The document discusses improving computer network defense using intelligence-based approaches. It outlines three key components: leveraging threat intelligence, considering indicators of compromise, and optimizing and automating incident response. Threat intelligence can be gathered internally from security tools and externally from open sources. Monitoring systems and networks for indicators of compromise can help detect attacks earlier. Response processes can be made more efficient by automating data gathering and analysis to speed incident understanding and focus resources. The goal is more reliable and earlier detection of threats throughout the cyber attack lifecycle.

1. © 2014 Tier-3 Pty Ltd, All rights reserved 1 Intelligent Security. We deliver it.
Intelligence-based
Computer Network Defence
Piers Wilson
Tier-3 Huntsman® - Head of Product Management

2. © 2014 Tier-3 Pty Ltd, All rights reserved 2 Intelligent Security. We deliver it.
• Cyber attacks continue to
increase
• Even closed networks are
vulnerable
• Both External and Internal
attacks
• Increasing sophistication
• Every organisation is at risk
Setting the Scene

3. © 2014 Tier-3 Pty Ltd, All rights reserved 3 Intelligent Security. We deliver it.
The Cyber security “kill chain” concept
Cyber Kill Chain – sequential chain of events for successful attack
© Lockheed Martin
Increasing risk / cost to contain and remediate
Pre-Compromise Post-CompromiseCompromise

4. © 2014 Tier-3 Pty Ltd, All rights reserved 4 Intelligent Security. We deliver it.
Considering Attack Cycles
• Harvesting email addresses, conference
information, staff bios, Press coverage
Reconnaissance
• Coupling exploit with backdoor into a
deliverable payload
Weaponisation
• Getting the payload to the victim via email,
web drive-by, USB
Delivery
• Exploiting the vulnerability to execute codeExploitation
• Installing the malware/payload on the
system
Installation
• Establishing channel back to the attack
source
Command &
Control
• Undertaking the automatic and attacker-
driven activity desired
Actions on
Objectives
• “Thinking like an attacker”
• The likelihood of being caught & ROI ?
• What's the best way to test the attack method ?
• Enumeration of the organisation
• Identify valuable/vulnerable assets
• Establish how to get the information out
• Acceptance that defences may not be sufficient
and thus detection and diagnosis are key
• Rapid detection means less cost, more chance to mitigate,
better chance of recovery
• Dealing with both external and insider threats
• Need to consider the “indicators of compromise”
at each stage
• Anomalies detected
• Events on boundary egress points
• Critical documents / information silos
• System performance and health
• Activity levels, session lengths, traffic and flow patterns

5. © 2014 Tier-3 Pty Ltd, All rights reserved 5 Intelligent Security. We deliver it.
Leverage Threat Intelligence
Consider ‘Indicators of Compromise’
Optimise and Automate
Incident response
Agenda - Three Components

6. © 2014 Tier-3 Pty Ltd, All rights reserved 6 Intelligent Security. We deliver it.
Threat Intelligence
Integration of external
TI feeds for detection
AND analysis purposes
to aid efficient operations
Capture of static or
dynamic internal
information and
intelligence on threats
and risks
Operational incident detection
and analysis process generate
real-time, interpreted Threat
Intelligence
Automation and confidence in
alerting, detection and
escalation processes

7. © 2014 Tier-3 Pty Ltd, All rights reserved 7 Intelligent Security. We deliver it.
Internal & Contextual
• Import and cross-reference to (internal) state databases
• E.g. users of different types, physical/location status, risk levels, system sensitivities,
even self-created lists of systems that are the subject of incidents and investigations
• Recent use case was a list of users who are “under increased vigilance”
• Integration of vulnerability assessment tools
• Network capture to derive asset information, deduce port usage,
flow statistics in real time
• Provides understanding of likely vulnerability/threat
• Understanding of ongoing incidents and system statuses/risks
• Integrated information from specific security/capture solutions
• Active response to capture real-time alert data
• Camera images
• System configuration, process, network sessions, file system snapshot
Internal
Intelligence
Databases
Contextual
Vulnerability,
Incident and
Asset Data
Internal Security,
Malware and
Attack Context

8. © 2014 Tier-3 Pty Ltd, All rights reserved 8 Intelligent Security. We deliver it.
• Import of external data for use in detection, correlation and alerting
• Compromised sites, malicious URLs, phishing sources, IP reputations
• Ensure you “know what everyone else knows” – throughout the kill
chain (diagnosis and response)
• Open source and/or commercial feeds
• Mapping from IP address
to world location
• Make decisions
based on risk profiles or
known operational
locations
External Threat Intelligence
External
Geographic
Information
External Threat
Intelligence
Sources

