by Justine Kurtz | Sep 12, 2019 | #LifeAtWebroot
According to a report from hired.com, the demand for security engineers is up 132%. Additionally, the need for engineers who specialize in data analytics and machine learning has increased by 38% and 27%, respectively. Given recent trends in cybersecurity, it’s no wonder, and demand at Webroot is no exception. To be successful, our software engineers have to stay ahead of AI and machine learning trends so they can explore, work, grow, and effectively evolve tech in the cybersecurity industry.
We talked to Alia AlaaElDin Adly, a software engineer based in Linz, Austria. In her role, Alia is constantly looking for new technology, testing platforms, and developing new solutions to stay ahead of modern threats.
What is your favorite part of working as a software engineer?
I enjoy exploring new technology and frameworks, especially figuring out problems by hand. Software engineers don’t always receive all the requirements up front, so we need to develop strategies and work on tasks without having all the pieces necessary to execute. For example, take the testing framework SpecFlow. We had to do a lot of research, have numerous brainstorming sessions, and rework the project outline to create a viable structure that would fit the needs of our APIs. It’s a fun challenge.
What does a week as a software engineer look like?
It really depends on the task at hand. Some tasks take a day or
two, and others can take quite a bit longer. In planning, most tasks are
designed to be completed in a maximum of two days, but, when you meet an unexpected
obstacle and need to find a workaround, the task needs more time. Also, you
have to factor in how much research or prototyping a task may require. One
thing I can say about working at Webroot is that I am learning a lot. It’s like
a rollercoaster ride: ups and downs, lefts and rights, spirals, and just when
you think you’re done, even more spirals!
What have you learned / what skills have you built in this role?
When I started, I had pretty bad documentation habits. You hear a
lot about the importance of documentation in school, but some lessons don’t
really sink in until you have to face them in a real-world setting. I would say
I still need to work on it, but my documentation has really improved! I am also
getting better at having a proper project structure, and I’m really enjoying
all the new tools and technologies I get to learn, like the SpecFlow framework
and Xamarin.Forms.
What is your greatest accomplishment in your career at Webroot so far?
I work on the Unity API team based in Linz, Austria. The Webroot® Unity
API is a platform that enables admins to dig deeper into the services and
information Webroot offers. It’s a really useful tool for a lot of our
customers, and I helped build out an automation testing framework to create
smoke and regression tests for the API. Also, I managed and organized the
end-of-year spotlight video that showcased what our team had accomplished.
What brought you to Webroot after your last job?
I was already in Austria completing my master’s when I applied for
the job. During the interview process, I liked how Webroot felt like a family.
Everyone was so friendly and welcoming the day I started. Instead of making me
feel like a nervous newcomer, they brought me in and helped me feel involved
and important right away. And it has stayed that way.
Best career advice you’ve received?
To always be flexible and not limit yourself. You have to be
curious not only about the world around you, but what you can do in it. If you keep
your options open, you’re more likely to discover new strengths, and new (and exciting!)
challenges to overcome.
What is your favorite thing to do in Linz?
I enjoy walking around in the city center and along the Danube
River. I also like to go cycling, climbing, and running. During spring and
summer, I usually bike to work and I like going to the lake to play beach
racket. Of course, I love traveling and visiting new cities and countries! I
feel very lucky that Webroot’s Linz office is in such a good location, which
makes quick day trips and weekend travel really easy.
by Connor Madsen | Sep 6, 2019 | Industry Intel
Deepfake BEC Scam
A new variant of the well-known BEC scam has implemented a feature that has yet to be used in an email scam: voice fraud. Using an extremely accurate deepfake voice of a company’s CEO, scammers were able to successfully convince another company to wire $250,000 with the promise of a quick return. Unfortunately, that transfer was quickly spread out through a number of countries, leaving investigators with very little clue as to the identity of the scammers.
