Post on 15-Jan-2015
Best Practices for Leveraging Security Threat Intelligence
Dave Shackleford, Voodoo Security and SANS
Russell Spitler, AlienVault
© 2014 The SANS™ Institute - www.sans.org
What IS threat intelligence?
• Threat intelligence is the set of data collected, assessed, and applied regarding:
  – Security threats
  – Threat actors
  – Exploits
  – Malware
  – Vulnerabilities
  – Compromise indicators
What Threat Intelligence ISN’T
• Regarding data for threat intelligence:
  – Not just one type of data
  – Not just one source of data
  – Not just internal or external
• Threat intelligence is also not one form of analysis or reporting
• Threat intelligence can mean different things to different organizations
  – This is 100% OK.
Advanced Threats
• Malware-based espionage staged by threat actors that
  – Aggressively pursue and compromise specific targets
  – Often leverage social engineering
  – Maintain a persistent presence within the victim’s network
  – Escalate privilege and move laterally within the victim’s network
  – Extract sensitive information to locations under the attacker’s control
Today’s Attack Cycle
1. Intelligence Gathering: Target individuals
2. Point of Entry: Social engineering and malware deployment
3. C&C Communication
4. Lateral Movement
5. Asset/Data Discovery: What is important and/or sensitive?
6. Data Exfiltration: Data sent outbound to systems under the attacker’s control
What’s This Leading To?
Source: http://www.forrester.com/Five+Steps+To+Build+An+Effective+Threat+Intelligence+Capability/fulltext/-/E-RES83841
Why Threat Intelligence?
• Attackers are innovating faster than we are
• “Productization” of malware
  – Attack kits and “crimeware”
  – Reuse of malware and C2 protocols
  – Botnets for rent
• Other organizations have likely seen similar attacks or variants
  – We can help each other share information to defend better
Adversary Analysis
• Why develop adversary profiles?
  – Adversary profiles can provide clues as to attacks, targets, and techniques commonly used
• Adversary Types
  – Unsophisticated – “script kiddies”
  – Competitors
  – State-sponsored
  – Organized Crime
  – Insiders (can also be one of the above)
What kinds of data can we share?
• DNS entries that are or should be blacklisted
• Countries of origin with specific reputation criteria
• Types of events to look out for:
  – Application attacks
  – Ports and IP addresses
  – Specific types of malware detected
• Vertical-specific likelihood
• And more…
Intelligence can drive Investigations
• Intelligence-driven investigations are based on the preservation of the relationships between the components of individual attacks so that they can be clustered as a campaign.
• Investigative Components
  – Malware Analysis
  – Network Analysis
  – Underground Analysis
  – “Big Data” Analysis
How to Evaluate Threat Intel Services and Providers
• The first key differentiator is data DIVERSITY:
  – Where does the data come from?
  – What type(s) of data do you get?
  – Do IOC artifacts come in one format (i.e., file hashes) or multiple?
  – What specifics are available (vertical/industry, geography, etc.)?
How to Evaluate Threat Intel Services and Providers
• The second differentiator is data ANALYSIS:
  – What kind of analysis is performed?
  – Who does the analysis?
  – To what depth is analysis done – basic IOCs, or full traceback?
  – Is the data correlated with other information?
How to Evaluate Threat Intel Services and Providers
• The third differentiator is data QUALITY:
  – Does the data go through a “QA” process?
  – Is data revisited/re-analyzed to ensure it is still accurate?
  – When are indicators “expired”?
  – What is the expiration strategy/lifecycle … on an ongoing basis?
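The "what data can we share" and "data quality" slides above both come down to the same practical question: which indicator types does a feed carry, and how long should each stay active before it is expired? The following is an added example, not code from the SANS or AlienVault material. It models a tiny feed with three indicator types, applies a per-type time-to-live as the expiration strategy, and matches only the still-active indicators against a handful of log lines. The feed entries, TTL values, log lines, hosts, addresses and the hash are all constructed placeholders.

```python
"""Added example: IOC feed with a per-type expiration policy, matched against
constructed log lines. Nothing here is a real indicator."""
import re
from datetime import date, timedelta

# Constructed sample feed. The host, address and hash are placeholders.
FEED = [
    {"type": "domain", "value": "updates.example-bad.test",
     "last_seen": date(2014, 12, 20), "source": "partner-a"},
    {"type": "ip", "value": "203.0.113.45",
     "last_seen": date(2014, 10, 1), "source": "partner-b"},
    {"type": "sha256", "value": "a" * 64,
     "last_seen": date(2014, 12, 28), "source": "sandbox"},
]

# Expiration strategy (assumed values): network indicators churn quickly because
# addresses get re-assigned and domains get parked, so they age out sooner;
# a file hash rarely becomes benign, so it is kept far longer.
TTL_DAYS = {"ip": 30, "domain": 90, "sha256": 365}


def is_active(ioc, today):
    """An indicator is active while it is within its type's TTL of last sighting."""
    return today - ioc["last_seen"] <= timedelta(days=TTL_DAYS[ioc["type"]])


def active_indicators(feed, today):
    return [i for i in feed if is_active(i, today)]


# Constructed log lines: DNS query log, proxy log and an AV event with a hash.
LOGS = [
    "2015-01-10T09:12:03Z dns client=10.0.0.7 query=updates.example-bad.test type=A",
    "2015-01-10T09:12:04Z proxy client=10.0.0.7 dst=203.0.113.45 "
    "url=http://updates.example-bad.test/x.jar",
    "2015-01-10T09:12:05Z av client=10.0.0.7 file=x.jar sha256=" + "a" * 64,
    "2015-01-10T09:15:00Z dns client=10.0.0.9 query=www.example.org type=A",
]

# Split on whitespace, '=', '/' and ':' so that a hostname inside a URL and a
# value after 'key=' both become stand-alone tokens.
TOKEN_SPLIT = re.compile(r"[\s=/:]+")


def match_logs(feed, logs, today):
    """Return (log line, indicator) pairs for active indicators seen in the logs."""
    by_value = {i["value"]: i for i in active_indicators(feed, today)}
    hits = []
    for line in logs:
        for token in TOKEN_SPLIT.split(line):
            if token in by_value:
                hits.append((line, by_value[token]))
    return hits


def demo(today_iso="2015-01-10"):
    """Summarise feed state and matches as of a given day (ISO date string)."""
    today = date.fromisoformat(today_iso)
    return {
        "active": len(active_indicators(FEED, today)),
        "expired": [i["type"] for i in FEED if not is_active(i, today)],
        "hits": [(line, ioc["type"]) for line, ioc in match_logs(FEED, LOGS, today)],
    }


if __name__ == "__main__":
    for line, kind in demo()["hits"]:
        print(kind, "->", line)
```

As of 2015-01-10 the IP indicator is past its 30-day TTL, so the proxy line is flagged only for the domain inside its URL, not for the destination address; re-running `demo("2014-10-20")` shows the same line producing two hits while the IP was still fresh. That is the point of the QA questions on the slide: a feed without an expiration strategy keeps matching on stale addresses and buries analysts in false positives.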
Example: Sinkhole Case
• A known malware propagation platform communicating with a C&C server
• This can fuel a sinkhole approach
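The sinkhole approach the slide refers to works in two halves: the resolver answers known C&C names with an address you control, and the listener at that address then records every internal host that tries to check in. The following is an added example written for this page, not AlienVault or SANS code, showing both halves in a few lines. The C&C domain names, the sinkhole address and the listener log lines are constructed placeholders, and `upstream` stands in for whatever normal resolution the resolver would otherwise perform.

```python
"""Added example: DNS sinkhole for known C&C names plus triage of the hosts
that land on it. All names and addresses are constructed placeholders."""
from collections import defaultdict

# Constructed C&C names; in practice these come from the threat feed.
C2_DOMAINS = {"cdn.update-check.test", "api.metrics-push.test"}
# Constructed address of the internal sinkhole listener.
SINKHOLE_IP = "10.255.255.254"


def sinkhole_resolve(qname, upstream):
    """Resolver hook: answer C&C names (and any subdomain of them) with the
    sinkhole address, otherwise defer to the normal upstream resolution."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in C2_DOMAINS:
            return SINKHOLE_IP
    return upstream(qname)


# Constructed sinkhole listener log. Every infected client that followed the
# poisoned answer shows up here, while the real C&C server never hears from it.
SINKHOLE_HITS = [
    "2015-01-12T08:01:10Z src=10.0.4.21 host=cdn.update-check.test path=/gate.php",
    "2015-01-12T08:01:40Z src=10.0.4.21 host=cdn.update-check.test path=/gate.php",
    "2015-01-12T08:03:02Z src=10.0.7.5 host=api.metrics-push.test path=/beacon",
    "2015-01-12T08:04:00Z src=10.0.4.21 host=api.metrics-push.test path=/beacon",
]


def infected_hosts(hits):
    """Group sinkhole hits by internal source address: the containment worklist,
    with how often each host beaconed and which C&C names it asked for."""
    by_src = defaultdict(lambda: {"count": 0, "domains": set()})
    for line in hits:
        fields = dict(f.split("=", 1) for f in line.split()[1:])
        rec = by_src[fields["src"]]
        rec["count"] += 1
        rec["domains"].add(fields["host"])
    return dict(by_src)


if __name__ == "__main__":
    for src, rec in sorted(infected_hosts(SINKHOLE_HITS).items()):
        print(src, rec["count"], sorted(rec["domains"]))
```

The subdomain walk in `sinkhole_resolve` matters because malware rarely contacts the bare registered name; matching `x.cdn.update-check.test` as well as `cdn.update-check.test` keeps a single feed entry effective. The listener log is where the intelligence pays off: one sinkholed name yields a list of internal hosts to isolate and reimage.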
Example: C&C Events
• Active malware command and control communications
Example: File Download Activity
• File download IOC:
Example: Java File Download
• Another malware download example, this time with a Java .jar file:
AlienVault Open Threat Exchange
Open Threat Exchange (OTX) is a framework to allow collaboration for enhanced threat assessment and response
Built into AlienVault USM & OSSIM
• Diverse threat data
  – Unified Security Management
  – SIEM, IDS, VA, HIDS, Netflow in one product
• Diverse install base
  – >12,000 installations
  – Open Source & Commercial
Automate Threat Sharing & Action
(Workflow diagram, built up over five slides: a “Bad Guy” attacks AlienVault USM or OSSIM Installation 1, which contributes to AlienVault OTX, which in turn feeds AlienVault USM or OSSIM Installation 2.)
1. Observed Attack (at Installation 1)
2. Anonymous Contribution (Installation 1 to OTX)
3. Data Validation (at OTX)
4. Distribute Threat Intelligence (OTX to Installation 2)
5. Identify Malicious Activity (at Installation 2)
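The five-step exchange in the diagram is easier to reason about as data transformations. The following is an added example written for this page, not AlienVault's OTX implementation: it anonymises an observed event before contribution, validates at the exchange by requiring independent reporters, distributes the result as a simple list, and identifies matching activity at a consuming installation. The events, the opaque installation ids, the address ranges treated as internal and the two-reporter threshold are all constructed assumptions.

```python
"""Added example: the observe / contribute / validate / distribute / identify
workflow as plain functions. Events, reporter ids and addresses are constructed."""
import ipaddress
from collections import defaultdict

# Assumed internal ranges (RFC 1918 plus loopback and link-local). A real
# deployment adds its own public prefixes so they are never reported as attackers.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


# Fields that identify the victim and must not leave the organisation.
VICTIM_FIELDS = {"victim_ip", "victim_host", "username"}


def anonymize(event, reporter_id):
    """Step 2: strip victim details, keep the attacker address and what was seen.
    reporter_id is an opaque per-installation token (assumed), so the exchange can
    count independent reporters without learning who they are."""
    if is_internal(event["src_ip"]):
        return None  # sensor behind NAT or misconfigured: nothing shareable
    shared = {k: v for k, v in event.items() if k not in VICTIM_FIELDS}
    shared["reporter"] = reporter_id
    return shared


def validate(contributions, min_reporters=2):
    """Step 3: promote an address only when independent installations agree."""
    reporters = defaultdict(set)
    for c in contributions:
        reporters[c["src_ip"]].add(c["reporter"])
    return {ip: len(r) for ip, r in reporters.items() if len(r) >= min_reporters}


def distribute(validated):
    """Step 4: the list other installations consume."""
    return sorted(validated)


def identify(feed, local_events):
    """Step 5: at the consuming installation, flag traffic from listed sources."""
    listed = set(feed)
    return [e for e in local_events if e["src_ip"] in listed]


# Step 1: constructed observations, as (reporter id, event) pairs.
OBSERVED = [
    ("inst-1", {"src_ip": "203.0.113.45", "sig": "SSH brute force",
                "victim_ip": "10.1.2.3", "victim_host": "bastion01", "username": "root"}),
    ("inst-2", {"src_ip": "203.0.113.45", "sig": "SSH brute force",
                "victim_ip": "172.16.9.9", "victim_host": "jump02", "username": "admin"}),
    ("inst-3", {"src_ip": "198.51.100.7", "sig": "Web scan",
                "victim_ip": "10.9.9.9", "victim_host": "www1", "username": "-"}),
    ("inst-3", {"src_ip": "192.168.5.5", "sig": "Web scan",
                "victim_ip": "10.9.9.9", "victim_host": "www1", "username": "-"}),
]

# Constructed local events at a fourth installation that only consumes the feed.
LOCAL_EVENTS_INST4 = [
    {"src_ip": "203.0.113.45", "sig": "SSH login failed"},
    {"src_ip": "198.51.100.7", "sig": "Web scan"},
    {"src_ip": "192.0.2.10", "sig": "Web scan"},
]


def run_pipeline():
    contributions = [c for c in (anonymize(e, r) for r, e in OBSERVED) if c]
    validated = validate(contributions)
    feed = distribute(validated)
    return {"contributions": contributions, "validated": validated,
            "feed": feed, "flagged": identify(feed, LOCAL_EVENTS_INST4)}


if __name__ == "__main__":
    result = run_pipeline()
    print("feed:", result["feed"])
    print("flagged:", result["flagged"])
```

Two design points carry the weight here. The contribution step refuses events whose "attacker" is an internal address, because a sensor behind NAT would otherwise publish the organisation's own hosts to the exchange. The validation step counts distinct reporters rather than raw event volume, so one noisy installation (or one poisoned sensor) cannot push an address into everyone else's block list on its own; the scanning source seen by only one installation stays out of the feed until another reporter confirms it.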
Current OTX Participation
• 17,000 contributions per day
• 140 countries
• 500k IPs, URLs, and malware samples analyzed daily
Attack Trends and Examples
• Current attack trends include:
  – Stealth malware
  – HTTP/HTTPS C&C channels
  – Anti-forensics
  – New and varied DDoS tactics
  – Myriad Web app attacks
  – Client-side attacks with social engineering as the primary attack vector
• How can we learn about these?
Conclusion
• We’re all facing attacks, all the time
• We have a lot of data – why not share it?
• To advance the state of threat intelligence, we’ll need to collaborate and correlate data at a much larger scale
• OTX is one effort to do just that
Questions?
Follow-up?
Q@SANS.ORG
Thank You!