When deploying threat intelligence and automated response technologies it is critical that these systems be configured correctly and accurately. When the technology can drop traffic on your network, you want to be certain that you are dropping the bad guy and letting the good guys through. To carry out this function we think that threat monitoring as a service makes sense. We have rolled out our MSSP offering and have been publishing whitepapers on the topic because what we are finding is that customers who try to implement threat intelligence on their own are missing the mark and in many cases creating additional problems.
Findings in Threat Intelligence Integration - A review of customers
Many companies are using threat data, not threat intelligence - there is a huge difference: threat intelligence is produced by your organization, by analyzing data and putting it in the context of your own networks, while threat data is the raw indicator feed you buy from a vendor
Many organizations are not blocking - which leaves them open to attack. This occurs for several reasons, some of which we cover later in this article
Systems do not scale - companies that have implemented these solutions on their own outgrow them as the deployment grows over time
No sharing is occurring - companies want to be subscribers, not contributors
What this means for you the customer
We believe that customers would rather pay for this service than build it out themselves, for a variety of reasons. Researching potential customers shows that customers do not have a comprehensive understanding of intelligence. Until they integrate intelligence with cyber operations they will continue to have deployment issues. Intelligence as a discipline is not the same thing as cyber security intelligence, but management does not know the difference. Managers seem to be OK with paying for services even when those services fail to protect their network(s).
MITM Attacks - Snooping on networks
As we conduct assessments we are observing many instances of man-in-the-middle (MITM) attacks as well as network intelligence gathering activities. This is occurring not only in the Government space but also in private and corporate networks. There have been many recent attacks that use DNS redirection to intercept network activity and send users from known-good sites to known-bad decoy sites used to collect information and commit fraud. One of the features of the Jigsaw Security stack is the ability to detect when DNS is being tampered with and to alert your network administrators, who in turn can tell you what bad activity is being observed; the stack can also block the threat actor trying to manipulate your network activity in near real time.
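Two signs of the DNS tampering described above can be checked from passive DNS logs alone: a monitored hostname resolving to an address outside the set your organization has previously validated for it, and a DNS response arriving from a server that is not one of the resolvers your network is configured to use (a rogue DHCP-supplied resolver or a spoofed response). The following is an added example, not code from the Jigsaw Security stack; the resolver addresses, hostnames, address ranges and log lines are all constructed for illustration, and the log format (timestamp, client, responding server, query name, query type, comma-separated answers) is an assumed flattened format rather than any particular product's log.

```python
"""Detect DNS redirection from passive DNS logs.

Added example (not Jigsaw Security code). Two checks:
  1. unexpected_answer   - a monitored name resolves outside its known-good ranges
  2. untrusted_resolver  - the response came from a server that is not a configured resolver
All hostnames, addresses and log lines are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

# Resolvers this network is supposed to use (assumption for the example).
TRUSTED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}

# Known-good answers for names worth watching. In practice this baseline is
# built from repeated lookups through a trusted out-of-band resolver.
KNOWN_GOOD = {
    "bank.example.com": [ipaddress.ip_network("203.0.113.0/28")],
    "shop.example.com": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample log: ts client server qname qtype answers ('-' = no answer).
SAMPLE_LOG = """\
# ts client server qname qtype answers
2024-05-01T09:00:01Z 10.0.5.21 10.0.0.53 bank.example.com A 203.0.113.7
2024-05-01T09:00:05Z 10.0.5.21 10.0.0.53 shop.example.com A 198.51.100.20,198.51.100.21
2024-05-01T09:01:12Z 10.0.5.33 10.0.0.53 bank.example.com A 192.0.2.66
2024-05-01T09:02:40Z 10.0.5.40 172.16.9.9 shop.example.com A 198.51.100.20
2024-05-01T09:03:02Z 10.0.5.21 10.0.0.53 news.example.org A 192.0.2.10
2024-05-01T09:03:09Z 10.0.5.21 10.0.0.53 nx.example.org A -
"""


@dataclass
class DnsRecord:
    ts: str
    client: str
    server: str      # address the response came from
    qname: str
    qtype: str
    answers: list    # rdata strings


@dataclass
class Alert:
    kind: str
    ts: str
    client: str
    server: str
    qname: str
    detail: str


def parse_line(line: str) -> DnsRecord:
    """Parse one whitespace-separated record into a DnsRecord."""
    ts, client, server, qname, qtype, answers = line.split()
    rdata = [a for a in answers.split(",") if a and a != "-"]
    return DnsRecord(ts, client, server, qname.lower().rstrip("."), qtype, rdata)


def ip_answers(rec: DnsRecord) -> list:
    """Return only the answers that are IP addresses (A/AAAA rdata); skip CNAME targets."""
    out = []
    for a in rec.answers:
        try:
            out.append(ipaddress.ip_address(a))
        except ValueError:
            continue
    return out


def check_record(rec: DnsRecord) -> list:
    """Apply both tampering checks to a single record."""
    alerts = []
    if rec.server not in TRUSTED_RESOLVERS:
        alerts.append(Alert("untrusted_resolver", rec.ts, rec.client, rec.server, rec.qname,
                            f"response from {rec.server}, expected one of {sorted(TRUSTED_RESOLVERS)}"))
    baseline = KNOWN_GOOD.get(rec.qname)
    if baseline is not None:
        # An IPv6 answer never matches an IPv4 network (ipaddress handles the version mismatch).
        bad = [str(ip) for ip in ip_answers(rec) if not any(ip in net for net in baseline)]
        if bad:
            alerts.append(Alert("unexpected_answer", rec.ts, rec.client, rec.server, rec.qname,
                                f"{rec.qname} resolved to {', '.join(bad)}, "
                                f"outside {[str(n) for n in baseline]}"))
    return alerts


def scan(lines) -> list:
    """Run the checks over an iterable of log lines, skipping blanks and comments."""
    alerts = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        alerts.extend(check_record(parse_line(line)))
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG.splitlines()):
        print(f"{a.ts} {a.kind:18} client={a.client} server={a.server} {a.detail}")
```

Run against the constructed log, the third line fires `unexpected_answer` (bank.example.com answered with 192.0.2.66, outside its baseline) and the fourth fires `untrusted_resolver` (the answer came from 172.16.9.9). The unmonitored name and the empty answer produce nothing, which is the intended behaviour: the baseline check only covers names you have deliberately validated, so it does not drown administrators in noise from every CDN rotation.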
Preventing Malicious Redirection
As Jigsaw Security gains visibility into both Government and Corporate networks, one thing is very apparent: many of these networks are operating with gaping holes that attackers can leverage to target individuals. We have observed malware specifically designed to redirect users from known-good sites to known information collection points. These samples can redirect any website, such as banking and shopping sites, in order to collect credit card information as well as the browsing habits of their targets.
Recent activity by Russian and Iranian threat actors has shown that the same technology used to prevent network infections can also be used to redirect users to sites that carry out infections. Many recent cases show how these technologies are being used to infect targeted subscribers through ad networks, content delivery networks, and rogue hot spots that are malicious in nature.
Those wishing to try our new cloud-based DNS protection can get a demo and a free 30-day cloud-deployed instance by requesting it from any Jigsaw Security sales person. The service requires only that you change your DNS servers to be effective, and it shows you exactly what attacks are observed on your network. If you choose to keep the service you simply leave the DNS protection in place and subscribe. If you decide our DNS protection is not right for you, simply change your DNS back to your existing DNS servers. It really is that simple to defeat name-based attacks. One deployment check: the service can only inspect lookups that actually reach its resolvers, so allow outbound DNS (port 53) at your firewall only to the protection service, otherwise a host or piece of malware with a hard-coded resolver bypasses it.