We’ve all heard of the No-Fly List. Managed by the FBI’s Terrorist Screening Center, the list bans people on it from boarding commercial aircraft within, into, or out of the United States. The No-Fly List is only one tactic that the U.S. uses in its fight against terrorism, but since its inception there haven’t been any plane-based attacks within U.S. borders. Although the list is certainly not perfect — it has been criticized for profiling and false positives, among other things — its effectiveness makes this type of intelligence-based defense worthy of consideration by all organizations that are regularly targeted by cyberthreats.
The Transportation Security Administration’s machines, checkpoints, and rules are analogous to many of the security devices that enterprises use, which include network monitoring tools, firewalls, and endpoint management systems. Like air travel, enterprise networks play host to millions of “passengers” each day, in the form of information packets. Companies enforce rules such as “Watch for multiple failed login attempts” to reduce the odds of being compromised. These measures work some of the time, but often can’t distinguish between risky traffic and good traffic, especially when risky traffic follows the rules. To address these shortcomings, enterprises require additional intelligence regarding the reputation, history, and context of the traffic on their networks.
A cyber no-fly list can use deeper context and intelligence about digital traffic, asking, for example, “Is this traffic from a known malicious actor?” If so, the company should probably block the traffic regardless of how benign the activity may appear. With an up-to-date threat list, enterprises can stay informed about the many factors that reveal the true nature of network traffic, including whether it’s associated with a known threat, who and what might be behind it, and whether it has been reported as a threat to others.
Because all companies have unique characteristics and threat landscapes, there is no definitive or “master” cyber no-fly list. Every company should develop its own threat list using the research that is most relevant to its industry, geography, business, and other factors. Fortunately, there is an entire industry of cyber intelligence research providers to draw on, which includes proven feeds and analysis from organizations like CrowdStrike, FlashPoint, Digital Shadows, and Intel 471. To help matters even further, there are threat intelligence platforms that can help to simplify, make sense of, and integrate the intelligence into existing infrastructures and processes.
There is a lot of intelligence to make sense of. Based on what threat intelligence platform providers have seen, just four years ago researchers were tracking around 100,000 cyber threat indicators. Today the threat indicators number in the hundreds of millions. A large enterprise easily records over 1 billion network and system events per day. To gain visibility into all active cyber threats in the network, an organization would have to look at all of those events and evaluate them against hundreds of millions of threat indicators. Doing this effectively requires having powerful tools to identify the malicious traffic hidden in vast quantities of legitimate traffic.
Threat intelligence platforms are a key to effectively identifying threats and malicious traffic. Finding these threats, however, is not an easy feat — CSOs and other decision makers are faced with a crowded intelligence space and a shortage of qualified cybersecurity staff. They must ensure that the platform they choose to manage their list is providing quality data that is highly relevant to both the industry and organization. Because of these challenges, technologies that automate collection, optimization, and integration of threat intelligence play a critical role in helping companies build their cyber no-fly lists.
Newly discovered cyber threats are also an important part of the list. Every day, researchers identify thousands of new malicious indicators. It’s not enough to start looking for these new bad actors — organizations need to know if their networks have already been infected. This means taking new threats and looking back over months or even years of traffic to identify breaches. This would be similar to adding a new terrorist cell to the No-Fly List and then identifying whether its members have already entered the country and when and where they have flown at any time in the past. Unlike humans, cyber actors can quickly and easily change their “fingerprints”; sophisticated actors monitor public threat lists, which shows them when they’ve been detected. This is why it is critical to analyze network traffic history when evaluating new threats.
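The two questions raised above, "does this traffic touch a known indicator?" (for every one of a large enterprise's daily events, against a very large list) and "had this newly published indicator already been seen in months of stored history?", come down to the same lookup run in two directions. The following Python is an added example, not code from the article or from any vendor named in it; the log format, indicator fields, feed names, addresses (RFC 5737 test ranges), domains and hash are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Indicator:
    """One entry on the cyber no-fly list."""
    kind: str                 # "ip", "domain" or "sha256"
    value: str
    source: str               # feed that reported it (constructed names here)
    first_reported: datetime


@dataclass(frozen=True)
class Event:
    """One recorded network/system event (constructed field set)."""
    ts: datetime
    src_ip: str
    dst_ip: str
    domain: Optional[str]
    file_sha256: Optional[str]


class ThreatList:
    """Indicators indexed by kind: evaluating one event costs a few hash lookups
    however many indicators are loaded, so the work scales with the event
    count rather than with events x indicators."""

    def __init__(self, indicators: Iterable[Indicator] = ()):
        self._by_kind: Dict[str, Dict[str, Indicator]] = {}
        for ind in indicators:
            self.add(ind)

    def add(self, ind: Indicator) -> None:
        self._by_kind.setdefault(ind.kind, {})[ind.value.lower()] = ind

    def match(self, ev: Event) -> List[Indicator]:
        """Return every listed indicator the event touches."""
        fields = (("ip", ev.src_ip), ("ip", ev.dst_ip),
                  ("domain", ev.domain), ("sha256", ev.file_sha256))
        hits = []
        for kind, value in fields:
            if value is None:
                continue
            ind = self._by_kind.get(kind, {}).get(value.lower())
            if ind is not None:
                hits.append(ind)
        return hits


def parse_event(line: str) -> Event:
    """Parse the constructed log format
    '<iso-timestamp> <src_ip> <dst_ip> <domain|-> <sha256|->'."""
    ts, src, dst, dom, sha = line.split()
    return Event(datetime.fromisoformat(ts), src, dst,
                 None if dom == "-" else dom, None if sha == "-" else sha)


def forward_scan(events: Iterable[Event], tl: ThreatList) -> List[Tuple]:
    """Checkpoint mode: flag each arriving event that touches the list."""
    return [(ev.ts, ind.kind, ind.value, ind.source)
            for ev in events for ind in tl.match(ev)]


def retro_hunt(history: List[Event], new_ind: Indicator) -> Optional[dict]:
    """Look-back mode: a freshly published indicator is run over stored
    history to answer 'was this actor already inside, and since when?'."""
    single = ThreatList([new_ind])
    hits = [ev for ev in history if single.match(ev)]
    if not hits:
        return None
    first = min(ev.ts for ev in hits)
    last = max(ev.ts for ev in hits)
    return {"indicator": new_ind.value, "hits": len(hits),
            "first_seen": first, "last_seen": last,
            # how long the actor operated before anyone published the indicator
            "dwell_before_report": new_ind.first_reported - first}


# Constructed sample data: RFC 5737 test addresses, reserved example domains,
# a made-up hash, and several months of history for one small network.
HISTORY = [parse_event(line) for line in """
2017-02-03T09:12:00 10.0.0.15 203.0.113.7 - -
2017-02-03T09:12:04 10.0.0.15 198.51.100.20 cdn.example -
2017-03-17T22:40:11 10.0.0.42 203.0.113.9 update-check.invalid -
2017-04-02T14:05:30 10.0.0.42 203.0.113.9 Update-Check.invalid 0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c4b5a69788796a5b4c3d2e1f0
2017-06-27T11:31:55 10.0.0.8 198.51.100.20 cdn.example -
""".strip().splitlines()]

# Indicators already on the list when the events above were recorded.
KNOWN = [Indicator("ip", "203.0.113.7", "feed-a", datetime(2017, 1, 15))]

# An indicator published months later; only a look-back finds the earlier hits.
NEW_INDICATOR = Indicator("domain", "update-check.invalid", "feed-b",
                          datetime(2017, 6, 28))

if __name__ == "__main__":
    for hit in forward_scan(HISTORY, ThreatList(KNOWN)):
        print("forward hit:", *hit)
    print("retro hunt:", retro_hunt(HISTORY, NEW_INDICATOR))
```

The forward scan catches only the event that touched an indicator already on the list; the look-back over the same history finds two earlier contacts with the newly published domain, the first of them more than a hundred days before the indicator was reported. That gap, not the alert itself, is the number an incident responder needs. Keying lookups on a normalized (lower-cased) value is what lets the mixed-case domain in the fourth event still match.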
Despite these challenges, cyber no-fly lists work. Our recent study of 1,000 cybersecurity experts found that over 80% use threat intelligence — aggregated data on threats and the actors behind them — in their daily security operations. They typically integrate this intelligence with internal monitoring and network equipment. Recent events like the WannaCry and Petya attacks demonstrate the need for rapid intelligence. Within hours of the Petya outbreak, threat intelligence providers began sending out specific, actionable threat indicators — the fingerprints of the attacker — so that organizations could put in place safeguards such as firewall blocking rules and network monitoring alerts.
Not only does threat intelligence work, but it also gets better as more people use it. In many cases an investigation into one suspicious indicator will lead to the discovery of an entire new group of threats. As companies share and exchange this kind of information, the web of known threats becomes much wider. No one knows this better than Jessica Ferguson, director of information security architecture at Alaska Airlines.
Ferguson has implemented threat intelligence programs at multiple large enterprises. “Threat intelligence gives us visibility into known security threats, letting my team focus more time on hunting for unknown threats,” Ferguson says. At Alaska Airlines, Ferguson collects threat intelligence from research partners, internal sources, and even other airlines. She integrates this intelligence with security infrastructure, including firewalls, intrusion detection systems, endpoint monitoring tools, and security monitoring solutions. In doing so, she automates detection and blocking of known threats in the network and on the endpoint wherever possible.
Ferguson says her network can take automated action in response to threats it is confident about, including blocking all traffic from that source. In other cases, where there is lower confidence, Ferguson puts the events through a secondary screening process. This involves a manual investigation into the traffic, understanding what took place, what process initiated the traffic, what changes were made and whether or not any files were downloaded.
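The split described above, automated action on high-confidence matches and a secondary screening queue for the rest, is a policy decision that can be written down and tested. The following Python is an added example, not Alaska Airlines' code or anything described in the article; the thresholds, the corroboration rule (a second independent feed raises confidence a little), the vendor-neutral firewall rule syntax and all indicator values are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Assumed policy thresholds, constructed for the example; a real program tunes
# these against its own false-positive history.
AUTO_BLOCK_AT = 90        # at or above this, the network acts on its own
SCREEN_AT = 50            # at or above this, an analyst takes a look
CORROBORATION_BONUS = 5   # assumed: each additional independent feed adds this


@dataclass(frozen=True)
class Hit:
    """An indicator match, with the confidence each reporting feed attached."""
    indicator: str
    reports: Tuple[Tuple[str, int], ...]   # (feed name, confidence 0-100)

    def effective_confidence(self) -> int:
        # Start from the most confident feed; independent corroboration nudges
        # it upward, capped at 100. The rule itself is an assumption.
        best = max(conf for _, conf in self.reports)
        return min(100, best + CORROBORATION_BONUS * (len(self.reports) - 1))


@dataclass(frozen=True)
class EventContext:
    """What secondary screening needs in front of the analyst: what took place,
    which process initiated the traffic, what changed, and what was downloaded."""
    host: str
    dst: str
    process: str
    changes: Tuple[str, ...]
    files_downloaded: Tuple[str, ...]


@dataclass(frozen=True)
class Disposition:
    action: str                           # "block", "screen" or "log"
    reason: str
    firewall_rule: Optional[str] = None   # constructed vendor-neutral syntax
    screening_ticket: Optional[Dict] = None


def dispose(hit: Hit, ctx: EventContext,
            allowlist: FrozenSet[str] = frozenset()) -> Disposition:
    """Map one hit to block, screen, or log-only."""
    conf = hit.effective_confidence()
    if hit.indicator in allowlist:
        # Indicators a previous screening proved benign here (a shared CDN
        # address, a partner system) must never be auto-blocked again.
        return Disposition("log", f"{hit.indicator} is allowlisted; recorded only")
    if conf >= AUTO_BLOCK_AT:
        return Disposition(
            "block", f"confidence {conf} >= {AUTO_BLOCK_AT}; automated action",
            firewall_rule=f"deny ip any host {hit.indicator}")
    if conf >= SCREEN_AT:
        return Disposition(
            "screen", f"confidence {conf} below {AUTO_BLOCK_AT}; analyst review",
            screening_ticket={
                "indicator": hit.indicator,
                "reported_by": [feed for feed, _ in hit.reports],
                "host": ctx.host, "destination": ctx.dst,
                "initiating_process": ctx.process,
                "changes": list(ctx.changes),
                "files_downloaded": list(ctx.files_downloaded),
            })
    return Disposition("log", f"confidence {conf} < {SCREEN_AT}; kept for correlation")


# Constructed context for one endpoint event (RFC 5737 test addresses).
SAMPLE_CTX = EventContext(
    host="wks-0042", dst="198.51.100.20", process="updater.exe",
    changes=("scheduled task 'Sync' created",),
    files_downloaded=("payload.bin",))

if __name__ == "__main__":
    print(dispose(Hit("203.0.113.7", (("feed-a", 95),)), SAMPLE_CTX))
    print(dispose(Hit("198.51.100.20", (("feed-a", 80),)), SAMPLE_CTX))
    print(dispose(Hit("198.51.100.20",
                      (("feed-a", 80), ("feed-b", 70), ("isac-share", 60))),
                  SAMPLE_CTX))
```

The third call shows why sharing matters operationally: one feed at 80 only earns a screening ticket, but the same indicator corroborated by two more sources, one of them an industry sharing group, crosses the automated-block threshold. The allowlist check runs before anything else so that an indicator cleared by an earlier manual investigation cannot be re-blocked by a later feed update.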
Threat sharing has become a critical element of Ferguson’s security arsenal, “just as the TSA shares No-Fly List dossiers with other intelligence agencies,” she says. In the last few years numerous information sharing and analysis centers (ISACs) have formed. These are communities of organizations, often aligned within a specific industry (for example, aviation ISAC, financial services ISAC, automotive ISAC), where members collaborate on cybersecurity topics and share intelligence. Ferguson frequently engages other airline security teams to discuss threats targeting their sector.
Although airline passengers and digital traffic are not interchangeable, there are distinct similarities in how malicious actors can be identified and denied access. To pinpoint malicious humans, the FBI recognized it needed knowledge of their activities outside of what’s observable at the last point of entry. Enterprises need to recognize that the same level of knowledge is required to better identify and stop dangerous digital traffic.
The cyber no-fly list approach works because it leverages one of the most effective tools in warfare — intelligence. By knowing in advance who existing and potential foes are, enterprises can take proactive steps to stop them from passing through their gates.