what happens before the kill chain

1 CONFIDENTIAL

Dan Hubbard, CTO, OpenDNS Rick Holland, Principal Analyst, Forrester

What Happens Before the Kill Chain

2 CONFIDENTIAL

Speakers

Dan Hubbard CTO

OpenDNS

Rick Holland Principle Analyst

Forrester

3 CONFIDENTIAL © 2015 Forrester Research, Inc. Reproduction Prohibited 3

Agenda

› The cyber kill chain › Targeted Attack Hierarchy of Needs › Making prevention work

@rickhholland


STRESS


Time to discover is pathetic


asdf

205 days to discover intrusions


Adversaries are on shopping sprees

8 CONFIDENTIAL With no time limits


New Incident Response Metric: Mean Time Before CEO Apologizes


asdf

›  asdf We need

bright ideas


Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains


Agenda


@rickhholland


Targeted attack hierarchy of needs

Source: May 15, 2014, “Introducing Forrester's Targeted-Attack Hierarchy Of Needs, Part 1 Of 2” Forrester report


asdf

›  asdf


asdf

›  asdf

Why should we give up on prevention?


asdf

›  asdf

Why should you settle for detection and response?


asdf

›  asdf

Can you imagine incident volume without prevention?


Prevention is dead?

›  Be wary of anyone claiming that prevention is dead

›  Especially if all the sell are detection tools or services

›  You should lead with prevention and fall back to detection and response

Be suspicious


Agenda


@rickhholland


Don’t wait for reconnaissance

Reconnaissance

Weaponization

Delivery

Exploitation

Installation

Command & Control

Action on objectives

Source: http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster


asdf

›  asdf Napoleon: “An army

marches on its stomach”


asdf

›  asdf Attacks against your org rely upon infrastructure


Block enemy infrastructure

›  The best way to get time to containment down is to reduce the overall number of security incidents ›  Free up your limited resources to focus

more on detection and response

›  You can disrupt the adversary by blocking its ability to target you

›  The military puts the kill in the kill chain, leave hack back to the government


Source: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf

The Diamond Model of Intrusion Analysis


Infrastructure that the adversary could reuse

›  Domain names ›  IP addresses

›  Command and Control structure ›  Internet Service Providers

›  Domain registrars

›  Web-mail providers


Lenny Zeltser: Report Template for Threat Intelligence and Incident Response

Source: https://zeltser.com/cyber-threat-intel-and-ir-report-template/


Domain registration OPSEC fail

›  Careful observation of DNS registrant contact information history has revealed an OPSEC failure by the attackers in one instance.

›  For a brief period (possibly before the server was operational), WHOIS privacy was inactive, pointing at a real identity of the registrant. ›  This e-mail address leads to social

media accounts that show public and clear affinity with Lebanese political activism.


Forrester definition: Predictive analytics

›  “Software and/or hardware solutions that allow firms to discover, evaluate, optimize, and deploy predictive models by analyzing big data sources to improve business performance or mitigate risk.”


Predictive security analytics

›  Uses Big Data analysis techniques to anticipate future attacker activity based on historical activity ›  Leverages machine learning, statistical

analysis, and visualization

›  Unless you have a data science skills, navigating vendor marketing can be challenging ›  Ask vendors to provide use cases


asdf

›  asdf

32 CONFIDENTIAL

OpenDNS Research

Applied Research Thought Leadership

Response Customer / Prospect Engagements

33 CONFIDENTIAL

Requests Per Day

70B Countries 160+

Daily Active Users

65M Enterprise Customers

10K

Our Perspective Diverse Set of Data & Global Internet Visibility

34 CONFIDENTIAL

Our view of the Internet providing visibility into global Internet activity (e.g. BGP, AS, DNS)

35 CONFIDENTIAL

Apply statistical models and

human intelligence

Identify probable

malicious sites

Ingest millions of data

points per second

How it works

.com

.cn

.ru

.net

.com

36 CONFIDENTIAL

How we develop our statistical models…

3D Visualization

Data Mining Security Research Expertise

37 CONFIDENTIAL

Single, correlated source of information

Investigate

Types of threat information provided

WHOIS record data

ASN attribution

IP geolocation

IP reputation scores

Domain reputation scores

Domain co-occurrences

Anomaly detection (DGAs, FFNs)

DNS request patterns/geo. distribution

Passive DNS database

38 CONFIDENTIAL

Predictive Intelligence

Inference Knowledge Learning

Pre-Compromise

Compromise

Post-Compromise

39 CONFIDENTIAL


Inference Knowledge Learning

Reconnaissance

Exploitation

C & C

Weaponization Delivery Installation

Actions & Objectives

40 CONFIDENTIAL

Before the Kill Chain

Reconnaissance Weaponization Delivery

Plan Build Test / Iterate

41 CONFIDENTIAL


Plan Build Test / Iterate

•  Where will we host the infrastructure? •  How will it be fault tolerant? •  What domain / IP / Networks will I utilize? •  How will the backend scale? Reporting? Uptime? •  Private and public announcement and advertising? •  Testing and iteration of the solution

42 CONFIDENTIAL

We see where attacks are staged

43 CONFIDENTIAL

Examples

44 CONFIDENTIAL

Malaysia Airlines DNS Hijack January 25, 2015

45 CONFIDENTIAL

MALICIOUS ASN/IP IDENTIFIED Owned by Lizard Squad who hacked PS3 and Xbox Networks in December 2014

46 CONFIDENTIAL

OpenDNS recognized the domain hijacking on Jan 25th and blocked the DNS request, and hence any

subsequent attack

47 CONFIDENTIAL

WHOIS: BEDEP Example

48 CONFIDENTIAL

WHOIS: Visualization of Inferences

49 CONFIDENTIAL

WHOIS: Visualization of Inferences

50 CONFIDENTIAL

WHOIS Registration date after first seen!

51 CONFIDENTIAL

Anomaly Detection: Identify DGAs Domain Generation Algorithms: technique for generating malware domains on-the-fly

yfrscsddkkdl.com

qgmcgoqeasgommee.org

iyyxtyxdeypk.com

diiqngijkpop.ru

Does the probability distribution of letters

appear random?

N-gram” analysis Do letter pairings

match normal language patterns?

52 CONFIDENTIAL

DGA Example: Gameover

Min: May 30: Plan, Build, Test, Iterate

53 CONFIDENTIAL

Conclusion

§  Do not give up on prevention and shift *all* resources to detection

§  Analyze your security posture for predictive elements

§  Utilize hunting and analytic tools to increase security efficacy

§  Explore security analytics to identify and map attacker infrastructure before the kill chain

54 CONFIDENTIAL

Start a 14-Day Trial signup.opendns.com/freetrial

55 CONFIDENTIAL

Questions?

what happens before the kill chain

Technology