www.securitytodayinfo.com
November 18 &19, 2014
Gaylord Texan │Grapevine, TX
Science of Security:
Cyber Intelligence Analysis
Shawn Riley
Executive Vice President, CSCSS Americas
About Me
• Attack Analysis Scientist, Multisource Cyber
Intelligence Analyst, & Sci-Fi Geek
• Veteran – US Navy Cryptology Community
• Former Lockheed Martin Senior Fellow
• Former member UK Cybercrime Experts
Working Group (UK Govt CSOC / OCSIA)
Outline
• Science of Security
• Cyber Ecosystem
– Cyber Terrain
• Cyber Attack Lifecycle
• Cyber Ecosystem Attack Analysis Method
– Threat Actor’s Cyber Offense Ecosystem
• Threat Intelligence Method
– Defender’s Cyber Defense Ecosystem
• Active Defense Method
Science of Security (SoS)
• The Science of Security term has been around since 2010 when an
independent science and technology advisory committee for the
U.S. Department of Defense concluded there is a science of (cyber)
security discipline.
• The following year, 2011, the White House released “Trustworthy
Cyberspace: Strategic Plan For The Federal Cybersecurity
Research And Development Program” formally establishing the
Science of Security as 1 of 4 key strategic thrusts for U.S. Federal
cybersecurity R&D programs.
• A cyber security scientist, in a broad sense, is one engaging in a
systematic activity to acquire and organize knowledge in the cyber
security domain.
SoS – Core Themes
• In 2011 Canada, United States, and United Kingdom established 7 core, inter-related themes that make up the Science of Security domain:
– Attack Analysis
– Common Language
– Core Principles
– Measurable Security
– Agility
– Risk
– Human Factors
Cyber Ecosystem
• Ecosystem is defined as “a
community of living organisms in
conjunction with the nonliving
components of their environment,
interacting as a system”.
• DHS defines a cyber ecosystem as:
“Like natural ecosystems, the cyber
ecosystem comprises a variety of
diverse participants – private firms,
non-profits, governments,
individuals, processes, and cyber
devices (computers, software, and
communication technologies) – that
interact for multiple purposes.”
(Diagram: People, Processes, Technology)
http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
Cyber Terrain
• (Content)
Cyber Terrain – Layers 0-1
• CAPEC-ID:455 – Malicious Logic Insertion via Inclusion of Counterfeit Hardware Components
• CAPEC-ID:453 – Malicious Logic Insertion via Counterfeit Hardware
• CAPEC-ID:547 – Physical Destruction of Device or Component
• CAPEC-ID:397 – Cloning Magnetic Strip Cards
• CAPEC-ID:391 – Bypassing Physical Locks
• CAPEC-ID:507 – Physical Theft
• CAPEC-ID:414 – Pretexting via Delivery Person
• CAPEC-ID:413 – Pretexting via Tech Support
• CAPEC-ID:407 – Social Information Gathering via Pretexting
• CAPEC-ID:406 – Social Information Gathering via Dumpster Diving
CAPEC = Common Attack Pattern Enumeration and Classification (463 total attack patterns in CAPEC V2.6)
Website: http://capec.mitre.org
Cyber Terrain – Layers 2-7
• CAPEC-ID:383 – Harvesting Usernames or UserIDs via Application API Event Monitoring (Application Layer)
• CAPEC-ID:311 – OS Fingerprinting (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:291 – DNS Zone Transfers (Application Layer)
• CAPEC-ID:315 – TCP/IP Fingerprinting Probes (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:310 – Scanning for Vulnerable Software (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:309 – Network Topology Mapping (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:293 – Traceroute Route Enumeration (Network Layer & Transport Layer)
• CAPEC-ID:316 – ICMP Fingerprinting Probes (Network Layer)
Cyber Terrain – Layers 8-11
• CAPEC-ID:37 – Lifting Data Embedded in Client Distributions
• CAPEC-ID:205 – Lifting Credential Key Material Embedded in Client
• CAPEC-ID:8 – Buffer Overflow in an API Call
• CAPEC-ID:14 – Client-side Injection-induced Buffer Overflow
• CAPEC-ID:118 – Gather Information
• CAPEC-ID:268 – Audit Log Manipulation
• CAPEC-ID:270 – Modification of Registry Run Keys
• CAPEC-ID:17 – Accessing, Modifying or Executing Executable Files
• CAPEC-ID:69 – Target Programs with Elevated Privileges
• CAPEC-ID:76 – Manipulating Input to File System Calls
• CAPEC-ID:35 – Leverage Executable Code in Non-Executable Files
• CAPEC-ID:472 – Browser Fingerprinting
• CAPEC-ID:151 – Identity Spoofing
• CAPEC-ID:156 – Deceptive Interactions
Cyber Terrain – Layers 12-14
• CAPEC-ID:404 – Social Information Gathering Attacks
• CAPEC-ID:410 – Information Elicitation via Social Engineering
• CAPEC-ID:416 – Target Influence via Social Engineering
• CAPEC-ID:527 – Manipulate System Users
• CAPEC-ID:156 – Deceptive Interactions
• CAPEC-ID:98 – Phishing
• CAPEC-ID:163 – Spear Phishing
• CAPEC-ID:164 – Mobile Phishing (aka MobPhishing)
Cyber Terrain - Complete
• (Content)
Cyber Ecosystem w/ Terrain
• Diagram – layers of the cyber ecosystem, as labelled on the slide:
– Persona Layer
– Software App Layer
– Operating System Layer
– Machine Language Layer
– Logical Layers (Communications Ports & Protocols)
– Physical Layer
– Geographic Layer
– Organization Layer
– Government Layer
• Diagram groupings: Technology / Cyber Terrain, People, Processes / TTPs
Cyber Attack Lifecycle
“Use a cyber attack lifecycle as a framework for
observing and understanding an adversary’s
actions and for defining an active defense
strategy that makes effective use of information
available through both internal and external
sources throughout the lifecycle.”
Recon Weaponize Deliver Exploit Control Execute Maintain
Cyber Attack Lifecycle from: http://www.mitre.org/publications/technical-papers/cyber-resiliency-and-nist-special-publication-800-53-rev4-controls
Key recommendation from NIST Guide To Cyber Threat Information Sharing (DRAFT)
http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf
Cyber Ecosystem Attack Analysis
• Diagram – the ecosystem layers (Persona, Software App, Operating System, Machine Language, Logical Layers / Communications Ports & Protocols, Physical, Geographic, Organization, Government) drawn twice, once for Threat Actors / People and once for Defenders, each with the Technology / Cyber Terrain and Processes / TTPs groupings.
• Offense (Threat Actors):
– Threat Actor’s use of technology and observable technical indicators
– Threat Actor’s Modus Operandi (Methods of Operation)
• Defense (Defenders):
– Defender’s technology based mitigations and countermeasures
– Defender’s process based mitigations and countermeasures
• Lifecycle stages running across both sides: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
• Threat Intelligence is based on analysis of the Threat Actor’s Cyber Offense Ecosystem.
• Active Defense is based on analysis of the Defender’s Cyber Defense Ecosystem.
• Offense informs Defense.
Boyd Cycle / OODA Loop
• Decision cycle developed by USAF Colonel John Boyd who applied
it to combat operations. Often applied to understand commercial
operations and learning processes.
http://en.wikipedia.org/wiki/OODA_loop
Threat Intelligence Method
1. Observe – Observe each stage of the attack, collect and process
available data and information about the attack for each layer of the
cyber ecosystem.
2. Orient – Analyze and synthesize the attack data and information for
each stage and layer. Orient on the Threat Actor’s methods of operation
and use of technology to identify observable indicators in the attack
data for each stage across one or more layers of the cyber ecosystem.
3. Decide – Based on the Threat Actor’s modus operandi and the identified
observables and indicators, decide whether this attack is from a new threat
actor or is part of a larger campaign. Produce a threat intelligence report.
4. Act – Disseminate the threat intelligence report.
Pivot & Chain Into Campaigns
(Diagram: four rows of attacks, growing from Attack 1 to Attack 3 up to Attack 1 to Attack 6, attributed to APT 1 and APT 2; shared elements labelled CC1 and CC2 link the individual attacks into campaigns.)
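The chaining step of the Threat Intelligence Method (decide whether an attack is from a new threat actor or belongs to a larger campaign) and the pivot-and-chain diagram above, carried out as an added Python example that is not part of the slide deck. Each attack is modelled as a set of observables tagged with the lifecycle stage and ecosystem layer from the slides; attacks that share any indicator are chained into one campaign, and for each campaign the stages with no indicator at any layer are reported, which is the per-stage, per-layer coverage the Benefits slide argues for. The attack names, sender addresses, domains, hashes and registry values are constructed sample data, not indicators from the deck.

```python
from collections import defaultdict
from dataclasses import dataclass

# Lifecycle stages and ecosystem layers as named on the slides.
STAGES = ["Recon", "Weaponize", "Deliver", "Exploit", "Control", "Execute", "Maintain"]
LAYERS = ["Persona", "Software App", "Operating System", "Machine Language",
          "Logical", "Physical", "Geographic", "Organization", "Government"]


@dataclass(frozen=True)
class Observable:
    """One observable indicator, tagged with the lifecycle stage and the
    ecosystem layer at which it was seen."""
    stage: str
    layer: str
    kind: str    # indicator type: "sender", "c2-domain", "file-hash", ...
    value: str

    def __post_init__(self):
        if self.stage not in STAGES or self.layer not in LAYERS:
            raise ValueError(f"unknown stage/layer: {self.stage}/{self.layer}")


@dataclass(frozen=True)
class Attack:
    name: str
    observables: frozenset  # frozenset[Observable]


# Constructed sample data: hypothetical attacks, addresses, domains and hashes.
ATTACKS = [
    Attack("Attack 1", frozenset({
        Observable("Deliver", "Persona", "sender", "billing@invoices-example.test"),
        Observable("Control", "Logical", "c2-domain", "update.cdn-example.test"),
        Observable("Maintain", "Operating System", "run-key",
                   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    })),
    Attack("Attack 2", frozenset({
        Observable("Deliver", "Persona", "sender", "hr@careers-example.test"),
        Observable("Control", "Logical", "c2-domain", "update.cdn-example.test"),
        Observable("Execute", "Software App", "file-hash", "sha256:c0ffee01"),
    })),
    Attack("Attack 3", frozenset({
        Observable("Deliver", "Persona", "sender", "info@shop-example.test"),
        Observable("Exploit", "Software App", "file-hash", "sha256:c0ffee02"),
        Observable("Control", "Logical", "c2-domain", "img.static-example.test"),
    })),
    Attack("Attack 4", frozenset({
        Observable("Recon", "Logical", "scanner-ip", "203.0.113.7"),
        Observable("Control", "Logical", "c2-domain", "img.static-example.test"),
        Observable("Maintain", "Operating System", "run-key",
                   r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\HelperSvc"),
    })),
    Attack("Attack 5", frozenset({
        Observable("Deliver", "Persona", "sender", "noreply@alerts-example.test"),
        Observable("Control", "Logical", "c2-domain", "api.metrics-example.test"),
    })),
]


def pivot(attacks, kind, value):
    """Pivot on one indicator: the names of every attack in which it was observed."""
    return [a.name for a in attacks
            if any(o.kind == kind and o.value == value for o in a.observables)]


def chain_campaigns(attacks):
    """Chain attacks that share any (kind, value) indicator into one campaign.
    Union-find over attack names; returns campaigns as lists of attack names,
    members in the order the attacks were given."""
    parent = {a.name: a.name for a in attacks}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    first_seen = {}  # (kind, value) -> name of the first attack exhibiting it
    for atk in attacks:
        for obs in atk.observables:
            key = (obs.kind, obs.value)
            if key in first_seen:
                parent[find(atk.name)] = find(first_seen[key])   # merge campaigns
            else:
                first_seen[key] = atk.name

    groups = defaultdict(list)
    for atk in attacks:
        groups[find(atk.name)].append(atk.name)
    return sorted(groups.values(), key=lambda g: g[0])


def coverage(attacks):
    """Count indicators per (stage, layer) cell across the given attacks."""
    cells = defaultdict(int)
    for atk in attacks:
        for obs in atk.observables:
            cells[(obs.stage, obs.layer)] += 1
    return dict(cells)


def stage_gaps(attacks):
    """Lifecycle stages for which the given attacks yielded no indicator at
    any layer: the stages where the defender currently has nothing to act on."""
    covered = {obs.stage for atk in attacks for obs in atk.observables}
    return [s for s in STAGES if s not in covered]


if __name__ == "__main__":
    for campaign in chain_campaigns(ATTACKS):
        members = [a for a in ATTACKS if a.name in campaign]
        print(campaign, "stages without an indicator:", stage_gaps(members))
```

On this data Attack 1 and Attack 2 chain through a shared command-and-control domain, Attack 3 and Attack 4 through another, and Attack 5 shares nothing and so stands as a new actor until further observables link it. The gap list is the input to the Plan step of the Active Defense Method: a campaign with no Recon or Weaponize indicator is one where the defender has only later-stage observables to build mitigations on.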
PDCA – Plan Do Check Act
• Iterative four-step management method used in business for the
control and continuous improvement of processes and products.
AKA Deming circle/cycle/wheel, Shewhart cycle, or as seen in
ISO 9001.
http://en.wikipedia.org/wiki/PDCA
Active Defense Method
1. Plan – Plan active defense courses of action based on threat intelligence
for each stage of the Threat Actor’s attack; consider both technical and
process based mitigations and countermeasures for each layer of the
Defender’s cyber defense ecosystem.
2. Do – Implement the intelligence based courses of action to mitigate and
counter the Threat Actor’s attack and to increase the defender’s
resilience to future attacks by this threat actor.
3. Check – Measure the quality of the threat intelligence and effectiveness
of the mitigations and countermeasures over time.
4. Act – Provide feedback on the quality of the threat intelligence and
effectiveness of the mitigations and countermeasures, take action to
continuously improve the security and resilience of the cyber ecosystem.
Methods Combined
(Timeline from 2009 to 2015 showing the Threat Intelligence Cycle and the Active Defense Cycle repeating over time.)
Cyber Ecosystem Attack
Analysis Methodology
• Diagram – the same two-sided layer diagram as the Cyber Ecosystem Attack Analysis slide (Persona, Software App, Operating System, Machine Language, Logical Layers / Communications Ports & Protocols, Physical, Geographic, Organization and Government layers for Threat Actors / People and for Defenders, with the Technology / Cyber Terrain and Processes / TTPs groupings).
• Offense: Threat Actor’s use of technology and observable technical indicators; Threat Actor’s Modus Operandi (Methods of Operation).
• Defense: Defender’s technology based mitigations and countermeasures; Defender’s process based mitigations and countermeasures.
• Lifecycle stages: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
• Added on this slide: the Threat Intelligence Cycle and the Active Defense Cycle.
Benefits
• Takes a more holistic approach by considering the attack
across both the Threat Actor’s cyber offense ecosystem
and the Defender’s defense ecosystem.
• Enables the Defender to better identify, chain, and track
Threat Actors and Campaigns over time.
• Enables a more resilient cyber defense ecosystem by
having multiple observable indicators for each stage of
attack across different layers of the ecosystem.
• Costs the Threat Actor considerably more to defeat
layered, intelligence based mitigations and
countermeasures.
Additional Recommendations
• Adopt STIX, TAXII, and CYBOX for Threat
Intelligence with MAEC, CAPEC, CWE, CVE,
CCE extensions. (http://msm.mitre.org)
– Automation
– Interoperability
• Semantic Interoperability
• Technical Interoperability
• Policy Interoperability
http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
Summary
• Following this methodology will reduce the
defender’s cost per attack while increasing
the threat actor’s cost to overcome
• Based on methods used by many
organizations already - OSI Model, OODA
Loop, and PDCA cycle
• Maturing from a reactive, passive defense
posture to a more proactive, active
defense posture
Thank You!
• Please feel free to reach out with any
questions or comments.
• You can find me on LinkedIn at:
www.linkedin.com/in/shawnriley71/

More Related Content

What's hot

Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feeds
Iain Dickson
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
mmubashirkhan
 

What's hot (20)

Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics Vulnerability assessment & Penetration testing Basics
Vulnerability assessment & Penetration testing Basics
 
Welcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat IntelligenceWelcome to the world of Cyber Threat Intelligence
Welcome to the world of Cyber Threat Intelligence
 
Types of Threat Actors and Attack Vectors
Types of Threat Actors and Attack VectorsTypes of Threat Actors and Attack Vectors
Types of Threat Actors and Attack Vectors
 
Offensive OSINT
Offensive OSINTOffensive OSINT
Offensive OSINT
 
Cybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for ExecutivesCybersecurity Roadmap Development for Executives
Cybersecurity Roadmap Development for Executives
 
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
MITRE ATT&CKcon 2018: Hunters ATT&CKing with the Data, Roberto Rodriguez, Spe...
 
Cybersecurity
CybersecurityCybersecurity
Cybersecurity
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feeds
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
Cybersecurity Frameworks | NIST Cybersecurity Framework | Cybersecurity Certi...
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
Building an effective Information Security Roadmap
Building an effective Information Security RoadmapBuilding an effective Information Security Roadmap
Building an effective Information Security Roadmap
 
MITRE ATT&CK framework
MITRE ATT&CK frameworkMITRE ATT&CK framework
MITRE ATT&CK framework
 
Cyber Security roadmap.pptx
Cyber Security roadmap.pptxCyber Security roadmap.pptx
Cyber Security roadmap.pptx
 
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
MW_Arch Fastest_way_to_hunt_on_Windows_v1.01
 
Advanced persistent threat (apt)
Advanced persistent threat (apt)Advanced persistent threat (apt)
Advanced persistent threat (apt)
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
Cyber security career development paths
Cyber security career development pathsCyber security career development paths
Cyber security career development paths
 

Viewers also liked

National cyber security policy
National cyber security policyNational cyber security policy
National cyber security policy
NextBigWhat
 
National Cyber Security Policy-2013
National Cyber Security Policy-2013National Cyber Security Policy-2013
National Cyber Security Policy-2013
Vidushi Singh
 

Viewers also liked (20)

National Cyber Security Policy 2013 (NCSP)
National Cyber Security Policy 2013 (NCSP)National Cyber Security Policy 2013 (NCSP)
National Cyber Security Policy 2013 (NCSP)
 
How To Catch a Phish: User Awareness and Training
How To Catch a Phish: User Awareness and TrainingHow To Catch a Phish: User Awareness and Training
How To Catch a Phish: User Awareness and Training
 
Addressing the cyber kill chain
Addressing the cyber kill chainAddressing the cyber kill chain
Addressing the cyber kill chain
 
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
Cyber Resilience – Strengthening Cybersecurity Posture & Preparedness by Phil...
 
CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2CSIRS ICS BCS 2.2
CSIRS ICS BCS 2.2
 
The Library of Sparta
The Library of SpartaThe Library of Sparta
The Library of Sparta
 
Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?Is Cyber Resilience Really That Difficult?
Is Cyber Resilience Really That Difficult?
 
National cyber security policy
National cyber security policyNational cyber security policy
National cyber security policy
 
Journey to cyber resilience
Journey to cyber resilienceJourney to cyber resilience
Journey to cyber resilience
 
Everything about TAXII
Everything about TAXIIEverything about TAXII
Everything about TAXII
 
Curso de Ejemplo
Curso de EjemploCurso de Ejemplo
Curso de Ejemplo
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty Training
 
National Cyber Security Policy-2013
National Cyber Security Policy-2013National Cyber Security Policy-2013
National Cyber Security Policy-2013
 
Improve Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USMImprove Situational Awareness for Federal Government with AlienVault USM
Improve Situational Awareness for Federal Government with AlienVault USM
 
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
STIX, TAXII, CISA: Impact of the Cybersecurity Information Sharing Act of 2015
 
BSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA DefenseBSidesAugusta ICS SCADA Defense
BSidesAugusta ICS SCADA Defense
 
Introduction to STIX 101
Introduction to STIX 101Introduction to STIX 101
Introduction to STIX 101
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber security awareness
Cyber security awarenessCyber security awareness
Cyber security awareness
 

Similar to Science of Security: Cyber Ecosystem Attack Analysis Methodology

1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
madunix
 

Similar to Science of Security: Cyber Ecosystem Attack Analysis Methodology (20)

CyberOps.pptx
CyberOps.pptxCyberOps.pptx
CyberOps.pptx
 
Lessons Learned from the NIST CSF
Lessons Learned from the NIST CSFLessons Learned from the NIST CSF
Lessons Learned from the NIST CSF
 
RMS Security Breakfast
RMS Security BreakfastRMS Security Breakfast
RMS Security Breakfast
 
1 info sec+risk-mgmt
1 info sec+risk-mgmt1 info sec+risk-mgmt
1 info sec+risk-mgmt
 
CompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdfCompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdf
 
CompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdfCompTIA_Security_plus_SY0-701_course_content.pdf
CompTIA_Security_plus_SY0-701_course_content.pdf
 
CompTIA Security+ (Plus) Certification Training Course
CompTIA Security+ (Plus) Certification Training CourseCompTIA Security+ (Plus) Certification Training Course
CompTIA Security+ (Plus) Certification Training Course
 
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
 
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
𝐋𝐚𝐭𝐞𝐬𝐭 𝐂𝐨𝐦𝐩𝐓𝐈𝐀 𝐒𝐞𝐜𝐮𝐫𝐢𝐭𝐲+ 𝐒𝐘𝟎-𝟕𝟎𝟏 𝐄𝐱𝐚𝐦
 
Security+ SY0-701 CERTIFICATION TRAINING.pdf
Security+ SY0-701 CERTIFICATION TRAINING.pdfSecurity+ SY0-701 CERTIFICATION TRAINING.pdf
Security+ SY0-701 CERTIFICATION TRAINING.pdf
 
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
UMS Cybersecurity Awareness Seminar: Cybersecurity - Lessons learned from sec...
 
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
GDG Cloud Southlake #4 Biodun Awojobi and Wade Walters Security Programs and ...
 
Soc analyst course content v3
Soc analyst course content v3Soc analyst course content v3
Soc analyst course content v3
 
Soc analyst course content
Soc analyst course contentSoc analyst course content
Soc analyst course content
 
Protecting Your IP with Perforce Helix and Interset
Protecting Your IP with Perforce Helix and IntersetProtecting Your IP with Perforce Helix and Interset
Protecting Your IP with Perforce Helix and Interset
 
Vulenerability Management.pptx
Vulenerability Management.pptxVulenerability Management.pptx
Vulenerability Management.pptx
 
Cervone uof t - nist framework (1)
Cervone   uof t - nist framework (1)Cervone   uof t - nist framework (1)
Cervone uof t - nist framework (1)
 
Cybersecurity by the numbers
Cybersecurity by the numbersCybersecurity by the numbers
Cybersecurity by the numbers
 
Cyber Threat Hunting with Phirelight
Cyber Threat Hunting with PhirelightCyber Threat Hunting with Phirelight
Cyber Threat Hunting with Phirelight
 
A Strategy for Addressing Cyber Security Challenges
A Strategy for Addressing Cyber Security Challenges A Strategy for Addressing Cyber Security Challenges
A Strategy for Addressing Cyber Security Challenges
 

Recently uploaded

Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
ZurliaSoop
 
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven CuriosityUnlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
Hung Le
 
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
David Celestin
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
Kayode Fayemi
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
amilabibi1
 

Recently uploaded (17)

My Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle BaileyMy Presentation "In Your Hands" by Halle Bailey
My Presentation "In Your Hands" by Halle Bailey
 
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
Jual obat aborsi Jakarta 085657271886 Cytote pil telat bulan penggugur kandun...
 
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven CuriosityUnlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
Unlocking Exploration: Self-Motivated Agents Thrive on Memory-Driven Curiosity
 
Introduction to Artificial intelligence.
Introduction to Artificial intelligence.Introduction to Artificial intelligence.
Introduction to Artificial intelligence.
 
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait Cityin kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
in kuwait௹+918133066128....) @abortion pills for sale in Kuwait City
 
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
Proofreading- Basics to Artificial Intelligence Integration - Presentation:Sl...
 
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdfAWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
AWS Data Engineer Associate (DEA-C01) Exam Dumps 2024.pdf
 
lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.lONG QUESTION ANSWER PAKISTAN STUDIES10.
lONG QUESTION ANSWER PAKISTAN STUDIES10.
 
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdfSOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
SOLID WASTE MANAGEMENT SYSTEM OF FENI PAURASHAVA, BANGLADESH.pdf
 
ICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdfICT role in 21st century education and it's challenges.pdf
ICT role in 21st century education and it's challenges.pdf
 
Digital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of DrupalDigital collaboration with Microsoft 365 as extension of Drupal
Digital collaboration with Microsoft 365 as extension of Drupal
 
Dreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio IIIDreaming Music Video Treatment _ Project & Portfolio III
Dreaming Music Video Treatment _ Project & Portfolio III
 
Dreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video TreatmentDreaming Marissa Sánchez Music Video Treatment
Dreaming Marissa Sánchez Music Video Treatment
 
Report Writing Webinar Training
Report Writing Webinar TrainingReport Writing Webinar Training
Report Writing Webinar Training
 
Uncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac FolorunsoUncommon Grace The Autobiography of Isaac Folorunso
Uncommon Grace The Autobiography of Isaac Folorunso
 
Zone Chairperson Role and Responsibilities New updated.pptx
Zone Chairperson Role and Responsibilities New updated.pptxZone Chairperson Role and Responsibilities New updated.pptx
Zone Chairperson Role and Responsibilities New updated.pptx
 
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
Bring back lost lover in USA, Canada ,Uk ,Australia ,London Lost Love Spell C...
 

Science of Security: Cyber Ecosystem Attack Analysis Methodology

  • 1. www.securitytodayinfo.com November 18 &19, 2014 Gaylord Texan │Grapevine, TX Science of Security: Cyber Intelligence Analysis Shawn Riley Executive Vice President, CSCSS Americas
  • 2. www.securitytodayinfo.com About Me • Attack Analysis Scientist, Multisource Cyber Intelligence Analyst, & Sci-Fi Geek • Veteran – US Navy Cryptology Community • Former Lockheed Martin Senior Fellow • Former member UK Cybercrime Experts Working Group (UK Govt CSOC / OCSIA)
  • 3. www.securitytodayinfo.com Outline • Science of Security • Cyber Ecosystem – Cyber Terrain • Cyber Attack Lifecycle • Cyber Ecosystem Attack Analysis Method – Threat Actor’s Cyber Offense Ecosystem • Threat Intelligence Method – Defender’s Cyber Defense Ecosystem • Active Defense Method
  • 4. www.securitytodayinfo.com Science of Security (SoS) • The Science of Security term has been around since 2010 when an independent science and technology advisory committee for the U.S. Department of Defense concluded there is a science of (cyber) security discipline. • The following year, 2011, the White House released “Trustworthy Cyberspace: Strategic Plan For The Federal Cybersecurity Research And Development Program” formally establishing the Science of Security as 1 of 4 key strategic thrusts for U.S. Federal cybersecurity R&D programs. • A cyber security scientist, in a broad sense, is one engaging in a systematic activity to acquire and organize knowledge in the cyber security domain.
  • 5. www.securitytodayinfo.com SoS – Core Themes • In 2011 Canada, United States, and United Kingdom established 7 core, inter-related themes that make up the Science of Security domain. SoS Attack Analysis Common Language Core Principles Measurable Security Agility Risk Human Factors
  • 6. www.securitytodayinfo.com Cyber Ecosystem • Ecosystem is defined as “a community of living organisms in conjunction with the nonliving components of their environment, interacting as a system”. • DHS defines a cyber ecosystem as: “Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non-profits, governments, individuals, processes, and cyber devices (computers, software, and communication technologies) – that interact for multiple purposes.” People ProcessesTechnology http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
  • 8. www.securitytodayinfo.com Cyber Terrain – Layers 0-1 • CAPEC-ID:455 – Malicious Logic Insertion via Inclusion of Counterfeit Hardware Components • CAPEC-ID:453 – Malicious Logic Insertion via Counterfeit Hardware • CAPEC-ID:547 – Physical Destruction of Device or Component • CAPEC-ID:397 – Cloning Magnetic Strip Cards • CAPEC-ID:391 – Bypassing Physical Locks • CAPEC-ID:507 – Physical Theft • CAPEC-ID:414 – Pretexting via Delivery Person • CAPEC-ID:413 – Pretexting via Tech Support • CAPEC-ID:407 – Social Information Gathering via Pretexting • CAPEC-ID:406 – Social Information Gathering via Dumpster Diving CAPEC = Common Attack Pattern Enumeration Classification (463 total attack patterns in CAPEC V2.6) Website: http://capec.mitre.org
Cyber Terrain – Layers 2-7
• CAPEC-ID:383 – Harvesting Usernames or UserIDs via Application API Event Monitoring (Application Layer)
• CAPEC-ID:311 – OS Fingerprinting (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:291 – DNS Zone Transfers (Application Layer)
• CAPEC-ID:315 – TCP/IP Fingerprinting Probes (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:310 – Scanning for Vulnerable Software (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:309 – Network Topology Mapping (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:293 – Traceroute Route Enumeration (Network Layer & Transport Layer)
• CAPEC-ID:316 – ICMP Fingerprinting Probes (Network Layer)
Cyber Terrain – Layers 8-11
• CAPEC-ID:37 – Lifting Data Embedded in Client Distributions
• CAPEC-ID:205 – Lifting Credential Key Material Embedded in Client
• CAPEC-ID:8 – Buffer Overflow in an API Call
• CAPEC-ID:14 – Client-side Injection-induced Buffer Overflow
• CAPEC-ID:118 – Gather Information
• CAPEC-ID:268 – Audit Log Manipulation
• CAPEC-ID:270 – Modification of Registry Run Keys
• CAPEC-ID:17 – Accessing, Modifying or Executing Executable Files
• CAPEC-ID:69 – Target Programs with Elevated Privileges
• CAPEC-ID:76 – Manipulating Input to File System Calls
• CAPEC-ID:35 – Leverage Executable Code in Non-Executable Files
• CAPEC-ID:472 – Browser Fingerprinting
• CAPEC-ID:151 – Identity Spoofing
• CAPEC-ID:156 – Deceptive Interactions
Cyber Terrain – Layers 12-14
• CAPEC-ID:404 – Social Information Gathering Attacks
• CAPEC-ID:410 – Information Elicitation via Social Engineering
• CAPEC-ID:416 – Target Influence via Social Engineering
• CAPEC-ID:527 – Manipulate System Users
• CAPEC-ID:156 – Deceptive Interactions
• CAPEC-ID:98 – Phishing
• CAPEC-ID:163 – Spear Phishing
• CAPEC-ID:164 – Mobile Phishing (aka MobPhishing)
Cyber Ecosystem w/ Terrain
(Diagram: the cyber ecosystem drawn as a stack of layers, grouped into Technology / Cyber Terrain, People, and Processes / TTPs.)
• Layers, top to bottom: Persona Layer, Software App Layer, Operating System Layer, Machine Language Layer, Logical Layers / Communications Ports & Protocols, Physical Layer, Geographic Layer
• People: Organization Layer, Government Layer
• Processes / TTPs
Cyber Attack Lifecycle
• “Use a cyber attack lifecycle as a framework for observing and understanding an adversary’s actions and for defining an active defense strategy that makes effective use of information available through both internal and external sources throughout the lifecycle.”
  – Key recommendation from NIST Guide To Cyber Threat Information Sharing (DRAFT): http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf
• Stages: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
  – Cyber Attack Lifecycle from: http://www.mitre.org/publications/technical-papers/cyber-resiliency-and-nist-special-publication-800-53-rev4-controls
Cyber Ecosystem Attack Analysis
(Diagram: the lifecycle stages Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain run across the top; the ecosystem layer stack appears once for the Offense side and once for the Defense side.)
• Layers on both sides: Geographic Layer, Physical Layer, Logical Layers / Communications Ports & Protocols, Machine Language Layer, Operating System Layer, Software App Layer, Persona Layer, Organization Layer, Government Layer
• Offense – Threat Actors / People
  – Technology / Cyber Terrain: Threat Actor’s use of technology and observable technical indicators
  – Processes / TTPs: Threat Actor’s Modus Operandi (Methods of Operation)
• Defense – Defenders
  – Technology / Cyber Terrain: Defender’s technology based mitigations and countermeasures
  – Processes / TTPs: Defender’s process based mitigations and countermeasures
• Threat Intelligence is based on analysis of the Threat Actor’s Cyber Offense Ecosystem.
• Active Defense is based on analysis of the Defender’s Cyber Defense Ecosystem.
• Offense informs Defense.
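The stage-by-layer grid on this slide can be kept as a data structure rather than a picture, so that an analyst can ask two questions the deck's Benefits slide cares about: does each lifecycle stage have observable indicators in more than one layer, and does every cell where the threat actor was observed have a defender countermeasure ("Offense informs Defense")? The Python below is an added example, not code from the presentation; the stage and layer names are the deck's, while the sample indicators, countermeasures, the `AttackAnalysisMatrix` class and the placement of particular CAPEC patterns into particular stages are constructed assumptions for illustration.

```python
"""Added example (not from the slide deck): a lifecycle-stage by ecosystem-layer
attack analysis matrix pairing the threat actor's observables (offense side)
with the defender's mitigations (defense side)."""
from collections import defaultdict

# Stage names are the deck's Cyber Attack Lifecycle; layer names are the deck's
# cyber terrain layers (Logical = Logical Layers / Communications Ports & Protocols).
STAGES = ["Recon", "Weaponize", "Deliver", "Exploit", "Control", "Execute", "Maintain"]
LAYERS = ["Geographic", "Physical", "Logical", "Machine Language",
          "Operating System", "Software App", "Persona", "Organization", "Government"]


class AttackAnalysisMatrix:
    """One cell per (stage, layer); offense observables and defense countermeasures per cell."""

    def __init__(self):
        self.observables = defaultdict(list)      # (stage, layer) -> indicators seen
        self.countermeasures = defaultdict(list)  # (stage, layer) -> mitigations in place

    @staticmethod
    def _cell(stage, layer):
        if stage not in STAGES or layer not in LAYERS:
            raise ValueError(f"unknown stage/layer: {stage}/{layer}")
        return (stage, layer)

    def observe(self, stage, layer, indicator, capec=None):
        """Offense side: record an observable, optionally tagged with the CAPEC pattern it matches."""
        label = f"{indicator} [CAPEC-{capec}]" if capec else indicator
        self.observables[self._cell(stage, layer)].append(label)

    def mitigate(self, stage, layer, control):
        """Defense side: record a technology or process based countermeasure for a cell."""
        self.countermeasures[self._cell(stage, layer)].append(control)

    def layers_observed(self, stage):
        """Layers in which the threat actor left observables for this stage."""
        return [layer for layer in LAYERS if self.observables.get((stage, layer))]

    def thinly_covered_stages(self, min_layers=2):
        """Stages with observables in fewer than min_layers layers: the resilience
        argument on the Benefits slide wants several independent indicators per stage."""
        return [s for s in STAGES if len(self.layers_observed(s)) < min_layers]

    def unmitigated_cells(self):
        """Cells where offense was observed but defense has nothing: the planning gaps."""
        return [(s, l) for s in STAGES for l in LAYERS
                if self.observables.get((s, l)) and not self.countermeasures.get((s, l))]


def build_sample():
    """Constructed sample attack; addresses use the 203.0.113.0/24 documentation range
    and the CAPEC-to-stage placement is an assumption, not a CAPEC mapping."""
    m = AttackAnalysisMatrix()
    m.observe("Recon", "Logical", "TCP/IP fingerprinting probes from 203.0.113.0/24", capec=315)
    m.observe("Recon", "Persona", "social information gathering on finance staff", capec=404)
    m.observe("Deliver", "Logical", "mail relayed from 203.0.113.7")
    m.observe("Deliver", "Persona", "spear phishing lure addressed to finance staff", capec=163)
    m.observe("Exploit", "Software App", "buffer overflow in document viewer API call", capec=8)
    m.observe("Control", "Logical", "periodic beacon to c2.invalid (constructed)")
    m.observe("Maintain", "Operating System", "new Run key pointing into the user profile", capec=270)

    m.mitigate("Recon", "Logical", "perimeter drops unsolicited probes and logs the source")
    m.mitigate("Deliver", "Logical", "mail gateway blocks sender infrastructure from the intel report")
    m.mitigate("Deliver", "Persona", "process: targeted phishing briefing for finance staff")
    m.mitigate("Control", "Logical", "egress filtering plus DNS sinkhole for reported C2 names")
    m.mitigate("Maintain", "Operating System", "alert on Run key changes; IR playbook for persistence")
    return m


if __name__ == "__main__":
    sample = build_sample()
    print("stages lacking layered indicators:", sample.thinly_covered_stages())
    print("observed but unmitigated cells:", sample.unmitigated_cells())
```

Running it lists Weaponize and Execute (nothing observed at all), Exploit, Control and Maintain (observed in only one layer) as stages where the defender relies on a single indicator, and Recon/Persona and Exploit/Software App as cells with an observable but no countermeasure, which is where the next Plan step should start.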
Boyd Cycle / OODA Loop
• Decision cycle developed by USAF Colonel John Boyd, who applied it to combat operations. Often applied to understand commercial operations and learning processes.
http://en.wikipedia.org/wiki/OODA_loop
Threat Intelligence Method
1. Observe – Observe each stage of the attack; collect and process the available data and information about the attack for each layer of the cyber ecosystem.
2. Orient – Analyze and synthesize the attack data and information for each stage and layer. Orient on the Threat Actor’s methods of operation and use of technology to identify observable indicators in the attack data for each stage across one or more layers of the cyber ecosystem.
3. Decide – Based on the Threat Actor’s modus operandi and the identified observables and indicators, decide whether this attack is from a new threat actor or is part of a larger campaign. Produce a threat intelligence report.
4. Act – Disseminate the threat intelligence report.
Pivot & Chain Into Campaigns
(Diagram: four successive views of an attack sequence growing from Attack 1-3 to Attack 1-6; each attack is labelled with the threat actor it is attributed to, APT 1 or APT 2, and with CC1 or CC2.)
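The Decide step of the Threat Intelligence Method and this slide describe the same operation: pivot on an indicator seen in one attack, find the other attacks that share it, and chain them into a campaign that can be attributed to a known actor or flagged as a possible new one. The Python below is an added example, not code from the presentation. Every attack record, indicator value and actor profile is constructed (domains use the reserved `.invalid` TLD, hash values are placeholders), and the `PIVOT_TYPES` rule, that only specific indicator types such as C2 names, file hashes and sender addresses are allowed to link attacks while generic observations such as user agents are not, is the example's own design choice rather than something the deck prescribes.

```python
"""Added example (not from the slide deck): chain attacks into campaigns by
pivoting on shared, specific indicators, then attribute each campaign."""
from collections import defaultdict

# Indicators are "type:value" strings. Only these types are specific enough to
# pivot on; generic observations would chain unrelated attacks together.
PIVOT_TYPES = ("c2", "sha256", "sender")

# Constructed attack records (reserved .invalid domains, placeholder hashes).
ATTACKS = [
    {"id": "A1", "indicators": {"c2:cc1.invalid", "sender:hr@recruit.invalid", "useragent:Mozilla/5.0"}},
    {"id": "A2", "indicators": {"c2:cc1.invalid", "sha256:HASH-B-PLACEHOLDER"}},
    {"id": "A3", "indicators": {"c2:cc2.invalid", "useragent:Mozilla/5.0"}},
    {"id": "A4", "indicators": {"c2:cc2.invalid", "sha256:HASH-D-PLACEHOLDER"}},
    {"id": "A5", "indicators": {"sha256:HASH-D-PLACEHOLDER", "sender:billing@invoice.invalid"}},
    {"id": "A6", "indicators": {"c2:cc3.invalid", "useragent:Mozilla/5.0"}},
]

# Constructed actor profiles, i.e. indicators from earlier threat intelligence reports.
KNOWN_ACTORS = {
    "APT 1": {"c2:cc1.invalid"},
    "APT 2": {"c2:cc2.invalid", "sender:billing@invoice.invalid"},
}


def is_pivot(indicator, pivot_types=PIVOT_TYPES):
    return indicator.split(":", 1)[0] in pivot_types


def chain_into_campaigns(attacks, pivot_types=PIVOT_TYPES):
    """Union-find over attacks: two attacks join the same campaign when they share
    a pivotable indicator. Returns sorted lists of attack ids, one per campaign."""
    parent = {a["id"]: a["id"] for a in attacks}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    first_seen = {}  # indicator -> first attack that exhibited it
    for attack in attacks:
        for ind in sorted(attack["indicators"]):
            if not is_pivot(ind, pivot_types):
                continue
            if ind in first_seen:
                union(first_seen[ind], attack["id"])
            else:
                first_seen[ind] = attack["id"]

    groups = defaultdict(list)
    for attack in attacks:
        groups[find(attack["id"])].append(attack["id"])
    return sorted(sorted(g) for g in groups.values())


def analyze(attacks=ATTACKS, known_actors=KNOWN_ACTORS, pivot_types=PIVOT_TYPES):
    """Decide step: for each campaign, list the indicators that actually linked its
    attacks and the known actors whose profiles overlap; no overlap means a candidate
    new threat actor that needs its own report."""
    by_id = {a["id"]: a for a in attacks}
    result = []
    for campaign in chain_into_campaigns(attacks, pivot_types):
        counts = defaultdict(int)
        for aid in campaign:
            for ind in by_id[aid]["indicators"]:
                if is_pivot(ind, pivot_types):
                    counts[ind] += 1
        shared = sorted(ind for ind, n in counts.items() if n >= 2)
        actors = sorted(name for name, profile in known_actors.items() if profile & set(counts))
        verdict = (f"part of a larger {' / '.join(actors)} campaign" if actors
                   else "no overlap with known actors: candidate new threat actor")
        result.append({"attacks": campaign, "shared": shared, "actors": actors, "verdict": verdict})
    return result


if __name__ == "__main__":
    for c in analyze():
        print(c["attacks"], c["shared"], "->", c["verdict"])
```

With the constructed data, A1 and A2 chain through the shared C2 name and attribute to APT 1; A3, A4 and A5 chain through a C2 name and a file hash and attribute to APT 2; A6 shares nothing specific and is reported as a candidate new actor. Passing `useragent` in `pivot_types` collapses all six attacks into one campaign, which is the caveat the type filter exists to prevent.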
PDCA – Plan Do Check Act
• Iterative four-step management method used in business for the control and continuous improvement of processes and products. AKA Deming circle/cycle/wheel, Shewhart cycle, or as seen in ISO 9001.
http://en.wikipedia.org/wiki/PDCA
Active Defense Method
1. Plan – Plan active defense courses of action based on threat intelligence for each stage of the Threat Actor’s attack, considering both technical and process based mitigations and countermeasures for each layer of the Defender’s cyber defense ecosystem.
2. Do – Implement the intelligence based courses of action to mitigate and counter the Threat Actor’s attack and to increase the Defender’s resilience to future attacks by this threat actor.
3. Check – Measure the quality of the threat intelligence and the effectiveness of the mitigations and countermeasures over time.
4. Act – Provide feedback on the quality of the threat intelligence and the effectiveness of the mitigations and countermeasures; take action to continuously improve the security and resilience of the cyber ecosystem.
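The Check and Act steps only work if the defender records, per attack and per lifecycle stage, whether an intelligence-derived indicator matched and whether a countermeasure actually stopped the attack there. The Python below is an added example, not code from the presentation, of turning such records into the two measurements the Check step names (intelligence quality as detection rate, countermeasure effectiveness as block rate) and into concrete feedback items for the Act step. The incident records and the `detected`/`blocked` field semantics are constructed for illustration.

```python
"""Added example (not from the slide deck): Check-step measurements and Act-step
feedback for the Active Defense method, computed from per-stage incident records."""
from collections import defaultdict

STAGES = ["Recon", "Weaponize", "Deliver", "Exploit", "Control", "Execute", "Maintain"]

# Constructed records, one per stage the defender observed for each attack:
#   detected = an indicator from the threat intelligence report matched at that stage
#   blocked  = a countermeasure at that stage stopped the attack from progressing
RECORDS = [
    {"attack": "A1", "stage": "Recon",    "detected": True,  "blocked": False},
    {"attack": "A1", "stage": "Deliver",  "detected": True,  "blocked": True},
    {"attack": "A2", "stage": "Deliver",  "detected": False, "blocked": False},
    {"attack": "A2", "stage": "Exploit",  "detected": True,  "blocked": False},
    {"attack": "A2", "stage": "Control",  "detected": True,  "blocked": True},
    {"attack": "A3", "stage": "Deliver",  "detected": False, "blocked": False},
    {"attack": "A3", "stage": "Exploit",  "detected": False, "blocked": False},
    {"attack": "A3", "stage": "Control",  "detected": True,  "blocked": False},
    {"attack": "A3", "stage": "Maintain", "detected": True,  "blocked": False},
]


def stage_metrics(records):
    """Per stage: observed/detected/blocked counts, detection rate (intel quality)
    and block rate (countermeasure effectiveness); rates are None when nothing was observed."""
    m = {s: {"observed": 0, "detected": 0, "blocked": 0} for s in STAGES}
    for r in records:
        if r["stage"] not in m:
            raise ValueError(f"unknown stage: {r['stage']}")
        cell = m[r["stage"]]
        cell["observed"] += 1
        cell["detected"] += int(r["detected"])
        cell["blocked"] += int(r["blocked"])
    for cell in m.values():
        n = cell["observed"]
        cell["detection_rate"] = cell["detected"] / n if n else None
        cell["block_rate"] = cell["blocked"] / n if n else None
    return m


def first_blocked_stage(records):
    """attack -> earliest lifecycle stage at which a countermeasure stopped it (None if never).
    Stopping earlier in the lifecycle is the goal of intelligence-based planning."""
    out = {}
    for r in sorted(records, key=lambda r: STAGES.index(r["stage"])):
        out.setdefault(r["attack"], None)
        if r["blocked"] and out[r["attack"]] is None:
            out[r["attack"]] = r["stage"]
    return out


def act_items(records):
    """Feedback for the Act step: where detection happened without a block (plan a
    countermeasure), where indicators missed (improve the intelligence), and which
    attacks ran the whole lifecycle unblocked (resilience gap)."""
    m = stage_metrics(records)
    return {
        "detected_but_unblocked_stages": [s for s in STAGES if m[s]["detected"] and not m[s]["blocked"]],
        "stages_with_missed_detections": [s for s in STAGES
                                          if m[s]["observed"] and m[s]["detected"] < m[s]["observed"]],
        "unblocked_attacks": sorted(a for a, s in first_blocked_stage(records).items() if s is None),
    }


if __name__ == "__main__":
    for stage, cell in stage_metrics(RECORDS).items():
        if cell["observed"]:
            print(f"{stage:9} detection {cell['detection_rate']:.2f}  block {cell['block_rate']:.2f}")
    print(first_blocked_stage(RECORDS))
    print(act_items(RECORDS))
```

On the constructed records, Deliver-stage intelligence only matched one of three attempts, so the Act feedback asks for better delivery indicators before asking for more Deliver-stage controls, while Exploit and Maintain had matching indicators but nothing that stopped the attack, which is a countermeasure gap rather than an intelligence gap. A3 was never blocked and is the case to walk back through the matrix.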
Methods Combined
(Diagram: a timeline from 2009 to 2015 with the Threat Intelligence Cycle and the Active Defense Cycle shown running along it.)
Cyber Ecosystem Attack Analysis Methodology
(Diagram: the same stage-by-layer grid as the Cyber Ecosystem Attack Analysis slide, with the Threat Intelligence Cycle drawn on the Offense side and the Active Defense Cycle on the Defense side.)
• Stages: Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain
• Layers on both sides: Geographic Layer, Physical Layer, Logical Layers / Communications Ports & Protocols, Machine Language Layer, Operating System Layer, Software App Layer, Persona Layer, Organization Layer, Government Layer
• Offense – Threat Actors / People: Threat Actor’s use of technology and observable technical indicators (Technology / Cyber Terrain); Threat Actor’s Modus Operandi (Methods of Operation) (Processes / TTPs)
• Defense – Defenders: Defender’s technology based mitigations and countermeasures (Technology / Cyber Terrain); Defender’s process based mitigations and countermeasures (Processes / TTPs)
• Threat Intelligence Cycle (Offense) and Active Defense Cycle (Defense)
Benefits
• Takes a more holistic approach by considering the attack across both the Threat Actor’s cyber offense ecosystem and the Defender’s cyber defense ecosystem.
• Enables the Defender to better identify, chain, and track Threat Actors and Campaigns over time.
• Enables a more resilient cyber defense ecosystem by having multiple observable indicators for each stage of attack across different layers of the ecosystem.
• Costs the Threat Actor considerably more to defeat layered, intelligence based mitigations and countermeasures.
Additional Recommendations
• Adopt STIX, TAXII, and CybOX for Threat Intelligence with MAEC, CAPEC, CWE, CVE, CCE extensions. (http://msm.mitre.org)
  – Automation
  – Interoperability
    • Semantic Interoperability
    • Technical Interoperability
    • Policy Interoperability
Source: http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
Summary
• Following this methodology will reduce the defender’s cost per attack while increasing the threat actor’s cost to overcome it.
• Based on methods many organizations already use: OSI Model, OODA Loop, and PDCA cycle.
• Maturing from a reactive, passive defense posture to a more proactive, active defense posture.
Thank You!
• Please feel free to reach out with any questions or comments.
• You can find me on LinkedIn at: www.linkedin.com/in/shawnriley71/