Mark Arena - Cyber Threat Intelligence #uisgcon9
  • Speaker notes
    • Talk about the Microsoft Fix it solution being a temporary workaround that requires a manual download to fix the issue.
    • Define cyber espionage as a motivation and go over the other motivations briefly (covered later)
  • Transcript

    • 1. Cyber Threat Intelligence: What is it and how can we collect and produce it? By Mark Arena. Menya zavut Mark ("My name is Mark"). Proprietary and Confidential Information – Copyright© 2013 – All Rights Reserved
    • 2. What is intelligence?
      • NOT James Bond (it would be cool though… wouldn't it?)
      • NOT secret data, espionage or spying
    • 3. Intelligence is…
      • Intelligence is taking what you have (data) and using your knowledge, skills and experience to characterize what is:
        – Fact
        – Probable/not probable
        in both the past and the future
      • Communicating the output of this process to the decision makers (the people who decide where the money gets spent) in your organization.
      • Some examples!
    • 4. FACT: Microsoft has reported a vulnerability in Internet Explorer that is currently being used in targeted attacks. PROBABILITY: It is likely that, now that Microsoft has released a Fix it solution, other attackers will attempt to discover the specifics of the vulnerability and create exploits for it.
    • 5. FACT: iDefense reported a vulnerability to Microsoft that an anonymous researcher found (i.e. it was not discovered being exploited in the wild by bad guys). PROBABILITY: Microsoft has released an update for Internet Explorer that fixes this and other vulnerabilities. It is not likely that attackers will attempt to exploit this vulnerability, given that an official new version of Internet Explorer has been released.
    • 6. What does this mean to us as IT security professionals?
      • I should focus my efforts on patching vulnerabilities that are being actively exploited in the wild.
      • What more information can I find about the first-mentioned Microsoft vulnerability?
    • 7. (image-only slide)
    • 8. What does this tell us?
      • CVE-2013-3893 was being used in targeted attacks against Japanese targets.
      • According to open source reports, the same hacker group behind these attacks was linked to previous attacks against the security company Bit9, which were used to target the US financial sector.
      • The hacker group is highly likely motivated by cyber espionage.
    • 9. So I'm a possible target, now what?
      • What data do you have access to in your organization that could tell you whether or not you have been compromised by this group?
      • What data should you proactively collect to be able to see whether or not you were a target?
    • 10. What do you need to do?
      • The ability to see, from both the network perspective and the endpoint (computer) perspective, what has happened in the past.
      • To be able to use this information proactively to identify abnormalities and act on them.
      • It's unlikely that, as a security professional, you'll be able to block everything malicious that happens in your organization, but you may be able to reduce the time it takes to detect an intrusion, thereby reducing the damage.
    • 11. Data collection
      • Passive DNS
        – Packet capture on port 53 to collect DNS requests and answers
        – Python script to mine DNS requests and answers from a PCAP: http://mmishou.wordpress.com/2010/04/13/passive-dnsmining-from-pcap-with-dpkt-python/
      • Netflow
      • HTTP GET/POST requests
      • Endpoint monitoring
        – http://www.immunityinc.com/products-eljefe.shtml
      • IDS sensors
      • Other logs
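A standard-library passive DNS extractor, added here as an example; it is not part of the original deck or of the dpkt script linked on the slide. It assumes the raw DNS payload has already been pulled out of the UDP/53 packets (the linked script does that part) and does the piece that matters for a passive DNS store: decoding the response wire format, compression pointers included, into (name, type, rdata, ttl) records. The response bytes, the example.org names and the 198.51.100.7 address are constructed for the example.

```python
"""Passive DNS: turn raw DNS response messages into (name, type, rdata, ttl) records.
Added example, standard library only. Assumes the DNS payload has already been
extracted from UDP/53 packets (the dpkt script linked on the slide does that part)."""
import ipaddress
import struct
from typing import Dict, List, Tuple

RR_TYPES = {1: "A", 2: "NS", 5: "CNAME", 12: "PTR", 15: "MX", 16: "TXT", 28: "AAAA"}
NAME_TYPES = {2, 5, 12}  # types whose RDATA is itself a (possibly compressed) name


def read_name(msg: bytes, offset: int, depth: int = 0) -> Tuple[str, int]:
    """Decode a domain name at `offset`, following RFC 1035 compression pointers.
    Returns (dotted name, offset just past the name in the original stream).
    Pointers must point backwards; with the depth limit that stops crafted loops."""
    if depth > 16:
        raise ValueError("compression pointer chain too deep")
    labels: List[str] = []
    while True:
        length = msg[offset]
        if length == 0:                        # root label ends the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:              # 2-byte compression pointer
            pointer = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            if pointer >= offset:
                raise ValueError("forward compression pointer")
            tail, _ = read_name(msg, pointer, depth + 1)
            labels.append(tail)
            offset += 2
            break
        if length > 63:
            raise ValueError("label too long")
        offset += 1
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(part for part in labels if part), offset


def parse_response(msg: bytes) -> List[Dict]:
    """One record per resource record in a response (answer, authority and additional)."""
    _id, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    if not flags & 0x8000:                     # QR bit clear: a query, nothing to record
        return []
    offset = 12
    for _ in range(qd):                        # skip the question section
        _, offset = read_name(msg, offset)
        offset += 4                            # QTYPE + QCLASS
    records = []
    for section in ["answer"] * an + ["authority"] * ns + ["additional"] * ar:
        name, offset = read_name(msg, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata_off, offset = offset, offset + rdlen
        if rtype == 1 and rdlen == 4:
            rdata = str(ipaddress.IPv4Address(msg[rdata_off:offset]))
        elif rtype == 28 and rdlen == 16:
            rdata = str(ipaddress.IPv6Address(msg[rdata_off:offset]))
        elif rtype in NAME_TYPES:
            rdata, _ = read_name(msg, rdata_off)
        else:
            rdata = msg[rdata_off:offset].hex()  # keep unknown types as hex rather than drop them
        records.append({"section": section, "name": name,
                        "type": RR_TYPES.get(rtype, f"TYPE{rtype}"), "ttl": ttl, "rdata": rdata})
    return records


def build_pdns_index(messages, index=None) -> Dict[Tuple[str, str, str], int]:
    """Fold many responses into a passive DNS table: (name, type, rdata) -> times seen."""
    index = {} if index is None else index
    for msg in messages:
        for rr in parse_response(msg):
            key = (rr["name"], rr["type"], rr["rdata"])
            index[key] = index.get(key, 0) + 1
    return index


# Constructed sample: response to "cdn.example.org A?" carrying a CNAME to edge.example.org
# (TTL 3600) and an A record 198.51.100.7 (TTL 300). Both answer owner names and the CNAME
# target use compression pointers, the part naive parsers get wrong.
SAMPLE_RESPONSE = bytes.fromhex(
    "1234 8180 0001 0002 0000 0000"                        # header: response, 1 question, 2 answers
    "03 63646e 07 6578616d706c65 03 6f7267 00 0001 0001"   # question: cdn.example.org A IN
    "c00c 0005 0001 00000e10 0007 04 65646765 c010"        # cdn.example.org CNAME edge.example.org
    "c02d 0001 0001 0000012c 0004 c6336407"                # edge.example.org A 198.51.100.7
)

if __name__ == "__main__":
    for rr in parse_response(SAMPLE_RESPONSE):
        print(f'{rr["name"]:20} {rr["type"]:6} ttl={rr["ttl"]:<6} {rr["rdata"]}')
```

Feed `build_pdns_index` every response pulled from the port 53 capture and the table it returns is the passive DNS view the slide is after: which names resolved to which addresses or aliases, and how often, so a domain later identified as hostile can be checked against what your own resolvers actually returned.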
    • 12. Data collection from the Internet
      • Google!
      • Maltego (great visual open source intelligence gathering tool)
      • VirusTotal
      • ThreatExpert
      • DomainTools
      • Did I mention Google?
    • 13. Data correlation
      • Try to get all of this collected data into a single point that you can monitor and query
      • I personally like to use Splunk
      • Logstash looks like an open source alternative to Splunk, although I haven't used it
    • 14. How do I understand what security threats are affecting my organization?
      • One of the biggest resources for understanding the type of threats your organization is facing is what has been blocked by anti-virus scanners, email filtering, etc.
      • Look at the blocked items and try to ascertain whether each one is linked to a cyber espionage, hacktivist or cyber crime group.
      • Understanding the attacker's motivation is key to deciding what measures you need to put in place to reduce the risk from that group
    • 15. Who are you protecting your organization against?
      • You are protecting your organization NOT from malware but from the bad guys using the malware, exploits etc.
      • Having an effective intelligence process will give you an understanding of how the bad guys operate!
    • 16. Know your enemy
      • Sun Tzu was a Chinese general, military strategist, and author of The Art of War, an immensely influential ancient Chinese book on military strategy (ref: Wikipedia)
      • "It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle."
    • 17. Attacker motivations
      • Cyber Espionage
        – Motivated to steal information such as executive communications, intellectual property (source code) etc.
        – Techniques include spear-phishing and watering-hole attacks on websites.
      • Cyber Crime
        – Motivated by money! Do whatever is needed to get more money and more victims.
        – Techniques include mass spamming and compromising websites to host exploit kits that exploit visitors
    • 18. Attacker motivations – 2
      • Hacktivism
        – Politically motivated
        – Techniques include 'doxing', website defacements and denial of service attacks.
    • 19. Final Thoughts
      • You are an IT security manager for a Ukrainian bank
      • Which of the following two pieces of information would you prefer to hear, and which one is intelligence?
      • Which would give you more insight into how the bad guy works and how to defend against them?
    • 20. Final Thoughts
      1. A competitor bank passed you a malware sample (MD5 5f4dcc3b5aa765d61d8327deb882cf99) that connects to ukrainebankingupdate.com over HTTP on port 80.
      2. In September 2013 a competitor bank in Ukraine was targeted by a group we call "Zed group". They typically:
        – Drop files named zed.exe on compromised systems
        – Target Ukrainian banks in order to create bank accounts to receive and process laundered money
        – Send targeted email to people involved in the creation of new accounts, with Microsoft Excel (.xls) attachments that contain exploits
        – The exploit used by the group is publicly known (CVE-2012-1847) and has already been patched by Microsoft. Based on the use of known and patched vulnerabilities, it is highly likely that this group does not possess new and unpatched Microsoft Excel exploits (0-days)
        – The malware the group uses contains a number of different user agent strings, but the group typically uses Afraid.org (free name server hosting) to host its command and control domain names.
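An added example, not from the deck, that makes the contrast on this slide concrete: item 1 is encoded as exact-match indicators (the hash and the domain), item 2 as checks on the group's tradecraft (zed.exe dropped, an .xls lure sent to new-accounts staff, a port 80 C2 domain whose nameservers sit at afraid.org), and both are run over the same handful of events. The workstation events, the second intrusion's hash and domain, and the nameserver table that stands in for a passive DNS or WHOIS lookup are all constructed; so is the two-match threshold for the verdict.

```python
"""Information vs intelligence: the same events scored against atomic IOCs (slide item 1)
and against the Zed group tradecraft profile (slide item 2). Added example; every event,
the second hash/domain and the nameserver table below are constructed, not observed data."""
import ntpath
from typing import Dict, List

# Item 1: indicators from one sample. Exact, cheap, and dead the moment the actor rotates.
ATOMIC_IOCS = {
    "md5": {"5f4dcc3b5aa765d61d8327deb882cf99"},
    "domain": {"ukrainebankingupdate.com"},
}

# Item 2: how the group operates. This encoding is the example's choice, not the slide's.
ZED_PROFILE = {
    "dropped_file": "zed.exe",
    "lure_extension": ".xls",
    "targeted_roles": {"new accounts", "account opening"},
    "c2_ns_suffix": ".afraid.org",  # free nameserver hosting the group uses for C2 domains
}

# Stand-in for a passive DNS / WHOIS lookup of each domain's nameservers (constructed).
NS_RECORDS = {
    "ukrainebankingupdate.com": ["ns1.afraid.org", "ns2.afraid.org"],
    "forms-ua-bank.example": ["ns3.afraid.org", "ns4.afraid.org"],  # hypothetical second C2
    "www.example.org": ["a.iana-servers.net", "b.iana-servers.net"],
}

# Constructed endpoint, proxy and mail-gateway events from three hosts, one flat schema.
EVENTS = [
    # wks-0142: the sample the competitor bank shared.
    {"host": "wks-0142", "type": "file_create",
     "path": r"C:\Users\o.k\AppData\Local\Temp\zed.exe", "md5": "5f4dcc3b5aa765d61d8327deb882cf99"},
    {"host": "wks-0142", "type": "http", "dst_domain": "ukrainebankingupdate.com", "dst_port": 80},
    # wks-0377: new build, new hash, new domain, same tradecraft.
    {"host": "wks-0377", "type": "email", "recipient_role": "new accounts", "attachment": "Account_Form.xls"},
    {"host": "wks-0377", "type": "file_create",
     "path": r"C:\ProgramData\zed.exe", "md5": "9e107d9d372bb6826bd81d3542a419d6"},
    {"host": "wks-0377", "type": "http", "dst_domain": "forms-ua-bank.example", "dst_port": 80},
    # wks-0901: ordinary browsing.
    {"host": "wks-0901", "type": "http", "dst_domain": "www.example.org", "dst_port": 443},
]


def atomic_hits(event: Dict) -> List[str]:
    """Exact matches against the single-sample indicators."""
    hits = []
    if event.get("md5") in ATOMIC_IOCS["md5"]:
        hits.append("known_md5")
    if event.get("dst_domain") in ATOMIC_IOCS["domain"]:
        hits.append("known_c2_domain")
    return hits


def profile_hits(event: Dict, ns_records: Dict[str, List[str]]) -> List[str]:
    """Matches against the group's tradecraft; these survive hash and domain rotation."""
    hits = []
    if (event["type"] == "file_create"
            and ntpath.basename(event["path"]).lower() == ZED_PROFILE["dropped_file"]):
        hits.append("dropped_zed_exe")
    if (event["type"] == "email"
            and event["attachment"].lower().endswith(ZED_PROFILE["lure_extension"])
            and event.get("recipient_role", "").lower() in ZED_PROFILE["targeted_roles"]):
        hits.append("xls_lure_to_account_staff")
    if event["type"] == "http" and event["dst_port"] == 80:
        nameservers = ns_records.get(event["dst_domain"], [])
        if any(ns.lower().endswith(ZED_PROFILE["c2_ns_suffix"]) for ns in nameservers):
            hits.append("c2_domain_on_afraid_org_ns")
    return hits


def triage(events: List[Dict], ns_records: Dict[str, List[str]]) -> Dict[str, Dict]:
    """Per-host summary: which view (IOC or TTP) would have caught it, plus a verdict."""
    summary: Dict[str, Dict] = {}
    for ev in events:
        entry = summary.setdefault(ev["host"], {"ioc": [], "ttp": []})
        entry["ioc"].extend(atomic_hits(ev))
        entry["ttp"].extend(profile_hits(ev, ns_records))
    for entry in summary.values():
        if entry["ioc"]:
            entry["verdict"] = "known_sample"
        elif len(entry["ttp"]) >= 2:  # two independent tradecraft matches before escalating
            entry["verdict"] = "probable_zed_group"
        elif entry["ttp"]:
            entry["verdict"] = "weak_signal"
        else:
            entry["verdict"] = "no_match"
    return summary


if __name__ == "__main__":
    for host, entry in triage(EVENTS, NS_RECORDS).items():
        print(host, entry["verdict"], "ioc=", entry["ioc"], "ttp=", entry["ttp"])
```

The first host is caught either way. The second host never touches the shared hash or domain, so the item 1 indicators say nothing about it, while the item 2 profile flags the lure, the dropped file name and the C2 hosting pattern independently; that is the difference between information and intelligence the slide is asking about, and it is also why the collection points from slide 11 (endpoint file events, HTTP requests, passive DNS for the nameserver check) have to be in one queryable place.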
    • 21. (image-only slide)
    • 22. Discussion and questions
      • What is your organization targeted with, and by whom?
