Enterprises longing for an automated system that sends up a smoke signal that attackers may be planning a move against a particular organization or are promoting a new tool that targets companies in a specific industry may have had their wish come true.
Georgia Tech Research Institute has released a tool that collects threat intelligence from the open Internet and connects the dots in order to give organizations or industries an early warning that a distributed denial-of-service attack or new exploit is in the wild.
The system, called BlackForest, can be used as a feed into existing threat intelligence services, or can produce a report that cuts out a lot of painstaking manual research for enterprise security analysts.
“There’s been a dramatic—and in our opinion, correct—shift in not just fighting the attack but rather placing more emphasis on the motivations/goals of the attacker,” said Christopher Smoak, a research scientist in GTRI’s Emerging Threats and Countermeasures Division. “By understanding more about who these actors are, how they communicate, and where they’re sourcing tools, for example, we can help fill that much-needed gap and catch more things higher up in the kill chain.”
BlackForest rakes in information from hacker forums, social media, news sites and other information sharing programs, Smoak said.
“What it collects varies slightly based on source, but in general, it collects information being shared between parties. This may mean a public post made from one user to another, a forum post releasing a tool, or a conversation attempting to gather support for a Distributed Denial of Service (DDoS), for example,” Smoak said. “All of this information is automatically processed into a coherent picture based on various analytics in the background and can be further modified by analysts if desired.”
The intelligence sources BlackForest mines are broad and change according to attackers’ habits, Smoak said. But the secret sauce here is how it connects the dots between data gathered from different sources.
“Methods for connecting the dots vary based on the data, but we use a combination of what is communicated, to/by whom, and sets of derived metadata to provide automated connections between entities within our database. We then run additional analytics in the background to begin to discover new connections not easily identified,” Smoak said. “These are based on a number of machine learning techniques we’ve been developing over the course of the last two years. Additionally, analysts working with the system directly can add their own connections they’ve made through alternate methods to further enrich the data set.”
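A toy version of the entity-linking step Smoak describes (who communicated with whom, which tools and targets were named, and which entities recur across sources), added here as an illustration and not GTRI's code; the posts, handles, tool names and watchlists below are all constructed:

```python
"""Minimal 'connect the dots' pass over collected posts from several sources."""
import re
from collections import defaultdict

# Constructed sample collection: (source, author, text). Every handle, tool
# name and post is invented for this example.
POSTS = [
    ("forum", "vex", "released ddos tool stormcannon v2, dm @nullwave for the build"),
    ("social", "nullwave", "who is in for hitting the banking sector friday? stormcannon ready"),
    ("forum", "rooter", "new exploit kit for sale, contact me"),
    ("news", "wire", "report: stormcannon used against retail sites last month"),
]

HANDLE_RE = re.compile(r"@(\w+)")                          # mentioned handles
TOOL_RE = re.compile(r"\b(stormcannon|exploit kit)\b")      # assumed tool watchlist
TARGET_RE = re.compile(r"\b(banking|retail|government)\b")  # assumed industry list
PLANNING = ("ddos", "hitting", "who is in")                 # assumed planning phrases

def extract_entities(source, author, text):
    """Derive metadata for one post: actors, tools, targets, planning language."""
    t = text.lower()
    return {
        "source": source,
        "actors": {author} | set(HANDLE_RE.findall(t)),
        "tools": set(TOOL_RE.findall(t)),
        "targets": set(TARGET_RE.findall(t)),
        "planning": any(p in t for p in PLANNING),
    }

def link_entities(posts):
    """Map each actor/tool to the sources it appears in; keep cross-source links only."""
    seen = defaultdict(set)
    for src, author, text in posts:
        ent = extract_entities(src, author, text)
        for kind in ("actors", "tools"):
            for name in ent[kind]:
                seen[(kind, name)].add(src)
    return {entity: sources for entity, sources in seen.items() if len(sources) > 1}

def early_warnings(posts):
    """Return (industry, tools, actors) for planning chatter that names an industry."""
    out = []
    for src, author, text in posts:
        ent = extract_entities(src, author, text)
        if ent["planning"] and ent["targets"]:
            for target in sorted(ent["targets"]):
                out.append((target, tuple(sorted(ent["tools"])), tuple(sorted(ent["actors"]))))
    return out
```

On the constructed posts, `link_entities` ties the handle seen on the forum to the same handle on social media and the tool name to all three sources, and `early_warnings` flags the banking sector post as the kind of item an analyst would alert on.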
Smoak said BlackForest can monitor hacker forums, for example, for posts on new exploit tools for sale, or for references to specific companies or industries in the crosshairs of an impending DDoS attack. This allows an analyst at GTRI to download the exploit tool, for example, and make a report available to users, or send out an alert to a bank or government agency that hacktivists might be gearing up to flood a website or online resource.
“There’s not a lot of pre-attack, high up the kill chain tools out there. A lot of what we find before the fact is due to diligent manual inspection, and that’s just not feasible or cost effective in the long run,” Smoak said. “BlackForest aims to augment this workflow by putting machines in charge of collection and finding the information, thereby making analysts’ time more effective at actually preventing or mitigating attacks.”
Organizations can use the pre-attack data to develop malware indicators in order to build SIM or intrusion detection signatures.
“We’re just scratching the surface on how this information may be combined with other data sets to enhance decision making, and I fully expect it to morph in unique ways over the coming months,” Smoak said.