Upload File

national institute of standards and technology computer security division information technology...

  • Home
  • Documents
  • National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,
11
National Institute o Standards and Technolog omputer Security Division nformation Technology Laboratory Threat Information Sharing; Perspectives, Strategies, and Scenarios 15 June 2015 Tim Grance, NIST, Sarah Brown, Fox-IT, Luc Dandurand, ITU Thomas Millar, US CERT, Pawel Pawlinski, CERT.PL 1

Upload: amy-waters

Post on 22-Dec-2015

213 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Computer Security DivisionInformation Technology Laboratory

Threat Information Sharing; Perspectives, Strategies, and Scenarios

15 June 2015

Tim Grance, NIST, Sarah Brown, Fox-IT, Luc Dandurand, ITU Thomas Millar, US CERT, Pawel Pawlinski, CERT.PL

1

Page 2: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Information Technology Laboratory NISTNational Institute of

Standards and Technology

Computer Security DivisionInformation Technology Laboratory

Information Sharing Benefits

• Organizations are sharing information and collaborating on its refinement for:

– Shared Situational Awareness– Expanded Understanding of Threat Horizon– Knowledge Maturation– Greater Defensive Agility– Improved Decision-Making

2

Page 3: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Information Technology Laboratory NISTNational Institute of

Standards and Technology

Computer Security DivisionInformation Technology Laboratory

Information Sharing Challenges

• Prior to Sharing– Establishing Trust– Policy, Legal, and Organizational Restrictions– Risk / Benefit Analysis – what to share?

• As Data is Shared– Collecting and classifying information– System interoperability – Preserving Anonymity

• Post Sharing– Classification of information– Generate / refine / action the intelligence

3

Page 4: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Information Technology Laboratory NISTNational Institute of

Standards and Technology

Computer Security DivisionInformation Technology Laboratory

Desired Characteristics of Cyber Threat Information

• Timely – in time for the recipient to act• Relevant – applicable to the recipient’s

operational environment• Accurate – correct, complete, and unambiguous• Specific – providing sufficient detail and context• Actionable – providing or suggesting an

effective course of action

4

Page 5: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Information Technology Laboratory NISTNational Institute of

Standards and Technology

Computer Security DivisionInformation Technology Laboratory

Cyber Threat Information Sources

• Internal– Intrusion Detection/Protection Systems– Security Information and Event Management– OS, network, security, and application logs– Personnel

• External– Open, public sharing communities– Government sources– Sector peers and business partners– Vendor alerts and advisories– Commercial Services

5

Page 6: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Information Technology Laboratory NISTNational Institute of

Standards and Technology

Computer Security DivisionInformation Technology Laboratory

Cyber Threat Information Types

• Indicators – an artifact or observation that suggests that an attack is imminent, is underway, or may have already occurred

• Tactics, Techniques, and Procedures – insights related to an adversary’s behavior, conduct, and tools

• Countermeasures – actions to counter a specific threat

• Adversary – information regarding the threat agent or actor

6

Page 7: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Information Technology Laboratory NISTNational Institute of

Standards and Technology

Computer Security DivisionInformation Technology Laboratory

Observations on Trust

• Trust equals knowledge, skills, experience, abilities, accuracy, integrity, reliability, commitment

• Trust gives us confidence to act• When we trust we are more likely to share• Trust is hard to earn, it must be cultivated• Trust is difficult to restore if lost

7

Page 8: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Information Technology Laboratory NISTNational Institute of

Standards and Technology

Computer Security DivisionInformation Technology Laboratory

Building and Maintaining Trust

• Trust is built through shared experiences• Use sharing models that bring together

contributors, participants, and consumers– Discuss current threats– Share technical insights – Develop mitigation strategies– Train, mentor, and develop skills– Mentor new community members– Develop key practices and resources

8

Page 9: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Information Technology Laboratory NISTNational Institute of

Standards and Technology

Computer Security DivisionInformation Technology Laboratory

Establishing Sharing Relationships

• Define Goals, Objectives, and Scope of Sharing– Mission specifics; resources; approvals

• Conduct an Information Inventory• Establish Information Sharing Rules

– Sources; sensitivity; restrictions; marking• Join existing Sharing Communities

– Info actionable; mechanisms; NDAs, etc.• Supporting an Information Sharing Capability

– Resources; proactive measures

• Look for information that is easier to share (e.g., threats vs incidents)

9

Page 10: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Information Technology Laboratory NISTNational Institute of

Standards and Technology

Computer Security DivisionInformation Technology Laboratory

1. What are the sharing barriers?

2. Overview of sharing architectures, capabilities, technical mechanisms (e.g.identity, access control, etc), and trust issues

3. How is sharing done today?1. Non-attributed vs attributed.

2. Protection of shared information.

3. Data analytics, etc.

4. Advice on how to create, maintain, and enhance sharing relationships

5. How can sharing be more scalable?

6. Specific technical and policy recommendations for the use of shared threat information.  Indemnification?

7. What examples (past or future) or specific incident scenarios illustrate how sharing could realistically work to improve security and operational capability?

