1. Best Practices for Leveraging Security Threat Intelligence
Dave Shackleford, Voodoo Security and SANS
Russell Spitler, AlienVault
© 2014 The SANS™ Institute - www.sans.org
2. What IS threat intelligence?
• Threat intelligence is the set of data collected, assessed, and applied regarding:
– Security threats
– Threat actors
– Exploits
– Malware
– Vulnerabilities
– Compromise indicators
3. What Threat Intelligence ISN’T
• Regarding data for threat intelligence:
– Not just one type of data
– Not just one source of data
– Not just internal or external
• Threat intelligence is also not one form of analysis or reporting
• Threat intelligence can mean different things to different organizations
– This is 100% OK.
4. Advanced Threats
• Malware-based espionage staged by threat actors that:
– Aggressively pursue and compromise specific targets
– Often leverage social engineering
– Maintain a persistent presence within the victim’s network
– Escalate privilege and move laterally within the victim’s network
– Extract sensitive information to locations under the attacker’s control
5. Today’s Attack Cycle
1. Intelligence Gathering: Target individuals
2. Point of Entry: Social Engineering and malware deployment
3. C&C Communication
4. Lateral Movement
5. Asset/Data Discovery: What is important and/or sensitive?
6. Data Exfiltration: Data sent outbound to systems under the attacker’s control
6. What’s This Leading To?
Source: http://www.forrester.com/Five+Steps+To+Build+An+Effective+Threat+Intelligence+Capability/fulltext/-/E-RES83841
7. Why Threat Intelligence?
• Attackers are innovating faster than we are
• “Productization” of malware
– Attack kits and “crimeware”
– Reuse of malware and C2 protocols
– Botnets for rent
• Other organizations have likely seen similar attacks or variants
– We can help each other share information to defend better
8. Adversary Analysis
• Why develop adversary profiles?
– Adversary profiles can provide clues as to the attacks, targets, and techniques commonly used
• Adversary Types
– Unsophisticated – “script kiddies”
– Competitors
– State-sponsored
– Organized Crime
– Insiders (can also be one of the above)
9. What kinds of data can we share?
• DNS entries that are or should be blacklisted
• Countries of origin with specific reputation criteria
• Types of events to look out for:
– Application attacks
– Ports and IP addresses
– Specific types of malware detected
• Vertical-specific likelihood
• And more…
10. Intelligence can drive Investigations
• Intelligence-driven investigations are based on the preservation of the relationships between the components of individual attacks so that they can be clustered as a campaign.
• Investigative Components
– Malware Analysis
– Network Analysis
– Underground Analysis
– “Big Data” Analysis
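The clustering idea on this slide, as an added example in Python (not code from the deck, from SANS or from AlienVault): each incident keeps the components observed in it (malware hash, C2 host or IP, delivery sender), and a union-find pass links any two incidents that share a component, transitively, into one campaign. The incident records, the field names and the "any shared pivot links two incidents" rule are assumptions made for illustration.

```python
"""Cluster individual attacks into campaigns by the components they share.

Added example, not from the SANS/AlienVault deck. The incident records are
constructed, and the linking rule (two attacks belong to the same campaign
when they share a pivotable component) is an assumption for illustration.
"""
from collections import defaultdict

# Components worth preserving per incident: the malware, the network
# infrastructure and the delivery artefact. Flattening these into a single
# alert loses the relationship that lets two incidents be seen as one campaign.
PIVOT_KEYS = ("malware_sha256", "c2_host", "c2_ip", "sender")

# Constructed incidents (hashes shortened and obviously fake; IPs from
# documentation ranges).
INCIDENTS = [
    {"id": "INC-1", "malware_sha256": "sha256:aaaa0001",
     "c2_host": "update-check.example", "sender": "hr@payroll-notice.example"},
    {"id": "INC-2", "malware_sha256": "sha256:bbbb0002",
     "c2_host": "update-check.example"},
    {"id": "INC-3", "malware_sha256": "sha256:bbbb0002",
     "c2_host": "cdn-static.example", "c2_ip": "203.0.113.40"},
    {"id": "INC-4", "malware_sha256": "sha256:cccc0003",
     "c2_host": "mirror.example"},
    {"id": "INC-5", "malware_sha256": "sha256:dddd0004", "c2_ip": "198.51.100.9"},
    {"id": "INC-6", "malware_sha256": "sha256:eeee0005", "c2_ip": "198.51.100.9",
     "sender": "billing@invoice-portal.example"},
]


def cluster_campaigns(incidents, pivot_keys=PIVOT_KEYS):
    """Union-find over incidents: a shared pivot value links two incidents,
    and links are transitive, so INC-1 and INC-3 land in one campaign even
    though they share nothing directly (INC-2 bridges them)."""
    parent = {inc["id"]: inc["id"] for inc in incidents}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # Index every (component, value) to the incidents that carry it.
    holders = defaultdict(list)
    for inc in incidents:
        for key in pivot_keys:
            value = inc.get(key)
            if value:
                holders[(key, value)].append(inc["id"])
    for ids in holders.values():
        for other in ids[1:]:
            union(ids[0], other)

    members = defaultdict(list)
    for inc in incidents:
        members[find(inc["id"])].append(inc["id"])

    campaigns = []
    for root, ids in members.items():
        # The pivots are the components that actually tied the members together.
        pivots = sorted(kv for kv, carriers in holders.items()
                        if len(carriers) > 1 and find(carriers[0]) == root)
        campaigns.append({"members": sorted(ids), "pivots": pivots})
    return sorted(campaigns, key=lambda c: c["members"][0])


if __name__ == "__main__":
    for campaign in cluster_campaigns(INCIDENTS):
        print(campaign["members"], "linked by", campaign["pivots"])
```

The returned `pivots` list is what an analyst would hand to the network, malware and underground analysis tracks: it names exactly which artefacts are worth chasing further for that campaign.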
11. How to Evaluate Threat Intel Services and Providers
• The first key differentiator is data DIVERSITY:
– Where does the data come from?
– What type(s) of data do you get?
– Do IOC artifacts come in one format (i.e., file hashes) or multiple?
– What specifics are available (vertical/industry, geography, etc.)?
12. How to Evaluate Threat Intel Services and Providers
• The second differentiator is data ANALYSIS:
– What kind of analysis is performed?
– Who does the analysis?
– To what depth is analysis done – basic IOCs, or full traceback?
– Is the data correlated with other information?
13. How to Evaluate Threat Intel Services and Providers
• The third differentiator is data QUALITY:
– Does the data go through a “QA” process?
– Is data revisited/re-analyzed to ensure it is still accurate?
– When are indicators “expired”?
– What is the expiration strategy/lifecycle … on an ongoing basis?
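One concrete answer to the expiration and re-analysis questions on this slide, as an added example in Python (not from the deck or from any vendor): each indicator ages from its last sighting at a rate that depends on its type, drops into a "stale" bucket that queues it for re-analysis, and is retired once its lifetime runs out; a fresh sighting restarts the clock. The per-type lifetimes, the stale threshold, the linear confidence decay and the indicator values are all assumed policy choices and constructed data.

```python
"""Indicator lifecycle: age indicators by type, flag them for re-analysis,
and retire them, so a feed does not keep blocking yesterday's bad IP.

Added example, not from the deck. The lifetimes, the stale threshold and
the decay rule are assumed policy values; the indicators are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed lifetime (days since last sighting) per indicator type. A hash of
# known malware stays bad; IPs and domains get reassigned, so they age faster.
TTL_DAYS = {"ip": 30, "domain": 90, "url": 60, "sha256": 365}
STALE_FRACTION = 0.5   # beyond this share of the TTL, queue for re-analysis


@dataclass
class Indicator:
    itype: str
    value: str
    last_seen: datetime
    confidence: int          # 0-100, as rated by the source at last_seen
    sightings: int = 1


def status(ind, now):
    """'active' -> keep enforcing; 'stale' -> re-analyse; 'expired' -> retire."""
    ttl = timedelta(days=TTL_DAYS[ind.itype])
    age = now - ind.last_seen
    if age >= ttl:
        return "expired"
    if age >= ttl * STALE_FRACTION:
        return "stale"
    return "active"


def effective_confidence(ind, now):
    """Decay the source's confidence linearly to zero across the TTL window."""
    age_days = (now - ind.last_seen).total_seconds() / 86400
    remaining = max(0.0, 1.0 - age_days / TTL_DAYS[ind.itype])
    return round(ind.confidence * remaining)


def observe(ind, when, source_confidence):
    """A fresh sighting restarts the clock and raises confidence (capped)."""
    if when > ind.last_seen:
        ind.last_seen = when
    ind.sightings += 1
    ind.confidence = min(100, max(ind.confidence, source_confidence) + 5)
    return ind


def triage(indicators, now):
    """Split a feed into what to keep enforcing, re-analyse, and retire."""
    buckets = {"active": [], "stale": [], "expired": []}
    for ind in indicators:
        buckets[status(ind, now)].append(ind.value)
    return buckets


NOW = datetime(2014, 6, 1, tzinfo=timezone.utc)   # fixed clock for the demo
INDICATORS = [                                     # constructed sample feed
    Indicator("ip", "198.51.100.23", NOW - timedelta(days=5), 80),
    Indicator("ip", "203.0.113.77", NOW - timedelta(days=20), 80),
    Indicator("domain", "update-check.example", NOW - timedelta(days=100), 90),
    Indicator("sha256", "sha256:bbbb0002", NOW - timedelta(days=200), 95),
    Indicator("sha256", "sha256:aaaa0001", NOW - timedelta(days=10), 95),
]

if __name__ == "__main__":
    for bucket, values in triage(INDICATORS, NOW).items():
        print(bucket, values)
```

Run against a real feed, the "stale" bucket is the work queue for the re-analysis step the slide asks about, and the "expired" bucket is what gets pulled from blocklists so that a reassigned address stops generating false positives.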
14. Example: Sinkhole Case
• A known malware propagation platform communicating with a C&C server
• This can fuel a sinkhole approach
15. Example: C&C Events
• Active malware command and control communications
17. Example: Java File Download
• Another malware download example, this time with a Java .jar file:
18. AlienVault Open Threat Exchange
Open Threat Exchange (OTX) is a framework to allow collaboration for enhanced threat assessment and response
19. Built into AlienVault USM & OSSIM
• Diverse threat data
– Unified Security Management
– SIEM, IDS, VA, HIDS, Netflow in one product
• Diverse install base
– >12,000 installations
– Open Source & Commercial
20–24. Automate Threat Sharing & Action
[Diagram built up across five slides: an attacker (“Bad Guy”) hits AlienVault USM or OSSIM Installation 1, which reports to AlienVault OTX; OTX in turn feeds AlienVault USM or OSSIM Installation 2.]
1. Observed Attack
2. Anonymous Contribution
3. Data Validation
4. Distribute Threat Intelligence
5. Identify Malicious Activity
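The five-step loop in the diagram, as an added example in Python that is not AlienVault's code and not how OTX is implemented: one installation's sensor raises alerts, the attacking source is contributed under an opaque contributor token with the internal destination stripped, the exchange accepts only indicators that are outside internal address space and corroborated by a minimum number of independent contributors, the validated feed is published, and a second installation matches it against its own traffic, including connections its sensors never alerted on. The log lines, site names, token scheme and corroboration threshold are all constructed assumptions.

```python
"""Simulate the observe / contribute / validate / distribute / identify loop.

Added example, not AlienVault's code and not how OTX is implemented; every
log line, site name and threshold below is constructed for illustration.
"""
import hashlib
import ipaddress
from collections import defaultdict

MIN_CONTRIBUTORS = 2   # assumed validation rule: independent corroboration

# Address space that must never reach a shared feed: a contributor's own
# internal hosts would otherwise be blocked at every subscriber.
INTERNAL = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed key=value sensor records from three independent installations.
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, used as the
# stand-in "external" attackers here.
SITE_LOGS = {
    "site-1": [
        "ts=2014-05-01T10:00:01Z src=198.51.100.23 dst=10.1.0.5 action=alert sig=TROJAN_CnC_Beacon",
        "ts=2014-05-01T10:02:11Z src=203.0.113.77 dst=10.1.0.5 action=alert sig=WEB_SQL_Injection",
        "ts=2014-05-01T10:03:30Z src=10.1.0.9 dst=10.1.0.5 action=alert sig=SCAN_Internal_Portscan",
        "ts=2014-05-01T10:04:00Z src=10.1.0.7 dst=10.1.0.5 action=allow sig=-",
    ],
    "site-3": [
        "ts=2014-05-01T11:15:42Z src=198.51.100.23 dst=172.16.4.2 action=alert sig=TROJAN_CnC_Beacon",
    ],
    "site-2": [   # the subscriber: no alerts of its own, but it talked to the C2
        "ts=2014-05-02T08:00:05Z src=198.51.100.23 dst=192.168.20.10 action=allow sig=-",
        "ts=2014-05-02T08:00:09Z src=192.168.20.10 dst=198.51.100.23 action=allow sig=-",
        "ts=2014-05-02T08:01:00Z src=192.168.20.11 dst=203.0.113.5 action=allow sig=-",
    ],
}


def parse(line):
    return dict(field.split("=", 1) for field in line.split())


def observe_attacks(lines):
    """Step 1: the local sensor raises alerts; keep those records."""
    return [r for r in map(parse, lines) if r["action"] == "alert"]


def contribute(site_id, observations):
    """Step 2: share only the external source and the signature. The site
    becomes an opaque token (assumed scheme) and internal destinations are dropped."""
    token = hashlib.sha256(site_id.encode()).hexdigest()[:12]
    return [{"contributor": token, "ip": o["src"], "sig": o["sig"]} for o in observations]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


def validate(contributions):
    """Step 3: accept an indicator only if it is outside internal space and
    was reported by enough independent contributors."""
    reporters = defaultdict(set)
    for c in contributions:
        if is_internal(c["ip"]):
            continue
        reporters[c["ip"]].add(c["contributor"])
    accepted = sorted(ip for ip, who in reporters.items() if len(who) >= MIN_CONTRIBUTORS)
    pending = sorted(ip for ip, who in reporters.items() if len(who) < MIN_CONTRIBUTORS)
    return accepted, pending


def distribute(accepted):
    """Step 4: the exchange publishes the validated feed to every subscriber."""
    return set(accepted)


def identify(feed, lines):
    """Step 5: a subscriber matches the feed against its own traffic."""
    hits = []
    for line in lines:
        rec = parse(line)
        if rec["src"] in feed or rec["dst"] in feed:
            hits.append(line)
    return hits


def run_pipeline(site_logs=SITE_LOGS, subscriber="site-2"):
    contributions = []
    for site, lines in site_logs.items():
        contributions += contribute(site, observe_attacks(lines))
    accepted, pending = validate(contributions)
    feed = distribute(accepted)
    return sorted(feed), pending, identify(feed, site_logs[subscriber])


if __name__ == "__main__":
    feed, pending, hits = run_pipeline()
    print("feed:", feed, "pending corroboration:", pending)
    for h in hits:
        print("malicious activity at site-2:", h)
```

The point of the `pending` list is that a single-reporter indicator is not discarded, only withheld from the feed until another contributor corroborates it; the internal 10.1.0.9 scan source, by contrast, is rejected outright so one site's misconfiguration cannot poison everyone else's blocklist.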
25. Current OTX Participation
• 17,000 Contributions per day
• 140 Countries
• 500k IPs, URLs, and Malware Samples analyzed daily
26. Attack Trends and Examples
• Current Attack Trends include:
– Stealth malware
– HTTP/HTTPS C&C channels
– Anti-forensics
– New and varied DDoS tactics
– Myriad Web app attacks
– Client-side attacks with social engineering as the primary attack vector
• How can we learn about these?
27. Conclusion
• We’re all facing attacks, all the time
• We have a lot of data – why not share it?
• To advance the state of threat intelligence, we’ll need to collaborate and correlate data at a much larger scale
• OTX is one effort to do just that