Please note we have recently updated our Privacy Policy, effective May 24, 2018. You may view the updated Privacy Policy here.
By using this website, you consent to the use of information that you provide us in accordance with the Privacy Policy.


With Threat Intelligence, a Blurred Picture Often Tells the Most Clear Story

May 24, 2016 / Ben Johnson

Do you have one of those friends or family members who tells you every detail of every story?  As they are speaking, you think to yourself: “Just get to the point!”

Or do you have coworkers who are so head down they miss what should be obvious?

A tragic example of this approach occurred in 1978. United Flight 173 had a warning light on when it was attempting to land. The crew paid so much attention to diagnosing the problem and ensuring the passengers felt comfortable that they didn’t realize they were running out of fuel.  The plane crashed short of the runway and people died.

The crew missed the core stuff because they were too concerned with diagnosing secondary or tertiary indicators.

In threat intelligence, we are experiencing something similar, albeit not as acute. As an industry, we’ve become heavily focused on pumping as much data through the Internet’s tubes as possible that we often fail to see how effective the intelligence is.

This intelligence, our cyber currency, is becoming easier to consume and we want as much as we can get. But, as management consultant Peter Drucker said: “Efficiency is doing the thing right. Effectiveness is doing the right thing.”  

With threat intel, we may be efficient to the tune of millions of IOCs, but are we actually effective?

Intentionally Blurring Our View

In our event activity and threat data, we need to step back. We need to take the equivalent of a blurry photograph and see things for their shape and their story, versus every detail. Of course, I’m not against sharing the typical hashes, IP addresses and the like, but we’re often too zoomed in on that microscopic level that we’re unable to determine which organism we are looking at. We must start see the whole picture.

This is where we come back to the “Patterns of Attack.”  We must understand the story behind the details and then we must share that story with our friends, our colleagues and even our competitors. That is how we fight back.

Capturing the Frames

Fighting back starts with visibility. If you cannot observe the activity and you do not have the data, there can be no story to understand. That visibility can come from endpoint telemetry such as Carbon Black, full-packet capture from the network, or somewhere in between. The bottom line is that you need relationships and enough observed activity to be able to put together an understandable story.

Assuming you have the right data, it’s time to figure out what story to tell. If you tell too specific of a story, you will miss when the attacker iterates on their exploit kits. If you tell too broad of a story, then legitimate activity will fit this pattern and you’ll fall into the too-common tale of alert fatigue.  That’s no good. So, just as with “Goldilocks and Three Bears,” you need to find the story that is “just right.”  

(De)Constructing the Story

Start by deciding where your initial focus will be. Pick one of these three locations:

  • The infection
  • The root cause of the infection (rewinding the tape from infection)
  • The activity that occurred post infection (fast-forwarding the tape from infection)

Once you have a starting point, the goal is to add just enough to the story to make legitimate activity much less likely to fit. Let’s go through the following example:

  1. Chrome is used to visit an unknown domain
  2. Java is spawned by Chrome
  3. Command shell is spawned by Java
  4. Unknown application is spawned by command shell
  5. Putty is spawned by unknown application to setup a reverse tunnel
  6. Other activity occurs (omitted for brevity)


We will be inundated with notifications if we alert any time Chrome visits an unknown domain. So we keep going. But Java being spawned by Chrome, which visited an unknown domain is probably still too likely. We need to add to our screenplay. Incorporating the Command Shell spawned by Java seems to do the trick.

Once this story appears sufficient, we check to make sure that our environment won’t have a lot of legitimate activity that matches it. From here, we can continue to move from sufficient to optimized. We can remove the “visits an unknown domain” from our story and simply say: “Chrome spawns Java, which spawns Command Shell.”  

Taking that story one layer higher, (“blurring” it) we have “Browser spawns Java, which spawns Command Shell.” We could even go another level, where we say “Browser spawns plugin, which spawns Command Shell.”  It seems so simple once you get to this point but now you have an incredibly powerful way of disrupting your adversary with a “Pattern of Attack.”

MagicEyeCoverNotice that we didn’t have to specify which version of Java, which path of the browser, or any specific web or C2 sites that are contacted. We were intentionally fuzzy and blurry with our story and yet we have clarity. Remember those Magic Eye images where you relax your vision and look beyond the specifics of the image only to have the hidden shape reveals itself? That’s what we’re trying to do with threat intelligence.

The feedback loop and some testing is key as each environment is incredibly different.  An unsigned binary spawning the svchost.exe application is indicative of Zeus banking malware, but in some environments that activity happens a million times per month from legitimate (albeit questionable) software. This is why there should be sufficient context to educate the consumers of your POA in order to use it as a recipe should tuning be necessary. After all, if you’re not tuning, you’re probably falling victim to the deploy-and-decay scenario that plagues too many security teams.

In an ideal scenario the Pattern of Attack applies to other environments, too. Sure, you should immediately reuse a story for your own enterprise’s protection, but if you can help others by sharing that information, why not go for it? A united defense is much stronger than siloed defense. Sharing makes this possible.

Wrapping Up

Statistician Nate Silver aptly asserted: “The signal is the truth. The noise is what distracts us from the truth.” Up until now with threat intelligence, we’ve simply said: “more is better” and thrown everything, both focused and unfocused, in a cyber melting pot that doesn’t taste very good.  

Sure, some are getting value from threat intelligence and that’s great, but if we look at how much effort we put into incorporating IOCs and other types of intelligence into our environments, what’s the true utility of what we are doing? Are we actually being effective?

It’s on all of us to deconstruct malicious activity and understand Patterns of Attack quickly and clearly in order to identify when these these “stories” are retold. We need to think about effectiveness, and how we can increase the strength of the patterns we share.

Remember, a Pattern of Attack’s strength is not in the purely technical patterns and relationships. The context and the thought process that went into constructing the POA should be shared, because, after all, context is everything.


What is “Collective Defense?” Click here to learn more. 

TAGS: Carbon Black / Pattern of Attack