Tales of a Principal Threat Intelligence Analyst

At Splunk, we’re constantly on the hunt for new and emerging threats — tirelessly developing detection techniques to zero in on bad actors, while sharing key intelligence around cybercrime activity. But because threat intelligence can relate to so many different things — ranging from spear phishing campaigns to dark web dealings — it can be a challenge to cover and define all the specifics of what (or who) to look out for.

Unsurprisingly, this becomes an even bigger task when trying to align with a certain organization or business model, which will, inevitably, have its own set of priorities, risks and vulnerabilities to contend with. This is why so many companies are now building out their very own intelligence teams — a hard pivot on how things used to be.

How the Discipline and Role Has Evolved

A little over a decade ago, security teams had to depend on intelligence reports issued by third-party vendors, which were very rarely timely, and lacking in direct, acute analysis. Instead, they largely consisted of indicators of compromise (IoC) within a much broader report, sans any raw data or direct intelligence that could easily be put into practice.

Eventually, companies started to realize that having an intelligence analyst on the inside would be much more valuable, since they would have all the necessary technical and strategic know-how as well as familiarity with the business, bridging gaps where vendor analysts often fell short.

Since then, threat intelligence has naturally become a part of security operations. Where before these capabilities were reserved for big companies with deep pockets, we’re now seeing more organizations investing in their own intelligence, so that leadership can make better, safer decisions.

We’re also seeing how — in an increasingly competitive, risk-averse landscape — threat intelligence teams are encouraged to align security with the enterprise, especially in the era of remote work and post-SolarWinds. This expectation to support and juggle an array of priorities, while weighing in on board-level decisions around security is just one of the many ways the role has evolved over the years, and why threat intelligence is so critical to the business itself.

A Day in the Life

While a lot has changed in the world of threat intelligence, the essence of our role remains the same: We help defend against threats with key tactical and operational intelligence.

At Splunk, a recent example of a threat campaign we addressed is SAWFISH — a series of GitHub-themed phishing emails first observed in-the-wild in April 2020. Fast-forward to March 2021, and a small number of Splunk employees received these same phishing emails, containing a link to a GitHub credential harvesting website.

Fortunately, we were able to triage and determine that no employees clicked the phishing links, one of which was included in the IoC bundle of the April 2020 SAWFISH campaign. Comparing the campaigns and digging into the new domain, we discovered 20 additional typo-squatting domains mimicking GitHub (typo-squatting, also known as URL hijacking, is when threat actors register a domain name with an intentional typo or confusing language, duping users into thinking it’s the actual company or brand). Because the two campaigns shared similar email lures, infrastructure, domain names and phishing infrastructure, we assessed with high confidence that the phishing emails were, in fact, an extension of SAWFISH.

Along with our team — which is formally known as the Threat Hunting and Intelligence (THI) team here at Splunk — the Splunk Threat Research Team is similarly devoted to understanding bad actor behavior and researching known threats to build detections that the entire Splunk community can benefit from, and Splunk’s own SOC is no exception. Referencing the Splunk Security Content repository, THI quickly identified detection use cases that could be implemented to defend against typo-squatting phishing attacks:
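As an added illustration (not code from this post, nor from Splunk's Security Content repository), here is one way a defender can flag look-alike domains of the kind described above in URLs pulled from email bodies. The protected-brand list, the allow-list of legitimate GitHub domains, the homoglyph table and the sample email are constructed assumptions for the example.

```python
"""Flag typo-squatting / look-alike domains in URLs found in email text."""
import re
from urllib.parse import urlsplit

PROTECTED_BRANDS = ("github",)                    # assumed: brands we defend
ALLOWED_DOMAINS = ("github.com", "github.io")     # assumed allow-list of real domains
HOMOGLYPHS = {"0": "o", "1": "l", "rn": "m", "vv": "w"}  # common look-alike swaps
URL_RE = re.compile(r"https?://[^\s<>\"']+")

def normalize(label: str) -> str:
    """Undo the usual character substitutions before comparing to a brand."""
    label = label.lower()
    for fake, real in HOMOGLYPHS.items():
        label = label.replace(fake, real)
    return label

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute + adjacent swap."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)   # transposition, e.g. gihtub
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]

def lookalike_brand(host: str, max_distance: int = 1):
    """Return the brand a host imitates, or None if allow-listed or unrelated."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in ALLOWED_DOMAINS):
        return None
    labels = host.split(".")[:-1] or [host]       # every label except the TLD
    parts = [p for lab in labels for p in lab.split("-") if p]
    for brand in PROTECTED_BRANDS:
        for part in parts:
            norm = normalize(part)
            if brand in norm or edit_distance(norm, brand) <= max_distance:
                return brand
    return None

def flag_urls(text: str):
    """Return (host, imitated_brand) for every suspicious URL in the text."""
    flagged = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname or ""
        brand = lookalike_brand(host)
        if brand:
            flagged.append((host, brand))
    return flagged

# Constructed sample email body, not an artifact of the SAWFISH campaign.
SAMPLE_EMAIL = (
    "Your repository access will expire. Verify at https://githb.example-login.com/session\n"
    "Docs: https://docs.github.com/en/authentication\n"
)
```

The distance threshold of 1 keeps unrelated-but-similar brands (for instance a six-letter name differing in two characters) from being flagged; raise it only with a longer allow-list.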

The Future of Threat Intelligence

In the wake of attacks like the SolarWinds supply-chain hack, our role in protecting the enterprise has become ever more apparent. The SolarWinds hacks involved malware that was embedded into the Texas-based company’s digitally-signed software, and multiple organizations — including several federal agencies — were compromised as a result, with the situation continuing to develop on a daily basis.

However, in spite of the many questions these attacks have raised, one thing is for certain: Even the most sophisticated security defenses can be breached through legitimate third-party processes.

The good news? This is where threat intelligence will continue to flourish (especially given the emphasis on third-party and vendor security). And while the SolarWinds hacks are a perfect example of the far-reaching consequences of a supply-chain attack, this is also an example of when and where threat intelligence teams are needed the most.

The full extent of the damage won’t be known for a while yet. But with threat intelligence at the frontlines of security — deconstructing available, raw data and information, and crafting that into concrete guidance — we can offer valuable intelligence to fend off future attacks, no matter how covert or cunning they appear to be.

Ready to channel your inner threat analyst? Check out this month’s Threat Hunter Intelligence Report to find out how you too can stay one step ahead of your adversaries.
