Information Security Intelligence

Primer on Information Security Intelligence by a Cybertrust consultant

  1. Information Security Intelligence. Maarten Van Horenbeeck, Security Consultant
  2. Content
     • Information Security Intelligence: basic concepts; changing threat landscape; security intelligence
     • Intelligence methodology: direction, collection, processing, dissemination
     • The Intelligence Organization
     • Metrics and effectiveness
     • Automation of intelligence processes
     • Conclusion: what to take home
     ©2007 Cybertrust. All rights reserved.
  3. Section 1: Basic concepts of security and information. Robust systems and incident response
  4. Basic concepts of security
     Robust systems: information security professionals strive to build robust systems that are reliable, fail in predictable ways and resist attack. Also known as the Ross Anderson school of thought, the main undertone of his book ‘Security Engineering’.
     Time-based security: in reality, systems still fail, so we introduce controls that make successful attacks more difficult, increasing the time between attack and compromise. This time allows for detection and incident response. Coined by Winn Schwartau in his book ‘Time Based Security’.
  5. Basic concept of information
     • Data: unordered events, facts or figures.
     • Information: collected facts and data on a subject; ordered data.
     • Knowledge: awareness or possession of information, facts, truths and principles.
     • Wisdom: the knowledge and experience required to make sensible decisions and judgments.
     • Intelligence: the required input for getting to wisdom in a structured manner, and the process of establishing this input.
  6. Section 2: Changing threat landscape. From defacement to fraud
  7. Virus and malware evolution. Computer viruses used to pose an availability threat to end-user data. In 1991, Tequila infected local executable files and spread through infected floppies.
  8. Virus and malware evolution
     • Change in methodology: malicious code is now spread through compromised websites.
     • Change in target: this same code now gathers authentication credentials for internet banking sites or online games.
  9. Format rendering vulnerabilities
     Vulnerabilities in network-exposed services have always been popular exploitation targets. Our response has been to minimize the attack surface by disabling services where they are not necessary. The increased popularity of fuzzers has now exposed a new class of vulnerabilities:
     • Attacking indirectly by exploiting vulnerabilities in file format parsers such as Microsoft Office and the Ichitaro word processor;
     • Recently used in targeted attacks against organizations: UK Government institutions (2005), US Department of State (2006).
  10. Just last week
     Organizations are being targeted with e-mails from a valid ‘business partner’ carrying an RTF attachment.
     • RTF (Rich Text Format) is a text format, but it can contain OLE embedded objects, such as executables;
     • Many anti-virus solutions scan the RTF file itself but do not unpack the embedded object;
     • Issue first identified in 2005, re-identified in 2007.
     Many risks:
     • What if you are the ‘business partner’?
     • Is your team aware of these types of attacks, and is there a plan for how to respond to them?
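A defender-side check for the RTF problem described on this slide, added here as an example and not part of the original presentation or of any Cybertrust tooling: it decodes the hex payload of each `\objdata` group and looks for signatures that a scanner stopping at the RTF layer would miss. The sample RTF, the OLE1-style header bytes and the triage policy (flag any `Package` object or any payload containing an MZ stub) are constructed assumptions for the example.

```python
import binascii
import re

# RTF embeds OLE objects as {\object ...{\*\objclass Name}{\*\objdata <hex>}}; the hex blob is the
# serialized object. This check decodes each blob and looks for coarse signatures that a scanner
# stopping at the RTF text layer would never see. Heuristic only: a triage signal, not a verdict.
OBJCLASS_RE = re.compile(r"\\objclass\s*([A-Za-z0-9_.]+)")
OBJDATA_RE = re.compile(r"\\objdata\b([^}]*)")

OLE_CF_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file (e.g. an embedded Office document)
MZ_MAGIC = b"MZ"                                   # DOS/PE executable stub


def extract_objects(rtf_text: str) -> list:
    """One record per \\objdata block: nearest \\objclass, decoded size and signature hits."""
    findings = []
    for match in OBJDATA_RE.finditer(rtf_text):
        hex_blob = re.sub(r"[^0-9A-Fa-f]", "", match.group(1))  # drop whitespace and line breaks
        if len(hex_blob) % 2:
            hex_blob = hex_blob[:-1]  # tolerate a stray trailing nibble instead of aborting
        payload = binascii.unhexlify(hex_blob)
        classes = OBJCLASS_RE.findall(rtf_text[: match.start()])  # last \objclass before this blob
        findings.append(
            {
                "objclass": classes[-1] if classes else None,
                "size": len(payload),
                "ole_compound": OLE_CF_MAGIC in payload,
                "executable_stub": MZ_MAGIC in payload,
            }
        )
    return findings


def is_suspicious(rtf_text: str) -> bool:
    """Triage policy (an assumption of this example): flag any Package object or any MZ stub."""
    for finding in extract_objects(rtf_text):
        if finding["executable_stub"] or (finding["objclass"] or "").lower() == "package":
            return True
    return False


def scan_file(path: str) -> bool:
    """Read an RTF from disk as text (RTF is 7-bit ASCII by design) and apply the triage policy."""
    with open(path, "r", encoding="latin-1", errors="ignore") as fh:
        return is_suspicious(fh.read())


# Constructed samples. The payload mimics an OLE1 "Package" header followed by an MZ stub;
# it is not a real executable and nothing here runs it.
_PAYLOAD = (
    b"\x01\x05\x00\x00" + b"\x02\x00\x00\x00" + b"\x08\x00\x00\x00" + b"Package\x00"
    + b"\x00" * 8 + b"MZ\x90\x00" + b"\x00" * 16
)
SAMPLE_WITH_OBJECT = (
    "{\\rtf1\\ansi Quarterly figures attached.\\par "
    "{\\object\\objemb{\\*\\objclass Package}{\\*\\objdata " + _PAYLOAD.hex() + "}}}"
)
SAMPLE_PLAIN = "{\\rtf1\\ansi Quarterly figures attached.\\par}"

if __name__ == "__main__":
    for name, doc in (("with_object", SAMPLE_WITH_OBJECT), ("plain", SAMPLE_PLAIN)):
        print(name, is_suspicious(doc), extract_objects(doc))
```

It is a coarse signal: an `MZ` substring can occur in benign binary data, and a fuller embedded-object parser would also walk the OLE1 header to recover the original filename. The point of the example is the gap the slide names: the decision has to be made on the decoded object, not on the RTF wrapper.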
  11. Conclusion
     A much more complex threat environment has drastically increased the scope of ‘residual risk’. Do we fully understand these and other emerging threats or threat facilitators? Did we see them coming, or did we merely ‘respond’? How can our information security program deal with these events more proactively, saving resources?
  12. Section 4: Security Intelligence. Understanding and mitigating threats
  13. Security Intelligence
     As a product, intelligence is information that has the ability to reduce uncertainty in decision-making. Intelligence is also the process of gathering, evaluating, correlating and interpreting information, and disseminating it to decision makers. Everyone in the organization performs the intelligence role, but it is only rarely formalized.
  14. The Intelligence Cycle (diagram): Direction and Planning → Collection → Processing → Dissemination
  15. Direction
     Security intelligence is gathered in response to management requirements. Such requirements can originate with business management as well as with information security management. The intelligence process is generally started by defining:
     Key Intelligence Topics
     • Threats to our information assets;
     • Threats to our reputation.
     Key Intelligence Questions
     • “To what degree are incidents reported that could be instigated by our competitors?”
     • “There has been an increase in the number of successful security incidents. Are we missing a trend, or not seeing the wider picture?”
  16. Direction: current intelligence
     Aims to provide up-to-date intelligence to enable day-to-day intelligent decision-making: new vulnerabilities; exploits being released; important new talks at security conferences.
     Aims to answer: Should we patch? Should we install new software?
  17. Direction: warning intelligence
     Warning intelligence prepares the organization for new and emerging threats, and serves as input to the risk management processes already in place.
     • Warning intelligence monitors trends over a longer period of time and identifies emerging threats;
     • Aims to prevent being ‘surprised’: the WMF file format vulnerability in 2005; targeted attacks in 2005-2007.
  18. Collection targets
     Intelligence exists both internally and externally.
     “If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not your enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” - Sun Tzu
     Internal sources
     - Intrusion Detection Systems
     - Security Event Manager
     - Individual logs
     - Personnel
  19. Collection targets
     External sources
     - Vendors: Microsoft, Verisign and Symantec each publish security intelligence reports; iDefense, Secunia, IBM and Cisco sell security intelligence information
     - Sharing of information: FS-ISAC, Water ISAC, IT ISAC, Electricity Sector ISAC
     - NSP and threat-related mailing lists
     - SANS Internet Storm Center
     - Law enforcement contacts
  20. Collection sources
     Closed sources
     - Some information is not publicly available and is someone else’s intellectual property;
     - Usually neither ethical nor lawful to access, but it may be shared with the organization while remaining closed to others.
     Grey sources
     - Sources that have a significant barrier to entry (e.g. the cost of accessing a database) while being open to everyone who is interested.
     Open sources
     - Information that is generally available to everyone;
     - May not be on the internet, or may not be in English.
  21. Technical collection
  22. Processing: collation
     When received, information needs to be ordered based on a characteristic of interest to the process. This may be:
     • Time of occurrence of certain events;
     • Region of occurrence;
     • Size of business impact.
  23. Processing: evaluation
     Evaluate information before accepting it. Is the information:
     • Accurate;
     • Complete;
     • Timely;
     • Potentially fabricated?
     We also try to establish for what purpose the information was provided to us. Is there any way it can be verified using existing information (information triangulation)?
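The collation and evaluation steps on the two slides above, as an added example that is not from the presentation: a few constructed reports from internal and external sources are grouped by region, ranked by business impact, and each is checked for completeness, timeliness and corroboration by a second independent source (the triangulation question). The report format, the 48-hour window for ‘timely’ and the accept-or-verify rule are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("source", "observed", "received", "region", "impact", "claim")
TIMELY_WINDOW = timedelta(hours=48)  # assumption: what "timely" means for current intelligence

# Constructed sample reports: what a small team might find in its inbox on one morning.
# 'observed' is when the event happened, 'received' when the report reached us.
REPORTS = [
    {"source": "ids", "observed": "2007-03-05T08:10", "received": "2007-03-05T08:12",
     "region": "EU", "impact": 3, "claim": "brute-force-vpn"},
    {"source": "sem", "observed": "2007-03-05T08:11", "received": "2007-03-05T08:30",
     "region": "EU", "impact": 3, "claim": "brute-force-vpn"},
    {"source": "vendor-bulletin", "observed": "2007-03-01T00:00", "received": "2007-03-01T09:00",
     "region": "GLOBAL", "impact": 5, "claim": "rtf-ole-campaign"},
    {"source": "isac-list", "observed": "2007-03-04T17:45", "received": "2007-03-05T07:00",
     "region": "US", "impact": 4, "claim": "rtf-ole-campaign"},
    {"source": "helpdesk", "observed": "2007-03-05T09:00", "received": "2007-03-05T09:05",
     "region": "US", "impact": None, "claim": "slow-fileserver"},  # impact not yet estimated
]
NOW = datetime(2007, 3, 5, 10, 0)


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def collate_by(reports, key):
    """Collation: group on one characteristic (region, source, ...) and order each group by time of occurrence."""
    groups = defaultdict(list)
    for report in reports:
        groups[report.get(key)].append(report)
    for group in groups.values():
        group.sort(key=lambda r: _parse(r["observed"]))
    return dict(groups)


def rank_by_impact(reports):
    """Collation by size of business impact, highest first; reports without an estimate go last."""
    return sorted(reports, key=lambda r: (r.get("impact") is None, -(r.get("impact") or 0)))


def triangulate(reports):
    """Number of distinct sources making each claim: the basis for corroboration."""
    sources = defaultdict(set)
    for report in reports:
        sources[report["claim"]].add(report["source"])
    return {claim: len(srcs) for claim, srcs in sources.items()}


def evaluate(report, all_reports, now):
    """Evaluation: is the report complete, timely, and corroborated by a second source?
    Returns the flags plus a decision: accept, or hold for verification (assumed rule)."""
    complete = all(report.get(f) not in (None, "") for f in REQUIRED_FIELDS)
    timely = bool(report.get("received")) and (now - _parse(report["received"])) <= TIMELY_WINDOW
    corroborated = triangulate(all_reports).get(report.get("claim"), 0) >= 2
    decision = "accept" if complete and corroborated else "verify"
    return {"complete": complete, "timely": timely, "corroborated": corroborated, "decision": decision}


if __name__ == "__main__":
    for region, group in collate_by(REPORTS, "region").items():
        print(region, [r["source"] for r in group])
    print("by impact:", [r["source"] for r in rank_by_impact(REPORTS)])
    for report in REPORTS:
        print(report["source"], evaluate(report, REPORTS, NOW))
```

Two things the run makes visible: the vendor bulletin is corroborated by the ISAC list but is no longer timely, which is why timeliness is reported as a flag rather than folded into the decision, and the helpdesk ticket cannot be accepted because its impact is still unknown and nobody else has reported it.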
  24. Processing: synthesis/analysis
     The analysis phase consists of two subsets:
     Synthesis: a model is generated of the threat at hand or of the intelligence question. This model is a systems-centered replica of the question at hand, including all its inputs, outputs, processes and algorithms. Models can be physical or conceptual.
     Analysis: extracting knowledge from a model by:
     • changing an input parameter and monitoring the model’s output;
     • identifying and studying forces that have an impact on any parameter, and measuring their impact on the final output.
  25. Processing: synthesis
     Generic models: timelines, maps, process models.
     Sample applied models: Broken Windows Model; Field Anomaly Relaxation; threat assessment models; Ballistic Threat Model.
     Some models are better placed to function in warning analysis, others are ideal for current analysis.
  26. Processing: integration
     Integrate information within existing frameworks:
     • Dominant use of databases;
     • Web 2.0 technology for specific purposes: a wiki for collaboration on topics; blogs for inter-group communication of ‘prime time’ issues; forums for generic Q&A; social networking for locating subject matter experts.
  27. Processing: interpretation
     Information is interpreted by:
     - Formulating hypotheses;
     - Testing hypotheses.
     When a hypothesis is not supported by most of the information, or is proved unreasonable by even a single item of trusted information, it is considered false and new hypotheses need to be generated.
     Unfortunately, cognitive limitations apply: information that has personal influence is likely to be ranked higher than impersonal, but perhaps more important, data (your ex-department’s assets at risk?); most people believe other cultures and other organizations think and act in similar ways as they do.
  28. Processing: interpretation
     Methodology to reduce the impact of bias: Analysis of Competing Hypotheses
     • Prepare a matrix of hypotheses against evidence;
     • Refine this matrix by deleting evidence with little diagnostic value;
     • Draw preliminary conclusions on likelihood, attempting to disprove hypotheses;
     • Analyze the sensitivity of the conclusion to the individual items of evidence;
     • Report conclusions, including the relative likelihood of all hypotheses;
     • Identify milestones for future observation.
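The Analysis of Competing Hypotheses steps above, worked in code as an added example (not from the presentation or from PARC's tool): a small constructed matrix of three hypotheses against five evidence items is pruned of non-diagnostic evidence, scored by counting the items inconsistent with each hypothesis, and then stress-tested by removing each evidence item in turn to see which items the conclusion depends on. The hypotheses and evidence are invented for illustration, built around the slide 15 question about a rise in successful incidents; the C/I/N rating convention follows the ACH matrix.

```python
# Ratings follow the ACH matrix convention: for each evidence item and hypothesis,
# "C" = consistent, "I" = inconsistent, "N" = neutral / no bearing.
# Hypotheses and evidence below are constructed for illustration only.
HYPOTHESES = {
    "H1": "A targeted campaign is aimed at this organization",
    "H2": "Opportunistic malware noise is up across the internet",
    "H3": "Attacks are unchanged; improved detection surfaces more of them",
}

EVIDENCE = {
    "E1": ("Malicious attachments name internal project codewords", {"H1": "C", "H2": "I", "H3": "N"}),
    "E2": ("ISAC peers report the same malware family this month",  {"H1": "N", "H2": "C", "H3": "N"}),
    "E3": ("New IDS signatures were deployed four weeks ago",        {"H1": "N", "H2": "N", "H3": "C"}),
    "E4": ("Incidents cluster on finance staff mailboxes",          {"H1": "C", "H2": "I", "H3": "I"}),
    "E5": ("Attacks arrive during local business hours",            {"H1": "C", "H2": "C", "H3": "C"}),
}


def is_diagnostic(ratings):
    """Evidence that rates every hypothesis the same cannot tell them apart."""
    return len(set(ratings.values())) > 1


def prune(evidence):
    """Refine the matrix: drop evidence with no diagnostic value."""
    return {eid: item for eid, item in evidence.items() if is_diagnostic(item[1])}


def inconsistency_scores(evidence):
    """ACH scores a hypothesis by how much evidence contradicts it; fewest inconsistencies is preferred."""
    scores = {h: 0 for h in HYPOTHESES}
    for _desc, ratings in evidence.values():
        for h, rating in ratings.items():
            if rating == "I":
                scores[h] += 1
    return scores


def rank(evidence):
    """Hypotheses ordered from least to most contradicted (ties broken by id for determinism)."""
    scores = inconsistency_scores(evidence)
    return sorted(scores, key=lambda h: (scores[h], h))


def sensitivity(evidence):
    """Remove each evidence item in turn; an item is load-bearing when the leading hypothesis
    changes or is no longer the unique leader without it."""
    leader = rank(evidence)[0]
    load_bearing = []
    for eid in evidence:
        reduced = {k: v for k, v in evidence.items() if k != eid}
        scores = inconsistency_scores(reduced)
        ordered = rank(reduced)
        tie_at_top = scores[ordered[0]] == scores[ordered[1]]
        if ordered[0] != leader or tie_at_top:
            load_bearing.append(eid)
    return load_bearing


def report(evidence):
    """Dissemination-ready summary: the relative standing of every hypothesis, not just the winner."""
    scores = inconsistency_scores(evidence)
    lines = [f"{h}: {HYPOTHESES[h]} ({scores[h]} inconsistent item(s))" for h in rank(evidence)]
    lines.append("Conclusion hinges on: " + (", ".join(sensitivity(evidence)) or "no single item"))
    return lines


if __name__ == "__main__":
    matrix = prune(EVIDENCE)
    print("dropped as non-diagnostic:", sorted(set(EVIDENCE) - set(matrix)))
    for line in report(matrix):
        print(line)
```

The run shows why the sensitivity step matters: H1 leads on the full matrix, but the lead rests entirely on E4 (the clustering on finance staff); without it, H1 and H3 tie, so E4 is exactly the kind of item that deserves a verification milestone before the conclusion is reported.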
  29. Processing: interpretation
  30. Processing: interpretation
     Decision-making support tool by PARC
     • As with all intelligence analysis, merely a supportive measure: it doesn’t make decisions for you;
     • Formalizes the process and forces the analyst to employ competing hypotheses;
     • Instills trust in the recipient of intelligence information;
     • Free of charge at:
  31. Dissemination
     Perhaps the most important phase of the intelligence process.
     Making decisions should be separated from the intelligence gathering process; however, this may not always be possible. In smaller organizations, intelligence gathering may be performed by operational teams, which may then make decisions themselves.
     Presentation of evidence may impact decisions: the representation of numbers; risk expressed as low, medium or “slam dunk”; the cost of collection often inflates the perceived importance of the information.
     Sample deliverables: threat reports; statistical information.
  32. Section 5: The Intelligence Organization. Real-life implementation
  33. Intelligence as a CERT function
     CERT teams often also carry a partial intelligence function: they track vendor bulletins and re-issue those that may affect the organization, and CERTs have defined matrix-team liaisons across the organization.
     Advantages
     • Usually an existing, skilled team;
     • Awareness of threats can be used in incident response;
     • Makes the CERT realize the value of maintaining a good inventory of security incidents;
     • Greater visibility of the CERT to management.
     Disadvantages
     • Less appropriate for warning analysis;
     • The intelligence function may suffer during high-incident timeframes.
  34. Intelligence as a research group
     A specific research team is assigned to perform ongoing intelligence efforts. It usually delivers input to the risk analysis process, or supports it as mediator and subject matter expert.
     Advantages
     • Dedicated team;
     • Team members can be selected more accurately;
     • The intelligence function remains independent from decision makers.
     Disadvantages
     • Less visibility of, and experience with, company assets than a CERT.
  35. A quote: “Intelligence is best done by a minimum number of men and women of the greatest possible ability” - R. V. Jones, UK military intelligence expert (1911-1997)
  36. Section 6: Metrics. Measuring effectiveness
  37. Measuring intelligence results
     Security intelligence is primarily a support function to risk management. It enables: better measurement in support of risk management; better measurement of risk management efforts; some measurement of the intelligence product.
     Some examples:
     • Measuring the threat level against the organization: how many of the vulnerability exploitations observed against the network were not actively translated into a worm, but had a high complexity of exploitation according to the NVD?
     • Of all new threats that required change management, how many was the team informed of well in advance?
  38. Section 7: Automation. Automating the intelligence process
  39. Automating intelligence
     Most software currently available is aimed at:
     Intelligence/law enforcement clients
     • Uses industry-developed checklists and data-mining tools;
     • Allows interaction with various closed databases, but mainly collaboration tools;
     • Inxight, Interquest, ...
     Competitive intelligence
     • Market research, competitor analysis, internet discussion tracking;
     • Digimind, Factiva, Trellian, Attentio, ...
     Information security threat management (event management)
     • Automates the collection process by crawling open, grey and closed databases;
     • Stores key concepts and makes them searchable;
     • Some apply automated translation.
  40. Automating intelligence
     In 2004, the RAND Institute published a major study on the automation of intelligence structures.
     • Introduces ASAP: Atypical Signal and Analysis Processing Schema
       • Interceptor agents: test data and gather information;
       • Detection agents: filter the dots for events matching and violating criteria;
       • Agents to identify relationships and sweep back using these for further information;
       • Hypothesis agents: create and test hypotheses;
       • Prioritize hypotheses and forward them to analysts for manual review.
     • Also introduces a framework for short-term implementation:
       • Use the Delphi technique to obtain expert opinion on the ‘status quo’ of monitored threats;
       • Define ‘items of note’ that may impact the expression of these threats;
       • Design systems to monitor these ‘items of note’;
       • Establish virtual communities amongst experts to track these items, and use modelling for forecasting.
     • Future tools will most likely be based on similar frameworks.
  41. Section 8: Conclusion. What to take home today
  42. Intelligence
     It is:
     • A support tool that enables better risk management;
     • A formalized way of dealing with ‘current’ and ‘warning’ research questions and forecasting;
     • Collection that occurs both within the organization (know yourself) and outside the organization (know thy enemy).
     It is not:
     • Something you purchase in itself, though it can consist of purchased ‘current’ intelligence combined with in-house research;
     • Yet fully standardized: many concepts, ideas and models linger, but many are only published in journals.
  43. Combine strengths
     Vendors are best placed to:
     • Provide information (‘intelligence’) on what is happening on the internet and in the business, and who is likely to be targeted;
     • Provide detail on current incidents and attacks;
     • Help with the definition of relevant models.
     Organizations themselves should:
     • Consider the use of intelligence concepts in their research and risk management processes;
     • Better understand their own networks, systems and people;
     • Make use of public information where available to enable better decision making.
  44. Any questions? Tel. +32 (016) 28 73 92