Threat Intelligence - Routes to a Proactive Capability

A presentation originally from 2007 on how organisations could look to build a threat intelligence capability.

Published in: Technology, Business

  1. Threat Intelligence – Routes to a Proactive Capability
     Ollie Whitehouse, Architect, Advanced Threat Research
     22nd November, 2007
  2. Agenda
     1 Introduction
     2 Intelligence Sources
     3 Some Examples
     4 Discussion
     Symantec Advanced Threat Research – Threat Intelligence – Routes to a Proactive Capability
  3. Introduction
     Symantec Advanced Threat Research – Symantec and Cellular Security
  4. Introduction – The Presentation
     • Original purpose of this presentation
       – An open discussion between A Client and Symantec
         • About the types of intelligence sources A Client could leverage
         • How these could be used to gain insight into threats
       – Presentation of a number of ideas on how to achieve this
       – Designed to be interactive
         • Brainstorming, guidance, questions, answers all welcome…
     • What this presentation is NOT
       – A presentation on productized technology available from Symantec
     • Goal of a well-developed intelligence program
       – Gain visibility ahead of time
       – Predict likely targets
       – Detect stealthy attacks or attack precursors
  5. Introduction – The Presentation
     • Problem statement guidance
       – Existing threat intelligence data is reactive
         • Patch Tuesday etc.
       – A Client wants to develop more of a proactive capability
         • How to gain visibility before the attack
           – Technology threat intelligence
           – Aggressor threat intelligence
         • How to detect attacks for which there is no signature
     • Additional guidance already given
       – This will not focus on web-based applications
       – This will look at infrastructure and standard client-based threats
  6. Intelligence Sources
  7. Intelligence Sources
     • So what does A Client have access to?
       – A lot!
       – However, deciding what to process will be difficult
       – Actual processing will present some unique challenges
       – Result: risk/effort versus reward will come into play
     • Caveat: you may be analyzing some of these already
     • What follows is a relatively high-level overview
       – Designed to capture the key sources
       – Does not cover in detail all the methods of analysis
  8. Intelligence Sources (diagram slide; no text extracted)
  9. Intelligence Sources
     • A couple of key observations
       – Gaining insight into where/how an attack will happen ahead of time is hard
         • Unlike fraud, attackers aren’t going to hang out on publicly accessible channels discussing their targets/methods
         • Monitoring for sentiment is going to throw up false positives (annoyed customers etc.)
         • Attacks which hit you fall into two categories: mass exploitation and targeted
           – Mass exploitation: some indication ahead of time
           – Targeted: little to no indication ahead of time
       – However, detecting the early stages of an attack is far easier
       – Detecting an in-progress attack is even easier
       – So some discussion around the key objectives will need to be had
  10. Couple of Examples
  11. Binary File Format Exploitation – PDF
      • Goal
        – Process PDFs at the mail server/AV/spam layer to identify suspicious files potentially trying to exploit a vulnerability
      • Approach
        – Does it comply with the file format?
          • Does your AV/spam solution successfully parse it?
          • Can you automate the opening of all PDF files in a sandbox to detect crashes and/or suspicious behavior?
        – What does it contain?
          • Is it a re-work of a press release issued by you, a competitor, a regulator or a publicly listed company?
          • Do shellcode heuristics trigger?
        – What produced it?
          • There is a surprising amount of metadata in PDFs which could be used to influence the risk profile of the file.
  12. Binary File Format Exploitation – PDF (diagram slide; no text extracted)
  13. Binary File Format Exploitation – JAR
      • Goal
        – Log accesses made to JARs via A Client web proxies
        – Isolate those of interest and analyze off-line to detect targeted attacks
      • Approach
        – Has it changed?
          • If you generate hashes for the JARs accessed over time, you’ll be able to spot changes
        – Is it signed?
          • Is the archive signed by a trusted company?
        – Does it comply with the file format?
          • Does your AV/spam solution successfully parse it?
          • Can you automate the opening of all JAR files in a sandbox, using multiple JVMs, to detect crashes and/or suspicious behavior?
  14. The Generic E-Mail Attack
      • Goal
        – Detect the generic targeted e-mail attachment-borne attack
      • Lots of things to look at
        – Is the source IP actually assigned to the company it’s claimed to be from?
        – If you’ve received e-mail from that organization before, did the e-mail originate from the same source?
        – Does the message header contain character set information which indicates it originated from a non-friendly or suspicious country?
        – Have you seen e-mails from that person to that person before?
        – Does the message content contain public information re-worked?
        – Does the attachment contain public information re-worked?
  15. Pro-Active Strategies for Attachments
      • Goal
        – How do we identify the next zero-day that would work against our organization?
          • We utilize some of the pre-filtering already discussed
          • Then we have a copy of our geographic or departmental standard builds inside a couple of virtualized environments*
          • We then pass a selection of received e-mails/attacks through
          • We also regularly visit a selection of web sites commonly visited by the entire organization or specific departments
          • We also visit a sample of URLs sent into the organization (e-mail/IM etc.)
          • All to monitor for any unexpected behavior
  16. Other Things to Consider
      • All of the strategies I’ve discussed work because we know the modi operandi of certain classes of attacker
      • However, there are a number of other approaches we can consider to spot attacker evolution
        – Trending
          • We’ve seen attackers go after images (JPG/PNG/TIFF), Office (DOC/XLS/PPT), web containers (JAR) and others (WMF, PDF, ZIP) for binary format exploitation
          • It doesn’t take a rocket scientist to realize this isn’t going to stop while it’s so successful
          • So which applications do you run which haven’t been targeted (either proprietary, niche or common)? Why don’t you go after them aggressively, find the vulnerabilities, and develop mitigations and/or detections ahead of time?
  17. Open Discussion
  18. Thank You!
      Ollie Whitehouse
      ollie_whitehouse@symantec.com
      http://www.symantec.com/
      Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
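The PDF triage slide (slide 11) asks three questions of every inbound PDF: does it conform to the format, what does it contain, and what produced it. The following is an added worked example of that triage at a mail gateway; it is not code from the deck or from Symantec. The producer baseline (`KNOWN_PRODUCERS`), the list of action-triggering names (`ACTIVE_CONTENT_NAMES`) and both sample PDFs are constructed assumptions to be tuned per organisation.

```python
# Added example (not from the deck): conformance, content and metadata triage
# for one PDF before it is released or handed to a sandbox.
import re

# Constructed baseline: /Producer strings seen in documents the organisation
# itself generates. Anything else lowers confidence rather than proving malice.
KNOWN_PRODUCERS = {"Acrobat Distiller 8.0", "Microsoft Office Word"}

# PDF names that cause something to run or open automatically. Their presence
# is a reason to sandbox the file, not a verdict (assumed starting list).
ACTIVE_CONTENT_NAMES = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch")


def structurally_valid(data: bytes) -> bool:
    """Cheap conformance check: version header, cross-reference and trailer
    keywords, and an end-of-file marker near the end of the stream."""
    return (
        data.startswith(b"%PDF-1.")
        and b"xref" in data
        and b"trailer" in data
        and b"%%EOF" in data[-1024:]
    )


def info_metadata(data: bytes) -> dict:
    """Pull string-valued entries from the document information dictionary.
    Handles only literal '(...)' strings without nested parentheses."""
    meta = {}
    for key in ("Producer", "Creator", "Author", "CreationDate"):
        match = re.search(rb"/" + key.encode() + rb"\s*\(([^()]*)\)", data)
        if match:
            meta[key] = match.group(1).decode("latin-1")
    return meta


def triage_pdf(data: bytes) -> dict:
    """Return extracted metadata, the reasons for suspicion and a sandbox
    decision for one PDF."""
    reasons = []
    if not structurally_valid(data):
        reasons.append("does not conform to basic PDF structure")
    meta = info_metadata(data)
    producer = meta.get("Producer")
    if producer is None:
        reasons.append("no /Producer metadata")
    elif producer not in KNOWN_PRODUCERS:
        reasons.append(f"unfamiliar producer: {producer}")
    hits = [name.decode() for name in ACTIVE_CONTENT_NAMES if name in data]
    if hits:
        reasons.append("active content: " + ", ".join(hits))
    return {"metadata": meta, "reasons": reasons, "sandbox": bool(reasons)}


# Constructed fixtures: a minimal well-formed PDF with the expected producer,
# and a truncated one with no producer and an open-action hook.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Producer (Acrobat Distiller 8.0) /Creator (Microsoft Office Word) >> endobj\n"
    b"xref\n0 4\n0000000000 65535 f \n"
    b"trailer << /Size 4 /Root 1 0 R /Info 3 0 R >>\nstartxref\n0\n%%EOF\n"
)
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
    b"2 0 obj << /S /JavaScript /JS (placeholder) >> endobj\n"
    b"trailer << /Root 1 0 R >>\n"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage_pdf(sample))
```

The checks are deliberately cheap so they can run inline at the gateway; anything they flag goes to the sandbox step the deck describes rather than being blocked outright, since an unfamiliar producer string on its own is a weak signal.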
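The JAR slide (slide 13) proposes hashing archives fetched through the proxy so that a silently replaced JAR stands out, checking whether the archive carries a signature, and checking that it parses. The following is an added example of that loop; it is not code from the deck or from Symantec. The URL, the in-memory baseline store and the `build_jar` fixture builder are constructed assumptions, and `is_signed` only checks that a signature is present, not that the signer is trusted.

```python
# Added example (not from the deck): "has it changed / is it signed / does
# it parse" triage over JARs captured from proxy logs.
import hashlib
import io
import zipfile


def build_jar(entries: dict, signed: bool = False) -> bytes:
    """Construct a toy JAR in memory as a test fixture (not a real applet)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        if signed:
            # A signed JAR carries a signature file (.SF) and a signature block
            # (.RSA/.DSA/.EC) under META-INF; the block here is a placeholder.
            zf.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/VENDOR.RSA", b"placeholder-signature-block")
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


def parses_cleanly(data: bytes) -> bool:
    """Does the archive open, pass the zip CRC check, and contain no entry
    name that escapes the archive root?"""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:
                return False
            return not any(n.startswith("/") or ".." in n for n in zf.namelist())
    except zipfile.BadZipFile:
        return False


def is_signed(data: bytes) -> bool:
    """Signature *present* (an .SF paired with a signature block). Verifying
    the certificate chain against trusted signers is a separate step."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = {n.upper() for n in zf.namelist() if n.upper().startswith("META-INF/")}
    has_sf = any(n.endswith(".SF") for n in names)
    has_block = any(n.endswith((".RSA", ".DSA", ".EC")) for n in names)
    return has_sf and has_block


class JarTracker:
    """Tracks the last hash seen per URL so a replaced JAR stands out."""

    def __init__(self):
        self.last_seen = {}  # url -> sha256 hex digest (would be persisted in practice)

    def assess(self, url: str, data: bytes) -> dict:
        digest = hashlib.sha256(data).hexdigest()
        reasons = []
        previous = self.last_seen.get(url)
        if previous is not None and previous != digest:
            reasons.append("content changed since last fetch")
        self.last_seen[url] = digest
        if not parses_cleanly(data):
            reasons.append("archive does not parse cleanly")
        elif not is_signed(data):
            reasons.append("unsigned archive")
        return {"sha256": digest, "reasons": reasons, "analyze_offline": bool(reasons)}


# Constructed fixtures: a signed first version, an unsigned replacement served
# later from the same URL, and a truncated download.
JAR_URL = "http://applets.example/app.jar"
JAR_V1 = build_jar({"com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x31"}, signed=True)
JAR_V2 = build_jar({"com/example/App.class": b"\xca\xfe\xba\xbe\x00\x00\x00\x32"})
JAR_TRUNCATED = JAR_V1[: len(JAR_V1) // 2]

if __name__ == "__main__":
    tracker = JarTracker()
    for data in (JAR_V1, JAR_V2, JAR_TRUNCATED):
        print(tracker.assess(JAR_URL, data))
```

Run in order, the second fetch is flagged for both a changed hash and a missing signature, and the truncated one for failing to parse; those are the archives that would be pulled aside for the off-line, multi-JVM sandboxing the slide suggests.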
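The generic e-mail attack slide (slide 14) lists header-level questions: is the connecting IP one the claimed sender organisation has used before, has this sender written to this recipient before, and does the declared character set fit. The following is an added example answering those three questions against constructed baselines; it is not code from the deck or from Symantec. `KNOWN_SENDER_NETS`, `KNOWN_PAIRS`, `UNUSUAL_CHARSETS` and both sample messages are assumptions standing in for what a gateway would accumulate from its own logs, and the example uses only the first `Received:` line, the one your own border MTA stamped, because earlier hops can be forged by the sender.

```python
# Added example (not from the deck): header heuristics for attachment-borne
# mail, evaluated offline against constructed baselines.
import ipaddress
import re
from email import message_from_string
from email.header import decode_header
from email.utils import parseaddr

# Constructed baseline: networks each partner domain has sent from before.
KNOWN_SENDER_NETS = {"partner.example": [ipaddress.ip_network("192.0.2.0/24")]}
# Constructed baseline: (sender, recipient) pairs with prior correspondence.
KNOWN_PAIRS = {("alice@partner.example", "bob@client.example")}
# Character sets the organisation rarely exchanges legitimate mail in
# (assumption: tune to your own traffic; this is a locality signal only).
UNUSUAL_CHARSETS = {"koi8-r", "gb2312", "big5", "iso-2022-jp"}

BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def connecting_ip(msg):
    """IP from the first Received: line, stamped by your own border MTA."""
    received = msg.get_all("Received", [])
    match = BRACKETED_IP.search(received[0]) if received else None
    return ipaddress.ip_address(match.group(1)) if match else None


def charsets_used(msg):
    """Character sets declared on the subject and on every MIME part."""
    found = set()
    for _, charset in decode_header(msg.get("Subject", "")):
        if charset:
            found.add(charset.lower())
    for part in msg.walk():
        charset = part.get_content_charset()
        if charset:
            found.add(charset.lower())
    return found


def assess(raw: str) -> dict:
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    domain = sender.rsplit("@", 1)[-1]
    reasons = []

    ip = connecting_ip(msg)
    nets = KNOWN_SENDER_NETS.get(domain, [])
    if ip is None or not any(ip in net for net in nets):
        reasons.append(f"{ip} not among networks previously seen for {domain}")
    if (sender, recipient) not in KNOWN_PAIRS:
        reasons.append(f"no prior mail from {sender} to {recipient}")
    odd = charsets_used(msg) & UNUSUAL_CHARSETS
    if odd:
        reasons.append("unusual character set: " + ", ".join(sorted(odd)))

    attachments = [p.get_filename() for p in msg.walk() if p.get_filename()]
    return {
        "attachments": attachments,
        "reasons": reasons,
        # An attachment plus any anomaly: hold for the sandbox pass (slide 15).
        "hold_for_analysis": bool(attachments) and bool(reasons),
    }


# Constructed messages; addresses use reserved example domains and
# documentation IP ranges.
BENIGN_MAIL = "\n".join([
    "Received: from mail.partner.example ([192.0.2.25]) by gw.client.example;",
    " Thu, 22 Nov 2007 09:00:00 +0000",
    "From: Alice <alice@partner.example>",
    "To: bob@client.example",
    "Subject: Q4 figures",
    'Content-Type: text/plain; charset="us-ascii"',
    "",
    "Figures as discussed, no attachment this time.",
])
SUSPICIOUS_MAIL = "\n".join([
    "Received: from mail.partner.example ([203.0.113.9]) by gw.client.example;",
    " Thu, 22 Nov 2007 09:05:00 +0000",
    "From: Alice <alice@partner.example>",
    "To: carol@client.example",
    "Subject: =?koi8-r?B?UmVwb3J0?=",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    'Content-Type: text/plain; charset="us-ascii"',
    "",
    "Please see the attached report.",
    "--b1",
    'Content-Type: application/pdf; name="report.pdf"',
    'Content-Disposition: attachment; filename="report.pdf"',
    "Content-Transfer-Encoding: base64",
    "",
    "JVBERi0xLjQK",
    "--b1--",
])

if __name__ == "__main__":
    print(assess(BENIGN_MAIL))
    print(assess(SUSPICIOUS_MAIL))
```

None of the three signals is conclusive on its own (a partner changing mail providers trips the first, a new hire the second), which is why the decision here is to hold for analysis rather than reject, and why the slide pairs these checks with the content re-work questions it lists afterwards.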
