterprise network using its own technology. Decoys can be saved passwords and sessions, keys, fake configuration files, databases and so on. Their task is to emulate real information assets in order to detect an attacker inside the company's perimeter. This improves the security of the VDI environment and reduces the risk of unauthorized access to the company's infrastructure. The number of decoys and the ways they are distributed are constantly growing.
Behavioral analysis
"This allows UEBA systems to build profiles not only of users but of the entire IT environment. Thanks to this, UEBA systems, unlike UBA, are able to identify a wider class of threats, associated not only with users but also with IT infrastructure objects," notes Alexey Matveev.
UEBA solutions use machine learning, algorithms and statistical analysis to determine when a deviation from established patterns occurs, and automatically decide which of these anomalies could indicate a potential or actual threat. A proactive approach to security based on growing volumes of data about user behavior means that, from the collected data, the UEBA system builds a model of normal user behavior and of users' interaction with corporate systems, using both statistical and machine learning algorithms, and detects deviations of each user or group of users from the general model.
In addition, the UEBA system maintains retrospective statistics for each user and, based on the collected data on abnormal activity, can assign a risk score to each of them. UEBA systems address several main groups of tasks:
- Applied big data analytics from various sources, based on mathematical statistics or machine learning.
- Rapid identification of attacks and other violations, most of which are not detected by classic information security tools.
- Consolidation of data from multiple sources (SIEM, DLP, AD, etc.), building event streams and prioritizing them. UEBA can aggregate data contained in reports and logs, as well as analyze information about files, flows and data packets.
- Prompt response to high-impact events by providing security administrators with advanced incident information covering all nodes involved in the abnormal activity.
Thus, the core of any UEBA system includes big data analytics technologies, which may be available out of the box or connected as separate solutions, for example Elastic Stack.
User Behavior Analytics (UBA) systems for analyzing employee behavior appeared on the market relatively recently. However, they are developing very actively in several directions, notes Vyacheslav Bozhiev, business analyst at InfoWatch. For example, some systems include additional functionality for building a psychological portrait of an employee. Others strengthen the risk assessment unit depending on which security policies have fired. Another approach is based on dynamic analysis of employee behavior to predict risks.
UBA built on this approach brings events out of the "gray" zone, which multiplies the efficiency of working with DLP system data, notes Vyacheslav Bozhiev.
The question sometimes arises of how similar two classes of systems, UEBA and SIEM (Security Information and Event Management), are. Indeed, SIEM is also a set of advanced tools and technologies that provide a comprehensive view of the security of an IT system. SIEM systems also collect data and event information, making it possible to see which patterns and trends are normal, and they can warn about abnormal trends and events.
The UEBA system does the same for the behavior of users and IT entities, determining what is normal practice and what is out of bounds.
At the same time, a SIEM is built on correlation rules (security policies) designed to detect threats as they occur in real time, and advanced attackers can bypass such rules. Advanced APT attacks typically unfold over weeks and months and are better suited to UEBA systems, which do not rely on fixed rules but use risk scoring and algorithms that detect anomalies over time. Therefore, experts advise, the best option is the combined use of SIEM and UEBA to maximize security.
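An added example in Python (not the code of any UEBA product mentioned here) of the mechanics described above: a per-user baseline is built from history, a new day is scored against it, and the risk score accumulates per user across days, so that a slow, multi-day deviation adds up instead of being judged one event at a time, which is the property the text contrasts with rule-based SIEM detection. The users, hosts and events are constructed, and the point values are arbitrary weights chosen for illustration.

```python
"""Added example: a minimal UEBA-style baseline with cumulative per-user risk.
Standard library only; every user, host and event is constructed."""
import statistics
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Baseline:
    hours: set = field(default_factory=set)           # hours of day seen
    hosts: set = field(default_factory=set)           # hosts accessed
    daily_volume: list = field(default_factory=list)  # files read per day


def build_baselines(history):
    """history rows: (user, day, hour, host, files_read)."""
    per_user = defaultdict(Baseline)
    per_day = defaultdict(lambda: defaultdict(int))
    for user, day, hour, host, files in history:
        per_user[user].hours.add(hour)
        per_user[user].hosts.add(host)
        per_day[user][day] += files
    for user, days in per_day.items():
        per_user[user].daily_volume = list(days.values())
    return dict(per_user)


def score_day(baselines, events, risk=None):
    """Score one day of events against the baselines.

    Returns (findings, risk): findings as (user, reason, points) and the
    cumulative per-user risk, which the caller passes back in for the next day.
    """
    risk = defaultdict(int) if risk is None else risk
    findings = []
    volume = defaultdict(int)

    def flag(user, reason, points):
        findings.append((user, reason, points))
        risk[user] += points

    for user, day, hour, host, files in events:
        b = baselines.get(user)
        if b is None:  # no history at all: a new or fabricated account
            flag(user, "no baseline for this user", 50)
            continue
        volume[user] += files
        if hour not in b.hours:
            flag(user, f"activity at {hour:02d}:00 outside usual hours", 20)
        if host not in b.hosts:
            flag(user, f"first access to {host}", 30)
    for user, total in volume.items():
        hist = baselines[user].daily_volume
        if len(hist) < 2:
            continue  # not enough history for a z-score
        mu, sigma = statistics.mean(hist), statistics.pstdev(hist) or 1.0
        z = (total - mu) / sigma
        if z > 3:
            flag(user, f"daily volume {total} is {z:.0f} sigma above the mean {mu:.0f}", 40)
    return findings, risk


def constructed_history(days=20):
    """Twenty ordinary working days for two users (constructed)."""
    rows = []
    for d in range(1, days + 1):
        rows.append(("a.petrov", d, 9 + d % 8, "FS-01", 30 + d % 5))
        rows.append(("a.petrov", d, 10 + d % 7, "FS-02", 10))
        rows.append(("b.sidorova", d, 8 + d % 9, "FS-02", 20 + d % 3))
    return rows


# Day 21: a.petrov reads 900 files at 02:00, some from a never-used host;
# b.sidorova has an ordinary day.
DAY_21 = [
    ("a.petrov", 21, 2, "FS-01", 600),
    ("a.petrov", 21, 2, "FS-ARCHIVE", 300),
    ("b.sidorova", 21, 10, "FS-02", 21),
]
# Day 22: a.petrov quietly touches one more new host during office hours.
DAY_22 = [("a.petrov", 22, 11, "FS-HR", 12), ("b.sidorova", 22, 9, "FS-02", 22)]

BASELINES = build_baselines(constructed_history())

if __name__ == "__main__":
    findings, risk = score_day(BASELINES, DAY_21)
    findings2, risk = score_day(BASELINES, DAY_22, risk)
    for f in findings + findings2:
        print(f)
    print(dict(risk))
```

Day 22 on its own is a single "first access" event that a real-time rule would probably ignore; carried over, it raises a.petrov's score from 110 to 140 while b.sidorova stays at zero, which is the retrospective, per-user accounting the text describes.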
AI vigil: monitoring the work of personnel
According to the research company IDC, companies that do not analyze the effectiveness of their processes lose 20-30% of their revenue, although these losses can be avoided. In essence, this is about employee discipline and performance. In addition, such systems protect the company from employee actions that could harm its business. The second role of employee monitoring systems, controlling behavior for fraud and misconduct, was already of interest to banks in light of the "epidemic" of social engineering scams. And with the wholesale transition to remote work, these issues have become "hot" topics.
Thus, the StaffCop Enterprise system from the Novosibirsk company Atom Security is aimed at monitoring the work of remote employees, with an emphasis on comprehensive monitoring of a remote personal computer. Simply put, after the corresponding application is installed on it, the system administrator gains full control over the user's actions on the corporate network: he can not only see the list of programs the user launches but also study which windows the employee has open, and even block certain resources. The built-in face recognition module helps the administrator make sure that the same company employee is working at the computer.
Since each user action is recorded in the system log, it is possible to build a complete picture of business processes, either to control and optimize them or to reconstruct a violation of information security rules, if one occurred.
Control of illicit user actions at the computer, as implemented in StaffCop, includes recording user actions that could potentially carry risk: connecting USB devices, flash drives and printers, print jobs, interception of clipboard contents, monitoring of configurable log files and interception of keystrokes on the PC keyboard. Moreover, audio recordings from microphones, clipboard contents and other information of interest to the security service undergo linguistic and content analysis to identify the specific information a potential insider has shown interest in. At the same time, analysis of video recordings from the workplace webcam, together with audio recordings, makes it possible to understand which people were in the office at a particular time and what events took place.
The new version of StaffCop Enterprise, presented in early summer, added interception of new types of messengers as well as conversion of audio recordings to text. The information security specialist no longer needs to listen to conversations: it is enough to look at the transcript or, using dictionaries and regular expressions, automate the processing of the text data. Integration of the Apache Tika content parser is also implemented, which allows data to be extracted from intercepted files of more than 100 types and increases the ability to control leaks of critical information.
Special features of the algorithm allow the system to react when UnionPay and Mir bank card numbers are detected in the content stream.
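As an added worked example of the content analysis such systems perform (an illustration, not StaffCop's or InfoWatch's actual algorithm), the Python code below finds bank card numbers in intercepted text: candidate digit runs are extracted, checked with the Luhn algorithm, and classified by issuer prefix. Mir cards begin with 2200-2204 and UnionPay cards with 62; Visa and Mastercard prefixes are included for comparison, so the example covers more brands than the page names. The message is constructed, and the numbers in it are test values that pass the checksum, not real cards.

```python
"""Added example: PAN (bank card number) detection for DLP content analysis.
Standard library only; the sample message and the card numbers are constructed."""
import re

# (brand, inclusive prefix range, allowed length range). The prefix width is
# the number of digits in the range bounds.
BRANDS = [
    ("Mir", 2200, 2204, 16, 19),
    ("UnionPay", 62, 62, 16, 19),
    ("Visa", 4, 4, 13, 19),
    ("Mastercard", 51, 55, 16, 16),
    ("Mastercard", 2221, 2720, 16, 16),
]

# 13-19 digits, optionally separated by single spaces or dashes, not glued to
# other digits (so a 20-digit account number is not matched in pieces).
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def brand_of(digits: str):
    """Issuer by prefix (BIN) and length, or None if no brand matches."""
    for name, lo, hi, min_len, max_len in BRANDS:
        prefix = int(digits[:len(str(lo))])
        if lo <= prefix <= hi and min_len <= len(digits) <= max_len:
            return name
    return None


def find_cards(text: str):
    """Return (brand, masked PAN) for each Luhn-valid number of a known brand."""
    hits = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            brand = brand_of(digits)
            if brand:
                masked = digits[:6] + "*" * (len(digits) - 10) + digits[-4:]
                hits.append((brand, masked))
    return hits


def dlp_verdict(text: str):
    """Block the message if it carries at least one card number."""
    hits = find_cards(text)
    return ("block" if hits else "allow"), hits


# Constructed message: a Mir, a UnionPay and a Visa test number, plus three
# decoys that must not fire (an order id that fails Luhn, a phone number,
# and a 20-digit settlement account).
SAMPLE = (
    "Colleagues, the details: Mir card 2200 0000 0000 0004, UnionPay 6200000000000005.\n"
    "Order 2200000000000001 is an order number, not a card. Phone +7 913 000-00-00.\n"
    "Visa 4111-1111-1111-1111, settlement account 12345678901234567890."
)

if __name__ == "__main__":
    print(dlp_verdict(SAMPLE))
```

The checksum is what keeps the false-positive rate tolerable: the order number in the sample has a plausible Mir prefix and the right length but fails Luhn, so it is not reported, while the Mir and UnionPay numbers are returned masked so that the alert itself does not leak the full PAN.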
Similar dual-use functionality, control over how employees use working time together with ensuring the company's information security, is supported by other software products of this class, for example CleverControl or TimeDoctor. Each product has its own specifics. For example, TimeDoctor has well-developed functionality for recording from the PC monitor, webcam and microphone, and the real-time monitoring implemented in CleverControl is well suited to situations where you need to know what the staff is doing at a given moment.
"The evolution of theft methods, coupled with the general increase in the number of attacks on financial organizations, is increasing interest in anti-fraud systems in the banking sector," emphasizes Ruslan Kosarim of Angara. "To prevent cybercrime, advanced anti-fraud solutions are increasingly being used that analyze customer and transaction data over time and detect behavioral anomalies."
For example, the InfoWatch Traffic Monitor DLP system prevents leaks of confidential information based on full content analysis of information flows, with linguistic analysis of text in 42 languages. Thanks to multidimensional analysis of content, the system "understands" what information is involved and is therefore able to identify and block leaks of confidential information in any format. For example, DeltaCredit Bank uses InfoWatch Traffic Monitor primarily to protect itself from attempts by unscrupulous employees to copy client data from corporate information systems.
The InfoWatch Traffic Monitor DLP solution includes a vector graphics analyzer that detects the presence of any fragment of a sensitive drawing inside another drawing, even if it has been modified. The program can detect excerpts from documents containing confidential information and protect documents on several grounds; for example, it will recognize a scan of a signed and stamped contract.
The product can control both standard and unusual channels: corporate and web mail, instant messengers, cloud storage, network folders, FTP, terminal connections, local and network printers, removable media. Control involves not only identifying but also blocking attempts to transfer confidential information outside the organization, as well as to other network folders within the company's infrastructure. The company notes that InfoWatch Traffic Monitor will "catch" complex text and graphic objects even if an insider has managed to modify them.
EveryTag offers its own solutions to such problems: they help control possible leaks of valuable company information, including corporate documents, personal data, trade secrets, unique developments and other sensitive information.
Ruslan Kosarim is confident that the fight against social engineering will be aided by the further evolution of anti-fraud functionality, especially the introduction of cross-channel monitoring systems. An example of cross-channel monitoring is the Smart Fraud Detection system from Fuzzy Logic Labs. In real time, the system recognizes and monitors employee behavior using cameras (photo and video data) and microphones (audio data). Employee behavior is analyzed to counter fraudulent transactions on the basis of a risk assessment, and the system uses predefined rules to create incidents for abnormal employee actions.
"As a rule, UEBA/DLP systems work only with data from software agents on workstations, servers and network routers/firewalls," explains Mikhail Dudalev, head of data analysis at Fuzzy Logic Labs, in an article in PLUS magazine (October 2021). Sergey Parfenov, technical director of Fuzzy Logic Labs, adds: "When the system operates in a banking context, cross-channel analytics of user behavior can be used, which means building the most complete model of user behavior and improving the detection of anomalies and illegitimate user actions."
"Information received through service channels other than remote banking (RBS) can also improve the quality of indicator calculation for RBS operations. From this point of view, the introduction of a multi-channel anti-fraud system for calculating indicators, in accordance with the requirements of the standard, seemed the most suitable option for us."
"The approach involves constant monitoring of all customer service channels (even those without payment transactions), which fills the analytical system with a large amount of data on possible suspicious actions, even if they are not directly the theft of funds," explains Ivan Barchuk, director of the data collection, storage and analysis department at VS Lab.
Fighting Hidden Threats and Targeted Attacks
The Kaspersky Optimum Security product from Kaspersky Lab implements the ability to find hidden threats: malware that uses various masking mechanisms. This is a separate class of objects under investigation, characterized by the fact that the malware is already embedded in the organization's network and performing its tasks, but cannot be detected by standard protection tools.
The tool for analyzing and blocking hidden threats, optimized for small companies, includes a sandbox, an advanced security component previously available only in "heavy" solutions such as KATA (Kaspersky Anti Targeted Attack) or KEDR (Kaspersky Endpoint Detection and Response).
To combat APT attacks, Kaspersky Lab offers the Kaspersky Expert Security unified security platform. Its central element is a SIEM-class solution, the Kaspersky Unified Monitoring and Analysis Platform (KUMA). KUMA collects and analyzes data from all sources connected to it, which can be not only Kaspersky Lab products but also third-party ones. The components of the Kaspersky Expert Security ecosystem complement each other and exchange information. As a result, Kaspersky Lab says, information security specialists get a complete picture of what is happening in the infrastructure and can focus on promptly repelling cyberattacks of almost any complexity.
"APT detection is a time-consuming process that requires tools to analyze the state of the entire network, as well as remote connections and users working from home. This is a whole set of measures that will allow the information security department to raise the security level of the corporate IT infrastructure," emphasizes Evgeny Budarin, head of the pre-sales support department at Kaspersky Lab.
The complex nature of APT attacks not only requires an entire "portfolio" of security tools; it is also almost impossible to fully automate their detection: only people can make the final decision on the nature of the events taking place.
Angara Professional Assistance has combined human and machine intelligence to protect networks and endpoints from complex threats and APT attacks in its ACR Service AntiAPT & EDR. This is a joint service of Angara and Kaspersky Lab built on the KATA platform and further enhanced with the capabilities of KEDR; data on all identified suspicious events, including sandbox results, ends up on the Angara Cyber Resilience Center (ACRC) platform, designed for monitoring, investigating and analyzing cyber threats. There, information about the customer's protected IT assets is entered into a CMDB, and indicators of compromise (IoC) from trusted sources and regulators are used to enrich incidents. Data and communication channels are protected with SSL/TLS, and a VPN tunnel using GOST algorithms can also be set up.
ML instead of SIEM?
Alexey Lukatsky, a well-known Russian specialist in the field of information security, talks in his article published in the BIS Journal in November 2021 about how with the help of modern ML solutions you can do without purchasing the SIEM system.
Previously, people bought SIEM to reduce the need to write signatures for attack detection systems, as well as reduce the number of false positives from them. Now people buy or build machine learning so as not to write rules for SIEM or reduce the number of false positives in them, - notes Alexey Lukatsky. |
Indeed, two classic approaches to threat detection - signature and "anomalous" - require simulations of "bad" or "good" behavior, respectively, followed by analysis of deviations. However, it is extremely difficult to model what is still unknown. In this situation, machine learning comes to the rescue, which allows you to draw the right conclusion, relying not on models, but on a high-quality datacet.
To learn how to detect spam, we need tens and hundreds of thousands of email messages to analyze. To learn how to predict user behavior, you need to track all his actions for several weeks, - notes Alexey Lukatsky and adds that the best date is this one that will be created directly in the company based on its real data: network traffic, malicious files, URL, email, user actions, etc. |
You then have to preprocess the data and select a different set of characteristics for each analysis direction. For example, for a network anomaly monitoring system (NTA or NDR), such features can be: source port, sender port, protocol (UDP, ICMP, TCP, IPv6), application identifier, etc.
Solutions of the EDR (Endpoint Detection & Response) class have more than 400 such features - these are metadata associated with the analyzed file: presence of network connections, non-standard protocols, use of certain calls, making changes to the file system, development for a certain architecture, accessing the registry, supported languages, working with RAM and hard disk, starting other processes, etc.
After the characteristics are generated, the corresponding model is selected. Teaching with a teacher is effective in the case of fairly simple data and understandable signs, for example, you can detect infection with malicious code, interaction with a command C2 server, loading malicious code, phishing and spam, DGA domains, etc. These models need marked up data that can be generated based on the datacet.
Thus, if teaching with a teacher allows you to identify new, but still previously known types of threats, then teaching without a teacher focuses on the threats of unknown persons, for example, expanding the bridgehead of intruders in the infrastructure (lateral movements), data leaks, abnormal access to various services and servers, - comments Alexey Lukatsky. |
Examples of scenarios for unsupervised learning: a mismatch in the traffic profile or CPU load between identical servers or network segments, which may indicate ransomware at work or a data leak; previously unseen network or user activity; non-standard communications between colleagues (identifying centers of influence, an affair between employees, collusion); a user performing actions with rarely used privileges, etc.
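As an added example (not from the article and not the code of any product it mentions), the Python script below implements the unsupervised scenario just described: per-host features are extracted from constructed flow records, and each server in a pool of identical servers is compared with its peers using a robust z-score (median and MAD), so the host whose traffic profile or CPU load diverges from the group is flagged without any labeled data. Host names, addresses, byte counts and CPU readings are invented; the 3.5 cutoff is the conventional threshold for modified z-scores.

```python
"""Added example, not the article's or any vendor's code: peer-group anomaly
detection over constructed flow records and CPU readings. Identical servers are
compared with each other using a robust z-score (median / MAD); the one whose
profile deviates from its peers is flagged without labeled data. All hosts,
addresses, byte counts and CPU values below are invented."""
from collections import defaultdict
from statistics import median

HOSTS = ["web-01", "web-02", "web-03", "web-04", "web-05"]


def _baseline(host, i):
    # Constructed "normal" flows: (src_host, dst_ip, dst_port, proto, bytes_out)
    return [
        (host, "10.0.0.5", 3306, "TCP", 12_000 + 500 * i),
        (host, "10.0.0.6", 443, "TCP", 4_000),
        (host, "10.0.0.7", 53, "UDP", 300),
    ]


FLOWS = [f for i, h in enumerate(HOSTS, 1) for f in _baseline(h, i)]
# web-04 additionally pushes large volumes to twenty external hosts (constructed, exfiltration-like)
FLOWS += [("web-04", f"203.0.113.{n}", 443, "TCP", 5_000_000) for n in range(1, 21)]

# Constructed CPU readings (percent) for the same pool; web-03 is the odd one out
CPU_LOAD = {"web-01": {"cpu_load": 31.0}, "web-02": {"cpu_load": 34.0},
            "web-03": {"cpu_load": 97.0}, "web-04": {"cpu_load": 29.0},
            "web-05": {"cpu_load": 33.0}}


def extract_features(flows):
    """Per-host feature vector: bytes sent, flow count, distinct destinations, distinct ports."""
    agg = defaultdict(lambda: {"bytes_out": 0, "flows": 0, "dsts": set(), "ports": set()})
    for host, dst, port, _proto, nbytes in flows:
        a = agg[host]
        a["bytes_out"] += nbytes
        a["flows"] += 1
        a["dsts"].add(dst)
        a["ports"].add(port)
    return {h: {"bytes_out": a["bytes_out"], "flows": a["flows"],
                "unique_dsts": len(a["dsts"]), "unique_ports": len(a["ports"])}
            for h, a in agg.items()}


def robust_z(values):
    """Median/MAD z-scores for {host: value}. MAD is scaled by 1.4826 so it matches the
    standard deviation on normal data, and unlike the mean/stddev it is not pulled
    up by the outlier it is supposed to expose."""
    med = median(values.values())
    mad = 1.4826 * median(abs(v - med) for v in values.values())
    if mad == 0:  # peers are all identical: any deviation at all stands out
        mad = 1e-9
    return {h: (v - med) / mad for h, v in values.items()}


def find_outliers(features, threshold=3.5):
    """Flag hosts whose robust z exceeds the threshold on any feature.
    Returns {host: [feature, ...]} in feature order."""
    flagged = defaultdict(list)
    for name in next(iter(features.values())):
        scores = robust_z({h: f[name] for h, f in features.items()})
        for host, z in scores.items():
            if abs(z) > threshold:
                flagged[host].append(name)
    return dict(flagged)


if __name__ == "__main__":
    feats = extract_features(FLOWS)
    for host, f in sorted(feats.items()):
        print(host, f)
    print("traffic outliers:", find_outliers(feats))  # {'web-04': ['bytes_out', 'flows', 'unique_dsts']}
    print("cpu outliers:", find_outliers(CPU_LOAD))  # {'web-03': ['cpu_load']}
```

Median and MAD are used instead of mean and standard deviation because a single server that dominates the total would otherwise inflate the standard deviation and hide itself; that is exactly the situation with one exfiltrating host among five. The feature list follows the NTA example above (ports, destinations and volumes per source host), and the same function works on any per-host metric, which is why the CPU-load case needs no extra code.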
Cyber intelligence (Threat Intelligence)
The complexity of the situation in which information security teams now operate, and the complexity of the security solutions they use, call for a solid informational background: the context in which modern threats and the methods of countering them evolve. This function is now taken on by Threat Intelligence platforms, which accumulate, in real time, a variety of information about possible threats from different sources (commercial and free, closed and open, public and private), classify it and perform various operations on it, including exporting it to security controls and SIEM systems.
Threat intelligence is specific knowledge that makes it possible to understand current threats and their impact on the organization, industry or area of activity; it helps manage risk and make strategic decisions, improves the quality of threat detection and response both proactively and reactively, raises awareness of threats and allows protective measures to be selected that better fit the organization's threat landscape (taking into account the specifics of its activities, sector of the economy and industry), - they say at R-Vision. |
Given these goals, a TI platform should not only collect data but also make it possible to investigate the received entities and the relationships between them, in order to understand the picture of an attack and the course of a malware infection, identify common features of different malicious campaigns and groups, attribute attacks, and solve similar analytical tasks, including automatically. Why is this necessary?
The reason is that there are many data sources; in practice dozens or even hundreds of different sources may be connected to a TI platform. Moreover, each source updates itself from time to time and changes data it provided earlier. "The TI platform should promptly create new entities, update the statuses of old ones if they have changed, get rid of duplicates, bring them into a single, consistent form (normalization), and delete outdated entities. Explicit relationships between entities need to be identified and linked together, defining the nature of the relationship. And these are not all the operations performed," they say at R-Vision.
The steady growth of the platform market has been driven by the active adoption of information technology in both corporate and personal life (which drives the growth of security threats), as well as by regulatory requirements, - comments Anatoly Mukhin, columnist at Anti-Malware.ru. |
Worldwide, the use of Threat Intelligence (TI) is gradually becoming part of the standard SOC toolset, but in Russia this tool is only gaining popularity. R-Vision experts conducted a dedicated study to understand how Russian companies use TI data, how they process it and what difficulties they face.
The main element of a Threat Intelligence platform is the data streams presented in the form of Indicators of Compromise (IoC), the Anti-Malware.ru researchers note: these are signs by which a security risk can be detected, for example, IP addresses and URLs associated with malicious activity, hashes of malicious files, etc. A sequence of indicators of compromise from one source is usually called a "feed".
Both free and paid feeds are available today; they are usually distributed (sold) by vendors. At the same time, the obvious drawback of feeds is the lack of context: "raw" data does not answer the main questions. How are the indicators of compromise connected with specific attacks? What role do they play in the attacker's infrastructure? Answering them requires analyzing the links between the received data and the data already available, which is very laborious.
This is where Threat Intelligence platforms come to the rescue, allowing you to automatically receive feeds and enrich them with context. They help information security specialists stop attacks at an early stage (for example, by detecting network communication with known botnet servers or by blocking the addresses of phishing domains on the organization's mail server), and also make the most of the information they receive, says Anatoly Mukhin. |
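As an added example (not the article's text and not the code of any platform described on this page), the Python script below implements in miniature the pipeline the quotes above describe: two constructed feeds in different formats are parsed, each indicator is refanged, typed and normalized, duplicates across sources are merged while tracking first- and last-seen dates, stale indicators are aged out, and the result is matched against constructed proxy log lines and exported as a blocklist. All feed entries, addresses, domains, hashes and log lines are invented.

```python
# Added example (not the article's or any vendor's code): a minimal TI pipeline over
# constructed feeds and log lines. Every IP, domain, URL and hash below is invented.
import json
import re
from datetime import date
from urllib.parse import urlparse

IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")  # md5 / sha1 / sha256
DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
FEED_A_CSV = """\
# constructed CSV feed: indicator,type_hint,first_seen,tag|tag
198[.]51[.]100[.]7,ip,2022-03-01,c2
evil-updates[.]example,domain,2022-03-02,phishing
hxxp://evil-updates[.]example/login,url,2022-03-02,phishing|credential-theft
0A1B2C3D4E5F60718293A4B5C6D7E8F9,md5,2022-02-20,malware
999.1.1.1,ip,2022-03-03,typo
"""
FEED_B_JSON = """[
 {"value": "198.51.100.7", "seen": "2022-03-10", "tags": ["botnet"]},
 {"value": "Evil-Updates.example", "seen": "2022-03-05", "tags": ["phishing"]},
 {"value": "203.0.113.42", "seen": "2022-03-11", "tags": ["scanner"]}
]"""
PROXY_LOG = [  # constructed proxy log lines
    "2022-03-12T10:00:01 10.1.2.3 GET http://evil-updates.example/login 200",
    "2022-03-12T10:00:05 10.1.2.9 CONNECT 198.51.100.7:443 200",
    "2022-03-12T10:00:07 10.1.2.4 GET https://www.example.org/ 200",
]

def refang(raw):
    """Undo common feed defanging: hxxp:// -> http://, 1[.]2[.]3[.]4 -> 1.2.3.4."""
    v = re.sub(r"^hxxp(s?)://", r"http\1://", raw.strip(), flags=re.I)
    return v.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")

def classify(raw):
    """Return (indicator type, normalized value); the type is None for anything that is not a valid IoC."""
    v = refang(raw)
    if v.lower().startswith(("http://", "https://")):
        return "url", v
    v = re.sub(r":\d{1,5}$", "", v)  # strip a trailing :port from ip:port tokens
    if IPV4.match(v):
        return ("ipv4", v) if all(int(o) <= 255 for o in v.split(".")) else (None, v)
    low = v.lower()
    if HASH.match(low):
        return "hash", low
    return ("domain", low) if DOMAIN.match(low) else (None, v)

def parse_csv_feed(text):
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            value, _hint, seen, tags = line.split(",", 3)
            yield value, seen, set(tags.split("|"))

def parse_json_feed(text):
    for rec in json.loads(text):
        yield rec["value"], rec["seen"], set(rec["tags"])

def ingest(db, source, records):
    """Merge (raw, seen, tags) records into db keyed by (type, value); returns how many were rejected."""
    rejected = 0
    for raw, seen, tags in records:
        ind_type, value = classify(raw)
        if ind_type is None:
            rejected += 1
            continue
        ind = db.setdefault((ind_type, value), {"sources": set(), "tags": set(), "first_seen": seen, "last_seen": seen})
        ind["sources"].add(source)
        ind["tags"] |= tags
        ind["first_seen"], ind["last_seen"] = min(ind["first_seen"], seen), max(ind["last_seen"], seen)
    return rejected

def expire(db, today, max_age_days):
    """Drop indicators no source has reported for more than max_age_days; returns the count removed."""
    cutoff = date.fromisoformat(today)
    stale = [k for k, ind in db.items() if (cutoff - date.fromisoformat(ind["last_seen"])).days > max_age_days]
    for k in stale:
        del db[k]
    return len(stale)

def match_log_lines(db, lines):
    """Classify every token of each line and look it up; a URL is also checked by its host name."""
    hits = []
    for n, line in enumerate(lines):
        for token in re.split(r"[\s\"']+", line):
            ind_type, value = classify(token)
            if ind_type and (ind_type, value) in db:
                hits.append((n, ind_type, value))
            if ind_type == "url" and ("domain", urlparse(value).hostname) in db:
                hits.append((n, "domain", urlparse(value).hostname))
    return hits

def export_blocklist(db, ind_type):
    """Sorted values of one type, ready to push to a proxy, DNS resolver or mail server."""
    return sorted(v for t, v in db if t == ind_type)

def build_db():
    db = {}
    rejected = ingest(db, "feed-a", parse_csv_feed(FEED_A_CSV)) + ingest(db, "feed-b", parse_json_feed(FEED_B_JSON))
    return db, rejected
```

The step that does the most work is the normalization in classify: without it the same C2 address arrives as 198[.]51[.]100[.]7 from one feed and 198.51.100.7 from another, and the platform would store two indicators instead of one indicator with two corroborating sources and a merged first/last-seen window. Running log tokens through the same classify function guarantees that the log side is normalized exactly like the feed side, which is what makes the proxy hits above reliable; the aging step is what keeps a blocklist built from export_blocklist from growing without bound.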
He notes that feeds can be purchased from a specific supplier (Group-IB, Palo Alto, ESET, Kaspersky, FireEye, etc.) in order to obtain more specific data relevant to a particular infrastructure, or one can use a Threat Intelligence platform that is able to interact with many other sources.
Anatoly Mukhin points out that the Threat Intelligence process is often perceived as merely collecting feeds of various types and integrating them into existing Threat Hunting, Incident Response and SIEM systems, whereas TI can inform not only operational and tactical but also strategic decisions.
The strategic level concerns decisions made by management. At this level, the reports provided by the information security division are considered, and goals and strategies are formed, along with new tasks and needs (people, processes and tools). At the tactical level, one operates with tactics, techniques and procedures (TTPs), which can be taken from MITRE ATT&CK (Adversarial Tactics, Techniques and Common Knowledge), a knowledge base and matrix describing attacker behavior. The operational level consists of specific technical measures taken on the basis of incoming data (indicators of compromise).
Threat Intelligence platforms differ in how they implement cyber intelligence functionality at these levels. For example, a number of domestic products are present on the Russian market:
Group-IB Threat Intelligence by Group-IB. The solution is positioned as a product based not on managing indicators of compromise but on information about who is behind each attack. It is provided as a subscription service and offers monitoring, analysis and forecasting of threats to the organization, its partners and customers. Using the accumulated database on attackers and a system for tracking them, one can learn about future attacks while they are still being prepared. It provides a map of attacker activity and tools for attributing risks, reviews of trends, attacks, APT groups and the tools they use, and can also include on-demand analytics.
Operational data is targeted research on new software and services used by cybercriminals, identification of new APT groups, information about leaks, etc. Tactical data is information about compromised accounts, bank cards and attacked mobile phones, as well as malware configuration files, suspicious IP addresses and much more.
Kaspersky Threat Intelligence by Kaspersky Lab. The Kaspersky TI portal is a threat reporting service designed for rapid incident response and effective investigation. Users receive constantly updated data on files, URLs and IP addresses, domains, checksums, threat names, statistics and activity. This lets incident responders quickly prioritize, reconstruct the timeline, find the infrastructure the attackers are targeting, and learn the cybercriminals' tactics and methods in order to select countermeasures.
Kaspersky TI addresses these tasks through a set of services: threat data feeds, customized reports (for specific companies, for specific countries, for financial organizations, and on APT threats), Threat Lookup, Cloud Sandbox and CyberTrace. The incident responder receives not only up-to-date threat information but also global research on the sources of targeted attacks, which makes it possible to prioritize alerts from internal systems, reduce incident response time, prevent infrastructure compromise and improve the quality of incident investigation.
PT Cybersecurity Intelligence by Positive Technologies. The platform is designed to manage knowledge about information security threats based on free and commercial feeds as well as the vendor's own data. It automatically accumulates, normalizes and enriches indicators of compromise coming from external sources and from internal security tools.
To detect mass, targeted and industry-specific attacks, the platform can independently transfer the processed data to existing protection and response tools. Through API integration with Positive Technologies products and those of other vendors, and through automatic export of threat data to existing security tools, the PT CybSI platform addresses problems such as missed attacks, false positives and manual analysis of feeds.
R-Vision Threat Intelligence. A centralized cyber intelligence analytics platform that collects, processes, stores and analyzes threat data, and uses that knowledge to identify and block threats, respond to incidents and conduct investigations. R-Vision TIP supports commercial and free sources as well as data from FinCERT. The product automatically collects data from connected sources, normalizes and deduplicates it, and brings it into a single data model.
In addition to the indicators themselves, R-Vision TIP also loads related reports and information about vulnerabilities and malware, and analyzes the relationships between indicators, allowing analysts to gain a holistic understanding of a threat. Through integration with external services (VirusTotal, Shodan, RiskIQ, Whois, etc.), indicators are enriched with additional context. Processed and sorted data can be automatically exported to internal security tools from different manufacturers. The entire sequence of operations with indicators of compromise, from collection to blocking by security tools, can be performed automatically.
Joining forces against attackers, leveraging shared knowledge and sharing threat data is what Threat Intelligence platforms are built and deployed for. With their help, a process is built that allows you to competently manage both information about the method of a possible attack and the time available to prepare for it, while ensuring the completeness of information about the threat, - emphasizes Anatoly Mukhin. |
Thus, intelligent information security solutions strive to support the consolidation of data from a variety of sources, processes and niche products, and their joint analysis. Sergey Voinov, CEO of EveryTag, believes that information security solutions will ultimately converge on integrated end-to-end products that simultaneously ensure reliable storage of documents, data and other information, and the security of digital assets.
All this creates the cyber resilience of an organization that protects the business, - emphasizes Igor Lyapunov. |