The number of data breach incidents reported in 2018 is alarming. Internet tech giants, flag-carrier airlines, and government institutions were a few of the targets devastated by these cyberattacks. These organizations have one thing in common: the scale of their IT security investment is larger than that of common enterprises. All of them are equipped with layers of security defenses such as next-generation firewalls (NGFW), intrusion prevention systems (IPS), web application firewalls, antivirus, and anti-APT solutions, yet their systems were compromised.

This may take many by surprise. It is as if, regardless of how much you invest in IT security, hackers are still able to intrude into your network. The classic movie line “Life will find its way out” seems to ring true for hackers: they can always discover unknown weak spots before anyone else.

The saying holds true: “Know thyself and thy adversary to win a hundred battles”. Passive surveillance mechanisms, which serve like front ramparts, are not sufficient to ward off intrusions from hackers. Experts have proposed a new concept, “Threat Intelligence Blocking”, driven by high-fidelity threat intelligence feeds. This is similar to missile defense, where a complex system of ground-based radars, satellite sensors, and interceptor missiles works in conjunction to stop threats from reaching your territory. By building a densely woven intelligence network, threats are detected and terminated before they reach your domain. This approach not only lightens the burden on firewalls and IPSes, it also improves the security posture of an organization.

Given these circumstances, NETSCOUT Arbor has released “Arbor Edge Defense” (AED) as a brand-new solution. It can serve as a TIG (Threat Intelligence Gateway) that holds up to millions of Indicators of Compromise (IOCs) to complement corporations’ existing security stacks.

Decrease in effectiveness of current security stack
Organizations continue to plan and build secure networks by investing in various perimeter solutions. This often produces lackluster results, as we continue to witness sensitive information being leaked. These incidents may be due to various factors, and enterprises should focus on the root cause of the problem. Otherwise, investing in top-end technology alone can never turn the situation around.

NETSCOUT Arbor Greater China general manager Alex Chin gives a detailed analysis of the underlying problems. Firstly, many malicious acts are able to circumvent an organization’s multi-layered security defenses. Hackers are able to pull off these tricks because their targets usually rely on signature- or fingerprint-based detection techniques, which may not be effective against zero-day exploits. Even though numerous organizations have anti-APT solutions (such as sandbox technology) deployed with the intention of blocking unknown threats, the results are not reassuring.

There are two sides to a coin. With the emergence of sandbox technology to detect zero-day attacks, anti-sandbox technology that dodges this detection also arises. After all, in the security battle there are just too many areas yet to be explored; nothing is impossible. That is why corporations should not rely solely on sandbox technology against APTs.

Secondly, more than 70% of the Internet’s traffic is encrypted. To stop the potential threats embedded in it, security devices deployed in the network may need to include SSL encryption/decryption capability. The cost and management of these additional modules are considerable and can only be afforded by larger organizations. Eventually, encrypted traffic is let through without inspection, adding to the risk of a security breach.

Thirdly, organizations perceive that multiple solutions are required to tackle complex security problems. This mindset may not be entirely correct. By acquiring more security devices, the number of alerts will also increase. Security analysts diligently review the logs during the initial phase of deployment. As the volume of alerts increases, with a high percentage attributed to false positives, alert fatigue leads to alarms being left unattended. Thus, critical warnings may be ignored, allowing threats to sneak through.

Furthermore, larger organizations diversify their security investment by purchasing solutions from multiple security vendors. The information between systems may not be interoperable, with each producing huge event logs of its own. This makes it difficult for a security analyst to connect the dots and view the bigger picture of the attacker’s behavior, leaving gaps for the enemy to infiltrate the network.

IOCs on the rise, difficult to implement threat blocking
It has been deemed critical to collect and share threat intelligence. Organizations around the world, including Taiwan, are moving towards ISAC (Information Sharing and Analysis Center) standards. At the national level there is the N-ISAC; for its subordinate governments, the G-ISAC; for financial services, the FS-ISAC; for water resources, the W-ISAC; for oil and gas, the ONG-ISAC; and so on. ISACs have been set up in various sectors in the hope that collaboration and intelligence sharing can gain the upper hand over hackers.

Back in the Warring States Period, the ancients already knew the importance of intelligence sharing. To ward off foreign intrusions, emperors decided to build beacon towers at critical zones and traffic routes. Not all towers were armed with sufficient forces; some had only a few soldiers stationed. They were not expected to fight off hundreds of enemies: their task was to light the beacon fire (or smoke signal) once they spotted enemies. When soldiers on the other towers saw the fire, they would light their own beacons. In this way, the message could instantly be relayed dozens or hundreds of kilometers away, allowing forces to gather in the shortest time and ward off the intrusion.

The ISAC that the IT security sector promotes today resembles the beacons. Private enterprises, government and education institutions deploy security checkpoints at every critical location in their networks, relying solely on their perimeter systems to spot anomalous traffic. However, there are always vulnerabilities, no matter how thorough the defense is. The bad guys can pretend to be legitimate to bypass security inspections. In contrast, by integrating external intelligence, organizations will be able to detect the smoke signals from miles away. Without doing the checks themselves, they would immediately know where the enemies are and how they behave, and can therefore devise countermeasures to stop the attackers from penetrating their networks.

Alex Chin says that, looking at the global evolution of ISACs, one can deduce that successful ISACs must have three key components: "real-time updates", "automation", and "standardized format". Threat intelligence should be shared simultaneously through automated processes without relying on human intervention. It also needs to be built on standardized formats such as STIX (Structured Threat Information Expression) and TAXII (Trusted Automated eXchange of Indicator Information). The former defines the format in which threat information is described, and the latter the communication protocol for sharing it. Both have been widely accepted across the international security sector, and when properly utilized they facilitate the integration and exchange of information across technology platforms.

Taiwan has started to adopt ISAC regulations. As ISAC matured, Taiwan’s academia commenced a “wall-building” project, which estimated that the academic network could produce tens of thousands of IOCs, including malicious IPs, URLs, and domains. This is expected to help the education and academic sectors perform intelligence blocking. Locally branded data traffic analyzers were used in the project, and security vendors were invited to participate to validate whether these IOCs could be imported into their devices for effective blocking.

Unfortunately, the results were not promising. Most of the NGFWs were not able to import more than tens of thousands of IOCs, and the performance of the devices was hugely impacted. NGFW vendors had to switch to bigger and more expensive models, which barely held the required number of IOCs to block threats.

Potential concerns were identified during this arduous process. Organizations trying to block threats effectively would encounter huge setbacks even in the very early phases. The reason is that NGFWs and other common security devices have seen an increase in their functionality over the years. Each service consumes memory and computing resources, and the remaining CPU and memory are insufficient to hold tens of thousands of IOCs. Such a device reaches its bottleneck once thousands or tens of thousands of IOCs have been imported into it; extending beyond this severely impacts the device’s performance.

It is worth noting that the “fifty-thousand IOCs” mentioned previously merely refer to the threat intelligence items gathered within the academic network. At a national N-ISAC level, and when combined with more intelligence feeds from third-party TIPs, there will be at least one million IOCs to consume. It could be argued that this massive amount of threat data should be included and used as the basis of blocking. However, even if organizations are willing to invest in top-of-the-line security devices, there is no guarantee that these devices will be capable of holding millions of IOCs, which has significant impacts on the performance of NGFWs.

Stateless Architecture with Expanded Blocking Capabilities
Given the limitations mentioned above, if users yield to reality and include only thousands or tens of thousands of IOCs in their security devices, their success in blocking threats will be minimal. In light of this, the security field is coming up with a new solution, the TIG, which serves as a stand-alone device specifically built to carry the numerous IOCs and, at the same time, positioned to significantly lighten the burden on security devices such as the NGFW and IPS.

Indeed, the concept of a TIG does make sense. Most organizations have already implemented a sophisticated security infrastructure. Unless a TIG can be consolidated into the existing security stack, is simple to operate, and does not create an additional burden for the security team, organizations will hesitate to insert another stand-alone device into their security stack.

To meet the market’s requirements, NETSCOUT Arbor launched a pioneering solution called the AED (Arbor Edge Defense). NETSCOUT Arbor’s DDoS defense device, “APS”, boasts advanced DDoS defense capabilities and has been relied on by many organizations over the years. AED is designed to combine both APS and TIG functionality in a single device. Users equipped with APS can, through a simple upgrade process, enjoy the TIG features instantly.

APS has been the leader in the anti-DDoS market due to three distinct advantages. First, it is positioned in a unique location between the router and the firewall; second, it is designed with a stateless packet processing engine; third, it is backed by the ATLAS global threat intelligence. The new AED inherits these advantages.

Since AED is positioned at the Internet edge, it is suitable to serve as both the first and last line of defense against advanced Internet threats. It not only fends off threats from outside but also cuts off the external communications from an infected internal host to its C2 botmaster. This helps stop a security compromise from becoming a breach. Because AED inherits APS’s stateless technology, it complements the NGFW or IPS and reduces their load.

More importantly, NETSCOUT Arbor ATLAS collaborates with over 400 telecommunications companies around the world and has sensors/honeypots positioned across their backbones. Internet data are collected at a peak rate of 140 Tbps, which is one third of the global Internet traffic. With such visibility as its solid foundation, ATLAS is able to examine over 200K malware samples per day, and feed updates and countermeasures are regularly pushed to the product. Alex Chin points out that ATLAS has a very powerful brain: research in the field of anti-DDoS uses merely a slight fraction of ATLAS’s resources, and ATLAS has been expanded over the years to explore advanced cyber threats. Furthermore, ATLAS relies on a highly automated process with results validated by experts. Thus, it is able to sort through hundreds of millions of pieces of threat information and condense them into hundreds of thousands of high-fidelity IOCs to import into AED. Together with security devices such as the NGFW and IPS, threat intelligence blocking is achieved. By retaining only relevant information, the IOCs in AED are highly reliable indicators; erroneous judgments are thus minimized and blocking rates maximized, producing impressive results.

Even though ATLAS can gather most threat intelligence around the globe in real time, NETSCOUT Arbor still strongly recommends that users also import local intelligence into the TIG. In a sense, global threat intelligence is like an Internet criminal blacklist. Yet there are “red-handed” offenders who are only beginning to take root locally, and to identify them in time, local threat intelligence is required. Through standard exchange protocols such as STIX/TAXII or a RESTful API, users can easily integrate AED with local intelligence to strengthen its threat blocking capabilities.

Also, a third-party TIP (threat intelligence platform) can be used to enhance AED’s blocking capability. However, it is worth noting that although TIPs often claim to hold up to a hundred million or even a billion IOCs with huge coverage, this often results in over-blocking of traffic when not correctly tuned. For example, some organizations’ IPs might previously have been used as a stepping stone by hackers; even if the incidents were short-lived, these IPs may be included in the TIP’s blacklist and may never be seen as legitimate again. If organizations include these IPs for blocking, they may be dropping communication with potential business partners. Having the SIEM interact with the TIP to derive the most relevant IOCs can bring the IOC count down from billions to millions, which eliminates over-blocking in TIGs.
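As an added illustration of the STIX indicator format introduced earlier and of the over-blocking filter this paragraph calls for (example code written for this article, not NETSCOUT's or any TIP's own), the following Python parses a constructed STIX 2.1 bundle into per-type IOC sets, dropping indicators past their valid_until and any value on an allowlist of the organization's own or partner addresses. The bundle contents, ids and addresses are made-up placeholders.

```python
import json
import re
from datetime import datetime

# Constructed sample: a small STIX 2.1 bundle of the kind an ISAC or TIP feed
# would publish over TAXII. All ids and values are made-up placeholders.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
         "pattern_type": "stix", "valid_from": "2018-01-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '203.0.113.10']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000003",
         "pattern_type": "stix", "valid_from": "2018-01-01T00:00:00Z",
         "valid_until": "2018-03-01T00:00:00Z",
         "pattern": "[domain-name:value = 'c2.example']"},
        {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000004",
         "pattern_type": "stix", "valid_from": "2018-01-01T00:00:00Z",
         "pattern": "[url:value = 'http://drop.example/a.php'] OR "
                    "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000005",
         "name": "constructed-sample", "is_family": False},
    ],
})

# Matches the simple equality comparisons STIX patterns use for network IOCs.
_COMPARISON = re.compile(r"\[(ipv4-addr|domain-name|url):value\s*=\s*'([^']+)'\]")

def _ts(iso):
    """Parse a STIX timestamp such as 2018-03-01T00:00:00Z into an aware datetime."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))

def extract_iocs(bundle_json, now_iso, allowlist=frozenset()):
    """Return {ioc_type: set(values)} ready for a TIG block list.

    Only indicator objects are used. An indicator whose valid_until has passed
    is dropped (a short-lived 'stepping stone' should not be blocked forever),
    as is any value in the allowlist (the organization's own and partner addresses).
    """
    now = _ts(now_iso)
    out = {"ipv4-addr": set(), "domain-name": set(), "url": set()}
    for obj in json.loads(bundle_json)["objects"]:
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue  # non-indicator objects (malware, relationships) carry no IOC
        until = obj.get("valid_until")
        if until and _ts(until) <= now:
            continue  # expired indicator: keep it out of the block list
        for ioc_type, value in _COMPARISON.findall(obj["pattern"]):
            if value not in allowlist:
                out[ioc_type].add(value)
    return out
```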

In conclusion, NETSCOUT AED is positioned to increase service availability, perform threat intelligence blocking, and reduce the burden on the NGFW or IPS. By supporting the STIX/TAXII formats, AED integrates with major threat intelligence platforms and SIEMs to generate a faster and more accurate response and bring the cybersecurity incident rate down to the very minimum. The combination of AED's software features ("real-time update", "automation", "standardized format") and unique architecture (stateless technology, unlimited scalable blocking capacity) produces optimal protection against cyber threats for organizations at an epic scale.
