Using threat trends to protect network resources

The threat landscape is evolving faster than the usual pace of security analysis

Leveraging threat intelligence to improve an organization's security posture should be an essential component of any security strategy.

Security-focused organizations produce a growing number of threat reports, published annually, quarterly, monthly, weekly and even daily. These reports often contain critical information about the latest trends, goals and tactics of the cybercriminal community.

Threat Tools and Trends

Active threat feeds from security researchers, vendors, and regional and industry-specific organizations can be ingested by tools such as SIEMs and integrated into SOC workflows, so that detection rules and monitoring are continually tuned to the latest threat trends.

Analyzing threat trends, especially those collected from live production environments, gives security professionals insight into how to better protect their organizations against the latest cyber threats.

Cybercriminals work in packs

One of the most interesting insights from analyzing the data collected during the first quarter of 2019 (PDF) is that cybercriminals tend to work in loosely organized packs. If an exploit or attack vector appears to have worked for one criminal, you can safely assume that a swarm of attacks aimed at the same target will soon follow. This is a high-level trend that anyone familiar with security can see.

Threat Trends with FortiSIEM

Large-scale pack behavior

WordPress is the world's leading CMS (Content Management System), used to build hundreds of millions of websites. Data stored on websites has a high value on the black market, and WordPress is a frequent target of attacks. So when we recorded more than 100,000 attacks targeting this application in the first quarter, it was not a big surprise. What is notable is that there was also a rise in attacks targeting other vendors' CMS products, including the third-party plug-ins written for them.

Some analysts may have overlooked this, because the number of attacks against each of those other CMS products was far smaller than the number aimed at the largest player in the space. Viewed together, though, they show the same pack behavior: once attacks on one CMS paid off, the swarm moved on to neighboring targets.

Granular pack behavior

This pack behavior is not limited to large waves of attacks spilling over into related targets. It also shows up in some of the most granular details of individual attacks.

Almost 60% of the threats analyzed in the first quarter of 2019 shared at least one domain with another threat at some point in the attack chain. Many attacks also tend to use the same web hosting providers over and over again.

This tells us two things. The first is that cybercriminals pay close attention to each other. They interact in obscure web forums, share code and strategies, and even reverse engineer each other's tools. When something works, whether it is an obfuscation technique or a web hosting provider, it gets reused.

Second, these patterns can be used to identify attacks. If a device is exchanging traffic with a web domain, and that domain is hosted by a provider frequently used by cybercriminals, that combination is a signal worth alerting on, even when the domain itself is not yet on a blocklist.
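The following is an added example illustrating the two ideas above in working code; it is not code from the original page and not part of FortiSIEM or any Fortinet product. It takes a set of analyzed attack chains (constructed here), measures how many of them share a domain with another chain, derives the set of hosting providers that recur across chains, and then matches constructed proxy log lines against both the known-bad domains and the recurring providers, the way a SIEM correlation rule would. All domain names, provider names and log lines are invented for the example; the domain-to-provider mapping stands in for the passive DNS or WHOIS enrichment a real deployment would use.

```python
"""Threat-feed correlation example (added illustration, not the page's own code).

Two pieces:
  1. Measure infrastructure reuse across analyzed attack chains.
  2. Match log lines against known-bad domains and frequently abused hosting
     providers, emitting alerts a SIEM rule could raise.
Every domain, provider and log line here is constructed for the example.
"""
import re
from collections import defaultdict

# Constructed: attack chains from one quarter's analysis, each listing the
# domains observed at some point in the chain.
ATTACK_CHAINS = {
    "chain-A": {"update-check.example-bad.net", "cdn.stolen-creds.example"},
    "chain-B": {"cdn.stolen-creds.example", "loader.example-bad.net"},
    "chain-C": {"tracker.adnetwork.example"},
    "chain-D": {"unique-only.example"},
}

# Known-bad domains: the union of everything seen in the analyzed chains.
THREAT_FEED = set().union(*ATTACK_CHAINS.values())

# Constructed domain -> hosting provider map (stands in for passive DNS/WHOIS
# enrichment; provider names are hypothetical).
HOSTING = {
    "update-check.example-bad.net": "HostCo",
    "cdn.stolen-creds.example": "BulletProofHost",
    "tracker.adnetwork.example": "HostCo",
    "unique-only.example": "ReputableCloud",
    "new-panel.example": "BulletProofHost",
    "www.example.org": "ReputableCloud",
}

# Constructed proxy log lines in a simple key=value format; the last line is
# deliberately malformed to show that unparseable input is skipped, not fatal.
SAMPLE_LOGS = [
    "2019-03-12T10:01:02Z src=10.0.0.5 dst=update-check.example-bad.net bytes_out=1200 bytes_in=800",
    "2019-03-12T10:01:09Z src=10.0.0.7 dst=www.example.org bytes_out=300 bytes_in=5000",
    "2019-03-12T10:02:33Z src=10.0.0.5 dst=new-panel.example bytes_out=900 bytes_in=1200",
    "malformed line that should be skipped",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)")


def chains_sharing_domains(chains):
    """Return the ids of chains that share at least one domain with another chain."""
    owners = defaultdict(set)  # domain -> chain ids that used it
    for cid, domains in chains.items():
        for d in domains:
            owners[d].add(cid)
    return {cid for cid, domains in chains.items()
            if any(len(owners[d]) > 1 for d in domains)}


def shared_domain_ratio(chains):
    """Fraction of chains reusing a domain seen in another chain (the '60%' style metric)."""
    return len(chains_sharing_domains(chains)) / len(chains)


def frequently_used_providers(chains, hosting, min_chains=2):
    """Hosting providers that appear in at least `min_chains` distinct attack chains."""
    seen = defaultdict(set)  # provider -> chain ids whose domains it hosts
    for cid, domains in chains.items():
        for d in domains:
            if d in hosting:
                seen[hosting[d]].add(cid)
    return {p for p, cids in seen.items() if len(cids) >= min_chains}


def match_logs(log_lines, feed, hosting, abused_providers):
    """Yield (src, dst, reason) alerts for traffic to known-bad domains or to
    domains hosted by providers that recur across attack chains."""
    alerts = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip unparseable lines rather than crash the pipeline
        dst = m.group("dst").lower().rstrip(".")  # normalize before lookup
        if dst in feed:
            alerts.append((m.group("src"), dst, "known-bad domain in threat feed"))
        elif hosting.get(dst) in abused_providers:
            alerts.append((m.group("src"), dst,
                           f"hosted by frequently abused provider {hosting[dst]}"))
    return alerts


if __name__ == "__main__":
    print(f"chains sharing a domain: {shared_domain_ratio(ATTACK_CHAINS):.0%}")
    providers = frequently_used_providers(ATTACK_CHAINS, HOSTING)
    print(f"recurring providers: {sorted(providers)}")
    for src, dst, reason in match_logs(SAMPLE_LOGS, THREAT_FEED, HOSTING, providers):
        print(f"ALERT {src} -> {dst}: {reason}")
```

The second alert is the interesting one: new-panel.example is not in the feed, but it sits on a provider that already hosted infrastructure in two analyzed chains, so the rule surfaces it. In a real SOC the provider lookup would come from passive DNS or ASN data, and the `min_chains` threshold would be tuned to keep large legitimate hosters from being flagged on volume alone.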