Yves Rocher Data Leak
The customer databases belonging to French retailer Yves Rocher were found to be publicly available by researchers who discovered the records of over 2.5 million customers. In addition to the personal data, the details for over 6 million transactions and internal Yves Rocher information were grouped with the exposed database. The internal data could be a major opportunity for any competitors to gain a crucial foothold in the marketplace.
German Mastercard Breach
Officials recently learned of a data breach affecting nearly 90,000 German Mastercard holders who are part of the company’s member loyalty program. Nearly half of the exposed email addresses have already been compromised in previous data breaches, according to Have I Been Pwned, though the affected customers should still update their credentials. Fortunately, this breach only affected the loyalty program members rather than the entirety of Mastercard’s worldwide client base.
Ransomware Wave Hits US
Continuing on from a summer full of ransomware attacks on US cities comes a streak of 13 new attacks that range from the East Coast to the West Coast. Sadly, several of the victims have already paid out some portion of the demanded ransoms, with some insurance companies even attempting to negotiate with the attackers for a lower payout. With this streak, the total number of ransomware attacks in the US in 2019 is up to 149, 20% of which involved educational institutions.
UK Travel Agency Breach
A UK-based travel agency has recently fallen victim to a data breach that could affect over 200,000 of its customers. The main leak included audio files of the affected customers confirming travel and payment plans, as the travel firm completes its deals over the phone. The audio files appear to have been publicly available for a span of nearly 3 years, but the agency quickly secured the sensitive information once it was informed of its current status.
by Connor Madsen | Aug 30, 2019 | Industry Intel
Cybercriminals use Botnets to Launch Attacks on Social Media
According to a new report, more than half of all login attempts on social media sites are fraudulent, and at least 1 in 4 new account creation attempts are also fraudulent. With the sheer number of potential victims these types of sites provide attackers, these strategies are proving to be more and more lucrative. Even more worrisome: at least 10% of all digital handshakes, from online purchases to new accounts being created, are being made by malicious actors.
xHelper Trojan Infects Thousands of Android Devices
A new Trojan has infected over 30,000 devices in a very short time. By disguising itself as a JAR archive, the dropper is able to move quickly through a system, rather than being installed within a bundle as a standard APK. At least two variants of the Trojan have been spotted, one running extremely silently on infected devices while the other does less to hide itself, creating an actual xHelper icon and pushing an increasing number of notifications to the device.
Malicious PDF Scanner App
Researchers recently notified Google of a Trojanized CamScanner
app that has been downloaded over 100 million times. The app itself is used to
download and launch a malicious payload, after making contact with the
attacker’s servers. Fortunately, Google is quick to act when they receive these
types of reports, and has already removed the app from the Play Store. This app
follows in a long line of high-install malicious apps to hit the Google™ Play Store
in the last couple of months.
Cable Companies Delay Robocall-Detection Implementation
The delay follows the FCC decision to push out a technology that would allow all telecom companies to implement detections for the excessive number of robocalls their customers receive every year. Unfortunately, the FCC never set an official deadline, so the lobby groups for the cable companies have been pushing for further delays. Hopefully, more telecom companies will get behind this technology and start helping their customers avoid this kind of harassment.
Hosting Provider Data Breach
A data breach was recently revealed by Hostinger,
a hosting provider, which could affect their entire 14-million-strong customer
base. Within the last week, the company identified unauthorized access to one
of their servers, which contained sensitive customer information. Fortunately,
Hostinger resolved the vulnerability quickly and pushed out a mandatory
password reset to all affected users.
by Connor Madsen | Aug 23, 2019 | Industry Intel
Android Apps Riddled with Adware
Another 85 photo and gaming apps have been removed from the Google
Play store after they were discovered to have been distributing adware to
the roughly 8 million users who had downloaded the fake apps. The adware itself
is rather tricky: after sitting dormant on devices for at least 30 minutes to avoid
detection, it is then able to display a steady stream of full-screen ads
that make users wait through each in its entirety before allowing continued use
of the app.
