Why should all the cool security analysts focus on deciphering attack intent?

Posted by Avi Chesla on Jul 23, 2018 3:05:00 PM

"Intent." Is there anything more essential to business decision-making and processes?

I doubt it.

Salespeople must know the intent of their prospects. Marketing people need to know the intent of their consumers. Employees need to know the intent, the mission and business goals, of their employers.

But intent is something that isn't discussed enough in our world of cybersecurity, and that's a real issue. Perhaps the biggest gap we face is the inability of cybersecurity professionals to know, on a deep and immediate level, the intent of hackers.

Intent, in our world, means: what are they after? How are they planning to sabotage my network and my business? And can we answer that before it is too late?

But the way we organize our security operations makes intent hard to identify. Today CISOs, security analysts and their teams have to manage a tsunami of security tools and solutions, typically working in silos that generate a sea of structured and unstructured data.

Given this, deciphering the intent behind the different events, clues and signals these tools generate is a nearly impossible task.

Even skilled talent, resources and time may not be enough. Yet deciphering the intent behind security events is key to achieving effective security.

Flash forward to empow.

empow was named a 2017 "Cool Vendor" by Gartner, in its “Cool Vendors in Monitoring and Management of Threats to Applications and Data, 2017” report precisely because of the revolution in “intent deciphering” we represent.

Gartner makes the point compellingly, noting that empow “…goes a step further than most products do by deciphering the intent of bad actors and events; it then selects optimized investigation, and prescribes remediation/mitigation actions accordingly. Combined, these methods reduce the noise and false positives in security systems”.

There is no debate. Understanding the intent of an attack is a key imperative for effective and efficient security, so that investigation and remediation capabilities can be put into action quickly, before it's too late.

Let’s take a look at the value behind deciphering attack intent.

From Theory to Practice…

Okay, imagine this. 

An alert is raised by your system for a malware variant with a generic name. Your analyst is now forced to search for information about it (where?), analyze it and assess (or guess at!) the possible intent behind the event: is the attacker trying to steal financial records (steal-ware)? Personal information (spyware)? Service disruption, data manipulation, privilege escalation, a remote access trojan (RAT), and so on?

Your analyst will likely try to track down the malware in one threat center and then another and then another, always searching for more.

What's more, malware naming practices are inconsistent: different vendors give different names to the same malware. And how can you be certain that the source is reliable?

It's a broken process. When analysts need to handle thousands of alerts per day, this becomes an impossible task. The result is that your analyst will never fully understand the new threat, correlate events effectively or understand the complete attack story in time, let alone understand how the attack can impact the network and how to defend against it.

How empow Uses Machine Learning to Decipher Attack Intent

Whether they realize it or not, attackers leave "intent clues" that are enormously valuable if you have the ability to identify them. Moreover, the attackers are not the only ones who leave a trail: so do the good guys, the researchers who analyze vast amounts of malware and intrusions all over the world and contribute their reports and conclusions to various collaborative threat exchanges, communities and databases.

empow's researchers and data scientists have created, and continually tune and train, "intent classifiers" that use NLP methods to identify the indicative words and phrases, and the correlations between them, that reveal intent.

These classifiers work on structured and unstructured data. They can search third-party threat-center reports, community blogs, the attack-signature databases of intrusion prevention systems and so on in order to decipher the intent of each event.

This is an essential capability. Even if we only have the name of the malware, or just its hash, we mine the relevant additional information, combine it with other signals, and decipher the intent automatically.

Essentially, we automate what a skilled analyst can do, combining our own resident IP with community sources, to create the first engine in cyber history that can understand intent at scale. This quickly illuminates what the malware, intrusion vectors and other attacker activities were built to accomplish, even if the tool that generated the alert cannot yet recognize the malware. This is invaluable for your SOC analysts, giving them insight into how the network will be affected.
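As an added illustration of the approach sketched above (this is example code written for this page, not empow's product or a description of its classifier), here is a toy "intent classifier": a multinomial naive Bayes model trained on a handful of hand-written, labelled report snippets, applied to the text a threat-center lookup returns for an alert name. The category list follows the post's own list of attacker goals; the family names, vendor aliases, report text and training snippets are all constructed for the example. A generic or unknown alert name deliberately falls through to "unknown" rather than a guess, since that is exactly the case an analyst would otherwise have to research by hand.

```python
"""Toy intent classifier over unstructured threat-intel text.

Constructed example, not empow's code: a multinomial naive Bayes model is
trained on hand-written, labelled report snippets and then used to assign
an intent category to the text a (made-up) threat center returns for a
malware name. Every family name, alias and snippet below is invented.
"""
import math
import re
from collections import Counter

# Intent categories taken from the post's own list of attacker goals.
INTENTS = ("financial_theft", "espionage", "service_disruption",
           "data_manipulation", "privilege_escalation", "remote_access")

STOPWORDS = {"the", "a", "an", "and", "to", "of", "from", "for", "on", "in",
             "into", "by", "with", "until", "is", "are", "over", "against",
             "as", "at", "that", "its", "so"}

# Constructed, labelled training snippets in the style of vendor write-ups.
TRAINING = [
    ("financial_theft", "banking trojan injects into the browser to steal online banking credentials and credit card numbers"),
    ("financial_theft", "steals payment card data from point of sale terminals and exfiltrates card track data"),
    ("financial_theft", "webinject module harvests bank account logins and performs fraudulent wire transfers"),
    ("espionage", "spyware records keystrokes captures screenshots and harvests personal information and documents"),
    ("espionage", "collects contacts messages and location data from infected devices for surveillance"),
    ("espionage", "exfiltrates sensitive documents and email archives to an attacker controlled server"),
    ("service_disruption", "wiper overwrites the master boot record rendering the system unbootable"),
    ("service_disruption", "botnet launches distributed denial of service floods against web servers"),
    ("service_disruption", "denial of service tool floods the target with malformed packets until the service crashes"),
    ("data_manipulation", "modifies database records and tampers with transaction logs to alter financial reports"),
    ("data_manipulation", "silently changes configuration files and corrupts integrity of stored data"),
    ("data_manipulation", "alters industrial controller setpoints to manipulate process data"),
    ("privilege_escalation", "exploits a kernel vulnerability to gain system privileges and bypass user account control"),
    ("privilege_escalation", "elevates from a standard user to administrator by abusing a token impersonation flaw"),
    ("privilege_escalation", "local privilege escalation exploit grants root access on the compromised host"),
    ("remote_access", "remote access trojan gives the operator full control over the victim machine"),
    ("remote_access", "backdoor opens a reverse shell and lets the attacker execute arbitrary commands remotely"),
    ("remote_access", "RAT supports file transfer remote desktop and command execution from a C2 panel"),
]


def tokenize(text):
    """Lower-case word tokens minus stopwords: the 'indicative words' the model sees."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


class IntentClassifier:
    """Multinomial naive Bayes with add-one (Laplace) smoothing."""

    def __init__(self, training):
        self.docs = Counter()                                  # docs per intent
        self.tokens = {intent: Counter() for intent in INTENTS}  # token counts per intent
        self.vocab = set()
        for intent, text in training:
            toks = tokenize(text)
            self.docs[intent] += 1
            self.tokens[intent].update(toks)
            self.vocab.update(toks)
        self.total_docs = sum(self.docs.values())

    def scores(self, text):
        """Unnormalised log-probability of each intent given the text."""
        toks = tokenize(text)
        out = {}
        for intent in INTENTS:
            logp = math.log(self.docs[intent] / self.total_docs)
            denom = sum(self.tokens[intent].values()) + len(self.vocab)
            for tok in toks:
                logp += math.log((self.tokens[intent][tok] + 1) / denom)
            out[intent] = logp
        return out

    def classify(self, text):
        scores = self.scores(text)
        return max(scores, key=scores.get)


CLASSIFIER = IntentClassifier(TRAINING)

# Stand-in for "searching third-party threat centers": the names different
# vendors give the same (invented) family map to one key, and each key holds
# the unstructured report text a lookup would return.
ALIASES = {
    "win32/grabbix": "grabbix", "trojan.banker.grabbix": "grabbix",
    "backdoor.nightowl": "nightowl", "rat.nightowl.a": "nightowl",
    "win32.wiper.blankslate": "blankslate",
}
REPORTS = {
    "grabbix": ["Banking trojan that injects into the browser and steals online banking credentials.",
                "Harvests credit card numbers and bank account logins through webinjects."],
    "nightowl": ["Remote access trojan that lets the operator execute commands, transfer files and view the desktop of the victim machine."],
    "blankslate": ["Destructive wiper that overwrites the master boot record and corrupts files so the host can no longer boot."],
}


def decipher_intent(alert_name, classifier=CLASSIFIER):
    """Map a raw alert name to (intent label, evidence used).

    A generic or unknown name yields 'unknown' rather than a guess; that is
    the case the analyst would otherwise have to research by hand.
    """
    family = ALIASES.get(alert_name.lower())
    if family is None:
        return "unknown", "no threat-center report for this alert name"
    text = " ".join(REPORTS[family])
    return classifier.classify(text), f"report text for family '{family}'"
```

Running `decipher_intent("RAT.Nightowl.A")` resolves the vendor alias, pulls the constructed report text and classifies it as `remote_access`; `decipher_intent("Trojan.Generic.12345")` returns `unknown` because nothing is known about the name. In a real pipeline the alias table and report text would come from threat exchanges and signature databases, the training set would be far larger, and the classifier output would be one signal among several rather than the verdict on its own.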

The Benefits of Deciphering Attack Intent

Insight into intent makes defense and response strategies faster and smarter. You will be able to investigate events automatically with the most relevant investigative functions and methods (far faster than before), and then launch razor-sharp remediation and mitigation controls proactively, before any impact. Security operations can be prioritized based on attack intent and possible impact, and aligned with the organization's business priorities and risks.

Intent insight creates accuracy and precision, and reduces the noise and false positives in security systems. This is the new ‘cool’ according to Gartner, and we couldn’t agree more.

Proactive Threat Hunting

Managing threats also demands visibility into cybercriminals' possible next steps: what are they after? By focusing on attack intent, and by automating research and correlation, we can quickly reveal the bigger story, predicting the next possible moves and the impact on the organization before it's too late.

Summary

It's not trivial to determine intent. In fact, the only way to accomplish it is not to look at any one action, or any two, or any three, but to look at the totality of behaviors, in real time, using AI and machine learning to create an intent-driven narrative. That's what empow does, and that's why Gartner gave us the Cool Vendor recognition.

As a young company, this means a lot, and it reaffirms that our mission, "To Turn What You Have Into What You Need", is growing more relevant every day.

To learn more about how we do this, join us on July 6th for an exclusive webinar on Why Deciphering Attack Intent is the New Gartner Cool.

*From “Cool Vendors in Monitoring and Management of Threats to Applications and Data, 2017” Gartner