How Visa Threat Intelligence Is Keeping An ‘Eye’ On Cybercrime

Cybercriminals often work in teams; why shouldn’t the companies that are fighting back against them? That’s the thought process made reality by Visa and FireEye, whose first product together — Visa Threat Intelligence — launched last month. Both companies — including Visa’s Mark Nelsen and FireEye’s Nart Villeneuve — recently checked in with Karen Webster to share a status update on their cybercrime-fighting partnership.


Having been first announced back in October, Visa and FireEye’s Visa Threat Intelligence (VTI) — a subscription-based Web portal that gives merchants and issuers access to timely alerts on malicious actors, attack methods and trends, and in-depth forensic analysis — became generally available last month.

MPD CEO Karen Webster took the opportunity, an anniversary of sorts, to speak with Mark Nelsen, Senior Vice President of Risk Products and Business Intelligence at Visa Inc., Nart Villeneuve, Principal Threat Intelligence Analyst at FireEye, and members of their respective teams, and get the lowdown on the progress of the partnership, the operational details of VTI, and what the companies hope to achieve moving forward.

“The main reason why we partner with FireEye,” Nelsen tells Webster, “is because we want to make sure that we can provide our stakeholders — both issuers and merchants — with tools that can help defend against these targeted attacks on consumer payment data.”

“By combining the assets that we have and intelligence that we have on our network with the intelligence that FireEye has, we can really provide some meaningful intelligence to the stakeholders. That’s really why we created this Visa Threat Intelligence powered by FireEye.” — Mark Nelsen, SVP of Risk Products and Business Intelligence, Visa

Villeneuve offers that “One of the things that we’ve been focusing on is trying to understand not just the different elements that constitute a successful attack, but all of them together.”

“What we’re really trying to do,” he continues, “is connect everything from the initial attack vectors through to the post-compromise activity, through to the activity on underground cybercrime marketplaces, to try to understand not only the tools and tactics that the actors are using, but also their motivation in their communities to try to get a sense of what they’re potentially developing: new types of malware that we should be worried about, or different types of attack vectors.”

“Something that is indiscriminate or commodity crimeware might be pretty easily dismissed or not handled with the appropriate level of severity,” notes Villeneuve. “You can’t really know when to apply that additional level of scrutiny without really good threat intelligence.”

As the companies began to walk Webster through how Visa Threat Intelligence works, they explained that the service is presented as a Web portal because Visa wanted to get the information therein to as many people as possible — and without them having to do any development.

When Visa was first putting together the portal with FireEye, working with organizations that were trying to build out their threat intelligence capabilities, it found that companies were running into a couple of problems with the intelligence feeds they were already subscribing to or buying.

For one thing, those feeds tended to be focused on an individual tool that had already been identified in the wild. While this is important information for any security strategy, it doesn't address threats that are being observed for the first time. Nelsen emphasized that if Visa or FireEye observes a new, previously unseen piece of malicious software, such as POS malware or a remote access Trojan ("backdoor"), or a command-and-control server IP address from an ongoing breach, that intelligence is critical to preventing or detecting a compromise and can be made available to issuers and merchants immediately.

Visa and FireEye also observed that companies were getting a large volume of raw data from their intelligence feeds, and that this raw data was becoming more and more of a problem to manage and prioritize. The companies were hoping for intel that would help them identify the threats most relevant to their organization, but with so much data coming in, they couldn't tell what they needed to respond to first.

Visa and FireEye went in another direction in that regard, choosing with VTI to focus on information that they thought was the most relevant for the organizations in the payment card industry.

Overall, the companies explained to Webster, VTI contains four main sections.

First, there's the briefing section, where a dedicated team of analysts writes articles about the most critical threats facing the payments ecosystem. These articles range from tactical pieces about a particular tool or tactic the criminals are using to more strategic analysis that shares insights about different threat actors and how they think about attacking the financial sector and payment data.

Part of the intelligence gathering process also involves going underground to gather information on cybercriminals. Villeneuve notes that this process “can be difficult” for FireEye’s researchers, given the requirement to navigate different levels of activity — and access — within the digital underworld.

While it is “a bit of a cat-and-mouse game,” says Villeneuve, he points out that “at the same time, the cybercriminals need this type of contact to be successful — they need to buy things; they need to sell things; they want to advertise their product to as many people as they can. So they do have an interest in letting people in.”

And, unlike a lot of other portals, Visa wanted to make the articles actionable. So it attached indicators to them: users can find the relevant domains, signatures, IP addresses and other attributes for a particular threat, then download those indicators and load them into their organization's own security tools.

The second main section of VTI is feeds, where users take the intelligence that has been gathered and put it to work in their environment, identifying and blocking the latest threats with their own security tools. Visa Threat Intelligence draws information from many unique sources, such as ongoing compromises that Visa and FireEye are involved with and the intelligence assets of iSight Partners, a cyber intelligence company that FireEye recently acquired.

VTI users can subscribe to threat feeds in bulk, instead of having analysts go through each individual article or threat indicator to pull information out manually.

“This is real-time, cutting-edge information,” states the company, “so it doesn’t necessarily mean that these are already in your network. This is taking that proactive approach to keep you ahead of attacks.”
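The briefing indicators and bulk feeds described above only pay off once they are matched against an organization's own telemetry. The script below is an added example, not code from the original article or from Visa or FireEye, showing one way a small security team might do that: it parses an indicator feed into exact-match sets and CIDR ranges, runs DNS, connection and process-execution log lines through those indicators, and returns hits grouped by host with the highest-confidence hosts first, which is the prioritization problem the article says raw feeds leave unsolved. The CSV layout, the confidence labels, the log format and every domain, address and hash in it are constructed for illustration; none of them reflect the real VTI feed format or any real threat.

```python
"""Added example: matching a downloaded indicator feed against local logs."""
import csv
import io
import ipaddress
import re

# Constructed indicator set in an assumed CSV layout (not the real VTI feed
# format). Values use documentation/reserved ranges and a made-up hash.
INDICATOR_CSV = """type,value,threat,confidence
domain,update-check.example,PoS memory scraper C2,high
ipv4,203.0.113.45,backdoor C2,high
ipv4,198.51.100.0/24,scanning infrastructure,medium
sha256,9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08,dropper,high
"""

# Constructed DNS / proxy / execution log lines; not captured from any network.
SAMPLE_LOGS = [
    "2016-03-02T10:14:02Z host=pos-lane-07 event=dns query=update-check.example",
    "2016-03-02T10:14:03Z host=pos-lane-07 event=conn dst=203.0.113.45:443",
    "2016-03-02T10:15:10Z host=hr-laptop-12 event=conn dst=198.51.100.77:22",
    "2016-03-02T10:16:00Z host=hr-laptop-12 event=dns query=www.example.org",
    "2016-03-02T10:17:45Z host=pos-lane-07 event=exec "
    "sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
]

# Assumed confidence vocabulary; lower rank means respond sooner.
CONFIDENCE_RANK = {"high": 0, "medium": 1, "low": 2}

_DOMAIN_RE = re.compile(r"\bquery=([A-Za-z0-9.-]+)")
_DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})")
_SHA256_RE = re.compile(r"\bsha256=([0-9a-fA-F]{64})")
_HOST_RE = re.compile(r"\bhost=(\S+)")


def load_indicators(csv_text):
    """Parse the feed into exact-match entries plus a list of CIDR ranges."""
    exact = {}      # (type, value) -> (threat, confidence)
    networks = []   # (ip_network, threat, confidence)
    for row in csv.DictReader(io.StringIO(csv_text)):
        kind, value = row["type"].strip(), row["value"].strip().lower()
        meta = (row["threat"], row["confidence"].strip().lower())
        if kind == "ipv4" and "/" in value:
            networks.append((ipaddress.ip_network(value, strict=False),) + meta)
        else:
            exact[(kind, value)] = meta
    return exact, networks


def match_line(line, exact, networks):
    """Return every indicator hit on one log line as (type, value, threat, confidence)."""
    hits = []
    m = _DOMAIN_RE.search(line)
    if m:
        key = ("domain", m.group(1).lower().rstrip("."))
        if key in exact:
            hits.append(key + exact[key])
    m = _DST_RE.search(line)
    if m:
        ip_text = m.group(1)
        key = ("ipv4", ip_text)
        if key in exact:
            hits.append(key + exact[key])
        else:
            try:
                ip = ipaddress.ip_address(ip_text)
            except ValueError:      # regex allows octets > 255; skip junk
                ip = None
            if ip is not None:
                for net, threat, conf in networks:
                    if ip in net:
                        hits.append(("ipv4", str(net), threat, conf))
    m = _SHA256_RE.search(line)
    if m:
        key = ("sha256", m.group(1).lower())
        if key in exact:
            hits.append(key + exact[key])
    return hits


def scan_logs(lines, csv_text):
    """Match every line; return [(host, hits)] with the most urgent host first."""
    exact, networks = load_indicators(csv_text)
    by_host = {}
    for line in lines:
        host_m = _HOST_RE.search(line)
        host = host_m.group(1) if host_m else "unknown"
        for hit in match_line(line, exact, networks):
            by_host.setdefault(host, []).append(hit)
    # Best (lowest) confidence rank first, then the host with more hits.
    return sorted(
        by_host.items(),
        key=lambda kv: (min(CONFIDENCE_RANK.get(h[3], 3) for h in kv[1]), -len(kv[1])),
    )


if __name__ == "__main__":
    for host, hits in scan_logs(SAMPLE_LOGS, INDICATOR_CSV):
        print(host)
        for kind, value, threat, conf in hits:
            print(f"  [{conf}] {kind} {value} -> {threat}")
```

With the constructed input, the POS lane that resolved the C2 domain, connected to the C2 address and executed the flagged binary sorts ahead of the laptop that merely touched a medium-confidence scanning range, which is the kind of ordering an analyst without a large staff needs before opening a ticket. In a real deployment the feed would be pulled on a schedule and the matching pushed into the SIEM or proxy rather than run as a script, and indicator confidence should be combined with the asset's own criticality (a payment terminal versus a guest laptop) before deciding response order.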

The third section is Circles — a place where Visa enables organizations to securely share intelligence between companies.

Historically, companies have shared intelligence over phone calls, emails, spreadsheets and the like. Circles does away with that back-and-forth by letting organizations share intelligence securely with other companies inside VTI.

Users can create a circle and invite other organizations into it based on trust; only organizations in a given circle can see the information shared there. Any member organization can contribute a new intelligence piece, and when members log in and look at their briefings, they see the information shared within their circle.

The fourth and final main section of VTI is Analysis. Here the Web portal provides a secure environment for organizations to upload suspicious files or IP addresses they find on their network, so that FireEye can compare them against all previously identified threats and analyze whether a sample is malicious, precisely how it behaves, and what it does.

Specifically, the analysis tool can tell an organization exactly which files were added or opened, which registry keys were added, opened or changed, and which folders were created on an endpoint.

The analysis results can also be run against a handful of antivirus engines, so an organization can determine whether its existing antivirus software did, or would have, caught a malicious file and what it would have reported it as. The full results can be exported into an executive-level summary.

“The nice thing” about the analysis section, states FireEye, “is that you can only see files that either you’ve uploaded or that your organization has uploaded. You can’t see anyone else’s. The good side of that is if I or one or two people on my team are working on incident response, and I go to upload a file and see that somebody from a different department has already done so, now I can start to collaborate with him.”

Those four sections that make up the VTI package have garnered “a tremendous positive response” from users, says Visa, since the offering went to market last month. The Web portal operates on an annual subscription fee, the exact amount of which depends on which product options are selected.

In general, Visa has observed that members of the payments industry think that VTI “is unique; they want to know more; they’re logging on and doing trials.”

Although Visa Threat Intelligence is very robust and comprehensive, the two companies behind the service do believe organizations need a base level of sophistication to take full advantage of it.

“It’s more about the level of sophistication,” Visa states. “The largest issuers are very sophisticated, but you’d be surprised that even some merchants that are fairly small — such as those classified as tier three — also have strong security strategies. So [VTI] would certainly work for them, as well.”

Beyond a certain level of sophistication, resources also determine whether an organization is a fit for a service like Visa Threat Intelligence, and Visa and FireEye believe that is where their partnership adds one of its main values.

“We have a team of analysts on the Visa and the FireEye side,” notes Visa, “going through all the different sources of intel, and we distill it down to the more relevant, actionable threats for people in payments … this actually helps someone who doesn’t have a large staff. They can rely on our analysts to tell them what they should be paying attention to, so they don’t have to sift through all that information themselves.”

Overall, the company attests that it is “just really excited to have a tool like this and a partner like FireEye to launch these types of products.”

“We have a lot of what we feel is very unique intel that hasn’t been made available before,” states Visa. “And we just really think it’s going to be a good tool for us to help all stakeholders in the payments ecosystem — issuers, merchants, acquirers — better protect their sensitive data.”

Although Visa Threat Intelligence is the first product born of the Visa/FireEye partnership, the companies inform Webster that they have more ideas they’re putting on the roadmap.

“Hopefully,” concludes Visa, “this is the first of many products that we’re looking to launch together.”