Texas Hit by Multiple Ransomware Attacks
Several Texas municipalities have fallen victim to a single ransomware campaign affecting at least 22 locations and asking a cumulative ransom of $2.5 million. The state of Texas has been under fire for the past few months, suffering a seemingly endless string of ransomware attacks on local governments. Fortunately, many of the targeted districts have been swift to remediate issues and are already on the path to full system recovery, managing to avoid paying heavy ransoms.
Steam Zero-Days Released After Valve Bans Submitter
A researcher recently found several zero-day
vulnerabilities within the Steam API that could allow for local privilege
escalation (LPE), which could then allow malware to use the client as a
launching point. Unfortunately, Valve decided the bug was outside of its scope
of responsibility, locked the report, and refused to investigate it any
further, also banning the submitter from the bug bounty program. Eventually,
after much negative media coverage, Valve pushed out a patch that was quickly
subverted by another workaround. It is unusual for a company with so many
active users to blatantly ignore one of Microsoft’s most commonly patched
vulnerabilities.
Adult Site Database Exposed
Yet another adult site has fallen victim to poor information security practices after a database containing personally identifiable information belonging to nearly 1 million users was misconfigured and left publicly available. The leak was discovered by researchers who were able to verify a breach and swiftly report it to the site, which took only four days to secure the data. Site users were notified of the breach and are being advised to change login credentials, especially those using work devices or contact details.
Magecart Found in Poker Tracker
The infamous Magecart
card-skimming script was recently found loaded into Poker Tracker’s main site,
which allows online poker players to make statistics-based betting decisions.
It was later revealed that the script was injected through an outdated version
of Drupal that has since been updated. The attack left the attackers with a
copy of every payment made through the site or the app.
by Emily Kowalsky | Aug 20, 2019 | Home + Mobile
Our kids are more connected than any previous generation. From the moment they wake up, they have an instant connection to the internet through phones, tablets, and laptops. The internet is also now an important part of their learning experience, and many parents often assume that cybersecurity has risen as a priority for school administrators. But with many institutions struggling to modernize legacy systems, that assumption puts our children’s security at risk. Here are the top threats to cybersecurity in schools and how to protect against them, so you can send your kids out the door knowing they’re safe and secure.
Unsecured School WiFi
Many school WiFi networks are as vulnerable as any public network at a coffee shop or airport. In an attempt to secure WiFi networks in K-12 environments, many schools use pre-shared key (PSK) authentication. PSK authentication is the practice of sharing a single WiFi password with network users in order to grant access. This password often makes its way onto unauthorized devices, granting potentially malicious users access to the school’s network, and to your child’s digital footprint.
Weak Cybersecurity Practices
A school’s cybersecurity defense plan is only as strong as its weakest link, and that weak link is often the plan’s users and overseers. According to Verizon’s 2019 Data Breach Investigations Report, a startling 35% of all education sector data breaches were caused by human error. Mistakes as simple as using discontinued or out-of-date software can leave entire school systems vulnerable—even at prestigious institutions like Stanford University. Because Stanford was using discontinued software called NolijWeb, a white hat hacker was able to exploit a security flaw that left sensitive student data easily accessed through a simple change to a numeric ID in a URL. While exploring the scope of the vulnerability, 81 students’ private data was exposed, including information like Social Security numbers, citizenship status, criminal status, standardized test scores, ethnicity, and home addresses.
Targeted Cybersecurity Attacks
Due to the highly
sensitive data stored within their systems, education IT infrastructure is consistently a top target for
cybercriminals. K-12 school systems and higher education saw more than 48 million records exposed through data breaches in 2017 and
2018 alone. The threat has become a large enough issue that the FBI has
released a public service announcement warning that the education sector
was one of those most frequently targeted by social engineering schemes and
phishing attacks.
Beyond traditional cyber threats, schools often face a unique adversary—the students themselves. The Joint Information Systems Committee (JISC) recently conducted a survey that examined more than 850 cyberattacks against schools and concluded that a majority of those incidents had been perpetrated by students or school staff. Although an attacker who targets a school so that they won’t have to take a test may not be as costly as one that targets student data, it still can grind a school system to a halt.
