Over the past few weeks we've been working with some models that get us to the left of kill chain. In fact, this is the exact term I've been using in describing a new value proposition to our portfolio of intelligence services --"Getting to the left of Kill Chain*". (*Kill Chain is registered trademark of Lockheed Martin)
How's it work? We look for things that tell us someone is going to be targeted, and then we track it. We're not 200 data scientists in the MIT Tech corridor or rocket scientists tracking space junk. We're simple guys running simple math. Take it for what it's worth.
It goes like this...
We tested against one intelligence source. Every day (well, nearly every day) we queried it for keywords, rules, IP addresses and other things that we think might be interesting. We tally the findings and present both the number of hits and detail to the analyst or subscriber who requested it. For the purposes of this blog, I tested PayPal, Amazon and Ebay for a pure online sample, and Walmart, Lowes and Gap for more traditional brick and mortars (although they too have online shopping). The results were, in this very limited sample, interesting.
I've removed the key from the graph to protect the innocent, but the numbers are interesting. The graph shows higher numbers of malware being sent to the online companies in a lead-up to Black Friday, while the major retailers showed nearly no increase in activity. Tallies of Malware being sent into brick and mortars were negligible throughout.
I'm showing only a few weeks, but even with the small sample, I had some thoughts..
First, this doesn't suggest to me that the sky is falling as a result of Black Friday. In fact, the numbers dropped going into Black Friday. That suggests (to me) that the cyber traps have already been set. Second, why do pure-play online companies have a higher rate of targeting than brick and mortars
However, the idea that the traps have already been set in backend systems of brick and mortars wouldn't surprise me at all. We know for a fact that ERP and CRM systems are just as coveted as other aggregation points -heck, we've been watching key loggers in thousands of companies around the world collect this data for over a year.
And why higher numbers in the online companies? Who knows.. maybe because the money flow is concentrated in these places? Pontification without more data would be irresponsible....
On the upside? Chatter in the security community, at least in the channels we monitor, continues as usual. The process is working. Marketers and press need to figure out how to message this stuff correctly, but the security community operates like any other day --because to us, it is. We're just a little more full as we work off the turkey.
So, get a good workout in. After mine I'm going to continue to pontificate about why one type of company gets targeted over another. We'll continue tracking.
I hope everyone had a great Thanksgiving!
Until next time!
Have a great weekend!