“Was this support article helpful?”
How many times have you read that question and heard the voice in your head screaming “NO!!!!” Why wasn’t the article useful? Usually because it explained the problem indicated by the error message, but really didn’t tell you what to do about it.
Same with the early Intrusion Detection System. Yes, they faithfully detected problems, logged them, and you could interrogate those logs. Later on they would morph into Intrusion Detection and Prevention Systems and finally Intrusion Prevention Systems. The huge and very important difference was that the first just reported information about the intrusion, and the improved versions actually did something about them.
7 Things You Can Learn From an Actionable Intelligence Report
That also describes the difference between the intelligence that most security systems collect and those that provide Actionable Intelligence Reports which not only inform but also drive action to resolve the exploit and mitigate the vulnerability.
Developing actionable intelligence requires the confluence of several resources and inputs. Monitoring all of one’s own network activity collects an enormous amount of log data. Baseline information from broader collections helps in comparing your activity with known exploits and other identified conditions, accompanied by information regarding successful mitigating activities. These must be combined by professionals with the expertise and the all-important experience in analyzing these data which results in actionable intelligence.
There are several important values businesses obtain from having actionable intelligence. These include protection of high-value data assets, avoidance of various malware threats, and preservation of ongoing business operations. Examples include:
RAT Attacks – Remote Access Tools (RATs) are often used to harvest credit card details from retailers, steal confidential corporate data and execute email attacks to obtain information. Since these attacks are designed to be very difficult to detect, deductive reasoning involving comparison of host computer behaviors over time may often be the only way to expose them.
Data Transfer Anomalies – Various applications are highly susceptible to exploit with malware being injected into them. Actionable intelligence is developed when careful inspection over time identifies these applications making unusual calls often directly to a specific IP address rather than a domain name. The action taken involved tracing down the target IP address to identify the attacker.
Downloading Malicious JavaScript – JavaScript is a popular scripting language among attackers who use it to inject malicious content on targeted hosts. Finding Java files that aren’t familiar to the network often helps admins to remove them before they cause harm.
Ransomware – One of the fastest growing types of attack is Ransomware. The attacker encrypts all data on the exploited servers making them useless to the owners. The company receives a ransom request which must be fulfilled before the data will be decrypted. Exploits as simple as a malicious menu bar downloaded when a user fails to uncheck it during a transfer can introduce such malware.
Direct Database Access – Database Servers are a very popular target for attackers because the data contained on them is usually very valuable. Direct, unencrypted database access is highly unusual, but various malware tools cause the servers themselves to initiate such connections. Noting unusual IP addresses connecting to database servers results in immediate action to block those connections.
Unusual User Behavior – Examining the “usual” activities of administrative users with high-level network access will often uncover sudden periods of unusual behavior, such as an admin logging in at odd hours, or logging into the network much more frequently than usual. This suggests that the user’s credentials have been compromised, resulting in immediate action to change that user’s passwords and other authentication details.
Incredibly Speedy Users – Where a user logs in is always part of their usage profile. When the same user logs in from locations so distant from each other that they would have had to use a Star Trek-like transporter to get from one to the other, it is immediately apparent that a password has been compromised. Immediate password changes usually resolve the exploit.
These are just seven examples of the kind of exploits that can be uncovered and resolved quickly when the goal is to produce actionable intelligence. A thorough Actionable Intelligence Report can expose many, many more kinds of attacks and provide the guidance needed to stop them.
Start a 30 day Threat Diagnostic for Free
Experience the difference between threat data feeds and a truly useful Actionable Intelligence Report. For a limited time, Synoptek is offering a free 30-day Threat Detection service which delivers a comprehensive Actionable Intelligence Report. Users taking this trial report that they will never return to standard detection systems again.