Opora Product FAQ: Interview with Roy Peretz, VP of Product Management

How is Opora different than traditional threat intel?
It comes down to three simple distinctions.

  1. Behavior, not breadcrumbs. When analyzing and investigating cybercrime, all evidence is essential but focus must be placed on behavioral data points that are timely and actionable – information that can actively preempt attacks and contain the damage of an attack in progress.  

    Traditional threat intelligence providers rely too much on post-attack evidence collected after a breach has already happened – essentially conceding defeat rather than providing information that can actively deter adversaries. Another missing ingredient is the connection between the indicator and the adversary behind the threat.

    Bottom line: When the focus is solely on breadcrumb evidence such as IOCs, file hashes, IP addresses and domains and not the behavior behind the attack to find who is doing it, why, and how, organizations are less able to systematically defend against an adversary’s entire attack infrastructure.

  2. Pre-attack, not post-attack. The analysis that a threat intelligence provider delivers is entirely driven by post-attack behavior and IOCs, which puts IT security teams in reactive mode, unaware of new and emerging attacks. Because Opora monitors adversaries when they’re targeting organizations and planning their attacks, customers have advance warning, giving them an edge on their adversaries.

  3. Actionable, not impractical. Threat intelligence providers put the burden on their customers to decide if the threat is relevant to them and what to do about the ones that are. Opora can identify persistent connections to attack infrastructure missed by other solutions and send containment actions to your gateways and firewalls. We create and communicate customer-specific preemptive countermeasures rather than threat intelligence content that requires manual interpretation and translation.

What’s Opora’s secret sauce?

If we said, it wouldn’t be a secret anymore. 😊 But seriously, we do not claim to have exclusive access to a particular dataset that no other security vendor can access. If any security vendor tells you something like this, we recommend that you seek business elsewhere.

What we do with the data we collect is where the magic happens. Like an FBI profiler, we examine a broad set of data sources and seek to understand who is behind the threat activity that targets our customers. A key aspect of this involves studying and finding patterns in the decision-making process for adversaries as they build out their attack arsenal.

Behind every attack, a threat actor makes dozens of operational decisions for each step in an attack – some that they are keenly aware of, and others that they probably remain unaware of, and instead perform as if on ‘auto-pilot’. We examine all these aware and unaware decisions. Examples include:

  • Aware decisions – choosing an ISP, selecting the services required to register domains, naming conventions, creating a fake identity to register it, etc.
  • Unaware decisions – time of day/day of week when setting up domains, unintended spelling and vocabulary mistakes, fixation on details when creating fake registrant identities, textual structure used when constructing domain names, etc.
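As an added illustration of the aware/unaware decision features listed above (constructed sample data; not Opora’s code or model), the snippet below extracts registration weekday, hour bucket and domain-name structure from hypothetical WHOIS-style records and groups domains that share the same unaware-decision fingerprint:

```python
"""Illustrative behavioral feature extraction over domain registrations.
Constructed sample records; hypothetical domains, registrars and names."""
from collections import defaultdict
from datetime import datetime
import re

# Constructed WHOIS-style records (all values are made up for the example).
RECORDS = [
    {"domain": "secure-login-update-8821.example", "registrar": "RegistrarA",
     "registrant": "Jon Smtih", "created": "2023-03-07T02:14:00"},
    {"domain": "account-verify-alert-4410.example", "registrar": "RegistrarA",
     "registrant": "Jon Smtih", "created": "2023-03-14T02:41:00"},
    {"domain": "bluewidgets.example", "registrar": "RegistrarB",
     "registrant": "Acme Corp", "created": "2023-03-08T15:05:00"},
]

def shape(domain: str) -> str:
    """Textual structure of the first label: letter runs -> 'a', digit runs -> '9'."""
    label = domain.split(".")[0]
    s = re.sub(r"[a-z]+", "a", label)
    return re.sub(r"[0-9]+", "9", s)      # e.g. "a-a-a-9"

def features(rec: dict) -> dict:
    """Split a record into aware (explicit) and unaware (habitual) decisions."""
    ts = datetime.fromisoformat(rec["created"])
    return {
        # aware decisions: choices the actor makes deliberately
        "registrar": rec["registrar"],
        "registrant": rec["registrant"],
        # unaware decisions: habits that leak through unintentionally
        "weekday": ts.weekday(),              # 0 = Monday
        "hour_bucket": ts.hour // 4,          # six four-hour bins per day
        "shape": shape(rec["domain"]),
    }

def fingerprint(rec: dict) -> tuple:
    """Unaware-decision features only: unrelated actors rarely match on all three."""
    f = features(rec)
    return (f["weekday"], f["hour_bucket"], f["shape"])

def cluster(records: list) -> dict:
    """Group domains by fingerprint; a shared key suggests a common operator."""
    groups = defaultdict(list)
    for rec in records:
        groups[fingerprint(rec)].append(rec["domain"])
    return dict(groups)
```

The two phishing-style names land in one cluster (same Tuesday early-hours registration window and the same word-word-word-digits structure) while the unrelated business domain stands alone; in practice these features would be weighed alongside the aware decisions rather than used on their own.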

If a customer already has an NGFW (next gen firewall), a SIEM, and subscribes to more than one threat intelligence provider, why do they need our feed too?

I know it’s not always polite to answer a question with another question, but… I’m going to try to answer by suggesting that we ask our customer a few questions.

  • Can your threat intelligence provider give you advance notice when an adversary is targeting your suppliers, your subsidiaries or your customers?
  • Does your threat intelligence provider tell you how many persistent adversaries are targeting you right now and what their attack arsenal consists of?
  • With your existing toolset, can you quantify the degree to which you’ve contained your persistent adversaries?
  • Does the threat intelligence content enable automated action?

Bottom line: Opora is an essential ingredient for preemptive defense.  Because we know which adversaries target our customers, when and how they do it, what they use to do it, we can send preemptive countermeasures to each security control to defend against each attack – finding and blocking connections to Phishing, Delivery, and C2 infrastructure you didn’t know were active and preventing future attacks.

Where does Opora fit? Are we complementary or replacing something else our customers might already have?
Opora works with our customers’ existing NGFWs, proxies, SIEMs, SOARs, and other security systems to make them ‘adversary aware’. Adversary awareness means that any existing security controls (blocking at the firewall, detecting in the SIEM) are better equipped to preempt attacks as well as identify, block, and contain active threats. Our solution is designed to be complementary and avoid the disruption of ‘rip & replace’.

What do our customers do with the information that they see in Opora’s portal? What are their next steps?

First, let’s clarify the core components of the portal.

  • Threat Radar – main dashboard portal view, displays all active adversaries, their severity levels, and how they’re actively targeting an organization and its business eco-system: subsidiaries, customers, suppliers, and peers (as shown in screenshot above).
  • Adversary Profile – provides details about the individual adversary threats, their characteristics, and detailed information about their targeting activities.
  • Threat Score – Aggregated threat level across the threat landscape. See below for a more detailed explanation.
  • Attacking/Pre-Attack Adversaries – The number of adversaries across the attack phase (Command Center only).
  • Detected Connections – The number of Total, Blocked and Allowed connections to adversary infrastructure (Adversary Profile only).
  • Adversary Containment Level – Percentage of the total connections to malicious attack infrastructure that have been blocked in the selected timeframe.
  • Customer Preemptive Opportunity – Average amount of preemptive notice days for the detected malicious attack infrastructure in the selected timeframe.

The above information assists CISOs and their teams by:

  • Prioritizing and validating threats while reducing false positives
  • Automating and accelerating incident response
  • Preempting targeted attacks

For example, in the following screenshot, the adversary MTBR (TA-505) is considered a high threat because it has established connections to your organization, whereas adversary PRTS (Cobalt) is targeting some of your suppliers.

How much work is required for customers to act on Opora’s information?

The Opora platform is designed to ease the burden on IT security teams. Unlike threat intelligence content that requires interpretation or human intervention, Opora sends countermeasures directly to your firewalls and proxies to safely and automatically block an adversary’s entire arsenal.

Similar setups for SOARs, SIEMs, SASEs, and SEGs (secure email gateways) provide instant adversary awareness so even if an adversary changes their tactics, techniques or procedures (TTPs), Opora shields your organization from attack.

How does Opora collect data? From which sources? What is the vetting process?

We collect three types of information: Pre-Attack, Post-Attack, and Attacking information. All are collected in order to identify adversary behavior that can be translated into pre-attack indicative behavior that is then used by Opora to detect newly created attack infrastructure closest to its creation.

We use many different data sources in each of these categories. Here are a few:

  • WHOIS and live DNS information
  • Dedicated homegrown crawlers to collect pre-attack signals
  • Publicly available and dedicated blacklists and feeds as post-attack information
  • Additional security log data from customers and partners (anonymized)

Does Opora monitor the dark web? Is that where we find this information on what adversaries are doing?

Opora’s research methodology is based on monitoring adversaries at critical ‘intelligence junctions’ – or ‘gates’ that all threat actors are obligated to pass through when setting themselves up to target their next victims. After evaluating adversary behavior on the dark web, we determined that these sources failed three critical requirements: they were not consistently concrete, actionable, or containable.

In other words, there are no mandatory gates on the dark web that every threat actor must ‘walk through’ or engage in; the collection effort is laborious and open to subjective influence; and it fails to restrict the adversary in ways that expose their behavior to cognitive analysis and attribution. That’s why we find open sources richer, more reliable, and better suited to our cognitive model.

Bottom line: Our observations are that public sources on the open Internet (e.g. domain registration) provide the most value for adversary behavior analytics.

What information does Opora require to onboard customers? For example, do we require log data from a customer’s security systems in order to operate?

Opora is not reliant on log data and can offer visibility into active adversary threats with little to no information provided by our customers. Because our platform is designed to address each customer’s specific goals, we can accommodate a wide range of deployment options. That said, when Opora customers choose to provide anonymous and whitelisted security logs to us, it enhances their overall understanding of the threat landscape.

Bottom line: Each customer chooses their own Opora adventure… how they’d like to work with us, how much and what kind of information they provide us, the metrics they plan to prioritize, and what their strategic goals are.

How much manual work (human validation and interpretation) is done on Opora’s side? Is this all ML or is much of it based on human analysis and interpretation of raw data?

Our innovative technology is based on active learning supervised models. This integrated approach results in a constant dialogue between the human intelligence analysts and the machine. The human analysts gradually delegate responsibilities to the machine to mine and monitor adversary behavior patterns while the machine constantly suggests greenfield adversary behavior patterns that our experts can then validate. This cycle ensures we can get to very broad coverage with a small but very effective intelligence team.

What comprises the adversary threat score that we see in the Opora portal?

The adversary threat score is dynamically calculated by using the following factors:

  • The “Who” aspect of the adversary – their profile characteristics such as severity, weapons used, and whether or not they conduct targeted campaigns.
  • The “Where” aspect of the adversary – where they target the organization, its subsidiaries, its sector or geography (e.g. the closer the adversary is detected to the organization, the higher the score).
  • The “Sightings” aspect of the threat – adversaries identified as active inside the organization will have a higher threat score in this aspect based on their attack stage.

This score is also reduced based on the actual adversary containment level (the higher the containment level, the lower the score).

What advice do you have for folks on the front lines in cyber security?

Use numbers to make every business case. Whether it’s hiring new team members or investing in new technology, you need to show measurable progress and quantifiable value as outcomes. That’s where our customers find much of our immediate value – through the quantifiable KPIs in our portal that demonstrate progress – as well as prioritization – in threat containment and risk reduction.