Estimated reading time: 7 minutes
When we talk about “left of boom” or “right of boom” we are referring to a concept that may appear superficial. Instead, it is a powerful tool that offers the ability to analyze security conflicts from both an offensive and a defensive perspective. On a hypothetical timeline of an attack, “left of boom” refers to what happens first; what is on the right is what happens afterwards.
In common parlance, the term “bang” is very often used instead of “boom”, but the meaning is the same: the event itself, around which the preceding and following periods are analyzed.
So, “left of boom” is the set of events that occur before the attack. “Right of boom”, on the other hand, is the set of events following the “boom”. This is the essential difference between the two terms. If defensive controls can detect events in the “left of boom” period, solutions can be found and adopted to predict when the “boom” will happen.
Someone inexperienced in cybersecurity may not even consider these concepts regarding the timeline of a cyber attack; for this reason many companies prefer to use a SOCaaS.
Left of Boom
A good penetration tester can detect some “left of boom” events, but penetration testers often miss out on gathering threat intelligence. Sometimes they are unable to distinguish concepts such as “security engineering, vulnerability discovery and remediation” from “automated prevention controls”.
In reality there is hardly any pure prevention tool: most security controls are detection controls. Some of these controls integrate automated response mechanisms that stop the chain of unpleasant events from continuing.
A web application that blocks XSS or SQL injection attacks is really detecting invalid input and responding by discarding the content before the injection can take place.
A firewall designed to block ports simply detects unwanted traffic, based on the protocol used for the connection and the number of the port being accessed, and interrupts and resets the connection request.
These examples tie in well with the concept of “right of boom”. The prevention controls detect the “boom”, the event, and respond immediately, limiting the possible damage. “Left of boom” and “right of boom” are so close in the timeline that they are hardly distinguishable, until you do a careful analysis of the events.
This is one of the reasons why IT security professionals love prevention controls. They work quickly to fix errors before the hackers achieve their goals, limiting the damage.
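The input-filtering control described above is, in practice, a detection step followed by an automated response. The following is an added example (not code from the original article) that keeps the two steps visibly separate: inspect_input only decides whether a search field looks like an injection attempt, and handle_request discards the content and writes an audit record. The signatures and the field semantics are assumed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed signatures (hypothetical, illustrative only) for a field that
# should carry nothing more than a plain search term. Real deployments would
# tune these per field; they are intentionally small here.
SIGNATURES = {
    "sqli": re.compile(r"('|--|;|\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+select\b)", re.IGNORECASE),
    "xss": re.compile(r"(<\s*script|javascript:|on\w+\s*=)", re.IGNORECASE),
}


@dataclass
class Verdict:
    allowed: bool
    reason: str  # name of the signature that fired, or "clean"


def inspect_input(value: str) -> Verdict:
    """Detection step: does the field match any signature?"""
    for name, pattern in SIGNATURES.items():
        if pattern.search(value):
            return Verdict(False, name)
    return Verdict(True, "clean")


def handle_request(value: str, audit_log: list) -> str:
    """Response step: discard flagged content before it reaches a query or a page,
    and record the event so there is a trace to analyze afterwards."""
    verdict = inspect_input(value)
    if not verdict.allowed:
        audit_log.append(f"rejected search field ({verdict.reason}): {value!r}")
        return "request rejected"
    # Only clean input continues to the (assumed, parameterized) search backend.
    return f"search for {value!r} executed"


if __name__ == "__main__":
    log = []
    for sample in ["laptop bags", "' OR 1=1 --", "<script>alert(1)</script>"]:
        print(handle_request(sample, log))
    print("\n".join(log))
```

Two things the split makes visible. First, the control only ever acts after it has detected something, which is exactly the point the article makes. Second, a signature list like this has false positives (a search for "O'Reilly" is rejected by the sqli rule), so it complements, rather than replaces, parameterized queries and output encoding in the application itself.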
A SOCaaS in these cases is one of the best solutions to adopt to protect the integrity of a computer system.
Right of Boom
Generally, the shorter the time between the “boom” and the response to a threat, the smaller the consequences of a possible cyber attack. Obviously this is only a logical consideration, not an absolute rule.
For some breaches, the timeline between the event and the complete elimination of the threat is questionable, because detection occurred after the hacker had achieved his goal. In other cases the hackers manage to infiltrate the system but are stopped in time, causing no damage to the infrastructure. In this second case, therefore, there is no “boom” to speak of.
An example of right-of-boom
To better explain the concept of “right of boom” we can take common malware as an example. Malware is generally developed to attack many devices en masse, without much discrimination. By “right of boom” we mean the period of time that has elapsed since the malware infection occurred.
If you have read our other articles, you will have learned how hackers use these types of infections to collect sensitive information, which is resold to third parties. If the “right of boom” is shorter than the time it takes the hacker to sell this information, the damage can be contained.
The best security systems manage to shorten the “right of boom” time by gathering information on attackers in the “left of boom”. This can be achieved by implementing countermeasures based on the threat model. These tools allow you to scan entire infrastructures, observing new threat indicators days or even weeks before attacks are launched.
As we have seen in other articles, attacks do not always happen quickly. In fact, the hackers involved are more likely to act slowly at first, just to gather the information needed to launch the attack. In the “right of boom” period, tools such as cyber threat intelligence and a threat hunting team come into play.
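To make the timeline concrete, the following is an added example (not part of the original article) that takes a constructed incident timeline, splits it into events left and right of the boom, and computes the two intervals a SOC tracks for the “right of boom”: dwell time (boom to detection) and time to containment (detection to containment). It also handles the case the article mentions where the intrusion is stopped before any boom occurs. Event kinds, timestamps and notes are all assumed sample values.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Event:
    when: datetime
    kind: str   # "recon", "boom", "lateral", "detection", "containment", ...
    note: str


# Constructed incident timeline (illustrative sample, not real incident data).
SAMPLE_TIMELINE: List[Event] = [
    Event(datetime(2021, 3, 1, 9, 0), "recon", "port scan of the VPN gateway from an unknown address"),
    Event(datetime(2021, 3, 2, 14, 30), "recon", "burst of failed VPN logins for several accounts"),
    Event(datetime(2021, 3, 4, 2, 15), "boom", "successful VPN login from a country never seen for this user"),
    Event(datetime(2021, 3, 4, 2, 40), "lateral", "file share enumerated from the VPN address"),
    Event(datetime(2021, 3, 6, 11, 0), "detection", "SIEM alert: impossible travel for the account"),
    Event(datetime(2021, 3, 6, 13, 0), "containment", "account disabled, VPN session terminated"),
]


def first_of(events: List[Event], kind: str) -> Optional[Event]:
    """Earliest event of the given kind, or None."""
    matches = sorted((e for e in events if e.kind == kind), key=lambda e: e.when)
    return matches[0] if matches else None


def find_boom(events: List[Event]) -> Optional[Event]:
    """The boom is the first 'boom' event; None if the attack was stopped before one."""
    return first_of(events, "boom")


def split_timeline(events: List[Event]):
    """Everything strictly before the boom is 'left'; the boom and later is 'right'."""
    boom = find_boom(events)
    ordered = sorted(events, key=lambda e: e.when)
    if boom is None:
        return ordered, []
    left = [e for e in ordered if e.when < boom.when]
    right = [e for e in ordered if e.when >= boom.when]
    return left, right


def hours_between(a: Event, b: Event) -> float:
    return (b.when - a.when).total_seconds() / 3600


def summarize(events: List[Event]) -> dict:
    """Dwell time (boom to detection) and containment time (detection to containment)."""
    left, right = split_timeline(events)
    boom = find_boom(events)
    summary = {"left_of_boom": len(left), "right_of_boom": len(right),
               "dwell_hours": None, "containment_hours": None}
    if boom is None:
        summary["status"] = "no boom: attack stopped left of boom"
        return summary
    detection = first_of(right, "detection")
    containment = first_of(right, "containment")
    if detection is not None:
        summary["dwell_hours"] = hours_between(boom, detection)
        if containment is not None:
            summary["containment_hours"] = hours_between(detection, containment)
    summary["status"] = "contained" if containment is not None else "open"
    return summary


if __name__ == "__main__":
    print(summarize(SAMPLE_TIMELINE))
    # Only the two recon events: the intrusion never reached a boom.
    print(summarize(SAMPLE_TIMELINE[:2]))
```

On the sample data the two recon events sit left of boom, and the dwell time of 56.75 hours is the interval the article argues must be shorter than the attacker's time to exploit what was taken. Truncating the timeline to the recon events alone shows the second situation the article describes: everything is left of boom and there is no dwell time to measure.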
Why “Right and Left of boom” concepts are important
If we put ourselves in the hacker’s shoes, the concepts of “right of boom” and “left of boom” can help decide which course of action is best.
Suppose a hacker has two methods of breaking into a computer system. If one of the two methods could be detected in the “left of boom” period and the other only in the “right of boom”, it is obvious that the hacker will prefer the second, since it offers a higher probability of a successful attack.
Similarly, between two methods that can both be detected “right of boom”, the one most likely to be detected late is chosen. The longer it takes from boom to detection, the greater the chances of success. This kind of reasoning is important in determining which tactic has the broader timeline.
Thinking in these terms is not easy at all; it requires advanced knowledge on the part of the security expert. It also requires considering all the hypotheses that could potentially determine the hacker’s success.
A hacker is able to predict whether, using certain tactics, he would be able to reach the goal faster than the expert trying to detect the attack. The “boom” is the first contact in the set of intrusion tactics used to illegally access a computer system. The remaining tactics sit before and after it.
Speed and stealth usually trade off against each other. In fact, very often you can be faster by sacrificing some stealth.
Speed and stealth do not get along very well when it comes to cyber attacks. Being stealthy, avoiding leaving traces, requires more care and therefore inevitably also more time. However, if the aim of a hacker is not a single target but a series of multiple targets, being fast can be effective.
To defend against attacks, Indicators of Compromise (IOCs) can be collected to remedy existing vulnerabilities and to introduce new detection controls, making the computer system more secure.
It is important to understand the timeline concept of attacks, and we have seen how the concepts of “left of boom” and “right of boom” affect the response mechanisms to intrusion threats.
The concepts we have seen in this article, while they do not add anything concrete to a system’s defense or attack techniques, offer a point of view. In the constant struggle between hackers and security operators, having a winning strategy means not only having efficient tools, but also planning every detail, before and after attacks.
To find out how a SOCaaS can help you monitor your business infrastructure and catch the “left of boom” clues, do not hesitate to contact us: we will be able to answer every question and offer a solution for your company.
Estimated reading time: 5 minutes
In another article we have already talked about Cyber Threat Intelligence, explaining what it is, how it works and its various types. Today, however, we will focus more on the importance of Cyber Threat Intelligence, looking at how it can help companies provide answers in the security field, contain risks and provide information that supports incident response.
The importance of Cyber Threat Intelligence
In a world where technologies and cyber threats are constantly evolving, a company cannot afford to overlook the importance of Cyber Threat Intelligence. Every day there are countless cyber attacks and data thefts on the web to the detriment of companies and individuals. The large amounts of information stolen are then cataloged and sold illegally on the Dark Web.
Hackers usually sell information on this part of the web because it guarantees them anonymity. In fact, unlike the traditional web, to access these virtual places you must use a browser that masks your IP address. This complicates the authorities’ tracking of criminals and makes the dark web a completely anonymous place.
One of the objectives of CTI is to monitor the information present in this part of the web for analytical purposes. The aim is to prevent and limit the damage that this data could cause.
Monitoring the Dark Web and the Deep Web
Often, when we talk about the Deep Web and the Dark Web, we think that there are only and exclusively illegal activities, but that is not correct. There are also forums, blogs and websites that aim to disseminate information that is difficult to find on the traditional web.
Unfortunately, it is also true that criminals use this section of the network to sell all kinds of information: telephone numbers, email addresses, bank details, documents, passports, administrative login credentials for websites. There is practically everything.
This kind of information, in the hands of an attacker (or a competitor), could compromise the integrity of an entire company, its employees and its customers. The consequences of a data breach could also manifest themselves in the form of damage to the company’s reputation.
When a customer provides personal data to a company, he expects it to be treated with the utmost care. Customers may feel “betrayed” by a company that should have guaranteed the security of their personal information.
A striking example was the data theft that occurred in 2019 against Facebook Inc. (Source)
Personal data belonging to 533 million users of the platform were stolen, spread across 106 countries, and distributed for free on the web, bringing the company back to the center of controversy.
Companies looking to protect their customer, supplier and employee data invest in analytics and monitoring tools.
By relying on professionals, it is possible to receive a prompt notice whenever sensitive information is published on a forum or website on the Dark Web. For this reason Cyber Threat Intelligence plays a key role in business cybersecurity.
Monitoring the Dark Web therefore means having the possibility of being able to promptly detect any sensitive information before it can cause problems for companies.
Tools for monitoring the Dark Web
Being a portion of the internet that is difficult to access and not indexed by search engines, the Deep Web is more complicated to analyze and monitor. For this reason, various tools have been designed with the aim of simplifying the investigation and analysis process.
One piece of software that can help during an investigation is OnionScan, a completely free open source program.
The OnionScan project and the CTI
The OnionScan project has two objectives:
– Helping operators find and solve operational security problems
– Helping researchers monitor and track sites on the Deep Web
The software can be downloaded from the dedicated GitHub page, which also contains an installation guide and a list of the dependencies required to run it.
Once installed, to use it, simply type in the command line:
Of course, just having access to a tool like this is not enough to provide effective coverage. In fact, the importance of Cyber Threat Intelligence lies largely in knowing how to perform searches and interpret the data.
We have seen what a Dark Web monitoring activity is and how it works, and above all we have begun to understand the importance of Cyber Threat Intelligence.
Investing in these solutions guarantees additional security for the company. Securing the data of its customers and employees cannot be optional: every company should be sensitive to these issues and invest its resources to prevent unpleasant situations.
SOD offers a dedicated service that aims to provide valuable CTI information for proactive defense and for resolving critical issues before they become real problems.
If you need further information, do not hesitate to contact us, we are ready to answer all your questions.
Estimated reading time: 5 minutes
Threat intelligence data provides companies with the relevant and timely insights they need to understand, predict, detect and respond to cybersecurity threats. Threat intelligence solutions collect, filter and analyze large volumes of raw data related to existing or emerging threat sources. The result is threat intelligence feeds and management reports. Data scientists and security teams use these feeds and reports to develop a targeted incident response program for specific attacks.
Everyone from fraud prevention to security operations to risk analysis benefits from threat intelligence. Threat intelligence software provides interactive, real-time views of threat and vulnerability data.
The advantage offered to security analysts and experts is obvious: it helps them identify threat actor patterns easily and quickly. Understanding the source and target of attacks helps business leaders put in place effective defenses to mitigate risks and protect themselves from activities that could negatively impact the business.
Cyber threat intelligence can be classified as strategic, tactical or operational. Strategic intelligence concerns the capabilities and general intent behind cyber attacks, and consequently the development of informed strategies for fighting long-term threats. Tactical intelligence is about the techniques and procedures that attackers might use in day-to-day operations. Finally, operational threat intelligence provides highly technical forensic information regarding a specific attack campaign.
The threat intelligence cycle
Threat intelligence solutions collect raw data on threat actors and threats from various sources. This data is then analyzed and filtered to produce feeds and management reports containing information that can be used in automated security control solutions. The main purpose of this type of security is to keep organizations informed about the risks of advanced persistent threats, zero-days and exploits, and how to protect against them.
The Cyber Threat Intelligence Cycle consists of the following stages.
Planning: The data requirements must first be defined.
Collection: Large amounts of raw data are collected from internal and external threat intelligence sources.
Processing: Raw data is filtered, categorized and organized.
Analysis: This process transforms raw data into streams of threat intelligence using structured analytical techniques in real time, and helps analysts identify Indicators of Compromise (IOC).
Dissemination: Analysis results are immediately shared with cybersecurity professionals and threat intelligence analysts.
Feedback: If all questions are answered, the cycle is over. If there are new requirements, the cycle starts over from the planning phase.
Common indicators of compromise
Enterprises are under increasing pressure to manage security vulnerabilities, and the threat landscape is ever-changing. Threat intelligence feeds can help with this process by identifying common indicators of compromise (IOC). Not only that, they can also recommend the steps needed to prevent attacks and infections. Some of the more common indicators of compromise include:
IP addresses, URLs and domain names: An example would be malware targeting an internal host that is communicating with a known threat actor.
Email addresses, email subject, links and attachments: An example would be a phishing attempt which relies on an unsuspecting user clicking on a link or attachment and initiating a malicious command.
Registry keys, file names and hashes of files and DLLs: An example would be an attack from an external host that has already been reported for nefarious behavior or is already infected.
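The cycle stages above and the indicator types just listed fit together in a small pipeline. The following is an added example (not code from the original article or from any product named on it) that runs one pass of the cycle over constructed data: two raw feeds of mixed quality are processed (normalized, classified by indicator type, de-duplicated), the resulting indicators are matched against a few constructed log lines, a report is disseminated, and the feedback step reports which planned indicator types no feed could answer, which is what sends the cycle back to planning. All feed entries, hash values, addresses and log lines are made-up sample values; the classifiers are deliberately simplified.

```python
import re
from collections import defaultdict

# Constructed feeds (illustrative sample values, not real threat data). Note the
# inconsistent case, whitespace and the duplicate across feeds.
RAW_FEEDS = {
    "feed_a": ["198.51.100.23", "Bad-Domain.example", "  198.51.100.23 ",
               "0123456789abcdef0123456789abcdef"],
    "feed_b": ["bad-domain.example", "phisher@mail.example", "203.0.113.9",
               "http://bad-domain.example/login"],
}

# Constructed log lines (illustrative) that the analysis phase is run against.
SAMPLE_LOGS = [
    "2021-03-04T02:15Z proxy allow host=bad-domain.example dst=203.0.113.9 user=jdoe",
    "2021-03-04T02:16Z mail from=phisher@mail.example subject='Invoice' attach=inv.zip",
    "2021-03-04T02:17Z edr file=inv.exe md5=0123456789abcdef0123456789abcdef",
    "2021-03-04T02:18Z proxy allow host=intranet.example dst=10.0.0.5 user=jdoe",
]

# Simplified classifiers for the indicator types the article lists (hypothetical).
# Order matters: a 32-hex-character hash must be tested before the domain rule.
CLASSIFIERS = [
    ("ip", re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")),
    ("hash", re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$")),
    ("email", re.compile(r"^[^@\s]+@[^@\s]+\.[a-z]{2,}$")),
    ("url", re.compile(r"^https?://")),
    ("domain", re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,}$")),
]


def classify(value: str):
    for kind, pattern in CLASSIFIERS:
        if pattern.match(value):
            return kind
    return None


def process(feeds: dict) -> dict:
    """Processing phase: normalize, classify and de-duplicate raw feed entries.
    Returns value -> (type, set of feeds that reported it)."""
    indicators = {}
    for source, entries in feeds.items():
        for raw in entries:
            value = raw.strip().lower()
            kind = classify(value)
            if kind is None:
                continue  # unparseable entry is dropped, not guessed at
            indicators.setdefault(value, (kind, set()))[1].add(source)
    return indicators


def analyze(indicators: dict, logs: list) -> list:
    """Analysis phase: look for processed indicator values inside log lines."""
    hits = []
    for line in logs:
        for token in re.split(r"[\s=]+", line):
            token = token.strip("'\"").lower()
            if token in indicators:
                hits.append({"line": line, "indicator": token, "type": indicators[token][0]})
    return hits


def run_cycle(requirements: list, feeds: dict, logs: list) -> dict:
    """One pass: planning (requirements) -> collection (feeds) -> processing
    -> analysis -> dissemination (the returned report) -> feedback (unanswered)."""
    indicators = process(feeds)
    hits = analyze(indicators, logs)
    covered = {kind for kind, _ in indicators.values()}
    by_type = defaultdict(int)
    for hit in hits:
        by_type[hit["type"]] += 1
    return {
        "indicators": len(indicators),
        "hits": hits,
        "hits_by_type": dict(by_type),
        # Feedback: requirement types no feed could satisfy go back to planning.
        "unanswered": sorted(set(requirements) - covered),
    }


if __name__ == "__main__":
    report = run_cycle(["ip", "domain", "hash", "email", "registry_key"], RAW_FEEDS, SAMPLE_LOGS)
    for hit in report["hits"]:
        print(f"{hit['type']:7} {hit['indicator']:40} <- {hit['line']}")
    print("unanswered requirements:", report["unanswered"])
```

The fourth log line, which touches only internal names, produces no hit, while the duplicate domain from both feeds becomes a single indicator that records both sources. The unanswered "registry_key" requirement is the feedback signal: the planning phase has to find a source for that indicator type before the next pass.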
Which tools for threat intelligence
The growing increase in malware and cyber threats has led to an abundance of threat intelligence tools that provide valuable information to protect businesses.
These tools come in the form of both open source and proprietary platforms. They provide a variety of cyber threat defense capabilities, such as automated risk analysis, private data collection, quick threat intelligence search tools, reporting and sharing of this information among multiple users, curated alerts, vulnerability risk analysis, dark web monitoring, automated risk mitigation, threat hunting and much more.
We talked about one of these tools in another article: MITRE ATT&CK. This is a very useful tool for learning about attacker techniques and behaviors, thanks to the information gathered by threat intelligence and its subsequent sharing. A framework like this is very effective for creating defensive mechanisms that make it possible to secure corporate infrastructures.
Artificial intelligence and threat intelligence
As we saw earlier, gathering information from various sources is just one of the steps. These must then be analyzed and subsequently processed into control protocols, to be really useful for security.
For this kind of work (analysis, definition of baseline behaviors and data control), we rely increasingly on artificial intelligence and deep learning. A Next Generation SIEM, flanked by a UEBA solution, is perfect for this type of protection.
The monitoring of the behavior of entities within the perimeter carried out by the UEBA is able to identify any suspicious behavior, based on the information collected and analyzed by the SIEM.
The defenses we have named are the primary value of a corporate security plan. Adopting specific solutions, implementing threat intelligence and therefore an active search for threat indicators, offers a strategic advantage. The company can take a step ahead of criminals, who can only leverage the surprise effect against their victims. Precisely because of this general situation, every company should be in a position not to be caught off guard. Implementing proactive solutions is now necessary.
Threat intelligence is therefore a defensive weapon behind which to protect the most important resources in order to work in peace.
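The “baseline behaviors” the UEBA works from can be illustrated with a minimal version of the idea. The following is an added example (not code from the original article or from any SIEM or UEBA product) that builds a per-entity baseline from constructed history, scores today’s observation against that entity’s own mean and spread, and flags entities that deviate sharply, while treating an entity with no history as “no baseline” rather than as normal. The history values, user names and the z-score threshold are assumed sample choices; a real UEBA would use many more features and a learned model.

```python
from statistics import mean, pstdev

# Constructed history (illustrative): files downloaded per day over the last week,
# per user, as the SIEM would have aggregated them.
BASELINE_HISTORY = {
    "jdoe": [12, 15, 9, 14, 11, 13, 10],
    "asmith": [40, 38, 45, 41, 39, 44, 42],
}

# Constructed observations for today (illustrative). "newuser" has no history.
TODAY = {"jdoe": 130, "asmith": 46, "newuser": 5}


def build_baselines(history: dict) -> dict:
    """Per-entity baseline: (mean, population standard deviation) of its own past."""
    return {user: (mean(values), pstdev(values)) for user, values in history.items()}


def score(user: str, value: float, baselines: dict, min_std: float = 1.0):
    """z-score of today's value against the entity's own baseline.
    min_std stops a perfectly flat history from turning any change into infinity.
    Returns None for an entity that has no baseline yet."""
    if user not in baselines:
        return None
    mu, sigma = baselines[user]
    return (value - mu) / max(sigma, min_std)


def flag_anomalies(today: dict, history: dict, threshold: float = 3.0) -> dict:
    """Split today's entities into anomalous, normal and no-baseline buckets."""
    baselines = build_baselines(history)
    result = {"anomalous": [], "normal": [], "no_baseline": []}
    for user, value in today.items():
        z = score(user, value, baselines)
        if z is None:
            result["no_baseline"].append(user)      # unknown entity: needs review, not a pass
        elif z > threshold:
            result["anomalous"].append((user, round(z, 1)))
        else:
            result["normal"].append(user)
    return result


if __name__ == "__main__":
    for bucket, entries in flag_anomalies(TODAY, BASELINE_HISTORY).items():
        print(f"{bucket}: {entries}")
```

The point of scoring each entity against its own history is that asmith’s 46 downloads are unremarkable for that account while jdoe’s 130 are far outside the norm, even though 46 exceeds jdoe’s busiest day. The separate no-baseline bucket matters in practice: new accounts are exactly where attackers like to sit, so silence about them is not the same as a clean result.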
If you want to know how we can help you with our security services, do not hesitate to contact us, we will be happy to answer any questions.