How To Turbo-Charge Incident Response With Threat Intelligence
-
Upload
resilient-systems -
Category
Technology
-
view
753 -
download
4
Transcript of How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
Page 2
Agenda
• Introductions
• What is threat intelligence?
• Why does threat intelligence matter?
• How threat intelligence can turbo-charge IR
• Demo: IR management with integrated threat intelligence
Page 3
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Matt Hartley, Senior Director of Intelligence Services, iSIGHT Partners
• Tim Armstrong, Security Incident Response Specialist, Co3 Systems
Page 4
Co3 – Automating IR based on E.R. standards
PREPARE
Improve Organizational Readiness• Appoint team members• Fine-tune response SOPs • Escalate from existing systems• Run simulations (firedrills / table
tops)
MITIGATE
Document Results & Improve Performance• Generate reports for management,
auditors, and authorities • Conduct post-mortem• Update SOPs• Track evidence• Evaluate historical performance• Educate the organization
ASSESS
Identify and Evaluate Incidents• Assign appropriate team members• Evaluate precursors and indicators• Correlate threat intelligence• Track incidents, maintain logbook• Prioritize activities based on criticality• Generate assessment summaries
MANAGE
Contain, Eradicate, and Recover• Generate real-time IR plan• Coordinate team response• Choose appropriate containment
strategy• Isolate and remediate cause• Instruct evidence gathering and
handling• Log evidence
Page 5
About iSIGHT Partners
Research
Identify the Threat• Identify threats with personnel
operating globally in 16 countries in local language, dialect, culture
• Recognize, categorize threat actors, groups, and campaigns
• Capture motivation, intents• Characterize technologies, targets
Dissemination
Cyber Threat Intelligence• Deliver technical and threat intelligence
connected to indicators and observables• Tagged, categorized into areas of threat• High fidelity actionable insights• Knowledge and context, not just data
Analysis
Fused Threat Context• Fuse knowledge and context across
threats, sectors• Focus on threats of highest import• Link observable attack
methodologies to threat sources• Define threat ecosystem• Tactical, operational, strategic intel
Intelligence Research Intelligence Analysis Intelligence Dissemination
70+ Researchers in 16 countries and 24 languages
70+ Cyber Threat Analysts in Washington, DC area
190+ total employees working as a global team
Vulnerability & Exploit
Threats to Enterprise IT
DDoS
Mobile Threats
Cyber Espionage
Cyber Crime
Hacktivism
Threats to Industrial Control Systems
Page 6
What is threat intelligence?
Name: uxsue.exe Identifier: Gameover Zeus Extension: exe Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Size: 329216 Packer: ['MinGW GCC 3.x'] MD5sum: 045b793b2a47fbea0d341424262c8c5b Sha1: 5ca6943f557489b510bd0fe8825a7a68ef00af53 Sha256: 8a4036289762a4414382fee8463d2bc7892cd5cab8fb6995eb94706d47e781dd Fuzzy: 6144:ka23d0lraSurrtt/xue1obsXD8J3Ej+rbC80tsX9GR:kFd0lWzrrtxdowT8U8hYR MIME: Compiled: 2012-10-10 17:33:25
Malware Payload Indicators:
Gameover Zeus is a frequently used Trojan in financial cybercrime
Basic Context:
Exploitation Vector:
hxxp://26.azofficemovers.com/links/persons_jobs.php
Unique Threat-focused Information:
We believe the following actors are either members of or are close associates with the petr0vich group: …
Bottom Line:
Zeus Malware Author Probably Working with Gameover Zeus Operators, but Current Level of Involvement Remains Uncertain
Contextual Analysis:
…the primary Zeus author partnered with the "petr0vich group," which most likely controls Gameover Zeus, to develop custom Zeus versions…. his continued participation will probably help fuel further innovative developments to Zeus.
