Airbus Cybersecurity To Offer A Richer Threat Intelligence With ThreatQ

Intelligentcio | February 27, 2020

  • With ThreatQ, the company has been enabled to offer a richer threat intelligence service that has more context and is faster.

  • The ThreatQ platform is complementary to an existing MISP solution and allows the customer to build up their own knowledge base adapted with their context.

  • With the ThreatQuotient solution, Airbus Cybersecurity analysts will be able to respond better and faster to customer requests.


Airbus Cybersecurity has strengthened its already mature and reliable offering by enriching the threat intelligence service it had been offering customers since 2011 with contextual information at scale with the help of ThreatQuotient.


With ThreatQ, the company has been enabled to offer a richer threat intelligence service that has more context and is faster – with the result that it is now able to continuously deliver cyber intelligence flows tailored to the needs of its customers.


Since 2011, our threat intelligence service has worked very closely with our incident response teams. Among other things, this has allowed us to be very relevant and responsive when it comes to tracking attackers.

- Julien Menissez, Product Manager for Managed Services in Europe, Airbus Cybersecurity.


This proximity has paid off, enabling the service to better contextualize alerts that would otherwise remain purely technical, such as lists of IP addresses and other indicators of compromise (IoCs).


Technical alerts are effective in blocking specific attacks, often in an automated way. However, when they are enriched with relevant, contextual information they can become real decision-making tools allowing security analysts to answer questions, such as: What do we know about the attacker’s current targets and campaigns? Are we a potential target for this group in particular?


But to turn this attractive theory into practice, Airbus Cybersecurity needed to be equipped to offer a robust, industry-ready service.


“In 2015, we decided to create a dissemination offering that would allow customers operating their own SOC to benefit from this increased information. We first worked with flat files, and then we deployed MISP interfaces for our customers,” said Julien Menissez.


Malware Information Sharing Platform


In a world of threat intelligence, the Malware Information Sharing Platform (MISP) is a necessity. MISP is a freely available solution that facilitates the sharing of IoCs between researchers after the IoCs have been acquired and consolidated.


And the complication lies here. Julien Menissez recalls: “MISP is very good for dissemination, but ingestion is not simple! We were forced to use many other open source tools in parallel, requiring a lot of scripting and manual operations before delivering the information to our customers, while remaining within the timeframes allowed by our SLAs.”


The dissemination service became so successful that the load on the Airbus Threat Intelligence team increased dramatically. It quickly became clear that a manual approach could not be scaled up, as customers demanded more and more context and richer information, beyond what MISP can do with its tagging and commenting functionalities.



Delivering Continuous Information


The Airbus Cybersecurity team then decided to research a new ‘cyber-intelligence back office’ – a tool capable of natively managing concepts such as the freshness of information, reliability, context and related data.


Julien Menissez said, “We quickly saw in ThreatQuotient the vendor best suited to our needs. We shared the same vocabulary (coming from the defense sector). The ThreatQ platform met our criteria, and the technical level of the ThreatQuotient subject matter experts was excellent.”


With ThreatQ, Airbus Cybersecurity will now be able to meet their goals. “We can now deliver the same service and the same knowledge, with the same quality as before, but much more quickly and with far fewer technical manipulations. And, obviously, it’s our customers who benefit. Airbus has gone from weekly information delivery to continuous information delivery,” Julien said.


The Airbus team can now offer an optional tool capable of helping them capitalize on their knowledge for slightly more mature customers, who do not yet operate their SOC but still have an internal CSIRT team. The knowledge acquired during the customer’s internal investigations is seamlessly integrated into the ThreatQ platform to enrich the information delivered back to the customer via the Airbus service.


The ThreatQ platform is complementary to an existing MISP solution and allows the customer to build up their own knowledge base adapted with their context. Since customers will keep all of their data within the ThreatQ Threat Library and therefore all the knowledge acquired by their CSIRT, they also have the freedom to change their threat intelligence feeds and sources at any time.


Faster Response In The Time Of Crisis


With the ThreatQuotient solution, Airbus Cybersecurity analysts will be able to respond better and faster to customer requests.


Most SOCs work with a workflow system to investigate IoCs collected during an incident. It is often a manual process but since the ThreatQ platform can be integrated with a SIEM to do the research and automatically identify patterns and linkages and how to pivot from a given IoC, we have even been able to reduce our response time to our customers. And obviously, in an incident, quickly identifying the pivots and monitoring malicious activities as closely as possible is a major advantage.

- Julien Menissez, Product Manager for Managed Services in Europe, Airbus Cybersecurity


Strategic approach to mitigate risk


The ThreatQuotient solution has allowed Airbus Cybersecurity to refine the information delivered to customers in order to better manage their security posture. The ThreatQ platform makes it possible to automatically “package” the most relevant flows according to the exposure of the client to specific risks, and thus take a strategic approach to mitigate risk.



Spotlight

Mobile ad hoc networks (MANETs) offer many advantages and applications in situations where very little time is available for recovery. These advantages come with some security risks. The approaches used to form a MANET fall into three categories: proactive, reactive and hybrid. Proactive and reactive approaches have a large body of research behind them compared to the hybrid approach, which combines the positives of both. In this paper, a modified pass-based identification and authorization technique is implemented over the hybrid protocol ZRP (Routing Protocol Zone), and an analysis comparing it to the traditional approach available for ZRP is presented.

Related News


Licel introduces Alice, a telemetry system that reveals the cyber threats facing apps in real time.

prnewswire | December 03, 2020

The global application security company Licel announced the launch of its latest product this week. In a world of ever-changing threats to application security, Alice depicts the everyday security risks that applications face. One consequence of COVID-19 has been a rise in the number of sophisticated cyber attacks, as criminals have sought to exploit people's reliance on guidance from experts. In addition, 2020 has seen applications take on much greater importance in an increasingly remote world. The combination of these two trends means that robust application security is as vital as it has ever been. However, as Licel CEO Ivan Kinash explains, there is also a growing appetite from businesses to understand what the most dangerous cyber threats are. "App protection products such as our own, DexProtector, do a fine job of protecting apps from bad actors. But this year we've also seen an increase in demand for a sophisticated, real-time platform that allows businesses to respond to attacks quickly. For some companies, their app is now their most important asset. And as such, it's crucial for them to know how the threat landscape around that app is evolving."


New Honeywell Forge Features Help Protect Facilities From Cyber Threats Associated With Remote Operations

Honeywell | June 25, 2020

Honeywell (NYSE: HON) today announced the latest release of its Forge Cybersecurity Suite that includes several enhancements to help ensure business continuity in the face of mounting cyberthreats, uncertain global business conditions and continued supply chain disruption associated with remote operations. The new Honeywell Forge Cybersecurity Suite release (R200) incorporates new features such as enhanced industrial-grade remote access, increased asset discovery capabilities with active and passive functionality and improved cybersecurity risk monitoring. The enhancements come as more industrial organizations are embracing remote operations to effectively manage facilities with reduced numbers of onsite personnel due to current safety restrictions. A new Honeywell report indicates that the severity of cyber threats detected to operational technology (OT) systems has risen by significant amounts in a 12-month period.


65% of Phishing Threats Facing Remote Workers Impersonate Google-branded Websites

Google | June 11, 2020

Remote workers faced a barrage of over 100,000 phishing attacks within four months, mostly involving Google-branded websites, according to a report by Barracuda Networks. The phishing attacks applied a method known as spear phishing to trick users into disclosing login credentials by impersonating legitimate websites. Google-branded sites accounted for about 65,000 of the attacks, 65% of the attacks experienced during the study, while Microsoft-branded impersonation attacks accounted for just 13% of the attacks registered between January 1, 2020, and April 30, 2020. The form-based phishing attacks applied various methods such as using legitimate sites as intermediaries, using online forms for phishing, and getting access to accounts without the use of passwords.

Google file-sharing and storage websites accounted for 65% of phishing attacks targeting remote workers within the first four months of the year. These phishing attacks involved the use of Google's domains, such as storage.googleapis.com (25%), docs.google.com (23%), storage.cloud.google.com (13%), and drive.google.com (4%). Microsoft brands were used in 13% of the attacks, including onedrive.live.com (6%), sway.office.com (4%), and forms.office.com (3%).

Organizations should also educate their employees on online security to help them navigate the complex attack landscape that keeps changing. This training would come in handy, especially for remote workers, who are more prone to phishing attacks. ~ Google

Other brands used to target remote workers included sendgrid.net, which contributed 10% of the phishing attacks. Mailchimp.com and formcrafts.com accounted for 4% and 2%, respectively. Barracuda Networks senior product marketing manager for email, Olseia Klevchuk, said cybercriminals prefer to use Google's services because they are more accessible and free to use, allowing them to create multiple accounts. She added that the methods criminals use, such as sending a phishing email with a link to a legitimate site, make these forms of phishing harder to detect. Steve Peake, UK systems engineer for Barracuda Networks, says brand-impersonation spear phishing attacks formed a popular and successful method of harvesting a user's login credentials. With more people than ever working from home, cybercriminals found an opportunity to flood people's inboxes with phishing emails. With the advancement of the attacks in recent times, hackers can now even create an online phishing form or page under the guise of legitimate services to trick unsuspecting users.

Criminals impersonate legitimate sites by creating emails that appear to have been generated automatically by file-sharing sites such as Google Drive or OneDrive. Many attackers know that if they want to attack someone specific, the attempt is more likely to succeed if the initial attack lands in the target's inbox late at night or early in the morning, when the target is less focused and when the attacker can most convincingly pretend to be someone else. The criminals then redirect the remote workers to a phishing site through a file stored on the file-sharing site. These phishing sites then request the users to provide login details to access the content.

To create data forms resembling login pages, criminals use online form services from domains such as forms.office.com and send these forms to unsuspecting users. These services trick many users because they reside on the companies' official domains and hence appear trustworthy. Most users do not realize that companies do not use these domains for login or password recovery. For example, Google does not ask users to log in through docs.google.com but instead uses account.google.com for authentication. For an ordinary user, the difference is too subtle to raise any suspicion.

Hackers have also applied non-password methods to access user accounts. Users are asked to grant permissions to rogue apps after logging in through legitimate sites. By granting these permissions, the users hand the hackers their accounts' access token, allowing them to log in at will. These attacks cannot be prevented by enabling two-factor authentication because the apps are given long-term access to the account. They also remain unnoticed for a long time because users forget which apps they have granted permission to access their accounts. Users should be vigilant in detecting suspicious activity on their accounts. Most accounts provide an account history that allows users to view the time and location from which their accounts were accessed.
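The domain list in the report and the "login form hosted on a legitimate file-sharing or forms domain" pattern it describes lend themselves to a simple mail-gateway triage check. The following Python is an added example, not code from Barracuda Networks, Google or the report: it groups inbound links by the impersonated brand using the hosts named above, flags links to those hosts whose path or query advertises a sign-in, and notes off-hours delivery. The log line format, the login-word heuristic, the off-hours window and the sample log lines are all constructed assumptions.

```python
"""Triage of inbound mail links against the brand-impersonation hosts named in
the Barracuda findings summarised above.  Added example; the log format, the
login-word heuristic and the off-hours window are assumptions, not the report's."""
import re
from collections import Counter
from datetime import datetime
from urllib.parse import urlparse

# Hosts the report says were abused, grouped by the brand they impersonate.
BRAND_HOSTS = {
    "google": {"storage.googleapis.com", "docs.google.com",
               "storage.cloud.google.com", "drive.google.com"},
    "microsoft": {"onedrive.live.com", "sway.office.com", "forms.office.com"},
    "sendgrid": {"sendgrid.net"},
    "mailchimp": {"mailchimp.com"},
    "formcrafts": {"formcrafts.com"},
}

# Heuristic (assumption): a file-sharing or forms host whose path or query
# advertises a sign-in matches the "login page on the wrong domain" pattern,
# since these brands do not authenticate users on those hosts.
LOGIN_WORDS = re.compile(r"(login|signin|sign-in|password|verify|account)", re.I)

# Assumed window for the report's "late at night or early in the morning" timing.
OFF_HOURS = range(0, 7)  # 00:00-06:59 in the recipient's local time (UTC here)

# Assumed gateway log format: "<iso-timestamp> rcpt=<recipient> url=<link>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+rcpt=(?P<rcpt>\S+)\s+url=(?P<url>\S+)$")


def brand_for_host(host):
    """Return the impersonated brand for a link host, or None if not listed."""
    host = (host or "").lower()
    for brand, hosts in BRAND_HOSTS.items():
        if host in hosts or any(host.endswith("." + h) for h in hosts):
            return brand
    return None


def parse_line(line):
    """Parse one constructed gateway log line into a record, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return {"ts": ts, "rcpt": m["rcpt"], "url": m["url"]}


def triage_link(ts, url):
    """Return a finding for a link on an impersonation host, else None."""
    parts = urlparse(url)
    brand = brand_for_host(parts.hostname)
    if brand is None:
        return None
    reasons = ["link to brand-impersonation host"]
    if LOGIN_WORDS.search(parts.path + "?" + parts.query):
        reasons.append("login-style form on a file-sharing/forms host")
    if ts.hour in OFF_HOURS:
        reasons.append("delivered off-hours")
    return {"url": url, "host": parts.hostname, "brand": brand, "reasons": reasons}


def triage(lines):
    """Run the check over log lines and collect findings with their recipient."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        finding = triage_link(rec["ts"], rec["url"])
        if finding:
            finding["rcpt"] = rec["rcpt"]
            findings.append(finding)
    return findings


def brand_share(findings):
    """Percentage of findings per impersonated brand, as in the report's breakdown."""
    counts = Counter(f["brand"] for f in findings)
    total = sum(counts.values()) or 1
    return {brand: round(100 * n / total) for brand, n in counts.items()}


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2020-03-02T02:41:10Z rcpt=alice@example.com url=https://storage.googleapis.com/shared-docs/invoice-login.html",
    "2020-03-02T09:15:00Z rcpt=bob@example.com url=https://docs.google.com/forms/d/e/1Fxx/viewform?entry=signin",
    "2020-03-03T05:02:44Z rcpt=carol@example.com url=https://forms.office.com/Pages/ResponsePage.aspx?id=verify-password",
    "2020-03-03T11:30:00Z rcpt=dave@example.com url=https://www.example.com/newsletter",
    "2020-03-04T14:05:09Z rcpt=erin@example.com url=https://drive.google.com/file/d/abc/view",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f["rcpt"], f["host"], "|", "; ".join(f["reasons"]))
    print("share by brand:", brand_share(found))
```

A link to drive.google.com that simply shares a file gets only the host-match reason, so the output is a triage queue ranked by the number of reasons rather than a block list; a legitimate Google Drive share should not be dropped just because the host is on the list.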

