
[ENG ver.] Techrisk 2017: (CTI) Data or Wisdom?


English version of slides - Techrisk 2017 (Wrocław/Poland)

White Cat Security

June 23, 2017


Transcript

  1. CTI: Data or Wisdom? (TLP: WHITE)
     21-22 June 2017, WROCŁAW
     Przemysław Skowron, White Cat Security
  2. Przemysław Skowron
     • IT Security professional since 2004
     • almost 7 years in the financial sector - Alior Bank S.A. Group (2008-2015)
     • responsible for building the first CSIRT in the financial sector in Poland
  3. White Cat Security (2015-)
     • 4 Consultants (Core Team)
     • Customers: ~ half of the companies from the WIG20 index on the Warsaw Stock Exchange
     • We deliver what we were lacking before:
       • Experience from successes and failures - lessons learned from building SOC/CERT
       • Incident Response services
       • Threat Intelligence
       • [SOON] We are going to organise Threat Hunting
       • [On Demand] Training [SOC / IR / TI / TH]
     • no dependency on any particular security solutions
  4. Assumptions (1/10)
     • Intelligence: Conclusions from Data = Wisdom
     • Wisdom is supposed to allow readiness for attack prevention based on:
       • known attacks from the past
       • ongoing attacks
       • future attacks*
     * - no matter if we know about them before execution
  5. Assumptions (2/10)
     Requirements (examples):
     • I want to know about a new threat actor:
       • What are his goals and motives? (strategy, aims)
       • How does he operate? (TTP)
       • What tools is he using? (capabilities)
       • Are these tools leaving any traces? (host/net type artifacts)
       • How do I know that I was compromised? (IOC)
  6. Assumptions (3/10)
     Requirements (examples):
     • I want to know about a new threat actor: Lazarus 2009-
       • What are his goals and motives? (strategy, aims): financial sector 2015-
       • How does he operate? (TTP) -> next slide
       • What tools is he using? (capabilities)
       • Are these tools leaving any traces? (host/net type artifacts)
       • How do I know that I was compromised? (IOC)
  7. Assumptions (4/10)
     • TTP:
       • Tactics - steps: full control over the infected host
       • Technique - methods: communicate to C2 over a commonly used port
       • Procedures - implementation: connection over port 443/TCP with encryption (TLS)
  8. Assumptions (4/…)
     Requirements (examples):
     • I want to know about a new criminal group: Lazarus 2009-
       • What are their goals and motives? (strategy, aims): financial sector 2015-
       • How do they operate? (TTP)
       • What tools do they use? (capabilities)
       • Do these tools leave artifacts? (host/net type artifacts)
       • How do I know that I was compromised? (IOC)
     Source: https://car.mitre.org/caret/
  9. Assumptions (6/10)
     Requirements (examples):
     • I want to know about a new threat actor: Lazarus 2009-
       • What are his goals and motives? (strategy, aims): financial sector 2015-
       • How does he operate? (TTP) -> previous slide
       • What tools is he using? (capabilities) -> previous presentation
       • Are these tools leaving any traces? (host/net type artifacts) - ibid
       • How do I know that I was compromised? (IOC)
  10. Assumptions (6/…)
      Requirements (examples):
      • I want to know about a new criminal group: Lazarus 2009-
        • What are their goals and motives? (strategy, aims): financial sector 2015-
        • How do they operate? (TTP) -> previous slide
        • What tools do they use? (capabilities) -> previous presentation
        • Do these tools leave artifacts? (host/net type artifacts) - ibid
        • How do I know that I was compromised? (IOC) ->
  11. Assumptions (8/10)
      Wisdom is supposed to allow readiness for attack prevention based on:
      • known attacks from the past
      • ongoing attacks
      • future attacks*
  12. Assumptions (10/10)
      When did you last receive new data/information about the Bluenoroff group?
      What conclusions were drawn from that information?
      NO CONCLUSIONS = NO VALUE
  13. Threat Intelligence life cycle
      • Collection
        • Input:
          • (un)structured data - usually IOC (IP, domain, hash, URL)
          • no context (description, time period of relevance)
          • sometimes with errors, e.g. typos
          • sometimes hastily evaluated as IOC
        • Output:
          • structured data
          • initially verified for false-positive generation
  14. Threat Intelligence life cycle
      • Collection
        • Data sources:
          • OSINT
          • KMT groups (Know, Meet, Trust) and related contacts
          • Deep/Dark Web and other dark places
          • Incident Response (IR)
          • Others
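The Collection stage described in the two slides above takes unstructured IOC input (no context, typos, hastily added entries) and must output structured data that is pre-screened for false positives. The following is an added example, not code from the talk or from White Cat Security: it refangs and normalises each line of a constructed feed, assigns an IOC type, marks typos and hex strings of no known digest length as malformed, collapses case variants, and flags addresses that cannot be external infrastructure as suspected false positives. The feed contents, the NONROUTABLE list and the status labels are assumptions made for the example.

```python
import ipaddress
import re
RAW_FEED = """# constructed sample feed (not from the talk), no period of relevance given
198.51.100.23
10.0.0.5
malicious-example[.]com
MALICIOUS-EXAMPLE[.]COM
bad-example,com
hxxp://198.51.100.23/payload.bin
0123456789abcdef0123456789abcdef
deadbeef
"""
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
HEX = re.compile(r"^[0-9a-f]+$")
DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
# RFC 1918 and loopback ranges: cannot be external attacker infrastructure (assumed list).
NONROUTABLE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def refang(value: str) -> str:
    return value.strip().lower().replace("hxxp", "http").replace("[.]", ".")  # undo defanging, normalise case

def classify(raw: str) -> dict:
    """One raw line -> structured record: normalised value, IOC type, triage status."""
    v = refang(raw)
    rec = {"value": v, "type": "unknown", "status": "ok"}
    try:
        ip = ipaddress.ip_address(v)
        rec["type"] = "ip"
        if any(ip in net for net in NONROUTABLE):
            rec["status"] = "suspect-fp"   # e.g. someone's internal scanner, not a C2
    except ValueError:
        if v.startswith(("http://", "https://")):
            rec["type"] = "url"
        elif HEX.match(v):
            rec["type"] = HASH_TYPES.get(len(v), "unknown")
            rec["status"] = "ok" if len(v) in HASH_TYPES else "malformed"  # hex of no known digest length
        elif DOMAIN.match(v):
            rec["type"] = "domain"
        else:
            rec["status"] = "malformed"    # e.g. the typo "bad-example,com"
    return rec

def structure_feed(text: str) -> list:
    """Collection output: comments dropped, duplicates collapsed, every IOC typed and triaged."""
    out = {}
    for line in text.splitlines():
        if line.strip() and not line.lstrip().startswith("#"):
            rec = classify(line)
            out.setdefault(rec["value"], rec)   # first sighting wins; case variants merge
    return list(out.values())
```

Records with status "malformed" or "suspect-fp" are the ones an analyst should look at before the feed is loaded into any blocking control; the type field is what later Enrichment keys on.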
  15. Threat Intelligence life cycle
      • Enrichment
        • Input:
          • structured data
          • initially verified for false-positive generation
          • new data sources discovered from connections with already collected data
        • Output:
          • more IOC, artifacts, tools description, TTP, Threat Actor
  16. Threat Intelligence acquisition cycle
      • Enrichment
        • Input:
          • structured data
          • initially verified for false positives
          • new data sources discovered from connections with what we already have
        • Output:
          • more IOC, artifacts, tools description, TTP, Threat Actor
  17. Threat Intelligence life cycle
      • Analysis
        • Input:
          • more IOC, artifacts, tools description, TTP of Threat Actor
        • Output:
          • data modeling (e.g. Kill Chain, Diamond Model)
  18. Threat Intelligence acquisition cycle
      • Analysis
        • Input:
          • more IOC, artifacts, tools description, TTP, Threat Actor
        • Output:
          • data modeling (e.g. Kill Chain, Diamond Model)
      Source: http://www.lockheedmartin.com
  19. Threat Intelligence life cycle
      • Consumption
        • Input:
          • data modeling (e.g. Kill Chain, Diamond Model)
        • Output (examples):
          • by observing detected or blocked:
            • TTP/Tools/Artifacts/IOC*
          • you know how bad/good it is (you recognise the APT campaign stage and you know where the intruders are)
  20. Summary (1/2)
      • You know if the attacker is threatening your organisation
      • You know what you cannot observe (events)
      • You know what you need to monitor (detect)
      • You know what you want to control (prevention/blocking)
  21. Summary (1/2)
      • You know if the attacker is threatening your organisation
      • You know what you cannot observe (events)
      • You know what you need to monitor (detect)
      • You know what you want to control (prevention/blocking)
      KNOW YOUR ENEMY
  22. Summary (2/2)
      • Act on Threat Intelligence during RFI/RFP (Tools)
      • Build a TI Team or outsource it with requirements (People)
      • Consume (Process)
  23. Q&A session
      “Not memory for memory’s sake, not accumulation of knowledge, but synthesis and application.” -- Bruce Lee