The Power of Community: My Real-Life Lesson in Community-Sourced Threat Intelligence

0
5
[ This article was originally published here ]

Last week, my husband received the dreaded call from our bank.

“Hello Mr. Smith. We’ve noticed some unusual activities on your credit card account. Will you please verify the following charges?”

Whammy. A stolen credit card (yet, still in his wallet). These things happen, I suppose.

Luckily, we made out relatively unscathed. Thanks to the magical fraud detection capabilities of today’s financial industry, our bank had already declined the fraudulent transactions, froze the account, and alerted us right away. Case closed, right?

Yet, what happened next was an IRL (in real life) tale of the power of community-sourced threat intelligence.

My husband and I began looking through his recent credit card activity, searching for clues as to where and how his credit card may have been compromised. Could it have been the little Mexican restaurant where he (*ahem* stayed out too late) with friends the night before? The florist where he bought me apology flowers the next day? (JK…on the flowers anyway.)

It seemed pretty hopeless that we would ever find out where this credit card theft originated. That is, until yesterday, when a neighbor posted on Nextdoor (a popular social networking app for neighborhoods) asking if anyone had recently had their credit cards stolen after getting gas at a specific, shall-remain-nameless-despite-my-vindictive-urges gas station near our house.

A ha! Yes! I responded, along with three other neighbors, that we too had credit cards stolen within hours of pumping gas. My vigilante neighbor (the OP) then promptly returned to the gas station, where she snapped this photo, showing the security seals broken off the credit card machines. She also posted instructions to report it to 3-1-1 to prompt a police investigation. As a result of the thread, my entire neighborhood on Nextdoor knows to avoid or otherwise be extra diligent at that gas station.

This experience taught me (a non-cybersecurity layperson) the power of community when it comes to threat intelligence. See, when my husband and I tried to investigate the attack in isolation, by searching just the data in our own environment, we could only speculate on the list of potential bad actors. But, by sharing our threat data with the community and comparing it to other in-the-wild (or, in-the-neighborhood) attacks, we were able to connect those data points to build a threat story, and we gained confidence in it as more neighbors shared their data about the attack. Finally, because we all publicly shared our threat data with the rest of the neighborhood, everyone in the community (or at least, those who use the app) is alerted and better protected from falling victim to the same attack. We even had our own form of remediation guidance in calling 3-1-1 to report it.

This is pretty much how the AlienVault Open Threat Exchange works, but on a global cybersecurity scale. Our 53,000 members share threat data from their environments, whether that’s their USM deployments or their security research labs, so that the community can stay informed on the latest emerging threats. It’s like the neighborhood watch of the global InfoSec community. And, it’s free to join.

To be fair, OTX is much more sophisticated than my pissed-off band of neighbors cutting up our credit cards. In addition to the ten million indicators of compromise that the OTX community contributes on a daily basis, the AlienVault Labs Security Research Team leverages machine learning and human brainpower (from some very skilled and reputable security researchers) to deeply analyze security events and trends, which they then deliver to the community and directly to USM in the form of actionable threat intelligence, including correlation rules, IDS signatures, and response guidance. Even if you do not use the USM platform, you can still consume and contribute threat data in OTX.

To give you an example of the community-sourced power of the OTX—last week, as the Google G Suite phishing scam was unfolding, OTX community members were sharing malicious domains associated with the attack in real time. Our labs team rapidly analyzed the threat data and alerted the community of the attack—hours before the story spread across the mainstream media outlets. Without the open collaboration of the community members, it would have taken much longer to investigate the attack, to build a strong threat narrative, and to alert so many IT security professionals. The power of the community is that everyone is made more resilient sooner, making it harder for malicious actors to propagate their attacks.

Read Jaime Blasco’s full recap on the G Suite attack here.

As for me, our neighbors continue to share additional indicators of compromise on Nextdoor regarding our latest gas station skimmer attack, and I have renewed confidence that my neighbors and I are looking out for each other, online and IRL.

One interesting threat indicator is a Reddit thread from six months ago, wherein a neighborhood just north of ours had experienced a similar string of attacks at the same gas station chain. It looks like we may be dealing with an APT or an insider threat, here. As the threat narrative builds, I’ll keep you posted.

In the meantime, you can check out the latest cybersecurity threats coming to light in the Open Threat Exchange.