TRANSCRIPT
ReBIT Webinar – 23 Jan 2018
Ashish Thapar & Roy Porter
Demystifying Threat Intelligence: Finding the Secret Squirrel using Threat Intel
Ashish Thapar | Managing Principal, APJ | Investigative Response
VTRAC (Verizon Threat Research Advisory Center)
Roy Porter | Consultant | Threat Research
VTRAC
Agenda
• Cyber Threats and Dwell Time
• Cyber Threat Intelligence
• Lifecycle of Threat Intel
• Diamond Model
• Challenges and Maturity Cycle
• Threat Intel Platform and Automation
• Threat Hunting
• Final Wrap-up
Cyber Threat Landscape
State-Sponsored Attacks – National Security
Business Data – Intellectual Property / Customer Data
Individual Data – PII
• New breaches happen every day
• New indicators of compromise are released every day
• New vulnerabilities are disclosed every day
• Advanced Persistent Threats / Zero-Day Threats
• It is no longer a question of if, but when
The Ever-Increasing Dwell Time
What are We Currently Trying to Do?
None or insufficient preventive and detective mechanisms – waiting to get punched
Image Source: https://manila.com
What are We Currently Trying to Do?
Or have sufficient controls and skills – to defend it!
Image Source: https://i.pinimg.com
What are We Currently Trying to Do?
Or should we build preventive, detective, responsive and proactive controls – to dodge it completely!
Image Source: https://www.expertboxing.com
Cyber Threat Intelligence
What is Intelligence?
Intelligence is regularly defined as information that can be acted upon to change outcomes.
What is Cyber Threat Intelligence?
Knowledge about adversaries and their tactics, tools and procedures, collected, analyzed and shared in ways that help concerned personnel at all levels provide and implement adequate protection for an organization's crown jewels.
In simple terms, cyber threat intelligence can be defined as moving from 'unknown unknowns' to 'known knowns'. This is achieved by discovering the existence of threats, then understanding and mitigating them.
[Diagram] Unknown Unknowns → Known Unknowns → Known Knowns, with Intelligence driving each step.
Threat Intelligence Categories
Strategic
• High level information to be consumed by Senior Leadership for long term business goals
• Non Technical and translates cyber risks into business risks (financial risk & impact)
Tactical
• Consumed by security team (incident responders, SOC, etc.) for day-to-day threat management
• Details of Tactics, Techniques, and Procedures of the adversaries
Operational
• Consumed by senior security staff members such as security managers or heads of incident response
• Provides details of latest threats, vulnerabilities and associated warnings
Sources of Threat Intelligence
• Commercial Feeds
• Open Source Intelligence
• Digital Forensics & Incident Response
• Malware Reverse Engineering
• IDS/IPS Alerts
• SIEM Alerts
• Threat Hunting
• Endpoint Detection & Response
• DarkNet/DarkWeb
• CERT Alerts
• Penetration Testing Results
• Information Sharing & Analysis Center
Threat Intelligence Lifecycle
Requirement & Planning → Collection & Processing → Analysis & Production → Evaluation & Dissemination → Review
(Automation applies across the whole cycle)
Diamond Model
• Adversary: hackers from identified locations/countries
• Infrastructure: C&C servers and related infrastructure
• Victim: banks, payment providers and the retail industry; more than 50 banks and 5 payment systems compromised
• Capabilities: spear-phishing emails, drive-by downloads, watering-hole techniques, zero-day malicious software
Problems for Security Analysts
• Are these threat feeds relevant to my organization?
• Are these significant threats?
• How can collected data be better analyzed and incidents correlated to campaigns?
• How do we share and exchange intelligence?
• Aggregating data from many different sources (OSINT, commercial, community, customers, and foreground sources such as incident response, malware analysis, research, etc.)
• Combining cyber threat intelligence collected from external sources with internal data
• Managing all the collected information for better analysis
• Striking the right balance of automation to detect and prevent threats
Threat Intel Program Maturity
Level 0
• Establish and centralize log collection
• Periodically correlate open source threat data with logs
• Utilize an open source threat intelligence platform (TIP)
Level 1
• Utilize one or more premium (fee-based) threat feeds
• Integrate threat data into SIEM and security devices
Level 2
• Adopt a threat model (STIX, VERIS, etc.)
• Introduce automation at the collection levels of the lifecycle
• Use a more robust TIP
Level 3
• Begin producing intel instead of just consuming it
• Improve sharing between internal security functions
Level 4
• Enhance automation wherever possible
• Develop a proactive threat hunting program
• Increase participation in sharing communities
Cyber Threat Intelligence Team
Manager
Analysts*
Engineers
Operations Team
Quality Assurance
*In addition to core security skills, emphasis on analyst skills should include analytical research, critical thinking, and an understanding of how sociological and psychological aspects drive human behavior.
Automated Threat Intelligence
• Problem: Manual collection and analysis of collected threat data can take days, weeks, or even months – attacks are measured in seconds
• Solution: Identification of malicious activity patterns, through a combination of Machine Learning and Deep Learning
• Requires: Big data sets derived from analyzing malware, network traffic, event logs, etc.
• Outputs: Risk and confidence scoring of indicators; anomaly based threat detection based on network behaviors; proactive rule creation with automated dissemination to security devices
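As an added illustration (not code from the webinar or from VTRAC), the Python below performs the Level 0/1 maturity step of correlating open source threat data with logs and attaches the kind of risk/confidence score the automated-intelligence bullets describe: the reporting source's confidence is discounted by indicator age and weighted by how often the indicator was seen. The feed entries, hostnames, log lines and scoring weights are all constructed assumptions.

```python
import re
from datetime import date, datetime

# Constructed indicator feed (not real indicators): source, its confidence (0-100), date last seen active.
FEED = [
    {"value": "updates-cdn.example", "source": "otx-sample", "confidence": 70, "last_seen": "2018-01-20"},
    {"value": "203.0.113.45", "source": "blocklist-sample", "confidence": 50, "last_seen": "2017-10-01"},
    {"value": "login-portal.example", "source": "phish-sample", "confidence": 90, "last_seen": "2018-01-22"},
]

# Constructed proxy log lines: timestamp, client IP, destination host, destination IP, action.
PROXY_LOGS = """\
2018-01-23T09:14:02Z 10.1.4.22 updates-cdn.example 198.51.100.7 ALLOWED
2018-01-23T09:14:09Z 10.1.4.22 updates-cdn.example 198.51.100.7 ALLOWED
2018-01-23T09:15:41Z 10.1.7.8 intranet.corp.local 10.1.0.5 ALLOWED
2018-01-23T09:16:03Z 10.1.4.22 203.0.113.45 203.0.113.45 ALLOWED
2018-01-23T11:02:55Z 10.1.9.31 login-portal.example 192.0.2.66 ALLOWED
"""
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+)$")

def parse_proxy_logs(text):
    # Parse raw proxy lines into dicts; malformed lines are skipped instead of aborting the run.
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, client, host, dst_ip, action = m.groups()
            events.append({"ts": ts, "client": client, "host": host, "dst_ip": dst_ip, "action": action})
    return events

def age_weight(last_seen, today):
    """Assumed decay: full weight within 30 days of the last sighting, half within 90, a quarter beyond."""
    age_days = (today - datetime.strptime(last_seen, "%Y-%m-%d").date()).days
    return 100 if age_days <= 30 else 50 if age_days <= 90 else 25

def score_matches(events, feed, today):
    """Match events against the feed on host or destination IP. risk = confidence * age weight *
    (9 + hits) // 1000: one fresh hit scores the source confidence, each extra hit adds 10%."""
    alerts = {}
    for ev in events:
        for ioc in feed:
            if ioc["value"] in (ev["host"], ev["dst_ip"]):
                a = alerts.setdefault(ioc["value"], {"indicator": ioc["value"], "source": ioc["source"],
                                                     "clients": set(), "hits": 0, "risk": 0})
                a["clients"].add(ev["client"])
                a["hits"] += 1
                a["risk"] = ioc["confidence"] * age_weight(ioc["last_seen"], today) * (9 + a["hits"]) // 1000
    return sorted(alerts.values(), key=lambda a: a["risk"], reverse=True)

def run_sample():
    # Score the constructed logs as of the webinar date; returns alerts ordered by descending risk.
    return score_matches(parse_proxy_logs(PROXY_LOGS), FEED, date(2018, 1, 23))
```

The stale blocklist hit lands at the bottom of the queue while the fresh phishing-feed hit lands on top, which is the prioritization a TIP automates at scale.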
Case Studies
Value of Threat Intelligence
• 78% – Essential to a strong security posture
• 77% – Valuable to the security mission
• 81%
• 61% – Integrated intel leads to faster analysis
Aspects Used
• 54% – Utilize a TIP or will within 12 months
• 39% – Subscribe to premium (paid) feeds
• 10 – Average number of feeds used
• 56% – Don't use standardized sharing protocols
Challenges
• 70% – Intelligence is too voluminous/complex
• 27% – Utilize threat intelligence VERY effectively
• 44% – Difficult to prioritize without a TIP
• 66% – Integration was difficult
Security leaders benefit the most
Source: 2016 Ponemon Institute
Open Source Options
Feed aggregation, enforcement and sharing application:
• Minemeld – https://www.paloaltonetworks.com/products/secure-the-network/subscriptions/minemeld
OSINT feeds:
• AlienVault OTX – https://www.alienvault.com/open-threat-exchange
• Bambenek Consulting – http://osint.bambenekconsulting.com/feeds/
• DShield – https://secure.dshield.org/xml.html
• Emerging Threats – https://rules.emergingthreats.net/
• blocklist.de – http://www.blocklist.de/en/index.html
• Malware Domain List – https://www.malwaredomainlist.com/
• OpenPhish – https://openphish.com/
• Ransomware Tracker – https://ransomwaretracker.abuse.ch/
• sslbl.abuse.ch – https://sslbl.abuse.ch/
• ZeuS Tracker – https://zeustracker.abuse.ch/
• Feodo Tracker – https://feodotracker.abuse.ch/
Threat Hunting
• Threat hunting refers to proactively and iteratively searching through networks and datasets to detect threats that evade existing automated tools.
• Threat hunting is an iterative process and should be carried out on an ongoing basis to look for adversaries hidden in the network or in vast data sets.
• It typically requires a mix of technology, automation, assimilation, use case formulation, and heavy contextualization and customization for the organization.
• Threat hunting answers the What, Why, When and Where.
Types of Threat Hunting
Data Driven Hunting
• Log-based hunting to find normal vs. abnormal
• Analysis of various sources of logs such as netflow, proxy, DNS, etc.
Entity Driven Hunting
• Network-based hunting to find abnormal behavior
• Sometimes limited hunting on crown-jewel infrastructure to find crucial intellectual property
Intelligence Driven Hunting
• Hunting based on static threat indicators
• Threat indicator and intelligence based threat hunting
Endpoint Driven Hunting
• Abnormal behavior identification on endpoints
• Achieved via deployment of Endpoint Detection and Response (EDR) agents
TTP Driven Hunting
• Hunting based on Tactics, Techniques and Procedures
• Hunting based on indicators of compromise
Hybrid Threat Hunting
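As an added example (not code from the webinar or from VTRAC), the Python below implements the data-driven "normal vs. abnormal" hunt over constructed netflow-style records: flows are grouped per source, destination and port, and pairs whose inter-connection gaps are unusually regular are surfaced as beaconing candidates for an analyst to triage. The record format, the thresholds and every address are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Constructed netflow-style records (not real traffic): timestamp, src IP, dst IP, dst port, bytes.
# 10.1.4.22 contacts one host every ~5 minutes with near-identical sizes; 10.1.7.8 browses normally.
FLOWS = """\
2018-01-23T08:00:00Z 10.1.4.22 192.0.2.10 443 512
2018-01-23T08:05:01Z 10.1.4.22 192.0.2.10 443 498
2018-01-23T08:10:00Z 10.1.4.22 192.0.2.10 443 505
2018-01-23T08:14:59Z 10.1.4.22 192.0.2.10 443 511
2018-01-23T08:20:00Z 10.1.4.22 192.0.2.10 443 500
2018-01-23T08:01:12Z 10.1.7.8 192.0.2.80 443 10240
2018-01-23T08:09:47Z 10.1.7.8 192.0.2.80 443 88311
2018-01-23T08:31:05Z 10.1.7.8 192.0.2.80 443 2040
2018-01-23T09:02:30Z 10.1.7.8 192.0.2.80 443 51000
"""

def parse_flows(text):
    """Parse one record per line into (src, dst, port, timestamp, bytes); malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        flows.append((parts[1], parts[2], int(parts[3]), ts, int(parts[4])))
    return flows

def find_beacons(flows, min_flows=4, max_jitter=0.10):
    """Per (src, dst, port), sort by time and compute the coefficient of variation (stdev / mean) of the
    gaps between connections; low variation over enough flows is a candidate, not a verdict."""
    groups = defaultdict(list)
    for src, dst, port, ts, size in flows:
        groups[(src, dst, port)].append((ts, size))
    candidates = []
    for (src, dst, port), items in groups.items():
        if len(items) < min_flows:
            continue
        items.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(items, items[1:])]
        sizes = [s for _, s in items]
        mean_gap = sum(gaps) / len(gaps)
        gap_cv = pstdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        size_cv = pstdev(sizes) / (sum(sizes) / len(sizes))  # uniform sizes strengthen the hypothesis
        if gap_cv <= max_jitter:
            candidates.append({"src": src, "dst": dst, "port": port, "count": len(items),
                               "interval_s": round(mean_gap, 1), "gap_cv": round(gap_cv, 4),
                               "size_cv": round(size_cv, 4)})
    return sorted(candidates, key=lambda c: c["gap_cv"])
```

Legitimate software updaters and monitoring agents beacon too, so the output is a hunting lead to be enriched with the intelligence-driven and endpoint-driven views above before anything is declared an incident.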
Example - Network Threat Hunting
[Diagram: example network threat hunting deployment]
Verizon Cyber Intel Database – VTRAC/RISK Labs
Security Customer – NetFor / IPA Appliance
Customer Internet connectivity (all communications over IPSEC VPN)
1. External View (optional):
• Netflow capture
• Requires signed Customer IP Schedule
2. Internal View:
• Deep packet inspection
• Netflow generation
• Intel fusion
• Network recon
• Secure remote access
3.
• Data resides on premises
• Verizon owns the appliance
• No direct customer access permitted
Connection Sources:
• US, Europe
• No contractors
• Fully background-checked resources
Being Proactive vs. Reactive
Proactive                                 | Reactive
Actively looking for unusual behavior     | Incident investigation post notification
Relies on Threat Intelligence             | Relies on Indicators of Compromise
Finding Normal vs. Evil                   | Threat/Vendor Information
Police Surveillance Approach              | Fire Fighting Approach
Learn from Actual Cyber Investigations
2017 DBIR
An in-depth analysis of cybersecurity.
DBIR executive summary
All the key findings from the 2017 DBIR, with insight and guidance tailored to executives.
Data Breach Digest
Real cases from the frontline of cybersecurity that reveal what really happens when an organization is breached.
http://www.verizonenterprise.com/verizon-insights-lab/dbir/2017/
http://www.verizonenterprise.com/verizon-insights-lab/data-breach-digest/2017/
Thank you