Cyber Threat Intelligence
The relevance of data for the business
Francesco Faenzi, Andrea Zapparoli Manzoni
Cyber Threat Intelligence – F.Faenzi / A.Zapparoli Manzoni
License
The contents of this document are distributed under a Creative Commons "Attribution - NonCommercial - ShareAlike 3.0 Italy" license (http://creativecommons.org/licenses/by-nc-sa/3.0/it/legalcode)
You are free to:
• Share: reproduce, distribute, communicate to the public, publicly display, perform and recite this material in any medium or format
• Adapt: remix, transform and build upon the material for your own works
• The licensor cannot revoke these rights as long as you follow the license terms.
Under the following terms:
• Attribution: You must give appropriate credit, provide a link to the license, and indicate if changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use of the material.
• NonCommercial: You may not use the material for commercial purposes.
• ShareAlike: If you remix, transform, or build upon the material, you must distribute your contributions under the same license as the original material.
• No additional restrictions: You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
About us
• Francesco Faenzi
Father, raw meat / pinot noir / former fitness addict, wannabe traveller, used to read before crushing into DFWallace, Head of Cybersecurity @Lutechspa
f.faenzi@lutech.it, @francescofaenzi
• Andrea Zapparoli Manzoni
No introduction needed …
Agenda
• Cyber threat scenario
• Cyber Threat Intelligence
• CTI as a phase of Cyber Defense
• Intelligence & Cleverness
• "In real life"
• Relevance of CTI for the business
• Points of attention for the CISO in a CTI Program
Cyber threat scenario
New Information & Communication Technology models and trends (Consumerization, BYOD, Open Knowledge Society, Cyber (In-)Security, Cloud Services, App Economy & Always-on Workers, Internet of Everything, etc.), together with the globalization enabled by the Internet, bring many advantages to our society (sharing of information and thoughts, global communication, transparency, etc.) but also issues …
As the Internet and online business grow, organizations are progressively more exposed to malicious activities.
IBM X-Force Report 2016
Cyber threat scenario
[Figure: Defender-detection deficit. Source: Verizon DBIR Report 2015]
Cyber threat scenario
Europol Cybercrime Conference 2013, CERT-EU data
We cannot avoid infection
Taking control requires from 10m to 48h
Detection takes up to 1 year
Remediation up to 6 months & more
- Freddy Dezeure, Head of CERT-EU
Cyber threat scenario
Casual Attacker power grows at the rate of Metasploit
- HD Moore (Rapid7 and Metasploit, CTO)
There is no longer a window to patch when a vulnerability or exploit is discovered, in public or private
- Mike Reavey, Director of the Microsoft Security Response Center
If it's software, it's hackable
If it's connected, it's exposed
- Joshua Corman, Security Director @Akamai
Cyber threat scenario
[Figure: Actor Categories. Source: Verizon DBIR Report 2015]
CTI: a phase of Cyber Defense
[Figure: The Sliding Scale of Cyber Security. Source: SANS Institute]
Intelligence …
• Cyber Threat Intelligence is the art of providing actionable information on cyber threats, that is, information that lets organizations focus on the risks most critical to their business, tied to their dependence on ICT infrastructure
Intelligence …
Top risks which Threat Intelligence can address:
Today, even companies that have made responsible and sustained investments in IT continue to be compromised.
Sophisticated & targeted attacks will continue to cause breaches and damage in the future.
Traditional passive defense is not enough anymore. Companies need to address possible future malicious threats before it's too late.
… & Cleverness
• Cyber threats are "human". It is the adversaries, not their tools (e.g. malware), that deserve attention. These adversaries (again, not the tools) are persistent and flexible, able to start an attack very quietly yet keep their footprint in the target system for a long time. Undetected.
… & Cleverness
• Focused, adequately funded adversaries cannot be countered by unattended appliances
• Likewise, the hunt for adversaries cannot rely on Indicators of Compromise alone, searching for patterns that trigger a response
• The hunt for cyber threats must be human and proactive
… & Cleverness
Your threat program will have limited effectiveness without human intelligence
… & Cleverness
• The web offers an enormous set of Cyber Threat Data: vulnerability databases, forums, chats, honeypots, known malware sites, botnets, malicious URLs, phishing sites, etc.
• It is a huge volume of data to collect and digest: an easy task for a computer
• How can it be made actionable?
… & Cleverness
• The key to making Cyber Threat Data actionable and reliable for the business is to fine-tune and filter it so that only the relevant items are quickly brought to attention
• This task requires a certain "intelligence". Or rather "cleverness", typical of humans, not of machines, and often forgotten in Cyber Threat Intelligence programs
… & Cleverness
• An experienced Cyber Threat Analyst can examine the data and, through logical leaps, reach conclusions that are not obvious to data-analysis software, even one equipped with many complex rules
• Most Cyber Threat Intelligence programs, and Cyber Security programs in general, lack the creative element
In real life
Phishing website which claims to be a banking login page
1. Suspected Phishing: Analyze the web, searching for websites used for phishing purposes. In this case a web page which claims to represent an internet banking login form has been detected and reported as malicious.
2. URL of Phishing: Report the URL of the cloned page and the URL of the phishing web page too. If the phishing page has been closed, a Google cache link is reported.
3. Source: Report where and how the phishing website has been found.
In real life
Phishing kit package used to create a lot of fake banking pages
1. Web App Scan: From the analysis of a potentially malicious link, a .zip archive has been found which contains malicious files containing the name of the target company inside the payload.
2. Phishing Kit: The analysis made by a Cyber Crime Research Team revealed that the .zip archive contains the source code of a phishing kit, used by the attacker to retrieve users' credentials.
3. Malicious Form: This is the malicious form used by the attacker to steal credentials from targeted users while they thought they were logging into the real customer web portal.
In real life
Malware used to conduct DDoS attacks against multiple targets
1. Malware Detection: During the continuous monitoring phase, a malware infection has been detected from a malicious website analyzed.
2. Reflected DDoS: The analysis of the detected executable confirmed that the malware had been uploaded to a malicious website in order to infect as many victims as possible and to use them as zombies to conduct reflected DDoS attacks.
3. Web Server Impacted: The detected web server has been used (in conjunction with a lot of other web servers) as a victim, in order to conduct reflected DDoS attacks against multiple targets.
In real life
Website containing confidential documents publicly exposed
1. Confidential Docs: Analyze massive data from the "indexed Internet", public & private social web, and different private channels in order to identify any possible confidential documents exposed over the internet.
2. Download Link: Report the link on the malicious website where the confidential financial document has been published.
3. Content: This is the content of the documents downloaded from the malicious website.
In real life
Black market threads where users tried to buy and sell Italian banking accounts
1. Event Type: Scan and analyze data from the "indexed Internet", public & private social web, IRC chats, black markets, deep web black markets, public and private channels, in order to identify any possible financial data leakage or platforms buying & selling credit cards, home banking login credentials, etc.
2. Resources: Findings of data leakages are reported and categorized. In this case a user is trying to buy & sell credit card data of a well-known Italian banking institution.
3. Title & Link: The title and the link of the page where data leakage or non-public resources have been found.
In real life
Analyze social network mentions in order to detect & verify a vulnerability on a website
1. Social Networks: Analyze social network trends, with hashtags and mentions, in order to identify any possible malicious hot topic related to a specific company.
2. Vulnerability: In particular, report different mentions on social networks related to a vulnerability that turned out to be exposed over the internet on the customer web portal.
3. Evidence: Report real evidence, consisting of a conversation between 2 users about the vulnerability found.
In real life
Detect a mobile application uploaded on Google Play store infected with a financial trojan
1. Detection: Detection of a malicious mobile app, also uploaded on the Google Play store, confirmed to be malicious by different AVs. The app has been detected as malicious because of the injection of a financial Trojan, used to steal credentials on the mobile phones of the end users.
2. File Information: Extraction of all the information about the file and file type, kill chain, MD5 and SHA of the file, etc.
3. Mobile APP Analysis: Sample download link, with all the captured evidence of the malicious package detected and analyzed.
In real life
Detect a ransomware, from different sources, which was targeting users
1. Virus Total Report: Detect possibly malicious activity on social networks: a user posted a link with a password for a free poker tournament on an Italian gambling web site.
2. The tweet: The user (probably hacked too) has posted the link on Twitter.
3. Mobile Infection: Visiting the link with a vulnerable mobile phone, users become immediately infected by a ransomware app which encrypts all the data and asks for money for decryption.
4. Exploit Kit: Visiting the link from a classic browser, users get infected because of the execution of an exploit kit which injects a specific Trojan on the victim's computer.
In real life
Detect misconfigured services exposed in the org perimeter in order to identify possible data leakage and ID theft
1. Misconfiguration Detection: Passively identify and tag service misconfigurations in the monitored perimeter.
2. Service details: In the event detail it is possible to view all the details related to the identified misconfiguration, like IP address, country, netname and geolocation.
3. Misconfiguration example: For example, it is possible to identify exposed FTP servers with anonymous access, directory listing, web applications with default credentials and many other misconfigurations.
In real life
Analyze the preparation, the methodology, the exposed contents & information and the media reactions of a hacktivism attack conducted during an international event
1. Target List: Before a major event, hacktivists organized attacks with different techniques against web portals related to the event; they used private pads to organize and plan their work. CTI automatically detected them.
2. DDoS Preparation: Hacktivists organized through IRC channels (and then conducted) coordinated DDoS attacks against event web portals in order to disrupt official services.
3. Website Hacking: Hacktivists organized attacks trying to deface and dump different web sites related to the event, uploading results on private pads or IRC channels detected by CTI.
In real life
• Attack planning evidence with details of targets, vulnerabilities and potential exploits/tools
• Exposed network/naming details of internal DB servers with full OS/version details
• (After a few days) Exposed internal details of the same DB servers: tables, E&R structure, data, including customer details
• Domain name abuse with proven evidence of redirection to malicious sites
• Unknown exposed services on the customer perimeter with leaked working access credentials available
• External sites password leakage & reuse of the same credentials internally
• Unknown exposed HTTP/S sites with directory listings and downloadable confidential files (pre-RFPs, configuration, design details, etc.), with no authentication or authorization
• Company VIPs' exposed credentials and/or PII (e.g. phone numbers, birthdate, etc.)
In real life
• Test and pre-production services exposed on public IaaS, with no authentication
• Internal assets compromised with advanced malware, able to steal visiting clients' credentials
• Company data exposed on Dropbox and Google Drive, with no authentication
• Malware in the wild, specifically crafted to access company assets and replicate or steal employees' credentials
• Activation and delivery of phishing campaigns
• Malware in the wild, crafted to steal customers' credentials or redirect customers to a malicious site for further and deeper compromise
• Company, employee and fan social web pages compromised with injected malicious URLs/docs
In real life
• Brand abuse and malicious content on mobile applications related to the monitored customer
• Detection of a Denial of Service attack against a company server and the related attacker claim
• Detection of posts about fake free access to company services that lead to a specially crafted web page serving malware via exploit kit
• Leaked internal server configuration files, providing outsiders with relevant and massive information about internal network layout and services
• Fully working carding stores hidden in darknets
• Leaked access credentials for employee and fan social web pages
Relevance of CTI for the business
• What is still missing for the "perfect" CTI program? The business
• Expertise in business drivers, legal obligations, human-resources factors and third-party relationships is fundamental to completing it: otherwise the risk is a technically perfect result that sits in a vacuum, blind to the big picture of the business or even unable to address business risks, and that is merely a cost item
Relevance of CTI for the business
• Once again the human factor is fundamental: not the Intelligence Operations analyst, but the business, which decides what is important and what is not
Relevance of CTI for the business
[Figure. Source: http://www.mitre.org/capabilities/cybersecurity/situation-awareness]
Relevance of CTI for the business
• A Crown Jewels Analysis (CJA) is needed, that is, identifying the Cyber Assets most critical to an organization's ability to accomplish its mission
• The CJA creates a dependency map that makes it possible to identify the mission and, starting from it, prioritize the lower levels
• The CJA makes it possible to predict the impact of a Cyber Asset failure up to the objectives and activities strictly inherent to the mission
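An added example, not part of the original slides: the dependency map of a Crown Jewels Analysis in Python, used to predict which mission objectives an asset failure reaches and to order CTI findings by that business impact (the filtering the "Cleverness" slides ask for). Node names, weights and findings are constructed; the model assumes any failed dependency impacts everything that relies on it.

```python
from collections import defaultdict

# Constructed dependency map with hypothetical names. Each entry reads
# "<node> depends on <children>", layered mission -> objective -> task -> asset.
DEPENDS_ON = {
    "mission:retail-banking": ["objective:online-payments",
                               "objective:customer-support"],
    "objective:online-payments": ["task:authorize-transfer", "task:customer-login"],
    "objective:customer-support": ["task:customer-login", "task:ticket-handling"],
    "task:authorize-transfer": ["asset:core-db", "asset:payment-gw"],
    "task:customer-login": ["asset:web-portal", "asset:idp"],
    "task:ticket-handling": ["asset:crm"],
}

# Weights are set by the business, not by the analyst (constructed values).
OBJECTIVE_WEIGHT = {"objective:online-payments": 10,
                    "objective:customer-support": 3}

# Constructed CTI findings, each tied to the asset it concerns.
FINDINGS = [
    {"id": "F1", "asset": "asset:crm", "summary": "directory listing exposed"},
    {"id": "F2", "asset": "asset:idp", "summary": "leaked working credentials"},
    {"id": "F3", "asset": "asset:test-vm", "summary": "unauthenticated test service"},
]


def build_supports(depends_on):
    """Invert the map: for every node, which nodes directly rely on it."""
    supports = defaultdict(set)
    for parent, children in depends_on.items():
        for child in children:
            supports[child].add(parent)
    return supports


def impacted_by(node, supports):
    """All upstream nodes reached if `node` fails (any-dependency-fails model)."""
    seen, stack = set(), [node]
    while stack:
        current = stack.pop()
        for parent in supports.get(current, ()):
            if parent not in seen:  # also protects against cycles in the map
                seen.add(parent)
                stack.append(parent)
    return seen


def criticality(asset, supports, weights):
    """Sum of the business weights of every objective the failure reaches."""
    return sum(weights.get(n, 0) for n in impacted_by(asset, supports))


def rank_assets(depends_on, weights):
    """Crown jewels first: assets ordered by the mission impact of their failure."""
    supports = build_supports(depends_on)
    assets = {c for children in depends_on.values() for c in children
              if c.startswith("asset:")}
    scored = [(criticality(a, supports, weights), a) for a in assets]
    return sorted(scored, key=lambda s: (-s[0], s[1]))


def prioritize(findings, depends_on, weights):
    """Order CTI findings by the criticality of the asset they touch.

    Findings on assets absent from the map are not discarded: they are
    returned separately, because an unknown exposed asset needs an analyst.
    """
    supports = build_supports(depends_on)
    mapped, unmapped = [], []
    for finding in findings:
        asset = finding["asset"]
        if asset not in supports:
            unmapped.append(finding["id"])
            continue
        hit = sorted(n for n in impacted_by(asset, supports)
                     if n.startswith("objective:"))
        mapped.append((criticality(asset, supports, weights), finding["id"], hit))
    mapped.sort(key=lambda m: (-m[0], m[1]))
    return mapped, unmapped


if __name__ == "__main__":
    for score, asset in rank_assets(DEPENDS_ON, OBJECTIVE_WEIGHT):
        print(f"{score:>3}  {asset}")
    ranked, needs_review = prioritize(FINDINGS, DEPENDS_ON, OBJECTIVE_WEIGHT)
    for score, fid, objectives in ranked:
        print(f"{fid}: score {score}, reaches {', '.join(objectives)}")
    print("unmapped assets, analyst review:", needs_review)
```

The weights are the only input that cannot come from the security team: changing them reorders both the asset ranking and the findings queue without touching the technical map.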
Points of attention for the CISO
There is never enough time
Thank you for yours
(quote: Dan Geer)

PandaLabs Reveals its Predictions for Cybersecurity Trends in 2018
 
Cyber Malware Programs And The Internet
Cyber Malware Programs And The InternetCyber Malware Programs And The Internet
Cyber Malware Programs And The Internet
 
Cyber threats landscape and defense
Cyber threats landscape and defenseCyber threats landscape and defense
Cyber threats landscape and defense
 
Peerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter MeetPeerlyst Delhi NCR Chapter Meet
Peerlyst Delhi NCR Chapter Meet
 
Information Security Awareness
Information Security AwarenessInformation Security Awareness
Information Security Awareness
 
Talks submitted
Talks submittedTalks submitted
Talks submitted
 
11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security11 19-2015 - iasaca membership conference - the state of security
11 19-2015 - iasaca membership conference - the state of security
 
Hacking 04 2011
Hacking 04 2011Hacking 04 2011
Hacking 04 2011
 
pypt.pptx.shshjsjdjjdhdhhdhdhdhdhhdhdjdjdjdjjrejjr
pypt.pptx.shshjsjdjjdhdhhdhdhdhdhhdhdjdjdjdjjrejjrpypt.pptx.shshjsjdjjdhdhhdhdhdhdhhdhdjdjdjdjjrejjr
pypt.pptx.shshjsjdjjdhdhhdhdhdhdhhdhdjdjdjdjjrejjr
 
Airport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthyAirport IT&T 2013 John McCarthy
Airport IT&T 2013 John McCarthy
 
Security Opportunities A Silicon Valley VC Perspective
Security Opportunities  A Silicon Valley VC PerspectiveSecurity Opportunities  A Silicon Valley VC Perspective
Security Opportunities A Silicon Valley VC Perspective
 
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
Security (Ignorance) Isn't Bliss: 5 Ways to Advance Security Decisions with T...
 
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating NewsOpen Source Insight: Security Breaches and Cryptocurrency Dominating News
Open Source Insight: Security Breaches and Cryptocurrency Dominating News
 

More from Francesco Faenzi

Industry 4.0 CyberSecurity Assessment.pptx
Industry 4.0 CyberSecurity Assessment.pptxIndustry 4.0 CyberSecurity Assessment.pptx
Industry 4.0 CyberSecurity Assessment.pptxFrancesco Faenzi
 
Advanced Metering Infrastructure Security Test.pptx
Advanced Metering Infrastructure Security Test.pptxAdvanced Metering Infrastructure Security Test.pptx
Advanced Metering Infrastructure Security Test.pptxFrancesco Faenzi
 
Customer digital identity and consent management
Customer digital identity and consent managementCustomer digital identity and consent management
Customer digital identity and consent managementFrancesco Faenzi
 
Identità digitale e identità in real-life: rischi e rimedi
Identità digitale e identità in real-life: rischi e rimediIdentità digitale e identità in real-life: rischi e rimedi
Identità digitale e identità in real-life: rischi e rimediFrancesco Faenzi
 
Telegram chatbot - considerazioni di sicurezza
Telegram chatbot - considerazioni di sicurezzaTelegram chatbot - considerazioni di sicurezza
Telegram chatbot - considerazioni di sicurezzaFrancesco Faenzi
 
Cybercrime underground: Vendita ed evoluzione del carding
Cybercrime underground: Vendita ed evoluzione del cardingCybercrime underground: Vendita ed evoluzione del carding
Cybercrime underground: Vendita ed evoluzione del cardingFrancesco Faenzi
 
UPDATED - Analysis of exposed ICS / SCADA and IoT systems in Europe
UPDATED - Analysis of exposed ICS / SCADA and IoT systems in EuropeUPDATED - Analysis of exposed ICS / SCADA and IoT systems in Europe
UPDATED - Analysis of exposed ICS / SCADA and IoT systems in EuropeFrancesco Faenzi
 
Cyber Attack: stories from the field - Threat analysis: useful methodologies ...
Cyber Attack: stories from the field - Threat analysis: useful methodologies ...Cyber Attack: stories from the field - Threat analysis: useful methodologies ...
Cyber Attack: stories from the field - Threat analysis: useful methodologies ...Francesco Faenzi
 
Analisi del fenomeno carding nei blackmarket
Analisi del fenomeno carding nei blackmarketAnalisi del fenomeno carding nei blackmarket
Analisi del fenomeno carding nei blackmarketFrancesco Faenzi
 
Advanced Persistent Threat in ICS/SCADA/IOT world: a case study
Advanced Persistent Threat in ICS/SCADA/IOT world: a case studyAdvanced Persistent Threat in ICS/SCADA/IOT world: a case study
Advanced Persistent Threat in ICS/SCADA/IOT world: a case studyFrancesco Faenzi
 
Analysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in EuropeAnalysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in EuropeFrancesco Faenzi
 
SCADA Cybersecurity: Sessione live di Attacco e Difesa by Lutech & Phoenix Co...
SCADA Cybersecurity: Sessione live di Attacco e Difesa by Lutech & Phoenix Co...SCADA Cybersecurity: Sessione live di Attacco e Difesa by Lutech & Phoenix Co...
SCADA Cybersecurity: Sessione live di Attacco e Difesa by Lutech & Phoenix Co...Francesco Faenzi
 

More from Francesco Faenzi (12)

Industry 4.0 CyberSecurity Assessment.pptx
Industry 4.0 CyberSecurity Assessment.pptxIndustry 4.0 CyberSecurity Assessment.pptx
Industry 4.0 CyberSecurity Assessment.pptx
 
Advanced Metering Infrastructure Security Test.pptx
Advanced Metering Infrastructure Security Test.pptxAdvanced Metering Infrastructure Security Test.pptx
Advanced Metering Infrastructure Security Test.pptx
 
Customer digital identity and consent management
Customer digital identity and consent managementCustomer digital identity and consent management
Customer digital identity and consent management
 
Identità digitale e identità in real-life: rischi e rimedi
Identità digitale e identità in real-life: rischi e rimediIdentità digitale e identità in real-life: rischi e rimedi
Identità digitale e identità in real-life: rischi e rimedi
 
Telegram chatbot - considerazioni di sicurezza
Telegram chatbot - considerazioni di sicurezzaTelegram chatbot - considerazioni di sicurezza
Telegram chatbot - considerazioni di sicurezza
 
Cybercrime underground: Vendita ed evoluzione del carding
Cybercrime underground: Vendita ed evoluzione del cardingCybercrime underground: Vendita ed evoluzione del carding
Cybercrime underground: Vendita ed evoluzione del carding
 
UPDATED - Analysis of exposed ICS / SCADA and IoT systems in Europe
UPDATED - Analysis of exposed ICS / SCADA and IoT systems in EuropeUPDATED - Analysis of exposed ICS / SCADA and IoT systems in Europe
UPDATED - Analysis of exposed ICS / SCADA and IoT systems in Europe
 
Cyber Attack: stories from the field - Threat analysis: useful methodologies ...
Cyber Attack: stories from the field - Threat analysis: useful methodologies ...Cyber Attack: stories from the field - Threat analysis: useful methodologies ...
Cyber Attack: stories from the field - Threat analysis: useful methodologies ...
 
Analisi del fenomeno carding nei blackmarket
Analisi del fenomeno carding nei blackmarketAnalisi del fenomeno carding nei blackmarket
Analisi del fenomeno carding nei blackmarket
 
Advanced Persistent Threat in ICS/SCADA/IOT world: a case study
Advanced Persistent Threat in ICS/SCADA/IOT world: a case studyAdvanced Persistent Threat in ICS/SCADA/IOT world: a case study
Advanced Persistent Threat in ICS/SCADA/IOT world: a case study
 
Analysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in EuropeAnalysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in Europe
 
SCADA Cybersecurity: Sessione live di Attacco e Difesa by Lutech & Phoenix Co...
SCADA Cybersecurity: Sessione live di Attacco e Difesa by Lutech & Phoenix Co...SCADA Cybersecurity: Sessione live di Attacco e Difesa by Lutech & Phoenix Co...
SCADA Cybersecurity: Sessione live di Attacco e Difesa by Lutech & Phoenix Co...
 

Recently uploaded

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Hyundai Motor Group
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetEnjoy Anytime
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 

Recently uploaded (20)

SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2Next-generation AAM aircraft unveiled by Supernal, S-A2
Next-generation AAM aircraft unveiled by Supernal, S-A2
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Key Features Of Token Development (1).pptx
Key  Features Of Token  Development (1).pptxKey  Features Of Token  Development (1).pptx
Key Features Of Token Development (1).pptx
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your BudgetHyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
Hyderabad Call Girls Khairatabad ✨ 7001305949 ✨ Cheap Price Your Budget
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 

Cyber Threat Intelligence - The relevance of data for business

  • 1. Cyber Threat Intelligence: The relevance of data for business. Francesco Faenzi, Andrea Zapparoli Manzoni
  • 2. Cyber Threat Intelligence – F.Faenzi / A.Zapparoli Manzoni 2. License. The contents of this document are distributed under a Creative Commons "Attribution - NonCommercial - ShareAlike 3.0 Italy" license (http://creativecommons.org/licenses/by-nc-sa/3.0/it/legalcode)
      You are free to:
      - Share: reproduce, distribute, communicate to the public, display in public, represent, perform and recite this material in any medium or format
      - Adapt: remix, transform and build upon the material for your own works
      - The licensor cannot revoke these rights as long as you follow the terms of the license.
      Under the following terms:
      - Attribution: You must give appropriate credit, provide a link to the license, and indicate whether changes were made. You may do so in any reasonable manner, but not in any way that suggests the licensor endorses you or your use of the material.
      - NonCommercial: You may not use the material for commercial purposes.
      - ShareAlike: If you remix, transform or build upon the material, you must distribute your contributions under the same license as the original material.
      - No additional restrictions: You may not apply legal terms or technological measures that legally restrict others from doing anything the license permits.
  • 3. About us
      - Francesco Faenzi: Father, raw meat / pinot noir / former fitness addict, wannabe traveller, used to read before crushing into DFWallace, Head of Cybersecurity @Lutechspa. f.faenzi@lutech.it, @francescofaenzi
      - Andrea Zapparoli Manzoni: No introduction needed …
  • 4. Agenda
      - The cyber threat landscape
      - Cyber Threat Intelligence
      - CTI as a phase of cyber defense
      - Intelligence & Cleverness
      - "In real life"
      - Relevance of CTI for the business
      - Points of attention for the CISO in a CTI program
  • 5. Agenda
      - The cyber threat landscape
      - Cyber Threat Intelligence
      - CTI as a phase of cyber defense
      - Intelligence & Cleverness
      - "In real life"
      - Relevance of CTI for the business
      - Points of attention for the CISO in a CTI program
  • 6. The cyber threat landscape
      New Information & Communication Technology models and trends (Consumerization, BYOD, Open Knowledge Society, Cyber (In-)Security, Cloud Services, App Economy & Always-on Workers, Internet of Everything, etc.), together with the globalization trend enabled by the Internet, bring many advantages to our society (sharing of information and thoughts, global communication, transparency, etc.) but also issues …
      Together with the growth of the Internet and online business, organizations are progressively more exposed to malicious activities.
      IBM X-Force Report 2016
  • 7. The cyber threat landscape
      Defender-detection deficit (Verizon DBIR Report 2015)
  • 8. The cyber threat landscape
      Europol Cybercrime Conference 2013, CERT-EU data
      - We cannot avoid infection
      - Taking control requires from 10m to 48h
      - Detection takes up to 1 year
      - Remediation up to 6 months & more
      Freddy Dezeure, Head of CERT-EU
  • 9. The cyber threat landscape
      - "Casual Attacker power grows at the rate of Metasploit" - HD Moore (Rapid7 and Metasploit, CTO)
      - "There is no longer a window to patch when a vulnerability or exploit is discovered, in public or private" - Mike Reavey, Director of the Microsoft Security Response Center
      - "If it's software, it's hackable. If it's connected, it's exposed" - Joshua Corman, Security Director @Akamai
  • 10. The cyber threat landscape
      Actor Categories (Verizon DBIR Report 2015)
  • 11. Agenda
      - The cyber threat landscape
      - Cyber Threat Intelligence
      - CTI as a phase of cyber defense
      - Intelligence & Cleverness
      - "In real life"
      - Relevance of CTI for the business
      - Points of attention for the CISO in a CTI program
  • 12. CTI: a phase of cyber defense
  • 13. CTI: a phase of cyber defense
  • 14. CTI: a phase of cyber defense
      SANS Institute, The Sliding Scale of Cyber Security
  • 15. Agenda
      - The cyber threat landscape
      - Cyber Threat Intelligence
      - CTI as a phase of cyber defense
      - Intelligence & Cleverness
      - "In real life"
      - Relevance of CTI for the business
      - Points of attention for the CISO in a CTI program
  • 16. Intelligence …
      - Cyber Threat Intelligence is the art of providing actionable information on cyber threats, that is, information that lets organizations focus on the risks most critical to their business, tied to their dependence on ICT infrastructure
  • 17. Intelligence …
      Top risks which Threat Intelligence can address:
      - Today, even companies that have made responsible and sustained investments in IT continue to be compromised.
      - Sophisticated & targeted attacks will continue to cause breaches and damage in the future.
      - Traditional passive defense is not enough anymore.
      - Companies need to address possible future malicious threats before it's too late.
  • 18. Intelligence …
  • 19. Intelligence …
  • 20. … & Cleverness
      - Cyber threats are "human". It is the adversaries, not their tools (e.g. malware), that deserve attention. These adversaries (again, not the tools) are persistent and flexible, able to start an attack very softly yet keep their footprint in the target system for a long time. Undetected.
  • 21. … & Cleverness
      - Focused, adequately funded adversaries cannot be countered by unattended appliances
      - Likewise, hunting for adversaries cannot rely on Indicators of Compromise alone, looking for patterns that trigger a response
      - Hunting for cyber threats must be human and proactive
  • 22. … & Cleverness
      Your threat program will have limited effectiveness without human intelligence
  • 23. … & Cleverness
      - The web offers an enormous set of cyber threat data: vulnerability databases, forums, chats, honeypots, known malware sites, botnets, malicious URLs, phishing sites, etc.
      - It is a huge amount of data to collect and digest: a simple task for a computer
      - How do we make it actionable?
  • 24. … & Cleverness
      - The key to making cyber threat data actionable and reliable for the business is to fine-tune it, filtering it so that only the relevant items are quickly brought to attention
      - This task requires a certain "intelligence". Or rather "cleverness", typical of humans, not of machines, and often forgotten in Cyber Threat Intelligence programs
  • 25. … & Cleverness
      - An experienced Cyber Threat Analyst can examine the data and reach, through logical leaps, conclusions that are not immediate for data-analysis software, even software equipped with many complex rules
      - Most Cyber Threat Intelligence programs, and cyber security programs in general, lack the creative element
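Added example (not part of the original slides): a mechanical pre-filter of the kind slides 23 and 24 describe, which keeps only the collected records that touch the organization's brands, domains or address space and queues them, with the reasons, for a human analyst. The organization profile (`examplebank`, `examplebank.example`, `192.0.2.0/24`), the weights and the sample records are constructed assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical organization profile; all values are constructed placeholders.
BRANDS = ["examplebank"]
OFFICIAL_DOMAINS = ["examplebank.example"]
NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Assumed weights: impersonation of the brand outranks a plain mention.
WEIGHTS = {"lookalike-domain": 3, "brand-in-host": 3,
           "own-address-space": 2, "brand-mention": 1}

# Constructed records standing in for data collected from feeds, forums, etc.
SAMPLE_ITEMS = [
    {"id": 1, "source": "phishing-feed",
     "url": "http://examp1ebank.example.net/login",
     "text": "internet banking login form"},
    {"id": 2, "source": "forum", "url": "",
     "text": "selling cards issued by ExampleBank, contact in private"},
    {"id": 3, "source": "malware-feed", "url": "http://files.example.org/a.exe",
     "text": "dropper seen contacting 192.0.2.44 and 198.51.100.7"},
    {"id": 4, "source": "phishing-feed",
     "url": "otherbank-login.example.org/index.php",
     "text": "credential form for another brand"},
    {"id": 5, "source": "social", "url": "https://www.examplebank.example/news",
     "text": "new branch opening"},
    {"id": 6, "source": "phishing-feed",
     "url": "https://secure-examplebank.example.org/",
     "text": "cloned portal, address 999.1.1.1 in banner"},
]


def edit_distance(a, b):
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def hostname(url):
    """Return the lower-cased host of a URL, tolerating a missing scheme."""
    if not url:
        return ""
    if "://" not in url:
        url = "//" + url  # lets urlsplit see the host of scheme-less feed entries
    try:
        return (urlsplit(url).hostname or "").lower()
    except ValueError:
        return ""


def is_official(host):
    """True when the host is one of the organization's own domains."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def reasons_for(item):
    """Return the set of reasons a record is relevant to the organization."""
    reasons = set()
    host = hostname(item.get("url", ""))
    text = item.get("text", "").lower()
    if host and not is_official(host):
        for brand in BRANDS:
            if brand in host:
                reasons.add("brand-in-host")
            elif any(0 < edit_distance(label, brand) <= 2
                     for label in re.split(r"[.-]", host)):
                reasons.add("lookalike-domain")
    if any(b in text for b in BRANDS) or any(d in text for d in OFFICIAL_DOMAINS):
        reasons.add("brand-mention")
    for candidate in re.findall(r"\b\d{1,3}(?:\.\d{1,3}){3}\b", text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # looks like an address but is not one, e.g. 999.1.1.1
        if any(addr in net for net in NETWORKS):
            reasons.add("own-address-space")
    return reasons


def triage(items):
    """Drop irrelevant records; return (score, id, reasons) rows, highest first."""
    queue = []
    for item in items:
        reasons = reasons_for(item)
        if reasons:
            score = sum(WEIGHTS[r] for r in reasons)
            queue.append((score, item["id"], sorted(reasons)))
    queue.sort(key=lambda row: (-row[0], row[1]))
    return queue


if __name__ == "__main__":
    for row in triage(SAMPLE_ITEMS):
        print(row)
```

The filter only narrows the queue: records 4 and 5 are dropped, and deciding what the remaining four mean for the business is still the analyst's job.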
  • 26. Cyber Threat Intellingence – F.Faenzi / A.Zapparoli Manzoni 26 Agenda  Scenario delle Cyber Threat  Cyber Threat Intelligence  CTI come fase della Cyber Defense  Intelligence & Cleverness  "In real life"  Rilevanza della CTI per il Business  Punti di attenzione per il CISO in un CTI Program
  • 27. Cyber Threat Intellingence – F.Faenzi / A.Zapparoli Manzoni 27 In real life
  • 28. Cyber Threat Intellingence – F.Faenzi / A.Zapparoli Manzoni 28 Analyze the web searching for websites used for phishing scopes. In this case a web page, which claims to represent an internet banking login form, has been detected and reported as malicious. 1. Suspected Phishing Report the URL of the cloned page and the URL of the phishing web page too. If the phishing page has been closed a google cache link is reported. 2. URL of Phishing Report where and how the phishing website have been found. 3. Source Phishing Website which claims to be a banking login page In real life
  • 29. Cyber Threat Intellingence – F.Faenzi / A.Zapparoli Manzoni 29 From the analysis of potential malicious link, a .zip archive has been found which contains malicious files containing the name of the target company inside the payload 1. Web App Scan The analysis made by a Cyber Crime Research Team revealed that the .zip archive contains the source code of a Phishing Kit, used by the attacker to retrieve users credentials. 2. Phishing Kit This is the malicious form used by the attacker to steal credentials from targeted users wile they were thinking to login into the real customer webportal. 3. Malicious Form Phishing KIT package used to create a lot of fake banking pages In real life
  • 30. Cyber Threat Intellingence – F.Faenzi / A.Zapparoli Manzoni 30 During continuous monitoring phase, a malware infection has been detected from a malicious website analyzed 1. Malware Detection The analysis of the executable detected, confirmed that the malware has been uploaded to a malicious website in order to infect as many as possible victims and to use them as zombies to conduct reflected DDoS attacks 2. Reflected DDoS The detected webserver has been used (in conjunction with a lot of other webserver) as a victim, in order to conduct reflected DDoS attacks against multiple targets 3. Web Server Impacted Malware used to conduct DDoS attacks against multiple targets In real life
  • 31. Cyber Threat Intellingence – F.Faenzi / A.Zapparoli Manzoni 31 Analyze massive data from "indexed Internet", public & private social web, and different private channels in order to identify any possible confidential documents exposed over the internet 1. Confidential Docs Report the link on the malicious website where the confidential financial document has been published. 2. Download Link This is the content of the downloaded documents from the malicious website. 3. Content Website containing confidential documents publicly exposed In real life
  • 32. Cyber Threat Intellingence – F.Faenzi / A.Zapparoli Manzoni 32 Scans and analyze data from "indexed Internet", public & private social web, IRC chats, black markets, deep web black markets, public and private channels, in order to identify any possible financial data leakage or credit cards, home banking credential login, etc. buying & selling platforms 1. Event Type Findings of data leakages are reported and categorized. In this case an user is trying to buy & sell credit card data of a well known Italian bank institute 2. Resources The title and the Link of the page where data leakage or non-public resources have been found 3. Title & Link Black market threads where users tried to buy and sell Italian banking accounts In real life
  • 33. Cyber Threat Intellingence – F.Faenzi / A.Zapparoli Manzoni 33 Analyze social networks trends with hashtag and mentions in order to identify any possible malicious hot topic related to a specific company. 1. Social Networks In particular, report different mentions on social networks, related to a vulnerability that is resulted as exposed over the internet on the customer webportal 2. Vulnerability Report a real evidence which consist in a conversation between 2 users about the vulnerability found 3. Evidence Analyze social network mentions in order to detect & verify a vulnerability on a website In real life
  • 34. In real life: Detect a mobile application uploaded on Google Play store infected with a financial trojan
      1. Detection: Detection of a malicious mobile app also uploaded to the Google Play store, confirmed to be malicious by different AVs. The app was detected as malicious because of the injection of a financial Trojan, used to steal credentials on the mobile phones of the end users.
      2. File Information: Extraction of all the information about the file and file type, kill chain, md5 and sha of the file, etc.
      3. Mobile APP Analysis: Sample download link, with all the captured evidence of the malicious package detected and analyzed.
  • 35. In real life: Detect a ransomware, from different sources, which was targeting users
      1. Virus Total Report: Detect possibly malicious activity on social networks because a user posted a link with a password for a free poker tournament on an Italian gambling web site.
      2. The tweet: The user (probably hacked too) posted the link on Twitter.
      3. Mobile Infection: Visiting the link with a vulnerable mobile phone, users are immediately infected by a ransomware app which encrypts all the data and asks for money for decryption.
      4. Exploit Kit: Visiting the link from a classic browser, users get infected because of the execution of an exploit kit which injects a specific Trojan on the victim's computer.
  • 36. In real life: Detect misconfigured services exposed in the org perimeter in order to identify possible data leakage and ID theft
      1. Misconfiguration Detection: Passively identify and tag service misconfigurations in the monitored perimeter.
      2. Service details: In the event detail it is possible to view all the details related to the identified misconfiguration, such as IP address, country, netname and geolocation.
      3. Misconfiguration example: For example, it is possible to identify exposed FTP servers with anonymous access, directory listing, web applications with default credentials and many other misconfigurations.
  • 37. In real life: Analyze the preparation, the methodology, the exposed contents & information and the media reactions of a hacktivism attack conducted during an international event
      1. Target List: Before a major event, hacktivists organized attacks with different techniques against web portals related to the event; they used private pads to organize and plan their work. CTI detected them automatically.
      2. DDoS Preparation: Hacktivists organized through IRC channels (and then conducted) coordinated DDoS attacks against event web portals in order to disrupt official services.
      3. Website Hacking: Hacktivists organized attacks trying to deface and dump different web sites related to the event, uploading the results to private pads or IRC channels detected by CTI.
  • 38. In real life
      - Attack planning evidence with details of targets, vulnerabilities and potential exploits/tools
      - Exposed network/naming details of internal DB servers with full OS/version details
      - (After a few days) Exposed internal details of the same DB servers: tables, E&R structure, data, including customer details
      - Domain name abuse with proven evidence of redirection to malicious sites
      - Unknown exposed services on the customer perimeter with leaked working access credentials available
      - External sites password leakage & reuse of the same credentials internally
      - Unknown exposed HTTP/S sites with directory listings and downloadable confidential files (pre-RFPs, configuration, design details, etc.), with no authentication or authorization
      - Company VIPs' exposed credentials and/or PII (e.g. phone numbers, birthdate, etc.)
  • 39. In real life
      - Test and pre-production services exposed on public IaaS, with no authentication
      - Internal assets compromised with advanced malware, able to steal visiting clients' credentials
      - Company data exposed on Dropbox and Google Drive, with no authentication
      - Malware in the wild, specifically crafted to access company assets and replicate or steal employees' credentials
      - Activation and delivery of phishing campaigns
      - Malware in the wild, crafted to steal customers' credentials or redirect customers to a malicious site for further and deeper compromise
      - Company, employees' and fans' social web pages compromised with injected malicious URLs/docs
  • 40. In real life
      - Brand abuse and malicious content on a mobile application related to the monitored customer
      - Detection of a Denial of Service attack against a company server and the related attacker claim
      - Detection of a post about fake free access to company services that leads to a specially crafted web page serving malware via an exploit kit
      - Leaked internal server configuration files, providing relevant and massive information about the internal network layout and services to the outside
      - Fully working carding stores hidden in darknets
      - Employees' and fans' social web pages leaked access credentials
  • 41. Agenda
      - Cyber threat landscape
      - Cyber Threat Intelligence
      - CTI as a phase of Cyber Defense
      - Intelligence & Cleverness
      - "In real life"
      - Relevance of CTI for the Business
      - Points of attention for the CISO in a CTI Program
  • 42. Relevance of CTI for the Business
      - What is still missing for the "perfect" CTI program? The business.
      - Expertise in business drivers, legal obligations, human-resources factors and third-party relationships is essential to complete it: otherwise the risk is a result that is technically perfect but sits in a vacuum, blind to the big picture of the business or even unable to address business risks, and that is merely a cost item.
  • 43. Relevance of CTI for the Business
      - Once again the human factor is fundamental: not the Intelligence Operations analyst, but the business, which decides what is important and what is not.
  • 44. Relevance of CTI for the Business: http://www.mitre.org/capabilities/cybersecurity/situation-awareness
  • 45. Relevance of CTI for the Business
      - A Crown Jewels Analysis (CJA) must be carried out, that is, identifying the Cyber Assets that are most critical to an organization's ability to accomplish its mission.
      - The CJA creates a dependency map that makes it possible to identify the mission and, starting from it, to prioritize the lower levels.
      - The CJA makes it possible to predict the impact of a Cyber Asset failure all the way up to the objectives and activities closely tied to the mission.
  • 46. Relevance of CTI for the Business: http://www.mitre.org/capabilities/cybersecurity/situation-awareness
  • 47. Agenda
      - Cyber threat landscape
      - Cyber Threat Intelligence
      - CTI as a phase of Cyber Defense
      - Intelligence & Cleverness
      - "In real life"
      - Relevance of CTI for the Business
      - Points of attention for the CISO in a CTI Program
  • 48. Points of attention for the CISO
  • 49. There is never enough time. Thank you for yours (quoting Dan Geer)
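
The dependency map that slide 45 attributes to a Crown Jewels Analysis, sketched as an added example that is not part of the original deck: it propagates a cyber asset failure upward to the mission objectives it reaches and ranks assets by the business weight of those objectives. The node names, the mission/task/info/asset layering and the weights are constructed assumptions, not values from the slides.

```python
from collections import defaultdict

# Constructed sample map (not from the slides): each node lists the lower-level
# nodes it depends on. The mission/task/info/asset layering is an assumption.
DEPENDS_ON = {
    "mission:process payments": ["task:authorize transactions", "task:settle with banks"],
    "mission:customer reporting": ["task:generate statements"],
    "mission:publish website": ["task:serve web content"],
    "task:authorize transactions": ["info:card data", "info:fraud rules"],
    "task:settle with banks": ["info:card data"],
    "task:generate statements": ["info:card data"],
    "task:serve web content": ["info:web pages"],
    "info:card data": ["asset:db-server-01"],
    "info:fraud rules": ["asset:app-server-02"],
    "info:web pages": ["asset:web-server-03"],
}
# Importance of each mission objective, assigned by the business (constructed values).
MISSION_WEIGHT = {
    "mission:process payments": 10,
    "mission:customer reporting": 5,
    "mission:publish website": 3,
}

def impacted_by(failed, depends_on=DEPENDS_ON):
    """Return every node above `failed` that its failure would affect.

    Simplification: a failed dependency always impacts its parent (no redundancy).
    """
    supports = defaultdict(set)          # reverse edges: node -> nodes relying on it
    for node, deps in depends_on.items():
        for dep in deps:
            supports[dep].add(node)
    seen, stack = set(), [failed]
    while stack:
        for parent in supports.get(stack.pop(), ()):
            if parent not in seen:       # a node reached by two paths counts once
                seen.add(parent)
                stack.append(parent)
    return seen

def crown_jewels(depends_on=DEPENDS_ON, weights=MISSION_WEIGHT):
    """Rank cyber assets by the total weight of the missions their failure reaches."""
    assets = {d for deps in depends_on.values() for d in deps if d.startswith("asset:")}
    scores = {a: sum(weights.get(n, 0) for n in impacted_by(a, depends_on)) for a in assets}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for asset, score in crown_jewels():
        print(f"{score:>3}  {asset}")
```

The ranking changes only when the business changes the mission weights or the map, which is the slides' point that the business, not the analyst, decides what matters.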