
Losing battles, winning wars


When it comes to intrusions and breaches, most security teams take a short-game view: they treat events as discrete and individual and focus their efforts on short-term goals. While not universally detrimental, this view does harm the overall security of an organization in the "long game". Additionally, "active defense" has been hopelessly confused by marketing hype, even though its meaning is powerful for security's operational goals.
This talk focuses on how enterprise security defenders can adjust their mindset, refocus, and beat adversaries by leveraging active defense over the long game. The basis of this talk is the extensive research done in support of the threat intelligence solution blueprint, a comprehensive guide to understanding, architecting, operationalizing and maturing a threat intelligence program.

Published in: Technology

Losing battles, winning wars

  1. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved. Losing Battles, Winning Wars. Frustrating adversaries using threat intelligence
  2. AGENDA
     • 1st – Background and perspective
     • 2nd – Understanding "winning" and "losing"
     • 3rd – Playing the defensive long game
  3. Background
     • This is knowledge based on research
     • Leading practices from world-class (and not-so-world-class) security organizations
     • Drawing from industry experts, leading minds
     • YMMV, this is not a silver bullet (and there are no werewolves)
     • Trident Research Methodology
     • 60+ enterprise adopters
     • 30+ leading industry experts
     • 60+ solution providers
  4. UNDERSTANDING WINNING AND LOSING
  5. Are we winning yet?
  6. Have you beaten an adversary today?
  7. How would you know?
  8. We've been thinking about this wrong.
  9. What does it mean to "lose"?
  10. Any guesses?
  11. If you've been hacked, is that losing?
  12. The bar is set unrealistically high.
  13. As defenders – 3 key questions
  14. Do you control the situation?
  15. If no, you're losing.
  16. Have critical assets been exfiltrated?
  17. If yes, you're losing.
  18. Is the situation recoverable?
  19. If no, you've lost.
  20. For perspective –
  21. Malware on your systems. Distributed Denial of Service (DDoS). Website defacement.
  22. versus
  23. Stolen trade secret(s).
  24. Defenders must understand the difference.
  25. As attackers – 1 key question.
  26. Have you achieved your objective?
  27. If no, you haven't won.
  28. (slide has no text)
  29. With this new focus we shift the game
  30. From short-game (discrete incident)
  31. To long-game (campaign → objectives)
  32. PLAYING THE DEFENSIVE LONG GAME
  33. Fundamentals – live it, love it.
  34. Asset / Classification / Configuration / Change
  35. Know. Your. Battlefield.
  36. "Home ice advantage."
  37. Defending the unknown is unpossible.
  38. Actively map your protected space.
  39. Collect data, build baselines.
  40. Get some threat intelligence goodness.
  41. (slide has no text)
  42. Intelligently incorporate externalities.
  43. More data is not necessarily good.
  44. 10,000 bad IP addresses.
  45. and?
  46. Where will you put this data?
  47. What will you do with this new data?
  48. Much harder question.
  49. Your security tools are killing you.
  50. How many alerts do you receive… per day?
  51. Typically 10x your capacity to respond.
  52. Average: 24-32 alerts / 8-hr shift (realistic)
  53. Receive → Triage → Decision
  54. You will drown chasing "incidents".
  55. STOP and FOCUS
  56. What threats are relevant?
  57. Malware. Malware. Adversary. Malware.
  58. 3 types of threats.
  59. Keys to differentiating threat types:
     • Targeting – whether the victim is one of opportunity, or specifically tasked (individually, by industry, or in another manner)
     • Persistence – whether the intent is a long-term embedded or short-term infiltration; generally speaking to a level of stealth and extent of infiltration

     Category     Targeting   Persistence   Example
     Generic      no          no            ransomware
     Targeted     yes         no            credential thief
     Persistent   yes         yes           embedded RAT
  60. Why does this matter?
  61. Vastly different responses.
  62. Generic: "Kill it with fire." Tier 1 automated response.
  63. Destroy or re-image. Move on.
  64. Near-zero human time expended.
  65. Targeted: Focused, tier 2 response.
  66. Contain. Analyze. Destroy.
  67. Minimal human time expended.
  68. Persistent: Focused, tier 3 response.
  69. Contain. Analyze. Remove. Recover.
  70. Necessary human time expended.
  71. How do you tell the difference?
  72. Your threat intelligence works here.
  73. Atomic indicators need c o n t e x t .
  74. The goal: intelligent prioritization.
  75. Opportunistic malware vs. adversary.
  76. Feeding an intelligence process loop.
  77. [Diagram: the threat intelligence process loop. Core processes: strategy, acquisition, triage, execution, distribution, development, collaboration, enrichment, governance, feedback, measurement. Phases: initialize, refinement (finishing), secondary development.]
  78. Start with (external) indicators.
  79. [Process-loop diagram from slide 77, repeated.]
  80. Enrich with context (internal & external).
  81. [Process-loop diagram from slide 77, repeated.]
  82. Distribute and execute.
  83. [Process-loop diagram from slide 77, repeated.]
  84. Which type of response does it warrant?
  85. Tier 1 → 3 response type.
  86. Can you learn from the incident? Can you improve from the incident?
  87. Now let's figure out how to win.
  88. Goal 1: Raise the cost for the adversary.
  89. Goal 2: Frustrate the adversary.
  90. Goal 3: Keep them from achieving their objective.
  91. An adversary will be persistent.
  92. Malware won't care.
  93. Tie atomic indicators → adversary
  94. Disrupt efforts to achieve the objective.
  95. Repeat as necessary.
  96. This is winning.
  97. Releasing our research at RSA Conf. Comprehensive program guidance on threat intelligence as a program.
  98. Want it?
  99. 1125 17th Street, Suite 1700, Denver, CO 80202. 800.574.0896. SolutionsResearch@accuvant.com. www.accuvant.com
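The deck leaves the mechanics implicit: how an indicator feed plus internal context becomes "intelligent prioritization" rather than a pile of alerts. The script below is an added worked example, not code from the Accuvant deck or its research; it pulls together the triage flow (slides 50-53), the targeting/persistence categorization (slide 59), the three response tiers (slides 62-70), the indicator → context → response loop (slides 78-85), and tying atomic indicators to an adversary (slide 93). Everything in it is constructed: the feed entries, the hosts and sightings, the asset classifications, the placeholder actor names, the organization's sector, and the thresholds that count as "persistent" (three sightings over at least an hour). The deck's table has no row for persistence without targeting; the code escalates that case to tier 2 as a stated assumption.

```python
"""Added example (not from the deck): indicator-driven triage that turns
"10,000 bad IP addresses" into a prioritized response queue. Constructed data."""
from dataclasses import dataclass
from datetime import datetime, timedelta

OUR_SECTOR = "finance"  # assumption: the defended organization's industry

# Acquisition: external indicator feed (constructed). An atomic indicator
# alone is just an address; the adversary/sector attribution is the context.
FEED = {
    "198.51.100.23": {"type": "c2", "adversary": "ACTOR-PLACEHOLDER-1",
                      "sectors": ["finance"]},
    "203.0.113.77": {"type": "ransomware-dropper", "adversary": None,
                     "sectors": []},
    "192.0.2.140": {"type": "credential-harvester", "adversary": "ACTOR-PLACEHOLDER-2",
                    "sectors": ["finance", "energy"]},
}

# Internal context: asset classification (the "fundamentals" slide).
ASSETS = {"fin-db-01": "critical", "hr-ws-12": "standard", "kiosk-03": "low"}
CRITICALITY = {"critical": 3, "standard": 2, "low": 1}

# Sightings from internal telemetry (constructed): (timestamp, host, indicator).
T0 = datetime(2014, 2, 1, 8, 0)
SIGHTINGS = [
    (T0, "fin-db-01", "198.51.100.23"),
    (T0 + timedelta(hours=1), "fin-db-01", "198.51.100.23"),
    (T0 + timedelta(hours=2), "fin-db-01", "198.51.100.23"),
    (T0 + timedelta(minutes=5), "hr-ws-12", "192.0.2.140"),
    (T0 + timedelta(minutes=30), "kiosk-03", "203.0.113.77"),
]

# Response per category, as the deck lays it out (slides 62-70).
TIERS = {
    "generic": (1, "Destroy or re-image. Move on."),
    "targeted": (2, "Contain. Analyze. Destroy."),
    "persistent": (3, "Contain. Analyze. Remove. Recover."),
}

@dataclass
class Alert:
    host: str
    indicator: str
    count: int
    span: timedelta
    category: str
    tier: int
    action: str
    priority: int

def is_targeted(indicator):
    """Targeting signal: the indicator is tied to a named adversary whose known
    targeting includes our sector (slide 93: atomic indicator -> adversary)."""
    meta = FEED.get(indicator, {})
    return meta.get("adversary") is not None and OUR_SECTOR in meta.get("sectors", [])

def is_persistent(count, span, min_hits=3, min_span=timedelta(hours=1)):
    """Persistence signal (assumed thresholds): repeated contact from the same
    host spread over time, i.e. beaconing rather than a single hit."""
    return count >= min_hits and span >= min_span

def categorize(targeted, persistent):
    """Slide 59's table. The (no targeting, persistence) cell is absent from the
    deck; it is escalated to 'targeted' here as a conservative assumption."""
    if persistent:
        return "persistent" if targeted else "targeted"
    return "targeted" if targeted else "generic"

def build_queue(sightings, assets):
    """Enrich raw sightings into one alert per (host, indicator), categorize,
    and order by response tier, then by asset criticality."""
    grouped = {}
    for ts, host, ind in sightings:
        grouped.setdefault((host, ind), []).append(ts)
    queue = []
    for (host, ind), times in grouped.items():
        span = max(times) - min(times)
        cat = categorize(is_targeted(ind), is_persistent(len(times), span))
        tier, action = TIERS[cat]
        crit = CRITICALITY[assets.get(host, "low")]
        queue.append(Alert(host, ind, len(times), span, cat, tier, action,
                           priority=tier * 10 + crit))
    return sorted(queue, key=lambda a: a.priority, reverse=True)

def plan_shift(queue, capacity):
    """Receive -> Triage -> Decision. Tier 1 goes to automation (near-zero human
    time); only tier 2/3 alerts consume analysts, and only `capacity` of them fit
    in the shift. Whatever is left is explicitly deferred, not silently dropped."""
    automated = [a for a in queue if a.tier == 1]
    human = [a for a in queue if a.tier >= 2]  # already priority-ordered
    return {"automated": automated, "human": human[:capacity],
            "deferred": human[capacity:]}

if __name__ == "__main__":
    plan = plan_shift(build_queue(SIGHTINGS, ASSETS), capacity=1)
    for bucket, alerts in plan.items():
        for a in alerts:
            print(f"{bucket:9} tier {a.tier} {a.host:10} {a.indicator:15} {a.category:10} {a.action}")
```

With these inputs the repeated, attributed contacts from the critical database host land at the top as a tier 3 "Contain. Analyze. Remove. Recover." case, the single credential-harvester hit on a workstation is tier 2, and the unattributed ransomware dropper on the kiosk is handed straight to automation. The point of the `deferred` bucket is the deck's capacity argument: when the queue is 10x what the shift can handle, the decision about what waits should be made deliberately by priority, not by whatever arrived last.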