
Upload: vandieu

Post on 23-Aug-2018


Threat Landscape

Table of Contents

Threat Landscape ............................................................................................................................ 2

Anecdotal Sources .......................................................................................................................... 4

Threat Reports Usually Have Larger Sample Sizes .......................................................................... 6

Not All Reports Cover the Same Thing ........................................................................................... 9

Threat Report Examples -1 ........................................................................................................... 12

Threat Report Examples -2 ........................................................................................................... 13

Threat Landscape Example – Microsoft SIR .................................................................................. 14

Long-Term Studies ........................................................................................................................ 16

Growth in Automated Information Sharing .................................................................................. 19

Notices .......................................................................................................................................... 21

Page 1 of 21

Threat Landscape

[Distribution Statement A] This material has been approved for public release and unlimited distribution.

Threats can be
• external
• internal
  - accidental
  - malicious

Learn their trends and patterns
• current
  - passive
  - active
• general TTPs
• specific TTPs
  - reported by other teams
• sources of threat behavior
• identifying ‘shifts’

**022 When we talk about the threat landscape, we're talking about threats. And these threats can be external to an organization, or they can be internal to an organization, and then within there they could be accidental or malicious. But in general, for things like the external threat, the goals here are to learn about their trends and patterns. So what are the sort of common behaviors that they're using? Sometimes those behaviors might be active to probe someone to identify if they have a vulnerability, or they might be passive with something like sniffing traffic and waiting to observe something that comes across the wire. We'll also talk about some of the more general tactics, techniques and procedures, and then sort of the more specific tactics, techniques and procedures, which may have been reported by other teams. What we're starting to see is that teams are reporting, "These are the tactics that were used against me during an attack that I had." Lastly, we're going to talk about sort of the sources that you might use to find that threat behavior and figure it out and do some of your own analysis. And in particular, one of the harder problems is to identify when there's been a shift. So when has an adversary or a group of adversaries started to abandon one technique and pick up another one? So that's a hard thing to identify.


Anecdotal Sources


Sources to learn about threats may be anecdotal, such as news stories:

• CNN – “5-year-old boy hacks dad's Xbox account” (http://www.cnn.com/2014/04/04/tech/gaming-gadgets/5-year-old-xbox-hack/)

• Zdnet – “Teenager hacks Google Chrome with three 0day vulnerabilities” (http://arstechnica.com/security/2012/10/google-chrome-exploit-fetches-pinkie-pie-60000-hacking-prize/ and http://www.zdnet.com/article/teenager-hacks-google-chrome-with-three-0day-vulnerabilities/)
  - It took about one-and-a-half weeks to find the vulnerabilities and write a reliable exploit.
  - The exploit worked on a fully patched Windows 7 machine (64-bit) and did not require user action beyond normal web browsing.

**023 So some of the sources that you could use to learn about the threat landscape might be anecdotal. And when we say anecdotal, we're talking about stories, right. So things like news stories. In this case, we've put up a few examples of news stories, and the examples that we've chosen here are to sort of give you a sense or a flavor that you don't necessarily have to have a lot of years of experience before you can identify some of the problems in software or hardware. So in this case, there was a five-year-old who sort of was mashing on his father's videogame controller and ended up sort of inputting a string into their gaming system that caused it to crash, right? So the dad figured out, "Oh. There's something going on here. I should report this to the company." Because he was able to get around something sort of, you know, by inputting some random input. And that was not some feature that the company wanted to allow. The second one is one where in this case a teenager during a hacking competition sort of exploited three previously unknown bugs with software, and sort of in an interview after the competition was over, he said that it took him about a week and a half of work to find the vulnerabilities and then also write a reliable exploit. Now, it turns out that this person was somewhat of already sort of an expert, but again, still a teenager. So what we're trying to imply here is that sort of from the anecdotes and from the sources, you can gain a sense of sort of the amount of training that you need in some cases before you could find some kind of problem.


Threat Reports Usually Have Larger Sample Sizes


Vendors and service providers deliver threat reports at different intervals. They typically describe trends in attacks, attacker tactics, or ‘interesting’ incidents. Examples include

• Microsoft Threat Report – Malware
• Brian Krebs Article Series – Skimming
• Imperva Web Hacking Report – Web Applications
• US-CERT – Malicious Code Families, User Agent Strings, etc.
• ICS-CERT Year End Assessment Report – SCADA
• Defense Security Service – asset types targeted for collection activities

There are also databases that vendors sponsor to assist in producing these reports:
• Privacy Rights Clearinghouse
• Web Incident DB (submissions end in 2013)
• Verizon Veris Community Database (VCDB)

The Software Engineering Institute has assisted with threat trend reports in the past, including US-CERT, Verizon DBIR, and others.

**024 A little bit larger sample size than just one single story is that there are a variety of different reports on sort of the activity of malware or threat actors that are written by vendors. These reports are sort of provided usually at different intervals, so it might be things like, "Okay. First quarter threat activity," or first, you know, second quarter tactic, tactics used by, most commonly used tactics used by attackers in all of our incident investigations and things like that. Or sometimes they might just be sort of one very in-depth, interesting incident that they responded to. This sort of gets back to the anecdote, but instead of a news article written by a reporter, it's actually a technical report written by the team that did the investigation, and then the sort of nonpublic information is stripped out of that report and they make the report public so that other teams can sort of avoid the problems themselves, hopefully. So here's just some examples. We'll mention a few, but US-CERT has a report where they talk about the malicious code families that they have seen, and they receive reports from over a hundred different organizations throughout the year, including federal organizations. So these are the malicious code that was observed by many of the reporters that are reporting to a single place. They also include other information about the sort of technical details of the attacks used, and differences from one attack to another. That's just an example. There's also, when the vendors go to actually write these reports, they might also set up a database. And in some cases those databases are made public. So they'll set up a database to help them write the report, or based on some idea that came out of the report, and then they'll also make the database public. So if you're looking for data and you want to sort of not write your own report but you want to draw your own conclusions, you can go straight to the data in some cases.


This is starting to get a little better, and we've listed a few here. There's one that's often used by other teams called the Privacy Rights Clearinghouse database. That's a database of what is essentially data breaches, so the number of records. And they have a specific definition of what a record actually is, so it might not be the same as your definition of what a record is. So you need to be careful about how they're defining terms and what data they have before you compare it and say, "Oh, this is the same thing that we have." There's a few others. There's one that's got some data in it about web incidents, although those submissions stopped coming in a couple years ago, and then Verizon has one as well called the Veris Community Database. This is sort of a taxonomy that they set up, and now they've allowed the community to submit incidents in using their taxonomy. But you might be able to find some available incident data in there to use in your own investigations. Additionally, the Software Engineering Institute, who is producing this content, has also assisted with some of the threat trend reports in the past. We have assisted a variety of teams, including US-CERT. And we've also collaborated with the Verizon data breach incident report and others.


Not All Reports Cover the Same Thing


There are various types of reports:
• events from their sensors
• events from clients they are servicing

The organization of the content in the reports varies:
• by threat type such as distributed denial of service, web applications, and malware
• by detection mechanism, such as intrusion detection system, firewall, data loss prevention system (DLP), and security incident event monitor (SIEM)

Note: Vendors may be influenced by Marketing Goals. You should carefully read descriptions of methodology, sample size, and resulting claims.

**025 So about these reports. Not all of the reports cover the same thing. So there's different kinds of reports. Some of the reports the vendor has a bunch of sensors deployed. They might have a customer base, and they're saying, "Okay. All of the events across all of our customers look like this." Other ones might have actual kind of services that they are providing, so they might just say, "Okay. We're providing phishing, e-mail services, anti-phishing," right? Or we're also providing kind of end-point services. And here's all the threats that we're seeing on the end points. So there's really quite a variation in what you're going to find from one report to another. And then the, the organization of that content is also very varied from one report to another, so some of them will do the report and they'll say, "We're going to do it by threat type." And so then they'll say, "Okay. Here's all of the information about a distributed denial-of-service attacks that we saw across all of our customers." Other reports will say, "Okay. We're going to do it by customer." And so they'll say, "Okay. Here's all the industries that these customers are in and all of the attacks that they've seen and their percentages," and things like that. So you have to be really careful when you're reading these. It's sometimes difficult to compare apples to apples from one report to another. Lastly, there's also sort of the way where you might say, "Okay. I'm going to say the system that detected it." So now I'm not talking about the threat as much. I'm talking about how that threat was detected. And so they're going to say, "Okay. Using DLP tools," or using something like a SIM, "we detected the following kinds of threat activity," right. So you can still sort of get some threat activity from that as well. Can be very useful, including sort of how it was detected, because that might even be more useful than learning about the threat activity itself for your particular goal.


But so you should really be careful. A lot of these reports are produced because the teams want to get their name out there in the market. So the report is typically to support some kind of service or product and they're producing the report to show that the product actually does work, actually does collect data, actually does prevent threats, and they can kind of report on how much they've prevented or how much they're detecting. Of course, they're not going to be able to tell you how much they did not detect necessarily. And you may have to look other places for teams like investigation reports where they, "Okay. At the time that they had this, this, and this in place, this event was still, went undetected." So again, very hard thing to do. One of the big problems. But always be very careful when you read about the descriptions of the methodology that the team used in order to produce the report. Be very careful to look at the things like the sample size. Some of the reports will make very broad claims, but then you read the report and it turns out that they investigated in this particular industry that they're claiming, you know, kind of a 50 percent jump. They only investigated like 10 incidents in that industry over the course of the year. That may not be very many. So you should always be careful when you read the result of claims.
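The sample-size warning above can be turned into a quick arithmetic screen. This is an added example, not part of the SEI course material: the report excerpt is constructed to mirror the lecture's scenario (a "50 percent jump" resting on ten incidents per period), and the Wilson score interval is this example's own choice of check.

```python
"""Screen a threat report's headline claim against the sample behind it.

Added example, not part of the SEI course material. The report below is
constructed to mirror the lecture's scenario: a "50 percent jump" in one
industry that rests on ten investigated incidents per period.
"""
from math import sqrt


def wilson_interval(k: int, n: int, z: float = 1.96) -> tuple:
    """95% Wilson score interval for a proportion of k events among n cases."""
    if n <= 0 or not 0 <= k <= n:
        raise ValueError("need n > 0 and 0 <= k <= n")
    p, z2 = k / n, z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)


def claim_supported(k1: int, n1: int, k2: int, n2: int) -> bool:
    """True only if the two periods' intervals do not overlap.

    A conservative screen, not a formal test: overlapping intervals mean the
    reported change is within what a handful of incidents can show by chance.
    """
    lo1, hi1 = wilson_interval(k1, n1)
    lo2, hi2 = wilson_interval(k2, n2)
    return hi1 < lo2 or hi2 < lo1


# Constructed report excerpt (not a real vendor's numbers).
CONSTRUCTED_REPORT = {
    "vendor": "Example Vendor",
    "industry": "retail",
    "claim": "50 percent jump in web application attacks",
    "periods": {"2014": {"incidents": 10, "web_app": 4},
                "2015": {"incidents": 10, "web_app": 6}},
}


def review_claim(report: dict) -> dict:
    """Recompute the claimed change and say whether the sample supports it."""
    (y1, a), (y2, b) = sorted(report["periods"].items())
    r1, r2 = a["web_app"] / a["incidents"], b["web_app"] / b["incidents"]
    return {
        "claim": report["claim"],
        "rates": {y1: r1, y2: r2},
        "relative_change": (r2 - r1) / r1,  # 0.4 -> 0.6 is the "50 percent jump"
        "intervals": {y1: wilson_interval(a["web_app"], a["incidents"]),
                      y2: wilson_interval(b["web_app"], b["incidents"])},
        "sample_sizes": {y1: a["incidents"], y2: b["incidents"]},
        "supported_by_sample": claim_supported(a["web_app"], a["incidents"],
                                               b["web_app"], b["incidents"]),
    }
```

With the same 40 percent and 60 percent rates measured over 1,000 incidents per period, the intervals separate and the screen passes; at ten incidents they overlap almost entirely.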


Threat Report Examples -1


• iSight partners
• IBM X-Force <year> Trend & Risk Report
• Veracode State of Software Security Report (and others)
• Mandiant M-Trends
• Dell SecureWorks (various)
• Trustwave Global Security Report
• Trend Micro <quarter><year> Security Round up
• McAfee Threats Report <quarter><year>
• Perimeter E-Security <quarter><year> (financial institution specific)
• Microsoft Security Intelligence Report Volume X
• Kaspersky <quarter><year>
• Imperva Web Application Attack Report <year>
  - also many other data driven reports and series on threats to web applications
• ESET Global Threat Report <year>
• Rapid7 (Sponsor of Privacy Rights Clearinghouse Chronology of Data Breaches)
• Computer Security Institute (CSI) <year> Computer Crime and Security Survey
• DSS Targeting US Technologies <year>
• Digital Forensics Association – study on six years of data breaches

**026 So I'm not going to cover these by reading each one, but just wanted to include in these modules a full list of reports. Actually, the list is not full; it's just a sample of the reports that are available, although we've tried to sort of find as many as we can. And this, actually this activity is from a few years ago, so there may be some new ones. But these are some of the more common ones that we've seen teams using to try to gather information about the external threat environment. And then we have a few slides of this.


Threat Report Examples -2


• Verizon: Data Breach Investigations Report
• Websense Threat Report
• Symantec: Internet Security Threat Report
• Sophos: Security Threat Report
• Cisco’s Annual Security Report
• Hewlett Packard: Cyber risk report
• Department of Homeland Security: Executive Order 13636: Improving Critical Infrastructure Cybersecurity
• EY: Under Cyber Attack – EY’s Global Information Security Survey
• Booz Allen: Cyber Power Index
• Office of Management and Budget
• Arbor Annual Threat Report focused on Denial of Service
• Ponemon Institute: Exposing the Cybersecurity Cracks: A Global Perspective
• CSRIC IV WG5 “Remediation of Server‐Based DDoS Attacks” Final Report
• Guide to Cyber Threat Information Sharing (Draft), NIST Special Publication 800‐150 (Draft)
• Annual Report to Congress – Federal Information Security Management

Source: CYBERSECURITY RISK MANAGEMENT AND BEST PRACTICES WORKING GROUP 4: Final Report March 2015 - Threat Appendix https://transition.fcc.gov/pshs/advisory/csric4/CSRIC_WG4_Report_Final_March_18_2015.pd

**027 So here's another slide of examples. Again, these are threat reports and various companies that produce them. Some of these are nonprofit organizations. Some of them are government organizations. Some of them are private sector organizations. And they each cover different kinds of potential cyber threat, cyber-crime, cyber risk. Incident reports, incident investigations, et cetera.


Threat Landscape Example – Microsoft SIR


Chart from Page 64 of Microsoft SIR #20 (https://www.microsoft.com/security/sir/)

Encounter rate is the percentage of computers running Microsoft real-time security products that report a malware encounter. … Only computers whose users have opted in to provide data to Microsoft are considered when calculating encounter rates. See page 157 for Data Sources

**028 So an example of what you might find when you're reading these reports is sort of a trajectory of activity. So we took this example. This particular example comes from a recent Microsoft report on the security that they see in their own analysis of data across a variety of different data sources from security products that they provide. And in this case, it's a chart which is sort of showing the encounter rates for different kinds of exploits that they saw in 2015. So they're saying, "These are the attempted exploits that we are seeing from some of the products that we have in 2015." And they specifically define the encounter rate. We've included it here. It's the percentage of computers running Microsoft Real-Time Security products that report a malware encounter. Right. So that's a specific thing and you should be careful when reading claims like this, because what they're not saying is that this is all Microsoft products everywhere. This is just the ones that are Real-Time Security products. And then there's a list of those at the back of the report. So it's also only for computers whose users have opted in. So users that have opted out, you won't see any data from them. And that may or may not adjust the numbers, but we won't know it. So they give lots of references, lots of information about kind of the different types of exploits that you might encounter. So a way to read this would be, "Okay. I'm seeing that exploit kits in general are accounting for sort of more of the attempted exploit attempts on the internet than many of the other sort of single or one-off exploit attempts on particular plug-ins or on browsers." But again, the numbers, you know, looking at the left-hand side, you know, the percentages are not particularly high, although if you look at the one of exploit kits, you're starting to see, "Wow." It was like, you know, 1.4 percent, right, of all of the computers, in this case, right, were coming from exploit kits. So, you know, you got to really interpret these results for your own organization and really read the claims very carefully and understand exactly what they're trying to explain with this kind of graph.

Long-Term Studies


Academic and private sector research offers longer term studies with published collection methods:

• Measuring the Longitudinal Evolution of the Online Anonymous Marketplace Ecosystem by Kyle Soska and Nicolas Christin
  - In Proceedings of the 24th USENIX Security Symposium (USENIX Security '15), pages 33-48. Washington, DC. August 2015.
• Framing Dependencies Introduced by Underground Commoditization by Kurt Thomas et al.
  - Workshop on the Economics of Information Security, 2015
• And many others…

Example lessons learned
• Attackers can outsource parts of their attack against a target for relatively low cost and high specialization.

**029 So in addition to the vendor reports, there are also sort of you may be able to find some longer-term information. You can find things like longer-term studies in the academic literature. So in the academic literature, you might find studies which, rather than being sort of six months or three months or one month or one story, are a little bit more longitudinal. So they're, over the course of one year, two years, three years, sometimes five years or more. And even if it is for a shorter period of time, often what they try to do is cover as much of a space as possible. So in this case, they're not just looking at kind of what sensors they have deployed on the internet. They're trying to really aggregate more. A couple of examples here would be a study which was done on the evolution of online anonymous marketplaces, including sort of this is sort of like the analysis of dark markets, but not just one. This is like all of the dark markets that they could find, and as well as sort of the amount of traffic that was going to them, amount of transactions that were happening on them at any given point. And then relative to each other, so which one was kind of going up, which one was kind of going down in what month, and what events were precipitating those rises and falls. And then others, examples, would be kind of like what are some of the dependencies that are introduced by underground commoditization? This is a great paper as well, and there's many, many others. But I think the reason for reading these and the sort of understanding that you can get is that it can teach you things about the ways that attackers behave as well as sort of your incentives and how much it costs for them to launch a particular given kind of attack. So from these two particular examples, there's a fairly strong lesson to be learned, which is that attackers can really outsource parts of their attack against a target for relatively low cost. And with a very high level of specialization. So if they need to get around a particular kind of authentication control or things like password questions, there's a large underground dark market where they can go, advertise that they need these kinds of services, or go to somebody who's already advertising that they provide those kinds of services, and kind of get their need met in a very fast and efficient manner and with a very high level of specialization. So it's not just one person on their own trying to attack you. They can now recruit, right, other specialists to help them in their attack.


Growth in Automated Information Sharing


There has been recent growth in the adoption of standards for information sharing such as the Structured Threat Information Sharing format (STIX).

Slide source: RSA 2016, STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015 By Bret Jordan (Blue Coat Systems) and Mark Davidson (Soltra)

**030 There's also been, in addition to the academic literature, really a kind of a recent growth and adoption of standards for sharing information at a lower level than the reports, and this would be things like from team to team. So one cyber team might share data on the incidents and attempts that they've seen from external threat actors with another team, and they might use something like the Structured Threat Information Sharing format, shorthand STIX, to do that. And so we've pulled an example here of how you might use STIX to tell another team about something that has happened to you. So you may use it to sort of explain, "This is the bad guy," and then, "This is the observed tactic, technique and procedure." He used a backdoor sort of toolkit and the version number was version number one. He used it against bank executives. Specifically it contained an indicator and this particular indicator was the e-mail subject with the value that said, "Follow-up." So this is a machine-readable format, and so it's easy to transfer, right, from their environment to my environment. I can read it and parse it. I can then use it in my own rule set. So I could say, "Okay. Any e-mails that are coming in, that's a follow-up," but that also, right, also have the following MD5 hash, which you can see also on the slide. You know, I'm going to treat those as potentially malicious, right. And I can sort of have a clean trail. I'm not just writing in on my e-mail filter a rule that says, "Follow-up plus this particular MD5 hash." Manually I have some reasons that I can defend for why that particular rule exists. It's because this other team saw this and it was an attack on their bank executive and these are the other particulars about those values that make them important to have.
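The STIX exchange described above, as an added example that is not the slide's own content: a constructed STIX 2.1 bundle (the slide's example may use an older STIX version) carries the backdoor-toolkit malware object and the "Follow-up" subject plus MD5 indicator, and is compiled into an e-mail rule that records which shared indicator justifies it. Every object id and the MD5 value are placeholders; the e-mail field names and sample messages are constructed for the example.

```python
"""Compile a shared STIX indicator into an e-mail filter rule with provenance.
Added example, not from the SEI course or the RSA slide; the bundle is
constructed STIX 2.1 JSON and every id and the MD5 value are placeholders."""
import json
import re

TS = "2016-01-01T00:00:00.000Z"  # constructed timestamp
IND_ID = "indicator--33333333-3333-4333-8333-333333333333"
MAL_ID = "malware--22222222-2222-4222-8222-222222222222"

# Constructed bundle: the slide's "backdoor toolkit, version 1" as a malware
# object, the observed indicator, and the relationship tying them together.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--11111111-1111-4111-8111-111111111111",
    "objects": [
        {"type": "malware", "spec_version": "2.1", "id": MAL_ID, "created": TS,
         "modified": TS, "name": "backdoor toolkit", "is_family": False,
         "description": "Version 1, used against bank executives"},
        {"type": "indicator", "spec_version": "2.1", "id": IND_ID, "created": TS,
         "modified": TS, "name": "Follow-up lure e-mail",
         "created_by_ref": "identity--44444444-4444-4444-8444-444444444444",
         "indicator_types": ["malicious-activity"], "pattern_type": "stix",
         # PLACEHOLDER hash: the real value is only on the original slide.
         "pattern": "[email-message:subject = 'Follow-up' AND "
                    "file:hashes.MD5 = '0123456789abcdef0123456789abcdef']",
         "valid_from": "2016-01-01T00:00:00Z"},
        {"type": "relationship", "spec_version": "2.1", "created": TS, "modified": TS,
         "id": "relationship--55555555-5555-4555-8555-555555555555",
         "relationship_type": "indicates", "source_ref": IND_ID, "target_ref": MAL_ID},
    ],
})

# STIX object path -> field of our (constructed) parsed e-mail record.
FIELD_MAP = {"email-message:subject": "subject", "file:hashes.MD5": "attachment_md5"}
_COMPARISON = re.compile(r"^([\w\-]+:[\w.\-]+)\s*=\s*'([^']*)'$")


def parse_pattern(pattern: str) -> list:
    """Parse [a = 'x' AND b = 'y'] into (path, value) pairs; only the equality-and-AND
    subset used above is supported, anything else raises rather than being misread."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("expected one bracketed observation expression")
    terms = []
    for clause in body[1:-1].split(" AND "):
        m = _COMPARISON.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported clause: {clause!r}")
        terms.append((m.group(1), m.group(2)))
    return terms


def build_rules(bundle_json: str) -> list:
    """Turn each indicator in the bundle into a rule that records where it came from."""
    objs = {o["id"]: o for o in json.loads(bundle_json)["objects"]}
    rules = []
    for o in objs.values():
        if o["type"] != "indicator":
            continue
        # Follow 'indicates' relationships so the rule can say what it detects.
        names = [objs[r["target_ref"]]["name"] for r in objs.values()
                 if r["type"] == "relationship" and r["source_ref"] == o["id"]]
        rules.append({"indicator_id": o["id"], "indicates": names,
                      "source": o.get("created_by_ref", "unknown"),
                      "conditions": [(FIELD_MAP[p], v) for p, v in parse_pattern(o["pattern"])]})
    return rules


def match_email(rules: list, email: dict) -> list:
    """Rules whose every condition the e-mail satisfies (AND semantics)."""
    return [r for r in rules if all(email.get(f) == v for f, v in r["conditions"])]


# Constructed sample mail: only m1 carries both the subject and the hash.
SAMPLE_EMAILS = [
    {"id": "m1", "subject": "Follow-up", "attachment_md5": "0123456789abcdef0123456789abcdef"},
    {"id": "m2", "subject": "Follow-up", "attachment_md5": "ffffffffffffffffffffffffffffffff"},
    {"id": "m3", "subject": "Invoice", "attachment_md5": "0123456789abcdef0123456789abcdef"},
]


def flagged_messages() -> dict:
    """Map each flagged message id to the indicator ids that justify blocking it."""
    rules = build_rules(STIX_BUNDLE)
    hits = {e["id"]: [r["indicator_id"] for r in match_email(rules, e)] for e in SAMPLE_EMAILS}
    return {mid: ids for mid, ids in hits.items() if ids}
```

A message with only the subject or only the hash is left alone, which is the AND semantics the lecture describes, and each hit carries the indicator id, source identity and related malware name so the filter rule can be explained later.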


Notices


Copyright 2016 Carnegie Mellon University

[Distribution Statement A] This material has been approved for public release and unlimited distribution. Please see Copyright notice for non-US Government use and distribution.

This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.

NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.

This material is distributed by the Software Engineering Institute (SEI) only to course attendees for their own individual study. Except for the U.S. government purposes described below, this material SHALL NOT be reproduced or used in any other manner without requesting formal permission from the Software Engineering Institute at [email protected].

The U.S. Government's rights to use, modify, reproduce, release, perform, display, or disclose this material are restricted by the Rights in Technical Data-Noncommercial Items clauses (DFAR 252-227.7013 and DFAR 252-227.7013 Alternate I) contained in the above identified contract. Any reproduction of this material or portions thereof marked with this legend must also reproduce the disclaimers contained on this slide.

Although the rights granted by contract do not require course attendance to use this material for U.S. Government purposes, the SEI recommends attendance to ensure proper understanding.

Carnegie Mellon®, CERT® and CERT Coordination Center® are registered marks of Carnegie Mellon University.

DM-0003588
