CYBER THREAT INTELLIGENCE TO IMPROVE INCIDENT RESPONSE

Security Intelligence

Cyberdrill, Tanzania, 2017-11-28

MIKHAIL NAGORNY, HEAD OF SECURITY SERVICES, ENTERPRISE BUSINESS



Page 2:

RANSOMWARE, APTs, PHISHING, BOTNETS, TROJANS… HOW TO PROPERLY REACT TO SUCH THREATS?

Page 3:

HOW TO USE SIEM SOLUTIONS TO UTILIZE ALL POSSIBLE THREAT INTELLIGENCE

Log collection
• Proxy
• Network
• Mail
• Firewall
• IPS/IDS
• DLP
• Endpoints

Data Feeds
• IP reputation
• URL/domain reputation
• File reputation
• Whitelisting
• Vulnerability

Incident Response

Page 4:

INTERNAL LOG SOURCES

Collected locally from the network perimeter, domain controllers and endpoint devices, and fed into the SIEM:

Proxy
Network gateway
Firewall
IPS/IDS
DLP
Active Directory
Endpoint workstations
Others (you probably use more)

Page 5:

OSINT – OPEN SOURCE INTELLIGENCE

OSINT is intelligence collected from publicly available sources:

WHOIS
Passive analysis of public internet sites
Search engines
DNS requests
Resources to detect available network services (Shodan, scans.io)
Media
Internet forums, web communities, social networks

Page 6:

COMMERCIAL THREAT INTELLIGENCE

Delivered by a global anti-malware vendor:

IP reputation
Domain/URL reputation
Phishing TI feeds
Botnet C&C feeds
File reputation
Whitelisting
Ransomware feeds
APT IOCs
YARA rules
Others...

Page 7:

MACHINE READABLE THREAT INTELLIGENCE FORMATS

JSON
STIX
OpenIOC

Page 8:

JSON EXAMPLE

{
  "ip": "1.2.3.4",
  "threat_score": 80,
  "category": "malware",
  "first_seen": "21.01.2015 00:00",
  "last_seen": "17.05.2016 03:16",
  "popularity": 5,
  "ip_geo": "us",
  "users_geo": "sa, ae, jp, dz, in",
  "ip_whois": {},
  "domains": "domain.com, domain2.com",
  "files": [ {…} ]
}

Field descriptions:

• ip: IP address (IPv4)
• threat_score: a probability scale specifying whether the IP address is dangerous. The scale ranges from 50 to 100. We recommend blocking IPs with a threat score of 75 or higher and treating IP addresses with a threat score between 50 and 74 as suspicious. Important systems or critical business assets might be tuned to block IP addresses with a threat score of 50 or higher.
• category: the category of the IP address. Currently supported categories: malware, spam and tor_exit_node. Note that the spam category can be blocked regardless of its threat score if the IP address connects over SMTP.
• first_seen: date when the record was created/detected (UTC; formatted DD.MM.YYYY HH:MM, as in the example)
• last_seen: date when the record was last encountered by Kaspersky Lab's users (UTC)
• popularity: index number defining the IP address popularity (how many users were affected by this IP address): 5 is the most popular, 1 the least popular
• ip_geo: IP geolocation, country code (ISO 3166-1 alpha-2)
• users_geo: top 10 countries where KL users were most affected by this IP address
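The following is an added example, not code from the slides or from Kaspersky's own feed tooling. It shows how a SIEM-side check could consume records in the JSON format above and apply this slide's scoring policy (block at 75 and above, suspicious from 50 to 74, lower block threshold for critical assets, spam blocked regardless of score when the connection is SMTP) to firewall log lines, which is the "log collection plus data feeds feeding incident response" flow of slide 3. The feed records, the firewall log format (src=… dst=… dport=…), the critical-asset list and the conversion of a record to a STIX 2 indicator pattern are all constructed assumptions; only the field names, the date format and the thresholds come from the slide.

```python
"""Added example: apply an IP-reputation feed record to firewall log lines.
Field names, date format and thresholds follow the slide; everything else
(feed contents, log line format, asset list) is constructed for the demo."""
import json
import re
from datetime import datetime, timezone

# Constructed feed records in the slide's JSON layout (dates: DD.MM.YYYY HH:MM, UTC).
FEED_JSON = """[
 {"ip": "1.2.3.4", "threat_score": 80, "category": "malware",
  "first_seen": "21.01.2015 00:00", "last_seen": "17.05.2016 03:16",
  "popularity": 5, "ip_geo": "us", "users_geo": "sa, ae, jp, dz, in",
  "ip_whois": {}, "domains": "domain.com, domain2.com", "files": []},
 {"ip": "5.6.7.8", "threat_score": 60, "category": "tor_exit_node",
  "first_seen": "01.03.2016 12:00", "last_seen": "02.03.2016 12:00",
  "popularity": 2, "ip_geo": "de", "users_geo": "de, fr",
  "ip_whois": {}, "domains": "", "files": []},
 {"ip": "9.9.9.9", "threat_score": 55, "category": "spam",
  "first_seen": "05.05.2016 08:00", "last_seen": "06.05.2016 09:30",
  "popularity": 3, "ip_geo": "ru", "users_geo": "ru, ua",
  "ip_whois": {}, "domains": "", "files": []}
]"""

BLOCK_THRESHOLD = 75           # slide: block at threat_score >= 75
SUSPICIOUS_THRESHOLD = 50      # slide: 50..74 is suspicious
CRITICAL_ASSET_THRESHOLD = 50  # slide: critical assets may block at >= 50
SMTP_PORT = 25                 # spam category is port-dependent on the slide


def parse_feed_time(s):
    """Feed timestamps are 'DD.MM.YYYY HH:MM' in UTC; parse explicitly, never by locale."""
    return datetime.strptime(s, "%d.%m.%Y %H:%M").replace(tzinfo=timezone.utc)


def load_feed(text):
    """Index feed records by IP and normalise the comma-separated string fields."""
    index = {}
    for raw in json.loads(text):
        rec = dict(raw)
        rec["first_seen"] = parse_feed_time(rec["first_seen"])
        rec["last_seen"] = parse_feed_time(rec["last_seen"])
        rec["users_geo"] = [c.strip() for c in rec["users_geo"].split(",") if c.strip()]
        rec["domains"] = [d.strip() for d in rec["domains"].split(",") if d.strip()]
        index[rec["ip"]] = rec
    return index


def verdict(rec, dst_port, critical_asset=False):
    """Apply the slide's policy to one matched feed record."""
    if rec["category"] == "spam" and dst_port == SMTP_PORT:
        return "block"  # spam IPs may be blocked regardless of score on SMTP
    threshold = CRITICAL_ASSET_THRESHOLD if critical_asset else BLOCK_THRESHOLD
    if rec["threat_score"] >= threshold:
        return "block"
    if rec["threat_score"] >= SUSPICIOUS_THRESHOLD:
        return "suspicious"
    return "allow"


# Constructed firewall log format: "<ts> src=<ip> dst=<ip> dport=<port> action=<x>"
LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def check_log_lines(lines, feed, critical_assets=()):
    """Match src and dst of each line against the feed.
    Returns (line_no, matched_ip, verdict, category) for every hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        dport = int(m.group("dport"))
        critical = m.group("src") in critical_assets or m.group("dst") in critical_assets
        for ip in (m.group("src"), m.group("dst")):
            rec = feed.get(ip)
            if rec is not None:
                hits.append((n, ip, verdict(rec, dport, critical), rec["category"]))
    return hits


def to_stix_pattern(rec):
    """Express the record's IP as a STIX 2 indicator pattern (assumed mapping)."""
    return f"[ipv4-addr:value = '{rec['ip']}']"


# Constructed sample log lines; 10.0.0.50 is treated as a critical asset below.
SAMPLE_LOG = [
    "2017-11-28T10:00:01Z src=10.0.0.5 dst=1.2.3.4 dport=443 action=allow",
    "2017-11-28T10:00:02Z src=10.0.0.7 dst=5.6.7.8 dport=443 action=allow",
    "2017-11-28T10:00:03Z src=9.9.9.9 dst=10.0.0.25 dport=25 action=allow",
    "2017-11-28T10:00:04Z src=10.0.0.9 dst=8.8.8.8 dport=53 action=allow",
    "2017-11-28T10:00:05Z src=10.0.0.50 dst=5.6.7.8 dport=443 action=allow",
]

if __name__ == "__main__":
    feed = load_feed(FEED_JSON)
    for hit in check_log_lines(SAMPLE_LOG, feed, critical_assets={"10.0.0.50"}):
        print(hit)
```

Three details of the policy are easy to get wrong when wiring a feed into a SIEM rule and are handled explicitly here: the spam rule depends on the destination port, not the score; the critical-asset threshold changes the verdict for the same IP (5.6.7.8 is only suspicious for an ordinary host but blocked for the critical one); and the feed's DD.MM.YYYY dates must be parsed with a fixed format, since a US-locale default would silently swap day and month for dates like 05.06.2016.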

Page 9:

INDICATORS OF COMPROMISE - IOC

An Indicator of Compromise (IOC) is an artifact that can be identified by special tools on a host or in network traffic to determine the presence of an infection.

Host IOC
File hashes
File size
File path
Registry strings
...

Network IOC
IP addresses
URLs and domains
Botnet C&C addresses
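As an added example of checking the host-side IOC types listed above (file hash, file size, file path; registry strings are left out because they need a Windows registry to read), the following sweeps a directory tree against a small IOC set. This is not code from the slides or from any vendor's tooling; the IOC entries, their matching semantics (every field present in an entry must match) and the sample files are constructed for the demo.

```python
"""Added example: sweep a directory tree for host IOCs (hash, size, path).
IOC entries and the sample file tree are constructed; nothing here is real malware."""
import hashlib
import os
import tempfile

# Constructed IOC set. Each entry is one indicator; any field may be omitted.
HOST_IOCS = [
    {"name": "dropper-hash", "sha256": hashlib.sha256(b"MZ\x90\x00evil-dropper").hexdigest()},
    {"name": "dropper-path", "path": "AppData/Roaming/svch0st.exe"},
    {"name": "tiny-loader", "size": 12, "md5": hashlib.md5(b"tiny loader!").hexdigest()},
]


def file_hashes(path):
    """Stream the file once and return (md5, sha256) hex digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def matches(ioc, relpath, size, md5, sha256):
    """All fields present in the IOC must match; an IOC with no fields matches nothing."""
    checks = []
    if "sha256" in ioc:
        checks.append(ioc["sha256"] == sha256)
    if "md5" in ioc:
        checks.append(ioc["md5"] == md5)
    if "size" in ioc:
        checks.append(ioc["size"] == size)
    if "path" in ioc:
        checks.append(relpath.replace(os.sep, "/").endswith(ioc["path"]))
    return bool(checks) and all(checks)


def sweep(root, iocs):
    """Walk root and return sorted (relative_path, ioc_name) pairs for every match."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root)
            size = os.path.getsize(full)
            md5, sha256 = file_hashes(full)
            for ioc in iocs:
                if matches(ioc, rel, size, md5, sha256):
                    hits.append((rel.replace(os.sep, "/"), ioc["name"]))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample host image: two artefacts that should match, one benign file."""
    files = {
        "AppData/Roaming/svch0st.exe": b"MZ\x90\x00evil-dropper",
        "Temp/ld.bin": b"tiny loader!",
        "Documents/notes.txt": b"quarterly report",
    }
    for rel, data in files.items():
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree in a temp dir and sweep it; returns the hit list."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return sweep(root, HOST_IOCS)


if __name__ == "__main__":
    for hit in demo():
        print(hit)
```

Hashing every file once and evaluating all indicators against the collected attributes keeps the sweep linear in the size of the tree rather than in the number of IOCs, which matters once a vendor feed of APT IOCs is loaded instead of three hand-written entries.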

Page 10:

YARA RULES

YARA provides a rule-based approach to create descriptions of malware families based on textual and binary patterns.

There is support for three different types of string:
Hexadecimal strings, which are useful for defining raw bytes
Text strings
Regular expressions
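An added illustrative rule, not from the slides or from any vendor feed, using all three string types listed above. The byte sequences, mutex name and URL pattern are constructed to show the syntax and are not taken from any real malware family:

```yara
// Added example rule (constructed indicators, not a real family signature).
rule Example_Three_String_Types
{
    meta:
        description = "Demonstrates hex, text and regex strings in one YARA rule"
        author      = "added example"

    strings:
        // Hexadecimal strings: raw bytes, with ?? as a single-byte wildcard.
        $mz       = { 4D 5A }                      // "MZ" PE header magic
        $valloc   = { 6A 40 68 00 30 00 00 ?? }    // push 40h; push 3000h (typical VirtualAlloc args)

        // Text string: matched as ASCII and as UTF-16LE ("wide").
        $mutex    = "Global\\ExampleMutex" ascii wide

        // Regular expression: case-insensitive beacon path.
        $beacon   = /beacon_[0-9]{4}\.php/ nocase

    condition:
        $mz at 0 and filesize < 2MB and $valloc and ($mutex or $beacon)
}
```

Anchoring the header magic with `at 0` and bounding `filesize` keeps the rule cheap to evaluate across a whole host image, and requiring the byte pattern together with one of the behavioural strings limits false positives from any single common artefact.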

Page 11:

COOPERATION BETWEEN CYBER THREAT INTELLIGENCE TEAM AND INCIDENT RESPONDERS

Log collection
• Proxy
• Network
• Mail
• Firewall
• IPS/IDS
• DLP
• Endpoints

Data Feeds
• IP reputation
• URL/domain reputation
• File reputation
• Whitelisting
• Vulnerability

Incident Response

Page 12:

LET'S TALK?

Kaspersky Lab HQ
39A/3 Leningradskoe Shosse
Moscow, 125212, Russian Federation
Tel: +7 (495) 797-8700
www.kaspersky.com