If it bleeds we can kill it

2013 SANS CTI Summit

Rick Holland

March 22, 2013

Transcript

  1. © 2012 Forrester Research, Inc. Reproduction Prohibited
     “If it bleeds we can kill it”: Leveraging CTI to take the fight to the adversary
     Rick Holland, Senior Analyst, March 22, 2013, @rickhholland
  2. 2013 has been rough so far; we’ve been hit hard
  4. Our tactics are not effective
  5. Check out our tools! M134 Mini Gun
  6. Advanced malware? No problem!! M134 Mini Gun
  7. If it bleeds we can kill it
  8. Time for a new approach
  9. Introducing Cyber Threat Intelligence (CTI): intelligence about external threat actors and active external threats
  10. Redefining Intelligence
  11. The Intelligence Cycle
  12. Intelligence Disciplines: Open Source Intelligence
      OSINT is "the discipline that pertains to intelligence produced from publicly available information . . . ." This information is provided "without the expectation of privacy," and could be "lawfully seen or heard by any casual observer."
  13. Intelligence Disciplines: Human Intelligence
      HUMINT is "the collection by a trained human intelligence collector of foreign information from people and multimedia to identify elements, intentions, composition, strength, dispositions, tactics, equipment, and capabilities."
  14. Intelligence Disciplines: Counter Intelligence
      CI is "information gathered and activities performed to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations performed for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities."
  15. Attribution
      •  CTI is more than just attribution
      •  Many enterprises discount attribution: “Why do I need to know who is attacking me?”
      •  Attribution isn’t easy; it takes time
      •  Observing attacker Tactics, Techniques and Procedures enables attribution
      •  Alternative analysis required: question your judgment and assumptions
      •  Apply a high level of rigor to your analysis
  16. Offensive Security / Hacking Back
      •  Could violate the statutes of the Computer Fraud and Abuse Act
      •  How confident are you in your attribution? Will you strike back at innocent victims?
      •  Are you prepared for potential adversary escalation after striking back?
      •  Leave offensive security to the professionals: 3 letter agencies & their government contractors
  17. Active Defense
  19. Why You Might Not Be Ready For CTI
  22. Do you know what assets / people you need to protect?
  23. Do you have mature Incident Response capabilities?
  24. Process for global password change, including local admin?
  25. Process to block C&C sources?
  26. Process to enable IR teams’ autonomy to make critical decisions?
  27. Building It
  28. Establish Buy-in
      Garner support from non-technical business leaders by:
      •  Using intelligence to communicate risk
      •  Determining the true scope and severity of attacks
      •  Demonstrating the ROI on previous investments
      •  Until the CTI program is mature, maintaining buy-in will be an ongoing process
  32. Staff The Team
      •  Analysis is the differentiator; invest appropriately
      •  Career pathing
      •  Diverse skillsets strengthen the team:
         •  Cultural/geopolitical knowledge
         •  Business unit knowledge
         •  Incident handling
         •  Pen testing
         •  Scripting/programming
      •  Recruit former intelligence analysts and officers
  33. Establish Intel Sources
  35. Derive Intelligence
  36. Intelligence Driven Defense
  37. Collective Intelligence Framework
      •  Parses public and private feeds and normalizes the data so you can query against it
      •  Do we have hosts on these lists?
      •  What is the threat from our business partners who have extranet connections?
      •  Feed our detective/preventive controls
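As an added illustration of the parse, normalize and query loop this slide attributes to CIF (example code written for this transcript, not CIF's own code): two constructed feeds in different formats are merged into one indicator table and then queried with observed hosts, answering "Do we have hosts on these lists?" with a CIDR-aware match and a confidence floor. Feed names, indicator values and confidence numbers are placeholders.

```python
import csv
import ipaddress
# Constructed feeds: an RFC 5737 documentation range and a .invalid name, not real indicators.
CSV_FEED = """indicator,type,confidence
198.51.100.0/24,ipv4,85
example-bad.invalid,domain,60
"""
PLAIN_FEED = """# constructed blocklist, one indicator per line
203.0.113.7
example-bad.invalid
"""
def parse_csv_feed(text, source):
    # this feed already carries an indicator type and a confidence value
    return [{"indicator": r["indicator"], "type": r["type"], "confidence": int(r["confidence"]), "source": source}
            for r in csv.DictReader(text.splitlines())]

def parse_plain_feed(text, source, confidence=50):
    rows = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):
            kind = "ipv4" if line[0].isdigit() else "domain"  # bare list: infer type, assign our own confidence
            rows.append({"indicator": line, "type": kind, "confidence": confidence, "source": source})
    return rows

def normalize(*feeds):
    # one table keyed by indicator: keep the highest confidence and every source that lists it
    table = {}
    for row in (r for feed in feeds for r in feed):
        key = row["indicator"].lower()
        entry = table.setdefault(key, {"type": row["type"], "confidence": 0, "sources": set()})
        entry["confidence"] = max(entry["confidence"], row["confidence"])
        entry["sources"].add(row["source"])
    return table

def _matches(kind, key, value):
    if kind == "ipv4":  # CIDR-aware, so a single host hits a /24 that contains it
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(key, strict=False)
        except ValueError:
            return False
    value = value.lower()
    return value == key or value.endswith("." + key)

def query(table, observed, min_confidence=0):
    # "Do we have hosts on these lists?" -> {observed value: matching indicator}
    hits = {}
    for value in observed:
        for key, entry in table.items():
            if entry["confidence"] >= min_confidence and _matches(entry["type"], key, value):
                hits[value] = key
    return hits
```

Raising min_confidence is the "monitor, then block" knob: low-confidence feed entries can feed detection while only high-confidence ones go to preventive controls.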
  38. Maltego
      •  Maltego is an open source intelligence and forensics application
      •  Used to determine the relationships and real world links between:
         •  People, Groups, Companies, Web sites, Domains, DNS Names, Netblocks, IPs, Phrases, Affiliations, Documents & Files
      •  Visually demonstrates interconnected links between searched items
      •  Palantir is a big data analytics platform used for similar purposes
  40. Building versus Buying
  41. Build Versus Buy
      •  Defense industrial base, financial services and some technology companies have mature in-house CTI capabilities
      •  Forrester sees oil & gas and pharmaceutical moving in this direction
      •  Many organizations will not build out robust CTI teams; economics and operations issues
      •  For many organizations a “threat feed” or CTIaaS will be the extent of their CTI capability
      •  MSSP clients will add the CTI offering to their services
  42. OPSEC & Intel Sharing
  45. Indicators
  46. OpenIOC
      •  Open Indicators of Compromise
      •  Characteristics of threat, methodology, or other evidence of compromise
      •  Host indicator focus
      •  Standardized XML format for sharing
      •  Free tools (IOC Editor, IOC Finder, Redline)
      •  FireEye & Palo Alto integrations recently announced
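An added example of consuming the standardized XML format this slide refers to (example code written for this transcript, not from the talk or from any OpenIOC tool): a constructed OpenIOC 1.0 document with a nested OR/AND indicator tree is parsed and evaluated against host observations, which is the automated consumption the later APT1 slide asks for. The hash, names and ids in the document are placeholders, and only the "is" and "contains" conditions are implemented.

```python
import xml.etree.ElementTree as ET
NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
# Constructed OpenIOC 1.0 document (placeholder hash and names, not a real indicator):
# hit if the file hash is seen, OR both the process name and the registry value are seen.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="ioc-placeholder-0001">
 <definition>
  <Indicator operator="OR" id="ind-1">
   <IndicatorItem id="item-1" condition="is">
    <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
    <Content type="md5">00000000000000000000000000000000</Content>
   </IndicatorItem>
   <Indicator operator="AND" id="ind-2">
    <IndicatorItem id="item-2" condition="contains">
     <Context document="ProcessItem" search="ProcessItem/name" type="mir"/>
     <Content type="string">svchost</Content>
    </IndicatorItem>
    <IndicatorItem id="item-3" condition="is">
     <Context document="RegistryItem" search="RegistryItem/ValueName" type="mir"/>
     <Content type="string">ExamplePersistence</Content>
    </IndicatorItem>
   </Indicator>
  </Indicator>
 </definition>
</ioc>"""

def item_matches(item, host):
    """One IndicatorItem against host facts: {search term: [observed values]}."""
    search = item.find("ioc:Context", NS).get("search")
    needle = (item.find("ioc:Content", NS).text or "").strip().lower()
    values = [v.lower() for v in host.get(search, [])]
    cond = item.get("condition")
    if cond == "is":
        return needle in values
    if cond == "contains":
        return any(needle in v for v in values)
    raise ValueError(f"unsupported condition {cond!r}")

def indicator_matches(node, host):
    """Recursively apply the node's AND/OR operator; an empty node never matches."""
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]  # strip the XML namespace
        if tag == "IndicatorItem":
            results.append(item_matches(child, host))
        elif tag == "Indicator":
            results.append(indicator_matches(child, host))
    return bool(results) and (all(results) if node.get("operator") == "AND" else any(results))

def ioc_matches(ioc_xml, host):
    return indicator_matches(ET.fromstring(ioc_xml).find("ioc:definition/ioc:Indicator", NS), host)
```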
  47. MITRE CybOX
      •  Cyber Observable eXpression
      •  “A measurable event or stateful property in the cyber domain”
      •  Very large schema
      •  Wide range of objects, events, & actions
      •  OpenIOCs are a subset of observables
      •  Relies on STIX to describe campaigns
  49. MITRE STIX
      •  Structured Threat Information eXpression
      •  Being tested by US CERT & FS-ISAC
      •  Leverages CybOX
      •  Seeks to enable more robust sharing of indicators that include rich context: the “full spectrum of cyber threat info”
      •  Sean Barnum presented at Blackhat & RSAC this year
  51. IODEF
      •  Incident Object Description Exchange Format
      •  Developed by members of the Internet Engineering Task Force
      •  Defines a data representation that provides a framework for sharing information commonly exchanged by CSIRTs about computer security incidents
      •  Currently being updated
  53. APT1 Report & Actionable Intelligence
      •  “What is an IOC?”
      •  “There’s an appendix?”
      •  “What do I do with it?”
      •  Intelligence needs to be consumed in an automated manner
      •  Vendors are very picky eaters when it comes to consuming intelligence
      •  We suffer from vendor intelligence ecosystem lockdown
  54. Nonbelievers
      “Nothing but a couple of guys running around out there and we gotta take them down!”
  57. Recommendations
  58. Leveraging intel can make the attacker’s job more difficult
  59. Recommendations
      •  You don’t have to be the NSA or DOD to leverage intelligence
      •  CTI is a marathon, not a sprint
      •  Monitor, then block commodity threats
      •  Share, share, share and share some more
      •  Use the tools that meet your unique needs, but don’t get wrapped up in technology; remember people, process and oversight
      •  Develop your own company-specific threat reports/infographics
  60. They’ll be back
  62. 2013 Planned Research
      •  Seven Habits of Highly Effective Incident Response Teams
      •  Proactive Defense: Operational and Management Implications
      •  Market Overview: Threat Intelligence Services
      •  Wave: Managed Service Provider Threat Intelligence Services
  63. Rick Holland
      rholland@forrester.com
      http://blogs.forrester.com/rick_holland
      @rickhholland
      Thank you