Post on 26-May-2015
Utilizing Cyber Intelligence to Combat Cyber Adversaries
Jon DiMaggio, IntelThreat
7 October 2014
Problem
• Advanced threats driven by state-sponsored groups, hacktivists and organized crime rings have made threats increasingly difficult to defend against with traditional Computer Network Defense (CND) security practices
• Traditional use of indicator- and signature-driven solutions alone is no longer sufficient to protect against these threats
• Historically, intelligence was only conducted by military and government organizations
Cyber Intelligence
• Purpose
– Cyber intelligence products provide information on cyber threats, track trends and allow for predictive analysis on cyber threat groups
• Process
– Process of taking open source research, official reporting (reporting from credible organizations) and internal cyber attack data, and fusing them into an actionable product for information dissemination specific to your organization
• Intent
– Provide support to other security operation teams by filling intelligence gaps and providing information not currently being identified or tracked
Advanced Threat Categories
• APT
– Malware
– Spear phishing emails and watering holes
• Hacktivists
– Attack in large numbers
– DDoS attacks
– Data compromise
– Public posts of sensitive data
• Crime Rings
– Ransomware
– TOR network
– Blend in
• Unknown
– Similar tactics, techniques & procedures (TTPs)
– Use of buckets or clustering
Complexity of Advanced Threats
• Advanced threats often go undetected
– Human operators driving attacks
– Malware
• These advanced attackers create/collect intelligence through analysis of their targets
• The planning, patience and human-driven aspects of advanced threats make traditional security models less effective
CND vs. Cyber Intelligence
• Computer Network Defense & Cyber Intelligence… What is the Difference?
– CND: Direct and immediate impact to operations
– CND: Identify malicious traffic and stop it
– Cyber Intelligence: Understand why attacks are being conducted and the motivation behind them
– Cyber Intelligence: Understand who is targeting your organization and what they want
• Think of the role of a police officer compared to a detective
Cyber Intelligence & Tracking Adversaries
• Making cyber intelligence actionable
– Targeting
– Infrastructure
– Personas used in advanced attacks
– Malware
– Spear phishing emails
Pivoting
• Using an indicator or piece of information to discover new related intelligence, obtained by identifying a relationship between the two
• Open source and commercial services can assist with pivoting on intelligence to learn new, previously unknown information about your adversary
Cyber Intelligence Fusion Process
• Track
• Research
• Pivot
• Analyze
• Fuse
• Document
Creating Actionable Products
• Use data gained from tracking adversaries and the cyber intelligence fusion process to create actionable products, which are described in detail on the following slides
Cyber intelligence product → Distributed and digested by security analysts / managers / network defenders → Informed action or defense decision taken
Threat Actor Profiling
• Objective:
– Provide a cyber fingerprint of advanced threats to minimize the time it takes an analyst to recognize that activity on their network is from an advanced threat group
• Provide profiling of:
– Threat actor groups
– CNE operators / hackers: who they are, where they are and what they are targeting
Threat Actor “Attack” Time Lines
Create time lines showing the events and dates of activity targeting your organization
– Identify trends and patterns in activity, such as the most active months, weeks and days for each threat group
– Identify gaps in activity
– Compare against other campaigns
– Compare against other significant events (public events, military or political events, major hacktivist operations, etc.)
– Allow for predictive analysis based on patterns and trends in the data
Adversary Historical Data + Analysis of Trends & Patterns = Smart Predictive Analysis
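The time line analysis this slide asks for, as an added example rather than material from the deck: given dated events attributed to threat groups, it reports the most active months and weekdays per group, finds quiet periods longer than a threshold, and pairs events with "significant events" that fall within a window of them. The group names, event dates and the significant-events list are all constructed sample data.

```python
"""Threat-actor attack time line analysis: most active months and weekdays,
gaps in activity, and overlap with significant external events.

Added example, not from the original slides. The dated events and the
significant-events list are constructed sample data with placeholder
group names.
"""
import calendar
from collections import Counter
from datetime import date

# Constructed: (threat group, date on which an event attributed to it was observed)
EVENTS = [
    ("GROUP-A", date(2014, 1, 14)),
    ("GROUP-A", date(2014, 1, 21)),
    ("GROUP-A", date(2014, 1, 28)),
    ("GROUP-A", date(2014, 2, 4)),
    ("GROUP-A", date(2014, 5, 6)),
    ("GROUP-A", date(2014, 5, 13)),
    ("GROUP-B", date(2014, 3, 3)),
    ("GROUP-B", date(2014, 3, 10)),
    ("GROUP-B", date(2014, 4, 7)),
]

# Constructed public events to compare the time line against
SIGNIFICANT_EVENTS = [
    (date(2014, 1, 20), "industry conference (constructed)"),
    (date(2014, 5, 12), "product announcement (constructed)"),
]


def dates_for(events, group):
    """Sorted dates of the events attributed to one group."""
    return sorted(d for g, d in events if g == group)


def activity_summary(events, group):
    """Counts per month and per weekday for one group, plus the most active of each."""
    dates = dates_for(events, group)
    months = Counter(f"{d.year}-{d.month:02d}" for d in dates)
    weekdays = Counter(calendar.day_name[d.weekday()] for d in dates)
    return {
        "events": len(dates),
        "months": dict(months),
        "weekdays": dict(weekdays),
        "most_active_month": months.most_common(1)[0][0] if months else None,
        "most_active_weekday": weekdays.most_common(1)[0][0] if weekdays else None,
    }


def activity_gaps(events, group, min_gap_days=30):
    """Quiet periods: consecutive events for `group` separated by at least
    `min_gap_days`. Returns (last event before gap, first event after, days)."""
    dates = dates_for(events, group)
    return [(prev, cur, (cur - prev).days)
            for prev, cur in zip(dates, dates[1:])
            if (cur - prev).days >= min_gap_days]


def near_significant_events(events, group, significant, window_days=7):
    """Pair each of the group's events with any significant event within
    `window_days`; offset is days after the significant event (negative = before)."""
    matches = []
    for d in dates_for(events, group):
        for sig_date, label in significant:
            offset = (d - sig_date).days
            if abs(offset) <= window_days:
                matches.append((d.isoformat(), label, offset))
    return matches


if __name__ == "__main__":
    for group in ("GROUP-A", "GROUP-B"):
        print(group, activity_summary(events=EVENTS, group=group))
        print("  gaps:", activity_gaps(EVENTS, group))
        print("  near significant events:", near_significant_events(EVENTS, group, SIGNIFICANT_EVENTS))
```

On the constructed data GROUP-A is a Tuesday actor most active in January with a 91-day quiet period between February and May, and four of its events fall within a week of a significant event; GROUP-B shows a Monday pattern and no overlap. The same functions apply unchanged to a real tracking spreadsheet exported as (group, date) rows.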
Malware Intelligence
• Different than a malware report
– Focus is on what can be learned from malware when tracked from multiple events over time
– Track and plot malware and the files associated with a malware family
– Can produce links in malware families not traditionally seen when reverse engineering focuses on one sample
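The kind of cross-event linking this slide contrasts with single-sample analysis, as an added example that is not the deck's own material: samples observed in separate events are grouped into families with a union-find structure whenever they share a C2 domain, mutex name or PDB path, and each family is reported with its first-seen and last-seen dates and the attributes that joined it. The sample records, hashes, .invalid C2 domains, mutex and PDB strings are all constructed.

```python
"""Malware intelligence across events: link samples seen at different times
into families through shared attributes, and track each family over time.

Added example, not from the original slides. The samples are constructed:
hashes are placeholders, C2 domains use the reserved .invalid TLD, and the
mutex and PDB strings are invented.
"""
from collections import defaultdict
from datetime import date

# Constructed samples from five separate events over seven months.
SAMPLES = [
    {"sha256": "hash-placeholder-1", "seen": date(2014, 1, 14),
     "c2": "c2-one.invalid", "mutex": "Global\\svc_m1", "pdb": None},
    {"sha256": "hash-placeholder-2", "seen": date(2014, 3, 2),
     "c2": "c2-two.invalid", "mutex": "Global\\svc_m1", "pdb": "c:\\dev\\loader\\build.pdb"},
    {"sha256": "hash-placeholder-3", "seen": date(2014, 6, 9),
     "c2": "c2-three.invalid", "mutex": None, "pdb": "c:\\dev\\loader\\build.pdb"},
    {"sha256": "hash-placeholder-4", "seen": date(2014, 2, 1),
     "c2": "c2-four.invalid", "mutex": "Global\\other", "pdb": None},
    {"sha256": "hash-placeholder-5", "seen": date(2014, 7, 1),
     "c2": "c2-four.invalid", "mutex": None, "pdb": None},
]

# Attributes that, when shared, are treated as evidence of a common family.
LINK_ATTRS = ("c2", "mutex", "pdb")


class DisjointSet:
    """Union-find over sample indices."""
    def __init__(self, n):
        self.parent = list(range(n))

    def find(self, i):
        while self.parent[i] != i:
            self.parent[i] = self.parent[self.parent[i]]   # path halving
            i = self.parent[i]
        return i

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def link_families(samples, attrs=LINK_ATTRS):
    """Group samples into families: a sample joins a family when it shares any
    of `attrs` with a member. Returns (families sorted by first_seen, links),
    where each link records which attribute value tied two samples together."""
    ds = DisjointSet(len(samples))
    first_index = {}      # (attr, value) -> index of the first sample carrying it
    links = []            # (attr, value, earlier sha256, later sha256)
    for i, sample in enumerate(samples):
        for attr in attrs:
            value = sample.get(attr)
            if not value:
                continue
            key = (attr, value)
            if key in first_index:
                j = first_index[key]
                links.append((attr, value, samples[j]["sha256"], sample["sha256"]))
                ds.union(j, i)
            else:
                first_index[key] = i

    members = defaultdict(list)
    for i, sample in enumerate(samples):
        members[ds.find(i)].append(sample)

    families = []
    for group in members.values():
        group.sort(key=lambda s: s["seen"])
        hashes = {s["sha256"] for s in group}
        families.append({
            "members": [s["sha256"] for s in group],
            "first_seen": group[0]["seen"],
            "last_seen": group[-1]["seen"],
            "linked_by": sorted({attr for attr, _, a, _ in links if a in hashes}),
        })
    families.sort(key=lambda f: f["first_seen"])
    return families, links


if __name__ == "__main__":
    families, links = link_families(SAMPLES)
    for fam in families:
        print(fam["first_seen"], "->", fam["last_seen"], fam["members"], "via", fam["linked_by"])
    for attr, value, earlier, later in links:
        print(f"{earlier} and {later} share {attr}={value!r}")
```

The first and third samples share nothing directly, so a report on either one alone would not connect them; the second sample, seen between them, shares a mutex with one and a PDB path with the other, and the union-find makes that transitive link explicit. Which attributes count as family evidence is a judgement call: a PDB path or custom mutex is strong, while a C2 domain on shared hosting can tie unrelated families together, so the `linked_by` list is there to let an analyst weigh each family's evidence.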
Cyber Intelligence + CND reporting = Fusion
• Fusion reporting is designed to provide value for organizations by pivoting off multiple data sources and connecting the dots
• Fusion reporting focuses on who the attacker is, what they want and where they are likely going
• Fusion reporting focuses on intelligence to track and trend threat actors and provide insight into adversary TTPs, including the infrastructure, tools and personas they use
• Fusion done correctly can lead to predictive analysis
Conclusion
• Advanced threats have changed the threat landscape, making it difficult to detect advanced cyber threats
• Mitigating and cleaning up an infection, post compromise, can cost hundreds of thousands and into millions of dollars
• Cyber intelligence can be combined with CND capabilities, giving organizations a much broader view into the who, what, when and why of the attacks targeting them
• This information can be used to arm CND teams, as well as senior leadership, with the information they need to make decisions and get ahead of today's targeted advanced cyber threats
Contact Info
Jon DiMaggio, IntelThreat
Jon.dimaggio@intelthreat.com