INTELLIGENCE INTELLIGENCE (Uber)
IMT 553 - FINAL PROJECT
Presented by:
Divya Kothari
Karthik Krishnamurthy
Nausheen Jawed
Navin Hegde
Sandeep Bhat
(For educational purposes only)
SOURCES OF THREATS/RISKS
1. People
2. Process
3. External events
4. Technology
From an Information Assurance perspective, we chose to concentrate on technology-related risks.
Scope: Since Uber is driven through the network, the scope of our project is Network Security.
CRITICAL ASSETS
1. Software - Uber Application
2. Database server
3. Public facing servers
4. Internal servers
5. Directory (Access Management System)
6. Customer base
Observable Types
According to Kaspersky, the two main sources of threat penetration are:
- Internet
In this context, the observable types we chose are:
1. IP address
2. Domain names
3. Email and email artifacts
IP Address - Desired State
1. Prevent access to dangerous hosts
2. Prevent dangerous hosts from accessing external facing systems
Integrating IP Address in a Risk Management Program
Risk:
1. Unauthorized access to confidential company information
2. Unauthorized access to customer database
3. Systems unavailability
Major Risk Driver:
Compromise of network security
Methods for IP compromise:
1. Eavesdropping
2. IP Spoofing
3. Data Modification
4. Man in the middle attack
Mitigation Plan:
IP Blacklisting
IP Address - Validating Sources
Factors used to validate the source:
1. No. of entries in the source
2. Diversity in the Geo-location of the IP address
3. False positive (to verify integrity of sources)
IP Address - Validating Sources
Step 1: Take three IP address sources
Step 2: Count the number of entries in each source
Step 3: By random sampling, we chose 5% of IPs from each list
Step 4: Find the geo-location of the chosen IPs using mxtoolbox
Step 5: Group the geo-location of the IPs by continent
Step 6: Check for false positives among the samples chosen
Step 7: Assign a weighted score to the factors that have been used to validate the source
Step 8: Give a relative total score to each source based on the weight of the metrics
IP Address - Demo
IP Address - Demo Result
Metrics (weight)               Source 1           Source 2           Source 3
                               Score  Weighted    Score  Weighted    Score  Weighted
No of entries (0.5)            3      1.5         2      1.0         1      0.5
Diversity (geolocation) (0.3)  3      0.9         2      0.6         1      0.3
False positive (0.2)           2      0.4         2      0.4         2      0.4
Total score                           2.8                2.0                1.2
(Weighted = Score * weight; Total score = sum of the weighted scores.)
Domain Names - Desired State
1. Prevent access to malicious domains
2. Prevent spam emails originating from malicious domains
3. Prevent emails that have phishing links
Integrating Domain Names in a Risk Management Program
Risk:
1. Unauthorized access to confidential company information
2. Unauthorized access to customer database
3. Systems unavailability
Risk Drivers:
1. Inbound compromise - could be through phishing emails sent from malicious domains.
2. Outbound - could occur through employees trying to access these domains.
Mitigation Plan: Domain Name Blacklisting
Domain Names - Validating Sources
Factors used to validate the source:
1. No of entries in the source
2. False positive (to verify integrity of sources)
Domain Names: Validating Sources
Step 1: Take three domain name sources
Step 2: Count the number of entries in each source
Step 3: By random sampling, we chose 5% of domain names from each list
Step 4: Check the validity of the domain names using mxtoolbox
Step 5: Assign a weighted score to the factors that have been used to validate the source
Step 6: Give a relative total score to each source based on the weight of the metrics
Domain names - Sample Toolbox
Domain Names - Demo Result
Metrics (weight)               Source 1           Source 2           Source 3
                               Score  Weighted    Score  Weighted    Score  Weighted
No of entries (0.6)            2      1.2         3      1.8         1      0.6
False positive (0.4)           2      0.8         1      0.4         3      1.2
Total score                           2.0                2.2                1.8
(Weighted = Score * weight; Total score = sum of the weighted scores.)
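The eight-step IP procedure and the six-step domain procedure share one scoring mechanism: count the entries, sample 5%, measure each factor on the sample, rank the sources against each other, multiply rank by weight and sum. The script below is an added example (Python, not part of this deck) that implements that mechanism for both demo tables. It assumes constructed feeds of TEST-NET addresses in place of the real feeds from the appendix, a made-up continent lookup in place of the mxtoolbox geo step, a made-up allowlist for the false-positive check, and a ranking convention of our own in which the best source on a factor scores 3, each strictly better competitor costs one point, and ties share a score.

```python
import random
from typing import Callable, Dict, List, Optional, Sequence

SAMPLE_PERCENT = 5  # step 3 of the deck: a 5% random sample from each list

# Constructed stand-in feeds using TEST-NET ranges; the deck's real feeds are
# listed in its appendix. Three sizes give the entries factor something to rank.
SOURCES: Dict[str, List[str]] = {
    "Source 1": [f"198.51.100.{i}" for i in range(1, 61)],  # 60 entries
    "Source 2": [f"203.0.113.{i}" for i in range(1, 41)],   # 40 entries
    "Source 3": [f"192.0.2.{i}" for i in range(1, 21)],     # 20 entries
}

# Factor weights as used in the deck's two demos.
IP_WEIGHTS = {"entries": 0.5, "diversity": 0.3, "false_positive": 0.2}
DOMAIN_WEIGHTS = {"entries": 0.6, "false_positive": 0.4}

CONTINENTS = ["North America", "Europe", "Asia", "South America"]


def continent_of(ip: str) -> str:
    """Constructed geo lookup standing in for the mxtoolbox step (assumption)."""
    net, last = ip.rsplit(".", 1)
    octet = int(last)
    if net == "198.51.100":
        return CONTINENTS[octet % 4]
    if net == "203.0.113":
        return CONTINENTS[octet % 2]
    return CONTINENTS[0]


# Constructed allowlist: a sampled indicator found here counts as a false positive.
KNOWN_GOOD = {"203.0.113.2", "192.0.2.1"}


def is_false_positive(indicator: str) -> bool:
    return indicator in KNOWN_GOOD


def relative_scores(values: Dict[str, float], higher_is_better: bool) -> Dict[str, int]:
    """Steps 7-8 on one factor: best value gets N (number of sources), each
    strictly better competitor costs one point, ties share a score (our convention)."""
    n = len(values)
    scores = {}
    for name, v in values.items():
        better = sum(1 for w in values.values() if (w > v if higher_is_better else w < v))
        scores[name] = n - better
    return scores


def evaluate_sources(sources: Dict[str, List[str]], weights: Dict[str, float],
                     sample_fn: Optional[Callable[[Sequence[str], int], Sequence[str]]] = None,
                     seed: Optional[int] = None) -> Dict[str, dict]:
    """Steps 2-8: count, sample, measure each weighted factor, rank, weight, total."""
    if sample_fn is None:
        sample_fn = random.Random(seed).sample
    measured: Dict[str, Dict[str, float]] = {}
    for name, entries in sources.items():
        k = max(1, (len(entries) * SAMPLE_PERCENT + 99) // 100)  # ceil(5% of the list)
        sample = sample_fn(entries, k)
        row = {"entries": len(entries)}
        if "diversity" in weights:  # distinct continents seen in the sample
            row["diversity"] = len({continent_of(i) for i in sample})
        if "false_positive" in weights:  # share of the sample that is known good
            row["false_positive"] = sum(is_false_positive(i) for i in sample) / k
        measured[name] = row
    # More entries and more continents are better; a lower false-positive rate is better.
    ranked = {
        factor: relative_scores({n: measured[n][factor] for n in sources},
                                higher_is_better=(factor != "false_positive"))
        for factor in weights
    }
    report = {}
    for name in sources:
        scores = {factor: ranked[factor][name] for factor in weights}
        report[name] = {
            "measured": measured[name],
            "scores": scores,
            "total": round(sum(scores[f] * weights[f] for f in weights), 2),
        }
    return report


def best_source(report: Dict[str, dict]) -> str:
    return max(report, key=lambda name: report[name]["total"])


if __name__ == "__main__":
    report = evaluate_sources(SOURCES, IP_WEIGHTS, seed=2016)
    for name, row in report.items():
        print(name, row["measured"], row["scores"], "total =", row["total"])
    print("highest scoring source:", best_source(report))
```

Passing `DOMAIN_WEIGHTS` instead of `IP_WEIGHTS` drops the geo step and reproduces the two-factor domain scoring. Because the sample is random, two runs with different seeds can rank the same feeds differently when the sample is as small as one or two entries (the 20-entry feed samples a single indicator), which is the "random sampling" limitation the deck itself names; the `sample_fn` hook exists so that a fixed or larger sample can be substituted when comparing runs.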
Email artifacts - Desired State
1. Prevent emails that have phishing links (move to spam)
2. Prevent emails with malicious attachments
Email Artifacts - Validating Sources
It's helpful to validate as many aspects of the email address as possible:
- the syntax
- the email against a list of bad email addresses
- the domain against a list of bad domains
- the domain against a list of mailbox domains
- whether or not the domain exists
- whether there are MX records for the domain
- and finally, through SMTP, whether or not a mailbox exists
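The checklist above, run in that order, as an added example in Python (not code from this deck). The bad-address list, bad-domain list, mailbox-provider list, DNS table and mailbox probe are constructed stand-ins so that the script runs offline; `live_domain_exists` shows the socket-based check that would replace the DNS stub, and a live MX lookup or SMTP probe would be passed in the same way. The "list of mailbox domains" item is interpreted here as a list of free-mailbox providers that adds a note rather than a rejection, which is an assumption about the slide's intent.

```python
import re
import socket
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Deliberately simple syntax rule (local@dotted-domain). RFC 5322 allows far more,
# but this rejects obviously malformed input before any lookup is spent on it.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

# Constructed lists; a deployment would load these from feeds like those in the appendix.
BAD_ADDRESSES = {"bogus@bad-sender.example"}
BAD_DOMAINS = {"malicious.example"}
MAILBOX_PROVIDERS = {"gmail.com", "outlook.com"}  # free-mailbox domains

# Constructed offline DNS stand-in: domain -> its MX hosts ([] = exists but no MX).
FAKE_DNS: Dict[str, List[str]] = {
    "example.com": ["mx1.example.com"],
    "bad-sender.example": ["mx.bad-sender.example"],
    "malicious.example": ["mx.malicious.example"],
    "nomail.example": [],
    "gmail.com": ["gmail-smtp-in.l.google.com"],
}


def fake_domain_exists(domain: str) -> bool:
    return domain in FAKE_DNS


def fake_mx_records(domain: str) -> List[str]:
    return FAKE_DNS.get(domain, [])


def fake_mailbox_exists(mx_host: str, address: str) -> bool:
    """Stand-in for an SMTP mailbox probe: only 'alice' mailboxes exist in this toy world."""
    return address.startswith("alice@")


def live_domain_exists(domain: str) -> bool:
    """Network-backed alternative to the DNS stub: does the name resolve at all?"""
    try:
        socket.getaddrinfo(domain, None)
        return True
    except socket.gaierror:
        return False


@dataclass
class Verdict:
    address: str
    checks: Dict[str, bool] = field(default_factory=dict)  # check name -> passed
    notes: List[str] = field(default_factory=list)

    @property
    def accepted(self) -> bool:
        return all(self.checks.values())

    def failed(self) -> List[str]:
        return [name for name, ok in self.checks.items() if not ok]


def validate_email(address: str,
                   domain_exists: Callable[[str], bool],
                   mx_records: Callable[[str], List[str]],
                   mailbox_exists: Optional[Callable[[str, str], bool]] = None) -> Verdict:
    """Run the checks cheapest first; later lookups are skipped once an earlier
    result makes them meaningless (no domain -> no MX -> no mailbox probe)."""
    v = Verdict(address)
    v.checks["syntax"] = bool(EMAIL_RE.match(address))
    if not v.checks["syntax"]:
        return v
    domain = address.rsplit("@", 1)[1].lower()
    v.checks["not_listed_address"] = address.lower() not in BAD_ADDRESSES
    v.checks["not_listed_domain"] = domain not in BAD_DOMAINS
    if domain in MAILBOX_PROVIDERS:
        v.notes.append("free mailbox provider: judge reputation per address, not per domain")
    v.checks["domain_exists"] = domain_exists(domain)
    mx = mx_records(domain) if v.checks["domain_exists"] else []
    v.checks["has_mx"] = bool(mx)
    if mailbox_exists is not None and v.checks["has_mx"]:
        v.checks["mailbox_exists"] = mailbox_exists(mx[0], address)
    return v


if __name__ == "__main__":
    for addr in ["alice@example.com", "not an email", "bogus@bad-sender.example",
                 "bob@nomail.example", "eve@nonexistent.example"]:
        verdict = validate_email(addr, fake_domain_exists, fake_mx_records, fake_mailbox_exists)
        state = "accepted" if verdict.accepted else "rejected"
        print(addr, state, verdict.failed(), verdict.notes)
```

The mailbox probe is the weakest signal in the list: many mail servers answer every recipient query with success or refuse to answer at all, so its result should only ever lower confidence, never be the sole reason to accept an address. Running the list-based checks before any DNS work also keeps malformed or already-listed input from generating lookup traffic.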
Priority list of observable types
1. IP Address
2. Domain Names
3. Email and email artifacts
Limitations
1. Random Sampling
2. Not enough factors considered
3. Not taking subnets into IP consideration
Recommendations
1. Periodic assessment of effectiveness of sources
2. Intelligence framework should be complementary
3. Update sources based on newly identified threats
4. Employee awareness programs
5. Incident Response Team
APPENDIX
Following are the primary six cyber intelligence resources we used to test our methodology:
FOR DOMAIN NAME:
● http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
● https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
● http://malc0de.com/bl/BOOT
FOR IP ADDRESSES:
● http://www.blocklist.de/lists/apache.txt
● http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt
● http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt
BIBLIOGRAPHY
Content:
● Juzenaite, R. (5 August 2015). "The Most Hacker-Active Countries". InfoSec Institute. Accessed 10 May 2016. Retrieved from: http://resources.infosecinstitute.com/the-most-hacker-active-countries-part-i/
● Kaspersky Lab Support. "Safety 101: Main sources of threats penetration". Kaspersky Lab. Accessed 16 May 2016. Retrieved from: http://support.kaspersky.com/us/viruses/general/789#block2
● Lam, James (2003). "Enterprise Risk Management: From Incentives to Controls". Hoboken, NJ: Wiley (print). Accessed 2 May 2016.
● Microsoft TechNet (21 January 2005). "Security Issues with IP". Microsoft TechNet. Accessed 7 May 2016. Retrieved from: https://technet.microsoft.com/en-us/library/cc783463(v=ws.10).aspx
Image Credits:
● https://play.google.com/store/apps/details?id=com.ubercab
● http://www.technobuffalo.com/2014/08/12/uber-is-about-expand-to-other-apps/
● http://thenextweb.com/insider/2015/07/15/why-uber-is-buying-map-companies/
● http://techcrunch.com/2014/01/09/big-uberx-price-cuts/
● http://www.post-gazette.com/business/legal/2015/03/18/Uber-and-Lyft-face-independent-contractor-challenge/stories/201503170013
● https://newsroom.uber.com/app-updates-for-deaf-and-hard-of-hearing-partners/
● http://www.grossingerhyundainorth.com/uber/
Thank you. Questions?