Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber Threat Intelligence
Sandeep Singh
OWASP Delhi & null Delhi
30 January 2015
Disclaimer
• I am not an intelligence analyst but would love to be
• The topic is close to my heart
• Do not expect any FM (Freakin' Magic)
• The objective is to help attendees get familiar with the world of threat intel
Agenda
• Overview of Threat Intel
• Understanding Threat Intel
• What is Cyber Threat Intelligence
• Types of Threat Intel
• Intelligence Lifecycle
• Threat Intel – Classification & Vendor Landscape
• Threat Intel – Standards
• Open Source Threat Data/Intel Sources
• Bonus Agenda
Overview
What is Threat Intelligence?
• Buzzword
• Growing field: $250M in 2013, $1.5B in 2018
• Lots of new service providers entering the market
• ...and still maturing
Threat
Risk = Vulnerability * Threat * Impact
Threat = Intent * Capability
We like the term "Threat Actor". May be any of:
• Cybercrime
• State-sponsored
• Hacktivism
• Insider
• Industry competition
Intelligence
a.k.a. Renseignement, ré-enseignement
• Environment → Data → Information → Intelligence
• Intelligence is a cyclic process
• Analysis and contextualization
• Models help counter diversity with abstraction
Actionable Intel
Accurate, Relevant, Timely, Aligned, Predictive, Integrated
Key Elements of Threat Intel
Cyber Threat Intelligence:
• Cyber: area of interest / of collection
• Threat: subject of interest
• Intelligence: process
Types of Threat Intel
Strategic TI
• Target audience: decision-makers
• Focus on changing risks, high-level topics
  – Geopolitics
  – Foreign markets
  – Cultural background
• Vision timeframe: years
Note: You may never have heard of this; could be explained by lack of maturity in orgs
Operational TI
• Target audience: defenders
• Focus on current & future attacks
  – Who, what, when?
  – Early warning on incoming attacks
  – Social media activity
• Vision timeframe: months, weeks, hours
Note: Hard for private companies to obtain on advanced attackers; traditionally collected through HUMINT / SIGINT
Tactical TI
• Target audience: architects & sysadmins
• Focus on "TTPs"
  – Attacker modus operandi
  – Blue team / red team tools
  – Exfiltration / C2 methods
  – Persistence / stealth / deception mechanisms
• Vision timeframe: weeks to a year
Note: The most common form of threat intel (and marketing) produced today; easy to obtain
Technical TI
a.k.a. Data
• Target audience: SOC, IR people
• Focus on raw observables
  – Indicators of compromise
  – Host and network artifacts
  – Yara, Snort, OpenIOC rules
• Vision timeframe: hours to years
Note: Man-hours are valuable. Technical TI is abundant. Processing should be as automated as possible.
Weaponry
• Strategic: will feed SWOT, risk assessments, Porter Diamond model...
• Tactical: Cyber Kill Chain, Diamond model, ACH
• Operational: OODA Loop, Pyramid of Pain
• Technical: F3EAD, CIF, FIR, MISP, Malcom, Maltego, ...
Intelligence Cycle
Intelligence Cycle applied to CTI in orgs
• Planning: what are you looking for?
• Collection
  – OSINT/HUMINT
  – Logs/data points inside the org
  – Honeypots/nets/docs, social networks
  – FM-5
• Processing: synthesizing the collected data so that the intelligence analyst can work
• Analysis
• Finished Intelligence
• Dissemination: present to the right audience
Threat Intel - Classification
Threat Intel (centre of the diagram), surrounded by:
• Threat Intel Platform
• Threat Intel Enrichment
• Threat Intel Integration
• Open Source Intel (OSINT)
• Human Intel (HUMINT)
• Technical Intel
• Adversary Intel
• Vulnerability Intel
• Strategic Intel
Vendors
Can you guess the price of commercial threat intel?
• Symantec's 12-month retail subscription to its reputation feed costs $95,300 (INR 6,100,000 approx.)
• FireEye threat intelligence appliances start at around $17,000 and go up to $175,000 per unit
Managing Threat Intel
As tough as it sounds
• MISP: event-based indicator sharing
• FIR: incident management platform + indicator correlation
• CRITS: platform to store threat-related information
• Malcom: correlation of network traffic with maliciousness feeds
• CIF: query indicators + variety of output formats
• Grr, osquery: endpoint hunting
Not mature... but lots of stuff is going on
What's so nice about "standards"
• MITRE: STIX, TAXII, CybOX, MAEC
• IETF: IODEF
• Mandiant: OpenIOC
• VERIS
• MANTIS
Open Source Threat Data Sources
Blacklist IP address sources
• emergingthreats.net
• binarydefense.com
• zeustracker.abuse.ch
• palevotracker.abuse.ch
• feodotracker.abuse.ch
• sslbl.abuse.ch
• spamhaus
Phishing URL sources
• openphish.com
Vulnerability database sources
• scip.ch
• cxsecurity.com
• exchange.xforce.ibmcloud.com
• packetstormsecurity.com
Honeypots/Honeynets
Bonus Agenda
CIF: Collective Intelligence Framework
• Developed by REN-ISAC
• http://csirtgadgets.org/collective-intelligence-framework/
• Does not generate data; it takes sources, normalizes them and then outputs by given types
• Limited in the types of data it can handle
  – URLs
  – Domains
  – IPs
  – MD5s
• Certainly more to threat intel than this, but it's a start
CIF Architecture
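The automated processing the Technical TI slide calls for, and the normalize-then-output-by-type behaviour the CIF slide describes, as an added example that is not code from the slides or from the CIF project: it ingests three constructed feeds (a plain-text IP blacklist, a CSV of phishing URLs, and a small document laid out like an OpenIOC 1.0 indicator), normalizes every entry into one of CIF's four types (URL, domain, IP, MD5) and matches the result against constructed log lines. All feed contents, hostnames, addresses, hashes and log lines are placeholders, and the feed layouts are assumptions chosen to resemble the kinds of sources listed above, not the formats of any particular provider.

```python
"""Added example (not from the slides): normalize indicators from constructed
feeds into CIF's four types (url, domain, ip, md5) and match them against
constructed log lines. Every value below is a placeholder, not a real IOC."""
import csv
import ipaddress
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed feed 1: plain-text IP blacklist with comments.
BLACKLIST_TXT = """# constructed ip blacklist
198.51.100.23
203.0.113.77   # trailing comments are tolerated
"""
# Constructed feed 2: CSV of phishing URLs.
PHISH_CSV = """url,first_seen
http://login-example.invalid/verify,2015-01-30
http://203.0.113.77/update.exe,2015-01-29
"""
# Constructed feed 3: a minimal document in the OpenIOC 1.0 layout.
OPENIOC_XML = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-ioc-0001">
  <definition>
    <Indicator operator="OR" id="i-1">
      <IndicatorItem id="ii-1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">d41d8cd98f00b204e9800998ecf8427e</Content>
      </IndicatorItem>
      <IndicatorItem id="ii-2" condition="is">
        <Context document="DnsEntryItem" search="DnsEntryItem/Host" type="mir"/>
        <Content type="string">c2.example-bad.invalid</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

MD5_RE = re.compile(r"^[0-9a-f]{32}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z0-9-]{2,63}$")

def classify(raw):
    """Map one raw observable to (type, normalized value), or None."""
    value = raw.strip().lower()
    if MD5_RE.match(value):
        return ("md5", value)
    if "://" in value:
        parsed = urlparse(value)
        return ("url", value) if parsed.scheme and parsed.netloc else None
    try:
        ipaddress.ip_address(value)
        return ("ip", value)
    except ValueError:
        return ("domain", value) if DOMAIN_RE.match(value) else None

def parse_blacklist(text):
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if line:
            yield line

def parse_csv_column(text, column):
    for row in csv.DictReader(text.splitlines()):
        yield row[column]

def parse_openioc(text):
    ns = {"ioc": "http://schemas.mandiant.com/2010/ioc"}
    for content in ET.fromstring(text).iterfind(".//ioc:IndicatorItem/ioc:Content", ns):
        if content.text:
            yield content.text

def build_indicators():
    """Normalize every feed into {type: {value: source}}; first source wins."""
    sources = (("blacklist", parse_blacklist(BLACKLIST_TXT)),
               ("phish-csv", parse_csv_column(PHISH_CSV, "url")),
               ("openioc", parse_openioc(OPENIOC_XML)))
    indicators = {"url": {}, "domain": {}, "ip": {}, "md5": {}}
    for source, raws in sources:
        for raw in raws:
            hit = classify(raw)
            if hit:
                indicators[hit[0]].setdefault(hit[1], source)
    return indicators

# Constructed log lines (proxy, DNS, firewall, AV) in key=value form.
LOG_LINES = [
    "2015-01-30T10:01:02 proxy src=10.0.0.5 url=http://login-example.invalid/verify status=200",
    "2015-01-30T10:02:15 dns src=10.0.0.7 query=c2.example-bad.invalid answer=203.0.113.77",
    "2015-01-30T10:03:40 proxy src=10.0.0.5 url=http://www.example.org/ status=304",
    "2015-01-30T10:04:01 fw src=10.0.0.9 dst=198.51.100.23 dport=443 action=allow",
    "2015-01-30T10:05:11 av host=ws-12 md5=D41D8CD98F00B204E9800998ECF8427E verdict=clean",
]
KV_RE = re.compile(r"\w+=(\S+)")

def match_logs(indicators, lines):
    """Return (line_no, type, value, source) for every key=value token that
    normalizes to a known indicator, whichever log field carries it."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in KV_RE.findall(line):
            hit = classify(token)
            if hit and hit[1] in indicators[hit[0]]:
                hits.append((n, hit[0], hit[1], indicators[hit[0]][hit[1]]))
    return hits
```

Running `match_logs(build_indicators(), LOG_LINES)` flags four of the five lines: the phishing URL in the proxy log, both the queried C2 host and the blacklisted answer on the DNS line, the blacklisted firewall destination, and the upper-case AV hash that only matches because every token is lower-cased on the way in. Matching on every key=value token, rather than on one named field, is what lets a single normalized indicator set serve proxy, DNS, firewall and AV logs alike; the cost is one classify() pass per token, which is the budget item to watch as feed and log volumes grow.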
F3EAD
• A target-centric approach to intelligence analysis
• Bridge between operations and intelligence, a.k.a. "Hunting"
Conclusion
• TI is closely related to traditional intelligence
• Models help but have limitations
• The quality of your TI directly influences the quality of your response
• Tools to store, analyze, and share intelligence exist, but there's room for improvement
Thank you,
Sandeep Singh – Chapter Leader, OWASP Delhi & null
[email protected]@null.co.in
@Sandy1sm
Q & A