What Happens Before the Kill Chain
1 CONFIDENTIAL
Dan Hubbard, CTO, OpenDNS; Rick Holland, Principal Analyst, Forrester
Speakers
Dan Hubbard, CTO, OpenDNS
Rick Holland, Principal Analyst, Forrester
3 CONFIDENTIAL © 2015 Forrester Research, Inc. Reproduction Prohibited 3
Agenda
› The cyber kill chain
› Targeted Attack Hierarchy of Needs
› Making prevention work
@rickhholland
STRESS
Time to discover is pathetic
205 days to discover intrusions
Adversaries are on shopping sprees
With no time limits
New Incident Response Metric: Mean Time Before CEO Apologizes
We need bright ideas
Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains
Agenda
› The cyber kill chain
› Targeted Attack Hierarchy of Needs
› Making prevention work
@rickhholland
Targeted attack hierarchy of needs
Source: May 15, 2014, “Introducing Forrester's Targeted-Attack Hierarchy Of Needs, Part 1 Of 2” Forrester report
Why should we give up on prevention?
Why should you settle for detection and response?
Can you imagine incident volume without prevention?
Prevention is dead?
› Be wary of anyone claiming that prevention is dead
› Especially if all they sell are detection tools or services
› You should lead with prevention and fall back to detection and response
Be suspicious
Agenda
› The cyber kill chain
› Targeted Attack Hierarchy of Needs
› Making prevention work
@rickhholland
Don’t wait for reconnaissance
Reconnaissance
Weaponization
Delivery
Exploitation
Installation
Command & Control
Action on objectives
Source: http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster
Napoleon: “An army marches on its stomach”
Attacks against your org rely upon infrastructure
Block enemy infrastructure
› The best way to get time to containment down is to reduce the overall number of security incidents
› Free up your limited resources to focus more on detection and response
› You can disrupt the adversary by blocking its ability to target you
› The military puts the kill in the kill chain; leave hacking back to the government
The Diamond Model of Intrusion Analysis
Source: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf
Infrastructure that the adversary could reuse
› Domain names
› IP addresses
› Command and Control structure
› Internet Service Providers
› Domain registrars
› Web-mail providers
Lenny Zeltser: Report Template for Threat Intelligence and Incident Response
Source: https://zeltser.com/cyber-threat-intel-and-ir-report-template/
Domain registration OPSEC fail
› Careful observation of DNS registrant contact information history has revealed an OPSEC failure by the attackers in one instance.
› For a brief period (possibly before the server was operational), WHOIS privacy was inactive, pointing at a real identity of the registrant.
› This e-mail address leads to social media accounts that show public and clear affinity with Lebanese political activism.
Forrester definition: Predictive analytics
› “Software and/or hardware solutions that allow firms to discover, evaluate, optimize, and deploy predictive models by analyzing big data sources to improve business performance or mitigate risk.”
Predictive security analytics
› Uses Big Data analysis techniques to anticipate future attacker activity based on historical activity
› Leverages machine learning, statistical analysis, and visualization
› Unless you have data science skills, navigating vendor marketing can be challenging
› Ask vendors to provide use cases
OpenDNS Research: applied research, thought leadership, response, and customer / prospect engagements
Our Perspective: Diverse Set of Data & Global Internet Visibility
› 70B requests per day
› 160+ countries
› 65M daily active users
› 10K enterprise customers
Our view of the Internet providing visibility into global Internet activity (e.g. BGP, AS, DNS)
How it works
› Ingest millions of data points per second
› Apply statistical models and human intelligence
› Identify probable malicious sites
How we develop our statistical models…
3D visualization, data mining, and security research expertise
Investigate: a single, correlated source of information
Types of threat information provided:
WHOIS record data
ASN attribution
IP geolocation
IP reputation scores
Domain reputation scores
Domain co-occurrences
Anomaly detection (DGAs, FFNs)
DNS request patterns/geo. distribution
Passive DNS database
Predictive Intelligence: inference, knowledge, learning
Applied across the Pre-Compromise, Compromise, and Post-Compromise phases
Predictive Intelligence: inference, knowledge, learning
Mapped onto the kill chain: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C & C, Actions & Objectives
Before the Kill Chain
Plan, Build, Test / Iterate come before Reconnaissance, Weaponization, Delivery
Predictive Intelligence
Plan, Build, Test / Iterate
• Where will we host the infrastructure?
• How will it be fault tolerant?
• What domain / IP / Networks will I utilize?
• How will the backend scale? Reporting? Uptime?
• Private and public announcement and advertising?
• Testing and iteration of the solution
We see where attacks are staged
Examples
Malaysia Airlines DNS Hijack January 25, 2015
Malicious ASN/IP identified: owned by Lizard Squad, who hacked the PS3 and Xbox networks in December 2014
OpenDNS recognized the domain hijacking on Jan 25th and blocked the DNS request, and hence any subsequent attack
WHOIS: BEDEP Example
WHOIS: Visualization of Inferences
WHOIS Registration date after first seen!
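The two WHOIS-driven checks shown on the preceding slides, the registrant OPSEC fail (a real address leaking through a lapse in WHOIS privacy) and a registration date that is later than the domain's passive-DNS first-seen timestamp, as an added example in Python. This is not OpenDNS Investigate code; every record below is constructed, and the domains, e-mail addresses, privacy-proxy address and dates are invented. The reading of "registration after first seen" as "infected hosts were already querying the name before the operator registered it" is the usual DGA interpretation and is an assumption here, not something the slide states.

```python
"""Two WHOIS / passive-DNS pivots: shared registrant e-mail, and creation
date later than first-seen. Added example with constructed data."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


def day(text):
    """Parse a YYYY-MM-DD date string."""
    return datetime.strptime(text, "%Y-%m-%d")


@dataclass(frozen=True)
class WhoisSnapshot:
    domain: str
    observed: datetime        # when this copy of the WHOIS record was captured
    created: datetime         # registry creation date carried in the record
    registrant_email: str     # privacy-proxy address, or the real one when privacy lapsed


# Constructed WHOIS history (invented names). The operator uses a privacy proxy,
# except for a short window on two domains where a personal webmail address shows.
WHOIS_HISTORY = [
    WhoisSnapshot("stage1.example", day("2014-11-01"), day("2014-11-01"), "op.handle@webmail.example"),
    WhoisSnapshot("stage1.example", day("2014-11-03"), day("2014-11-01"), "privacy@proxy-whois.example"),
    WhoisSnapshot("stage2.example", day("2015-01-09"), day("2015-01-09"), "op.handle@webmail.example"),
    WhoisSnapshot("stage2.example", day("2015-01-10"), day("2015-01-09"), "privacy@proxy-whois.example"),
    WhoisSnapshot("shop.example", day("2015-02-01"), day("2013-05-05"), "privacy@proxy-whois.example"),
    WhoisSnapshot("xk3qpd9vmz.example", day("2015-03-03"), day("2015-03-02"), "privacy@proxy-whois.example"),
]

# Constructed passive-DNS first-seen timestamps: first time a resolver saw a query for the name.
PDNS_FIRST_SEEN = {
    "stage1.example": day("2014-11-02"),
    "stage2.example": day("2015-01-10"),
    "shop.example": day("2013-06-01"),
    "xk3qpd9vmz.example": day("2015-02-20"),   # queried 10 days before it was registered
}

# Privacy-service addresses sit on thousands of unrelated domains, so they are
# excluded from the pivot (assumed list; in practice maintained from observation).
PRIVACY_PROXIES = {"privacy@proxy-whois.example"}


def pivot_on_registrant(history, privacy_proxies=PRIVACY_PROXIES):
    """Map each non-proxy registrant e-mail to every domain it has ever appeared on,
    and keep only addresses that tie two or more domains together."""
    by_email = defaultdict(set)
    for snap in history:
        if snap.registrant_email not in privacy_proxies:
            by_email[snap.registrant_email].add(snap.domain)
    return {email: domains for email, domains in by_email.items() if len(domains) >= 2}


def registered_after_first_seen(history, first_seen):
    """Domains whose earliest WHOIS creation date is later than passive DNS first saw them."""
    earliest_created = {}
    for snap in history:
        prev = earliest_created.get(snap.domain, snap.created)
        earliest_created[snap.domain] = min(prev, snap.created)
    return sorted(d for d, created in earliest_created.items()
                  if d in first_seen and created > first_seen[d])


if __name__ == "__main__":
    for email, domains in pivot_on_registrant(WHOIS_HISTORY).items():
        print(f"OPSEC pivot: {email} links {sorted(domains)}")
    for domain in registered_after_first_seen(WHOIS_HISTORY, PDNS_FIRST_SEEN):
        print(f"Registration date after first seen: {domain}")
```

Both functions work on a flat list of snapshots, so the same code runs over a bulk WHOIS-history export; the only tuning point is the proxy-address list, since a shared proxy address is the one "link" that proves nothing.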
Anomaly Detection: Identify DGAs
Domain Generation Algorithms: a technique for generating malware domains on the fly
yfrscsddkkdl.com
qgmcgoqeasgommee.org
iyyxtyxdeypk.com
diiqngijkpop.ru
› Does the probability distribution of letters appear random?
› N-gram analysis: do letter pairings match normal language patterns?
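The two lexical tests the slide names, applied to the four sample domains above, as an added example in Python. This is not OpenDNS's production model: the benign training corpus is a small constructed stand-in for a list of known-good domains, and the minimum label length and both thresholds are illustrative assumptions that would be tuned on labelled data. The entropy test alone is weak on labels this short (real words like "securityresearch" score higher than some DGA output), which is why the bigram test carries the decision.

```python
"""Lexical DGA tests: letter-distribution entropy and character-bigram
likelihood against a benign corpus. Added example with assumed thresholds."""
import math
from collections import Counter

# Constructed stand-in for a corpus of benign second-level labels.
BENIGN_LABELS = [
    "google", "facebook", "wikipedia", "amazon", "microsoft", "netflix",
    "twitter", "linkedin", "forrester", "opendns", "lockheedmartin",
    "research", "security", "network", "online", "service", "mail", "news",
    "cloud", "store", "bank", "login", "update", "support", "download",
]

ALPHABET = set("abcdefghijklmnopqrstuvwxyz0123456789-^$")  # ^ and $ mark label edges


def second_level_label(domain):
    """'www.yfrscsddkkdl.com' -> 'yfrscsddkkdl' (the label left of the TLD)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def letter_entropy(label):
    """Shannon entropy of the letter distribution, in bits per character."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def train_bigram_model(labels):
    """Return log_freq(a, b): add-one-smoothed log frequency of the pair (a, b)
    across the corpus, so pairs never seen in benign names get the floor value."""
    counts = Counter()
    for label in labels:
        padded = "^" + label + "$"
        counts.update(zip(padded, padded[1:]))
    total = sum(counts.values())
    vocab = len(ALPHABET) ** 2

    def log_freq(a, b):
        return math.log((counts[(a, b)] + 1) / (total + vocab))

    return log_freq


BIGRAM_LOG_FREQ = train_bigram_model(BENIGN_LABELS)


def bigram_score(label):
    """Mean bigram log-frequency; lower means the letter pairings look less like benign names."""
    padded = "^" + label + "$"
    pairs = list(zip(padded, padded[1:]))
    return sum(BIGRAM_LOG_FREQ(a, b) for a, b in pairs) / len(pairs)


# Illustrative cut-offs (assumptions; tune on labelled data before use).
MIN_LABEL_LENGTH = 8      # shorter labels carry too little signal for either test
ENTROPY_THRESHOLD = 2.5   # bits/char; real words repeat letters more than random strings
BIGRAM_THRESHOLD = -6.9   # mean log-frequency; mostly-unseen pairs pull this down


def dga_features(domain):
    label = second_level_label(domain)
    return {"label": label, "entropy": letter_entropy(label), "bigram": bigram_score(label)}


def looks_like_dga(domain):
    """True only when both tests point to a machine-generated label."""
    f = dga_features(domain)
    if len(f["label"]) < MIN_LABEL_LENGTH:
        return False
    return f["entropy"] > ENTROPY_THRESHOLD and f["bigram"] < BIGRAM_THRESHOLD


if __name__ == "__main__":
    samples = ["yfrscsddkkdl.com", "qgmcgoqeasgommee.org", "iyyxtyxdeypk.com",
               "diiqngijkpop.ru", "forrester.com", "opendns.com", "securityresearch.net"]
    for domain in samples:
        f = dga_features(domain)
        print(f"{domain:22} entropy={f['entropy']:.2f} bigram={f['bigram']:.2f} dga={looks_like_dga(domain)}")
```

Lexical tests like these catch random-looking DGAs but not dictionary-word DGAs, which is why the slides pair them with the passive-DNS signals listed earlier (co-occurrence, request patterns, registration timing) rather than relying on the name alone.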
DGA Example: Gameover
Min: May 30: Plan, Build, Test, Iterate
Conclusion
§ Do not give up on prevention and shift *all* resources to detection
§ Analyze your security posture for predictive elements
§ Utilize hunting and analytic tools to increase security efficacy
§ Explore security analytics to identify and map attacker infrastructure before the kill chain
Start a 14-Day Trial signup.opendns.com/freetrial
Questions?