Know your adversary

Louise Davis

Adam Vincent looks at cyber threat intelligence for the oil and gas industry

The oil and gas industry has a massive task on its hands when it comes to information security. GCHQ announced in mid-July that Russian-backed hackers launched a concerted attack on the UK’s energy providers during the June election.

Nation-state hackers are increasingly targeting essential service industries in an attempt to disrupt daily activity, cause economic havoc, and steal sensitive information. If you’re an oil and gas organisation, you need to be hyper-aware of what you’re facing.

On top of that, each company has many endpoints to protect - from corporate laptops to industrial control systems and SCADA (supervisory control and data acquisition) systems.

Security analysts at these organisations must understand the policies and controls of each endpoint and which threats are targeting them - and that’s both difficult and time-consuming.

Relevance is key

Because analysts must protect such a variety of endpoints, understanding what information is relevant to the organisation is critical.

Depending on the organisation, analysts consume indicators (observable artefacts such as IP addresses, domain names, URLs or file hashes that are associated with a threat) from a number of different locations and sources.

Advanced threat intelligence platforms can help teams to find relevant threats and gain more context, such as attack patterns or previous victims.

For many companies, this will be a new area, requiring training to get teams up to speed.

The threat intelligence sector is relatively young, and has come into its own in the last five years as automation and data processing have increasingly sped up and gained greater capacity.

As the industry has grown, however, user-friendly systems have been made available which reduce the man-hours required to make sense of threat data. These can be quickly integrated into a company’s existing security procedure to provide rapid, useful insights into threats and malicious activity on the network.

Oil and gas companies can develop their threat intelligence skills and keep assets safe in an era of increasingly powerful adversaries by following these three key steps:

Step 1: Create a system of record

One of the main challenges in the oil and gas industry is a fairly common one: collecting, normalising, and enriching threat intelligence sources.

Oil and gas companies have unique assets to protect, so analysts may not be able to use common sources. They need to figure out what sources are worth their time and effort.

In order to evaluate the sources, you need to put them all into one place. The best place to start is to look at oil and gas-specific data in a number of threat intelligence sources, such as ThreatConnect, PhishTank Source and the Malware Domain Blocklist.

It’s a good idea to have a platform in place which can aggregate these intelligence sources, to save you from manually trawling through them all.

By investigating specific indicators (host, address, file, etc.) or group types (campaign, incident, threat, etc.), you can home in on the most likely characteristics of future threats and compare potentially malicious activity already on your network with known threats.

You also need to be able to export these indicators into your existing security tools in order to drive an informed defence programme.

By plugging endpoint protection into threat intelligence tools, you can reduce the time between discovery of a cyber threat and your system’s response to it.

With threat intelligence pre-loaded, you can create playbooks that automate the response to defined categories of attack, so that your systems react to an intrusion quickly and consistently.

Step 2: Understanding which intel is relevant

Aggregating pertinent data is a good first step, but indicators and threat intelligence are not one-size-fits-all. Some feeds are noisy and full of false positives, while others are valuable and full of relevant threat intelligence. To help reduce the complexity, it's a good idea to use sector-specific tags.

Tags let you categorise data within a threat intelligence platform, and range from specific industries to country of origin to malware families and more.

As you hunt, analyse, and create threat intelligence in the platform, specific tags can be applied to enable easy searching.

Once you can categorise and view the data, it is much easier to recognise trends and to review historical observations from your own network.

When you search for oil and gas tags, you can choose to view indicators or incidents that have had the tag added.

We recommend looking at incidents where you can easily dive in to see how indicators relate to each other, observe adversary attack patterns, and more.

Step 3: Leverage peer knowledge

If connected technology is creating new risks for the oil and gas industry, it also comes with some useful benefits.

Communities of companies can share vertical-specific data across a threat intelligence platform: if one member is attacked, it can push its findings to the rest of the group so they can strengthen their defences in response. This is a mutually beneficial model that reduces the chance of a breach for everyone involved, even direct competitors.

Communities can be run by organisations that want to share, collaborate and ask questions about threat intelligence, or by users with specific interests or assets.

Upon joining, follow a community to receive immediate or summary alerts of incidents or comments that get posted. This is an excellent way to get started with threat intel.
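The ingest, normalise, tag and export loop of Steps 1 and 2, as an added Python example that is not from the article or from ThreatConnect's platform. The three feed formats, the sample indicators (the documentation-range address 203.0.113.7, `.example` domains and the MD5 of an empty file) and the tag names are constructed for illustration; real feeds need their own adapters in `parse_feeds`. The `min_sources` threshold in `export_blocklist` is the check against the noisy feeds mentioned in Step 2: an indicator seen in only one source stays in the system of record for analysts but is not pushed to a blocking control.

```python
"""Minimal threat-intel system of record: ingest several feeds, normalise
and de-duplicate indicators, merge sources and tags, filter by tag and
export a corroborated blocklist. Hypothetical example; the feed formats
and every sample value below are constructed, not real feed data."""
import csv
import io
import ipaddress
import json
import re
from dataclasses import dataclass, field

# Constructed feeds. Feed formats are assumptions, not any vendor's format.
FEED_TXT = """# constructed plain-text domain blocklist
EVIL-Updates.example
scada-patch[.]example
evil-updates.example
"""
FEED_CSV = """indicator,type,tags
203.0.113.7,address,ics;oil-and-gas
scada-patch.example,host,oil-and-gas
hxxp://evil-updates.example/setup.exe,url,
"""
FEED_JSON = json.dumps([
    {"value": "d41d8cd98f00b204e9800998ecf8427e", "tags": ["ics"]},
    {"value": "203.0.113.7", "tags": ["scanner"]},
])

DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$")
HASH_LENS = {32: "md5", 40: "sha1", 64: "sha256"}


@dataclass
class Indicator:
    value: str
    type: str                      # host | address | url | file
    sources: set = field(default_factory=set)
    tags: set = field(default_factory=set)


def normalise(raw):
    """Refang, canonicalise and classify one raw indicator string.
    Returns (value, type), or None for comments/blank lines/junk."""
    v = raw.strip().replace("[.]", ".").replace("hxxp", "http")
    if not v or v.startswith("#"):
        return None
    if v.lower().startswith(("http://", "https://")):
        return v, "url"            # keep URL case: paths are case-sensitive
    v = v.lower()
    try:
        ipaddress.ip_address(v)
        return v, "address"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HASH_LENS:
        return v, "file"
    if DOMAIN_RE.match(v):
        return v, "host"
    return None


def ingest(feeds):
    """feeds: iterable of (source_name, [(raw, [tags]), ...]).
    Returns {normalised_value: Indicator}, merging sources and tags so the
    same indicator reported by several feeds becomes one record."""
    store = {}
    for source, items in feeds:
        for raw, tags in items:
            n = normalise(raw)
            if n is None:
                continue
            value, itype = n
            ind = store.setdefault(value, Indicator(value, itype))
            ind.sources.add(source)
            ind.tags.update(t for t in tags if t)
    return store


def parse_feeds():
    """Adapt each constructed feed format into (raw, tags) pairs."""
    txt = [(line, []) for line in FEED_TXT.splitlines()]
    rows = [(r["indicator"], r["tags"].split(";"))
            for r in csv.DictReader(io.StringIO(FEED_CSV))]
    js = [(o["value"], o["tags"]) for o in json.loads(FEED_JSON)]
    return [("txt-blocklist", txt), ("csv-feed", rows), ("json-feed", js)]


def by_tag(store, tag):
    """Step 2: indicators carrying a given tag, e.g. 'oil-and-gas'."""
    return sorted(i.value for i in store.values() if tag in i.tags)


def export_blocklist(store, min_sources=2, types=("host", "address")):
    """Only indicators corroborated by >= min_sources feeds go to the
    blocking tool; single-source hits stay visible to analysts only."""
    return sorted(i.value for i in store.values()
                  if i.type in types and len(i.sources) >= min_sources)


if __name__ == "__main__":
    store = ingest(parse_feeds())
    print("oil-and-gas:", by_tag(store, "oil-and-gas"))
    print("blocklist:", export_blocklist(store))
```

Running it shows the de-duplication at work: the two spellings of `evil-updates.example` and the defanged `scada-patch[.]example` collapse to single records, and only the two indicators seen in more than one feed reach the blocklist.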

Protect your future

No matter your organisation’s stage of maturity, it boils down to the same issue - information security takes time and effort, particularly as nation-backed hackers continue to grow in strength and persistence.

In the face of this challenge, it can be difficult to figure out what data is relevant to your organisation.

Creating threat intelligence and defining what poses the most risk is a time-consuming and resource-intensive process.

An intelligent threat platform can help simplify information security tasks and processes by making it easier to find relevant insights.

The oil and gas sector is under attack now and will remain a target.

Now is the time to fight back - integrate your disparate tools, automate your manual processes with orchestrated playbooks, and ultimately make your team more efficient.

Adam Vincent is CEO, ThreatConnect