Knowledge and context, not just data
Technical Threat
Page 7
IR Suffers From A Lack Of Intelligence
• “75% said they conduct forensic investigations to ‘find and investigate incidents after the fact.’”- SANS Survey of Digital Forensics and Incident Response, July 2013
• “60% … agree that their company at some point in time failed to stop a material security exploit because of insufficient or outdated threat intelligence.”
• “49% said it can take within a week to more than a month to identify a compromise.”- Ponemon Institute Live Threat Intelligence Impact Report 2013
• “In 66% of cases (up from 56% last year), breaches remained undiscovered for years, and in 22% of cases, it took months to fully contain the incident.”- 2013 Verizon Data Breach Investigations Report
Page 8
Incident Response Needs Threat Intel
PREPARE• Who has attacked you in
the past? • How have they attacked
you?• What are those attackers
known to be interested in?
Ensure alignment with real threats and
actors
MITIGATE• How are threats
evolving?• How should you update
your preventive and detective controls?
• Can you eliminate the target?
• Should you add some new partners / resources?
• Should you update / expand training?
Inform mitigation and preparation
based on real threats and actors
ASSESS• Who is behind the attack?• How are they attacking?• What might they ultimately
be after?• Time is of the essence
Prioritize an informed response
MANAGE• What items in the IR
plan are most important?
• Law enforcement? The FBI? Who do you need to call?
Accelerate a decisive response
POLL
How do you currently evaluate attacks: specifically the attacker, their tactics, etc?
Page 10
Data Capture
Analysis Link AnalysisCase Prep / Resolution
Detect
Respond
Recover
Prepare
Traditional approaches: where does intelligence fit?
Incident
Report
Notification
Event Driven Basic Investigative Framework
Basic IR
Framework
Intelligence enhances everystage of IR by providing situational awareness, context, and attribution
- where does it fit?
Page 11
Investigations enhanced by intelligence
Intelligence
Proactive
Informed by knowledge of threat sources, activities, methods, and historical context
Look for:• different
indicators
• other activity
Look in different places
Consider:• adversary
intent
• previous activity
• alternative targeting
• additional information
Fusion of sources
Consider:• affiliations
• adversary intent
• previous activity
• alternative targeting
Historical links
Proactive, detective, and preventative measures
Training and exercises
Business impact analysis
Reporting
Data Capture
Analysis Link AnalysisCase Prep / Resolution
Incident
Report
Notification
Event Driven Enhanced Investigative Framework
POLL
Does your organization have a formal threat intelligence program?
Page 13
System Overview
Trouble Ticketing
SIM
Web Form
IT
Marketing
Legal/Compliance
HR
Trouble Ticketing
SIM
GRCEntry Wizar
d
Dashboards and Reporting
SSAE-16 SOC2
certified hosting facility
IR - Engine
Threat Intel
Auto-Correlation
Page 14
Threat Intel With Incident Artifacts in Co3
• Artifacts are attributes of an incident that can indicate the presence and nature of a threat.
• Artifacts can be anything from a suspected malware file, to the IP address of a foreign server.
• Co3 supports multiple artifact types:• URL’s• IP addresses• Malware hashes• DNS names• Log files• Emails• Malware samples
Page 15
Threat Intelligence
• Actionable context about the nature of the incident based on its associated artifacts. This insight can include:
• Actor(s)
• Means
• Methods
• Initial threat intelligence feeds include:
• iSIGHT Partners
• Abuse.ch
• AlienVault
• SANS
• Campaign
• Historical context
• Impacts
Page 16
Enabling Actionable, Intelligent, Efficient Response
Co Investigate
Incident Artifacts
Threat Intel
Detailed Threat Info• Which actors• What methods• What impacts
Correlated Threat Context• Who else• How else• Why you
Accelerated Response• Automatic discovery• Enhanced collaboration• Workforce enablement,
enhancement
DEMO
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors’ Choice.”
PC MAGAZINE, EDITOR’S CHOICE
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
Matt HartleySenior Director of Intelligence [email protected]
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“Adding the Security Module... to this otherwise fine suite of services, Co3 has done better than a home-run...it has knocked one out of the park.”
SC MAGAZINE