Best Practices for Leveraging Security Threat Intelligence

The state of threat intelligence in the information security community is still very immature. Many organizations are still combating threats in a reactive manner, only learning what they're dealing with, well...when they're dealing with it. There is a wealth of information in the community, and many organizations have been gathering data about attackers and trends for years. How can we share that information, and what kinds of intelligence are most valuable? In this presentation, we'll start with a brief overview of AlienVault's Open Threat Exchange™ (OTX), and then we'll discuss attack trends and techniques seen in enterprise networks today, with supporting data from AlienVault OTX. We'll also take a look at some new models for collaboration and improving the state of threat intelligence going forward.

Published in: Technology
Transcript of "Best Practices for Leveraging Security Threat Intelligence"

1. Best Practices for Leveraging Security Threat Intelligence
   Dave Shackleford, Voodoo Security and SANS
   Russell Spitler, AlienVault
   © 2014 The SANS™ Institute - www.sans.org

2. What IS threat intelligence?
   • Threat intelligence is the set of data collected, assessed, and applied regarding:
     – Security threats
     – Threat actors
     – Exploits
     – Malware
     – Vulnerabilities
     – Compromise indicators

3. What Threat Intelligence ISN’T
   • Regarding data for threat intelligence:
     – Not just one type of data
     – Not just one source of data
     – Not just internal or external
   • Threat intelligence is also not one form of analysis or reporting
   • Threat intelligence can mean different things to different organizations
     – This is 100% OK.

4. Advanced Threats
   • Malware-based espionage staged by threat actors that
     – Aggressively pursue and compromise specific targets
     – Often leveraging social engineering
     – Maintain a persistent presence within the victim’s network
     – Escalate privilege and move laterally within the victim’s network
     – Extract sensitive information to locations under the attacker’s control

5. Today’s Attack Cycle
   1. Intelligence Gathering: Target individuals
   2. Point of Entry: Social Engineering and malware deployment
   3. C&C Communication
   4. Lateral Movement
   5. Asset/Data Discovery: What is important and/or sensitive?
   6. Data Exfiltration: Data sent outbound to systems under the attacker’s control
6. What’s This Leading To?
   Source: http://www.forrester.com/Five+Steps+To+Build+An+Effective+Threat+Intelligence+Capability/fulltext/-/E-RES83841

7. Why Threat Intelligence?
   • Attackers are innovating faster than we are
   • “Productization” of malware
     – Attack kits and “crimeware”
     – Reuse of malware and C2 protocols
     – Botnets for rent
   • Other organizations have likely seen similar attacks or variants
     – We can help each other share information to defend better

8. Adversary Analysis
   • Why develop adversary profiles?
     – Adversary profiles can provide clues as to attacks, targets, techniques commonly used
   • Adversary Types
     – Unsophisticated – “script kiddies”
     – Competitors
     – State-sponsored
     – Organized Crime
     – Insiders (can also be one of above)

9. What kinds of data can we share?
   • DNS entries that are or should be blacklisted
   • Countries of origin with specific reputation criteria
   • Types of events to look out for:
     – Application attacks
     – Ports and IP addresses
     – Specific types of malware detected
   • Vertical-specific likelihood
   • And more…

10. Intelligence can drive Investigations
   • Intelligence-driven investigations are based on the preservation of the relationships between the components of individual attacks so that they can be clustered as a campaign.
   • Investigative Components
     – Malware Analysis
     – Network Analysis
     – Underground Analysis
     – “Big Data” Analysis
11. How to Evaluate Threat Intel Services and Providers
   • The first key differentiator is data DIVERSITY:
     – Where does the data come from?
     – What type(s) of data do you get?
     – Do IOC artifacts come in one format (i.e. file hashes) or multiple?
     – What specifics are available (vertical/industry, geography, etc.)?

12. How to Evaluate Threat Intel Services and Providers
   • The second differentiator is data ANALYSIS:
     – What kind of analysis is performed?
     – Who does the analysis?
     – To what depth is analysis done – basic IOCs, or full traceback?
     – Is the data correlated with other information?

13. How to Evaluate Threat Intel Services and Providers
   • The third differentiator is data QUALITY:
     – Does the data go through a “QA” process?
     – Is data revisited/re-analyzed to ensure it is still accurate?
     – When are indicators “expired”?
     – What is the expiration strategy/lifecycle … on an ongoing basis?
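A minimal indicator lifecycle of the kind slide 13 asks a provider about, as an added Python example (not code from the slides, SANS or AlienVault). The validity period per indicator type, the indicator values and the sightings are all constructed for the example and are not any vendor's policy; the point it shows is that expiry runs from the most recent confirmation, a repeat sighting restarts the clock, and expired indicators are handed back for re-analysis rather than silently dropped.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed validity per indicator type, in days. Example values chosen for
# illustration, not a provider's expiration policy.
DEFAULT_TTL_DAYS = {"ip": 14, "domain": 30, "url": 7, "sha256": 365}


@dataclass
class Indicator:
    kind: str
    value: str
    source: str
    first_seen: datetime
    last_confirmed: datetime
    sightings: int = 1

    def expires_at(self) -> datetime:
        # The clock restarts from the latest confirmation, not from first sight.
        return self.last_confirmed + timedelta(days=DEFAULT_TTL_DAYS[self.kind])

    def is_active(self, now: datetime) -> bool:
        return now < self.expires_at()


class IndicatorStore:
    """Indicator set with explicit expiry and re-confirmation."""

    def __init__(self) -> None:
        self._items: dict[tuple[str, str], Indicator] = {}

    def add(self, kind: str, value: str, source: str, seen_at: datetime) -> Indicator:
        key = (kind, value)
        ind = self._items.get(key)
        if ind is None:
            ind = Indicator(kind, value, source, seen_at, seen_at)
            self._items[key] = ind
        else:
            # A repeat sighting counts as re-analysis confirming the indicator.
            ind.sightings += 1
            if seen_at > ind.last_confirmed:
                ind.last_confirmed = seen_at
        return ind

    def lookup(self, kind: str, value: str) -> Indicator | None:
        return self._items.get((kind, value))

    def active(self, now: datetime) -> list[Indicator]:
        return sorted((i for i in self._items.values() if i.is_active(now)),
                      key=lambda i: (i.kind, i.value))

    def expire(self, now: datetime) -> list[Indicator]:
        """Drop stale indicators and hand them back for review or re-analysis."""
        stale = [i for i in self._items.values() if not i.is_active(now)]
        for i in stale:
            del self._items[(i.kind, i.value)]
        return stale


def build_sample_store() -> tuple[IndicatorStore, datetime]:
    """Load a constructed feed (documentation-range address, example domains)."""
    now = datetime(2014, 6, 1, tzinfo=timezone.utc)

    def days_ago(n: int) -> datetime:
        return now - timedelta(days=n)

    store = IndicatorStore()
    store.add("ip", "203.0.113.45", "feed-a", days_ago(20))        # older than its 14-day TTL
    store.add("domain", "cnc.example.net", "feed-a", days_ago(20))  # within its 30-day TTL
    store.add("sha256", "a" * 64, "feed-b", days_ago(400))          # hash has aged out
    store.add("url", "http://cnc.example.net/gate.php", "feed-b", days_ago(3))
    store.add("ip", "203.0.113.45", "feed-c", days_ago(2))          # re-seen: TTL restarts
    return store, now


if __name__ == "__main__":
    store, now = build_sample_store()
    for ind in store.active(now):
        print(f"active  {ind.kind:7} {ind.value}  sightings={ind.sightings}  expires={ind.expires_at().date()}")
    for ind in store.expire(now):
        print(f"expired {ind.kind:7} {ind.value}  last confirmed {ind.last_confirmed.date()}")
```

The IP address is in the store twice in the sample feed: on its own the first sighting would already be stale, but the second sighting from another source re-confirms it, which is the behaviour the "is data revisited/re-analyzed" question on the slide is probing for.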
14. Example: Sinkhole Case
   • A known malware propagation platform communicating with a C&C server
   • This can fuel a sinkhole approach

15. Example: C&C Events
   • Active malware command and control communications

16. Example: File Download Activity
   • File download IOC: [screenshot not included in the transcript]

17. Example: Java File Download
   • Another malware download example, this time with a Java .jar file: [screenshot not included in the transcript]

18. AlienVault Open Threat Exchange
   Open Threat Exchange (OTX) is a framework to allow collaboration for enhanced threat assessment and response

19. Built into AlienVault USM & OSSIM
   • Diverse threat data
     – Unified Security Management
     – SIEM, IDS, VA, HIDS, Netflow in one product
   • Diverse install base
     – >12,000 installations
     – Open Source & Commercial
20-24. Automate Threat Sharing & Action (one diagram built up over five slides; the transcript text is the diagram's labels)
   Actors: Bad Guy; AlienVault USM or OSSIM Installation 1; AlienVault OTX; AlienVault USM or OSSIM Installation 2
   1. Observed Attack
   2. Anonymous Contribution
   3. Data Validation
   4. Distribute Threat Intelligence
   5. Identify Malicious Activity
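The five steps of the diagram walked through end to end, as an added Python example that is not AlienVault's or OTX's code: installation 1 records an event, strips its own identifying fields before contributing, the exchange validates the contribution, the surviving attacker-side indicators are distributed, and installation 2 matches them against its own logs. The event, the log lines, the field names and the validation rules are all constructed for the example; the slides do not show the real OTX contribution format or validation, so this goes beyond the diagram by spelling out what each step has to check.

```python
from __future__ import annotations

import ipaddress
import re

# Step 1: an attack as installation 1 might record it. Constructed sample;
# the field names are assumptions, not the USM/OSSIM event schema.
OBSERVED_EVENT = {
    "sensor": "usm-installation-1",
    "timestamp": "2014-05-20T14:03:11Z",
    "src_ip": "10.20.30.40",            # the victim host inside installation 1
    "victim_user": "jdoe",
    "dst_ip": "203.0.113.45",           # attacker-side address (RFC 5737 range)
    "dst_port": 443,
    "dst_host": "cnc.example.net",
    "signature": "Generic trojan C&C beacon",
}

# Fields that identify the contributor or its users and must never leave the site.
VICTIM_FIELDS = {"sensor", "src_ip", "victim_user"}

# Ranges that cannot be an attacker's public address. An explicit list is used
# because ipaddress.is_private would also reject the documentation range above.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def anonymize(event: dict) -> dict:
    """Step 2: keep only attacker-side fields for the anonymous contribution."""
    return {k: v for k, v in event.items() if k not in VICTIM_FIELDS}


def validate(contribution: dict) -> list[str]:
    """Step 3: reasons the exchange must reject the contribution (empty = accepted)."""
    errors = []
    leaked = VICTIM_FIELDS & set(contribution)
    if leaked:
        errors.append(f"victim data present: {sorted(leaked)}")
    for field in ("timestamp", "dst_ip", "dst_host", "signature"):
        if not contribution.get(field):
            errors.append(f"missing {field}")
    try:
        ip = ipaddress.ip_address(contribution.get("dst_ip", ""))
        if any(ip in net for net in NON_ROUTABLE):
            errors.append(f"non-routable dst_ip {ip}")
    except ValueError:
        errors.append("dst_ip is not an IP address")
    host = str(contribution.get("dst_host", "")).lower()
    if not HOSTNAME_RE.match(host):
        errors.append("dst_host is not a valid hostname")
    return errors


def to_indicators(contribution: dict) -> list[tuple[str, str]]:
    """Step 4: the indicators distributed to the other installations."""
    return [("ip", contribution["dst_ip"]), ("domain", contribution["dst_host"].lower())]


# Step 5: installation 2's own logs (constructed; a key=value line format is assumed).
INSTALL2_LOGS = [
    "2014-05-21T09:12:01Z dns client=10.7.7.12 qname=cnc.example.net type=A",
    "2014-05-21T09:12:02Z conn client=10.7.7.12 dst=203.0.113.45:443 proto=tcp",
    "2014-05-21T09:15:44Z dns client=10.7.7.30 qname=www.example.org type=A",
    "2014-05-21T09:16:10Z conn client=10.7.7.30 dst=198.51.100.7:80 proto=tcp",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def find_hits(log_lines: list[str], indicators: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Return (log line, matched value) for each local line that touches a shared indicator."""
    wanted = {value for _, value in indicators}
    hits = []
    for line in log_lines:
        for _, raw in KV_RE.findall(line):
            value = raw.rsplit(":", 1)[0].lower()  # strip a trailing :port
            if value in wanted:
                hits.append((line, value))
    return hits


def run_pipeline(event: dict = OBSERVED_EVENT, logs: list[str] = INSTALL2_LOGS):
    """Steps 1-5 in order; returns (rejection reasons, hits at installation 2)."""
    contribution = anonymize(event)
    problems = validate(contribution)
    if problems:
        return problems, []
    return [], find_hits(logs, to_indicators(contribution))


if __name__ == "__main__":
    problems, hits = run_pipeline()
    if problems:
        print("rejected:", problems)
    for line, value in hits:
        print(f"hit on {value}: {line}")
```

The validation step refuses a contribution that still carries victim-side fields, so a contributor that skips the anonymisation step is caught before anything is distributed; the same step drops indicators that point at RFC 1918 or other non-routable space, which would otherwise cause false alarms at every installation that receives them.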
25. Current OTX Participation
   • 17,000 Contributions per day
   • 140 Countries
   • 500k IP’s, URL’s, and Malware Samples analyzed daily

26. Attack Trends and Examples
   • Current Attack Trends include:
     – Stealth malware
     – HTTP/HTTPS C&C channels
     – Anti-forensics
     – New and varied DDoS tactics
     – Myriad Web app attacks
     – Client-side attacks with social engineering as the primary attack vector
   • How can we learn about these?

27. Conclusion
   • We’re all facing attacks, all the time
   • We have a lot of data – why not share it?
   • To advance the state of threat intelligence, we’ll need to collaborate and correlate data at a much larger scale
   • OTX is one effort to do just that

28. Questions? Follow-up?
   Q@SANS.ORG
   Thank You!