Before the Breach: Using threat intelligence to stop attackers in their tracks
IBM Global Technology Services
White Paper
Managed Security Services
Data breaches happen. They happen to big companies
and small companies, government agencies and nonprofit
organizations, hospitals and hotels. They happen every day,
everywhere and under virtually every kind of circumstance
you can imagine. And there’s no reason to believe that they’re
going to stop happening anytime soon.
Organized criminals, hacktivists, governments and adversaries
are compelled by financial gain, strategic advantage and
notoriety to attack your most valuable assets. Their operations
are often well funded and businesslike. Attackers patiently
evaluate targets based on potential effort and reward. They
use social media and other entry points to track down people
with access, take advantage of trust and exploit them as
vulnerabilities. At the same time, negligent employees can
inadvertently put the business at risk as the result of simple
human error.
IBM’s global monitoring operations and analysts have
determined that the average company experienced more than
91 million security events in 2013 (see Figure 1)—a 12 percent
increase over 2012. That reflects the continued worldwide
growth of data, networks, applications and the new technology
and innovations they support. It also reflects a growing number
of targets for potential attacks.1
Figure 1. Security intelligence makes it possible to reduce the millions of security events detected annually in any one of our clients’ systems to an average of 16,900 attacks—and under 110 incidents—in a single organization over the course of a year.

Security events, attacks and incidents for 2013

                      Annual        Monthly      Weekly
Security events       91,765,453    7,647,121    1,764,720
Security attacks      16,856        1,405        324
Security incidents    109           9            2

(Figure stages: security events are reduced to attacks by security intelligence correlation and analytics tools, and attacks are reduced to incidents by IBM security analysts.)
The damage can be severe
If consumers lose faith in a company’s ability to keep their
personal data safe, that company can ultimately lose customers.
In some cases, they can lose intellectual property. And they
most certainly stand to lose money. By one estimate, the
average cost of a single breach is more than $3.5 million.2
Taking the cost factor one step further, it’s also estimated that
each lost data record costs companies an average of $145.3 In
other words:
• A major retailer with millions of leaked credit cards
could face more than $1 billion in direct costs,
including fines.
• A university that leaked 40,000 records could suffer over
$5.4 million in losses.
Unfortunately, security investments—and approaches—of the
past may fail to protect against the highly sophisticated attacks
we’re seeing today. As a result, more severe security breaches
are taking place more often—and gaining more negative
attention in the media. In fact, public reaction to these breaches
has led 61 percent of organizations to say that data theft and
cybercrime are the greatest threats to their reputation.4
The sobering truth is, threats and attacker strategies are
advancing at a pace that most enterprises are unable to
match. What’s more, sophisticated attackers can continue to
steal valuable data for months—or even years—before they’re
even detected.
Know your enemy
When it comes to sophisticated attacks, there’s little doubt
that the attacker has the advantage. Because while you’re busy
trying to deploy your limited resources in defense of whatever
attacks may come your way, attackers have the “luxury” of
being able to zero in on a specific target or set of targets. They
can choose to devote all their energy and resources to finding
your vulnerabilities and exploiting them.
We all know that to protect your organization’s data, you need
to have the right security strategy, technology, policies, and
operations in place. But it’s become increasingly clear that
access to the right information and intelligence may be the
most important thing you need to help level the playing field
against today’s attackers. With up-to-date intelligence about
current and future threats, and a real understanding of how
well your security strategy stands up to these threats, you’re
in a better position to manage your defenses, reduce risk and
make smarter investments.
Threat intelligence transforms the technical analysis required
to identify the symptoms of an attack—such as malware and
security events—into an understanding of who the attackers
are and what their motives and capabilities may be. Armed
with that information, you can gain the insight necessary to
develop a proactive stance that makes it more difficult for
attackers to succeed.
In other words, you can use information about the threats
themselves to help manage risk. Taking advantage of threat
intelligence to help prioritize your security controls can help
you identify the latest attacks more quickly and increase the
speed with which you’re able to respond to an incident.
Where should you start?
If your organization is like most others today, you’ve probably
got at least a basic security strategy in place—along with at
least some defensive measures designed to keep outsiders out.
But there are lots of ways to look at IT security and plenty
of areas that can be of particular concern, making it virtually
impossible to gather information on everything going in and
out of your organization. So before you start thinking seriously
about threat intelligence, you need to set your priorities. A
good way to start is by answering the following questions:
• Which assets do you need to protect most? Customer data?
Intellectual property? Financial and personal profiles of
your organization’s leaders?
• Where in your organization would a security incident be
likely to do the most damage?
• What kind of attack would hurt you the most?
It’s no coincidence that these are the very same questions
an attacker might ask about you. That’s precisely why
understanding attackers and their motivations is so critical to
protecting your assets.
Next, you need to determine where you are now on the
IT security continuum and where you want to end up. For
example, just about every organization today maintains some
type of process for handling security-related software updates.
But you may not be doing much in the way of vulnerability
assessment, possibly because you don’t have the resources—in
terms of time, budget or people—to identify your exposures or
set priorities for eliminating them.
Or, if you’re already on board with assessing and prioritizing
your vulnerabilities, you may also have a SIEM (security
information and event management) system in place. You do?
Then what are you doing with the monitoring data you’re
collecting? Do you know which specific types of events should
be cause for further investigation? You can improve your
chances of detecting possible problems if you combine your
SIEM findings with threat intelligence on the actors, tactics,
tools and practices that are most likely to hurt
your organization.
This is the type of intelligence that can allow you to spot the
signs that an attack may be under way. And armed with that
evidence, you can begin to take action well before an actual
breach occurs.
Events, attacks and incidents defined
Security event: An event on a system or network detected by a
security device or application.
Security attack: A security event that has been identified
by correlation and analytics tools as malicious activity that
is attempting to collect, disrupt, deny, degrade or destroy
information system resources or the information itself.
Security incident: An attack or security event that has been
reviewed by security analysts and deemed worthy of
deeper investigation.
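The funnel the three definitions above describe, combined with the SIEM-plus-threat-intelligence correlation recommended a few paragraphs earlier, as a small added Python example. It is not code from the paper or from IBM; the intelligence feed, the event records, the source addresses and the user names are all constructed for illustration.

```python
# Added example, not from the IBM paper. Assumptions (constructed): the intel feed
# is a dict keyed by source IP; each SIEM event is a dict with the fields shown.
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed threat intelligence: indicator -> actor, technique, feed priority (1-5).
THREAT_INTEL = {
    "203.0.113.7": {"actor": "EXAMPLE-ACTOR-A", "technique": "credential stuffing", "priority": 3},
    "198.51.100.23": {"actor": "EXAMPLE-ACTOR-B", "technique": "spear phishing", "priority": 5},
}

# Constructed SIEM events (RFC 5737 documentation addresses, fictional users).
EVENTS = [
    {"ts": "2013-11-02T03:14:05", "src_ip": "203.0.113.7", "user": "jdoe", "action": "login", "outcome": "fail"},
    {"ts": "2013-11-02T03:14:09", "src_ip": "203.0.113.7", "user": "jdoe", "action": "login", "outcome": "fail"},
    {"ts": "2013-11-02T03:14:12", "src_ip": "203.0.113.7", "user": "jdoe", "action": "login", "outcome": "success"},
    {"ts": "2013-11-02T08:00:00", "src_ip": "192.0.2.10", "user": "asmith", "action": "login", "outcome": "success"},
    {"ts": "2013-11-02T08:05:00", "src_ip": "192.0.2.10", "user": "asmith", "action": "file_read", "outcome": "success"},
    {"ts": "2013-11-02T09:30:00", "src_ip": "192.0.2.44", "user": "bob", "action": "login", "outcome": "fail"},
    {"ts": "2013-11-02T09:30:03", "src_ip": "192.0.2.44", "user": "bob", "action": "login", "outcome": "fail"},
    {"ts": "2013-11-02T09:30:06", "src_ip": "192.0.2.44", "user": "bob", "action": "login", "outcome": "fail"},
    {"ts": "2013-11-02T09:30:09", "src_ip": "192.0.2.44", "user": "bob", "action": "login", "outcome": "fail"},
    {"ts": "2013-11-02T11:00:00", "src_ip": "198.51.100.23", "user": "ceo", "action": "mail_link_click", "outcome": "success"},
]

@dataclass
class Attack:
    src_ip: str
    technique: str
    actor: str
    priority: int
    events: list = field(default_factory=list)

    @property
    def succeeded(self) -> bool:
        # True if any correlated step got through (for example, a successful login).
        return any(e["outcome"] == "success" for e in self.events)

def correlate(events, intel=THREAT_INTEL, fail_threshold=3):
    """Events -> attacks, one per suspicious source.
    Rule 1: a source listed in the intel feed is an attack carrying the feed's actor, technique and priority.
    Rule 2: otherwise, fail_threshold failed logins from one source is a low-priority, unattributed attack."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)
    attacks = []
    for src, evs in by_src.items():
        if src in intel:
            i = intel[src]
            attacks.append(Attack(src, i["technique"], i["actor"], i["priority"], evs))
            continue
        fails = sum(1 for e in evs if e["action"] == "login" and e["outcome"] == "fail")
        if fails >= fail_threshold:
            attacks.append(Attack(src, "repeated login failures", "unknown", 1, evs))
    return attacks

def triage(attacks, min_priority=4):
    """Attacks -> incidents: high feed priority, or a known actor at least one of whose steps succeeded."""
    return [a for a in attacks
            if a.priority >= min_priority or (a.actor != "unknown" and a.succeeded)]

def funnel(events):
    """Counts in the shape of Figure 1: events -> attacks -> incidents."""
    attacks = correlate(events)
    return {"events": len(events), "attacks": len(attacks), "incidents": len(triage(attacks))}

if __name__ == "__main__":
    for a in triage(correlate(EVENTS)):
        print(f"INCIDENT {a.src_ip} actor={a.actor} technique={a.technique} succeeded={a.succeeded}")
    print(funnel(EVENTS))
```

The benign analyst session from 192.0.2.10 never becomes an attack, and the unattributed failed logins from 192.0.2.44 become an attack but not an incident; only the two sources tied to known actors reach the analyst queue.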
Set priorities that make sense for
your situation
It’s likely that your cyber security priorities will mirror many
of the threats currently facing your particular industry. Recent
reports show that the same five industries have topped the list
of those struck by the most incidents over the past two years,5
with the same two continuing to hold the top spots (see
Figure 2). Those two accounted for nearly half of each
year’s security incidents among the data collected. The only
difference is that they swapped places in 2013. It’s likely that
these two industries will continue to battle for the number one
target spot in the years to come, since a breach in either one
can result in both major business disruption and big paydays
for successful cyber criminals.
Figure 2. The finance and manufacturing industries continue to offer attackers the most significant potential payoff.6

Incident rates across monitored industries (share of incidents, by rank)

Rank  2012                                  2013
1     Manufacturing 26.5%                   Finance and insurance 23.8%
2     Finance and insurance 20.9%           Manufacturing 21.7%
3     Information and communication 18.7%   Information and communication 18.6%
4     Health and social services 7.3%       Retail and wholesale 6.2%
5     Retail and wholesale 6.6%             Health and social services 5.8%
Moving down the list, the two industries occupying fourth
and fifth place have also swapped places—although together
they accounted for 12 percent of the incidents in 2013,
compared to 14 percent in 2012. Both the retail and health
services industries deal directly with consumers, meaning
they both have high visibility and access to a huge number of
potential victims.
To see what it means to set priorities for threat intelligence,
here’s a look at how companies in those top five industries
might go about setting theirs.
In the finance and insurance industry—where business
is all about handling sensitive customer and financial data—
governance and compliance issues play a dominant role
in determining security priorities. But threat intelligence
priorities need to go beyond a “checking the boxes”
mentality, which tends to focus on avoiding intrusions by
patching software and servers, enforcing identity and access
management policies and other similar programs. A sensible
approach to developing threat intelligence priorities for the
finance and insurance industry might include:
• Access to current insight into known threats and attack
techniques that target financial businesses
• Monitoring access to tangible asset data for evidence of
anomalies that might indicate fraud or criminal activity,
and increasing the priority of alerts correlated to known
threat techniques
• Regular and proactive assessments of security risks—
including analysis of high-value resources for vulnerability
to known and emerging attack techniques—and
identification of highest priority issues, to help focus risk
mitigation efforts
In the manufacturing industry intellectual property
remains the prized catch for attackers. Product designs,
manufacturing details and business plans for developing and
marketing everything from next-generation consumer devices
to government-funded aerospace programs are the big targets
here. And breaches could result in serious consequences for
both the companies involved and public safety. The threat of
industrial espionage also makes it important for manufacturers
to understand the role that insiders might play as potential
attackers, which means their priorities could include:
• Tracking types and sources of email that’s been blocked
or alerted by email security solutions for correlation with
known attackers or threat techniques, such as advanced
spearphishing attempts
• Reviewing security assessments of issues discovered in
product development and fabrication systems to determine
which gaps may be exploitable by known and emerging
high-priority threats
• Penetration testing access to internal file sharing systems,
looking for lapses in control that are known to be targeted
by threat actors, or for unusual access patterns that could
indicate internal threats
In the information and communication industry, which
includes social media, it’s become increasingly difficult to
rein in the exchange of sensitive information across systems,
often making the systems themselves the conduit for attacks.
While attackers regularly hide in plain sight, they can also
hack their way into internal media networks and gain access to
critical financial market data, where they could wreak havoc—
undetected—in a matter of minutes. Threat intelligence
priorities for information and communication organizations
might include:
• Correlating detected activity in mission-critical networks
with known adversaries or attack techniques that pose
a threat to communications systems, their users, or the
business-critical processes that depend on them
• Watching for anomalies in social media usage such
as unusual access to legitimate accounts or activity
inconsistent with normal account use, which might indicate
account takeover or other exploitations of social media
• Content monitoring to detect the compromise of legitimate
web properties to propagate “drive by” malware downloads,
or to discover integrated third party services—such as
advertising content—which could be used or hijacked to
deliver threat payloads
In the retail industry, major security breaches dominated the
news in late 2013, revealing the theft of over 110 million credit
card records and shining a light on the vulnerability of credit
card data. What’s more, those incidents resulted in serious
financial and public trust issues for several major retailers.
Because credit cards have become a hot commodity on the
black market—and their value will likely keep them there for
a long time—retailers have an urgent need to know as much
as possible about the identity and motives of their attackers.
Therefore, a retailer’s priorities could likely include:
• Regularly assessing payment processing systems for
evidence of vulnerabilities known to be targeted by threat
actors and emerging attack techniques, and hardening those
systems against the ongoing evolution of attacks revealed by
threat actor intelligence
• Performing regular gap analysis on payment card industry
(PCI) compliance activities to determine whether there are
patterns that correspond to known threat activity and merit
further exploration
• Employing ongoing threat analysis services to help identify
potential threats before an attack can take place
In the health and social services industry, complex
compliance issues, many of which deal with patient and client
privacy, are major security concerns. Security breaches could
also disrupt the proper functioning of medical technology.
Moving on from there, it’s easy to see how a breach could
compromise an entire healthcare facility and potentially
threaten critical care technology—which could lead to loss of
lives. These are some of the reasons why threat intelligence
priorities in this industry might include:
• Active vulnerability scanning and assessment informed by
the latest insight into threat activity for systems handling
confidential patient and client data
• Regular penetration testing for systems running life-support
and medication delivery technologies for
assessment of known or emerging threats to health
and safety
• Investigating SIEM attack data relating to private patient
and client records for identification of activity correlated to
recognized health, safety or patient/client privacy threats
Penetration testing with a passion
When it comes to setting priorities for threat intelligence—in
virtually any industry—you’re likely to find that penetration
testing plays an important role. Penetration testing certainly
isn’t a new idea. But you might want to consider some new
ways to approach it.
As we’ve seen over the past few years, attackers are
continually becoming more sophisticated, developing new
techniques and finding new ways to exploit their targets. That
means you need to become more creative in developing your
penetration testing plans.
First, you and your testing personnel should determine the
scope of a realistic test. While most organizations are reluctant
to allow a penetration test to disrupt operational systems,
attackers rarely share that concern. But system disruption
may not be the goal of an attacker who prizes stealth in order
to remain hidden—and effective—for as long as possible. A
truly effective test doesn’t need to threaten the availability
or integrity of business-critical resources. It should, however,
reflect an understanding of what an attacker would regard as
the most valuable prizes in your organization. Focus on these
assets and you’re likely to achieve truly actionable results.
With that in mind, you probably need to update your image
of the “typical” attacker. Today’s attackers are smart, detail-oriented
and highly committed to achieving their goals. They’ve
broadened their repertoires, going beyond perimeter attacks
to include spear phishing, social engineering and even on-site
visits, all in the quest for access to an organization’s data.
These people are passionate about what they’re doing—which
means you need to be equally passionate about finding ways
to stop them. Make sure that your penetration testers
are driven by the same desire to “break things” as today’s
hackers, who revel in the challenge of getting past your
security measures.
Second, ask your testers to try getting past your own users.
Encourage them to send out fake emails and see how many
takers they get—or how many users spot the potential scam.
Give them your company phone directory and let them pose
as members of your IT team, calling employees and asking for
their passwords. Or tell them to try gaining access to secure
areas by posing as employees or repair crews. The idea is not
to embarrass people or point fingers, but to get an honest view
of where you may have weak spots.
And finally, remember that if at first they don’t succeed at
getting what they want, many attackers will simply try again by
taking a different approach. So make sure that your testers do
the same thing and work all the angles—not just email, or only
an on-premises visit, but both, as in a coordinated attack. You
may be surprised by what you learn about your vulnerabilities.
Still, that’s a lot better than being surprised by a breach.
Conduct your own incident investigation
You can learn a lot about your vulnerabilities by carrying out
your own incident investigation. In fact, you don’t even need
to have a “real” incident to gain valuable insight into the
types of vulnerabilities you may be facing. Take advantage
of penetration testing to discover software or configuration
defects that wouldn’t necessarily show up in a vulnerability
assessment that’s looking only for known issues. Penetration
testing also lets you gain insight into how a human element
might exploit aspects of your security measures. As a result, you
can identify gaps in your ability to protect critical assets and see
exactly what kind of intrusions your systems can withstand.
The journey from compliance to threat management
A large international insurance company with over 50,000
employees and more than 900 locations has made
considerable progress along its IT security journey over
the years. After starting out with basic security audits and
compliance activities, and later incorporating a threat- and risk-focused
approach, the company is now integrating security into
its business strategy.
But it’s taken some serious thought and effort to make
that happen.
A few years ago the company became concerned about a
growing problem. They recognized that both internal and
external actors could leverage any number of sophisticated
attacks against its people, processes and technology. And
if successful, those attacks could result in records theft,
business disruption, customer dissatisfaction, lost revenue,
fraud and a devaluation of the company’s brand.
It turned out that the company’s continued use of its earlier
security model—which had been designed for compliance, not
threat detection—was at the root of the problem. The security
system was reporting over 51 million events per hour, which
required a manual, resource-intensive process to resolve.
Not surprisingly, that led to delays in log collection, reporting
and analysis. It ended up taking five full days from the time an
attack was first detected until the security analysis could be
completed. Needless to say, a lot of damage could occur in five
days if any of those events were found to be serious threats.
That was when the company asked IBM to help improve the
situation. Together they worked to create a new security
model focused on threat detection instead of compliance.
By developing a new use case-driven tool, they were able to
reduce the “noise” generated by so many events. They also
shortened the time it took from the moment an attack was
detected until action could be taken. Now, instead of taking
five days, the entire process is completed in a single day. In
addition, they instituted a closed-loop process for incident
follow-through and closure. And they began to produce trend
information and metrics on relevant threats.
The company has found that shifting their focus from audits
and compliance to threats and risk required putting the right
structures in place to support their new approach and then
putting their security and IT teams in a position to support
those structures. Finally, they discovered that visibility is key
to successful threat management and risk mitigation—which
is what’s now allowing them to measure their performance
against business priorities.
Develop a strategy for targeting
today’s threats
With a security team that’s primed to hunt for attacks and
breaches by collecting security-relevant data from multiple
sources—and that’s got insight into the practices and tactics
of your known adversaries—you can access the information
you need to recognize evidence of threats before they surface.
And by deploying security intelligence technologies that let
you correlate those insights with malicious activity in real
time, you can take action to thwart serious threats before they
impact your business. You can also take advantage of new
and more sophisticated sources of external threat intelligence
and expertise—along with a set of newly emerging analytics
capabilities and tools—to augment your own knowhow.
Why act now?
The truth is, your business may be just a keystroke or credit
card swipe away from being in the headlines. And that’s just the
first reason. Here are a few more:
• Criminals will not relent: Once you’re a target, criminals
will spend as much time trying to break into your
enterprise as you spend on your core business. If you
don’t have visibility into attacks as they happen, the
criminals will succeed.
• Every business is affected: In the past, banks were among
the primary targets of cyber criminals. Today, diverse
actors move with lightning speed to steal tangible assets,
intellectual property, customer information and confidential
data across all sectors.
• Your perimeter may already have been breached: Recent
attacks demonstrate that victims were compromised for
months before they discovered it. Assuming that you have
already been breached is today’s prudent security posture.
Why IBM Security?
Traditional security defenses are no match for today’s
unrelenting, well-funded attackers. And disruptive
technologies are continuing to introduce new vulnerabilities
to exploit. To stop attackers—regardless of how advanced or
persistent they are—organizations must accelerate their ability
to limit new risk and take advantage of intelligence to gain
insight into attackers’ approaches and motives.
IBM’s advanced cyber threat intelligence services provide
that insight. Monitoring our worldwide security operations
centers allows us to collect information on billions of security
events that occur daily. But that’s just the beginning. We then
combine that information with our technology partners’ threat
analyses to deliver the kind of meaningful data that can help
you improve your security strategy.
IBM security experts have the industry knowledge to
understand which threats are most applicable to you. And
they coordinate with IBM managed and professional security
services to provide you with the guidance you need to build a
stronger security posture.
For more information
To learn more about how IBM can help you protect your
organization from cyber threats and strengthen your IT
security, contact your IBM representative or IBM Business
Partner, or visit this website:
ibm.com/services/security