Posted: 13-Apr-2017 | Category: Technology | Uploaded by: rahul-neel-mani | Views: 407 | Downloads: 0
Threat Intelligence in Cyber Risk Programs
www.pwc.com
Strictly Private and Confidential
March 11, 2016
Sangram Gayal
Agenda
1. Why are we talking about this? (page 1)
2. We already have threat intelligence!!! (page 6)
3. Using Threat Intelligence (page 13)
This publication has been prepared for general guidance on matters of interest only, and does not constitute
professional advice. You should not act upon the information contained in this publication without obtaining
specific professional advice. No representation or warranty (express or implied) is given as to the accuracy
or completeness of the information contained in this publication, and, to the extent permitted by law, PwC, its
members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of
you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or
for any decision based on it.
This publication contains certain examples extracted from third party documentation and so being out of
context from the original third party documents; readers should bear this in mind when reading the
publication. The copyright in such third party material remains owned by the third parties concerned, and
PwC expresses its appreciation to these companies for having allowed it to include their information in this
publication. For a more comprehensive view on each company’s communication, please read the entire
document from which the extracts have been taken. Please note that the inclusion of a company in this
publication does not imply any endorsement of that company by PwC nor any verification of the accuracy of
the information contained in any of the examples.
© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to
PricewaterhouseCoopers Private Limited (a limited liability company in India), which is a member firm of
PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.
Section 1 – Why are we talking about this?

Today, every organization endeavouring to improve its cyber posture is following the trend of adopting various security solutions. Unfortunately, many still face security incidents.
Our study shows that Indian organizations detected more incidents over the previous year, shooting up from an average of 2,895 incidents to 6,284 incidents a year (a 117% increase).
Source: PwC India GSISS 2015
[Chart: Estimated average financial loss as a result of security incidents per survey respondent, India (USD)]
We believe it is possible not only to adapt to these increasing incidents but to grow stronger because of them: a new type of organization, ‘the antifragile’.
“Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors” – Antifragile, Nassim Nicholas Taleb
Nature is full of anti-fragile systems. Human muscles are a good example of an anti-fragile system: the more they are subjected to bouts of stress, the stronger they grow.
The mechanism of antifragility is about early discovery, response and improving resistance.
1. Early Discovery: early discovery of known and unknown threat vectors in the environment is important to prevent their spread and the damage they cause.
2. Rapid Response: contain the spread, assess the damage, analyse the characteristics of the threat and finally eradicate it.
3. Threat Resistance: codify the learnings into mechanisms that detect or prevent recurrence of the threat vector. Share with others and learn from others.
All antifragile systems found in nature, including human muscles, vaccinations and human society, work on these principles.
Section 2 – We already have threat intelligence!!!
What is threat intelligence?
Threat = Capability to Cause Harm
Intelligence = Information, Analysis & Context
Threat Intelligence = Information, its Analysis and Context Regarding ‘Things’ that might cause Harm
Types of Threat Intelligence
[Chart: types of threat intelligence plotted by level of detail (low level to high level) against time horizon (short term to long term), with the “Area of Enterprise Focus” highlighted]
- High level information on changing risks
- Attacker methodologies, tools and tactics
- Details of incoming attack
- Indicators of specific malware
Threat Intelligence Explained

Strategic Threat Intelligence
• Target audience: the Board, executive management
• Focus on changing risks, high level topics: geopolitics, foreign markets, cultural background
• Vision timeframe: years

Tactical Threat Intelligence
• Target audience: system admins, pen testers, hunters
• Focus on TTPs (tactics, techniques, procedures, tools etc.), C2 behaviour etc.
• Vision timeframe: weeks to months

Operational Threat Intelligence
• Target audience: strategic security teams
• Focus on threat actors, nation-state actors, future attacks etc.; based on infiltrating threat actor groups
• Vision timeframe: hours to months

Technical Threat Intelligence
• Target audience: SOC, IR, firewall admins
• Focus on indicators of compromise, malware domains, artefacts, signatures etc.
• Vision timeframe: hours to years
The Pyramid of Pain
Pyramid of Pain (for the attacker) – David J. Bianco. From the top (most painful for the attacker to change) down:
- TTPs: Tough
- Tools: Challenging
- System Artifacts: Annoying
- Domains: Easy
- Hash Values / IP Address: Trivial
The slide contrasts indicators of compromise developed by the client / PwC’s Cyber Threat Intelligence team (the upper layers) with indicators of compromise provided by most OEMs and anti-virus providers (the lower layers).
Where do you get the Threat Intelligence?
The same Pyramid of Pain layers (Hash Values / IP Address, Domains, System Artifacts, Tools, TTPs) annotated with their sources:
- A number of open-source and commercial feeds
- Develop from known malware behaviour
- Analyse malware to understand variants, families, CnC domains and threat actors
Technical & Tactical TI – Looking at the indicators
File and host indicators, from trivial to difficult for the attacker to change:
- MD5 / SHA-1 hash
- Filename of initial malware
- Files dropped by malware
- Registry keys created by malware
- Well-written YARA rule
Network indicators, from trivial to difficult for the attacker to change:
- IP address
- Domain name
- Exact URL accessed
- Algorithm for generating random domains
- Exact command channel structure
Section 3 – Using Threat Intelligence
1. Run a Threat Intelligence Program
1. Collate and Curate Threat Feeds: use a platform to collate and curate threat feeds and distribute them to the various detection systems. Maintain the intelligence system by adding your own threat intelligence.
2. Tactical Intelligence: generate tactical intelligence for malware variants prevalent in your environment. Use tactical intelligence generated by communities, peers and professional agencies.
3. Sharing: share your new threat intelligence with local and global communities. Submit malware samples, submit new indicators, and share the CnC information.
2. Use technical and tactical TI to detect Compromises
Active Discovery
1. Use enriched and curated Technical TI at Gateways, SIEMs and Domain Controllers to detect compromises
2. Use Tactical TI to analyse host compromises by collecting system and memory artefacts
3. Use Tactical TI by conducting static and dynamic analysis of suspicious file samples
4. Use honeypots to actively detect lateral movement
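As an added example (not from the deck), the Python below shows step 1 of Active Discovery in code: curated technical TI from the lower Pyramid of Pain layers (MD5/SHA-1 hashes, IP addresses, domains) matched against SIEM-style log lines, with each hit tagged by its layer so an analyst can weigh a trivially changed hash hit against a domain hit. The indicator values, log field names and log lines are all constructed for illustration.

```python
# Added example: match curated technical TI against SIEM-style log lines and tag
# each hit with its Pyramid of Pain layer. All IOCs and log lines are constructed.
import re

# Layer -> (pain for the attacker to change it, watched values). Constructed values:
# the IP is from the TEST-NET-3 documentation range, the domain is an RFC 2606 name.
IOCS = {
    "hash":   ("Trivial", {"0123456789abcdef0123456789abcdef"}),
    "ip":     ("Easy",    {"203.0.113.42"}),
    "domain": ("Easy",    {"updates.example.net"}),
}
HASH_RE = re.compile(r"\b[0-9a-f]{32}\b|\b[0-9a-f]{40}\b", re.I)   # MD5 / SHA-1
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"(?:dst_host|host|domain|query)=([A-Za-z0-9.-]+)")  # constructed field names

def domain_hits(host, watch):
    """Watched domains equal to `host` or a parent of it (cdn.updates.example.net matches updates.example.net)."""
    labels = host.lower().rstrip(".").split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    return sorted(candidates & watch)

def scan_line(line):
    """Return (layer, indicator, pain) for every watched indicator found in one log line."""
    hits = []
    for h in HASH_RE.findall(line):
        if h.lower() in IOCS["hash"][1]:
            hits.append(("hash", h.lower(), IOCS["hash"][0]))
    for ip in IP_RE.findall(line):
        if ip in IOCS["ip"][1]:
            hits.append(("ip", ip, IOCS["ip"][0]))
    for host in HOST_RE.findall(line):
        for d in domain_hits(host, IOCS["domain"][1]):
            hits.append(("domain", d, IOCS["domain"][0]))
    return hits

def scan_logs(lines):
    """One alert per matching line; the pain label tells the analyst how much weight a hit deserves."""
    alerts = []
    for n, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            alerts.append({"line": n, "hits": hits})
    return alerts

# Constructed events as a proxy, a DNS server and an AV agent might forward them.
SAMPLE_LOGS = [
    "2016-03-11T09:02:11 proxy src=10.0.0.7 dst_host=cdn.updates.example.net dst=203.0.113.42 action=allow",
    "2016-03-11T09:02:12 dns client=10.0.0.7 query=updates.example.net rcode=NOERROR",
    "2016-03-11T09:03:40 av host=WS-0042 file=svc.exe md5=0123456789ABCDEF0123456789ABCDEF verdict=clean",
    "2016-03-11T09:04:01 proxy src=10.0.0.9 dst_host=intranet.example.com dst=10.0.0.5 action=allow",
]
```

Note that the third line fires on a curated hash even though the AV verdict is clean, which is the point of enriching gateway and SIEM matching with the organization's own indicators rather than relying on vendor-supplied ones alone.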
3. Respond to compromises while leveraging Tactical Indicators
Cyber Response
1. Develop Tactical Threat Indicators for detected compromises and unknown malware
2. Use the TI to “hunt” for malware and eradicate it
3. Build a Threat Intelligence database of detected malware
PwC ADS Platforms – brought to you by PwC’s Active Defence Services
01 PwC TIP: Threat Intelligence platform for threat feeds aggregation, selection, visualization, and sharing.
02 PwC Nethunt: Network level compromise assessment and hunting platform with flow and packet analysis.
03 LAMPS: Large-scale Automated Malware Analysis Platform.
04 PwC CIRCA: Cyber Incident Response and compromise assessment platform.
PwC’s Active Defence Services helps organizations detect, analyse and monitor advanced threats, supported by a team of Malware Analysts, Data Scientists and Incident Responders.
The information contained in this document is provided 'as is', for general guidance on matters
of interest only. PricewaterhouseCoopers is not herein engaged in rendering legal, accounting,
tax, or other professional advice and services. Before making any decision or taking any
action, you should consult a competent professional advisor.
“The ring has awoken, it’s heard its master’s call” – Gandalf, Lord of the Rings
The sleeping malware in our organizations
Sangram Gayal
+91 [email protected]