Threat Intelligence: Data Driven Security

by Liejun Wang, director of 360 threat intelligence center, 360ESG

Gartner’s definition of threat intelligence is as follows:

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

This is an ideal definition, which proposes clear requirements for the amount of information to be included in intelligence. The complete intelligence style, as the basis of providing decisions for high-end users,  can be considered as narrowly defined threat intelligence.

In fact, such accurate and comprehensive intelligence services mentioned above are not available to most organizations and agencies. Even if such services are obtainable, they may not be so actionable. Just imagine, even though a security vendor is able to provide the background of a foreign APT group, including source countries and even the personal information (These are all necessary to high-end threat intelligence), to a large enterprise is faced with, what else could the company do? Generally, the organizations and agencies cannot serve as law enforcement agencies to take measures to mitigate threats arising from intelligence.

For general companies or organizations, a relatively low-end indicator of compromise (IOC) is more realistic. It consists of data that can be applied to boundary security devices and host security protection software. The typical intrusion indicator includes file HASH, IP, domain name, program operating path, registry key, etc. The continuous accumulation and iteration of the producible threat intelligence cannot be accomplished in a single day.

As threat intelligence has very high demands for timeliness and industry, experts ever conducted researches specifically for open source threat intelligence and found that 75% of malicious IP intelligence lasts for no more than 5 days. The threat of intelligence against the financial industry might not apply to the telecom industry.

It is for these reasons that threat intelligence has high requirements on suppliers’ customization capability. In many cases, security vendors’ integrated threat intelligence services will not achieve expected results, but produce a lot of noises and increase the burden on security personnel.

360 ESG, itself, is endowed with PE sample collection capacity at tens of billions level. The capability of full-  dose data collection and rapid data processing makes 360  more efficient in producing threat intelligence. On the one hand, the timeliness of threat intelligence is guaranteed to the greatest extent; on the other hand, the customization capability of threat intelligence products in many subdivided fields is also supported by sufficient data.

Then how can 360 ESG own such big data for security? To be more specific, it aims to provide useful and all-dimensional IP reputation for information and realize the ability to discover, evaluate and track a variety of epidemic and advanced targeted attacks by producing attack discovery logs of vast terminal samples, active defense data, file credit information and a variety of security products (such as website security, firewall, situational awareness, advanced threat discovery, etc.), and integrating the identification and portraits of associated threat sources based on huge security terminal software installation foundation in China. Meanwhile, as the basic data of machine-readable intelligence in batch production, it can realize local and popular attack IOC coverage. Besides, relying on vast threat intelligence source data like historical Passive DNS and Whois data, 360 ESG is endowed with the efficient capability to discover threat, associate and attack sources.

Based on threat intelligence,

360 ESG also owns the first- class ability to discover and track APT  groups.  According to the statistics, 38 APT groups are monitored by 360 in total, which is the supplier who published the most APT reports in China. APT groups firstly discovered and named by 360 include OceanLotus, APT-C-12, APT-C-01, etc.

In the year of 2018, 360 threat intelligence center published more than 20 technical reports on APT activity, which involve six independent APT groups, including two firstly revealed groups in 2018, and discovered two in the wild 0day vulnerability attack cases, thus taking the leading position together with internationally recognized suppliers.

Such kind of experience accumulation and strength demonstration  is  attributed  to

360 ESG threat intelligence research and analysis team, which is formed by nearly 100 experts. Specialized talents are available for all links of threat analysis, including public intelligence collection, data processing, malicious code analysis, network traffic analysis, and clue mining expansion, thus providing powerful basic data and threat assessment support for improving the ability in developing security services and products of threat intelligence. Till now, 360 ESG has already published many   threat intelligence products like Alpha threat analysis platform, a threat intelligence platform – TIP, threat intelligence platform for the regulatory industry – threat radar,

advanced threat intelligence analysis services and  Cloud  SaaS API, and has been able to provide customized industrial solutions for different customers, thus playing a leading role in the industry in terms of the delivery success rate.

In addition, core security products and services like 360 intelligent firewalls, EDR, NGSOC, situational awareness, Cloud security, and virtual security are integrated into the threat intelligence ability. The machine-readable intelligence can be rapidly sent to security devices, formulating a linkage defense system driven by threat intelligence. 360 ESG will make persistent efforts to demonstrate more excellent threat intelligence ability in the future.

About the Author

Liejun Wang is the Director of 360 threat intelligence center, with a focus on malware analysis and APT tracking.