How to Protect Your Student’s Cybersecurity
How can you protect your child’s cybersecurity while they are at school? Get involved. Ask the school’s administrators about their cybersecurity policy. Ask about the strength of their firewalls, their email security measures, and the amount of encryption applied to the data storage systems. If you’re not satisfied with their measures, be your child’s cybersecurity advocate.
Although you may have limited control over any school-provided devices, you can secure your child’s personal devices behind a trusted VPN (though they must know how to use it first). This will wrap your child’s data in a tunnel of encryption, protecting them from prying eyes wherever they go. In some cases, VPNs can prevent access to testing and curriculum sites on school networks, so students should know how to connect to and disconnect from their VPN at will.
Most importantly, teach your child to be aware of the risks of cybercrime and how to combat them. Help them understand how a VPN and other measures can keep them safe, how to recognize phishing attacks, and why they should always be vigilant. Your child knows to wear a seatbelt when riding in someone else’s car; they should also know how to stay safe online, whether at home, school, or a friend’s house.
The key to truly
protecting your children from potential cybersecurity threats is education,
both for yourself and for your family. Follow us on Facebook and Twitter to stay up to date on the latest risk reports and security tips.
by Austin Castle | Aug 17, 2019 | #LifeAtWebroot
With job growth projected to surge 24% over the next seven years, software engineering is one of the most in-demand professional fields in the U.S. Exceptionally competitive pay and the chance to pursue careers across many industries are just a few benefits of being a software engineer.
We explore how software engineers working in cybersecurity face unique challenges and opportunities in our sit-down with Fred Yip, Manager of Software Development in Webroot’s San Diego office.
Besides this sunny San Diego weather, what gets you out of bed and into the office?
I’m surrounded every day by smart people who want to do their best to solve customer problems. There is a lot to do, but the work is very engaging and rewarding. My favorite part of the job is working closely with my team to deliver products to our customers. We work in a startup-like environment. Everyone wears many hats: as software developer, as tester, DevOps engineer, and customer support.
There are many industries that demand your talent, what drew you to cybersecurity?
Cyberattacks are a rising trend. I used to work for an
enterprise serving Fortune 500 companies. Knowing that cyberattacks affect
everybody, I saw an opportunity to bring my skillset to Webroot. We extend our
product to small and mid-sized businesses as well as consumers, which gives me
the satisfaction of building a top-notch technology for anyone who needs it,
whether it be a doctor’s office, coffee shop, or someone walking down the
street.
What does a week of life at Webroot look like for you?
A typical week for a manager is not much different than that of a team member. We do software development, testing, and deployment of product features as a team. I help design and implement the cloud infrastructure that supports our software components as microservices. In addition, I look out for the well-being of each team member in terms of technical, personal, and career development.
What skills and traits do you look for when hiring software engineers?
As an engineer, you have to be a team player, not
self-focused. I look for a lot of integrity and honesty about what they are
doing and what they know and don’t know. An eager attitude toward learning is
important because it allows them to solve problems and contribute to the team. When
they bring their best character and performance, they help to build a strong
team. As long as someone has some relevant experience, they can always learn
the technical skills. And an ability to learn new things quickly is another
thing I always look for in a potential team member.
Are there any outside activities that you and your team are involved in?
We attended a coding challenge at UC San Diego earlier this year, where we host students for a friendly competition. It was very high energy and there was a lot of participation. It was a fun challenge beyond just writing code. You could actually see the code working against others and the top winner was recognized after we gave out prizes. I always tell candidates to participate in the event; it’s a way to motivate them to join our team!
by Connor Madsen | Aug 16, 2019 | Industry Intel
Hookup App Leaks User Locations
Geolocation and other sensitive data has been leaked from the hookup app 3fun, exposing the information of more than 1.5 million users. While some dating apps use trilateration to find nearby users, 3fun showed location data capable of tracing a user to a specific building or floor. Though users had the option to disable coordinate tracking, that data was nevertheless stored and available through the app’s API. 3fun has since resolved the leak and has hopefully implemented stronger security measures considering the private nature of its clients’ activities.
