Science of Security: Cyber Ecosystem Attack Analysis Methodology
www.securitytodayinfo.com
November 18 & 19, 2014 │ Gaylord Texan, Grapevine, TX
Science of Security:
Cyber Intelligence Analysis
Shawn Riley
Executive Vice President, CSCSS Americas
About Me
• Attack Analysis Scientist, Multisource Cyber Intelligence Analyst, & Sci-Fi Geek
• Veteran – US Navy Cryptology Community
• Former Lockheed Martin Senior Fellow
• Former member UK Cybercrime Experts Working Group (UK Govt CSOC / OCSIA)
Outline
• Science of Security
• Cyber Ecosystem
– Cyber Terrain
• Cyber Attack Lifecycle
• Cyber Ecosystem Attack Analysis Method
– Threat Actor’s Cyber Offense Ecosystem
• Threat Intelligence Method
– Defender’s Cyber Defense Ecosystem
• Active Defense Method
Science of Security (SoS)
• The Science of Security term has been around since 2010, when an independent science and technology advisory committee for the U.S. Department of Defense concluded there is a science of (cyber) security discipline.
• The following year, 2011, the White House released “Trustworthy Cyberspace: Strategic Plan For The Federal Cybersecurity Research And Development Program”, formally establishing the Science of Security as 1 of 4 key strategic thrusts for U.S. Federal cybersecurity R&D programs.
• A cyber security scientist, in a broad sense, is one engaging in a systematic activity to acquire and organize knowledge in the cyber security domain.
SoS – Core Themes
• In 2011 Canada, United States, and United Kingdom established 7 core, inter-related themes that make up the Science of Security domain.
[Diagram: SoS at the centre, surrounded by the 7 themes: Attack Analysis, Common Language, Core Principles, Measurable Security, Agility, Risk, Human Factors]
Cyber Ecosystem
• Ecosystem is defined as “a community of living organisms in conjunction with the nonliving components of their environment, interacting as a system”.
• DHS defines a cyber ecosystem as: “Like natural ecosystems, the cyber ecosystem comprises a variety of diverse participants – private firms, non-profits, governments, individuals, processes, and cyber devices (computers, software, and communication technologies) – that interact for multiple purposes.”
[Diagram: People, Processes, Technology]
http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
Cyber Terrain – Layers 0-1
• CAPEC-ID:455 – Malicious Logic Insertion via Inclusion of Counterfeit Hardware Components
• CAPEC-ID:453 – Malicious Logic Insertion via Counterfeit Hardware
• CAPEC-ID:547 – Physical Destruction of Device or Component
• CAPEC-ID:397 – Cloning Magnetic Strip Cards
• CAPEC-ID:391 – Bypassing Physical Locks
• CAPEC-ID:507 – Physical Theft
• CAPEC-ID:414 – Pretexting via Delivery Person
• CAPEC-ID:413 – Pretexting via Tech Support
• CAPEC-ID:407 – Social Information Gathering via Pretexting
• CAPEC-ID:406 – Social Information Gathering via Dumpster Diving
CAPEC = Common Attack Pattern Enumeration and Classification (463 total attack patterns in CAPEC V2.6)
Website: http://capec.mitre.org
Cyber Terrain – Layers 2-7
• CAPEC-ID:383 – Harvesting Usernames or UserIDs via Application API Event Monitoring (Application Layer)
• CAPEC-ID:311 – OS Fingerprinting (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:291 – DNS Zone Transfers (Application Layer)
• CAPEC-ID:315 – TCP/IP Fingerprinting Probes (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:310 – Scanning for Vulnerable Software (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:309 – Network Topology Mapping (Network Layer, Transport Layer, & Application Layer)
• CAPEC-ID:293 – Traceroute Route Enumeration (Network Layer & Transport Layer)
• CAPEC-ID:316 – ICMP Fingerprinting Probes (Network Layer)
Cyber Terrain – Layers 8-11
• CAPEC-ID:37 – Lifting Data Embedded in Client Distributions
• CAPEC-ID:205 – Lifting Credential Key Material Embedded in Client
• CAPEC-ID:8 – Buffer Overflow in an API Call
• CAPEC-ID:14 – Client-side Injection-induced Buffer Overflow
• CAPEC-ID:118 – Gather Information
• CAPEC-ID:268 – Audit Log Manipulation
• CAPEC-ID:270 – Modification of Registry Run Keys
• CAPEC-ID:17 – Accessing, Modifying or Executing Executable Files
• CAPEC-ID:69 – Target Programs with Elevated Privileges
• CAPEC-ID:76 – Manipulating Input to File System Calls
• CAPEC-ID:35 – Leverage Executable Code in Non-Executable Files
• CAPEC-ID:472 – Browser Fingerprinting
• CAPEC-ID:151 – Identity Spoofing
• CAPEC-ID:156 – Deceptive Interactions
Cyber Terrain – Layers 12-14
• CAPEC-ID:404 – Social Information Gathering Attacks
• CAPEC-ID:410 – Information Elicitation via Social Engineering
• CAPEC-ID:416 – Target Influence via Social Engineering
• CAPEC-ID:527 – Manipulate System Users
• CAPEC-ID:156 – Deceptive Interactions
• CAPEC-ID:98 – Phishing
• CAPEC-ID:163 – Spear Phishing
• CAPEC-ID:164 – Mobile Phishing (aka MobPhishing)
Cyber Ecosystem w/ Terrain
[Diagram: the three ecosystem components People, Processes / TTPs, and Technology / Cyber Terrain, with the cyber terrain broken out into layers:]
• Persona Layer
• Software App Layer
• Operating System Layer
• Machine Language Layer
• Logical Layers (Communications Ports & Protocols)
• Physical Layer
• Geographic Layer
• Organization Layer
• Government Layer
Cyber Attack Lifecycle
“Use a cyber attack lifecycle as a framework for observing and understanding an adversary’s actions and for defining an active defense strategy that makes effective use of information available through both internal and external sources throughout the lifecycle.”
Recon Weaponize Deliver Exploit Control Execute Maintain
Cyber Attack Lifecycle from: http://www.mitre.org/publications/technical-papers/cyber-resiliency-and-nist-special-publication-800-53-rev4-controls
Key recommendation from NIST Guide To Cyber Threat Information Sharing (DRAFT)
http://csrc.nist.gov/publications/drafts/800-150/sp800_150_draft.pdf
Cyber Ecosystem Attack Analysis
[Diagram: the Threat Actor’s cyber offense ecosystem (Offense) and the Defender’s cyber defense ecosystem (Defense) mirror each other layer by layer (Persona, Software App, Operating System, Machine Language, Logical Layers / Communications Ports & Protocols, Physical, Geographic, Organization, Government), each made up of People (Threat Actors / Defenders), Processes / TTPs and Technology / Cyber Terrain, set against the lifecycle stages Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain.]
• Offense side: the Threat Actor’s use of technology and observable technical indicators, and the Threat Actor’s Modus Operandi (Methods of Operation).
• Defense side: the Defender’s technology based mitigations and countermeasures, and the Defender’s process based mitigations and countermeasures.
• Threat Intelligence is based on analysis of the Threat Actor’s Cyber Offense Ecosystem.
• Active Defense is based on analysis of the Defender’s Cyber Defense Ecosystem.
• Offense informs Defense.
Boyd Cycle / OODA Loop
• Decision cycle developed by USAF Colonel John Boyd, who applied it to combat operations. Often applied to understand commercial operations and learning processes.
http://en.wikipedia.org/wiki/OODA_loop
Threat Intelligence Method
1. Observe – Observe each stage of the attack; collect and process available data and information about the attack for each layer of the cyber ecosystem.
2. Orient – Analyze and synthesize the attack data and information for each stage and layer. Orient on the Threat Actor’s methods of operation and use of technology to identify observable indicators in the attack data for each stage across one or more layers of the cyber ecosystem.
3. Decide – Based on the Threat Actor’s modus operandi and the identified observables and indicators, decide whether this attack is from a new threat actor or is part of a larger campaign. Produce a threat intelligence report.
4. Act – Disseminate the threat intelligence report.
Pivot & Chain Into Campaigns
[Diagram: successive views of the same attack set growing from Attack 1–3 to Attack 1–6, with each attack chained to a threat actor (APT 1 or APT 2) through the shared CC1 and CC2 nodes it pivots on, so that individual attacks are grouped into campaigns over time.]
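As an added example, not code from the talk or from CSCSS, the following Python sketch implements the Decide step and the pivot-and-chain idea above on constructed observations. Each observation is (attack id, lifecycle stage, cyber ecosystem layer, indicator); stage and layer names follow the slides, the attack ids follow the diagram, and every indicator value is a made-up placeholder rather than a real IoC. Attacks that share an indicator are linked transitively into one campaign, and for each campaign the number of distinct observables per lifecycle stage is counted so that stages covered by a single indicator, or by none, stand out.

```python
"""Pivot on shared indicators to chain attacks into campaigns (added example).

Not code from the talk. All observations below are constructed sample data:
(attack id, lifecycle stage, cyber ecosystem layer, observed indicator).
Indicator values are placeholders, not real indicators of compromise.
"""
from collections import defaultdict

STAGES = ["Recon", "Weaponize", "Deliver", "Exploit", "Control", "Execute", "Maintain"]

OBSERVATIONS = [
    ("Attack 1", "Deliver", "Persona", "sender:hr-update@example-mail.test"),
    ("Attack 1", "Control", "Logical", "c2:CC1"),
    ("Attack 1", "Control", "Communications Ports & Protocols", "beacon:fixed-60s-interval"),
    ("Attack 2", "Control", "Logical", "c2:CC1"),
    ("Attack 2", "Exploit", "Software App", "doc-hash:PLACEHOLDER_A"),
    ("Attack 3", "Exploit", "Software App", "doc-hash:PLACEHOLDER_A"),
    ("Attack 3", "Deliver", "Software App", "attachment:Q3_report.docm"),
    ("Attack 3", "Maintain", "Operating System", "runkey:Updater"),
    ("Attack 4", "Control", "Logical", "c2:CC2"),
    ("Attack 5", "Control", "Logical", "c2:CC2"),
    ("Attack 6", "Deliver", "Persona", "sender:invoice@another.test"),
]


class DisjointSet:
    """Union-find over attack ids; two attacks end up in one set when a
    chain of shared indicators connects them (the pivot)."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def chain_campaigns(observations):
    """Group attacks that share at least one indicator, transitively.

    Returns a list of campaigns, each a sorted list of attack ids,
    ordered by their first attack id."""
    ds = DisjointSet()
    attacks_by_indicator = defaultdict(set)
    for attack, _stage, _layer, indicator in observations:
        ds.find(attack)  # register the attack even if it shares nothing
        attacks_by_indicator[indicator].add(attack)
    for attacks in attacks_by_indicator.values():
        first, *rest = sorted(attacks)
        for other in rest:
            ds.union(first, other)
    groups = defaultdict(list)
    for attack in sorted({obs[0] for obs in observations}):
        groups[ds.find(attack)].append(attack)
    return sorted(groups.values())


def stage_coverage(observations, campaign):
    """For one campaign (a set of attack ids), count the distinct
    (layer, indicator) observables the defender holds at each stage."""
    seen = {stage: set() for stage in STAGES}
    for attack, stage, layer, indicator in observations:
        if attack in campaign:
            seen[stage].add((layer, indicator))
    return {stage: len(obs) for stage, obs in seen.items()}


def weak_stages(coverage, minimum=2):
    """Stages with fewer than `minimum` distinct observables: one indicator is
    cheap for the actor to change, zero is a blind spot."""
    return [stage for stage in STAGES if coverage[stage] < minimum]


if __name__ == "__main__":
    for campaign in chain_campaigns(OBSERVATIONS):
        cov = stage_coverage(OBSERVATIONS, set(campaign))
        print(campaign, cov, "weak:", weak_stages(cov))
```

With the constructed data, Attacks 1 to 3 chain into one campaign (CC1 links 1 and 2, the shared document hash links 2 and 3), Attacks 4 and 5 chain through CC2, and Attack 6 stands alone; the coverage count then shows that the first campaign is observed through two independent observables only at the Deliver and Control stages, which is the "multiple observable indicators for each stage across different layers" property the Benefits slide describes.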
PDCA – Plan Do Check Act
• Iterative four-step management method used in business for the control and continuous improvement of processes and products. AKA Deming circle/cycle/wheel, Shewhart cycle, or as seen in ISO 9001.
http://en.wikipedia.org/wiki/PDCA
Active Defense Method
1. Plan – Plan active defense courses of action based on threat intelligence for each stage of the Threat Actor’s attack; consider both technical and process based mitigations and countermeasures for each layer of the Defender’s cyber defense ecosystem.
2. Do – Implement the intelligence based courses of action to mitigate and counter the Threat Actor’s attack and to increase the defender’s resilience to future attacks by this threat actor.
3. Check – Measure the quality of the threat intelligence and the effectiveness of the mitigations and countermeasures over time.
4. Act – Provide feedback on the quality of the threat intelligence and the effectiveness of the mitigations and countermeasures; take action to continuously improve the security and resilience of the cyber ecosystem.
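The Plan, Check and Act steps can be made concrete with a small coverage and effectiveness tracker. The following Python is an added example, not code from the talk: the lifecycle stages are the talk's, while the planned mitigations, the stages the actor was seen using, and the weekly outcome records are constructed sample data. Plan flags actor stages with no course of action and stages that have only a technical or only a process based one; Check computes a block rate per mitigation and the earliest stage at which each attack was stopped; Act turns those results into the inputs for the next Plan.

```python
"""Plan / Check / Act helpers for intelligence-driven active defense (added example).

Not code from the talk. Lifecycle stage names follow the slides; the planned
mitigations, the actor's observed stages and the outcome records are
constructed sample data.
"""
from collections import defaultdict

STAGES = ["Recon", "Weaponize", "Deliver", "Exploit", "Control", "Execute", "Maintain"]

# Plan: courses of action as (stage, ecosystem layer, kind, name); kind is
# "technical" or "process", the two mitigation families on the slide.
PLAN = [
    ("Deliver", "Software App", "technical", "attachment sandbox"),
    ("Deliver", "Persona", "process", "phishing report drill"),
    ("Exploit", "Software App", "technical", "macro execution policy"),
    ("Control", "Communications Ports & Protocols", "technical", "egress allow-list"),
    ("Control", "Logical", "technical", "C2 DNS sinkhole"),
    ("Maintain", "Operating System", "technical", "run-key alerting"),
]

# Stages the (constructed) threat intelligence report says this actor uses.
ACTOR_STAGES = ["Deliver", "Exploit", "Control", "Execute", "Maintain"]

# Check: outcome records gathered over time as (week, attack id, stage, mitigation,
# result); result is "blocked", "detected" (seen but not stopped) or "missed".
OUTCOMES = [
    (1, "A-1", "Deliver", "attachment sandbox", "missed"),
    (1, "A-1", "Exploit", "macro execution policy", "blocked"),
    (2, "A-2", "Deliver", "attachment sandbox", "blocked"),
    (3, "A-3", "Deliver", "attachment sandbox", "detected"),
    (3, "A-3", "Control", "egress allow-list", "blocked"),
    (3, "A-3", "Control", "C2 DNS sinkhole", "missed"),
    (4, "A-4", "Deliver", "attachment sandbox", "blocked"),
    (4, "A-4", "Control", "C2 DNS sinkhole", "missed"),
]


def plan_gaps(plan, actor_stages):
    """Plan: return (uncovered, one_sided): actor stages with no course of
    action at all, and stages covered by only one of the two kinds."""
    kinds = defaultdict(set)
    for stage, _layer, kind, _name in plan:
        kinds[stage].add(kind)
    uncovered = [s for s in actor_stages if not kinds[s]]
    one_sided = [s for s in actor_stages if len(kinds[s]) == 1]
    return uncovered, one_sided


def effectiveness(outcomes):
    """Check: per mitigation, block rate and outright misses over all encounters."""
    tally = defaultdict(lambda: {"blocked": 0, "detected": 0, "missed": 0})
    for _week, _attack, _stage, name, result in outcomes:
        tally[name][result] += 1
    report = {}
    for name, counts in tally.items():
        total = sum(counts.values())
        report[name] = {
            "encounters": total,
            "block_rate": round(counts["blocked"] / total, 2),
            "missed": counts["missed"],
        }
    return report


def first_stop(outcomes, attack):
    """Earliest lifecycle stage at which an attack was blocked (None if never);
    a later stop means the actor got further into the defense ecosystem."""
    blocked = {stage for _w, a, stage, _n, r in outcomes if a == attack and r == "blocked"}
    return next((stage for stage in STAGES if stage in blocked), None)


def act_recommendations(outcomes, plan, actor_stages, threshold=0.5):
    """Act: feed the Check results back into the next Plan."""
    weak = sorted(n for n, r in effectiveness(outcomes).items() if r["block_rate"] < threshold)
    uncovered, one_sided = plan_gaps(plan, actor_stages)
    return {"tune_or_replace": weak, "add_mitigation": uncovered, "add_second_kind": one_sided}


if __name__ == "__main__":
    print(plan_gaps(PLAN, ACTOR_STAGES))
    print(effectiveness(OUTCOMES))
    print({a: first_stop(OUTCOMES, a) for a in ("A-1", "A-2", "A-3", "A-4")})
    print(act_recommendations(OUTCOMES, PLAN, ACTOR_STAGES))
```

On the sample data the Plan step reports Execute as uncovered and Exploit, Control and Maintain as technical-only; the Check step shows the sandbox blocking half of what it saw and the sinkhole blocking nothing, which the Act step returns as the items to tune or replace before the next cycle.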
Methods Combined
[Diagram: a 2009–2015 timeline along which the Threat Intelligence Cycle and the Active Defense Cycle repeat continuously.]
Cyber Ecosystem Attack Analysis Methodology
[Diagram: the Cyber Ecosystem Attack Analysis view from the earlier slide (Offense and Defense ecosystems mirrored across the Persona, Software App, Operating System, Machine Language, Logical Layers / Communications Ports & Protocols, Physical, Geographic, Organization and Government layers; People, Processes / TTPs and Technology / Cyber Terrain; the Threat Actor’s use of technology, observable technical indicators and Modus Operandi against the Defender’s technology based and process based mitigations and countermeasures; stages Recon, Weaponize, Deliver, Exploit, Control, Execute, Maintain), with the Threat Intelligence Cycle driving the Offense analysis and the Active Defense Cycle driving the Defense analysis.]
Benefits
• Takes a more holistic approach by considering the attack across both the Threat Actor’s cyber offense ecosystem and the Defender’s defense ecosystem.
• Enables the Defender to better identify, chain, and track Threat Actors and Campaigns over time.
• Enables a more resilient cyber defense ecosystem by having multiple observable indicators for each stage of attack across different layers of the ecosystem.
• Costs the Threat Actor considerably more to defeat layered intelligence based mitigations and countermeasures.
Additional Recommendations
• Adopt STIX, TAXII, and CybOX for Threat Intelligence with MAEC, CAPEC, CWE, CVE, CCE extensions. (http://msm.mitre.org)
– Automation
– Interoperability
• Semantic Interoperability
• Technical Interoperability
• Policy Interoperability
http://www.dhs.gov/xlibrary/assets/nppd-cyber-ecosystem-white-paper-03-23-2011.pdf
Summary
• Following this methodology will reduce the defender’s cost per attack while increasing the threat actor’s cost to overcome.
• Based on methods used by many organizations already: OSI Model, OODA Loop, and PDCA cycle.
• Maturing from a reactive, passive defense posture to a more proactive, active defense posture.
Thank You!
• Please feel free to reach out with any questions or comments.
• You can find me on LinkedIn at: www.linkedin.com/in/shawnriley71/