IBM Cyber Threat Analysis

Date post: 21-Jan-2017
Upload: ibm-government
Page 1: IBM Cyber Threat Analysis

© 2015 IBM Corporation

i2 Enterprise Insight Analysis

The Awakening of Cyber Analysis
IBM i2 Safer Planet

Bob Stasio – Sr. Product Manager, Cyber Analysis

Page 2: IBM Cyber Threat Analysis


Fig. 1: Malicious prompt to capture credentials
Fig. 2: Generic lure document

FIN 4 Group Arrested: $100 million dollars in profit since 2013; 32 people involved in multiple countries

Page 3: IBM Cyber Threat Analysis


The growth of asymmetric threats is changing the landscape
Information security has become a human vs. human problem

Hackers negate tens of millions of dollars in security infrastructure with a $30 USD device!

Figure: remote control device

1. A male posing as an IT technician deployed a $30 USD remote control device on a bank branch office computer.
2. The crooks connected to the device from a nearby hotel, then accessed the bank's servers.
3. The hackers logged into a bank terminal and shifted ~$2.1M USD through 128 transfers into mule accounts.

The gang responsible for the theft was caught 13 months later, and only because they attempted the same attack at another bank.

Page 4: IBM Cyber Threat Analysis


Both security and analysis must address the problem

Figure: Non-Linear Relationship Between Effectiveness and Cost
  X-axis: Level of Effort / Investment (ending at "High Effort")
  Y-axis: Percent of Threats Stopped
  Implement a Security Framework -> 80%
  Advanced Security Intelligence -> 90%
  Cyber Analysis -> 99.9%

Example of personnel:
  Information Security: Tier One SOC Analyst, Incident Responders
  Cyber Analysis: Cyber Analysts

Page 5: IBM Cyber Threat Analysis


Intelligence as a Time Horizon

Figure: roles placed along the time horizon from Information Security to Cyber Analysis
  Information Security: Tier One SOC Analyst, Tier Two SOC Analyst, Incident Responders
  Cyber Analysis: Threat Researchers, Cyber Analysts

Page 6: IBM Cyber Threat Analysis


Learning from medical analogies

Tier One – Hygiene
  Medical threat example: common hospital-associated infections
  Medical mitigation strategy: washing hands, wearing masks and scrubs
  Security threat example: commodity threat, individual hackers with widely-used tools
  Security mitigation strategy: changing passwords, removing unused services, patching

Tier Two – Specialization
  Medical threat example: emergent situations (e.g. chest pain, gunshot wound)
  Medical mitigation strategy: creation of the critical care and preventative medicine disciplines
  Security threat example: organized crime, semi-tailored fraud and crimeware tools
  Security mitigation strategy: visibility, monitoring, alerting, response, real-time security analytics

Tier Three – Research
  Medical threat example: genetic diseases and cancer
  Medical mitigation strategy: research and tailored genetic treatments
  Security threat example: Advanced Persistent Threat, nation-state, high resources
  Security mitigation strategy: cyber analysis, threat intelligence trend analysis, campaign tracking

Page 7: IBM Cyber Threat Analysis


The cyber analysis discipline addresses the human dimension

Figure: three overlapping circles (Forensics Science, Information Security, Intelligence Analysis) whose intersection is The Cyber Analysis Discipline (human enabled)

Cyber Analysis is a new discipline and profession with three subcomponents:

• Information Security blends aspects of network defense, confidentiality, assurance, and malware threats. High expertise from CISO and SOC organizations.
• Intelligence Analysis brings the art of the intel cycle, where information is directed, collected, processed, analyzed, produced, and disseminated. High expertise from the military and intelligence communities.
• Forensics Science blends aspects of the investigative process, evidence handling, and latent evidence discovery. High expertise from law enforcement and the IR community.

Page 8: IBM Cyber Threat Analysis


Cyber Analysis Results

• Integrated data feeds
• Enterprise awareness
• Compliance monitoring
• Threat discovery
• Risk management
• Enable decisions

Leveraging an analytical platform and internal and external information feeds, Cyber Analysts can help form a deep understanding of the threats targeting your organization.

Figure: sources feeding the Analysis Platform (human enabled)
  Mostly external sources -> Threat Intelligence: community info, threat indicators, government alerts, social media / hacker forums, intel vendors
  Mostly IT sources -> Security Intelligence: PCAP, system logs, alerts, SIEM, vulnerability scans, SSO/AD
  Mostly human sources -> Persona Data: access logs, account creation, badge logs, reviews, behavioral data, HR data

Page 9: IBM Cyber Threat Analysis


IBM’s Strategic Threat Analysis Capability

Security Intelligence Platform (machine enabled)

Real-time processing
• Real-time data correlation
• Anomaly detection
• Event and flow normalization
• Security context and enrichment
• Distributed architecture

Security Operations
• Pre-defined rules and reports
• Offense scoring and prioritization
• Activity and event graphing
• Compliance reporting
• Workflow management

Cyber Analysis Platform (human enabled)

Multi-Dimensional Analysis
• All-source intelligence
• Anomaly discovery
• Ecosystem visibility
• Scales to 150 TB of data
• Customized configuration

Human-Led Intelligence Discovery
• Visualize linked data
• Identity and relationship resolution
• Geospatial and physical data analysis
• Persona domain threat identification
• Create decision-making products for leaders

Output: Strategic Intelligence

Page 10: IBM Cyber Threat Analysis


Four Main Pain Points in Cyber Security Today

1. Hidden threats hiding in the network: how do I find the signals in the noise?
2. Where should analysts look: how to find a needle in a stack of needles?
3. Lack of actionable intelligence: how do leaders make decisions?
4. Too much data, too many sources: how do I put the picture together?

USE CASES
• Finding beaconing; strange admin logs; employees caching info; IP theft and exfiltration
• Intelligence-led security; understand vendor risk; incident reporting; risk analysis
• SIEM tipping and queuing; external physical threats; host intrusion correlation; external breach discovery
• APT kill chain analysis; darkweb integration; IOC historical search; vulnerability prioritization

IMPACT
• $35 million: Sony
• $162 million: Target
• 1,400 people: ISIS hit list
• 14 months: OBY cleanup

Page 11: IBM Cyber Threat Analysis


Tipping, Queuing, and Anomaly Research

Figure: individual events plotted against an event threshold, with EIA tipping and queuing across them:
• 25 phishing attempts blocked
• 3 RDP attempts blocked
• 2 malicious emails opened
• Server-to-server admin logon
• Beaconing activity
• 30 GB of data exfiltrated
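The tipping-and-queuing idea on this slide, as an added Python example that is not code from the original deck or from IBM i2 EIA: each event on one host stays under its own rule threshold, so no single SIEM rule fires, but a weighted composite over a time window tips the host into an analyst queue. The same block checks outbound connections for beaconing by measuring how regular the inter-connection intervals are. The event types, thresholds, weights, hostnames, addresses and timestamps are constructed assumptions.

```python
"""Tipping and queuing over sub-threshold events, plus a beaconing check.
Added example; the events, rule thresholds and weights are constructed for
illustration and are not from the original slide or from IBM i2 EIA."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Constructed events: (ISO timestamp, host, event type, observed value).
# Each one on ws-17 mirrors an item on the slide and stays under its rule.
EVENTS = [
    ("2015-06-01T08:02:00", "ws-17", "phish_blocked", 25),
    ("2015-06-01T08:40:00", "ws-17", "rdp_blocked", 3),
    ("2015-06-01T09:15:00", "ws-17", "malicious_email_opened", 2),
    ("2015-06-01T11:30:00", "ws-17", "admin_logon_server_to_server", 1),
    ("2015-06-01T13:00:00", "ws-17", "bytes_out_gb", 30),
    ("2015-06-01T09:00:00", "ws-42", "phish_blocked", 40),  # noisy, but alone
]

# Assumed per-rule threshold (value at which a stand-alone SIEM rule fires)
# and weight for the composite score.
RULES = {
    "phish_blocked":                {"threshold": 50,  "weight": 1},
    "rdp_blocked":                  {"threshold": 10,  "weight": 2},
    "malicious_email_opened":       {"threshold": 5,   "weight": 3},
    "admin_logon_server_to_server": {"threshold": 3,   "weight": 3},
    "bytes_out_gb":                 {"threshold": 100, "weight": 4},
}
TIP_SCORE = 8                 # composite score that queues a host for an analyst
WINDOW = timedelta(hours=8)   # correlation window


def tip_hosts(events, rules=RULES, tip_score=TIP_SCORE, window=WINDOW):
    """Return {host: (score, [event types])} for hosts whose sub-threshold
    events inside one window add up to at least tip_score."""
    by_host = defaultdict(list)
    for ts, host, etype, value in events:
        by_host[host].append((datetime.fromisoformat(ts), etype, value))
    queued = {}
    for host, evs in by_host.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):       # a window starts at each event
            score, kinds = 0, []
            for t, etype, value in evs[i:]:
                if t - t0 > window:
                    break
                rule = rules[etype]
                if value >= rule["threshold"]:
                    continue  # already an offense of its own, not a weak signal
                score += rule["weight"]
                kinds.append(etype)
            if score >= tip_score and score > queued.get(host, (0,))[0]:
                queued[host] = (score, kinds)
    return queued


def beaconing(connections, min_hits=6, max_cv=0.1):
    """Flag (src, dst) pairs whose connections recur at a near-constant
    interval: coefficient of variation of the gaps at or below max_cv.
    Returns {(src, dst): mean gap in seconds}."""
    by_pair = defaultdict(list)
    for ts, src, dst in connections:
        by_pair[(src, dst)].append(datetime.fromisoformat(ts))
    flagged = {}
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) / mean(gaps) <= max_cv:
            flagged[pair] = round(mean(gaps))
    return flagged


# Constructed outbound connections: ws-17 calls one address every ~5 minutes
# with a little jitter, ws-42 browses a second address at irregular times.
CONNECTIONS = [("2015-06-01T10:%02d:%02d" % (m, s), "ws-17", "203.0.113.5")
               for m, s in [(0, 0), (5, 0), (10, 2), (15, 0), (20, 1), (25, 0), (30, 0), (35, 0)]]
CONNECTIONS += [("2015-06-01T10:%02d:%02d" % (m, s), "ws-42", "198.51.100.7")
                for m, s in [(0, 0), (1, 30), (7, 0), (7, 10), (20, 0), (45, 0)]]

if __name__ == "__main__":
    print(tip_hosts(EVENTS))       # ws-17 queued with score 13
    print(beaconing(CONNECTIONS))  # {('ws-17', '203.0.113.5'): 300}
```

ws-42's 40 blocked phishing attempts are louder than anything on ws-17, yet only ws-17 is queued: the composite scores co-occurrence of weak signals on one host, which is the "signal in the noise" the slide is after. The beaconing test uses the coefficient of variation so the same threshold works for a 5-minute and a 1-hour callback interval.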

Page 12: IBM Cyber Threat Analysis


APT Kill Chain Detection Example

Figure: kill chain phases (Recon, Weaponization, Delivery, Exploit, Install, C&C, Action) with the log sources that feed EIA: proxy logs, DNS logs, firewall logs, syslogs, logon events
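How the log sources on this slide can be joined into a per-host kill chain, as an added Python example that is not EIA's logic or data from the original deck: each proxy, DNS, firewall, syslog and logon line is mapped to a phase, and a host is reported when several phases show up in kill-chain order. The normalized log format, the sample lines, the indicator list and the classification rules are all constructed assumptions.

```python
"""Kill-chain phase correlation across log sources. Added example; the log
lines, the indicator list and the classification rules are constructed for
illustration and are not EIA's rules or data from the original slide."""
from collections import defaultdict
from datetime import datetime

PHASES = ["Recon", "Weaponization", "Delivery", "Exploit", "Install", "C&C", "Action"]
IOC_IPS = {"203.0.113.5"}                 # constructed indicator list
IOC_DOMAINS = {"update.example-cdn.net"}  # constructed indicator list

# Constructed log lines, already normalized to "<ISO time> <source> <host> <message>".
LOGS = """\
2015-06-01T09:12:01 dns ws-17 query=update.example-cdn.net
2015-06-01T09:12:03 proxy ws-17 GET http://update.example-cdn.net/invoice.doc
2015-06-01T09:13:10 syslog ws-17 winword.exe spawned powershell.exe
2015-06-01T09:13:40 syslog ws-17 new service installed: svchelper
2015-06-01T09:20:00 firewall ws-17 ALLOW tcp 10.0.5.17:51234 -> 203.0.113.5:443
2015-06-01T10:05:00 logon ws-17 interactive admin logon to fileserver-01 from ws-17
2015-06-01T09:00:00 proxy ws-42 GET http://intranet.example/index.html
2015-06-01T09:01:00 dns ws-42 query=intranet.example
2015-06-01T09:30:00 logon ws-42 user logon to ws-42
"""


def classify(source, msg):
    """Map one message to a kill-chain phase, or None for benign noise.
    Deliberately simple rules; a real deployment keys these to detections."""
    m = msg.lower()
    if source == "dns" and any(d in m for d in IOC_DOMAINS):
        return "Delivery"
    if source == "proxy" and m.endswith((".doc", ".xls", ".zip", ".exe")):
        return "Delivery"
    if source == "syslog" and "spawned" in m and ("winword" in m or "excel" in m):
        return "Exploit"
    if source == "syslog" and ("new service" in m or "run key" in m):
        return "Install"
    if source == "firewall" and any(ip in m for ip in IOC_IPS):
        return "C&C"
    if source == "logon" and "admin logon" in m and "from" in m:
        return "Action"
    return None


def parse(lines):
    """Yield (time, source, host, message) from the normalized text."""
    for line in lines.splitlines():
        if not line.strip():
            continue
        ts, source, host, msg = line.split(" ", 3)
        yield datetime.fromisoformat(ts), source, host, msg


def detect_chains(lines, min_phases=3):
    """Return {host: [phases in first-seen order]} for hosts that show at
    least min_phases distinct phases, first sighted in kill-chain order."""
    seen = defaultdict(dict)          # host -> {phase: time first seen}
    for t, source, host, msg in parse(lines):
        phase = classify(source, msg)
        if phase and (phase not in seen[host] or t < seen[host][phase]):
            seen[host][phase] = t
    chains = {}
    for host, first in seen.items():
        ordered = sorted(first, key=first.get)   # phases by time of first sighting
        ranks = [PHASES.index(p) for p in ordered]
        if len(ordered) >= min_phases and ranks == sorted(ranks):
            chains[host] = ordered
    return chains


if __name__ == "__main__":
    print(detect_chains(LOGS))   # {'ws-17': ['Delivery', 'Exploit', 'Install', 'C&C', 'Action']}
```

Each source on its own (one blocked firewall connection, one new service) is a routine ticket; the chain is only visible once events from five different sources are keyed on the same host and ordered in time, which is the point of the slide. Recon and Weaponization are listed but never populated here: they happen outside the defender's logs.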

Page 13: IBM Cyber Threat Analysis


Employee Sensitive Data Theft Example

Figure: investigation steps linked in EIA
(1) DLP alert from SOC
(2) Badge records from physical security
(3) Social media search
(4) HR records
(5) Print logs
(6) Legal team
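Steps (1), (2), (4) and (5) of this workflow depend on resolving one person across systems that each know them by a different identifier. The following added Python example, which is not EIA's identity-resolution logic or data from the original deck, uses the HR record as the hub that maps the DLP username, the badge id and the print-log employee id to one employee, then builds a single timeline around the alert. All records, names and identifiers are constructed.

```python
"""Pivot from a DLP alert to one employee across badge, print and HR data.
Added example; the records and identifiers are constructed and this is not
EIA's identity-resolution logic."""
from datetime import datetime, timedelta

# Constructed HR records: the hub that ties the other systems' identifiers
# (username in DLP, badge id in physical security, employee id in print logs)
# to one person.
HR = [
    {"emp_id": "E1001", "name": "Jane Doe", "username": "jdoe", "badge": "B1234",
     "status": "resignation submitted 2015-05-28"},
    {"emp_id": "E1002", "name": "Sam Roe", "username": "sroe", "badge": "B2222",
     "status": "active"},
]
DLP_ALERT = ("2015-06-02T17:45:00", "jdoe", "customer_list.xlsx sent to personal webmail")
BADGE_LOGS = [  # (time, badge id, action, door)
    ("2015-06-01T18:00:00", "B1234", "entry", "HQ-3F"),
    ("2015-06-02T09:00:00", "B2222", "entry", "HQ-2F"),
    ("2015-06-02T21:10:00", "B1234", "entry", "HQ-3F"),
    ("2015-05-20T08:30:00", "B1234", "entry", "HQ-3F"),   # outside the window
]
PRINT_LOGS = [  # (time, employee id, document, pages)
    ("2015-06-02T10:00:00", "E1002", "memo.docx", 2),
    ("2015-06-02T21:25:00", "E1001", "customer_list.xlsx", 120),
]


def identifier_index(hr):
    """Map every identifier an employee appears under to their emp_id."""
    idx = {}
    for rec in hr:
        for key in ("emp_id", "username", "badge"):
            idx[rec[key]] = rec["emp_id"]
    return idx


def investigate(alert, hr=HR, badge_logs=BADGE_LOGS, print_logs=PRINT_LOGS,
                window=timedelta(hours=24)):
    """Resolve the DLP alert's username to a person and collect that person's
    badge and print activity within +/- window of the alert, in time order."""
    idx = identifier_index(hr)
    emp_id = idx[alert[1]]
    rec = next(r for r in hr if r["emp_id"] == emp_id)
    t_alert = datetime.fromisoformat(alert[0])

    def near(ts):
        return abs(datetime.fromisoformat(ts) - t_alert) <= window

    timeline = [(alert[0], "dlp", alert[2])]
    timeline += [(ts, "badge", f"{action} {door}")
                 for ts, badge, action, door in badge_logs
                 if idx.get(badge) == emp_id and near(ts)]
    timeline += [(ts, "print", f"{doc} ({pages} pages)")
                 for ts, eid, doc, pages in print_logs
                 if idx.get(eid) == emp_id and near(ts)]
    timeline.sort()   # ISO-8601 strings sort chronologically
    # Assumed business hours 07:00-19:00; activity outside them is worth a look.
    after_hours = [e for e in timeline if not 7 <= datetime.fromisoformat(e[0]).hour < 19]
    return {"employee": rec["name"], "hr_status": rec["status"],
            "timeline": timeline, "after_hours_events": len(after_hours)}


if __name__ == "__main__":
    for key, value in investigate(DLP_ALERT).items():
        print(key, value)
```

The product of the join is what goes to the legal team in step (6): a named person, their HR status, and a time-ordered list of a webmail upload followed by an after-hours badge entry and a 120-page print of the same file. Without the HR hub, the three systems' identifiers never meet.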

Page 14: IBM Cyber Threat Analysis


Vendor Risk Management Example

• Vendor risk profiles: a security vendor risk management team interviews and records information about vendors. Reports contain pages of information detailing infrastructure and protection.
• Vulnerability scans: periodic vulnerability scans are conducted against vendors' servers which contain sensitive company information.
• Social media analysis: constantly analyze various social media feeds for malicious actors discussing potential threats against vendors.
• BitSight indicator data: BitSight provides real-time data concerning botnet and other vulnerability activity stemming from a vendor's infrastructure. The data service provides a real-time risk rating for each vendor.
• Darknet breach discovery: by mining various darknet data feeds, the security team may discover indicators of a breach concerning one of the vendors who may hold sensitive company data.

Page 15: IBM Cyber Threat Analysis


Solution Overview

High Speed Actionable Intelligence

IBM i2 Cyber Analysis and Forensics: all-source fusion of data, the analyst's 'whiteboard'
• Intelligence Repository
• Unstructured, open source and social media
• Identity and relationship resolution (the 'Analyst's Assistant')
• Cyber security analytics (SIEM systems)
• Asynchronous big data analytics
• Geospatial analytics
• Visualisation

Page 16: IBM Cyber Threat Analysis


Screenshots
