TRANSCRIPT
October 25, 2017 Chicago, IL USA
Threat Intelligence and Risk, a Wild Goose Chase? Rob Gresham Security Solutions Architect, Phantom
| 2
My years in information security…
Hobbies: Home Improvement, traveling, running. @SOCologize. Oh, and infosec…
• Gaming Geek (Atari User)
• Cyber Warrior (Information Assurance)
• Joins a Startup (likes to work… A LOT OF work!)
• Incident Responder, Network Defender (Team Builder)
| 3
Explosion of IoT and Porous Boundaries
http://assets.investmentu.com/contents/2016/08/iotgraph.jpg
| 4
Understanding Risk Calculus
• Define the risks and measure them
• It’s about context and not content
• Think like an attacker
• Knowing is half the battle, analyzing is one step to winning
https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks
Risk Management: Hazard/Risk = Likelihood x Impact
| 5
Understanding Attack Pathways
https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks
| 6
Overview of Threat Intelligence
Business Threat Landscape: Insider Threat and Hacktivists – Cyber Crime – Nation States (External Threats)
Strategic Intelligence: Board Level Awareness – Security Vision – Policy and Planning – Threat Statistics & Reporting
Operational Intelligence: Decision Making – Awareness & Proactive Threat Assessments and Analysis – Partner Integration
Tactical Intelligence: Threat Library Sharing/Automation – Atomic Indicators, Incident & Intrusion Analysis, Malware Reverse Engineering
| 7
Why Threat Intelligence Matters to Risk
https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks
| 8
Strategic Intelligence
• What reports should I read?
• How do these threats apply to my industry?
• What do I need to do now?
• How does the threat landscape affect the business risks?
• What data is being targeted?
• How do I plan for the future?
Board Level Threat Awareness with threat statistics and reporting
| 9
Contextual Risk - Threat Means and Motive
• Characterize the methods towards motives
• Develop relationships to vulnerabilities
• Understand strategic planning and…
What problem are we trying to solve?
[Pie chart: breakdown of attacks by type, in percent; categories shown: Malware, Account Hijacking (CC / H), Targeted Attack, SQLi, DDoS, Malvertising, Defacement, Unknown (CC / CW / H)]
| 10
Contextual Risk - Vulnerability Exposure
• 26% - Exploited User
• 38% - Malicious Files
• 25% - Email/Website Malicious content
Equals 89% Risk from Phishing
Nothing new, right? Q: When does a cool sexy new security product protect? e.g. Endpoint Detection and Response (EDR/IDR)
[Pie chart: vulnerability exposure by vector; labelled slices: Authenticated locally logged on user with limited privileges 26%; Website or e-mail with malicious content 25%; Malicious remote network traffic 6%; Website with malicious content 5%]
| 11
Adversarial Tactics, Techniques and Common Knowledge (ATT&CK)
Containment & Incident Response – Proactive Detection – Mitigation
• Persistence
• Privilege Escalation
• Credential Access
• Host Enumeration
• Defense Evasion
• Lateral Movement
• Execution
• Collection
• Command and Control
• Exfiltration
Higher fidelity on right-of-exploit, post-access phases
Describes behavior sans adversary tools
MITRE, https://attack.mitre.org
| 12
Understand Defensive Courses of Actions
Source: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Courses of action by kill chain phase (cells listed in Detect | Deny | Disrupt | Degrade | Deceive order):
Recon: Web Analytics | Firewall ACL
Weaponize: Network Intrusion Detection (NIDS) | Network Intrusion Prevention
Delivery: Vigilant User | Email Gateway, Proxy filter | In-line AV | Queuing | Quarantine
Exploit: HIDS, Sandbox | Patching | Data Execution Protection
Control: NIDS | Firewall ACL, Content Filters | NIPS | Tarpit | DNS Redirect
Execute: Host Intrusion Detection (HIDS) | chroot jail, Host Firewall | AV, EDR?
Maintain: Audit Logs, SIEM | IR Analyst, DLP | IR Analyst, DLP | Quality of Service | Honeypot, HoneyToken
| 13
Operational Intelligence - Decision Making and Analysis
• What information is already out there? Paste sites, Dark Web, etc.
• Am I already compromised?
• How can I be attacked?
Open Source Intelligence – Contextual Threat Intelligence (Region & Vertical)
| 15
Lost Credentials - https://haveibeenpwned.com/
| 16
Lost Credentials - https://haveibeenpwned.com/
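Added example, not from the deck or from Phantom: checking whether a password is in a breach corpus the way the Have I Been Pwned "Pwned Passwords" range lookup works, where only the first five hex characters of the SHA-1 leave the host and the suffix is matched locally. The range response body is constructed sample data, and the range-endpoint URL format is stated as an assumption.

```python
import hashlib

# Constructed sample of a Pwned Passwords "range" response body (not real breach data).
# Each line is "<35-hex-char SHA-1 suffix>:<count of breaches it was seen in>".
SAMPLE_RANGE_BODY = (
    "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"
    "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1\r\n"
)

# Assumed URL format of the range endpoint; only the 5-char prefix is ever sent.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_body(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF, blank lines ignored) into a dict."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        if len(suffix) != 35 or not count.isdigit():
            continue  # skip malformed lines rather than trusting them
        counts[suffix.upper()] = int(count)
    return counts


def exposure_count(password: str, range_body: str) -> int:
    """Return how many times the password's full SHA-1 appears in the range
    response fetched for its prefix, or 0 if it is not listed."""
    _prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_body(range_body).get(suffix, 0)


if __name__ == "__main__":
    prefix, _ = sha1_prefix_suffix("password")
    print("would query:", RANGE_URL.format(prefix=prefix))
    print("exposure count:", exposure_count("password", SAMPLE_RANGE_BODY))
```

In production the body would be fetched from the range URL for the prefix; the matching logic stays the same.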
| 17
Bank Identification Numbers
Visualize your lost credentials here…
| 18
Dark Web Exploits for Sale
| 19
Operational Intelligence – Do we need to act?
| 20
Is the Vuln Exploitable?
| 21
Operational Intelligence – Define the So What?
| 22
Operational Intelligence – Define the So What?
| 23
Open Source Intelligence – Dig Deep
| 24
Operational Intelligence Define the So What then Pivot to Tactical
| 25
Operational Intelligence Define the So What then Pivot to Tactical
| 26
Tactical Intelligence
Signatures, Indicators of Compromise, Behavior Analysis. Intrusion prevention, sandbox, endpoint. Vendors, industry partners: are you sharing? Bring the HEAT to the Adversary!!
Pyramid of Pain (top to bottom):
• TTPs
• Tools
• Network/Host Artifacts
• Domain Names
• IP Addresses
• Hashes
David Bianco, Pyramid of Pain, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
| 27
Contextual Impact
| 28
Contextual Impact - Focus on what is important
• Protect the pathways to and from critical systems and data
• Use the business continuity plans to define the crown jewels
• Reduce the impact to the enterprise
| 29
Ineffective Response = Huge Business Impact
From 200 to 2100 affected systems in less than 48 hours – why?? Pinkslipbot/Qbot – a cybercrime worm that spreads over network shares and that steals banking credentials, logged-on and admin credentials, among others.
[Chart: affected servers and workstations over time (y-axis 0 to 2500), with markers for 1st Detect, 2nd Detect, Contain, Eradicate and Recover]
| 30
Key Takeaways
Where’s the Val
• Intelligence preparation allows us to understand what’s important
• Strategic Intelligence supports technology needs
• Operational Intelligence remediates risk and supports process
• Tactical intelligence mitigates impact
• Vulnerabilities will continue...
• People can understand the threat, respond quickly and reduce the impact
| 31
About Phantom
Problem Today
• Resources: shortage of 1 million security professionals
• Products: endless assembly line of point products
• Static: independent controls with no orchestration
• Speed: speed of detection, triage, and response time must improve
• Costs: costs continue to increase
| 32
Automating Security Operations
[Diagram: Observe / Orient / Decide / Act loop applied to security operations]
• Point Products (Observe / Sensing): Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation
• Analytics (Orient / Sense-making): SIEM, Threat Intel Platform, Hadoop, GRC
• Decision Making: Tier 1 / Tier 2 / Tier 3 analysts (manual, today) versus automated
• Acting: back through the point products (Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation)
| 34
Shameless Plug
blog.phantom.us
twitter.com/tryphantom
Phantom-community Rob Gresham Security Solutions Architect [email protected] JOIN US @ phantom.us/join
The 1st Community-Powered Security Automation & Orchestration Platform
Thank You