10

Discussion Questions

Page 11: National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute ofStandards and Technology

Information Technology Laboratory NISTNational Institute of

Standards and Technology

Computer Security DivisionInformation Technology Laboratory

Achieving Meaningful Information Sharing: A Few Take-Aways

• Operate at time scales consistent with the information• Trust leverages personal connections, operational

record, legal processes• Trust is paramount and hard to establish, but preparation

helps• As communities grow in size, trust is harder to achieve• Organizational abilities vary greatly• Roles and responsibilities need to be clearly articulated

before sharing• Simplicity facilitates sharing

11


AUSTRALIAN LEADERSHIP THREAT HUNTING …...THREAT HUNTING WORKSHOP PRESENTED BY THE SCHOOL OF INFORMATION TECHNOLOGY AND ELECTRICAL ENGINEERING IN CONJUNCTION WITH ARGO P@CIFIC KRIS

Threat/Risk Information Sharing and Analytics...2016/09/14  · Architecture Design Assurance System Focus Situational Awareness Threat information sharing Threat information federation

TOTEM: Threat Observation, Tracking, and Evaluation Model National Laboratories Information Technology Summit Oak Ridge, TN June 1, 2009

Assisted Reproductive Technology and the Threat to the

Mississippi Department of Information Technology Services Information Security ... · 2011. 8. 1. · Information Security events are defined as any violation or imminent threat of

RFID Technology and Threat Modeling

FALCON OVERWATCH MANAGED THREAT HUNTING · Director of Information Technology, TransPak. CrowdStrike Products FALCON OVERWATCH MANAGED THREAT HUNTING CROWDSTRIKE MANAGED THREAT HUNTING

Insider Threat Analysis Using Information-Centric Modeling

Standardizing Cyber Threat Intelligence Information … · Standardizing Cyber Threat Intelligence Information with the Structured Threat Information eXpression (STIX™) Table of

Stereotypes & Stereotype Threat Affect Computing Students National Center for Women & Information technology (NCWIT), J. Mcgrath Cohoon & the Academic

Information Security Threat Assessment

Drone threat and CUAS Technology - White Paper

ENISA Threat Taxonomy - start [DISI Security Research ... · sources of threat information. Most of threat information included was from existing threat catalogues the area of information

2017 Global Network Threat Protection Solutions Technology Leadership Award · Network Threat Protection Solutions Technology Leadership Award GLOBAL NETWORK THREAT PROTECTION SOLUTIONS

INFORMATION TECHNOLOGY SECURITY THREAT MANAGEMENT … · Information technology security threat management combines IT security disciplines of threat detection, incident management,

THREAT COMPASS - Blueliv...Threat Compass Threat Context provides security teams with continuously updated and intuitive information around threat actors, campaigns, IOCs, malware,

Threat Modeling - Praetorian Information Security and Risk

USMC Veteran – 2651 Secure Comms/Intel SysAdmin +14 Years in Information Technology/Security Specialties: Incident Response/Forensics Threat Intelligence

TR 103 331 - V1.1.1 - CYBER; Structured threat information ... · CYBER; Structured threat information sharing ... the known array of existing structured threat information sharing

Sophos Mobile Security Threat Report - Technology …i.crn.com/bestofbreed/sophos-mobile-security-threat-report.pdf · Sophos Mobile Security Threat Report ... phones. Spreads from

1 Information Technology Careers INFORMATION TECHNOLOGY CAREERS ... · INFORMATION TECHNOLOGY CAREERS Information Technology Careers: Past, Present, and Future ... Information Technology

Health Industry Cyber Threat Information Sharing … Health Industry Cyber Threat Information Sharing and Analysis Annual Review of HITRUST Cyber Threat XChange (CTX) Summary of Findings

Information Security Threat Vectors - Information … Pres... · Information Security Threat Vectors Phil Withers, ... Session Hijacking ... changing the security settings on your

Dalla Malware Analysis alla Cyber Threat Information Sharing€¦ · (Cyber) Threat information is any information related to a threat (Indicators, TTPs, Security alerts, etc… )

Application Development Technology Tools Vulnerabilities Threat .Pdfmanagement Secure

Ten Tales of Betrayal: The Threat to Corporate ... · companion report, “Ten Tales of Betrayal: The Threat to Corporate Infrastructures by Information Technology Insiders Report

Inspection of the Bureau of Diplomatic Security, High Threat … · Security Management 19 Information Technology Support 21 File Management 22 ... • The High Threat Programs directorate

MAXIMIZING THE VALUE OF CYBER THREAT INFORMATION …

UNDERSTANDING AND BUILDING THREAT MODELS · UNDERSTANDING AND BUILDING THREAT MODELS Threat Modeling ... (TARA) Factor Analysis of Information Risk (FAIR)

The Mechanics of Cyber Threat Information SharingThe Mechanics of Cyber Threat Information Sharing Session 229, February 23, 2017 Denise Anderson, President, National Health Information

Safer Technology Through Threat Awareness and Response

The Threat of GPS Jamming - Chronos Technology · PDF file| THE THREAT OF GPS JAMMING 1 The Risk to an Information Utility The Global Positioning System (GPS) has become a ubiquitous

Usability and Incentives for Threat Information Sharing Technology · 2016-06-12 · for Threat Information Sharing Technology Tomas Sander Brian Hein ... knowledge in malware analysis,

Tuomas Aura T-110.4206 Information security technology Threat modeling Aalto University, autumn 2012

Ransomware Threat Information Briefing - NIST · PDF file · 2016-12-01– Malvertisement • Targeted ... Ransomware Threat Information Briefing Author: William Wright, Symantec