
Page 1: Demystifying Threat Intelligence Final ReBIT

ReBIT Webinar – 23 Jan 2018

Ashish Thapar & Roy Porter

Demystifying Threat Intelligence

Finding the secret Squirrel using Threat Intel

Ashish Thapar | Managing Principal, APJ | Investigative Response

VTRAC (Verizon Threat Research Advisory Center)

Roy Porter | Consultant | Threat Research

VTRAC

Page 2: Demystifying Threat Intelligence Final ReBIT


Agenda

• Cyber Threats and Dwell Time
• Cyber Threat Intelligence
• Lifecycle of Threat Intel
• Diamond Model
• Challenges and Maturity Cycle
• Threat Intel Platform and Automation
• Threat Hunting
• Final Wrap up

Page 3: Demystifying Threat Intelligence Final ReBIT


Cyber Threat Landscape

State Sponsor Attacks: National Security

Business Data: Intellectual Property/Customer Data

Individual Data: PII

• New breaches happen every day
• New indicators of compromise released every day
• New vulnerabilities disclosed every day
• Advanced Persistent Threats / Zero Day Threats
• Not anymore ‘the question of if, but when’

Page 4: Demystifying Threat Intelligence Final ReBIT


The Ever-Increasing Dwell Time


Page 5: Demystifying Threat Intelligence Final ReBIT


What are We Currently Trying to Do?

None or insufficient preventive and detective mechanisms – waiting to get punched

Image Source: https://manila.com

Page 6: Demystifying Threat Intelligence Final ReBIT


What are We Currently Trying to Do?

Or have sufficient controls and skills - to Defend It !!!

Image Source: https://i.pinimg.com

Page 7: Demystifying Threat Intelligence Final ReBIT


What are We Currently Trying to Do?

Or should we build preventive, detective, responsive and proactive controls - to Dodge it Completely !!!

Image Source: https://www.expertboxing.com

Page 8: Demystifying Threat Intelligence Final ReBIT


Cyber Threat Intelligence

What is Intelligence?

Intelligence is regularly defined as information that can be acted upon to change outcomes

What is Cyber Threat Intelligence?

Knowledge about adversaries and their tactics, tools and procedures, collected, analyzed and shared in ways that help concerned personnel at all levels to provide/implement adequate protection for the crown jewels of an organization

In simple terms, ‘cyber threat intelligence’ can be defined as moving from ‘unknown unknowns’ to ‘known knowns’. This is achieved by discovering the existence of threats, then understanding and mitigating them, so that the organization moves from ‘unknown unknowns’ through ‘known unknowns’ to ‘known knowns’.

[Figure: “Intelligence” arrow running from Unknown Unknowns, through Known Unknowns, to Known Knowns]

Page 9: Demystifying Threat Intelligence Final ReBIT


Threat Intelligence Categories


Strategic

• High level information to be consumed by Senior Leadership for long term business goals

• Non Technical and translates cyber risks into business risks (financial risk & impact)

Tactical

• Consumed by security team (incident responders, SOC, etc.) for day-to-day threat management

• Details of Tactics, Techniques, and Procedures of the adversaries

Operational

• Consumed by senior security staff members such as security managers or heads of incident response

• Provides details of latest threats, vulnerabilities and associated warnings

Page 10: Demystifying Threat Intelligence Final ReBIT


Sources of Threat Intelligence

• Commercial Feeds
• Open Source Intelligence
• Digital Forensics & Incident Response
• Malware Reverse Engineering
• IDS/IPS Alerts
• SIEM Alerts
• Threat Hunting
• Endpoint Detection & Response
• DarkNet/DarkWeb
• CERT Alerts
• Penetration Testing Results
• Information Sharing & Analysis Center

Page 11: Demystifying Threat Intelligence Final ReBIT


Threat Intelligence Lifecycle

• Requirement & Planning
• Collection & Processing
• Analysis & Production
• Evaluation & Dissemination
• Review

Automation

Page 12: Demystifying Threat Intelligence Final ReBIT


Diamond Model

Adversary: Hackers from identified locations/countries

Capabilities: Spear-phishing emails, Drive-by download, Water-hole techniques, Zero-day malicious software

Infrastructure: C&C servers and related infrastructure

Victim: Banks, Payment providers and Retail Industry. More than 50 banks and 5 payment systems compromised

Page 13: Demystifying Threat Intelligence Final ReBIT


Problems for Security Analysts

• Are these threat feeds relevant to my organization?
• Are these significant threats?
• How to better analyze collected data and correlate incidents to campaigns?
• How to share and do intelligence exchange?
• Aggregating data from all the different sources (OSINT, Commercial, Community, Customers, Foreground sources - incident response, malware analysis, research, etc.)
• Aggregating the cyber threat intelligence collected from external sources with internal data
• Managing all the collected information for better analysis
• Striking the right balance with automation to detect and prevent threat(s)
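The Diamond Model slide and the “correlate incidents to campaigns” question above both come down to analytic pivoting: starting from one case, pull in every other event that shares a vertex value. The Python below is an added example, not code from the webinar or from VTRAC; the events, case ids, hostnames and victims are constructed, and the choice of pivot axes is an assumption.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four Diamond Model vertices plus a case id."""
    case: str
    adversary: str        # often "unknown" early in an investigation
    capability: str
    infrastructure: str
    victim: str


# Constructed events (hypothetical case ids, C2 hosts and victims).
EVENTS = [
    DiamondEvent("IR-001", "unknown", "spear-phishing", "c2-a.example.net", "Bank A"),
    DiamondEvent("IR-002", "unknown", "drive-by download", "c2-a.example.net", "Retailer B"),
    DiamondEvent("IR-003", "unknown", "drive-by download", "c2-b.example.net", "Payment provider C"),
    DiamondEvent("IR-004", "unknown", "zero-day malware", "c2-c.example.net", "Bank D"),
    DiamondEvent("IR-005", "unknown", "spear-phishing", "c2-d.example.net", "Bank E"),
]


def pivot(events, start_case, axes=("infrastructure", "capability")):
    """Transitively link events that share a value on any pivot axis.
    'adversary' is deliberately not an axis: an "unknown" value shared by
    every event would link everything into one false campaign."""
    by_value = defaultdict(set)
    for e in events:
        for axis in axes:
            by_value[(axis, getattr(e, axis))].add(e)
    seed = next(e for e in events if e.case == start_case)
    seen, frontier = {seed}, [seed]
    while frontier:
        e = frontier.pop()
        for axis in axes:
            for other in by_value[(axis, getattr(e, axis))]:
                if other not in seen:
                    seen.add(other)
                    frontier.append(other)
    return sorted(x.case for x in seen)


def campaign_profile(events, cases):
    """Summarise the vertex values observed across the linked cases."""
    linked = [e for e in events if e.case in cases]
    return {axis: sorted({getattr(e, axis) for e in linked})
            for axis in ("capability", "infrastructure", "victim")}
```

Pivoting on a widely used capability links more cases than pivoting on infrastructure alone, so an analyst should treat capability-only links as leads rather than confirmed campaign membership.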

Page 14: Demystifying Threat Intelligence Final ReBIT


Threat Intel Program Maturity

Level 0
• Establish and centralize log collection
• Periodically correlate open source threat data w/ logs
• Utilize open source threat intelligence platform (TIP)

Level 1
• Utilize one or more premium (fee-based) threat feeds
• Integrate threat data into SIEM and security devices

Level 2
• Adopt threat model (STIX, VERIS, etc.)
• Introduce automation at collection levels of the lifecycle
• Use more robust TIP

Level 3
• Begin producing Intel instead of just consuming
• Improve sharing between internal security functions

Level 4
• Enhance automation wherever possible
• Develop proactive threat hunting program
• Increase participation in sharing communities

Page 15: Demystifying Threat Intelligence Final ReBIT


Cyber Threat Intelligence Team

Manager

Analysts*

Engineers

Operations Team

Quality Assurance

*In addition to core security skills, emphasis on analyst skills should include analytical research, critical thinking, and an understanding of how sociological and psychological aspects drive human behavior

Page 16: Demystifying Threat Intelligence Final ReBIT


Automated Threat Intelligence

• Problem: Manual collection and analysis of collected threat data can take days, weeks, or even months – attacks are measured in seconds

• Solution: Identification of malicious activity patterns, through a combination of Machine Learning and Deep Learning

• Requires: Big data sets derived from analyzing malware, network traffic, event logs, etc.

• Outputs: Risk and confidence scoring of indicators; anomaly based threat detection based on network behaviors; proactive rule creation with automated dissemination to security devices


Page 17: Demystifying Threat Intelligence Final ReBIT


Case Studies

Value of Threat Intelligence
78%: Essential to strong security posture
77%: Valuable to security mission
81%: Security leaders benefit the most
61%: Integrated intel leads to faster analysis

Aspects used
54%: Utilize TIP or will in 12 months
39%: Subscribe to premium (paid) feeds
10: Average number of feeds used
56%: Don’t use standardized sharing protocols

Challenges
70%: Intelligence is too voluminous/complex
27%: Utilize threat intelligence VERY effectively
44%: Difficult to prioritize without a TIP
66%: Integration was difficult

Source: 2016 Ponemon Institute

Page 18: Demystifying Threat Intelligence Final ReBIT


Open Source Options

Feed aggregation, enforcement, sharing application:
Minemeld - https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld

OSINT:
AlienVault OTX https://www.alienvault.com/open-threat-exchange
Bambenekconsulting http://osint.bambenekconsulting.com/feeds/
DShield https://secure.dshield.org/xml.html
Emerging Threats https://rules.emergingthreats.net/
blocklist.de http://www.blocklist.de/en/index.html
Malware Domain List https://www.malwaredomainlist.com/
OpenPhish https://openphish.com/
Ransomware Tracker https://ransomwaretracker.abuse.ch/
sslbl.abuse.ch https://sslbl.abuse.ch/
ZeuS Tracker https://zeustracker.abuse.ch/
Feodo Tracker https://feodotracker.abuse.ch/

Page 19: Demystifying Threat Intelligence Final ReBIT


Threat Hunting

• Threat Hunting refers to proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools.
• Threat Hunting is an iterative process and should be carried out on an on-going basis to look for adversaries hidden in the network or in vast data sets.
• It typically requires a mix of technology, automation, assimilation, use case formulation and heavy contextualization and customization for an organization.
• Threat Hunting answers the What, Why, When and Where.

Page 20: Demystifying Threat Intelligence Final ReBIT


Types of Threat Hunting

Data Driven Hunting
• Logs based hunting to find normal vs. abnormal
• Analysis of various sources of logs such as netflow, proxy, DNS, etc.

Entity Driven Hunting
• Network based hunting to find abnormal behavior.
• Sometimes limited hunting on crown jewel infrastructure to find crucial intellectual property.

Intelligence Driven Hunting
• Hunting based on static threat indicators
• Threat indicators and intelligence based threat hunting

Endpoint Driven Hunting
• Abnormal behavior identification on endpoints
• Achieved via deployment of Endpoint Detection and Response (EDR) agents

TTP Driven Hunting
• Hunting based on Tactics, Techniques and Procedures
• Hunting based on indicators of compromise

Hybrid Threat Hunting
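Intelligence driven and data driven hunting, like the maturity Level 0 step of correlating open source threat data with logs, reduce to matching DNS and proxy log entries against an indicator list and scoring each match. The Python below is an added example, not code from the webinar or from Verizon; the feed entries, log lines, log layout and the 30-day half-life confidence decay are all constructed assumptions.

```python
import re
from datetime import datetime

# Constructed indicator feed (documentation-range values, not real IoCs).
FEED = [
    {"type": "domain", "value": "update-check.example.net", "confidence": 90, "last_seen": "2018-01-20"},
    {"type": "ip", "value": "203.0.113.45", "confidence": 60, "last_seen": "2017-11-01"},
    {"type": "domain", "value": "cdn.example.org", "confidence": 20, "last_seen": "2018-01-22"},
]

# Constructed log lines in an assumed "<timestamp> <source host> <dns|proxy> <target>" layout.
LOGS = [
    "2018-01-23T09:14:02Z 10.0.0.12 dns update-check.example.net",
    "2018-01-23T09:14:05Z 10.0.0.12 proxy 203.0.113.45",
    "2018-01-23T09:20:11Z 10.0.0.31 dns cdn.example.org",
    "2018-01-23T09:21:40Z 10.0.0.31 dns intranet.corp.local",
    "garbage line that does not parse",
]

NOW = datetime(2018, 1, 23)  # fixed clock for the hunt (the webinar date)
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<kind>dns|proxy) (?P<target>\S+)$")
IPV4_RE = re.compile(r"\d{1,3}(\.\d{1,3}){3}")


def score(indicator, now=NOW):
    """Feed confidence decayed with an assumed 30-day half-life since last_seen,
    so stale indicators sink below the alerting threshold on their own."""
    age_days = (now - datetime.strptime(indicator["last_seen"], "%Y-%m-%d")).days
    return indicator["confidence"] * 0.5 ** (age_days / 30)


def hunt(log_lines, feed, now=NOW, threshold=40.0):
    """Match each parseable log line against the feed. Matches at or above the
    threshold become alerts; weaker matches are kept as leads for an analyst."""
    index = {(i["type"], i["value"].lower()): i for i in feed}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed lines are skipped, not fatal
        target = m["target"].lower()
        kind = "ip" if IPV4_RE.fullmatch(target) else "domain"
        indicator = index.get((kind, target))
        if indicator is None:
            continue
        s = round(score(indicator, now), 1)
        hits.append({"src": m["src"], "indicator": target, "score": s,
                     "disposition": "alert" if s >= threshold else "lead"})
    return hits


def run_hunt():
    return hunt(LOGS, FEED)
```

The decay keeps an old, never-refreshed indicator from paging the SOC while still surfacing the source host as a lead, which is the “right balance between automation” trade-off raised on the problems slide.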

Page 21: Demystifying Threat Intelligence Final ReBIT


Example - Network Threat Hunting

Diagram components: Verizon Cyber Intel Database; VTRAC/RISK Labs; Security Customer; NetFor / IPA Appliance; Customer Internet connectivity (all comms. over IPSEC VPN)

1. External View (Optional):
• Netflow capture
• Requires signed Customer IP Schedule

2. Internal View:
• Deep packet inspection
• Netflow generation
• Intel fusion
• Network recon
• Secure remote access

3.
• Data resides on premises
• Verizon owns appliance
• No direct customer access permitted

Connection Sources:
• US, Europe
• No contractors
• Fully Background Checked Resources

Page 22: Demystifying Threat Intelligence Final ReBIT


Being Proactive Vs. Reactive

Proactive:
• Actively looking for unusual behavior
• Relies on Threat Intelligence
• Finding Normal Vs Evil
• Police Surveillance Approach

Reactive:
• Incident investigation post notification
• Relies on Indicator of Compromise
• Threat/Vendor Information
• Fire Fighting Approach

Page 23: Demystifying Threat Intelligence Final ReBIT


Learn from Actual Cyber Investigations

2017 DBIR

An in-depth analysis of cybersecurity.

DBIR executive summary

All the key findings from the 2017 DBIR, with insight and guidance tailored to executives.

Data Breach Digest

Real cases from the frontline of cybersecurity that reveal what really happens when an organization is breached.

http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/

http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/

Page 24: Demystifying Threat Intelligence Final ReBIT


Thank you