cyber threat intelligence to improve incident response · 2017-11-28
TRANSCRIPT
Security Intelligence
CYBER THREAT INTELLIGENCE TO IMPROVE INCIDENT RESPONSE
Cyberdrill, Tanzania
MIKHAIL NAGORNY, HEAD OF SECURITY SERVICES, ENTERPRISE BUSINESS
RANSOMWARE, APTS, PHISHING, BOTNETS, TROJANS… HOW TO REACT PROPERLY TO SUCH THREATS?
Log collection
• Proxy
• Network
• Firewall
• IPS/IDS
• DLP
• Endpoints
HOW TO USE SIEM SOLUTIONS TO UTILIZE ALL POSSIBLE THREAT INTELLIGENCE
Data Feeds
• IP reputation
• URL/domain reputation
• File reputation
• Whitelisting
• Vulnerability
Incident Response
INTERNAL LOG SOURCES
Collected locally from the network perimeter, domain controllers and endpoint devices
SIEM
Proxy
Network gateway
Firewall
IPS/IDS
DLP
Active Directory
Endpoint workstations
Others (you probably use more)
OSINT – OPEN SOURCE INTELLIGENCE
OSINT is intelligence collected from publicly available sources
WHOIS
Inactive analysis of public internet sites
Search engines
DNS requests
Resources to detect available network services (Shodan, scans.io)
Media
Internet forums, web communities, social networks
COMMERCIAL THREAT INTELLIGENCE
Delivered by a global anti-malware vendor
IP reputation
Domain/URL reputation
Phishing TI feeds
Botnet C&C feeds
File reputation
Whitelisting
Ransomware feeds
APT IOCs
Yara rules
Others...
MACHINE READABLE THREAT INTELLIGENCE FORMATS
JSON
STIX
OpenIOC
JSON EXAMPLE
{
  "ip": "1.2.3.4",
  "threat_score": 80,
  "category": "malware",
  "first_seen": "21.01.2015 00:00",
  "last_seen": "17.05.2016 03:16",
  "popularity": 5,
  "ip_geo": "us",
  "users_geo": "sa, ae, jp, dz, in",
  "ip_whois": {},
  "domains": "domain.com, domain2.com",
  "files": [ {…} ]
}
• IP address (IPv4 standard)
• a probability scale specifying whether the IP address is dangerous. The scale ranges from 50 to 100. We recommend blocking IPs with a threat score of 75 or more, and treating IP addresses with a threat score between 50 and 74 as suspicious. Important systems or critical business assets might be tuned to block IP addresses with a threat score equal to or greater than 50
• a category of the IP address. As of now we support the following categories: malware, spam and tor_exit_node. Please note that the spam category can be blocked regardless of its threat score in case the IP address uses the SMTP protocol for the connection
• date when the record was created/detected (UTC)
• date when the record was last encountered by Kaspersky Lab's users (UTC)
• index number defining the IP address popularity (how many users were affected by this IP address). 5 is the most popular, 1 the least popular
• IP geolocation; the country code (ISO 3166-1 alpha-2) is specified
• Top 10 countries where KL users were most affected by this IP address
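An added example (not from the slides or from any vendor's feed tooling) that loads records in the JSON layout shown above and applies the threat-score policy just described during a SIEM-style lookup of firewall log lines. It assumes a constructed two-record feed, the DD.MM.YYYY HH:MM (UTC) date format from the example, and firewall log lines of the form "src dst dst_port".

```python
import json
from datetime import datetime

# Constructed sample feed in the slide's record layout (two records).
FEED_JSON = """
[{"ip": "1.2.3.4", "threat_score": 80, "category": "malware",
  "first_seen": "21.01.2015 00:00", "last_seen": "17.05.2016 03:16",
  "popularity": 5, "ip_geo": "us", "users_geo": "sa, ae, jp, dz, in",
  "ip_whois": {}, "domains": "domain.com, domain2.com", "files": []},
 {"ip": "5.6.7.8", "threat_score": 60, "category": "spam",
  "first_seen": "01.03.2016 10:00", "last_seen": "02.03.2016 11:30",
  "popularity": 2, "ip_geo": "de", "users_geo": "de, fr",
  "ip_whois": {}, "domains": "", "files": []}]
"""

BLOCK_SCORE = 75    # default: block at threat_score >= 75
SUSPECT_SCORE = 50  # 50..74 is "suspicious"; below 50 is not in the feed

def load_feed(text):
    """Index feed records by IP; parse DD.MM.YYYY HH:MM dates and the
    comma-separated 'domains' string into a list."""
    feed = {}
    for rec in json.loads(text):
        rec = dict(rec)
        for key in ("first_seen", "last_seen"):
            rec[key] = datetime.strptime(rec[key], "%d.%m.%Y %H:%M")
        rec["domains"] = [d.strip() for d in rec["domains"].split(",") if d.strip()]
        feed[rec["ip"]] = rec
    return feed

def verdict(rec, dst_port, block_score=BLOCK_SCORE):
    """Policy from the slide: block >= block_score (75, or 50 for critical
    assets), 50..74 suspicious, and block 'spam' on SMTP regardless of score."""
    if rec["category"] == "spam" and dst_port == 25:
        return "block"
    if rec["threat_score"] >= block_score:
        return "block"
    if rec["threat_score"] >= SUSPECT_SCORE:
        return "suspicious"
    return "allow"

def enrich_logs(feed, log_lines, block_score=BLOCK_SCORE):
    """Match 'src dst dst_port' firewall lines against the feed; return hits."""
    hits = []
    for line in log_lines:
        src, dst, port = line.split()
        rec = feed.get(dst)
        if rec:
            hits.append((src, dst, verdict(rec, int(port), block_score), rec["category"]))
    return hits

# Constructed firewall log lines: "src dst dst_port".
LOGS = ["10.0.0.5 1.2.3.4 443", "10.0.0.7 5.6.7.8 25",
        "10.0.0.7 5.6.7.8 443", "10.0.0.9 8.8.8.8 53"]
```

Running enrich_logs(load_feed(FEED_JSON), LOGS) flags the malware IP and the spam IP on SMTP as "block" and the spam IP on 443 as "suspicious"; passing block_score=50 turns that last hit into "block" as the slide suggests for critical assets.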
INDICATORS OF COMPROMISE - IOC
An Indicator of Compromise (IOC) is an artifact that can be identified by special tools on a host or in network traffic to determine the presence of an infection
Host IOC
File hashes
File size
File path
Registry strings
...
Network IOC
IP addresses
URLs and domains
Botnet C&C addresses
YARA RULES
YARA provides a rule-based approach to create descriptions of malware families based on textual and binary patterns
There is support for three different types of string:
Hexadecimal strings, which are useful for defining raw bytes
Text strings
Regular expressions
COOPERATION BETWEEN CYBER THREAT INTELLIGENCE TEAM AND INCIDENT RESPONDERS
LET'S TALK?
Kaspersky Lab HQ
39A/3 Leningradskoe Shosse
Moscow, 125212, Russian Federation
Tel: +7 (495) 797-8700
www.kaspersky.com