Ransomware Attacks on DSLR Cameras
Malware authors continue to find new victims, as a ransomware
variant has been found to be remotely attacking Canon DSLR
cameras and demanding a ransom to regain access to the device. Researchers
have found multiple vulnerabilities that could allow attackers to perform any
number of critical functions on the cameras, including displaying a ransom note
and remotely taking pictures with the camera. Fortunately, Canon has already
begun issuing patches for some of its affected devices, though it’s taking
longer to fully secure others.
Google Drive Exploit Allows Phishing Campaign to Flourish
A new phishing campaign has been discovered that uses a legitimate Google Drive account to impersonate the CEO, asking the victim to open the Google Docs file and navigate to the phishing site’s landing page. Luckily for victims, the campaign has a few tells. The phony CEO email address uses a non-conforming naming convention and the email itself appears to be a hastily compiled template.
British Airways Data Leak
British Airways has again come under scrutiny, this time after it was discovered that their e-ticketing system was leaking sensitive passenger data. The leak stems from flight check-in links that were sent out to customers containing both their surname and booking confirmation numbers completely unencrypted within the URL. Even more worrisome, this type of vulnerability has been well-known since last February when several other airlines were found to have the same issue by the same security firm.
Android Trojan Adds New Functionality
Following in the footsteps of Anubis, an Android banking Trojan
for which source code was recently revealed, Cerberus
has quickly filled the void without actually borrowing much of that code. One
major change is that Cerberus implemented a new method of checking if the
device is physically moving or not, in hopes of avoiding detection by both the
victim and any researchers who may be analyzing it. Additionally, this variant uses
phishing overlays from several popular sites to further collect any login
credentials or payment card data.
by Jason Berumen | Aug 15, 2019 | #LifeAtWebroot
Cybersecurity has become the hot industry – tips and tricks on how to get the most out of your cybersecurity internship (and land a job after graduation).
Students today are faced with grueling course loads, pressure to get real-world experience and a looming competitive job market. The need for hands-on knowledge and a developed resume is crucial, making internships a necessity. However, once you nail your interview and land your position, how do you prepare and make the most out of the opportunity?
The goal of an internship is to prepare you for your future career. While earning a college degree in computer science is quite an accomplishment, in the cybersecurity field, theoretical knowledge and your required coding and science classes just aren’t enough. It’s critical to supplement those courses with real experience tackling a variety of threats in the cyber landscape, not only to gain new skills, but also to understand what it’s really like to work in cybersecurity and decide if that career path is right for you.
According to a recent Wall Street Journal article, companies and government organizations are beginning to lock in contracts with cybersecurity job candidates younger than ever before–during junior, sometimes even sophomore year. Often, these early recruits are individuals who interned for the company in the past and proved themselves as an invaluable member of the team; securing a good position and acing your internship have never been more crucial to future career success. There’s no better feeling than having job security heading back to college for your senior year or being able to focus your electives on skills that will immediately translate to skills you’ll need for your upcoming role.
Be Eager and Ready to Learn
While pursuing a major in cybersecurity provides the background necessary for your internship, you won’t know it all. You should walk into your internship every day ready to learn the ins and outs of the field and be eager to take on new experiences. Say “yes” to everything.
According to William W. Dyer, director of the Corporate Affiliates Program for the Jacobs School of Engineering at the University of California San Diego, “Students study theories, case studies and learn both fundamental and advanced coding, but are not able to work on threats and breaches in real-time. They have structured work with a finite ending (quarters are 10 weeks long), whereas hacks and threats can happen at any time and require immediate response and solutions.”
A simple way to learn (and network) is to reach out to a few professionals who are working on a project you’re interested in or skilled in an area you’d like to further develop. Grabbing a quick coffee with someone who has been working in the cybersecurity field will allow you to gain valuable insights and real-world anecdotes. Not only will these people be able to mentor you, but they could even be a reference when the time comes for you to apply for jobs after graduation.
