Huntsman - Threat intelligence (for IAP2015)

Date posted: 16-Jul-2015
Page 1: Huntsman - Threat intelligence (for IAP2015)

Making Threat Data Intelligent Applied Security Intelligence

March 2015 – Piers Wilson

Page 2: Huntsman - Threat intelligence (for IAP2015)

Setting the scene

•  Threat Intelligence is more than just data

•  Examples and applications

•  Summary / Benefits

Page 3: Huntsman - Threat intelligence (for IAP2015)

A Threat Intelligence “eco-system” ...

Applied Security Intelligence, drawing on:

•  “Traditional” log sources – Networks, systems, applications, devices

•  Vulnerability information – Scan information, asset sensitivities, vulnerable platforms

•  Geographic information – Countries, sites that pose risk, political factors

•  Cyber-security/malware/attack context – Malware details, network captures

•  External threat sources – IP reputation, known bad URLs, phishing sources, C&C sites, botnets, CERTs

•  Internal context databases – Locations, staff roles, HR systems, physical controls

Page 4: Huntsman - Threat intelligence (for IAP2015)

Real Threat Intelligence Examples  

Page 5: Huntsman - Threat intelligence (for IAP2015)

Traditional public sources / external “TI”

•  Externally available threat data source lists
   –  Botnets, C&C systems, known malware sites, compromised URLs, DLP risks

•  Regular updates / scheduled retrieval

•  Different sources/feeds used for different purposes

•  Detection of:
   –  Communication with suspicious/risky hosts/domains
   –  Data exfiltration risks
   –  Etc...

© 2015 Tier-3 Pty Limited. All rights reserved.

Page 6: Huntsman - Threat intelligence (for IAP2015)

Traditional public sources / external “TI”

•  Emerging Threats – Raw IP list
   –  C&C servers (Shadowserver)
   –  Spam nets (Spamhaus)
   –  Top Attackers (Dshield)
   –  Compromised IP addresses

•  Abuse.ch
   –  SSLBL IP Blacklist
   –  ZeuS Tracker
   –  Palevo Tracker
   –  SpyEye Tracker

•  Malc0de – IP blacklist

•  URLBlacklist.com

•  Malware domains

•  Threat Expert

Plus various commercial sources


Page 7: Huntsman - Threat intelligence (for IAP2015)

Geo-location Visualisation

•  Display or reference to GeoIP information

•  Risk locations/attack sources used in security decisions

•  Additionally, WHOIS and DNS information is useful

Getting to this information quickly in the decision-making process is key


Page 8: Huntsman - Threat intelligence (for IAP2015)

Defence sector – Real example

•  Defence customers are major users of Threat Intelligence

•  Intelligence agencies provide threat information to Defence network administrators

•  Reference data used to raise real-time alerts of suspicious network traffic

•  Information from alerts subsequently adds to their internal threat intelligence reference data
   –  i.e. observed incidents create “new” TI that automatically adds to the reference data set


Page 9: Huntsman - Threat intelligence (for IAP2015)

Internal Security Intelligence

•  Creation of bespoke/local Threat Intelligence –  Manual or Automated

•  Particular value in MSSPs –  Leverage threat observations across customers

•  Better decision making in context of “real”, observed threats

Page 10: Huntsman - Threat intelligence (for IAP2015)

Government sector

•  Suspicious network/IP addresses received from intelligence agency

•  Post-analyse logs for traffic to/from those addresses
   1.  Suspicious hosts data set (high risk destinations)
   2.  Predefined reports use data for analysis

•  Threat intelligence MATCHED WITH observed activity and traffic

•  Minimal operational workload
   –  Data automatically updated in the background
   –  Scheduled, automated, pre-defined processes
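The matching step behind the Government and Defence examples above (a suspicious-hosts data set, logs post-analysed for traffic to or from those addresses, and observed incidents fed back into the reference data), as an added Python example that is not part of the original deck or of Huntsman's product; the indicators, the log format and the feed names are constructed for illustration.

```python
"""Added example: match firewall logs against a TI reference set (constructed data)."""
import ipaddress
import re

# Constructed indicators: address or CIDR -> (category, source)
THREAT_REFERENCE = {
    "198.51.100.23": ("C&C server", "agency feed"),
    "203.0.113.0/24": ("high-risk destination", "agency feed"),
}
# Constructed log lines: "<timestamp> <src ip> <dst ip> <action>"
SAMPLE_LOGS = [
    "2015-03-10T09:00:01 10.1.1.5 198.51.100.23 ALLOW",
    "2015-03-10T09:00:07 10.1.1.9 192.0.2.44 ALLOW",
    "2015-03-10T09:01:12 10.1.1.5 203.0.113.77 ALLOW",
    "2015-03-10T09:02:30 203.0.113.77 10.1.1.9 DENY",
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (ALLOW|DENY)$")


class ThreatReference:
    def __init__(self, indicators):
        # Bare addresses become /32 networks, so one lookup handles IPs and ranges
        self.networks = {ipaddress.ip_network(k): v for k, v in indicators.items()}

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        for net, meta in self.networks.items():
            if addr in net:
                return str(net), meta
        return None

    def add_observed(self, ip, category):
        # Feedback loop from the Defence example: an observed incident becomes new
        # reference data, so the next scheduled run matches it automatically.
        self.networks[ipaddress.ip_network(ip)] = (category, "internal observation")


def match_logs(lines, ref):
    """One hit per log line and direction whose address is in the reference set."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scheduled run
        ts, src, dst, _action = m.groups()
        for direction, ip, host in (("outbound", dst, src), ("inbound", src, dst)):
            found = ref.lookup(ip)
            if found:
                net, (category, source) = found
                hits.append({"ts": ts, "host": host, "indicator": ip, "matched": net,
                             "direction": direction, "category": category, "source": source})
    return hits
```

Each hit carries the indicator's category and source, which is the context the slides ask for at triage time: a /24 "high-risk destination" match from an agency feed reads differently from a single address the team added after an incident.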


Page 11: Huntsman - Threat intelligence (for IAP2015)

Detection leads to Resolution

Apply Security Intelligence during resolution

•  When an attack occurs, specific information relating to the threat is vital

•  More than just log data
   –  System configurations/registry
   –  Changes to affected system files
   –  Network traffic/connections
   –  Other behaviour

•  Malware - Specific examples
   –  Network sessions/connection patterns
   –  Known effects of specific malware activity within file system and registry


Page 12: Huntsman - Threat intelligence (for IAP2015)

Summary  

Page 13: Huntsman - Threat intelligence (for IAP2015)


Applied Security Intelligence

•  Derive meaningful threat intelligence from all available security data

•  Better context during triage, diagnosis and investigation

•  Confident exclusion of false positives

•  Automatically identify real attacks and known threats

•  Increase speed and accuracy of detection

Page 14: Huntsman - Threat intelligence (for IAP2015)

[email protected]

+44 (0) 7800 508517

www.huntsmansecurity.com www.tier-3.com

@tier3huntsman

Questions


Page 15: Huntsman - Threat intelligence (for IAP2015)

:60 seconds The new way to deal with cyber threats www.huntsmansecurity.com
