Utilizing cyber intelligence to combat cyber adversaries (OA Cyber Summit)
•Download as PPTX, PDF•
3 likes•2,135 views
Jon DiMaggio's presentation at the Open Analytics Cyber Summit
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Utilizing cyber intelligence to combat cyber adversaries (OA Cyber Summit)
Similar to Utilizing cyber intelligence to combat cyber adversaries (OA Cyber Summit) (20)
More from Open Analytics
More from Open Analytics (20)
Recently uploaded
Recently uploaded (20)
Utilizing cyber intelligence to combat cyber adversaries (OA Cyber Summit)
- 1. Utilizing Cyber Intelligence to Combat Cyber Adversaries Jon DiMaggio IntelThreat 7 October 2014
- 2. Problem • Advanced threats driven by state sponsored groups, hacktivists and organized crime rings have made threats increasingly difficult to defend against with traditional Computer Network Defense (CND) security practices • Traditional use of indicator and signature driven solutions alone are no longer sufficient to protect against these threats • Historically intelligence was only being conducted by military and government organizations
- 3. Cyber Intelligence • Purpose – Cyber intelligence products provide information on cyber threats, track trends and allow for predictive analysis on cyber threat groups • Process – Process of taking open source research, official reporting (reporting from credible organizations) and internal cyber attack data, and fusing them into an actionable product for information dissemination specific to your organization • Intent – Provide support to other security operation teams by filling intelligence gaps and providing information not currently being identified or tracked
- 4. Advanced Threats Categories • APT – Malware – Spear phishing emails and watering holes • Hacktivists – Attack in large numbers – DDoS attacks – Data compromise – Public posts of sensitive data • Crime Rings – Ransomware – TOR network – Blend in • Unknown – Similar tactics, techniques & procedures (TTPs) – Use of buckets or clustering
- 5. Complexity of Advanced Threats • Advanced threats often go undetected – Human operators driving attacks – Malware • These advanced attackers create/collect intelligence through analysis of their targets • The planning, patience and human driven aspects of advanced threats makes traditional security models less effective
- 6. CND vs. Cyber Intelligence • Computer Network Defense & Cyber Intelligence… What is the Difference? – CND: Direct and immediate impact to operations – CND: Identify malicious traffic and stop it – Cyber Intelligence: Understand why attacks are being conducted and the motivation behind it – Cyber Intelligence: Understand who is targeting your organization and what they want • Think the role of a police officer compared to a detective
- 7. Cyber Intelligence & Tracking Adversaries • Making cyber intelligence actionable – Targeting – Infrastructure – Personas used in advanced attacks – Malware – Spear Phishing emails
- 8. Pivoting • Using an indicator or information to discover new related intelligence that is obtained by identifying a relationship between the two • Use of open source and commercial services can assist with pivoting on intelligence to learn about new unknown information about your adversary
- 9. Cyber Intelligence Fusion Process • Track • Research • Pivot • Analyze • Fuse • Document Track Research Pivot Analyze Fuse Document
- 10. Creating Actionable Products • Use data gained from tracking adversaries and the cyber intelligence fusion process to create actionable products which are described in detail on the following slides
- 11. Threat Actor Profiling • Objective: – Provide a cyber fingerprint of advanced threats to assist in minimizing the time it takes for an analyst to recognize activity on their network is from an advanced threat group • Provide profiling of: – Threat actor groups – CNE operators / hackers – who, where and what are they targeting
- 12. Threat Actor “Attack” Time Lines Create time lines showing the events and dates of activity targeting your organization – Identify trends and patterns in activity, such as most active months, weeks and days for each threat group – Identify gaps in activity – Compare against other campaigns – Compare against other significant events (public events, military or political events, major hacktivists operations etc.) – Allow for predictive analysis based on patterns and trends in the data
- 13. Malware Intelligence • Different than a malware report – Focus is on what can be learned from malware when tracked from multiple events over time – Track and plot malware and the files associated with a malware family – Can produce links in malware families not traditionally seen when doing reverse engineering focusing on one sample
- 14. Cyber Intelligence + CND reporting = Fusion • Fusion reporting is designed to provide value for organizations by pivoting off of multiple data sources and connecting the dots • Fusion reporting focuses on who the attacker is, what they want and where they are likely going • Fusion reporting focuses on intelligence to track and trend threat actors and provide insight into the TTPs of the infrastructure, tools and personas adversaries use • Fusion done correctly can lead to predictive analysis
- 15. Conclusion • Advanced threats have changed the threat landscape making it difficult to detect advanced cyber threats • Mitigating and cleaning up an infection, post compromise, can cost hundreds of thousands and into millions of dollars • Cyber Intelligence can be combined with CND capabilities, giving organizations a much broader view into the who, what, when and why they are being targeted • This information can be used to arm CND teams, as well as senior leadership, with the information they need to make decisions and get ahead of todays targeted advanced cyber threats
Editor's Notes
- Defending against state sponsored threats, hacktivist groups, and organized criminal organizations has become increasingly difficult with traditional CND methods alone A frequent topic pertinent to this conversation is to whether benefits of associated with cyber intelligence warrant the cost associated with it This is a relatively new argument as historically only military and government organizations had the capability and access to the data required to produce intelligence
- Cyber Intelligence tells the story behind an attack , a threat actor and even an indicator. Cyber intelligence allows an organization to properly assess a threat and make decisions such as how to handle the threat and what resources should be allocated to mitigate the threat For example, cyber intelligence may tell you that an indicator has been associated with a threat group that uses malware which runs in virtual memory and eludes detection and is associated with a group that is known to escalate privileges and use legitimate accounts VPN in and out of your network to exfiltrate data. An organization would want to respond to that very differently then you would if you identified an indicator associated with ransomware or fake AV
