best practices for leveraging security threat intelligence
DESCRIPTION
The state of threat intelligence in the information security community is still very immature. Many organizations are still combating threats in a reactive manner, only learning what they're dealing with, well...when they're dealing with it. There is a wealth of information in the community, and many organizations have been gathering data about attackers and trends for years. How can we share that information, and what kinds of intelligence are most valuable? In this presentation, we'll start with a brief overview of AlienVault's Open Threat Exchange™ (OTX), and then we'll discuss attack trends and techniques seen in enterprise networks today, with supporting data from AlienVault OTX. We'll also take a look at some new models for collaboration and improving the state of threat intelligence going forward.
TRANSCRIPT
Best Practices for Leveraging Security Threat Intelligence
Dave Shackleford, Voodoo Security and SANS
Russell Spitler, AlienVault
© 2014 The SANS™ Institute - www.sans.org
What IS threat intelligence?
• Threat intelligence is the set of data collected, assessed, and applied regarding:
  – Security threats
  – Threat actors
  – Exploits
  – Malware
  – Vulnerabilities
  – Compromise indicators
What Threat Intelligence ISN’T
• Regarding data for threat intelligence:
  – Not just one type of data
  – Not just one source of data
  – Not just internal or external
• Threat intelligence is also not one form of analysis or reporting
• Threat intelligence can mean different things to different organizations
  – This is 100% OK.
Advanced Threats
• Malware-based espionage staged by threat actors that
  – Aggressively pursue and compromise specific targets
  – Often leverage social engineering
  – Maintain a persistent presence within the victim’s network
  – Escalate privilege and move laterally within the victim’s network
  – Extract sensitive information to locations under the attacker’s control
Today’s Attack Cycle
1. Intelligence Gathering: Target individuals
2. Point of Entry: Social engineering and malware deployment
3. C&C Communication
4. Lateral Movement
5. Asset/Data Discovery: What is important and/or sensitive?
6. Data Exfiltration: Data sent outbound to systems under the attacker’s control
What’s This Leading To?
Source: http://www.forrester.com/Five+Steps+To+Build+An+Effective+Threat+Intelligence+Capability/fulltext/-/E-RES83841
Why Threat Intelligence?
• Attackers are innovating faster than we are
• “Productization” of malware
  – Attack kits and “crimeware”
  – Reuse of malware and C2 protocols
  – Botnets for rent
• Other organizations have likely seen similar attacks or variants
  – We can help each other share information to defend better
Adversary Analysis
• Why develop adversary profiles?
  – Adversary profiles can provide clues as to attacks, targets, and techniques commonly used
• Adversary types
  – Unsophisticated – “script kiddies”
  – Competitors
  – State-sponsored
  – Organized crime
  – Insiders (can also be one of the above)
What kinds of data can we share?
• DNS entries that are or should be blacklisted
• Countries of origin with specific reputation criteria
• Types of events to look out for:
  – Application attacks
  – Ports and IP addresses
  – Specific types of malware detected
• Vertical-specific likelihood
• And more…
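An added example (not from the deck, and not AlienVault code) of putting shared data of these kinds to work: a few constructed indicators of each type are matched against constructed DNS, connection and anti-virus log lines. The log format, the indicator values, the country table standing in for a GeoIP database and the RISK_THRESHOLD are all assumptions made for the example.

```python
"""Match local events against shared indicators of the kinds the slide lists.

Added example (not from the deck, not AlienVault code). Indicator values,
the GeoIP stand-in table, the log format and RISK_THRESHOLD are constructed.
"""
import ipaddress
import re

# Shared indicators (constructed values, documentation address ranges).
BLACKLISTED_DOMAINS = {"update-check.example", "cdn-static.example"}
BAD_IP_PORTS = {("203.0.113.7", 443), ("198.51.100.23", 8080)}
MALWARE_FAMILIES = {"Zeus", "Citadel"}
# Country-of-origin reputation scores the sharing community agreed on (0-100).
COUNTRY_REPUTATION = {"XA": 90, "XB": 60, "XC": 5}
# Stand-in for a GeoIP database: prefix -> country code (constructed).
GEO_PREFIXES = {"203.0.113.0/24": "XA", "198.51.100.0/24": "XB", "192.0.2.0/24": "XC"}
RISK_THRESHOLD = 50  # assumed: a score at or above this is worth an alert

def country_of(ip):
    """Look up the country code of an address in the stand-in GeoIP table."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_PREFIXES.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return None

# Constructed log format: "<type> key=value key=value ...".
FIELD_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    kind, _, rest = line.partition(" ")
    event = dict(FIELD_RE.findall(rest))
    event["type"] = kind
    return event

def match_event(event):
    """Return the indicator hits for one parsed event, in check order."""
    hits = []
    if event["type"] == "dns":
        labels = event["query"].rstrip(".").lower().split(".")
        # Check the name and every parent so a per-victim subdomain still
        # hits the shared entry for the registered domain.
        for i in range(len(labels) - 1):
            candidate = ".".join(labels[i:])
            if candidate in BLACKLISTED_DOMAINS:
                hits.append(("dns_blacklist", candidate))
                break
    elif event["type"] == "conn":
        dst, port = event["dst"], int(event["dport"])
        if (dst, port) in BAD_IP_PORTS:
            hits.append(("bad_ip_port", f"{dst}:{port}"))
        cc = country_of(dst)
        if cc is not None and COUNTRY_REPUTATION.get(cc, 0) >= RISK_THRESHOLD:
            hits.append(("country_reputation", cc))
    elif event["type"] == "av":
        if event["family"] in MALWARE_FAMILIES:
            hits.append(("malware_family", event["family"]))
    return hits

def scan(lines):
    """Return {internal host: [hits]} for every host with at least one hit."""
    findings = {}
    for line in lines:
        event = parse_event(line)
        hits = match_event(event)
        if hits:
            findings.setdefault(event["host"], []).extend(hits)
    return findings

SAMPLE_LOG = [  # constructed
    "dns host=10.0.0.5 query=www.update-check.example.",
    "conn host=10.0.0.5 dst=203.0.113.7 dport=443",
    "conn host=10.0.0.9 dst=192.0.2.44 dport=80",
    "av host=10.0.0.12 family=Citadel action=quarantined",
    "dns host=10.0.0.9 query=www.example.org.",
]

if __name__ == "__main__":
    for host, hits in scan(SAMPLE_LOG).items():
        print(host, hits)
```

Matching parent labels matters: a shared entry for a registered domain should also catch the per-victim subdomains malware generates under it. The country check is deliberately a score rather than a block, since country of origin on its own is a weak signal; the "specific reputation criteria" in the bullet is the part that carries the weight.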
Intelligence can drive Investigations
• Intelligence-driven investigations preserve the relationships between the components of individual attacks so that related attacks can be clustered into a campaign.
• Investigative components
  – Malware analysis
  – Network analysis
  – Underground analysis
  – “Big Data” analysis
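An added example of the clustering the bullet describes (not from the deck): each attack is recorded with the components the investigative work produced (here a sample hash from malware analysis, a C&C domain and its resolved IP from network analysis), and attacks that share any of those components are joined into one campaign with a union-find. All attack records and indicator values are constructed; which attributes count as strong enough to link two attacks is an assumption and would be tuned per environment.

```python
"""Cluster individual attacks into campaigns by the relationships between
their components (sample hash, C&C domain, C&C IP).

Added example, not from the deck; all attack records are constructed.
"""
from collections import defaultdict

# One record per attack as reconstructed by malware and network analysis.
ATTACKS = [  # constructed
    {"id": "A1", "sha256": "h1", "c2_domain": "upd.example", "c2_ip": "203.0.113.7"},
    {"id": "A2", "sha256": "h2", "c2_domain": "cdn.example", "c2_ip": "203.0.113.7"},
    {"id": "A3", "sha256": "h2", "c2_domain": "cdn2.example", "c2_ip": "198.51.100.9"},
    {"id": "A4", "sha256": "h9", "c2_domain": "other.example", "c2_ip": "192.0.2.80"},
]
# Assumed: attributes strong enough to link two attacks. A shared-hosting IP
# would over-link, so real deployments weight or whitelist these.
LINK_ATTRIBUTES = ("sha256", "c2_domain", "c2_ip")

class UnionFind:
    """Disjoint sets over attack ids, with path halving on find."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra

def cluster_campaigns(attacks, link_attributes=LINK_ATTRIBUTES):
    """Return the campaigns as a sorted list of sorted attack-id lists."""
    uf = UnionFind()
    first_seen = {}  # (attribute, value) -> first attack id carrying it
    for atk in attacks:
        uf.find(atk["id"])  # register singletons too
        for attr in link_attributes:
            key = (attr, atk[attr])
            if key in first_seen:
                uf.union(first_seen[key], atk["id"])
            else:
                first_seen[key] = atk["id"]
    groups = defaultdict(list)
    for atk in attacks:
        groups[uf.find(atk["id"])].append(atk["id"])
    return sorted(sorted(g) for g in groups.values())

def campaign_indicators(attacks, campaign, link_attributes=LINK_ATTRIBUTES):
    """Collect every indicator of one campaign: the pivot set for the next hunt."""
    ids = set(campaign)
    out = defaultdict(set)
    for atk in attacks:
        if atk["id"] in ids:
            for attr in link_attributes:
                out[attr].add(atk[attr])
    return {attr: sorted(values) for attr, values in out.items()}

if __name__ == "__main__":
    for campaign in cluster_campaigns(ATTACKS):
        print(campaign, campaign_indicators(ATTACKS, campaign))
```

A1 and A2 share only a C&C address, A2 and A3 share only a sample hash, yet all three end up in one campaign; that transitive join is what is lost when each attack is handled as an isolated ticket.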
How to Evaluate Threat Intel Services and Providers
• The first key differentiator is data DIVERSITY:
  – Where does the data come from?
  – What type(s) of data do you get?
  – Do IOC artifacts come in one format (e.g. file hashes) or multiple?
  – What specifics are available (vertical/industry, geography, etc.)?
How to Evaluate Threat Intel Services and Providers
• The second differentiator is data ANALYSIS:
  – What kind of analysis is performed?
  – Who does the analysis?
  – To what depth is analysis done – basic IOCs, or full traceback?
  – Is the data correlated with other information?
How to Evaluate Threat Intel Services and Providers
• The third differentiator is data QUALITY:
  – Does the data go through a “QA” process?
  – Is data revisited/re-analyzed to ensure it is still accurate?
  – When are indicators “expired”?
  – What is the expiration strategy/lifecycle … on an ongoing basis?
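An added example (not from the deck) of the lifecycle these questions ask about, so that the terms have concrete meaning: each indicator carries a type-specific lifetime that a fresh sighting extends, a QA pass re-checks it and moves its confidence up or down, and only indicators that are live and above a confidence floor are handed to blocking controls. The TTL values, the confidence floor, the step sizes and the three indicators are assumptions made for the example; the `still_malicious` callback stands in for whatever re-check a provider actually runs.

```python
"""Indicator lifecycle: type-specific TTLs, extension on re-sighting,
re-validation with confidence adjustment, and explicit expiry/revocation.

Added example, not from the deck. TTLs, thresholds and indicators are
constructed assumptions.
"""
from datetime import datetime, timedelta

# Assumed lifetimes: a hash never changes, an IP churns fast, a domain is between.
DEFAULT_TTL = {
    "sha256": timedelta(days=365),
    "domain": timedelta(days=30),
    "ip": timedelta(days=7),
}
MIN_CONFIDENCE = 50  # assumed: below this an indicator is not fit to block on

class Indicator:
    def __init__(self, kind, value, first_seen, confidence=80):
        self.kind, self.value = kind, value
        self.first_seen = self.last_seen = first_seen
        self.confidence = confidence
        self.revoked = False

    def expires_at(self):
        return self.last_seen + DEFAULT_TTL[self.kind]

    def sighted(self, when):
        """A fresh sighting restarts the clock: the indicator is still live."""
        self.last_seen = max(self.last_seen, when)

    def state(self, now):
        if self.revoked:
            return "revoked"
        if now >= self.expires_at():
            return "expired"
        if self.confidence < MIN_CONFIDENCE:
            return "unverified"
        return "active"

def revalidate(indicator, still_malicious, now):
    """QA pass: re-check the indicator and move its confidence.

    `still_malicious(indicator)` is caller-supplied (a sandbox re-run, a
    passive-DNS lookup, ...). A confirmed indicator gains a little and counts
    as sighted; a failed check loses a lot, and repeated failures revoke it.
    """
    if still_malicious(indicator):
        indicator.confidence = min(100, indicator.confidence + 10)
        indicator.sighted(now)
    else:
        indicator.confidence -= 30
        if indicator.confidence <= 0:
            indicator.revoked = True
    return indicator.state(now)

def actionable(indicators, now):
    """Only active, sufficiently confident indicators reach blocking controls."""
    return sorted(i.value for i in indicators if i.state(now) == "active")

def lifecycle_demo():
    """Walk three constructed indicators through the lifecycle; return the states."""
    t0 = datetime(2014, 1, 1)
    ip = Indicator("ip", "203.0.113.7", t0)
    dom = Indicator("domain", "upd.example", t0)
    sha = Indicator("sha256", "h1", t0)
    now = t0 + timedelta(days=10)
    out = {"ip_day10": ip.state(now), "domain_day10": dom.state(now)}
    ip.sighted(t0 + timedelta(days=8))  # seen again on day 8: clock restarts
    out["ip_after_sighting"] = ip.state(now)
    out["actionable"] = actionable([ip, dom, sha], now)
    # QA: two failed re-checks drop the domain below the floor, a third revokes it.
    out["domain_qa"] = [revalidate(dom, lambda i: False, now) for _ in range(3)]
    out["hash_qa"] = revalidate(sha, lambda i: True, now)
    out["actionable_after_qa"] = actionable([ip, dom, sha], now)
    return out

if __name__ == "__main__":
    print(lifecycle_demo())
```

The two failure modes a provider should be asked about are both visible here: an IP that was only ever seen once silently drops out after its TTL, and a domain that stops checking out is first demoted (still stored, no longer blocked) and only then revoked, so an analyst can see why it disappeared from the feed.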
Example: Sinkhole Case
• A known malware propagation platform communicating with a C&C server
• This can fuel a sinkhole approach
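As an added example of what "fuel a sinkhole approach" means in practice (not from the deck, and not AlienVault code): the C&C domain indicator becomes a BIND response-policy-zone (RPZ) entry that resolves the name, and everything under it, to an internal sinkhole listener, and the listener's connection log then names the infected hosts. The sinkhole address, the zone names, the log format and every address in it are constructed assumptions.

```python
"""Turn a C&C domain indicator into a DNS sinkhole and read the result.

Added example, not from the deck. The zone text follows BIND's RPZ record
format; sinkhole address, names, addresses and log lines are constructed.
"""
import ipaddress
from collections import defaultdict

SINKHOLE_IP = "10.255.255.1"  # assumed: internal address of the sinkhole listener

def rpz_zone(c2_domains, sinkhole_ip=SINKHOLE_IP, serial=2014010101):
    """Build an RPZ zone in which each C&C name and its subdomains resolve to the sinkhole."""
    lines = [
        "$TTL 60",
        f"@ IN SOA rpz.local. hostmaster.rpz.local. {serial} 3600 900 604800 60",
        "@ IN NS rpz.local.",
    ]
    for name in sorted({d.rstrip(".").lower() for d in c2_domains}):
        lines.append(f"{name} IN A {sinkhole_ip}")
        lines.append(f"*.{name} IN A {sinkhole_ip}")
    return "\n".join(lines) + "\n"

# Sinkhole listener log, one hit per line: "<ts> <src ip> <dst port> <host/SNI>" (constructed)
SINKHOLE_LOG = [
    "2014-05-01T10:00:01 10.0.0.5 443 upd.example",
    "2014-05-01T10:00:09 10.0.0.5 443 upd.example",
    "2014-05-01T10:01:30 10.0.0.22 8080 cdn.example",
    "2014-05-01T10:02:00 203.0.113.50 443 upd.example",  # external scanner, not a victim
]

def infected_hosts(log_lines, internal_nets=("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")):
    """Group sinkhole hits by C&C name -> sorted list of internal victims.

    Nothing legitimate resolves a sinkholed C&C name, so every internal host
    that reaches the listener is running code configured with that name.
    """
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    victims = defaultdict(set)
    for line in log_lines:
        _, src, _, name = line.split()
        addr = ipaddress.ip_address(src)
        if any(addr in n for n in nets):
            victims[name].add(src)
    return {name: sorted(hosts) for name, hosts in victims.items()}

if __name__ == "__main__":
    print(rpz_zone(["upd.example", "cdn.example"]))
    print(infected_hosts(SINKHOLE_LOG))
```

The zone text is loaded like any other zone and then named in `named.conf` as `response-policy { zone "rpz.local"; };`. The external hit is filtered out on purpose: once a sinkhole exists, scanners and other researchers will find it, and their traffic must not be counted as internal infections.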
Example: C&C Events
• Active malware command and control communications
Example: File Download Activity
• File download IOC:
Example: Java File Download
• Another malware download example, this time with a Java .jar file:
AlienVault Open Threat Exchange
Open Threat Exchange (OTX) is a framework to allow collaboration for enhanced threat assessment and response
Built into AlienVault USM & OSSIM
• Diverse threat data
  – Unified Security Management
  – SIEM, IDS, VA, HIDS, Netflow in one product
• Diverse install base
  – >12,000 installations
  – Open Source & Commercial
Automate Threat Sharing & Action
[Diagram, built up over five slides: a “Bad Guy” attacks AlienVault USM or OSSIM Installation 1, which contributes to AlienVault OTX, which distributes to AlienVault USM or OSSIM Installation 2.]
1. Observed Attack
2. Anonymous Contribution
3. Data Validation
4. Distribute Threat Intelligence
5. Identify Malicious Activity
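The five numbered steps as an added, runnable simulation. This is not OTX's own code or protocol; the data model, the two validation rules and the events are assumptions made for the example. It exists mainly to make the validation step concrete: an exchange that redistributes whatever it is sent can be fed a victim's own private address space or a single false report, and every subscriber would then block the wrong thing.

```python
"""The sharing loop from the diagram: observe -> anonymous contribution ->
validation -> distribution -> identify malicious activity.

Added example, not AlienVault's OTX code or protocol. Data model, validation
rules, tokens and events are constructed assumptions.
"""
import ipaddress
from collections import defaultdict

# Address space that can only be a victim's own network or a reporting error.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

class Exchange:
    """Central exchange: collects contributions, validates them, publishes a feed."""
    MIN_REPORTERS = 2  # assumed policy: two independent installations must agree

    def __init__(self):
        self.reporters = defaultdict(set)   # attacker ip -> contributor tokens
        self.signatures = defaultdict(set)  # attacker ip -> signatures observed

    def contribute(self, token, report):
        """Step 3, data validation. Returns True if the report was accepted."""
        try:
            ip = ipaddress.ip_address(report["attacker_ip"])
        except ValueError:
            return False
        if ip.is_multicast or ip.is_unspecified or any(ip in n for n in NON_ROUTABLE):
            return False  # publishing this would make subscribers block themselves
        self.reporters[str(ip)].add(token)
        self.signatures[str(ip)].add(report["signature"])
        return True

    def feed(self):
        """Step 4, distribution: only corroborated indicators leave the exchange."""
        return {ip: sorted(self.signatures[ip])
                for ip, who in self.reporters.items() if len(who) >= self.MIN_REPORTERS}

class Installation:
    """A USM/OSSIM-style sensor that reports what it sees and consumes the feed."""
    def __init__(self, token, exchange):
        # The token is an opaque per-install id used only to count independent
        # sources; nothing about the organisation behind it is sent.
        self.token, self.exchange = token, exchange
        self.feed = {}

    def observed_attack(self, event):
        """Steps 1-2: keep only attacker-side facts, drop victim host and user."""
        report = {"attacker_ip": event["src_ip"], "signature": event["signature"]}
        self.exchange.contribute(self.token, report)
        return report

    def update_feed(self):
        self.feed = self.exchange.feed()

    def check(self, event):
        """Step 5: return the feed's signatures for the event's source, or None."""
        return self.feed.get(event["src_ip"])

def sharing_demo():
    """Run the loop over constructed events; return what a third installation learns."""
    ex = Exchange()
    site1, site2, site3 = (Installation(t, ex) for t in ("tok-1", "tok-2", "tok-3"))
    brute = {"src_ip": "203.0.113.7", "signature": "SSH brute force",
             "dst_ip": "10.0.0.5", "user": "root"}
    site1.observed_attack(brute)
    site2.observed_attack(dict(brute, dst_ip="10.9.9.9", user="admin"))
    site1.observed_attack({"src_ip": "192.168.1.10", "signature": "Port scan",
                           "dst_ip": "10.0.0.6"})   # rejected: private source
    site1.observed_attack({"src_ip": "198.51.100.9", "signature": "Web shell upload",
                           "dst_ip": "10.0.0.7"})   # one reporter only: not distributed
    site3.update_feed()
    return {
        "feed": site3.feed,
        "hit": site3.check({"src_ip": "203.0.113.7", "dst_ip": "172.16.0.4"}),
        "miss": site3.check({"src_ip": "198.51.100.9", "dst_ip": "172.16.0.4"}),
    }

if __name__ == "__main__":
    print(sharing_demo())
```

Installation 3 never saw the brute-force source itself, which is the whole point of the loop; it also never learns which organisations reported it or which hosts they lost, because that detail was dropped at the contributing installation, not at the exchange.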
Current OTX Participation
• 17,000 contributions per day
• 140 countries
• 500k IPs, URLs, and malware samples analyzed daily
Attack Trends and Examples
• Current attack trends include:
  – Stealth malware
  – HTTP/HTTPS C&C channels
  – Anti-forensics
  – New and varied DDoS tactics
  – Myriad Web app attacks
  – Client-side attacks with social engineering as the primary attack vector
• How can we learn about these?
Conclusion
• We’re all facing attacks, all the time
• We have a lot of data – why not share it?
• To advance the state of threat intelligence, we’ll need to collaborate and correlate data at a much larger scale
• OTX is one effort to do just that