2021 may well be called, “the year of the targeted attack.” Over and over, threat actors have carried out carefully crafted operations using infrastructure tailored to specific victim organizations.
On the other side of the table, large organizations rely on security tools that, at best, attempt to block the indicators they observed hitting other organizations previously. These IOCs don’t necessarily relate to the defending organization, meaning blue teams regularly miss the actors crafting domains and infrastructure to get beyond their particular defenses.
It is too easy for the organized crime or espionage group to develop new, bespoke assets to attack an organization safe in the knowledge of how to evade traditional security products and services. Silent Push regularly sees assets set up with such specific evasion techniques in mind.
Silent Push often sees domains registered and then aged for a period of time before malicious use to avoid aged based reputation scores. There are often domains imitating supply chain partners of various types to avoid security practitioners and potential victims becoming suspicious when seeing them in logs. Rotating name servers and customized name servers are often used in order to communicate with specialized malware while avoiding fingerprinting rules and behavior-based detection techniques. At the same time, there are very few innovations from security vendors to react to these new techniques.
It is time for the security industry and those defending teams to fight back. Silent Push wants to equip enterprises with the freedom to protect themselves.
Everybody needs their own customized threat intelligence. If an organization can’t meaningfully search for the attacks that are being tailored to them, what chance do they have?
Silent Push is exposing the analytics to help organizations track and trace the very attacker infrastructure being designed just for them. This allows threat intelligence teams to shine a light on this infrastructure as it is going live so they have a chance to proactively defend their organizations instead of hoping to discover the infrastructure after it has hit someone else.
What can be done?
Enterprises have been expected to accept ‘black box’ thinking from their security vendors for years: ‘You don’t need to know the details of how we detect things, just pay us the money and trust that we are defending you.’ That clearly hasn’t worked.
Now, Silent Push is exposing the underlying connections and patterns to enable enterprises to create their own intelligence feeds, focused on what they need to defend against.
If 5 threat groups use the same malicious infrastructure provider, then the enterprise needs to defend against that infrastructure provider. If numerous advanced threat groups use the same technique of managing and aging domains over time, then the enterprise needs to be able to identify domains currently managed with that technique going live. If a virtual Bullet Proof Hosting Provider is the commonality across numerous campaigns by different groups then a defending enterprise must be able to identify the fingerprint of that provider to defend against it.
These are the things Silent Push can allow the enterprise to do, with the aim to empower enterprise Threat Intelligence teams with the right tools to generate their own new intelligence, and to fuse their current intelligence with new insights that help contextualize and prioritize what matters today.