Enhanced Threat Awareness Proposition

Enhanced Threat Awareness Proposition

February 24, 2017 | Adeline Zhang

Author: Cody Mercer, Senior Intelligence Threat Researcher

Network threat attack vectors continually advance in diversity and complexity. Attacks supplied through advanced persistent threats (APT) now spread very quickly and on a larger scale. Various IOT devices and other assets to include mobile/hand-held devices, desktops, bare-metal networks, web applications, and social networks are all vulnerable to the many attack vectors rampant in the wild. Currently users obtain threat information through log data and Indicators of Compromise(IOC) derived from their network intrusion prevention systems (NIPS), network intrusion detection systems (NIDS), and other cyber-security tools a company’s network ecosystem may occupy. Additionally, network threat behaviors and IOC’s should be collected and retained for big data analysis and processing to help customers understand the entire dynamic attack chain intuitively.

A re-classification of vulnerability rules and their respective attack chains derived through log analysis alerts may now be modified and adjusted through big data processing. Analysis and presentation of attack chain data should be supplied to customers and should cover each stage of a compromised asset or attack.

Network security threat analysis now relies upon large-scale security intelligence systems and professional intelligent big data analysis. These attributes make full use of data-driven security, supporting 24×7 multidimensional and hierarchical network security threat awareness solutions that shall be integrated into cloud, on premise bare-metal, and any other IOT devices.

Alerts Generated by Traditional Devices

Alert logs are often the first forms of information available for users after intrusion behaviors have been detected. To improve the overall effectiveness of threat awareness the methods in which network threat alerts are processed and normalized and then rendered needs modification and improvement. To accomplish this necessity the call for a new threat awareness system is purposed to support a paradigm of next-generation detection devices. It is important to recognize that the analysis of alert logs and the classification of the alert logs serves major importance also. The classification dimensions will directly affect customer awareness and understanding of the alert logs to further enhance threat trend awareness correlations for future analysis.

Vulnerability Rules Supported by Traditional Devices

Currently it is not uncommon to have several thousand rules written on a single network security device. Rule types are closely associated with policy configuration and on traditional NIPS devices rules are classified and organized into various categories. Rules are orchestrated and displayed by attack type, protocol type, service type, technology, and risk level.

Often with traditional NIPS devices, rules are classified by attack type and displayed in un-organized fashion making it difficult for the average user to process and triage the thousands of alerts that are recognized on a daily basis. Moreover, users cannot correlate the entire attack process and have the data intuitively displayed in the most efficient manner necessary. This prevents users from making accurate judgment about attack behaviors and modifying network security protection solutions under the current attack collection processes. The following figures depict two types of rule classifications and their organization type:

Alert Display & Presentation

As indicated, depending on the security device in question, often you will find that a single alert is generated for one attack and provides limited information which leads for the need to have additional security tools increasing resources, man-power, and cost overhead.

Purposed Threat Awareness System

To introduce an enhanced modernized threat awareness system the following should be considered:

  • updated alert log analysis platform
  • analysis of data to develop new and modernized rules
  • new classification standards
  • modified attack chains
  • integrated artificial intelligence (AI) and machine learning ability

To cope with the changes of network attack behaviors the current system should be upgraded to a revolutionary attack state behavior alert scheme. Based on the actual diversified attack forms, the inherent mode of “one alert for one attack” should be modified. A recognition in the transformation of thinking and improving the product quality, solutions, and user experience to produce a grand overview of the attack end-to-end process is the intended objective. The end-game goal will permit users to comprehensively control the dynamic threat awareness system based on big data mining and intelligent data analysis. Seemingly, this real-time threat awareness trend solution will serve as the new foundation and break the cycle of traditional NIPS detection alert systems.

Threat Awareness Through Big Data Analysis

Big data processing centers support various display methods that permit users to view in real-time their current network attack behaviors and overall security posture. There is a demand to display Indicators of Compromise (IOCs’) and alert information for attack events and the corresponding correlation. From an asset perspective this includes one-to-one, one-to-multiple, and multiple-to-one modes. In addition, the number of attacks in a specified time and attack event information are to also be displayed for user validation with detailed meta-data.

Through the analysis of alert logs, visualized analysis and display of the attacks against the target host is provided by dividing the attacks by attack time and attack stage and thus helping users to understand attack behaviors of the compromised system.

Dynamic awareness should deploy countermeasures to enhance the capability of preventing known and unknown threats by analyzing, detecting, tracing, and restoring the entire attack process from start to finish. Additionally, dashboards depicting global network risk trends from the perspectives of attack sources, attack types, and attack targets shall provide comprehensive and in-depth threat alerts to help users take appropriate action. With alert logs as the core, the data processing center focuses on data visibility and supports multi-level network architecture data retrieving services.


As the internet is now the main source of information and connects limitless amounts of network and communication entities, many security risks and vulnerabilities are also introduced into the mix. Moreover, we are now heavily reliant upon big data, cloud computing, and mobile Internet capabilities. Networks are ubiquitous in nature supporting energy plants, traffic control-stations, and industrial infrastructure type communications. Security risks continue to rise on an unprecedented level and the traditional detection method of NIPS devices are no longer applicable to network threats in the big data-driven Internet of Things (IoT).

A new system needs to be developed based on a new rule classification model and the massive data that may be obtained globally with the incorporation of intelligent big data mining and analysis modules. By making full use of data-driven security it shall be possible to provide a visualized detection and alerting platform featuring global coverage, multi-source reporting, and hierarchical connections.