Be Up-To-Date on All Things Cybersecurity
Before your first day, it’s important to be well versed in the latest cybersecurity news, trends and data breaches. Taking the initiative to keep up on the latest in the industry and to provide an educated opinion on these issues will not only set you apart from other interns, but it will impress your managers and allow you to have a deeper understanding of your tasks and assignments. Every security incident is an opportunity to learn and ask questions that will serve you well later.
When pressed for what cybersecurity students should do to prepare for a future career in the space, Fred Yip, manager of software development at Webroot said, “Follow cybersecurity news and podcasts to understand what problems the industry is facing.”
Listening to a security podcast on your morning commute or setting up simple Google alerts for topics such as ‘data breach’ or ‘cybersecurity’ will keep you up to date on the conversations happening in the space. Lots of great discussions happen on professional LinkedIn forums and Twitter too.
Continue to Grow in Cybersecurity, Even After Your Internship Ends
Once your internship has concluded, it is important to keep growing and honing your arsenal, especially that crucial developer knowledge. According to Dyer, “We encourage our students to participate in any and all extracurricular activities that enhance their skills.” Taking online tutorial courses or participating in hackathons or coding challenges are a great way to put your new skills to the test.
That said, continuing to challenge yourself in school and taking coding and cybersecurity classes is also important. Classes that are focused on operating systems, network security, digital forensics or a variety of computer programming languages like C++, JavaScript and Python are all courses that will serve you in your future career. Finding the link between class and the real world is the key to a successful career.
Also continue following industry news and engaging with professionals through social channels. The network you create during your college years with classmates, professors and folks you meet during your internships will be instrumental in securing future opportunities. Check in with your internship managers: what’s their take on the latest data breach, acquisition or trend?
In today’s competitive job market, setting yourself apart through quality work is important and can be the key to a future at that company. While the classroom provides you with the concepts necessary to succeed, real-world experience will not only help you decide if a career in cybersecurity is something you want to continue to pursue, but you will gain invaluable knowledge and begin to grow your professional network that will be so crucial upon graduation. It is important to connect with colleagues and other interns, keep up with cybersecurity news, engage with professionals and accept as many opportunities as possible to learn about your chosen career path, allowing you to get the most out of your internship.
by Connor Madsen | Aug 9, 2019 | Industry Intel
Children’s Tablets Leave Users Vulnerable
At least one LeapPad
tablet designed specifically for children has been found to harbor critical
vulnerabilities in the app Pet Chat that could allow unauthorized access to
online traffic. The vulnerabilities could be used to locate the tablet’s owner by
creating a temporary WiFi network to help the user connect with other devices
in the area. In addition to the remote access, local attackers would be able to
send messages to children through non-HTTPS communications.
UK Universities Lacking Security
A recent study found that nearly 65% of the UK’s top
universities are currently operating with sub-standard cybersecurity,
especially during the time that students would be sitting for final exams.
Among the remaining 35% of universities that did have some domain
authentication, only 5% of those were using settings that would fully block
phishing emails. If UK university students are requesting any login changes,
they should be cautious when opening anything they receive, as the message may
be compromised.
Intel CPU Patch Issued by Microsoft
Microsoft just released a patch for an Intel
CPU vulnerability that was brought to light in 2012. The flaw could have
been used to breach memory data from the device. The researchers who discovered
it found they could easily leak sensitive kernel memory data into the normal
user operations, even though a system normally doesn’t allow this. Additionally,
this vulnerability would allow for speculative execution, which is when the
system begins executing certain operations pre-emptively and simply deletes
those that don’t occur.
AT&T Employees Bribed to Unlock Phones
Employees of AT&T
were found to be illicitly installing hardware onto corporate systems that
would allow an attacker to unlock phones that were prevented from being used on
other mobile providers. Even though some of the conspirators were eventually
fired, many continued to work from within and from outside the company to
further compromise nearly 2 million individual devices until the scam, which
had been ongoing for more than five years, was discovered.
