Threat Intelligence and Risk, a Wild Goose Chase?
Rob Gresham, Security Solutions Architect, Phantom
October 25, 2017, Chicago, IL USA
Transcript of the slide deck (35 slides)

Page 1

Title slide: Threat Intelligence and Risk, a Wild Goose Chase? Rob Gresham, Security Solutions Architect, Phantom

Page 2

My years in information security…
Hobbies: Home Improvement, traveling, running. @SOCologize. Oh and infosec…

Gaming Geek (Atari User)
Cyber Warrior (Information Assurance)
Joins a Startup (likes to work… A LOT OF work!)
Incident Responder / Network Defender (Team Builder)

Page 3

Explosion of IoT and Porous Boundaries

http://assets.investmentu.com/contents/2016/08/iotgraph.jpg

Page 4

Understanding Risk Calculus

• Define the risks and measure them
• It’s about context and not content
• Think like an attacker
• Knowing is half the battle, analyzing is one step to winning

https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks

Risk Management: Hazard/Risk = Likelihood x Impact

Page 5

Understanding Attack Pathways

https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks

Page 6

Overview of Threat Intelligence

Business Threat Landscape: Insider Threat and Hacktivists – Cyber Crime – Nation States (External Threats)

Strategic Intelligence: Board Level Awareness – Security Vision – Policy and Planning – Threat Statistics & Reporting

Operational Intelligence: Decision Making – Awareness & Proactive – Threat Assessments and Analysis – Partner Integration

Tactical Intelligence: Threat Library – Sharing/Automation – Atomic Indicators – Incident & Intrusion Analysis – Malware Reverse Engineering

Page 7

Why Threat Intelligence Matters to Risk

https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks

Page 8

Strategic Intelligence

Board Level Threat Awareness with threat statistics and reporting

What reports should I read?
How do these threats apply to my industry?
What do I need to do now?
How does the threat landscape affect the business risks?
What data is being targeted?
How do I plan for the future?

Page 9

Contextual Risk – Threat Means and Motive

• Characterize the methods towards motives
• Develop relationships to vulnerabilities
• Understand strategic planning and…

What problem are we trying to solve?

[Pie chart: attack distribution by category – Unknown CC, Unknown CW, Unknown H, Account Hijacking CC, Account Hijacking H, Targeted Attack, SQLi, DDoS, Malvertising, Defacement, Malware; slice values shown: 28%, 23%, 11%, 9%, 7%, 6%, 4%, 4%, 4%, 3%, 1%]

Page 10

Contextual Risk – Vulnerability Exposure

• 26% - Exploited User
• 38% - Malicious Files
• 25% - Email/Website Malicious content
Equals 89% Risk from Phishing

Nothing new right? Q: When does a cool sexy new security product protect? e.g. Endpoint Detection and Response (EDR/IDR)

[Chart: vulnerability exposure by vector]
Authenticated locally logged on user with limited privileges – 26%
Website or e-mail with malicious content – 25%
Malicious remote network traffic – 6%
Website with malicious content – 5%

Page 11

Adversarial Tactics, Techniques and Common Knowledge (ATT&CK)

Containment & Incident Response – Proactive Detection – Mitigation

• Persistence
• Privilege Escalation
• Credential Access
• Host Enumeration
• Defense Evasion
• Lateral Movement
• Execution
• Collection
• Command and Control
• Exfiltration

Higher fidelity on right-of-exploit, post-access phases

Describes behavior sans adversary tools

MITRE, https://attack.mitre.org

Page 12

Understand Defensive Courses of Actions

Source: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Courses of action by kill-chain phase (columns: Detect / Deny / Disrupt / Degrade / Deceive):

Recon – Detect: Web Analytics; Deny: Firewall ACL
Weaponize – Detect: Network Intrusion Detection (NIDS); Deny: Network Intrusion Prevention
Delivery – Detect: Vigilant User, Email Gateway; Deny: Proxy filter; Disrupt: In-line AV; Degrade: Queuing, Quarantine
Exploit – Detect: HIDS, Sandbox; Deny: Patching; Disrupt: Data Execution Protection
Control – Detect: NIDS; Deny: Firewall ACL, Content Filters; Disrupt: NIPS; Degrade: Tarpit; Deceive: DNS Redirect
Execute – Detect: Host Intrusion Detection (HIDS); Deny: chroot jail, Host Firewall; Disrupt: AV, EDR?
Maintain – Detect: Audit Logs, SIEM; Deny: IR Analyst, DLP; Disrupt: IR Analyst, DLP; Degrade: Quality of Service; Deceive: Honeypot, HoneyToken

Page 13

Operational Intelligence – Decision Making Analysis

Decision Making
What information is already out there? Paste sites, Dark Web, etc.
Am I already compromised?
How can I be attacked?
Open Source Intelligence
Contextual Threat Intelligence (Region & Vertical)

Page 14

Page 15

Lost Credentials - https://haveibeenpwned.com/

Page 16

Lost Credentials - https://haveibeenpwned.com/
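The lost-credentials check behind these two slides, as an added example that is not part of the talk and not Phantom's code: it assumes the Have I Been Pwned "Pwned Passwords" range API (https://api.pwnedpasswords.com/range/<prefix>), which takes only the first five hex characters of a password's SHA-1 and returns the matching hash suffixes with breach counts as "SUFFIX:COUNT" lines, so the full hash never leaves the host. The API response used here is constructed so the check runs offline; the function names are the example's own.

```python
"""Checking for lost credentials with the HIBP Pwned Passwords range API.

Added example, not from the talk. Assumes the k-anonymity range endpoint
https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>, which
returns "SUFFIX:COUNT" lines. The response data below is constructed.
"""
import hashlib
import urllib.request

API = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """Upper-case hex SHA-1, the form the range API keys on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fetch_range_live(prefix: str) -> str:
    """Real network fetch of one 5-hex-char bucket (not used by the offline demo)."""
    with urllib.request.urlopen(API + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch=fetch_range_live) -> int:
    """Return how many times the password appeared in breaches, 0 if unseen.

    Only the 5-character prefix is sent; the suffix comparison happens locally.
    """
    digest = sha1_hex_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        cand, _, count = line.strip().partition(":")
        if cand == suffix:
            return int(count)
    return 0


# Constructed offline stand-in for the API: one bucket keyed by prefix.
# The middle suffix is that of SHA-1("password"); every count is made up.
FAKE_RANGES = {
    "5BAA6": "\r\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def fetch_range_fake(prefix: str) -> str:
    """Offline fetcher: unknown buckets come back empty, like a clean range."""
    return FAKE_RANGES.get(prefix, "")


def demo():
    """Constructed demo: a known-bad password versus one absent from the bucket."""
    weak = breach_count("password", fetch=fetch_range_fake)
    clean = breach_count("correct-horse-9f3a-battery", fetch=fetch_range_fake)
    return weak, clean


if __name__ == "__main__":
    print(demo())
```

Pass `fetch_range_live` (the default) to query the real service; the prefix-only exchange is what makes it safe to run against production credential sets during a "what is already out there?" review.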

Page 17

Bank Identification Numbers

Visualize your lost credentials here…

Page 18

Dark Web Exploits for Sale

Page 19

Operational Intelligence – Do we need to act?

Page 20

Is the Vuln Exploitable?

Page 21

Operational Intelligence – Define the So What?

Page 22

Operational Intelligence – Define the So What?

Page 23

Open Source Intelligence – Dig Deep

Page 24

Operational Intelligence – Define the So What, then Pivot to Tactical

Page 25

Operational Intelligence – Define the So What, then Pivot to Tactical

Page 26

Tactical Intelligence
Signatures, Indicators of Compromise, Behavior Analysis
Intrusion prevention, sandbox, endpoint
Vendors, industry partners, are you sharing?
Bring the HEAT to the Adversary!!

Pyramid of Pain (top to bottom): TTPs, Tools, Network/Host Artifacts, Domain Names, IP Addresses, Hashes
David Bianco, Pyramid of Pain, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
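As an added example (not from the talk, and not David Bianco's or Phantom's code), a small triage routine that ranks a tactical feed by Pyramid of Pain level: atomic indicators (hashes, IP addresses, domains) are recognised by shape, while artifacts, tools and TTPs are tagged explicitly in the feed because they cannot be recognised from a bare string. The feed contents, the tag prefixes and the function names are the example's own constructions.

```python
"""Pyramid of Pain triage for a tactical intelligence feed.

Added example, not from the talk. Indicators low on the pyramid (hashes,
IPs) are trivial for an adversary to change, so detections built on them
expire quickly; artifacts, tools and TTPs cost the adversary real effort
to change and make durable detections. All indicator strings below are
constructed sample data.
"""
import ipaddress
import re

# Pyramid levels from bottom (0, trivial for the adversary) to top (5, tough).
PAIN_LEVELS = ["hash", "ip", "domain", "artifact", "tool", "ttp"]

_HEX = re.compile(r"^[0-9a-fA-F]+$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)


def classify(indicator: str):
    """Return (level_name, level_index) for one indicator string.

    Behavioural indicators are tagged 'artifact:', 'tool:' or 'ttp:' by the
    feed (a convention assumed for this example); atomic ones are recognised
    by shape: MD5/SHA-1/SHA-256 hex, IPv4/IPv6 address, or a DNS name.
    """
    value = indicator.strip()
    prefix, _, rest = value.partition(":")
    if prefix.lower() in ("artifact", "tool", "ttp") and rest:
        name = prefix.lower()
        return name, PAIN_LEVELS.index(name)
    if _HEX.match(value) and len(value) in (32, 40, 64):
        return "hash", 0
    try:
        ipaddress.ip_address(value)
        return "ip", 1
    except ValueError:
        pass
    if _DOMAIN.match(value):
        return "domain", 2
    raise ValueError(f"unrecognised indicator: {indicator!r}")


def triage(indicators):
    """Sort a feed top-of-pyramid first and report the durable fraction.

    Returns (rows, durable_fraction) where each row is
    (indicator, level_name, level_index) and 'durable' means artifact or above.
    """
    rows = [(ind, *classify(ind)) for ind in indicators]
    rows.sort(key=lambda r: r[2], reverse=True)
    durable = sum(1 for r in rows if r[2] >= 3)
    return rows, (durable / len(rows) if rows else 0.0)


# Constructed sample feed, the kind of mixed list a partner share arrives as.
SAMPLE_FEED = [
    "0123456789abcdef0123456789abcdef",                  # constructed MD5-shaped hash
    "203.0.113.45",                                       # documentation-range address
    "updates.example.net",                                # constructed domain
    "artifact:User-Agent 'Mozilla/4.0 (compatible; MSIE 6.0)'",
    "tool:custom credential dumper",
    "ttp:lateral movement over writable network shares",  # cf. the Pinkslipbot slide
]


if __name__ == "__main__":
    rows, durable = triage(SAMPLE_FEED)
    for ind, name, level in rows:
        print(f"{level} {name:9s} {ind}")
    print(f"durable fraction: {durable:.0%}")
```

The durable fraction is the number worth tracking over time: a feed that is 90% hashes and IPs will keep the SOC busy loading indicators that the adversary retires for free, which is the wild-goose chase the title asks about.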

Page 27

Contextual Impact

Page 28

Contextual Impact - Focus on what is important

Protect the pathways to and from critical systems and data
Use the business continuity plans to define the crown jewels
Reduce the impact to the enterprise
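Putting the deck's formula (Risk = Likelihood x Impact, page 4), the operational "is the vuln exploitable?" question (page 20) and this slide's crown-jewels rule into one scoring routine, as an added example that is not from the talk or from Phantom. The asset tiers, findings, vulnerability identifiers and weightings are constructed for illustration; the weights in particular are assumptions a team would tune to its own environment.

```python
"""Risk = Likelihood x Impact, scored with threat-intelligence context.

Added example, not from the talk. Likelihood comes from operational
intelligence about each vulnerability (public exploit? exploited in the
wild? reachable along the phishing path?) minus compensating controls;
impact comes from the crown-jewels tiers the business continuity plan
defines. Every asset, finding, identifier and weight below is constructed.
"""
from dataclasses import dataclass, field

# Constructed: crown-jewel tier per asset from the BCP (1 = most critical).
# Assets not listed default to tier 3.
CROWN_JEWELS = {"pay-db-01": 1, "hr-files": 2, "kiosk-07": 4}
IMPACT_BY_TIER = {1: 10.0, 2: 7.0, 3: 4.0, 4: 1.0}


@dataclass
class Finding:
    asset: str
    vuln_id: str                      # placeholder, not a real advisory id
    cvss: float
    exploit_public: bool = False      # operational intel: exploit code is available
    exploited_in_wild: bool = False   # operational intel: active exploitation reported
    on_phishing_path: bool = False    # reachable from user workstations / mail
    mitigations: list = field(default_factory=list)  # compensating controls in place


def likelihood(f: Finding) -> float:
    """0-10 likelihood: CVSS alone is weak evidence, intel context moves it."""
    score = f.cvss * 0.5
    if f.exploit_public:
        score += 2.0
    if f.exploited_in_wild:
        score += 3.0
    if f.on_phishing_path:
        score += 1.0   # page 10: most exposure arrives through phishing vectors
    score -= 1.0 * len(f.mitigations)  # each control (DEP, HIDS, ACL, EDR...) degrades it
    return max(0.0, min(10.0, score))


def impact(f: Finding) -> float:
    """Impact comes from the crown-jewels tier, not from the vulnerability."""
    return IMPACT_BY_TIER[CROWN_JEWELS.get(f.asset, 3)]


def risk(f: Finding) -> float:
    return round(likelihood(f) * impact(f), 1)


# Constructed sample findings.
SAMPLE_FINDINGS = [
    Finding("pay-db-01", "VULN-A", 9.8, exploit_public=True, mitigations=["firewall-acl"]),
    Finding("kiosk-07", "VULN-B", 10.0, exploit_public=True, exploited_in_wild=True,
            on_phishing_path=True),
    Finding("hr-files", "VULN-C", 7.0, on_phishing_path=True),
    Finding("ws-1042", "VULN-D", 8.8, exploit_public=True, exploited_in_wild=True,
            on_phishing_path=True, mitigations=["edr"]),
]


def ranked_assets(findings=SAMPLE_FINDINGS):
    """Highest risk first: the 'so what' that decides whether to act now."""
    return [(f.asset, risk(f)) for f in sorted(findings, key=risk, reverse=True)]


if __name__ == "__main__":
    for asset, score in ranked_assets():
        print(f"{asset:10s} risk={score}")
```

The kiosk carries the highest CVSS and is actively exploited, yet ranks last because the BCP puts nothing critical on it; the payment database with a merely public exploit ranks first. That inversion is what contextual impact buys over a raw severity feed.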

Page 29

Ineffective Response = Huge Business Impact

From 200 to 2100 affected systems in less than 48 hours – why?? Pinkslipbot/Qbot – a cybercrime worm that spreads over network shares and that steals banking credentials, logged on and admin credentials, among others

[Chart: affected systems over time, series Server and Workstation, y-axis 0 to 2500; annotated response phases: 1st Detect, 2nd Detect, Contain, Eradicate, Recover]

Page 30

Key Takeaways

Where’s the Val

• Intelligence preparation allows us to understand what’s important
• Strategic Intelligence supports technology needs
• Operational Intelligence remediates risk and supports process
• Tactical intelligence mitigates impact
• Vulnerabilities will continue...
• People can understand the threat, respond quickly and reduce the impact

Page 31

About Phantom – Problem Today

Resources: Resource shortage of 1 million security professionals
Products: Endless assembly line of point products
Static: Static independent controls with no orchestration
Speed: Speed of detection, triage, and response time must improve
Costs: Costs continue to increase

Page 32

Automating Security Operations

Point Products (Observe / Sensing): FIREWALL, IDS / IPS, ENDPOINT, WAF, ADVANCED MALWARE, FORENSICS, MALWARE DETONATION
Analytics (Orient / Sense-making): SIEM, THREAT INTEL PLATFORM, HADOOP, GRC
Decision Making: TIER 1, TIER 2, TIER 3 – MANUAL (TODAY) vs AUTOMATED
Acting: FIREWALL, IDS / IPS, ENDPOINT, WAF, ADVANCED MALWARE, FORENSICS, MALWARE DETONATION

Page 33

Automating Security Operations (repeat of the Page 32 diagram)

Page 34

Shameless Plug

blog.phantom.us
twitter.com/tryphantom
Phantom-community
Rob Gresham, Security Solutions Architect, [email protected]
JOIN US @ phantom.us/join

Page 35

The 1st Community-Powered Security Automation & Orchestration Platform

Thank You