Pro View: Redefining Threat Intelligence Mission: From Reactive to Proactive
Updated: Oct 7, 2021
Vitali Kremez & Danny Aga
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” -Sun Tzu, Art of War
Advanced Intelligence’s CEO Vitali Kremez and Strategic Advisor Danny Aga discuss how the Andariel platform is redefining the Threat Intelligence mission from the traditionally reactive perspective to a more proactive focus that is particularly advantageous from both a defensive and Digital Forensics and Incident Response (DFIR) perspective.
Question 1: What is “threat intelligence”?
For us, threat intelligence is that which shapes the leadership's model of reality in regard to security, and that which shapes security operations teams' tactical actions.
Question 2: What makes threat intel proactive?
Danny: The Cyber Threat Intelligence industry has fundamentally been at a disadvantage by not having a forward-looking capability, instead building feeds of historical Indicators of Compromise (IOCs) and/or profiles of groups and their past activities/relationships, without much of a focus on immediately actionable information that could lead to the prevention of cybercrime rather than just detection.
My experience in DFIR has been that intel reports that are even a few months old do not always provide sufficient context for today’s threats. From a forensics perspective, attacker TTPs are the most valuable indicator to help understand what could have happened, as full visibility is rarely achieved, but IOC feeds do not cover this and thorough reports are not timely enough.
One of the primary missing pieces for us as investigators had been visibility outside of the victim’s environment, and not only through publicly available data, but into the actual attacker infrastructure. Threat intel can become proactive by identifying potential paths of entry, precursor activity, and attacker/victim communication during the attack chain. Intelligence can thereby be gleaned early enough to mitigate a threat even as late as the command & control phase, prior to full completion of attacker objectives.
Question 3: Why is it important to track early indicators?
Danny: Tracking early indicators is key to proactive threat intelligence. Following the adversary’s footprints soon after they are made provides the precursory knowledge needed to halt exploitation attempts before they mature into large-scale threat events like ransomware, account takeovers, etc.
According to recent studies, the global median dwell time (the time between initial intrusion and detection) has dropped to 24 days from 56 days a year ago. While that is progress, attacker time to exploit is also shrinking, with some ransomware “speed runs” taking only a couple of hours.
More often than not, there is an opportunity to proactively disrupt an attack in between initial exposure and an impactful incident. For example, intelligence from credentials being sold at an RDP shop, forum-posted dumps of mass-scanned firewall credentials, and adversary-initiated vulnerability scans can prevent a likely incident with enough time to act. However, few if any traditional intelligence firms possess that deep level of insight.
AdvIntel’s considerable malware reverse-engineering experience has proven extremely valuable. Malware is constantly changing, and the deployment/tactics are becoming a challenge to the cybersecurity workforce as a whole. Being able to use a threat intelligence platform that culls information gained from malware analysis of a binary further paves the way for the DFIR analyst to have up-to-date data at hand when investigations are performed. Access to this type of information can lead to adversary identification as well as discovering information on the latest secondary tools being leveraged when an attack occurs.
AdvIntel marries the disciplines of malware analysis, reverse engineering, and threat intelligence to provide a more complete approach where they complement each other and result in a better-defined product. Their “Anatomy of the Attack” summaries from recent in-the-wild incidents provide great context and training for our team.
Question 4: Given that Advanced Intelligence, LLC is the only threat prevention and loss avoidance software product, how do you offer uniquely customized solutions to your clients?
At Advanced Intelligence, we focus on providing proactive intelligence which supports our dual mission of providing threat prevention and loss avoidance solutions to our customer base. This is done through our unique view into the criminal underground - through the use of the adversarial perspective.
Our proprietary platform, Andariel, provides a mirrored view of criminal activity, which supplies our users with predictive tools and insights that are used to prevent intrusions from maturing into large-scale threat events like ransomware attacks.
Question 5: Advanced Intelligence provides immediate alerting, applied intelligence, and long-term strategic services to help its clients overcome any obstacles posed by the existing and emerging cyber threats. Would you like to elaborate on this a bit more?
Vitali: Absolutely! We strive to provide our customers with the most actionable, high-fidelity intelligence data that serves both their short-term and long-term needs. To ensure that our customers reap the most benefits from our technology and solutions, we provide a vast array of solutions spanning from full API automation, Splunk integration and Maltego, raw adversarial datasets, contextualized intelligence, and extended intelligence strategies aimed at threat prevention and loss avoidance.
Our technology enables alerting practices to cover both the individual and enterprise level, which can be actioned to de-risk the supply chain through executive-level and third-party monitoring, bolster anti-phishing efforts through domain mimicking detection, as well as uphold brand integrity through account takeover monitoring.
AdvIntel also provides its customers with access to contextualized intelligence that includes insight into threat group indicators of compromise, novel TTPs, and crime underground and darkweb monitoring. Our Andariel platform allows our customers to leverage this data through the convenience of integrated API endpoints so as to maintain adversarial awareness.
