Page 1

Building an Efficient Incident Response Process Using Threat Intelligence

A Global Enterprise Perspective

Thomas Schreck | Siemens CERT | Borderless Cyber Europe 2016

Public © Siemens AG 2016, September 2016, 18 slides

Page 2

Principal Engineer at Siemens CERT

Director of FIRST.org

Page 3

How we think Cyber Threat Intelligence is working …

Page 4

… and here is the reality!

(Slide graphic; recoverable labels: "PDF Reports", "Empty File Hash", and the indicator value 4741a7df46e61985544c647a401e94f7)

Page 5

What is Cyber Threat Intelligence?

Threat intelligence is a vital part of network defense and incident response, including information about threats, TTPs, and devices that adversaries employ; the systems and information that they target; and any other threat-related information that provides greater situational awareness with the following characteristics:

• Timely
• Relevant
• Accurate
• Specific
• Actionable

(Slide graphic contrasting the levels of intelligence: Strategic vs. Tactical, TTPs vs. IoCs)

Page 6

What can it be used for?

(Slide graphic: CTI in the center, feeding Situational Awareness, Hardening, Detection and Response)

Page 7

Capabilities and Tasks: the 4 pillars of Threat Intelligence

Intel Sourcing
• Other CERTs & TI communities, open source intelligence
• Subscriptions to Intel companies
• Internal sources, like Malware Analysis and Investigations

Intel Usage
• Integrate Intel in our existing TI platform
• Make Intel “actionable” for our consumers
• Aggregate strategic Intel to build a Threat Landscape

Intel Management
• Manually vet incoming Intel
• Store Intel in a structured way
• Integrate other forms of QA in the Intel lifecycle (e.g., rating)
• Link Intel to the respective IOCs

Intel Sharing
• Share Intel with different communities
• Fast sharing using open standards
• Contribute to the development of sharing platforms
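One way to implement the "vet incoming Intel" and "rating" tasks of the Intel Management pillar, as an added example in Python (not Siemens CERT's code): indicators from a feed are normalised and typed, and unusable ones, including the hash of an empty file that the "reality" slide shows up in reports, are downgraded to rating 0 with a reason instead of being silently dropped. The feed contents, source name and the 0..3 rating scale are constructed for the example.

```python
import hashlib
import ipaddress
import re
from dataclasses import dataclass, field

# Digests of empty input, computed at runtime rather than hard-coded, so a report
# that lists "the hash of nothing" as an indicator is caught for every algorithm.
EMPTY_HASHES = {h(b"").hexdigest() for h in (hashlib.md5, hashlib.sha1, hashlib.sha256)}
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

@dataclass
class Indicator:
    value: str
    source: str
    ioc_type: str = "unknown"
    rating: int = 0                     # 0 = rejected, 1..3 = confidence in the source
    notes: list = field(default_factory=list)

def classify(value: str) -> str:
    """Map a normalised indicator string to md5/sha1/sha256/ip/domain/unknown."""
    if re.fullmatch(r"[0-9a-f]+", value) and len(value) in HASH_TYPES:
        return HASH_TYPES[len(value)]
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain" if DOMAIN_RE.match(value) else "unknown"

def vet(raw: str, source: str, source_rating: int) -> Indicator:
    """Normalise one indicator; unusable ones are downgraded to rating 0 with a reason."""
    value = raw.strip().lower()
    ind = Indicator(value, source, classify(value), source_rating)
    if ind.ioc_type == "unknown":
        ind.rating, ind.notes = 0, ["unparseable indicator"]
    elif ind.ioc_type in HASH_TYPES.values() and value in EMPTY_HASHES:
        ind.rating, ind.notes = 0, ["hash of an empty file"]
    elif ind.ioc_type == "ip" and not ipaddress.ip_address(value).is_global:
        ind.rating, ind.notes = 0, ["private, reserved or documentation address"]
    return ind

def vet_feed(feed, source: str, source_rating: int) -> list:
    """Vet a whole feed, dropping duplicates; rejected entries stay at rating 0 as an audit trail."""
    vetted = {ind.value: ind for ind in (vet(raw, source, source_rating) for raw in feed)}
    return list(vetted.values())

# Constructed sample feed, not taken from any real report.
SAMPLE_FEED = ["D41D8CD98F00B204E9800998ECF8427E", "evil-updates.example", "10.0.0.5",
               "198.51.100.23", "not an indicator!!", "evil-updates.example"]
```

Calling `vet_feed(SAMPLE_FEED, "vendor PDF report", 2)` returns five indicators, of which only the domain keeps the source rating; the rest carry the reason they were rejected.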

Page 8

Managing and Utilizing Threat Intelligence

Page 9

Managing Cyber Threat Intelligence

(Slide graphic: the intelligence cycle)
• Collection
• Processing
• Analysis & Production
• Dissemination
• Planning

Page 10

Utilizing Threat Intelligence

(Slide graphic: how the Threat Intelligence Platform connects to the rest of the incident response tooling; recoverable labels, grouped by area)

Threat Intelligence Platform: Indicators, Threat Intelligence, Internal & External Intelligence Sharing

Various data sources: Proxies, Firewall, Shadowserver, Email, DHCP, DNS, pDNS

Analysis: Malware Analysis, Forensic, various scripts

Monitoring Solution

Incident Handling: Analyst, Ticketing, Abuse Reporting, Cleaning up, Lessons Learned, etc.

Supporting tools: Ticket system (RT, OTRS, Jira), Wiki (Mediawiki, Confluence), Emailing (PGP, SMIME), etc.

Scripts for Automation
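An added example (not from the slides or from Siemens CERT) of the indicator path sketched above, from the Threat Intelligence Platform through the data sources to ticketing: indicators are matched against proxy, DNS and firewall log lines, the DHCP lease table resolves client IPs to hostnames, and one ticket per affected host is produced so the analyst sees all evidence for a host together. The log formats (Squid native, BIND query log, netfilter), hostnames, lease table and indicator values are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample data for this example; not taken from any real environment.
INDICATORS = {                      # value -> (type, where the intel came from)
    "evil-updates.example": ("domain", "partner CERT, TLP:AMBER"),
    "203.0.113.77": ("ip", "Shadowserver report"),
}
DHCP_LEASES = {"10.1.2.3": "wks-0815", "10.1.2.9": "wks-4711"}   # client IP -> hostname

# Line shapes: Squid native access log, BIND query log, netfilter firewall log.
PROXY_RE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
DNS_RE = re.compile(r"client (?P<client>[\d.]+)#\d+.*?: query: (?P<qname>\S+) IN")
FW_RE = re.compile(r"SRC=(?P<client>[\d.]+) DST=(?P<dst>[\d.]+)")

def extract(line: str):
    """Return (client_ip, observed_value) from a proxy, DNS or firewall line, else None."""
    if m := PROXY_RE.match(line):
        host = re.sub(r"^\w+://", "", m["url"]).split("/")[0].split(":")[0]
        return m["client"], host.lower()
    if m := DNS_RE.search(line):
        return m["client"], m["qname"].rstrip(".").lower()
    if m := FW_RE.search(line):
        return m["client"], m["dst"]
    return None

def correlate(lines):
    """Group every indicator match by affected host (DHCP lease resolves IP to hostname)."""
    hits = defaultdict(list)
    for line in lines:
        found = extract(line)
        if found and found[1] in INDICATORS:
            client, value = found
            ioc_type, source = INDICATORS[value]
            hits[DHCP_LEASES.get(client, client)].append((value, ioc_type, source, line))
    return hits

def tickets(lines):
    """One ticket per affected host, carrying the matched value, its type, source and raw line."""
    return [{"host": host, "summary": f"{len(ev)} threat-intel match(es) on {host}", "evidence": ev}
            for host, ev in correlate(lines).items()]

SAMPLE_LOGS = [   # constructed log lines
    "1473244800.123    212 10.1.2.3 TCP_MISS/200 5321 GET http://evil-updates.example/u.php - HIER_DIRECT/203.0.113.77 text/html",
    "1473244801.456     88 10.1.2.9 TCP_HIT/200 2210 GET http://intranet.example/ - NONE/- text/html",
    "08-Sep-2016 12:00:02.001 queries: info: client 10.1.2.9#51234 (evil-updates.example): query: evil-updates.example. IN A + (10.1.2.1)",
    "Sep  8 12:00:03 fw kernel: IN=eth1 OUT=eth0 SRC=10.1.2.3 DST=203.0.113.77 PROTO=TCP DPT=443",
]
```

Running `tickets(SAMPLE_LOGS)` yields two tickets: wks-0815 with a proxy hit on the domain and a firewall hit on the IP, and wks-4711 with a single DNS lookup of the domain.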

Page 11

Sourcing and Sharing Threat Intelligence

Page 12

Sharing Communities

(Slide graphic: Siemens CERT / ProductCERT in the center, exchanging intelligence with the following groups)

Governance
• BSI / BMI / Verfassungsschutz
• CERT-EU
• Various European GOV-CERTs (e.g., NCSC.NL, UK-CERT, CERT.at)
• US-CERT
• ICS-CERT
• CN-CERT

Vendors
• Google
• Microsoft
• CISCO
• Amazon
• Juniper
• SAP
• ORACLE
• SuSE/Red Hat
• Intel
• IBM

Science
• University of California, Santa Barbara
• Northeastern University Boston
• iSecLab
• Ruhr-Universität Bochum
• Friedrich-Alexander-Universität Erlangen
• Fraunhofer AISEC/SIT/FKIE
• Technische Universität München

Sec. Companies
• Trend Micro
• Kaspersky
• Symantec
• BFK
• CSIS Security Group
• Team Cymru
• Crowdstrike
• Farsight

Trusted Groups
• FIRST
• Trusted Introducer / TF-CSIRT
• CERT-Verbund
• AkSiGro
• German Cyber Security Alliance
• CSSA e.V.
• Various OpSec Groups

OSINT
• Sec. Mailinglists (full-disc.)
• Sec. Blogs
• Twitter
• Pastebin
• SANS
• Various websites, e.g. XSSed, Zone-h, …
• DNS and Malware Blacklists (about 110 different blacklists in total)
• …

Law Enforcement
• Europol
• FBI
• German State Police

Active TI Sharing
• DoD CRADA Program
• DHS: CISCP, ICS
• Microsoft MAPP for Responder
• German APT WG

Page 13

https://www.first.org


Page 15

Sharing Standards and Tools

• OpenIOC
• IETF MILE
• MANTIS
• JSON, CSV, PDF, …
• Mailinglists
• Chatrooms

Page 16

Sharing 101

• Use a common standard like the Traffic Light Protocol: https://www.first.org/tlp
• Define the standard for how to exchange information
• Share with others as early as possible
• Evaluate commercial vendors carefully, and re-evaluate them

Page 17

Activities you should join

• OASIS Cyber Threat Intelligence (CTI) TC

• FIRST Information Exchange Policy SIG

• FIRST Traffic Light Protocol (TLP) SIG

• MISP Summit 02 https://2016.hack.lu/misp-summit/

Page 18

Contact Details

Thomas Schreck
Principal Engineer
Siemens AG

Internet: https://www.siemens.com/cert
E-Mail: [email protected]