- Advanced threat group categories are going to vary from organization to organization however for the purpose of this brief I an advanced threat to be one that is organized and conducts targeted attacks APT is a term that is often used when referring to a threat associated with a State sponsor. Apt often uses advanced or custom malware that are delivered via spear phishing emails or watering holes While less sophisticated, hacktivists groups have been fairly successful due to their large scale attacks conducted against targets. Hacktivist groups are known to conduct DDoS attacks as well as post sensitive or proprietary data to public websites with the intent to cause embarrassment to the target Criminal elements operate differently as their target and motivation is finance based. The attacks conducted by these groups often Point of Sale (PoS) malware, RATs and ransomware Activity that meets the TTPs of an advanced threat are often identified however the attacker is often unknown. These attacks can be clustered or placed into buckets until further attribution can be made
- Generally advanced threats make up less then 10% of cyber threat activity. Human operators driving attacks make detection more difficult because they can adapt and change tactics and methods to elude detection. For example malware will often be re-hashed or modified to elude detection. Advanced threats have often conducted reconnaissance and taken the time to know their target. Doing the same and learning their TTPs can help understand how the threat groups operates and assist in knowing where and what to look for to find them on their network
- Individually they both bring value in different ways Together they provide a much more in depth threat picture that can be used to better defend your networks CND delivers an immediate action to operations while cyber intelligence helps you understand who is targeting your organizations and may provide insight into the attack vector and tools then my use to try and get onto your network. A good analogy I once heard on comparing CND to Cyber intelligence roles was to compare the role of a police office to a detective. A police officer identifies a threat or crime and primarily cares about stopping it while a detective is going to be concerned as to why the crime was conducted, if there was any previous related activity that lead up to the crime and if they are associated with any gangs or criminal orgs. Most police departments have both police officers and detectives and so should a good Security Operations Center
- Intelligence will tell you the industries, technologies, programs, and organizations that an adversary is targeting. With infrastructure cyber intelligence tells you id a command & control is attacker owned vs attacker controlled such as legitimate website that has been compromised. That information would make a difference on you treat or handle the domain or IP. Intel on an adversary personas would tell you who they are trying to masquerade as which can often lead you to what they are after. Intel will tell you if malware is has been seen in previous targeted attacks as well as if its unique and custom developed or publicly available. Identifying a malware attributes like unique strings, MUTEX or passwords can help with attribution as well as creating signatures With spear phishing intelligence may tell you of patterns or previous use of sender addresses or X-mailers or if the attacker primarily uses attachments vs URLs which can assist in attribution
- Taking an indicator and finding other indicators or intelligence through a relationship with the original indicator is called pivoting A number of open source and commercial tools are available that make pivoting an easy process. For example, use of Passive DNS records to tell you what other domains sat on an IP address at the same time that an Adversary Command and Control domain did. Another example would be using Domain records to identify new domains registered by the same adversary owned registrant address Or you could search through malware repositories to identify related variants of malware , decoy docs, and C2 infrastructure
- Track-Identify threat activity over time that is targeting your organization Research- use open source intelligence to identify other attacks & information from the same attacker Pivot- Expand on information learned from the Track and Research phase to identify new previously unknown information Analyze- Perform analysis on your data as a whole and connect the dots Fuse- Take all of your results, internal tracking, open source intel, pivot findings, and anlaysis and put it all together Document- Document your results and distribute within your organization
- We talked about the process of creating cyber intelligence and next Im going to discuss how to make actionable products from it
- One od the most useful products you can create from cyber intelligence is a threat actor profile or threat card. They provide a digital fingerprint of advanced threat adversaries. Their purpose of threat actor profiling is to create profiles of threats specific to your organization to get security analysts familiar with threats targeting your organization. This can assist in mitigating the time it takes for an analyst to identify a threat on their network is advanced and react accordingly to mitigate
- A lot of good information can be gained by creating timelines of cyber attacks against your organization. -You can identify trends and patterns within the activity -You can often determine the time-zone of your attacker based on the times attacks were conducted -Timelines assist in identifying significant events or a reoccurring event that takes place prior to the attacks -You can also use the patterns and trends to assist in conduct smart predicative analysis on when future attacks may occur
- You can track attributes of malware to find associations and intelligence that can be used for pivoting as well as assisting in attribution. Open source & commercial tools can assist in finding relationships in malware. Tools like Cuckoo Sandbox and Maltego can automate analysis and visually plot the malware and the C2 domains the call out. This can help to visually identify patterns and relationships that you would otherwise not have seen.
- Fusion is the process of using cyber intelligence + CND data to tell the story of your adversary -That story brings knowledge of who is targeting your organization, what they want and the level of sophistication they have to attack you. -It can allow you to make accurate and educated decisions on how to defend against advanced threats and provides knowledge of high value indicators often unknown to the public and vendors
- Cyber intelligence comes from a mix of data and analysis. Many organizations are heavily targeted by cyber threats. Use the data from your adversaries attacks organization against them. The intelligence is in the data many organization already have and it can be very effective and valuable at defending against cyber threats