We offer a wide variety of long-term threat intelligence strategies aimed at threat prevention and loss avoidance. Such solutions include, but are not limited to, initiating domain takedowns to stymie phishing attempts, credential exposure monitoring, and surveying DarkWeb chatter which can assist in Vulnerability Management, brand monitoring, and even emerging criminal enterprises.
Question 6: What are your focus areas? Please share an overview.
Vitali: At AdvIntel, we focus our energies on providing continuous proactive threat monitoring which includes deep visibility into the criminal infrastructure. Our monitoring capabilities involve adversarial awareness into prolific botnet groups, ransomware syndicates, crimeware operators, fraudsters, and more. As part of our early warning monitoring model, we prioritize delivering the highest fidelity adversarial datasets to our customers which assist in proactively identifying and dissolving threats before they mature into large-scale incidents.
Question 7: Partnerships make businesses more robust and better. That said, who are your partners, and how do these collaborations help you grow?
Vitali: Whether we are providing actionable intelligence on the individual or enterprise level, our approach remains the same: we strive to emphasize the human element of threat intelligence. Information sharing is vital in the battle against cybercrime. To this end, we proudly partner with various ISACs and ISAOs to support their sector-specific threat alerting practices. Leveraging our unique adversarial insight within their networked relationships ensures that our capabilities are reaching a much wider audience, which in turn, will assist in building a brighter, safer future.
Question 8: What new endeavors is Advanced Intelligence currently undertaking?
Vitali: This is an exciting time for our company. We are growing at an exponential pace, which means that we have many ideas on where we would like to see our product and our offerings go. Our mission is to provide our end-users with access to the most high-fidelity adversarial data feeds, thereby further extending our intimate view into adversarial behavior patterns.
Putting investigative power into the hands of our platform users is also something that we are continuously emphasizing. Whether it is through alternate sources of automation, one-on-one training sessions that delve into our platform’s capabilities, or expanding our offerings, we aim to provide our platform users with as many tools as possible to assist in participating in the threat-intelligence-as-threat-prevention model.
Question 9: Who are your clients? Would you like to share a client success story or two?
Vitali: There is a universal need for threat prevention and loss avoidance. This need is reflected by our client base. Proudly catering to a wide spectrum of clients including those affiliated with the industries of finance, insurance (with specific emphasis on cyber insurance carriers), healthcare, security, telecommunications, and even professional services, we have begun to build a culture of proactive intelligence which has reaped tangible benefits. As an example, one of our clients, an organization affiliated with the insurance industry, uses our strategic adversarial vantage point to de-risk their insured customers’ exposure levels.
We also work closely with the security industry, specifically with incident response teams. Our product, Andariel, and our technological solutions are leveraged to assist in identifying the patient zero in the aftermath of a threat event. Our uniquely positioned insight into the adversarial space allows IR teams to piece together an incident by mapping out the threat actors’ movements within the victim network.
Of course, this information can also be harnessed to serve as a source of predictive awareness into criminal territory, as well. We have had a few instances in which our view into the botnet infrastructure has assisted in identifying potential ransomware victims. Through our early warning monitoring capabilities, we were able to assist the intrusion victims in mitigating the threat before it escalated to a ransomware attack!
Question 10: How do you plan to transform your company into a future that is unfolding before you?
Vitali: As the cybercrime and advanced persistent threat domain continues to evolve, so shall we. To maintain the closest, most intimate view into a threat actor’s frame of mind, we are routinely adding elements and integrations into our platform software and model to add as much value to our customers’ experience as possible. Currently, we have a few irons on the fire that endeavor to carry on this mission, which we are very excited to share with the world in due course!
Danny Aga is a Strategic Advisor for Advanced Intelligence LLC as well as VP of Digital Forensics and Incident Response at CFC Response/Solis Security. Danny has over 16 years of experience in digital forensics. In his current role, Danny leads CFC Response’s DFIR organization, one of the largest of its kind dealing primarily with cyber claims, and also oversees CFC Response’s Project Management team and Cyber Threat Intelligence initiatives. Danny is also an advisor/investor at Living Security, a rapidly growing security awareness and human risk management startup.
Vitali Kremez is CEO and Chairman of Advanced Intelligence LLC. Vitali specializes in researching and investigating complex cyberattacks, network intrusions, and data breaches. Over his government and private sector career, Kremez has made numerous groundbreaking findings into Eastern Europe’s cybercrime underworld and has earned virtually every major certification available in the fields of IT, security, and digital forensics.
Advanced Intelligence is an elite threat prevention firm. We provide our customers with tailored support and access to the proprietary industry-leading “Andariel” Platform to achieve unmatched visibility into botnet breaches, underground and dark web economy, and mitigate any existing or emerging threats.