The Department of Homeland Security, working with the FBI, has released the Joint Analysis Report (JAR), Grizzly Steppe, through US-CERT, while DHS, through its Automated Indicator Sharing (AIS) platform, released machine-readable indicators to detect threats discussed within the JAR document. DHS cyber intel analysts identified a potential threat and distributed data used by automated cyber threat detection systems. Companies can then use this data to automatically detect the same threat on their own systems and take appropriate steps to protect themselves.
Perch Security, a cyber intel startup, was among the first to react to Grizzly Steppe. Most Perch customers were receiving alerts related to Grizzly Steppe before they became aware of the US-CERT report.
"Within an hour after the indicators were released, Perch customers were notified of activity in their environment via alerts, and could see the spread of Grizzly Steppe throughout the DHS AIS community via intelligence sightings," the company said.
"Automating sightings is a relatively new concept that allows community members to see threats impacting other community members," said Aharon Chernin, CEO and founder of Perch. "Sightings give communities cyber situational awareness so they can have an idea of what is going on around them. Grizzly Steppe was a good test of how well sharing community sightings work. You are no longer alone out there."
A Perch analyst’s examination of DHS AIS’s indicators revealed higher than expected benign traffic patterns to servers at Yahoo, Verizon, and Twitter – resulting in an unusually high number of false positives. "Consumers and security service providers should review the indicators before taking preventative action," Aharon stated, adding, "Most JARs released by AIS are of high quality and do not erroneously include this level of benign traffic patterns."
DHS AIS works as a platform for quickly distributing machine-readable threat indicators to the public, and performs excellent service in these efforts. Perch works as a platform for automatically detecting, and sharing back, alerts from industry-based sharing communities like DHS AIS.
"That weekend was significant for our users," Aharon said. "They had already detected, been alerted and shared back intelligence context to their communities instantaneously after DHS analysts distributed the intelligence. No one was concerned when ‘Grizzly Steppe’ hit the news. They know Perch has them covered."