Mobile Bank Customers’ PINs Exposed
Customers of Monzo,
a mobile-only bank in the UK, are being warned to change their PINs after many
customers’ PINs were leaked into internal log files. Fortunately, the data wasn’t
made available outside of the company and the problem of PINs being stored in
an alternate location has been resolved. Even after the company fixed the data
leak, though, many customers were still suspicious when receiving an email
informing them of the PIN reset issue.
by Kyle Fiehler | Aug 5, 2019 | Business + Partners, Threat Intelligence
1949, 1971, 1979, 1981, 1983 and 1991.
Yes, these are numbers. You more than likely even recognize
them as years. However, without context you wouldn’t immediately recognize them
as years in which Sicily’s Mount Etna experienced major eruptions.
Data matters, but only if it’s paired with enough context to
create meaning.
While today’s conversations about threat intelligence tend to throw a ton of impressive numbers and fancy stats out there, if the discussion isn’t informed by context, numbers become noise. Context is how Webroot takes the wealth of information it gathers—data from more than 67 million sources including crawlers, honeypots, as well as partner and customer endpoints—and turns it into actionable, contextual threat intelligence.
Read about the importance of data quality for a threat intelligence platform in our latest issue of Quarterly Threat Trends.
What defines contextual threat intelligence?
When determining a definition of contextual threat
intelligence, it can be helpful to focus on what it is not. It’s not a simple
list of threats that’s refreshed periodically. A list of known phishing sites
may be updated daily or weekly, but given that we know the average lifespan of
an in-use phishing site to be mere hours, there’s no guarantee such lists are
up to date.
“Some threat intelligence providers pursue the low-hanging fruit of threat intelligence—the cheap and easy kind,” says Webroot Sr. Product Marketing Manager Holly Spiers. “They provide a list of IP addresses that have been deemed threats, but there’s no context as to why or when they were deemed a threat. You’re not getting the full story.”
Contextual threat intelligence is that full story. It
provides not only a constantly updated feed of known threats, but also
historical data and relationships between data objects for a fuller picture of
the history of a threat based on the “internet neighborhood” in which
it’s active.
Unfortunately, historical relationships are another aspect
often missing from low-hanging threat intelligence sources. Since threat actors
are constantly trying to evade detection, they may use a malicious URL for a
period before letting it go dormant while its reputation cools down. But
because it takes more effort to start from scratch, it’s likely the actor will
return to it before too long.
“Our Threat Investigator tool, a visualization demo that illustrates
the relationship between data objects, is able to show how an IP address’s
status can change over a period of time,” says Spiers. “Within six months, it
may show signs of being a threat, and then go benign.”
What are the elements of context?
Over the course of a year, millions of internet objects
change state from benign to malicious and back numerous times as cyber
criminals attempt to avoid detection. And because threats are often
interconnected, being able to map their relationships allows us to better
predict whether a benign object has the potential to turn malicious. It also
helps us protect users from never-before-seen threats and even predict where
future attacks may come from.
That’s where the power in prediction lies—in having
contextual and historical data instead of looking at a static point in time.
Some elements that are needed to provide a deeper
understanding of an interwoven landscape include:
- Real-time data from real-world sources, supplemented by active web crawlers and passive sensor networks of honeypots designed to attract threats, provide the necessary data for training machine learning models to spot threats.
- An ability to analyze relationships connecting data objects allows threat intelligence providers to make connections as to how a benign IP address, for example, may be only one step away from a malicious URL and to predict with high confidence whether the IP address will turn malicious in the future.
- Both live and historical data help in the development of a trusted reputation score based on behavior over time and common reputational influencers such as age, popularity, and past infections.
Seeing the signal through the noise
Context is the way to turn terabytes of data into something
meaningful that prompts action. Being able to dig into the
relationships of internet objects provides the context that matters to
technology vendors. For consumers of contextual threat intelligence, it means
fewer false positives and the ability to prioritize real threats.
“Working with real-world vendors is key,” according to Spiers. “The reach of contextual threat intelligence and number of individuals it touches can grow exponentially.”