IBM Cyber Threat Analysis
Transcript of IBM Cyber Threat Analysis
© 2015 IBM Corporation
i2 Enterprise Insight Analysis
The Awakening of Cyber Analysis (IBM i2 Safer Planet)
Bob Stasio – Sr. Product Manager, Cyber Analysis
FIN 4 Group Arrested
Fig. 1: Malicious prompt to capture credentials
Fig. 2: Generic lure document
$100 Million Dollars in profit since 2013
32 people involved in multiple countries
The growth of asymmetric threats is changing the landscape
Information security has become a human vs. human problem
Remote control device: hackers negate tens of millions of dollars in security infrastructure with a $30 USD device!
1. A male posing as an IT technician deployed a $30 USD remote control device on a bank branch office computer
2. The crooks connected to the device from a nearby hotel, then accessed the bank's servers
3. The hackers logged into a bank terminal and shifted ~$2.1M USD through 128 transfers into mule accounts
The gang responsible for the theft was caught 13 months later only due to attempting the same attack at another bank
Both security and analysis must address the problem
Chart: Non-Linear Relationship Between Effectiveness and Cost (x-axis: Level of Effort / Investment; y-axis: Percent of Threats Stopped, ticks at 80%, 90%, 99.9%). Stages along the curve, from low to high effort: Implement a Security Framework, Advanced Security Intelligence, Cyber Analysis (High Effort).
Example of Personnel: Information Security (Tier One SOC Analyst, Incident Responders); Cyber Analysis (Cyber Analysts)
Intelligence as a Time Horizon
Chart: roles placed along a time horizon running from Information Security to Cyber Analysis: Tier One SOC Analyst, Tier Two SOC Analyst, Incident Responders, Threat Researchers, Cyber Analysts
Learning from medical analogies
Tier One – Hygiene
  Medical threat example: Common hospital-associated infections. Mitigation strategy: washing hands, wearing masks and scrubs.
  Security threat example: Commodity threat, individual hackers with widely-used tools. Mitigation strategy: changing passwords, removing unused services, patching.
Tier Two – Specialization
  Medical threat example: Emergent situations (e.g. chest pain, gunshot wound). Mitigation strategy: creation of critical care and preventative medicine discipline.
  Security threat example: Organized crime, semi-tailored fraud and crimeware tools. Mitigation strategy: visibility, monitoring, alerting, response, real-time security analytics.
Tier Three – Research
  Medical threat example: Genetic diseases and cancer. Mitigation strategy: research and tailored genetic treatments.
  Security threat example: Advanced Persistent Threat, nation-state, high resources. Mitigation strategy: cyber analysis, threat intelligence trend analysis, campaign tracking.
The cyber analysis discipline addresses the human dimension
The Cyber Analysis Discipline (diagram: three overlapping circles labelled Forensics Science, Information Security, and Intelligence Analysis)
Cyber Analysis is a new discipline and profession with three subcomponents:
• Information Security blends aspects of network defense, confidentiality, assurance, and malware threats (high expertise from CISO and SOC organizations)
• Intelligence Analysis brings the art of the intel cycle where information is directed, collected, processed, analyzed, produced, and disseminated (high expertise from the military and intelligence communities)
• Forensics Science blends aspects of the investigative process, evidence handling, and latent evidence discovery (high expertise from law enforcement and the IR community)
Human Enabled
Cyber Analysis Results
• Integrated data feeds
• Enterprise awareness
• Compliance monitoring
• Threat discovery
• Risk management
• Enable decisions
Leveraging an analytical platform and internal and external information feeds, Cyber Analysts can help form a deep understanding of the threats targeting your organization
Diagram: feeds into the Analysis Platform (Human Enabled)
Mostly External Sources: Community Info, Threat Indicators, Government Alerts, Social Media / Hacker Forums, Intel Vendors
Mostly IT Sources: PCAP, System Logs, Alerts, SIEM, Vulnerability Scans, SSO/AD, Access Logs
Mostly Human Sources: Account Creation, Badge Logs, Reviews, Behavioral Data, HR Data
These feeds reach the Analysis Platform as Threat Intelligence, Security Intelligence, and Persona Data
IBM's Strategic Threat Analysis Capability
Security Intelligence Platform
Real-time processing
• Real-time data correlation
• Anomaly detection
• Event and flow normalization
• Security context and enrichment
• Distributed architecture
Security Operations
• Pre-defined rules and reports
• Offense scoring and prioritization
• Activity and event graphing
• Compliance reporting
• Workflow management
Cyber Analysis Platform
Multi-Dimensional Analysis
• All-source intelligence
• Anomaly discovery
• Ecosystem visibility
• Scales to 150 TB of data
• Customized configuration
Human-Led Intelligence Discovery
• Visualize linked data
• Identity and relationship resolution
• Geospatial and physical data analysis
• Persona domain threat identification
• Create decision-making products for leaders
Flow: Machine enabled (Security Intelligence Platform) to Human enabled (Cyber Analysis Platform) to Strategic Intelligence
Four Main Pain Points in Cyber Security Today
Hidden Threats Hiding in Network: How do I find the signals in the noise?
Where Should Analysts Look: How to find a needle in a stack of needles?
Lack of Actionable Intelligence: How do leaders make decisions?
Too Much Data, Too Many Sources: How do I put the picture together?
USE CASES
• Finding beaconing • Strange admin logs • Employees caching info • IP theft and exfiltration
• Intelligence led security • Understand vendor risk • Incident reporting • Risk analysis
• SIEM tipping and queuing • External physical threats • Host intrusion correlation • Ext. breach discovery
• APT kill chain analysis • Darkweb integration • IOC historical search • Vulnerability prioritization
IMPACT
$35 Million - SONY
$162 Million - Target
1,400 People - ISIS Hit list
14 months - OBY Cleanup
Tipping, Queuing, and Anomaly Research
Diagram: events that cross an Event Threshold are tipped into EIA for analysis
• 25 Phishing Attempts Blocked
• 3 RDP Attempts Blocked
• 30 GB of Data Exfiltrated
• 2 Malicious Emails Opened
• Server to Server Admin Logon
• Beaconing Activity
APT Kill Chain Detection Example
Kill chain stages: Recon, Weaponization, Delivery, Exploit, Install, C&C, Action
Data sources correlated in EIA across the stages: Proxy Logs, DNS Logs, Firewall Logs, Syslogs, Logon Events
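The two slides above describe tipping (queuing an event once a count crosses a threshold), beaconing detection, and correlating events from several log sources against the kill chain stages. The following is an added example, not IBM i2 or EIA code, that implements those three ideas in plain Python: the event fields, the hypothetical source-to-stage mapping, the thresholds, and the constructed sample events (including the `ws-17` host and the `.invalid` destinations) are all assumptions made for illustration.

```python
"""Tipping, beacon detection and kill-chain correlation over constructed log events.

Added example; the mapping, thresholds and sample data are hypothetical.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

# Kill chain stages in the order the slide lists them.
KILL_CHAIN = ["Recon", "Weaponization", "Delivery", "Exploit", "Install", "C&C", "Action"]

# Hypothetical mapping from (log source, event type) to the stage it evidences.
# Beaconing is deliberately absent: it is derived from timing, not from a label.
STAGE_OF = {
    ("firewall", "inbound_scan"): "Recon",
    ("proxy", "malicious_email_link"): "Delivery",
    ("syslog", "exploit_signature"): "Exploit",
    ("syslog", "new_service_installed"): "Install",
    ("proxy", "large_upload"): "Action",
    ("logon", "server_to_server_admin"): "Action",
}

# Hypothetical tipping thresholds, echoing the counts on the slide.
THRESHOLDS = {"phishing_blocked": 25, "rdp_blocked": 3, "malicious_email_opened": 2}


def tips(events, thresholds):
    """Tipping: count events of each type per host; queue (host, type, count)
    for every pair whose count reaches the configured threshold."""
    counts = defaultdict(int)
    for ev in events:
        counts[(ev["host"], ev["type"])] += 1
    return sorted((h, t, n) for (h, t), n in counts.items()
                  if n >= thresholds.get(t, float("inf")))


def beacon_candidates(events, min_hits=5, max_cv=0.1):
    """Flag (host, dest) pairs whose proxy/DNS requests arrive at near-constant
    intervals: coefficient of variation of inter-arrival gaps at or below max_cv.
    Returns (host, dest, mean period in seconds, hit count)."""
    times = defaultdict(list)
    for ev in events:
        if ev["source"] in ("proxy", "dns") and "dest" in ev:
            times[(ev["host"], ev["dest"])].append(ev["ts"])
    found = []
    for (host, dest), ts in times.items():
        if len(ts) < min_hits:
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            found.append((host, dest, round(avg), len(ts)))
    return found


def stages_per_host(events):
    """Map each host to the set of kill-chain stages its events evidence,
    adding C&C for any host with a detected beacon."""
    seen = defaultdict(set)
    for ev in events:
        stage = STAGE_OF.get((ev["source"], ev["type"]))
        if stage:
            seen[ev["host"]].add(stage)
    for host, _dest, _period, _n in beacon_candidates(events):
        seen[host].add("C&C")
    return seen


def kill_chain_score(events, min_stages=3):
    """Hosts whose events cover at least min_stages distinct stages, deepest
    progression first; stages are reported in kill-chain order."""
    seen = stages_per_host(events)
    ranked = sorted(seen.items(), key=lambda kv: -len(kv[1]))
    return [(h, [s for s in KILL_CHAIN if s in st]) for h, st in ranked
            if len(st) >= min_stages]


# Constructed sample events (not real log data).
T0 = datetime(2015, 6, 1, 9, 0, 0)


def _ev(host, source, typ, minutes, **extra):
    return {"host": host, "source": source, "type": typ,
            "ts": T0 + timedelta(minutes=minutes), **extra}


SAMPLE_EVENTS = [
    _ev("ws-17", "firewall", "inbound_scan", 0),
    _ev("ws-17", "proxy", "malicious_email_link", 5, dest="lure.example.invalid"),
    _ev("ws-17", "syslog", "exploit_signature", 6),
    _ev("ws-17", "syslog", "new_service_installed", 7),
    # six DNS queries exactly 60 s apart: a beacon to a constructed C&C name
    *[_ev("ws-17", "dns", "query", 10 + i, dest="c2.example.invalid") for i in range(6)],
    _ev("ws-17", "proxy", "large_upload", 30, dest="drop.example.invalid", bytes=30 * 2**30),
    # three blocked RDP attempts on another host: reaches the tipping threshold
    *[_ev("ws-03", "firewall", "rdp_blocked", m) for m in (1, 2, 3)],
    # irregular, benign-looking web traffic that must not be flagged as a beacon
    *[_ev("ws-22", "proxy", "web", m, dest="updates.example.invalid") for m in (0, 3, 4, 11, 12, 20)],
]

if __name__ == "__main__":
    print("tipped:", tips(SAMPLE_EVENTS, THRESHOLDS))
    print("beacons:", beacon_candidates(SAMPLE_EVENTS))
    print("kill chain:", kill_chain_score(SAMPLE_EVENTS))
```

The beacon check uses the coefficient of variation of inter-arrival times rather than a fixed period, so it catches a regular beacon without knowing its interval in advance; a jittered beacon would need a looser `max_cv` or a different statistic. The kill-chain ranking orders hosts by how many distinct stages their evidence spans, which is the "stack of needles" prioritisation the deck describes: the host with the deepest progression is what an analyst should look at first.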
Employee Sensitive Data Theft Example
Diagram: sources fused in EIA
(1) DLP Alert from SOC
(2) Badge Records from Physical Security
(3) Social Media Search
(4) HR Records
(5) Print Logs
(6) Legal Team
Vendor Risk Management Example
Vendor Risk Profiles
• A security vendor risk management team interviews and records information about vendors. Reports contain pages of information detailing infrastructure and protection.
Vulnerability Scans
• Periodic vulnerability scans are conducted against vendors' servers which contain sensitive company information.
Social Media Analysis
• Constantly analyze various social media feeds for malicious actors discussing potential threats against vendors.
BitSight Indicator Data
• BitSight provides real-time data concerning botnet and other vulnerability activity stemming from a vendor's infrastructure. The data service provides a real-time risk rating for each vendor.
Darknet Breach Discovery
• By mining various darknet data feeds, the security team may discover indicators of a breach concerning one of the vendors who may hold sensitive company data.
Solution Overview
High Speed Actionable Intelligence
IBM i2 Cyber Analysis and Forensics
• Intelligence Repository
• Unstructured, Open Source and Social Media
• Identity and Relationship resolution (The 'Analyst's Assistant')
• Cyber Security Analytics (SIEM systems)
• Asynchronous Big Data Analytics
• Geospatial Analytics
• Visualisation
All source fusion of data
The Analyst's 'Whiteboard'
Screenshots