since 2004
• almost 7 years in the financial sector - Alior Bank S.A. Group (2008-2015)
• responsible for building the first CSIRT in the financial sector in Poland
Consultants (Core Team)
• Customers: ~ half of the companies in the WIG20 index on the Warsaw Stock Exchange
• We deliver what we were lacking before:
  • Experience from successes and failures - lessons learned from building a SOC/CERT
  • Incident Response services
  • Threat Intelligence
  • [SOON] We are going to organise Threat Hunting
  • [On Demand] Training [SOC / IR / TI / TH]
• no dependency on any particular security solutions
Data = Wisdom
• Wisdom is supposed to allow readiness for attack prevention based on:
  • known attacks from the past
  • ongoing attacks
  • future attacks*
* - no matter whether we know about them before execution
want to know about a new threat actor:
• What are his goals and motives? (strategy, aims)
• How does he operate? (TTP)
• What tools is he using? (capabilities)
• Are these tools leaving any traces? (host/net type artifacts)
• How do I know that I was compromised? (IOC)
want to know about a new threat actor: Lazarus 2009-
• What are his goals and motives? (strategy, aims) financial sector 2015-
• How does he operate? (TTP) -> next slide
• What tools is he using? (capabilities)
• Are these tools leaving any traces? (host/net type artifacts)
• How do I know that I was compromised? (IOC)
steps: full control over the infected host
• Technique - methods: communicate to C2 over a commonly used port
• Procedures - implementation: connection over port 443/TCP with encryption (TLS)
want to know about a new criminal group: Lazarus 2009-
• What are their goals and motivations? (strategy, aims) financial sector 2015-
• How do they operate? (TTP)
• What tools do they use? (capabilities)
• Do these tools leave artifacts? (host/net type artifacts)
• How do I know that I was compromised? (IOC)
Source: https://car.mitre.org/caret/
want to know about a new threat actor: Lazarus 2009-
• What are his goals and motives? (strategy, aims) financial sector 2015-
• How does he operate? (TTP) -> previous slide
• What tools is he using? (capabilities) -> previous presentation
• Are these tools leaving any traces? (host/net type artifacts) - ibid
• How do I know that I was compromised? (IOC)
want to know about a new criminal group: Lazarus 2009-
• What are their goals and motivations? (strategy, aims) financial sector 2015-
• How do they operate? (TTP) -> previous slide
• What tools do they use? (capabilities) previous presentation
• Do these tools leave artifacts? (host/net type artifacts) as above
• How do I know that I was compromised? (IOC) ->
data - usually IOC (IP, domain, hash, URL)
  • no context (description, time period of relevance)
  • sometimes with errors, e.g. typos
  • sometimes hastily evaluated as IOC
• Output:
  • structured data
  • initially verified for false-positive generation
Threat Intelligence life cycle
• Input:
  • structured data
  • initially verified for false-positive generation
  • new data sources discovered from connections with already collected data
• Output:
  • more IOC, artifacts, tool descriptions, TTP, Threat Actor
• Input:
  • structured data
  • initially verified for false positives
  • new data sources found on the basis of connections with what we already have
• Output:
  • more IOC, artifacts, tool descriptions, TTP, the Threat Actor
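The first stage of the life cycle described above (a raw, context-free IOC list turned into structured data that is initially checked for false-positive generators) as an added example; this is not code from the talk, and the feed lines, source name, date and the benign allow-list are constructed assumptions:

```python
import re
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed sample feed (not from the talk): bare indicators with no context,
# one truncated hash (a "typo") and one public resolver hastily listed as an IOC.
RAW_FEED = """192.0.2.45
exampe-c2.test
http://203.0.113.9/update.php
d41d8cd98f00b204e9800998ecf8427e
8.8.8.8
d41d8cd98f00b204e9800998ecf8427
"""

# Hypothetical allow-list: infrastructure too widely used to act on as an IOC.
BENIGN = frozenset({"8.8.8.8", "1.1.1.1"})
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

def classify(value):
    """Map one raw feed line to (ioc_type, normalised_value), or None if malformed."""
    v = value.strip().lower()
    if re.fullmatch(r"[0-9a-f]+", v) and len(v) in HASH_LENGTHS:
        return HASH_LENGTHS[len(v)], v
    try:
        return "ip", str(ip_address(v))      # also normalises IPv6 spelling
    except ValueError:
        pass
    if v.startswith(("http://", "https://")) and urlparse(v).netloc:
        return "url", v
    if DOMAIN_RE.match(v):
        return "domain", v
    return None  # typo, truncated hash or stray text: needs an analyst, not a block rule

def structure_feed(raw, source, seen_on):
    """Return (accepted, rejected). Accepted records carry the context the raw
    feed lacked; rejected entries keep the reason so they can be reviewed."""
    accepted, rejected = [], []
    for line in raw.splitlines():
        if not line.strip():
            continue
        kind = classify(line)
        if kind is None:
            rejected.append((line.strip(), "unparseable"))
        elif kind[1] in BENIGN:
            rejected.append((kind[1], "known-benign"))
        else:
            accepted.append({"type": kind[0], "value": kind[1], "source": source,
                             "first_seen": seen_on, "confidence": "unverified"})
    return accepted, rejected
```

Each accepted record starts with confidence "unverified"; the later stages of the life cycle (connections to already collected data, TTP, threat actor) are where that field would be raised.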
• Input:
  • data modeling (e.g. Kill Chain, Diamond Model)
• Output (examples):
  • by observing detected or blocked:
    • TTP/Tools/Artifacts/IOC*
  • you have knowledge of how bad/good it is (you recognise the APT campaign stage and you know where the intruders are)
the attacker is threatening your organisation
• You know what you cannot observe (events)
• You know what you need to monitor (detect)
• You know what you want to control (prevention/blocking)
KNOW YOUR ENEMY