Cyber Threat Intelligence
Seyed Alireza Kamrani
Kashef Secure Electronic Management Company
Disclaimer and legal notice
This presentation has been prepared solely for awareness purposes. Foreign companies or organizations are named only to illustrate global approaches; naming them is neither an endorsement nor a rejection of their use within the scope of this presentation.
Main topics
• Introduction
• Types of threat intelligence
• The cyber threat intelligence lifecycle and maturity model
• Standards for sharing threat information
• A brief introduction to the STIX/TAXII standards
• Cyber threat intelligence services, products and platforms
• The place of cyber threat intelligence in the SOC and CSIRT
• Threat intelligence in the banking industry
The main trends in the 2017 cyber threat landscape
• Increasing attack volume and complexity
• Threat agents of all types have advanced in obfuscation, that is, in hiding their trails
• Malicious infrastructures continue their transformation
• Cyber-war is entering dynamically into cyberspace
ENISA Threat Landscape Report 2017: 15 Top Cyber-Threats and Trends, January 2018
Deloitte & Touche Middle East
Financial services threat landscape report, July 2018
* Statistics provided by the IBM 2015 Cyber Security Intelligence Index Report and the Ponemon Institute 2015 Cost of Data Breach Study: Global Analysis
• 151% increase in attack indications
• 135% increase in bank data offered for sale on the black market
• 91% increase in corporate email addresses found on phishing target lists
• 40% increase in corporate credential leakage (employee or customer)
• 149% increase in stolen credit card information
• 49% rise in fake social media (profiles, apps, accounts)
Survey scope: 50 banks and financial services organizations in the US and Europe
Risk management process
• Identify
• Assess
• Mitigate
• Review
Definition 1: Cyber Threat Intelligence
CTI: Cyber Threat Intelligence
It is an important part of managing risk.
• Threat intelligence is a critical tool for enabling the threat-centric side of the security equation and, at least in part, for taking the fight to the adversary by identifying, exposing and sometimes prosecuting the threat actors.
Definition 2: Cyber Threat Intelligence
CTI: Cyber Threat Intelligence
Evidence-based knowledge about a threat, comprising context, indicators, evidence, mechanisms, implications and actionable advice about an existing or emerging hazard or threat to assets, on the basis of which an appropriate decision and action can be taken in response to the threat.
(Gartner)
Types of Threat Intelligence (several classifications are in use)
• Informal / formal
• Strategic / operational
• Strategic / tactical
• Strategic / operational / tactical / technical
Real World Example: Email Found on the Dark Web
• Date and time?
• Where, and who had this on the dark web?
• Captured for spam?
• Stolen credentials?
• Targeted campaign?
• Without any context, what will you do?
• http://haveibeenpwned.com/
Real World Example: Phishing URL
http://www.shaparaksaman.ga/payment.php
• Collected from Telegram?
• Date and time?
• Related to what threat vector or threat?
• Mobile app?
• Propagation methods?
• ...
Real World Example: DDoS attack
• Campaign? Motivation?
• Internal or external?
• Botnet quality?
• Related to what threat vector or threat?
• If you are not looking, how can you protect with assurance?
• ...
"Lists of bad IP addresses without context aren't CTI"
• No ability to determine the precise nature of their badness
• No information about the actual threat or the threat actors, and no sources for the conclusions
• No timing information about when the IP address was actually associated with malicious activity
• Single usage ("block this IP") rather than a faceted range of uses that enriches your understanding of the threat
• Black and white in nature (good/bad), while intelligence is never black and white
CTI must be
• Actionable
• Timely
• Relevant and accurate
• In a structured and linked format
• Durable
Acquire Threat Intelligence
• Commercial: various services
• OSINT: social media, web sites, public resources, dark web, deep web, ...
• Community-driven or industry-led: FS-ISAC, ISAOs, CSIRTs, ...
Use cases for commercial providers (1)
Phishing detection
• PhishMe
• DomainTools
Vulnerability prioritization
• Kenna Security
• Core Security
Social media monitoring
• ZeroFOX
• Recorded Future
Surface, deep and dark web monitoring
• Flashpoint
• IntSights
Brand monitoring
• Digital Shadows, BrandProtect
Threat indicator investigation and response
• Verisign
• Group-IB
Use cases for commercial providers (3)
Threat intelligence analyst augmentation
• FireEye (iSIGHT)
• Digital Shadows
Threat intelligence sharing
• EclecticIQ
• ThreatConnect
Threat actor tracking
• Intel 471
• SenseCy
Rogue or fake mobile app detection
• RiskIQ, PhishLabs, BrandProtect
Sample: Kaspersky Threat Intelligence Service
• Threat Data Feeds: enhance your SIEM solution and improve forensics capabilities using cyber threat data from Kaspersky Lab.
• APT Intelligence Reporting: gain exclusive, proactive access to descriptions of high-profile cyber-espionage campaigns, including indicators of compromise (IOCs).
• Customer-specific Threat Intelligence Reporting: identify externally available critical components of your network (employee social network profiles, personal email accounts and other information) that are potential targets for attack.
OSINT
Samples of community-driven / industry-led sharing
• ISACs: Information Sharing and Analysis Centers
  collect, analyze and disseminate private-sector threat information to industry and government, and provide members with tools to mitigate risks and enhance resiliency
• ISAOs: Information Sharing and Analysis Organizations
• CSIRTs
FS-ISAC
• Enables trusted sharing between members globally
• Tracks 500,000+ industry-specific threat indicators
• Adds thousands of industry threat indicators monthly
• Processes 10,000+ threat repository requests per day
• Handles 420 significant threat advisories per month
• Periodic threat calls in Europe and Asia Pacific
February 4, 2019, FS-ISAC Confidential. © 2016 FS-ISAC
Analysis
• Full-time ISAC Analysis Team (IAT)
  o Additional analyst locations under development
• Two Security Operations Centers (SOCs) with 24x7 operations (Virginia, Poland)
• Senior staff embedded at the US National Cybersecurity and Communications Integration Center (NCCIC)
  o Any information shared by FS-ISAC with government organizations is anonymous and shared only with the permission of the originator (submitter). The FS-ISAC community is based on trust, and the originator (submitter) controls where the information goes.
• Real-time monitoring and sharing of threats, vulnerabilities and incidents as attacks unfold
"For threat intelligence, the FS-ISAC is ... one of the best and most valuable resources of information I've ever experienced in my career." (A member)
TLP Green
Local sources for threat hunting
• Malware analysis and reverse engineering
• Incident investigation and forensics
• Honeypots or deception solutions
• SIEM/IDS/NGFW/WAF/EP/etc. solutions
• Spam (and phishing email) traps
• Botnet connections
• ...
Modern SOCs: threat intelligence fusion
The fusion steps, with what each one does to a suspect IP:
• Link: check that the suspect IP is not a duplicate and link it to pre-existing data
• Enrich: WHOIS, check against block lists, ...
• Relate: correlation, such as IP to campaign
• Validate and contextualize: compare with logs, other reports, ...
• Rank: trust and usage
• Reformat: malware IPs into NIDS signatures
Where each indicator type is consumed:
• IP: firewall, flow data, IPS, ...
• URL: IPS/IDS, email gateway, web proxy, ...
• Domain: DNS, IPS/IDS, web proxy, ...
• File hash: NGFW, email gateway, endpoint management, ...
• Email address: email gateway, IPS/IDS, ...
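To make the fusion steps and the routing table above concrete, here is an added example in Python (not code from the slides): it runs link, enrich, relate, validate, rank and reformat over a handful of constructed feed records, WHOIS and block-list lookups and log lines, then emits a Suricata rule and the list of consuming controls for every IP that survives. The source trust weights, the scoring formula, the six-month freshness window and all sample data are this example's own assumptions.

```python
"""Threat intelligence fusion over raw IP indicators (added example, not from the
slides): link, enrich, relate, validate, rank and reformat constructed feed
records, then route the survivors to the controls listed for IP indicators."""
import re
from datetime import datetime

NOW = datetime(2019, 2, 4)  # fixed "now" so the age calculation is reproducible

# Constructed raw feed: the same IP may arrive from several sources.
RAW_FEED = [
    {"ip": "203.0.113.7", "source": "commercial", "seen": "2019-02-01", "tag": "c2"},
    {"ip": "203.0.113.7", "source": "osint", "seen": "2019-01-30", "tag": "c2"},
    {"ip": "198.51.100.9", "source": "osint", "seen": "2018-06-10", "tag": "scanner"},
    {"ip": "192.0.2.55", "source": "isac", "seen": "2019-02-03", "tag": "phishing"},
]
SOURCE_TRUST = {"isac": 0.9, "commercial": 0.8, "osint": 0.5}  # assumed weights
# Constructed stand-ins for WHOIS, block-list and campaign lookups.
WHOIS = {"203.0.113.7": "AS64500 HostCo", "198.51.100.9": "AS64501 VPSNet",
         "192.0.2.55": "AS64502 CloudX"}
BLOCKLISTS = {"203.0.113.7": ["bl-a", "bl-b"], "192.0.2.55": ["bl-a"]}
CAMPAIGNS = {"c2": "Campaign Alpha", "phishing": "Campaign Beta"}
# Constructed local firewall and proxy log lines used for validation.
LOCAL_LOGS = [
    "2019-02-03T10:14:01 fw DENY src=10.0.0.12 dst=203.0.113.7 dport=443",
    "2019-02-03T10:20:44 proxy GET http://192.0.2.55/login.php src=10.0.0.31",
]
# Indicator type -> controls that can consume it (the slide's mapping).
CONTROLS = {
    "ip": ["firewall", "flow data", "ips"],
    "url": ["ips/ids", "email gateway", "web proxy"],
    "domain": ["dns", "ips/ids", "web proxy"],
    "file_hash": ["ngfw", "email gateway", "endpoint management"],
    "email_addr": ["email gateway", "ips/ids"],
}

def link(records):
    """Link: merge records about the same IP instead of keeping duplicates."""
    merged = {}
    for r in records:
        ind = merged.setdefault(r["ip"], {"type": "ip", "value": r["ip"], "sources": set(),
                                          "tags": set(), "first_seen": None, "last_seen": None})
        seen = datetime.strptime(r["seen"], "%Y-%m-%d")
        ind["sources"].add(r["source"])
        ind["tags"].add(r["tag"])
        ind["first_seen"] = min(filter(None, [ind["first_seen"], seen]))
        ind["last_seen"] = max(filter(None, [ind["last_seen"], seen]))
    return list(merged.values())

def enrich(ind):
    """Enrich: attach WHOIS ownership and block-list hits."""
    ind["whois"] = WHOIS.get(ind["value"], "unknown")
    ind["blocklists"] = BLOCKLISTS.get(ind["value"], [])
    return ind

def relate(ind):
    """Relate: correlate the indicator's tags with known campaigns."""
    ind["campaigns"] = sorted({CAMPAIGNS[t] for t in ind["tags"] if t in CAMPAIGNS})
    return ind

def validate(ind, logs):
    """Validate and contextualize: find sightings in local logs. The IP is
    matched as a whole token so that 192.0.2.5 does not match 192.0.2.55."""
    pat = re.compile(r"(?<![\d.])" + re.escape(ind["value"]) + r"(?![\d.])")
    ind["sightings"] = [line for line in logs if pat.search(line)]
    return ind

def rank(ind):
    """Rank: score from source trust, corroboration, local sightings and age."""
    trust = max(SOURCE_TRUST.get(s, 0.0) for s in ind["sources"])
    freshness = max(0.0, 1.0 - (NOW - ind["last_seen"]).days / 180.0)  # stale after 6 months
    ind["score"] = round(0.5 * trust + 0.1 * min(len(ind["blocklists"]), 2)
                         + (0.2 if ind["sightings"] else 0.0) + 0.1 * freshness, 2)
    return ind

def reformat(ind, sid):
    """Reformat: a Suricata/Snort rule plus the controls that consume IPs."""
    label = ", ".join(ind["campaigns"]) or "uncategorised"
    msg = "CTI %s [%s] score=%s" % (label, "/".join(sorted(ind["tags"])), ind["score"])
    rule = 'alert ip $HOME_NET any -> %s any (msg:"%s"; sid:%d; rev:1;)' % (ind["value"], msg, sid)
    return {"value": ind["value"], "score": ind["score"], "whois": ind["whois"],
            "campaigns": ind["campaigns"], "sightings": len(ind["sightings"]),
            "suricata": rule, "controls": CONTROLS[ind["type"]]}

def fuse(records=RAW_FEED, logs=LOCAL_LOGS, min_score=0.5):
    """Run the pipeline and drop indicators that stay below min_score."""
    fused = [rank(validate(relate(enrich(i)), logs)) for i in link(records)]
    kept = sorted((i for i in fused if i["score"] >= min_score),
                  key=lambda i: i["score"], reverse=True)
    return [reformat(i, 1000000 + n) for n, i in enumerate(kept, start=1)]
```

Running `fuse()` keeps the two IPs that are corroborated, recently seen and sighted in local logs, and drops 198.51.100.9: a single low-trust source, no block-list hit, no local sighting and eight months old, which is exactly the "bad IP without context" the earlier slide warns about. Every surviving record still carries its sources, first/last seen, WHOIS and campaign, so the output can be used for more than "block this IP".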
Share it!
Pick a sharing mechanism
• Web server
• File sharing site
• Threat intelligence platform (TIP)
• ...
Tell people how to get it
• Internal customers
• A friend
• External trust communities
Recent trends in CTI sharing
• MRTI (machine-readable threat intelligence)
• TIPs (threat intelligence platforms)
• Open standards
Increasing cyber risks
• Malicious actors have become much more sophisticated and money driven.
• Losses to US companies are now in the tens of millions; worldwide, in the hundreds of millions.
• Cyber risks are now ranked the #3 overall corporate risk on Lloyd's 2013 Risk Index.
Solving the problem
• Security standards have recently matured.
• Cyber intelligence sharing platforms are revolutionizing the sharing and use of threat intelligence.
Manual sharing is ineffective
• Expensive, because it is a slow manual process between people.
• Not all cyber intelligence is processed; probably less than 2% overall, which means high risk.
• No way to enforce a cyber intelligence sharing policy, which means non-compliance.
Yesterday's security, today's problem, tomorrow's solution
• Intelligence sharing: identify and track threats, incorporate knowledge and share what you know manually with trusted others, which is extremely time consuming and ineffective at raising the attackers' costs.
• Network awareness: protect the perimeter and patch the holes to keep out threats; share knowledge internally.
• Situational awareness: automate sharing, develop a clearer picture from all observers' input, and mitigate proactively.
Sharing solution (figure): an intelligence repository through which Org A shares with many trusted orgs
CTI standards
• IODEF 2007 Incident Object Description and Exchange Format
• CIF 2009 Educause Collective Intelligence Framework
• VERIS 2010 Verizon Vocabulary for Event Recording and Incident Sharing
• OpenIOC 2011 Mandiant
• MILE 2011 Managed Incident Lightweight Exchange
• OTX 2012 AlienVault Open Threat Exchange
• TLP
• STIX / TAXII MITRE
Traffic Light Protocol (TLP)
• RED: restricted to a defined group (e.g., only those present in a meeting). Information labeled RED should not be shared with anyone outside of the group.
• AMBER: information may be shared with FS-ISAC members.
• GREEN: information may be shared with FS-ISAC members and partners (e.g., vendors, MSSPs, customers). Information in this category is not to be shared in public forums.
• WHITE: information may be shared freely and is subject to standard copyright rules.
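As an added example (not from the slides), the TLP policy above can be enforced in code rather than left to convention, which is one answer to the "no way to enforce sharing policy" problem raised earlier. The audience names ("group", "member", "partner", "public"), the ordering of labels and the sample report are this example's own assumptions.

```python
"""Enforcing TLP when sharing (added example, not from the slides): encodes the
four TLP labels as defined for an FS-ISAC member and decides what an audience
may receive. Audience names and the sample report are constructed."""
TLP_LEVELS = ["WHITE", "GREEN", "AMBER", "RED"]  # least to most restrictive

# Who may receive information at each label, following the slide's definitions:
#   RED   - only the defined group it was shared in
#   AMBER - FS-ISAC members
#   GREEN - members and partners (vendors, MSSPs, customers), never public forums
#   WHITE - anyone, subject to copyright
AUDIENCES = {
    "RED": {"group"},
    "AMBER": {"group", "member"},
    "GREEN": {"group", "member", "partner"},
    "WHITE": {"group", "member", "partner", "public"},
}

# Constructed report whose parts carry different labels.
SAMPLE_REPORT = {
    "title": "Phishing campaign against bank customers",
    "parts": [
        {"tlp": "WHITE", "text": "Campaign uses lookalike payment domains."},
        {"tlp": "GREEN", "text": "Indicator list shared for vendor blocking."},
        {"tlp": "AMBER", "text": "Victim bank names and loss figures."},
        {"tlp": "RED", "text": "Source of the intelligence."},
    ],
}

def may_share(tlp, audience):
    """True if information labelled `tlp` may be given to `audience`."""
    label = tlp.upper()
    if label not in AUDIENCES:
        raise ValueError("unknown TLP label: %r" % tlp)  # fail closed, never default to WHITE
    return audience in AUDIENCES[label]

def most_restrictive(labels):
    """A product assembled from several sources inherits its strictest label."""
    return max((l.upper() for l in labels), key=TLP_LEVELS.index)

def release(report, audience):
    """Copy of the report holding only what the audience may see, relabelled
    with the strictest label among the surviving parts; None if nothing survives."""
    parts = [p for p in report["parts"] if may_share(p["tlp"], audience)]
    if not parts:
        return None
    return {"title": report["title"], "parts": parts,
            "tlp": most_restrictive(p["tlp"] for p in parts)}
```

Unknown labels raise rather than pass, and an assembled product inherits the strictest label among its parts, which is what stops a WHITE summary from quietly carrying AMBER detail to a partner. TLP 2.0 (2022) renamed WHITE to CLEAR and added AMBER+STRICT; those are two more rows in the AUDIENCES table.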
You host the connection
Indicators are pulled from the DHS TAXII server via your own TAXII capability, where they can be used in multiple ways.
AIS indicator flow (figure): DHS TAXII server → your TAXII client (Soltra Edge, etc.) → analysts, security devices, a database, and the SIEM (Splunk, etc.)
STIX v1.0: the questions the data model answers
• What activity are we seeing? (Observables)
• What threats should I be looking for, and why? (Indicators)
• Where has this threat been seen? (Incidents)
• What does it do? (TTPs)
• What weaknesses does this threat exploit? (Exploit Targets)
• Why does it do this? (Campaigns)
• Who is responsible for this threat? (Threat Actors)
• What can I do? (Courses of Action)
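The slide maps the analyst's questions onto STIX constructs. The following added example (not from the slides) builds the same picture as a STIX 2.1 JSON bundle, the current form of the standard and what a TAXII collection such as the AIS feed delivers, using only json and uuid from the Python standard library, and then walks the relationship graph to answer each question for one indicator. Every object, name and value in it is constructed for the example; only the object types, property names and relationship types are the standard's own.

```python
"""Answering the STIX questions from a STIX 2.1 bundle (added example, not from
the slides). All objects, names and values are constructed."""
import json
import uuid

TS = "2019-02-04T00:00:00.000Z"  # fixed timestamp for reproducibility
# Namespace the STIX 2.1 spec assigns for deterministic cyber-observable ids.
SCO_NS = uuid.UUID("00abedb4-aa42-466c-9c01-fed23315a9b7")

def sdo(obj_type, **props):
    """STIX domain or relationship object with the common required properties."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": "%s--%s" % (obj_type, uuid.uuid4()), "created": TS, "modified": TS}
    obj.update(props)
    return obj

def ipv4(value):
    """ipv4-addr observable with the spec's deterministic UUIDv5 identifier."""
    key = json.dumps({"value": value}, sort_keys=True, separators=(",", ":"))
    return {"type": "ipv4-addr", "spec_version": "2.1",
            "id": "ipv4-addr--%s" % uuid.uuid5(SCO_NS, key), "value": value}

def rel(src, relationship_type, dst):
    return sdo("relationship", relationship_type=relationship_type,
               source_ref=src["id"], target_ref=dst["id"])

def build_bundle():
    """One indicator and everything an analyst would want linked to it."""
    ip = ipv4("203.0.113.7")
    bank = sdo("identity", name="Example Bank", identity_class="organization")
    observed = sdo("observed-data", first_observed=TS, last_observed=TS,
                   number_observed=1, object_refs=[ip["id"]])
    indicator = sdo("indicator", name="C2 address", pattern_type="stix",
                    pattern="[ipv4-addr:value = '203.0.113.7']", valid_from=TS,
                    indicator_types=["malicious-activity"])
    malware = sdo("malware", name="ExampleRAT", is_family=False,
                  malware_types=["remote-access-trojan"])
    technique = sdo("attack-pattern", name="Spearphishing attachment")
    weakness = sdo("vulnerability", name="Unpatched document viewer")
    campaign = sdo("campaign", name="Campaign Alpha",
                   objective="Theft of online-banking credentials")
    actor = sdo("threat-actor", name="Actor Alpha", threat_actor_types=["crime-syndicate"])
    action = sdo("course-of-action", name="Block 203.0.113.7 at the perimeter firewall")
    sighting = sdo("sighting", sighting_of_ref=indicator["id"], count=1,
                   where_sighted_refs=[bank["id"]], observed_data_refs=[observed["id"]])
    objects = [ip, bank, observed, indicator, malware, technique, weakness, campaign,
               actor, action, sighting,
               rel(indicator, "indicates", malware),      # what threat
               rel(malware, "uses", technique),           # what it does
               rel(malware, "exploits", weakness),        # what it exploits
               rel(campaign, "uses", malware),            # why
               rel(campaign, "attributed-to", actor),     # who
               rel(action, "mitigates", malware)]         # what can I do
    return {"type": "bundle", "id": "bundle--%s" % uuid.uuid4(), "objects": objects}

def answer_questions(bundle, indicator_id):
    """Walk the relationship graph outward from one indicator."""
    objs = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]

    def out(src_ids, rtype):  # objects reached by src --rtype--> target
        return [objs[r["target_ref"]] for r in rels
                if r["source_ref"] in src_ids and r["relationship_type"] == rtype]

    def inc(dst_ids, rtype):  # objects that point at dst with rtype
        return [objs[r["source_ref"]] for r in rels
                if r["target_ref"] in dst_ids and r["relationship_type"] == rtype]

    def names(items):
        return sorted(o["name"] for o in items)

    sightings = [o for o in bundle["objects"]
                 if o["type"] == "sighting" and o["sighting_of_ref"] == indicator_id]
    observed = [objs[i] for s in sightings for i in s.get("observed_data_refs", [])]
    malware = out({indicator_id}, "indicates")
    mal_ids = {m["id"] for m in malware}
    campaigns = inc(mal_ids, "uses")  # campaign --uses--> malware
    return {
        "what_activity": sorted(objs[r]["value"] for od in observed for r in od["object_refs"]),
        "where_seen": sorted(objs[r]["name"] for s in sightings for r in s["where_sighted_refs"]),
        "what_threat": names(malware),
        "what_it_does": names(out(mal_ids, "uses")),  # malware --uses--> attack-pattern
        "what_weaknesses": names(out(mal_ids, "exploits")),
        "why": sorted(c.get("objective", "") for c in campaigns),
        "who": names(out({c["id"] for c in campaigns}, "attributed-to")),
        "what_can_i_do": names(inc(mal_ids, "mitigates")),
    }

def to_json(bundle):
    return json.dumps(bundle, indent=2)
```

The point of the graph walk is that the indicator on its own is a bare IP; the sighting, malware, campaign, actor and course of action hanging off it are the context that earlier slides say a list of bad IPs lacks, and STIX carries that context in a form a TIP or SIEM can consume without re-reading a PDF report. The deterministic UUIDv5 for the observable means two organisations describing the same IP produce the same id, so bundles merge cleanly.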
What you are looking for
• What exactly were they doing?
• Where was it seen?
• What were they looking to exploit?
• Why were they doing it?
• Who was doing it?
• What should you do about it?
• Why should you care about it?
Key features of sample TIPs
ThreatConnect, EclecticIQ, LookingGlass, MISP, TruSTAR, CRITs, Threatelligence
Standards and guidelines for information sharing
Challenges that discourage sharing
• Quality issues
• Untrusted participants
• The natural instinct of organizations not to share
• Believing that there is little chance of a successful prosecution
• The victimized organization being unaware of a cyber incident
• Sharing faster is not sufficient
Sample process (figure); its elements:
• Threat intelligence sources → validation → vetted intel → SIEM use cases
• Security Operations Center, with false positives fed back to validation
• Cyber investigators and the Cyber Intelligence Incident Response Team → event remediation
• Exchange with business partners over STIX/TAXII
SWIFT ISAC: cyber security information sharing
Next-gen threat intelligence providers: TruSTAR was selected for its unique "Connective Defense" approach to cybersecurity, which fuses threat intelligence, fraud, and physical security data into the platform for increased data correlation and collaboration across teams.
Q&A