FortiGuard Labs Threat Research Analysis (2020-07-16)

The famous painting 'Swans Reflecting Elephants' creates a double image and is an ideal metaphor for what we know about the Internet and the hidden layer beneath it (the Darknet). I also see it as a metaphor for cyber adversaries and researchers, and for how we are almost tangled together by destiny in the world of cybercrime. Let me explain why…

Researchers often overlook the importance of additional sources of cyber threat intelligence and ways to get the most out of their searches. In its most basic terms, cyber threat intelligence allows organizations to prepare for, and mitigate against, cyber-attacks. But that is becoming more and more challenging as the cybercriminal ecosystem grows, and the volume and sophistication of attacks continue to expand. Gartner provided this definition nearly a decade ago, and it still applies today: 'Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.'

At FortiGuard Labs, we use threat intelligence to better understand the techniques, malicious software, and potential targets that threat actors are considering attacking. Our threat intelligence is curated from many different sources, including (but certainly not limited to) millions of global network sensors, as well as multiple honeypots, cybersecurity reports, and intelligence shared between security professionals, security vendors, government organizations, and private partnerships.

With over 100 billion indicators of compromise, or IOCs, observed every day, threat hunters at FortiGuard Labs also employ a variety of automation tools to scan, process, mine, and correlate this data. This includes multiple internal machine learning techniques and our patented AI threat collection and correlation system, using big data analytics and elastic search clusters, writing Yara rules, and sometimes just relying on a close relationship with our customers and other security professionals who participate in the community submissions of threats.

One of our most frequent data sources for threat intelligence is attacker and torrent/onion forums, usually on the Darknet, where malware, ransomware, and denial-of-service services are often discussed, purchased, and sold. Many of these forums require researchers to jump through a significant number of hoops to gain access. Some forums require payment, other forums require people to vouch for you as a real hacker, and sometimes you have to prove your worthiness by demonstrating your ability to code around a security problem or create malicious software. Complicating this process further, the general rules of engagement from a white hat security researcher's perspective state that, as one of the good guys, you never pay for information, never create code, and never even remotely participate in anything illegal or unethical.

Many people would think that this would limit the usefulness of the information we are able to access. It does not. That's because most attackers on these forums are not motivated solely by financial incentives. They want to post and advertise their knowledge in forums that will get the most views, and many want to show off their skills. Contrary to popular belief (and Hollywood movies), you will probably not find spies from two rival nations surreptitiously communicating across some secure backchannel on these networks. What we do see, however, are frequent attacks targeting large numbers of individuals and organizations rather than narrow, specific, targeted attacks.

I am often asked where and how we find out about these hacker forums. There are a few popular forums that get lots of attention, but these forums often have lots of noise, including ads and very outdated information. Others are much more focused. Regardless, these forums are not necessarily any more malicious than a Facebook group or even a cybersecurity class. And most importantly, in our case, the techniques shared in these forums help defenders understand attacker culture and how to defend against the attacks seen most frequently.