What Happens Before the Kill Chain

A presentation by Dan Hubbard, CTO of OpenDNS, and Rick Holland, Principal Analyst at Forrester, Inc.

  1. CONFIDENTIAL. What Happens Before the Kill Chain. Dan Hubbard, CTO, OpenDNS; Rick Holland, Principal Analyst, Forrester
  2. Speakers: Dan Hubbard, CTO, OpenDNS; Rick Holland, Principal Analyst, Forrester
  3. © 2015 Forrester Research, Inc. Reproduction Prohibited. Agenda: › The cyber kill chain › Targeted Attack Hierarchy of Needs › Making prevention work (@rickhholland)
  4. STRESS
  5. Time to discover is pathetic
  6. 205 days to discover
  7. Adversaries are on shopping sprees
  8. With no time limits
  9. New incident response metric: Mean Time Before CEO Apologizes
  10. We need bright ideas
  11. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains (Hutchins, Cloppert and Amin, Lockheed Martin, 2011)
  12. Agenda: › The cyber kill chain › Targeted Attack Hierarchy of Needs › Making prevention work
  13. Targeted attack hierarchy of needs. Source: May 15, 2014, “Introducing Forrester's Targeted-Attack Hierarchy Of Needs, Part 1 Of 2” Forrester report
  14. (no text)
  15. Why should we give up on prevention?
  16. Why should you settle for detection and response?
  17. Can you imagine incident volume without prevention?
  18. Prevention is dead? Be suspicious:
      › Be wary of anyone claiming that prevention is dead
      › Especially if all they sell are detection tools or services
      › You should lead with prevention and fall back to detection and response
  19. Agenda: › The cyber kill chain › Targeted Attack Hierarchy of Needs › Making prevention work
  20. Don’t wait for reconnaissance. Kill chain phases: Reconnaissance › Weaponization › Delivery › Exploitation › Installation › Command & Control › Actions on Objectives. Source: http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster
  21. Napoleon: “An army marches on its stomach”
  22. Attacks against your org rely upon infrastructure
  23. Block enemy infrastructure
      › The best way to get time to containment down is to reduce the overall number of security incidents
      › Free up your limited resources to focus more on detection and response
      › You can disrupt the adversary by blocking its ability to target you
      › The military puts the kill in the kill chain; leave hack-back to the government
  24. The Diamond Model of Intrusion Analysis. Source: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf
  25. Infrastructure that the adversary could reuse
      › Domain names
      › IP addresses
      › Command and control structure
      › Internet service providers
      › Domain registrars
      › Web-mail providers
  26. Lenny Zeltser: Report Template for Threat Intelligence and Incident Response. Source: https://zeltser.com/cyber-threat-intel-and-ir-report-template/
  27. Domain registration OPSEC fail
      › Careful observation of DNS registrant contact information history has revealed an OPSEC failure by the attackers in one instance.
      › For a brief period (possibly before the server was operational), WHOIS privacy was inactive, pointing at a real identity of the registrant.
      › This e-mail address leads to social media accounts that show public and clear affinity with Lebanese political activism.
  28. (no text)
  29. Forrester definition: predictive analytics › “Software and/or hardware solutions that allow firms to discover, evaluate, optimize, and deploy predictive models by analyzing big data sources to improve business performance or mitigate risk.”
  30. Predictive security analytics
      › Uses big data analysis techniques to anticipate future attacker activity based on historical activity
      › Leverages machine learning, statistical analysis, and visualization
      › Unless you have data science skills, navigating vendor marketing can be challenging
      › Ask vendors to provide use cases
  31. (no text)
  32. OpenDNS Research: Applied Research › Thought Leadership › Response › Customer / Prospect Engagements
  33. Our perspective: a diverse set of data and global Internet visibility › Requests per day: 70B › Countries: 160+ › Daily active users: 65M › Enterprise customers: 10K
  34. Our view of the Internet: providing visibility into global Internet activity (e.g. BGP, AS, DNS)
  35. How it works: Ingest millions of data points per second › Apply statistical models and human intelligence › Identify probable malicious sites
  36. How we develop our statistical models: Security Research Expertise › Data Mining › 3D Visualization
  37. Investigate: a single, correlated source of information. Types of threat information provided:
      › WHOIS record data
      › ASN attribution
      › IP geolocation
      › IP reputation scores
      › Domain reputation scores
      › Domain co-occurrences
      › Anomaly detection (DGAs, fast-flux networks (FFNs))
      › DNS request patterns / geographic distribution
      › Passive DNS database
  38. Predictive Intelligence: Inference › Knowledge › Learning, across Pre-Compromise › Compromise › Post-Compromise
  39. Predictive Intelligence: Inference › Knowledge › Learning, mapped onto the kill chain: Reconnaissance › Weaponization › Delivery › Exploitation › Installation › C & C › Actions & Objectives
  40. Before the Kill Chain: Plan › Build › Test / Iterate, ahead of Reconnaissance › Weaponization › Delivery
  41. Predictive Intelligence: Plan › Build › Test / Iterate. The attacker's own questions:
      • Where will we host the infrastructure?
      • How will it be fault tolerant?
      • What domain / IP / networks will I utilize?
      • How will the backend scale? Reporting? Uptime?
      • Private and public announcement and advertising?
      • Testing and iteration of the solution
  42. We see where attacks are staged
  43. Examples
  44. Malaysia Airlines DNS hijack, January 25, 2015
  45. Malicious ASN/IP identified: owned by Lizard Squad, who took down the PlayStation Network and Xbox Live in December 2014
  46. OpenDNS recognized the domain hijacking on Jan 25th and blocked the DNS request, and with it any subsequent attack
  47. WHOIS: BEDEP example
  48. WHOIS: Visualization of inferences
  49. WHOIS: Visualization of inferences (continued)
  50. WHOIS registration date after first seen!
  51. Anomaly detection: identify DGAs. Domain generation algorithms: a technique for generating malware domains on the fly, e.g. yfrscsddkkdl.com, qgmcgoqeasgommee.org, iyyxtyxdeypk.com, diiqngijkpop.ru. Two checks: Does the probability distribution of letters appear random? N-gram analysis: do letter pairings match normal language patterns?
  52. DGA example: Gameover. Min: May 30: Plan, Build, Test, Iterate
  53. Conclusion
      § Do not give up on prevention and shift *all* resources to detection
      § Analyze your security posture for predictive elements
      § Utilize hunting and analytic tools to increase security efficacy
      § Explore security analytics to identify and map attacker infrastructure before the kill chain
  54. Start a 14-day trial: signup.opendns.com/freetrial
  55. Questions?
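Slides 25 and 27 describe the pivot an analyst makes once one piece of adversary infrastructure is known: a shared registrant e-mail, hosting IP or name server links the other domains the same actor set up, and slide 50 flags domains whose WHOIS creation date postdates their first appearance in passive DNS. The following Python is an added example, not code from the deck or from OpenDNS; the WHOIS and passive-DNS records, the `.example` domains, the RFC 5737 addresses and the privacy-proxy address are all constructed. It also encodes the caveat slide 27 implies: a WHOIS privacy-proxy address is shared by thousands of unrelated registrants, so it (like a shared name server) is excluded from pivoting, and the registrant e-mail only becomes useful in the window when privacy was off.

```python
"""Pivot from one known-bad domain across shared infrastructure attributes.

Added example, not from the OpenDNS/Forrester deck. All records below are
constructed; nothing here performs a live WHOIS or passive-DNS lookup.
"""
from collections import defaultdict, deque
from datetime import date

PIVOT_KEYS = ("email", "ip", "ns")

# Values too widely shared to attribute to one actor. Pivoting on them links
# unrelated domains; the "WHOIS privacy inactive" moment on slide 27 is what
# made a registrant e-mail attributable at all.
NON_ATTRIBUTABLE = {
    "email": {"privacy@registrar.example"},
    "ns": {"ns3.shared.example"},
    "ip": set(),
}

# Constructed records: registrant e-mail, hosting IP, name server, WHOIS
# creation date, and first date the name was seen in passive DNS.
RECORDS = {
    # Seed: the domain confirmed as malicious during an incident.
    "seed-c2.example": dict(
        email="ops@mail.example", ip="203.0.113.10", ns="ns1.host.example",
        created=date(2015, 1, 5), first_seen=date(2015, 1, 7)),
    # Same registrant e-mail and name server as the seed.
    "update-svc.example": dict(
        email="ops@mail.example", ip="203.0.113.11", ns="ns1.host.example",
        created=date(2015, 1, 5), first_seen=date(2015, 1, 20)),
    # Privacy-protected WHOIS, but hosted on the same IP as update-svc;
    # also queried (first_seen) before its WHOIS creation date.
    "cdn-cache.example": dict(
        email="privacy@registrar.example", ip="203.0.113.11", ns="ns2.other.example",
        created=date(2015, 2, 1), first_seen=date(2015, 1, 15)),
    # Shares only the privacy proxy and a shared name server: no real link.
    "shop.example": dict(
        email="privacy@registrar.example", ip="198.51.100.9", ns="ns3.shared.example",
        created=date(2012, 6, 1), first_seen=date(2012, 6, 2)),
    # Unrelated.
    "news-portal.example": dict(
        email="webmaster@news.example", ip="198.51.100.5", ns="ns1.news.example",
        created=date(2010, 3, 3), first_seen=date(2010, 3, 4)),
}


def build_index(records):
    """Map (attribute, value) -> set of domains carrying it, skipping values
    that cannot be attributed to a single actor."""
    index = defaultdict(set)
    for domain, rec in records.items():
        for key in PIVOT_KEYS:
            if rec[key] not in NON_ATTRIBUTABLE[key]:
                index[(key, rec[key])].add(domain)
    return index


def pivot(seed, records, max_hops=2):
    """Breadth-first expansion from seed over shared attributes.

    Returns {domain: (hops, "attr=value" that linked it)}. Each extra hop is
    weaker evidence, so the caller bounds the depth."""
    index = build_index(records)
    found = {seed: (0, "seed")}
    queue = deque([seed])
    while queue:
        domain = queue.popleft()
        hops = found[domain][0]
        if hops >= max_hops:
            continue
        for key in PIVOT_KEYS:
            value = records[domain][key]
            for neighbour in sorted(index.get((key, value), ())):
                if neighbour not in found:
                    found[neighbour] = (hops + 1, f"{key}={value}")
                    queue.append(neighbour)
    return found


def registration_anomalies(records):
    """Slide 50: domains resolved (passive-DNS first_seen) before their WHOIS
    creation date. Either the name was dropped and re-registered, or clients
    were asking for it before anyone owned it; both deserve a manual look."""
    return sorted(d for d, r in records.items() if r["first_seen"] < r["created"])


if __name__ == "__main__":
    for domain, (hops, via) in sorted(pivot("seed-c2.example", RECORDS).items(),
                                      key=lambda kv: kv[1][0]):
        print(f"hop {hops}  {domain:22} via {via}")
    print("registration after first seen:", registration_anomalies(RECORDS))
```

`max_hops` is the knob that keeps a pivot from sprawling: the second hop here is a shared hosting IP, which on a busy hosting provider would itself need checking for how many unrelated tenants share it before it is treated as evidence.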

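Slide 51 poses the two lexical questions used to spot DGA domains: does the letter distribution look random, and do the letter pairings match normal language? The Python below is an added example, not OpenDNS code. It computes letter-distribution entropy and a bigram (2-gram) log-probability score against a benign baseline, then scores the four sample domains from the slide against lockheedmartin.com and threatconnect.com (domains from the deck's source URLs). The 45-label baseline, the threshold of -6.75 and the 8-character minimum are constructed for this example; a production baseline is built from millions of known-good labels and the threshold tuned on held-out data. Two things the slide does not say but a practitioner needs: letter entropy alone is a weak signal on labels this short (lockheedmartin has higher letter entropy than yfrscsddkkdl), and a short label such as zeltser.com gives too few bigrams to score, so it is left unjudged rather than flagged.

```python
"""Lexical DGA scoring for DNS labels: letter entropy plus a bigram model.

Added example, not from the OpenDNS/Forrester deck. BENIGN_LABELS is a
constructed 45-word baseline; DGA_THRESHOLD and MIN_LABEL_LEN were chosen
for it and must be re-tuned for any other baseline.
"""
import math
from collections import Counter

ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789-"

# Constructed benign baseline: brand names and ordinary English words.
BENIGN_LABELS = [
    "google", "facebook", "youtube", "wikipedia", "amazon", "twitter", "linkedin",
    "microsoft", "netflix", "reddit", "github", "stackoverflow", "apple", "instagram",
    "yahoo", "bing", "office", "outlook", "dropbox", "salesforce", "adobe", "cloudflare",
    "akamai", "mozilla", "ubuntu", "debian", "python", "oracle", "cisco", "forrester",
    "opendns", "weather", "protect", "partner", "action", "market", "shell", "chat",
    "rocket", "street", "slack", "video", "admin", "tennis", "match",
]


def sld(domain):
    """Second-level label: 'cyber.lockheedmartin.com' -> 'lockheedmartin'.
    Good enough for the gTLD samples on the slide; co.uk-style suffixes need a
    public suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    return "".join(c for c in label if c in ALPHABET)


def entropy(label):
    """Shannon entropy (bits/char) of the letter distribution. Slide question 1:
    'does the probability distribution of letters appear random?'"""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def build_bigram_model(labels):
    """Add-one smoothed log-probability of each adjacent letter pair, estimated
    from the benign labels. Unseen pairs get log(1 / total)."""
    counts = Counter(a + b for w in labels for a, b in zip(w, w[1:]))
    total = sum(counts.values()) + len(ALPHABET) ** 2
    return lambda pair: math.log((counts[pair] + 1) / total)


BENIGN_LOGP = build_bigram_model(BENIGN_LABELS)


def bigram_score(label, logp=BENIGN_LOGP):
    """Mean log-probability per bigram under the benign model. Slide question 2:
    'do letter pairings match normal language patterns?' Lower = less normal."""
    pairs = [a + b for a, b in zip(label, label[1:])]
    return sum(map(logp, pairs)) / len(pairs) if pairs else 0.0


# Under this baseline the benign test names score about -6.4 and the slide's
# four samples about -7.0 to -7.3; the threshold sits between them.
DGA_THRESHOLD = -6.75
# Fewer than 7 bigrams makes the mean too noisy to call; short labels need
# other evidence (NXDOMAIN volume, co-occurrence) rather than lexical scoring.
MIN_LABEL_LEN = 8


def is_dga_like(domain, threshold=DGA_THRESHOLD):
    label = sld(domain)
    if len(label) < MIN_LABEL_LEN:
        return False
    return bigram_score(label) < threshold


if __name__ == "__main__":
    for d in ["yfrscsddkkdl.com", "qgmcgoqeasgommee.org", "iyyxtyxdeypk.com",
              "diiqngijkpop.ru", "cyber.lockheedmartin.com", "threatconnect.com",
              "zeltser.com"]:
        lbl = sld(d)
        print(f"{d:26} entropy={entropy(lbl):.2f} bigram={bigram_score(lbl):.2f} "
              f"dga_like={is_dga_like(d)}")
```

The bigram model is the feature doing the work; entropy is reported because the slide asks for it, and comparing the two on the sample names shows why n-gram analysis is the second question the slide adds.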