The confluence of info-security and social media
What's one of the easiest ways for attackers to gain inside information about a target?
Believe it or not, it's LinkedIn and Twitter. Think about it: why bother running a blind scan to fingerprint targets when you can just look at the LinkedIn or Twitter profiles of their network and systems administrators to see what systems they're working on?
Social media is a powerful tool for business, but as you can see, it can also pose a big threat. As a result, many companies are enacting policies that require employees to remove specific details about their jobs from LinkedIn. The law here is certainly not settled, but many companies treat this as part of their confidentiality and privacy clauses. There is a difference between vaguely stating that you work in network security and writing that you manage Cisco ASAs running 9.2 code with WebVPN.
At the same time, however, the principles behind social media can be used to actually increase organizational security.
It all comes down to the idea of sharing information, which is really what's at the heart of social media. By programmatically sharing information about threats, defenders can create a mutual defense far stronger than any one of them could build alone. There are several standards for sharing such information, for example STIX (Structured Threat Information eXpression), a structured language for cyber threat intelligence. This applies both to internal sharing across teams, down to basics such as incident reports, and to external sharing with other organizations. Many vendors would also like to leverage data from their customers, with their permission, but many customers are hesitant to allow it. Customers who do should make sure the vendor manages the data safely, for example by anonymising it.
Admittedly, this is easier said than done. When it comes to security, we -- IT professionals -- have traditionally been wary of sharing information since it could give attackers an advantage. While it's still important to consider what information gets shared, as an industry, we've got to come to terms with the fact that going it alone is no longer an option. We have to move beyond sharing basic virus definitions or IDS (Intrusion Detection System) signatures.
For once, we need to take a page out of the attackers' playbook. The reality is that attackers are far ahead of defenders and have been for some time now. In general, they are also very social and share information about vulnerabilities and tactics much more efficiently than defenders do. Forget the image of the lone wolf cybercriminal -- although those certainly are out there -- most attackers are part of a very active underground community sharing tools and tactics faster than any one company can keep up with. So we've got to turn the tables on them and get better at sharing more information more efficiently.
Recently, this has manifested itself in the form of threat feeds, a much-trumpeted technology for quickly sharing attack information and enabling your infrastructure to dynamically detect and respond to new threats. Some of these feeds are straightforward lists of IP addresses or network blocks associated with malicious activity, while others contain more complex behavioral analysis.
The idea of sharing attack patterns or signatures isn't new, but in the last few years we've seen deeper integration into the detection and protection infrastructure. Threat feeds will not guarantee security -- in fact, you should be skeptical of anything that claims to guarantee security -- but they are a move in the right direction towards collective defense arrangements. Even so, most of the data in today's threat feeds is submitted anonymously, so it's not a named alliance; but again, it's a start.
Some protective technology vendors, such as those that offer antivirus and firewalls, have created their own feeds and offer them to customers as premium subscription services. These feeds are useful, but they usually work only with that vendor's technology and are limited in how deeply they can be leveraged throughout your IT organization. To be most effective, you'll likely want to embed such data in other places in your infrastructure. Sometimes it's fairly easy to get the raw data out of these feeds to do just that, but not always. There are also vendor-agnostic threat feed sources worth looking into; for example, some security information and event management (SIEM) tools include such features.
Getting and sharing threat information can be done in other ways, too.
For example, the Internet Storm Center is also a great source for information about active attacks. They publish information about top malicious ports being used by attackers and the IP addresses of attackers. If you see any of the servers in your data center communicating with these IPs or on these ports, it's worth investigating. While it may turn out to be benign, these are good flags to help guide your investigations.
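To make the two ideas above concrete, here is an added example, not code from the original article or from any feed provider, that ties the STIX sharing format to the IP-and-port style of feed just described. It loads a small STIX 2.1 bundle constructed for this example (the indicator ids, names and the 203.0.113.x / 198.51.100.x addresses are documentation values, not real indicators), extracts the IP and destination-port indicators, and checks them against a handful of constructed firewall log lines in a simple key=value format that is also an assumption of this example. Only the two simplest STIX pattern shapes are handled; anything else is skipped rather than guessed at.

```python
import json
import re

# Constructed STIX 2.1 bundle (example data, not a real feed). Each indicator
# carries a STIX pattern; only the two simple comparison forms below are handled.
STIX_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000002",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "Scanner seen by partner org (constructed)",
            "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.7']",
            "valid_from": "2024-01-01T00:00:00Z",
        },
        {
            "type": "indicator", "spec_version": "2.1",
            "id": "indicator--00000000-0000-4000-8000-000000000003",
            "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
            "name": "Suspicious destination port (constructed)",
            "pattern_type": "stix", "pattern": "[network-traffic:dst_port = 4444]",
            "valid_from": "2024-01-01T00:00:00Z",
        },
    ],
})

IP_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'([^']+)'\]")
PORT_PATTERN = re.compile(r"\[network-traffic:dst_port\s*=\s*(\d+)\]")

def load_indicators(bundle_json):
    """Return ({ip: indicator_name}, {port: indicator_name}) from a STIX 2.1 bundle.

    Only the two pattern shapes above are understood; an unfamiliar pattern is
    skipped so that it never silently turns into a false match."""
    ips, ports = {}, {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        pattern = obj.get("pattern", "")
        m = IP_PATTERN.fullmatch(pattern)
        if m:
            ips[m.group(1)] = obj.get("name", obj["id"])
            continue
        m = PORT_PATTERN.fullmatch(pattern)
        if m:
            ports[int(m.group(1))] = obj.get("name", obj["id"])
    return ips, ports

# Constructed firewall log lines (assumed key=value format, not real traffic).
FIREWALL_LOG = [
    "2024-05-01T10:00:01Z action=allow src=10.0.0.5 dst=198.51.100.20 dport=443",
    "2024-05-01T10:00:02Z action=allow src=10.0.0.8 dst=203.0.113.7 dport=443",
    "2024-05-01T10:00:03Z action=allow src=10.0.0.9 dst=198.51.100.31 dport=4444",
    "2024-05-01T10:00:04Z action=deny src=10.0.0.5 dst=198.51.100.20 dport=22",
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def match_log(lines, ips, ports):
    """Return a list of (line, reason) for every log line whose destination IP
    or port appears in the loaded indicators. A hit is a lead for investigation,
    not proof of compromise; as the text notes, many such flags turn out benign."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        dst, dport = m.group("dst"), int(m.group("dport"))
        if dst in ips:
            hits.append((line, f"dst {dst} matches indicator: {ips[dst]}"))
        elif dport in ports:
            hits.append((line, f"dport {dport} matches indicator: {ports[dport]}"))
    return hits

if __name__ == "__main__":
    ip_set, port_set = load_indicators(STIX_BUNDLE)
    for line, reason in match_log(FIREWALL_LOG, ip_set, port_set):
        print(reason, "->", line)
```

Running the script flags the second and third log lines and leaves the rest alone. The same `load_indicators` step is the point where a feed from a vendor, a SIEM, or a partner organization gets decoupled from any one product: once the indicators are plain data, they can be pushed into whatever part of the infrastructure needs them.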
Simply being better at sharing data across internal teams is another. Less than half of the IT professionals who responded to a recent SolarWinds survey said their organizations tightly integrate security and other IT processes, but doing so can help you spot attacks or behaviors that you would otherwise miss.
An easy way to get started is to have unified tools or dashboards that contain information about the state of your networks and systems. Often, performance data can be used to spot security incidents, whether it's a sudden surge in outbound traffic indicating someone is exfiltrating data, or the CPU on a database server spiking because of an attack. The best way to start down this path is to include other IT members in after-action reports from incident responses. The more they understand how threats were discovered, the more vigilant they can be in detecting anomalies in their systems and raising the flag.
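The outbound-traffic surge mentioned above is the kind of thing a performance dashboard already has the data for. The following is an added example, not code from the original article or from any monitoring product, showing one way to turn that data into a flag: per-host hourly outbound byte counts (constructed sample values, with the host names assumed) are compared against each host's own history using a median and median absolute deviation, so that an earlier spike does not inflate the baseline and hide a later one.

```python
from statistics import median

# Constructed sample: outbound bytes per hour for three hosts, as a monitoring
# tool might report them (not real data). The last hour for "db-02" is a surge.
OUTBOUND_BYTES = {
    "web-01": [410, 398, 425, 390, 432, 401, 415, 420],
    "db-02":  [ 52,  49,  55,  50,  48,  53,  51, 9800],
    "app-03": [120, 118, 125, 122, 119, 121, 124, 123],
}

def robust_zscore(series, value):
    """Distance of `value` from the series' median, in units of the median
    absolute deviation (MAD). Median/MAD is used instead of mean/stddev so a
    single earlier spike does not stretch the baseline. The 1.4826 factor makes
    MAD comparable to a standard deviation for normally distributed data."""
    med = median(series)
    mad = median(abs(x - med) for x in series)
    scale = 1.4826 * mad
    if scale == 0:
        # Flat history: any change is notable, but avoid dividing by zero.
        return float("inf") if value != med else 0.0
    return (value - med) / scale

def flag_outbound_surges(per_host, threshold=5.0):
    """Return {host: (latest_bytes, zscore)} for hosts whose most recent reading
    sits far above that host's own history. Only upward deviations are flagged,
    because the concern here is data leaving the network."""
    flagged = {}
    for host, series in per_host.items():
        history, latest = series[:-1], series[-1]
        z = robust_zscore(history, latest)
        if z > threshold:
            flagged[host] = (latest, round(z, 1))
    return flagged

if __name__ == "__main__":
    for host, (latest, z) in flag_outbound_surges(OUTBOUND_BYTES).items():
        print(f"{host}: {latest} bytes out, {z} MADs above its usual level")
```

With the sample data only `db-02` is flagged; the other two hosts vary within their normal spread. The threshold is deliberately a parameter: the right value depends on how noisy a given host's traffic normally is, and tuning it is exactly the sort of conversation the after-action reports above are meant to start between the security and operations teams.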
At the end of the day, what's most important is that we as IT professionals get better at openly sharing and using valuable threat- and attack-related information any way we can. The security of our data depends on it.