How To Turbo-Charge Incident Response With Threat Intelligence

Upload: resilient-systems

Post on 08-May-2015


DESCRIPTION

Minutes, hours, days - each one counts when responding to a security incident. Yet most firms have a lot of room for improvement. According to the 2013 Verizon Data Breach Investigations Report, in 66% of cases (up from 56% last year), breaches remained undiscovered for years, and in 22% of cases, it took months to fully contain the incident. This webinar will review the challenges firms face in trying to create a rapid and decisive incident response (IR) process. It will then highlight the crucial role that timely, contextual threat intelligence can play in turbo-charging incident response, particularly when tightly integrated with the broader IR discipline. Our presenters will reveal the power of this approach by demonstrating Co3's integrated threat intelligence capabilities, including intel from the cyber threat intelligence experts at iSIGHT Partners. Our featured speakers for this webinar will be:

- Ted Julian, Chief Marketing Officer, Co3 Systems
- Tim Armstrong, Security Incident Response Specialist, Co3 Systems
- Matt Hartley, VP of Product Management, iSIGHT Partners

TRANSCRIPT

Page 1

How To Turbo-Charge Incident Response With Threat Intelligence


Page 2

Agenda

• Introductions

• What is threat intelligence?

• Why does threat intelligence matter?

• How threat intelligence can turbo-charge IR

• Demo: IR management with integrated threat intelligence


Page 3

Introductions: Today’s Speakers

• Ted Julian, Chief Marketing Officer, Co3 Systems

• Matt Hartley, Vice President of Product Management, iSIGHT Partners

• Tim Armstrong, Security Incident Response Specialist, Co3 Systems


Page 4

End-to-End IR: Before, During, and After

PREPARE: Improve Organizational Readiness

• Appoint team members

• Fine-tune response SOPs

• Escalate from existing systems

• Run simulations (firedrills / table tops)

ASSESS: Identify and Evaluate Incidents

• Assign appropriate team members

• Evaluate precursors and indicators

• Correlate threat intelligence

• Track incidents, maintain logbook

• Prioritize activities based on criticality

• Generate assessment summaries

MANAGE: Contain, Eradicate, and Recover

• Generate real-time IR plan

• Coordinate team response

• Choose appropriate containment strategy

• Isolate and remediate cause

• Instruct evidence gathering and handling

• Log evidence

MITIGATE: Document Results & Improve Performance

• Generate reports for management, auditors, and authorities

• Conduct post-mortem

• Update SOPs

• Track evidence

• Evaluate historical performance

• Educate the organization


Page 5

About iSIGHT Partners: 200+ experts, 16 Countries, 24 Languages, 1 Mission

Global Reach

Proven Intelligence Methodology

• Research: Identify threats, groups; determine/capture motivation and intent

• Analysis: Fuse knowledge across methods, campaigns, affiliations, historical context

• Dissemination: Deliver high-fidelity, high-impact, contextual, actionable insights

ThreatScape® Products

• Cyber Crime

• Cyber Espionage

• Denial-of-Service

• Enterprise

• Hacktivism

• Industrial Control Systems

• Mobile

• Vulnerability and Exploitation


Page 6

ThreatScape® Cyber Threat Intelligence

Threat Intelligence vs. Threat Data: Context Matters

Threat Data

• Bad IP Address

Threat Intelligence

• Bad IP Address

• Actor Group

• Motivation

• Primary Targets

• Ability to Execute

• Ranking

• Last Hop Geo Location

• Additional IPs, Domains

• Malware Used

• Lures

• Vulnerabilities Targeted

• Historic Campaigns

• Successful Compromises


Page 7

What is Threat Intelligence?

Knowledge and context, not just data

Technical Threat Data (Malware Payload Indicators):

Name: uxsue.exe
Identifier: Gameover Zeus
Extension: exe
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size: 329216
Packer: ['MinGW GCC 3.x']
MD5sum: 045b793b2a47fbea0d341424262c8c5b
Sha1: 5ca6943f557489b510bd0fe8825a7a68ef00af53
Sha256: 8a4036289762a4414382fee8463d2bc7892cd5cab8fb6995eb94706d47e781dd
Fuzzy: 6144:ka23d0lraSurrtt/xue1obsXD8J3Ej+rbC80tsX9GR:kFd0lWzrrtxdowT8U8hYR
MIME:
Compiled: 2012-10-10 17:33:25

Basic Context: Gameover Zeus is a frequently used Trojan in financial cybercrime

Exploitation Vector: hxxp://26.azofficemovers.com/links/persons_jobs.php

Unique Threat-focused Information: We believe the following actors are either members of or are close associates with the petr0vich group: …

Bottom Line: Zeus Malware Author Probably Working with Gameover Zeus Operators, but Current Level of Involvement Remains Uncertain

Contextual Analysis: …the primary Zeus author partnered with the "petr0vich group," which most likely controls Gameover Zeus, to develop custom Zeus versions…. his continued participation will probably help fuel further innovative developments to Zeus.


Page 8

ThreatScape API

ThreatScape® Intelligence, delivered via the ThreatScape® API, feeds:

Process Integration

• Threat Fusion Center

• Security Operations Center

• Incident Response

Technology Integration

• Analytics

• GRC

• SIEM/IDS

• Network/Host Protection

• Configuration/Patch Management


Page 9

IR Suffers From A Lack Of Intelligence

• “75% said they conduct forensic investigations to ‘find and investigate incidents after the fact.’”

- SANS Survey of Digital Forensics and Incident Response, July 2013

• “60% … agree that their company at some point in time failed to stop a material security exploit because of insufficient or outdated threat intelligence.”

• “49% said it can take within a week to more than a month to identify a compromise.”

- Ponemon Institute Live Threat Intelligence Impact Report 2013

• Forty percent of respondents say their security products do not support the import of threat intelligence from other sources.

- Ponemon Institute Threat Intelligence & Incident Response Report, February 2014

• “In 66% of cases (up from 56% last year), breaches remained undiscovered for years, and in 22% of cases, it took months to fully contain the incident.”

- 2013 Verizon Data Breach Investigations Report


Page 10

Incident Response Needs Threat Intel

PREPARE: Ensure alignment with real threats and actors

• Who has attacked you in the past?

• How have they attacked you?

• What are those attackers known to be interested in?

ASSESS: Prioritize an informed response

• Who is behind the attack?

• How are they attacking?

• What might they ultimately be after?

• Time is of the essence

MANAGE: Accelerate a decisive response

• What items in the IR plan are most important?

• Law enforcement? The FBI? Who do you need to call?

MITIGATE: Inform mitigation and preparation based on real threats and actors

• How are threats evolving?

• How should you update your preventive and detective controls?

• Can you eliminate the target?

• Should you add some new partners / resources?

• Should you update / expand training?

Page 11

POLL


Page 12

Traditional approaches: where does intelligence fit?

Basic IR Framework: Prepare, Detect, Respond, Recover

Event Driven Basic Investigative Framework: Incident Report / Notification, then Data Capture, Analysis, Link Analysis, Case Prep / Resolution

Intelligence enhances every stage of IR by providing situational awareness, context, and attribution - where does it fit?


Page 13

Investigations enhanced by intelligence

Intelligence: proactive; informed by knowledge of threat sources, activities, methods, and historical context; fusion of sources; historical links.

Event Driven Enhanced Investigative Framework (Incident Report / Notification, then Data Capture, Analysis, Link Analysis, Case Prep / Resolution), with intelligence at each stage:

• Data Capture: Look for different indicators and other activity; look in different places

• Analysis: Consider adversary intent, previous activity, alternative targeting, additional information

• Link Analysis: Consider affiliations, adversary intent, previous activity, alternative targeting

• Case Prep / Resolution: Proactive, detective, and preventative measures; training and exercises; business impact analysis; reporting

Page 14

POLL


Page 15

Connecting People and Technology at a Time of Crisis


Page 16

Threat Intel With Incident Artifacts in Co3

• Artifacts are attributes of an incident that can indicate the presence and nature of a threat.

• Artifacts can be anything from a suspected malware file, to the IP address of a foreign server.

• Co3 supports multiple artifact types:

  • URLs

  • IP addresses

  • Malware hashes

  • DNS names

  • Log files

  • Emails

  • Malware samples

  • Registry keys

  • Username

  • Port

  • Process name


Page 17

Threat Intelligence

• Actionable context about the nature of the incident based on its associated artifacts. This insight can include:

  • Actor(s)

  • Means

  • Methods

  • Campaign

  • Historical context

  • Impacts

• Initial threat intelligence feeds include:

  • iSIGHT Partners

  • Abuse.ch

  • AlienVault

  • SANS

  • MalwarePatrol


Page 18

Enabling Actionable, Intelligent, Efficient Response

Co Investigate: Incident Artifacts + Threat Intel

Detailed Threat Info

• Which actors

• What methods

• What impacts

Correlated Threat Context

• Who else

• How else

• Why you

Accelerated Response

• Automatic discovery

• Enhanced collaboration

• Workforce enablement, enhancement
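The following Python is an added example, not code from the deck, Co3 or iSIGHT. It sketches the artifact-to-intelligence correlation that slides 6, 7 and 16 to 18 describe: incident artifacts of the types slide 16 lists are normalized (hash case, hxxp defanging), looked up in a feed, and the hits merged into the "which actors / what methods / what impacts" view of slide 18, with a bare blocklist match (threat data) ranked below a hit that names an actor (threat intelligence, slide 6). The feed records, the source labels and the priority rule are constructed assumptions; only the Gameover Zeus hashes and the defanged URL are taken from slide 7.

```python
"""Correlate incident artifacts with threat-intelligence context.
Added example, not code from the webinar deck, Co3 or iSIGHT. The feed
records and the priority rule are constructed; only the Gameover Zeus
hashes and the defanged URL are taken from slide 7 of the deck."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlparse


def refang(value: str) -> str:
    """Undo common defanging (hxxp://, [.]) so the value matches feed keys."""
    return re.sub(r"^hxxp", "http", value, flags=re.I).replace("[.]", ".")


def classify(raw: str) -> tuple[str, str]:
    """Map a raw artifact to (type, normalized value); types follow slide 16."""
    value = refang(raw.strip())
    if len(value) in (32, 40, 64) and re.fullmatch(r"[0-9a-fA-F]+", value):
        return "malware_hash", value.lower()          # MD5 / SHA-1 / SHA-256
    if re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", value):
        return "ip", value
    if re.match(r"https?://", value, re.I):
        return "url", value
    if re.fullmatch(r"[a-z0-9-]+(\.[a-z0-9-]+)+", value, re.I):
        return "dns", value.lower()
    return "unknown", value


@dataclass(frozen=True)
class IntelRecord:
    """A feed entry: the bare indicator plus context fields from slide 6."""
    indicator: str
    source: str
    actor_group: str = ""
    motivation: str = ""
    malware: str = ""


# Constructed feed. Source names are hypothetical labels, not real feed output.
FEED = [
    IntelRecord("8a4036289762a4414382fee8463d2bc7892cd5cab8fb6995eb94706d47e781dd",
                "vendor-intel (constructed)", actor_group="petr0vich group",
                motivation="financial cybercrime", malware="Gameover Zeus"),
    IntelRecord("26.azofficemovers.com", "vendor-intel (constructed)",
                motivation="financial cybercrime", malware="Gameover Zeus"),
    IntelRecord("045b793b2a47fbea0d341424262c8c5b",
                "hash-blocklist (constructed)", malware="Gameover Zeus"),
]


def correlate(artifacts: list[str], feed: list[IntelRecord]) -> dict[str, dict]:
    """Look each artifact up in the feed; URLs also pivot to their host name."""
    index: dict[str, list[IntelRecord]] = {}
    for rec in feed:
        index.setdefault(rec.indicator.lower(), []).append(rec)
    result = {}
    for raw in artifacts:
        kind, value = classify(raw)
        keys = [value.lower()]
        if kind == "url":  # the 'additional IPs, domains' pivot from slide 6
            keys.append((urlparse(value).hostname or "").lower())
        hits = [rec for key in keys for rec in index.get(key, [])]
        result[raw] = {"type": kind, "value": value, "hits": hits}
    return result


def summarize(correlated: dict[str, dict]) -> dict:
    """Merge hits into slide 18's view: which actors, what methods, what impacts."""
    actors, malware, motives, sources = set(), set(), set(), set()
    matched = 0
    for entry in correlated.values():
        matched += bool(entry["hits"])
        for rec in entry["hits"]:
            sources.add(rec.source)
            for bucket, value in ((actors, rec.actor_group),
                                  (malware, rec.malware),
                                  (motives, rec.motivation)):
                if value:
                    bucket.add(value)
    return {
        "matched_artifacts": matched,
        "total_artifacts": len(correlated),
        "actors": sorted(actors),
        "malware": sorted(malware),
        "motivation": sorted(motives),
        "sources": sorted(sources),
        # A hit that names an actor is intelligence; a bare blocklist hit is data.
        "priority": "high" if actors else ("medium" if matched else "low"),
    }


# Constructed incident: slide 7 SHA-256 (upper case), defanged lure URL,
# slide 7 SHA-1 (no feed entry here) and an unrelated internal IP.
INCIDENT_ARTIFACTS = [
    "8A4036289762A4414382FEE8463D2BC7892CD5CAB8FB6995EB94706D47E781DD",
    "hxxp://26.azofficemovers.com/links/persons_jobs.php",
    "5ca6943f557489b510bd0fe8825a7a68ef00af53",
    "10.0.0.1",
]

if __name__ == "__main__":
    for key, value in summarize(correlate(INCIDENT_ARTIFACTS, FEED)).items():
        print(f"{key}: {value}")
```

Normalization happens before lookup on purpose: analysts paste hashes in whatever case the tool emitted them and defang URLs by habit, and a feed match silently fails on either unless both sides are canonicalized. The URL-to-host pivot is the simplest instance of the "additional IPs, domains" context slide 6 lists; a production correlator would pivot further (registrable domain, resolved IPs) and carry the feed's ranking and last-hop fields into the priority decision.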

Page 19

DEMO

Page 20

QUESTIONS

Page 21

One Alewife Center, Suite 450, Cambridge, MA 02140

PHONE 617.206.3900

WWW.CO3SYS.COM

Matt Hartley, Vice President of Product Management
[email protected]
571.287.7700

“We’re doing IR in one-tenth of the time.” - DIRECTOR OF SECURITY & RISK, USA FUNDS

“It’s the best purchase we ever made.” - CSO, F500 HEALTHCARE PROVIDER

“One of the hottest products at RSA…” - NETWORK WORLD

“Co3 has done better than a home-run...it has knocked one out of the park.” - SC MAGAZINE