huntsman - threat intelligence (for iap2015)
TRANSCRIPT
Making Threat Data Intelligent Applied Security Intelligence
March 2015 – Piers Wilson
Setting the scene
• Threat Intelligence is more than just data
• Examples and applications
• Summary / Benefits
A Threat Intelligence “eco-system” ...
Applied Security Intelligence – inputs:
• “Traditional” log sources – Networks, systems, applications, devices
• Vulnerability information – Scan information, asset sensitivities, vulnerable platforms
• Geographic information – Countries, sites that pose risk, political factors
• Cyber-security/malware/attack context – Malware details, network captures
• External threat sources – IP reputation, known bad URLs, phishing sources, C&C sites, botnets, CERTs
• Internal context databases – Locations, staff roles, HR systems, physical controls
Real Threat Intelligence Examples
Traditional public sources / external “TI”
• Externally available threat data source lists – Botnets, C&C systems, known malware sites, compromised URLs, DLP risks
• Regular updates / scheduled retrieval
• Different sources/feeds used for different purposes
• Detection of:
  – Communication with suspicious/risky hosts/domains
  – Data exfiltration risks
  – Etc...
© 2015 Tier-3 Pty Limited. All rights reserved.
Traditional public sources / external “TI”
• Emerging Threats
  – Raw IP list
  – C&C servers (Shadowserver)
  – Spam nets (Spamhaus)
  – Top Attackers (Dshield)
  – Compromised IP addresses
• Abuse.ch
  – SSLBL IP Blacklist
  – ZeuS Tracker
  – Palevo Tracker
  – SpyEye Tracker
• Malc0de – IP blacklist
• URLBlacklist.com
• Malware domains
• Threat Expert
Plus various commercial sources
Geo-location Visualisation
• Display or reference to GeoIP information
• Risk locations/attack sources used in security decisions
• Additionally WHOIS and DNS information useful
Getting to this information quickly in the decision making process is key
Defence sector – Real example
• Defence customers are major users of Threat Intelligence
• Intelligence agencies provide threat information to Defence network administrators
• Reference data used to raise real-time alerts of suspicious network traffic
• Information from alerts subsequently adds to their internal threat intelligence reference data
  – i.e. Observed incidents create “new” TI that automatically adds to the reference data set
Internal Security Intelligence
• Creation of bespoke/local Threat Intelligence – Manual or Automated
• Particular value in MSSPs – Leverage threat observations across customers
• Better decision making in context of “real”, observed threats
Government sector
• Suspicious network/IP addresses received from intelligence agency
• Post-analyse logs for traffic to/from those addresses
  1. Suspicious hosts data set (high risk destinations)
  2. Predefined reports use data for analysis
• Threat intelligence MATCHED WITH observed activity and traffic
• Minimal operational workload
  – Data automatically updated in the background
  – Scheduled, automated, pre-defined processes
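The matching and feedback loop described on the Government and Defence slides, as an added example (not Huntsman's or Tier-3's code): a constructed reference set of suspicious hosts is matched against constructed firewall log lines, and internal hosts observed talking to a reference host are added back to the reference data as observed-incident TI. The addresses, log format, internal range and tag names are all assumptions.

```python
"""Added example: match log traffic against TI reference data and feed observed incidents back."""
import re
from ipaddress import ip_address, ip_network

# Constructed reference data standing in for a retrieved feed (e.g. a C&C
# server list): single IPs or CIDR ranges, each tagged with its source.
REFERENCE = {
    "198.51.100.7": "cnc-feed",
    "203.0.113.0/24": "compromised-range",
}
# Constructed firewall log lines using RFC 5737 documentation addresses.
LOG_LINES = [
    "2015-03-02T10:01:12Z fw01 ACCEPT src=10.0.0.15 dst=198.51.100.7 dport=443",
    "2015-03-02T10:01:13Z fw01 ACCEPT src=10.0.0.22 dst=93.184.216.34 dport=80",
    "2015-03-02T10:02:40Z fw01 ACCEPT src=203.0.113.9 dst=10.0.0.5 dport=22",
    "2015-03-02T10:03:01Z fw01 ACCEPT src=10.0.0.15 dst=192.0.2.50 dport=8080",
]
LOG_RE = re.compile(r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")
INTERNAL = ip_network("10.0.0.0/8")  # assumed internal address space

def lookup(addr, reference):
    """Return the tag of the first reference entry containing addr, else None."""
    ip = ip_address(addr)
    for entry, tag in reference.items():
        if ip in ip_network(entry, strict=False):
            return tag
    return None

def match_logs(lines, reference):
    """Post-analyse log lines: flag traffic to or from any reference host."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        for role in ("src", "dst"):
            tag = lookup(m[role], reference)
            if tag:
                peer = m["dst" if role == "src" else "src"]
                hits.append({"role": role, "addr": m[role], "tag": tag, "peer": peer})
    return hits

def add_observed(hits, reference):
    """Feedback loop: an internal host seen talking to a reference host becomes
    observed-incident TI, so its later traffic is flagged too. Returns new entries."""
    added = []
    for h in hits:
        if ip_address(h["peer"]) in INTERNAL and h["peer"] not in reference:
            reference[h["peer"]] = "observed-incident"
            added.append(h["peer"])
    return added
```

Re-running match_logs after add_observed flags the later 10.0.0.15 connection to 192.0.2.50, which the external feeds alone would not have caught.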
Detection leads to Resolution
Apply Security Intelligence during resolution
• When an attack occurs, specific information relating to the threat is vital
• More than just log data
  – System configurations/registry
  – Changes to affected system files
  – Network traffic/connections
  – Other behaviour
• Malware – specific examples
  – Network sessions/connection patterns
  – Known effects of specific malware activity within file system and registry
Summary
Applied Security Intelligence
• Derive meaningful threat intelligence from all available security data
• Better context during triage, diagnosis and investigation
• Confident exclusion of false positives
• Automatically identify real attacks and known threats
• Increase speed and accuracy of detection
+44 (0) 7800 508517
www.huntsmansecurity.com www.tier-3.com
@tier3huntsman
Questions