9. © 2014 Tier-3 Pty Ltd, All rights reserved 9 Intelligent Security. We deliver it.
Leverage Threat Intelligence
Consider ‘Indicators of Compromise’
Optimise and Automate
Incident response
Agenda - Three Components

10. © 2014 Tier-3 Pty Ltd, All rights reserved 10 Intelligent Security. We deliver it.
Activity to/from risky or strange locations
Personal sensitivities (role, seniority, access)
Patterns of traffic between IP address pairs
Session durations
Data flow volumes and directions
Activity on sensitive internal hosts
Number of files open(ed)
Number of pages or documents printed
Query/search results (numbers)
User account group membership activity
Use of media like USB/CD
Connections to cloud-based storage
Indicators of Compromise
Think how
an Insider
might
behave,
what they
might do,
how they
would steal
data
What might
be the early
signs of an
external
attack or
Trojan, APT,
spear
phishing
activity

11. © 2014 Tier-3 Pty Ltd, All rights reserved 11 Intelligent Security. We deliver it.
Monitor / learn behavioural profile
automatically to create a dynamic
baseline of system behaviour
Continuously updated as the
environment changes
Correlating with other events,
detections for any deviations from
the “normal” baseline to alert
operators
Detecting Anomalous Behaviour
Hard in complex systems for analysts:
To know the network
To estimate thresholds
Have to constantly re-write rules
Make safe/reliable assumptions
Attack nature can be more easily
predictable
Start from the Indicator of Compromise
– or IoC - for APTs, zero-day & insider
threats
Indicators and behaviours play a role at
different stages of the kill chain

12. © 2014 Tier-3 Pty Ltd, All rights reserved 12 Intelligent Security. We deliver it.
Leverage Threat Intelligence
Consider ‘Indicators of Compromise’
Optimise and Automate
Incident response
Agenda - Three Components

13. © 2014 Tier-3 Pty Ltd, All rights reserved 13 Intelligent Security. We deliver it.
Automating Responses
Manual analysis and
triage
Automatic response
(can be risky)
Suspicion / Detection
Automatic
information/context
gathering
Making changes, turning things off,
closing sessions can help, but may
impact normal business
System, user, process, network
information is transient – needs to be
gathered at the time (later is no use)
Manual response
Making sense of the data to
understand the incident and effect
appropriate
containment/investigation/remediatio
n

14. © 2014 Tier-3 Pty Ltd, All rights reserved 14 Intelligent Security. We deliver it.
Process efficiency:
Automating as much as possible and streamlining everything else
More than just purely “actively responding”
closing sessions, disrupting attacker, disabling user accounts...
Key use case:
Gather data/context “at the time of an alert” ...
Webcam photo, screen shot
System configuration, running processes, network sessions
... and from “just before”
i.e. caching a rolling data set (e.g. network traffic) and freezing it when an alert occurs
Note:
Only really works with real-time analysis and detection systems
You have a way to work with the dataset that is collected
Automatic Response

15. © 2014 Tier-3 Pty Ltd, All rights reserved 15 Intelligent Security. We deliver it.
To close ...

16. © 2014 Tier-3 Pty Ltd, All rights reserved 16 Intelligent Security. We deliver it.
Remember the “kill chain” concept
Cyber Kill Chain – sequential chain of events for successful attack
© Lockheed Martin
Monitor, detect and respond throughout attack lifecycle
Pre-Compromise Post-CompromiseCompromise

17. © 2014 Tier-3 Pty Ltd, All rights reserved 17 Intelligent Security. We deliver it.
What will “good” look like?
More
Confident/Reliable
Detection
• Given that “something” has been
detected have to decide if it is
significant (with confidence)
• “Potential incident” investigated based
on the surrounding or associated
contextual data
• Maximise use of established data
sources and automation:
• Swifter “confirmed detection”
• Fewer false positives/negatives
• Single view of information across sources
• Throughout the kill chain, and as early
as possible
Earlier Understanding
/Faster Analysis
• Anticipate obvious questions for triage,
analysis, escalation process
• Predictable requests dealt with automatically
• Pre-emptive information gathering
• Leverage data available from at / before
the time of incident:
• Screen shots, systems’ configurations, file
contents, network sessions, open files ...
• Focus staff concentration on decision
making rather than manual information
gathering

18. © 2014 Tier-3 Pty Ltd, All rights reserved 18 Intelligent Security. We deliver it.
Thank you
Piers Wilson
piers.wilson@tier-3.com +44 (0) 7800 508517
info@tier-3.com
+44 (0) 118 900 1550
www.tier-3.com twitter.com/Tier3huntsman