How To Turbo-Charge Incident Response With Threat Intelligence
Minutes, hours, days - each one counts when responding to a security incident. Yet most firms have a lot of room for improvement. According to the 2013 Verizon Data Breach Investigations Report, in 66% of cases (up from 56% last year), breaches remained undiscovered for years, and in 22% of cases, it took months to fully contain the incident.

This webinar will review the challenges firms face in trying to create a rapid and decisive incident response (IR) process. It will then highlight the crucial role that timely, contextual threat intelligence can play in turbo-charging incident response, particularly when tightly integrated with the broader IR discipline. Finally, it will reveal the power of this approach by demonstrating Co3's integrated threat intelligence capabilities including intel from industry-leader iSIGHT Partners.

Published in: Technology, Business
  • Matt is the Senior Director of Intelligence Services at iSIGHT Partners, where he has held a variety of responsibilities including leading government programs, managing technology partnerships, and leading a team enabling government and industry leaders worldwide to recognize their actual cyber threat reality. Previously, Matt was a Senior Program Manager at Lockheed Martin's Advanced Technology Laboratory, where he was responsible for research and development of emerging information sciences and technologies in information operations and cyber security. He is a US Air Force veteran and has been recognized with numerous awards throughout his 15-year career as a thought leader in advanced cyber warfare and security, and information operations and security. Matt is a CISSP.
  • Tim Armstrong is a Security Incident Response Specialist at Co3. Tim has a deep background in the security industry, including vulnerability management and malware analysis from his time at Rapid7 and Kaspersky Labs.
  • Adapted from the standard Emergency Response Process of: Prepare, Respond, Recover, Mitigate.
  • Transcript

    • 1. How To Turbo-Charge Incident Response With Threat Intelligence
    • 2. Page 2 Agenda
      • Introductions
      • What is threat intelligence?
      • Why does threat intelligence matter?
      • How threat intelligence can turbo-charge IR
      • Demo: IR management with integrated threat intelligence
    • 3. Page 3 Introductions: Today's Speakers
      • Ted Julian, Chief Marketing Officer, Co3 Systems
      • Matt Hartley, Senior Director of Intelligence Services, iSIGHT Partners
      • Tim Armstrong, Security Incident Response Specialist, Co3 Systems
    • 4. Page 4 Co3 – Automating IR based on E.R. standards
      • PREPARE: Improve Organizational Readiness. Appoint team members; fine-tune response SOPs; escalate from existing systems; run simulations (firedrills / table tops).
      • ASSESS: Identify and Evaluate Incidents. Assign appropriate team members; evaluate precursors and indicators; correlate threat intelligence; track incidents, maintain logbook; prioritize activities based on criticality; generate assessment summaries.
      • MANAGE: Contain, Eradicate, and Recover. Generate real-time IR plan; coordinate team response; choose appropriate containment strategy; isolate and remediate cause; instruct evidence gathering and handling; log evidence.
      • MITIGATE: Document Results & Improve Performance. Generate reports for management, auditors, and authorities; conduct post-mortem; update SOPs; track evidence; evaluate historical performance; educate the organization.
    • 5. Page 5 About iSIGHT Partners
      • Intelligence Research (Identify the Threat): identify threats with personnel operating globally in 16 countries in local language, dialect, culture; recognize and categorize threat actors, groups, and campaigns; capture motivation and intents; characterize technologies and targets.
      • Intelligence Analysis (Fused Threat Context): fuse knowledge and context across threats and sectors; focus on threats of highest import; link observable attack methodologies to threat sources; define the threat ecosystem; tactical, operational, and strategic intel.
      • Intelligence Dissemination (Cyber Threat Intelligence): deliver technical and threat intelligence connected to indicators and observables; tagged and categorized into areas of threat; high-fidelity actionable insights; knowledge and context, not just data.
      • 70+ researchers in 16 countries and 24 languages; 70+ cyber threat analysts in the Washington, DC area; 190+ total employees working as a global team.
      • Coverage areas: Vulnerability & Exploit, Threats to Enterprise IT, DDoS, Mobile Threats, Cyber Espionage, Cyber Crime, Hacktivism, Threats to Industrial Control Systems.
    • 6. Page 6 What is threat intelligence? (sample record)
      • Technical Threat:
        Name: uxsue.exe
        Identifier: Gameover Zeus
        Extension: exe
        Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
        Size: 329216
        Packer: ['MinGW GCC 3.x']
        MD5sum: 045b793b2a47fbea0d341424262c8c5b
        Sha1: 5ca6943f557489b510bd0fe8825a7a68ef00af53
        Sha256: 8a4036289762a4414382fee8463d2bc7892cd5cab8fb6995eb94706d47e781dd
        Fuzzy: 6144:ka23d0lraSurrtt/xue1obsXD8J3Ej+rbC80tsX9GR:kFd0lWzrrtxdowT8U8hYR
        MIME:
        Compiled: 2012-10-10 17:33:25
      • Malware Payload Indicators: Gameover Zeus is a frequently used Trojan in financial cybercrime.
      • Basic Context: Exploitation Vector: hxxp://26.azofficemovers.com/links/persons_jobs.php
      • Unique Threat-focused Information: We believe the following actors are either members of or are close associates with the petr0vich group: …
      • Bottom Line: Zeus Malware Author Probably Working with Gameover Zeus Operators, but Current Level of Involvement Remains Uncertain
      • Contextual Analysis: …the primary Zeus author partnered with the "petr0vich group," which most likely controls Gameover Zeus, to develop custom Zeus versions…. his continued participation will probably help fuel further innovative developments to Zeus.
      • Knowledge and context, not just data.
    • 7. Page 7 IR Suffers From A Lack Of Intelligence
      • "75% said they conduct forensic investigations to 'find and investigate incidents after the fact.'" - SANS Survey of Digital Forensics and Incident Response, July 2013
      • "60% … agree that their company at some point in time failed to stop a material security exploit because of insufficient or outdated threat intelligence." - Ponemon Institute Live Threat Intelligence Impact Report 2013
      • "49% said it can take within a week to more than a month to identify a compromise." - Ponemon Institute Live Threat Intelligence Impact Report 2013
      • "In 66% of cases (up from 56% last year), breaches remained undiscovered for years, and in 22% of cases, it took months to fully contain the incident." - 2013 Verizon Data Breach Investigations Report
    • 8. Page 8 Incident Response Needs Threat Intel
      • PREPARE: Who has attacked you in the past? How have they attacked you? What are those attackers known to be interested in? Ensure alignment with real threats and actors.
      • ASSESS: Who is behind the attack? How are they attacking? What might they ultimately be after? Time is of the essence. Prioritize an informed response.
      • MANAGE: What items in the IR plan are most important? Law enforcement? The FBI? Who do you need to call? Accelerate a decisive response.
      • MITIGATE: How are threats evolving? How should you update your preventive and detective controls? Can you eliminate the target? Should you add some new partners / resources? Should you update / expand training? Inform mitigation and preparation based on real threats and actors.
    • 9. POLL
    • 10. Page 10 Traditional approaches: where does intelligence fit?
      • Basic IR Framework: Prepare, Detect, Respond, Recover.
      • Basic Investigative Framework (event driven): Incident Report / Notification, Data Capture, Analysis, Link Analysis, Case Prep / Resolution.
      • Intelligence enhances every stage of IR by providing situational awareness, context, and attribution.
    • 11. Page 11 Investigations enhanced by intelligence (Enhanced Investigative Framework)
      • Intelligence is proactive: informed by knowledge of threat sources, activities, methods, and historical context; fusion of sources; historical links.
      • Data Capture: look for different indicators and other activity; look in different places.
      • Analysis: consider adversary intent, previous activity, alternative targeting, additional information.
      • Link Analysis: consider affiliations, adversary intent, previous activity, alternative targeting.
      • Case Prep / Resolution: proactive, detective, and preventative measures; training and exercises; business impact analysis; reporting.
    • 12. POLL
    • 13. Page 13 System Overview
      • Inputs and integrations: Trouble Ticketing, SIM, Web Form, Email, GRC, Entry Wizard.
      • Stakeholders: IT, Marketing, Legal/Compliance, HR.
      • Core: IR Engine with Threat Intel Auto-Correlation; Dashboards and Reporting.
      • Hosting: SSAE-16 SOC2 certified hosting facility.
    • 14. Page 14 Threat Intel With Incident Artifacts in Co3
      • Artifacts are attributes of an incident that can indicate the presence and nature of a threat.
      • Artifacts can be anything from a suspected malware file to the IP address of a foreign server.
      • Co3 supports multiple artifact types: URLs, IP addresses, malware hashes, DNS names, log files, emails, malware samples.
    • 15. Page 15 Threat Intelligence
      • Actionable context about the nature of the incident based on its associated artifacts. This insight can include: actor(s), means, methods, campaign, historical context, impacts.
      • Initial threat intelligence feeds include: iSIGHT Partners, Abuse.ch, AlienVault, SANS.
    • 16. Page 16 Enabling Actionable, Intelligent, Efficient Response
      • Investigate incident artifacts with threat intel (diagram), yielding:
      • Detailed Threat Info: which actors, what methods, what impacts.
      • Correlated Threat Context: who else, how else, why you.
      • Accelerated Response: automatic discovery; enhanced collaboration; workforce enablement, enhancement.
    • 17. DEMO
    • 18. QUESTIONS
    • 19. Contact
      • One Alewife Center, Suite 450, Cambridge, MA 02140. PHONE 617.206.3900. WWW.CO3SYS.COM
      • Matt Hartley, Senior Director of Intelligence Services, mhartley@isightpartners.com, 571.287.7700
      • "Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice." PC MAGAZINE, EDITOR'S CHOICE
      • "Platform is comprehensive, user friendly, and very well designed." PONEMON INSTITUTE
      • "One of the hottest products at RSA…" NETWORK WORLD – FEBRUARY 2013
      • "Adding the Security Module... to this otherwise fine suite of services, Co3 has done better than a home-run...it has knocked one out of the park." SC MAGAZINE
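As an added illustration of the artifact types on slides 14 and 15 and the auto-correlation on slide 13 (example code written for this page, not Co3's or iSIGHT's): a Python correlator that normalises defanged artifacts (hxxp://, [.]) and matches hashes, IPs, DNS names and URL hosts against a constructed intel feed. The feed values, family names and actor names are placeholders, not real indicators.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample feed: placeholder values, not real indicators. Each record
# carries context (family, actor), which is the point of intel rather than raw data.
INTEL_FEED = [
    {"type": "sha256", "value": "a" * 64, "family": "ExampleBot", "actor": "example-group"},
    {"type": "md5", "value": "b" * 32, "family": "ExampleBot", "actor": "example-group"},
    {"type": "dns", "value": "payload.example.invalid", "family": "ExampleBot", "actor": "example-group"},
    {"type": "ip", "value": "203.0.113.7", "family": "OtherLoader", "actor": "unattributed"},
]
HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}  # hex length -> hash type

def refang(value):
    """Undo common defanging (hxxp://, [.]) so artifacts and feed values compare equal."""
    value = re.sub(r"^hxxp(s?)://", r"http\1://", value.strip(), flags=re.IGNORECASE)
    return value.replace("[.]", ".")

def classify(value):
    """Infer the artifact type from its shape: hash, IP address, URL, else DNS name."""
    v = refang(value)
    if len(v) in HASH_TYPES and re.fullmatch(r"[0-9a-fA-F]+", v):
        return HASH_TYPES[len(v)], v.lower()
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if re.match(r"[a-z][a-z0-9+.-]*://", v, re.IGNORECASE):
        return "url", v
    return "dns", v.lower().rstrip(".")

def correlate(artifacts, feed=INTEL_FEED):
    """Match each incident artifact against the feed. A URL is also matched on its
    host, so a defanged exploitation-vector URL still hits a DNS or IP indicator."""
    index = {(r["type"], r["value"].lower()): r for r in feed}
    hits = []
    for raw in artifacts:
        keys = [classify(raw)]
        if keys[0][0] == "url":
            host = urlsplit(keys[0][1]).hostname
            if host:
                keys.append(classify(host))
        for key in keys:
            rec = index.get(key)
            if rec:
                hits.append({"artifact": raw, "type": key[0], "matched": key[1],
                             "family": rec["family"], "actor": rec["actor"]})
    return hits
```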