Siemens CERT
Building an Efficient Incident Response Process Using Threat Intelligence
A Global Enterprise Perspective
Thomas Schreck | Siemens CERT | Borderless Cyber Europe 2016
Public © Siemens AG 2016, September 2016
Principal Engineer at Siemens CERT
Director of FIRST.org
How we think Cyber Threat Intelligence is working …
… and here is the reality!
4741a7df46e61985544c647a401e94f7
PDF Reports
Empty File Hash
What is Cyber Threat Intelligence?
Threat intelligence is a vital part of network defense and incident response, including information about threats, TTPs, and devices that adversaries employ; the systems and information that they target; and any other threat-related information that provides greater situational awareness, with the following characteristics:
• Timely
• Relevant
• Accurate
• Specific
• Actionable
[Diagram: levels of threat intelligence: Strategic / Tactical; TTPs / IoCs]
What can it be used for?
[Diagram: CTI used for Situational Awareness, Hardening, Detection and Response]
Capabilities and Tasks: The 4 pillars of Threat Intelligence
Intel Sourcing
• Other CERTs & TI communities, open source intelligence
• Subscriptions to Intel companies
• Internal sources, like Malware Analysis and Investigations
Intel Usage
• Integrate Intel in our existing TI platform
• Make Intel “actionable” for our consumers
• Aggregate strategic Intel to build a Threat Landscape
Intel Management
• Manually vet incoming Intel
• Store Intel in a structured way
• Integrate other forms of QA in the Intel lifecycle (e.g., rating)
• Link Intel to respective IOCs
Intel Sharing
• Share Intel with different communities
• Fast sharing using open standards
• Contribute to the development of sharing platforms
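The Intel Management pillar (manual vetting, structured storage, QA such as rating, TLP marking) and the "empty file hash" reality slide both come down to mechanical checks that should run before any feed item is stored or pushed to sensors. The following script is an added illustration, not Siemens CERT code: the JSON-lines feed format, the field names, the `SOURCE_RATING` table and the sample records are all constructed for the example. It rejects hashes of an empty file (computed at runtime rather than hard-coded), non-routable addresses, unknown sources, missing TLP markings and indicators without context, and stores what survives in a fixed record structure.

```python
"""Vetting incoming intel and storing it in a structured record (added example)."""
import hashlib
import ipaddress
import json
import re
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Digests of an empty input: a feed that lists these as "malware hashes" is the
# "empty file hash" problem from the slides. Computed here, not copied from a list.
EMPTY_DIGESTS = {
    hashlib.md5(b"").hexdigest(),
    hashlib.sha1(b"").hexdigest(),
    hashlib.sha256(b"").hexdigest(),
}
HASH_LENGTHS = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
# Addresses that can never be a useful network indicator. A production list would
# also contain the organisation's own ranges; checked explicitly so that
# documentation addresses (198.51.100.0/24) used in the sample still pass.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
    "::1/128", "fe80::/10", "fc00::/7")]
# Assumed per-source rating (the "rating" QA step), 0-100.
SOURCE_RATING = {"internal-malware-lab": 90, "partner-cert": 70, "vendor-feed": 50}
TLP_COLOURS = ("RED", "AMBER", "GREEN", "WHITE")


@dataclass
class Indicator:
    """Structured record as the TI platform would store it (assumed schema)."""
    kind: str
    value: str
    source: str
    tlp: str
    rating: int
    first_seen: str
    context: str


def classify(value: str) -> Optional[str]:
    """Infer the indicator type from its syntax; None if unrecognised."""
    v = value.strip().lower()
    if len(v) in HASH_LENGTHS and re.fullmatch(r"[0-9a-f]+", v):
        return HASH_LENGTHS[len(v)]
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    return "domain" if DOMAIN_RE.match(v) else None


def vet(raw: dict) -> Tuple[Optional[Indicator], Optional[str]]:
    """Return (indicator, None) if the record passes, else (None, reason)."""
    value = str(raw.get("value", "")).strip().lower()
    kind = classify(value)
    if kind is None:
        return None, "unrecognised indicator syntax"
    if kind in HASH_LENGTHS.values() and value in EMPTY_DIGESTS:
        return None, "hash of an empty file"
    if kind == "ip" and any(ipaddress.ip_address(value) in n for n in NON_ROUTABLE):
        return None, "non-routable address (private/loopback/reserved)"
    tlp = str(raw.get("tlp", "")).upper()
    if tlp not in TLP_COLOURS:
        return None, "missing or unknown TLP marking"
    source = raw.get("source", "")
    if source not in SOURCE_RATING:
        return None, "unknown source %r" % source
    context = str(raw.get("context", "")).strip()
    if not context:
        return None, "no context; not actionable"
    first_seen = raw.get("first_seen") or date.today().isoformat()
    return Indicator(kind, value, source, tlp, SOURCE_RATING[source], first_seen, context), None


def ingest(feed_lines: List[str]):
    """Vet each JSON line; return (accepted indicators, [(value, reason)] rejects)."""
    accepted, rejected = [], []
    for line in feed_lines:
        raw = json.loads(line)
        ind, reason = vet(raw)
        if ind is not None:
            accepted.append(ind)
        else:
            rejected.append((raw.get("value"), reason))
    return accepted, rejected


# Constructed sample feed (JSON lines). Values are documentation/example names.
SAMPLE_FEED = [
    '{"value": "d41d8cd98f00b204e9800998ecf8427e", "source": "vendor-feed", "tlp": "GREEN", "context": "dropper", "first_seen": "2016-09-01"}',
    '{"value": "10.1.2.3", "source": "partner-cert", "tlp": "AMBER", "context": "C2", "first_seen": "2016-09-02"}',
    '{"value": "evil-update.example", "source": "partner-cert", "tlp": "AMBER", "context": "C2 domain of campaign X", "first_seen": "2016-09-02"}',
    '{"value": "198.51.100.23", "source": "internal-malware-lab", "tlp": "RED", "context": "", "first_seen": "2016-09-03"}',
    '{"value": "198.51.100.23", "source": "internal-malware-lab", "tlp": "RED", "context": "C2 seen in sandbox run 42", "first_seen": "2016-09-03"}',
    '{"value": "not an indicator!", "source": "vendor-feed", "tlp": "GREEN", "context": "x"}',
    '{"value": "bad.example", "source": "random-paste", "tlp": "GREEN", "context": "x"}',
]

if __name__ == "__main__":
    ok, bad = ingest(SAMPLE_FEED)
    for i in ok:
        print("STORE", i)
    for value, reason in bad:
        print("REJECT", value, "->", reason)
```

Every reject carries a reason so that the manual vetting step sees why the platform refused a record instead of silently dropping it; the rating is attached per source here, and in practice would be refined per indicator as feedback from incidents arrives.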
Managing and Utilizing Threat Intelligence
Managing Cyber Threat Intelligence
[Diagram: the intelligence cycle] Planning → Collection → Processing → Analysis & Production → Dissemination → back to Planning
Utilizing Threat Intelligence
[Diagram: the Threat Intelligence Platform and its surroundings]
• Threat Intelligence Platform: fed by Internal & External Intelligence Sharing; provides Indicators and Threat Intelligence
• Data sources for Analysis: Proxies, Firewall, Shadowserver, DHCP, DNS, pDNS, Malware Analysis, Forensic, various data sources
• Monitoring Solution, supported by various scripts
• Analyst
• Incident Handling: Ticketing, Abuse Reporting, Cleaning up, Lessons Learned, etc.
• Tooling: Ticket system (RT, OTRS, Jira), Wiki (Mediawiki, Confluence), Emailing (PGP, S/MIME), Scripts for Automation, etc.
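The diagram's core loop is indicators leaving the TI platform, being matched against sensor data (proxies, DNS), and hits turning into tickets for incident handling. The script below is an added example of that loop, not Siemens CERT's monitoring solution: the indicator export format, the squid-style proxy lines, the BIND-style query-log lines and the ticket fields are constructed for the illustration. Domain indicators also cover their subdomains, one line yields at most one hit per indicator, and each ticket inherits the most restrictive TLP marking of the indicators it cites, because the ticket text will carry that intel onward.

```python
"""Matching platform indicators against proxy and DNS logs (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed indicator export from the TI platform (assumed fields).
INDICATORS = [
    {"type": "domain", "value": "evil-update.example", "source": "partner-cert",
     "tlp": "AMBER", "context": "C2 domain of campaign X"},
    {"type": "ip", "value": "198.51.100.23", "source": "internal-malware-lab",
     "tlp": "RED", "context": "C2 seen in sandbox run 42"},
]

# Constructed sample logs. Proxy: squid access.log layout
# (time elapsed client action/code bytes method url user hierarchy/peer type).
PROXY_LOG = [
    "1472735001.123 245 10.20.30.40 TCP_MISS/200 1543 GET http://cdn.evil-update.example/u.bin - HIER_DIRECT/198.51.100.23 application/octet-stream",
    "1472735002.456 12 10.20.30.41 TCP_HIT/200 882 GET http://intranet.example/index.html - HIER_NONE/- text/html",
    "1472735003.789 300 10.20.30.42 TCP_MISS/200 20 CONNECT 198.51.100.23:443 - HIER_DIRECT/198.51.100.23 -",
]
# DNS: BIND query-log layout.
DNS_LOG = [
    "01-Sep-2016 14:23:21.001 queries: info: client 10.20.30.40#51234: query: cdn.evil-update.example IN A + (10.0.0.53)",
    "01-Sep-2016 14:23:25.002 queries: info: client 10.20.30.43#51300: query: www.example.org IN A + (10.0.0.53)",
]

HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:]+)", re.I)   # host part of a proxy URL field
DNS_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN ")
TLP_RANK = {"WHITE": 0, "GREEN": 1, "AMBER": 2, "RED": 3}


def _lookup(observed: str, by_domain: Dict[str, dict], by_ip: Dict[str, dict]):
    """Return the indicator an observed host or IP matches, else None."""
    observed = observed.lower().rstrip(".")
    if observed in by_ip:
        return by_ip[observed]
    # A domain indicator covers its subdomains; never match on the bare TLD.
    labels = observed.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in by_domain:
            return by_domain[candidate]
    return None


def find_hits(proxy_lines: List[str], dns_lines: List[str], indicators: List[dict]) -> List[dict]:
    """Match every proxy and DNS line against the indicator set."""
    by_domain = {i["value"]: i for i in indicators if i["type"] == "domain"}
    by_ip = {i["value"]: i for i in indicators if i["type"] == "ip"}
    hits = []
    for line in proxy_lines:
        f = line.split()
        client, url, peer = f[2], f[6], f[8].split("/")[-1]
        matched = {}  # indicator value -> observed string; one hit per indicator per line
        for obs in {HOST_RE.match(url).group(1), peer}:
            ind = _lookup(obs, by_domain, by_ip)
            if ind is not None:
                matched[ind["value"]] = (obs, ind)
        for obs, ind in matched.values():
            hits.append({"sensor": "proxy", "client": client, "observed": obs,
                         "indicator": ind, "evidence": line})
    for line in dns_lines:
        m = DNS_RE.search(line)
        if not m:
            continue
        ind = _lookup(m.group(2), by_domain, by_ip)
        if ind is not None:
            hits.append({"sensor": "dns", "client": m.group(1), "observed": m.group(2),
                         "indicator": ind, "evidence": line})
    return hits


def build_tickets(hits: List[dict]) -> List[dict]:
    """One ticket per internal host, carrying the evidence and the tightest TLP."""
    by_client = defaultdict(list)
    for h in hits:
        by_client[h["client"]].append(h)
    tickets = []
    for client, hs in sorted(by_client.items()):
        inds = {h["indicator"]["value"]: h["indicator"] for h in hs}
        tickets.append({
            "subject": "TI hit on %s: %d indicator(s)" % (client, len(inds)),
            "client": client,
            "indicators": sorted(inds),
            "context": sorted({i["context"] for i in inds.values()}),
            "sensors": sorted({h["sensor"] for h in hs}),
            "evidence": [h["evidence"] for h in hs],
            "tlp": max((i["tlp"] for i in inds.values()), key=TLP_RANK.__getitem__),
        })
    return tickets


if __name__ == "__main__":
    for t in build_tickets(find_hits(PROXY_LOG, DNS_LOG, INDICATORS)):
        print(t["subject"], "| TLP:" + t["tlp"], "|", ", ".join(t["sensors"]))
```

Grouping by internal host rather than by indicator is what makes the output actionable for the handler: the ticket says which machine to look at, what it talked to, and whether its content may be forwarded.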
Sourcing and Sharing Threat Intelligence
Sharing Communities
[Diagram: Siemens CERT / ProductCERT at the centre of the following communities]
Governance
• BSI / BMI / Verfassungsschutz
• CERT-EU
• Various European GOV-CERTs (e.g., NCSC.NL, UK-CERT, CERT.at)
• US-CERT
• ICS-CERT
• CN-CERT
Vendors
• Microsoft
• CISCO
• Amazon
• Juniper
• SAP
• ORACLE
• SuSE/Red Hat
• Intel
• IBM
Science
• University of California, Santa Barbara
• Northeastern University Boston
• iSecLab
• Ruhr-Universität Bochum
• Friedrich-Alexander-Universität Erlangen
• Fraunhofer AISEC/SIT/FKIE
• Technische Universität München
Sec. Companies
• Trend Micro
• Kaspersky
• Symantec
• BFK
• CSIS Security Group
• Team Cymru
• Crowdstrike
• Farsight
Trusted Groups
• FIRST
• Trusted Introducer / TF-CSIRT
• CERT-Verbund
• AkSiGro
• German Cyber Security Alliance
• CSSA e.V.
• Various OpSec Groups
OSINT
• Sec. Mailinglists (full-disclosure)
• Sec. Blogs
• Pastebin
• SANS
• Various websites, e.g. XSSed, Zone-h, …
• DNS and Malware Blacklists (about 110 different blacklists in total)
• …
Law Enforcement
• Europol
• FBI
• German State Police
Active TI Sharing
• DoD CRADA Program
• DHS: CISCP, ICS
• Microsoft MAPP for Responder
• German APT WG
https://www.first.org
Sharing Standards and Tools
• OpenIOC
• IETF MILE
• MANTIS
• JSON, CSV, PDF, …
• Mailinglists
• Chatrooms
Sharing 101
• Use a common standard like the Traffic Light Protocol: https://www.first.org/tlp
• Define the standard for how to exchange information
• Share with others as early as possible
• Evaluate commercial vendors carefully, and re-evaluate them
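Using TLP as the common standard only works if the marking is enforced at the point of export, and "define the standard how to exchange information" means the recipient gets a fixed record layout rather than whatever the internal database holds. The script below is an added example, not Siemens CERT's sharing code. It uses the TLP 1.0 colours in use in 2016 (RED, AMBER, GREEN, WHITE) as described at https://www.first.org/tlp; the recipient model (named recipient, own organisation, community, public), the record fields and the sample records are assumptions made for the illustration. RED records are released only to recipients explicitly named on the record; the originating source is not disclosed in the export.

```python
"""TLP-aware export of intel records to a sharing partner (added example)."""
import hashlib
import json
from typing import Dict, List, Tuple

# Widest audience a record may reach per TLP 1.0 colour.
TLP_AUDIENCE = {
    "RED": "named",            # named recipients only
    "AMBER": "organisation",   # recipient's own organisation (and clients on need-to-know)
    "GREEN": "community",      # peers and partner organisations in the community
    "WHITE": "public",         # unlimited, subject to copyright
}
AUDIENCE_RANK = {"named": 0, "organisation": 1, "community": 2, "public": 3}

# Constructed records as they might sit in the TI platform (assumed schema).
RECORDS = [
    {"type": "domain", "value": "evil-update.example", "source": "partner-cert",
     "tlp": "AMBER", "context": "C2 domain of campaign X", "first_seen": "2016-09-02"},
    {"type": "ip", "value": "198.51.100.23", "source": "internal-malware-lab",
     "tlp": "RED", "context": "C2 seen in sandbox run 42", "first_seen": "2016-09-03",
     "named_recipients": ["CERT-Partner-A"]},
    {"type": "sha256", "value": hashlib.sha256(b"constructed sample").hexdigest(),
     "source": "internal-malware-lab", "tlp": "GREEN", "context": "dropper",
     "first_seen": "2016-09-04"},
    {"type": "domain", "value": "public-phish.example", "source": "vendor-feed",
     "tlp": "WHITE", "context": "phishing landing page", "first_seen": "2016-09-05"},
]

# Fields that form the agreed exchange format; everything else stays internal.
EXPORT_FIELDS = ("type", "value", "tlp", "context", "first_seen")


def shareable(record: dict, recipient: dict) -> bool:
    """Decide whether one record may go to this recipient under its TLP marking."""
    tlp = record["tlp"].upper()
    if tlp == "RED":
        return recipient["name"] in record.get("named_recipients", [])
    return AUDIENCE_RANK[recipient["relationship"]] <= AUDIENCE_RANK[TLP_AUDIENCE[tlp]]


def export(records: List[dict], recipient: dict) -> Tuple[List[Dict], List[str]]:
    """Return (records in the exchange format, values withheld for this recipient)."""
    out, withheld = [], []
    for r in records:
        if shareable(r, recipient):
            out.append({k: r[k] for k in EXPORT_FIELDS})
        else:
            withheld.append(r["value"])
    return out, withheld


def to_jsonl(exported: List[Dict]) -> str:
    """Serialise the exchange-format records as JSON lines (one record per line)."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in exported)


if __name__ == "__main__":
    for rcpt in ({"name": "CERT-Partner-A", "relationship": "community"},
                 {"name": "SOC-internal", "relationship": "organisation"},
                 {"name": "public-site", "relationship": "public"}):
        shared, held = export(RECORDS, rcpt)
        print("==", rcpt["name"], "gets", len(shared), "record(s); withheld:", held)
        print(to_jsonl(shared))
```

Keeping the withheld list visible is deliberate: when a partner asks why a known indicator was missing from the export, the answer is a TLP decision that can be shown, not a bug hunt.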
Activities you should join
• OASIS Cyber Threat Intelligence (CTI) TC
• FIRST Information Exchange Policy SIG
• FIRST Traffic Light Protocol (TLP) SIG
• MISP Summit 02 https://2016.hack.lu/misp-summit/
Contact Details
Thomas Schreck
Principal Engineer
Siemens AG
Internet: https://www.siemens.com/cert