Threat Intelligence – Routes to a
Proactive Capability
Ollie Whitehouse, Architect, Advanced Threat Research
22nd November, 2007
Agenda

1. Introduction
2. Intelligence Sources
3. Some Examples
4. Discussion

Symantec Advanced Threat Research

Threat Intelligence – Routes to a Proactive Capability

2
Introduction

Symantec and Cellular Security
Introduction – The Presentation
• Original purpose of this presentation
  – An open discussion between A Client and Symantec
    • About the types of intelligence sources A Client could leverage
    • How these could be used to gain insight into threats
  – Presentation of a number of ideas on how to achieve this
  – Designed to be interactive
    • Brainstorming, guidance, questions, answers all welcome…
• What this presentation is NOT
  – A presentation on productized technology available from Symantec
• Goal of a well-developed intelligence program
  – Gain visibility ahead of time
  – Predict likely targets
  – Detect stealthy attacks or attack precursors
Introduction – The Presentation
• Problem statement guidance
  – Existing threat intelligence data is reactive
    • Patch Tuesday etc…
  – A Client wants to develop more of a proactive capability
    • How to gain visibility before the attack
      – Technology threat intelligence
      – Aggressor threat intelligence
    • How to detect attacks for which there is no signature
• Additional guidance already given
  – This will not focus on web-based applications
  – This will look at infrastructure and standard client-based threats

Intelligence Sources

Intelligence Sources
• So what does A Client have access to?
  – A lot!
  – However, deciding what to process will be difficult
  – Actual processing will present some unique challenges
  – Result: risk / effort versus reward will come into play
• Caveat: you may be analyzing some of these already
• What follows is a relatively high-level overview
  – Designed to capture the key sources
  – Does not cover in detail all the methods of analysis

Intelligence Sources (diagram slide)

Intelligence Sources
• A couple of key observations
  – Gaining insight into where/how an attack will happen ahead of time is hard
    • Unlike fraud, attackers aren’t going to hang out on publicly accessible channels discussing their targets/methods
    • Monitoring for sentiment is going to throw up false positives (annoyed customers etc.)
    • Attacks which hit you fall into two categories – mass exploitation & targeted
      • Mass exploitation – some indication ahead of time
      • Targeted – little to no indication ahead of time
  – However, detecting the early stages of an attack is far easier
  – Detecting an in-progress attack is even easier
  – So some discussion around the key objectives will need to be had

Couple of Examples

Binary File Format Exploitation - PDF
• Goal
  – Process PDFs at the mail server/AV/SPAM layer to identify suspicious files potentially trying to exploit a vulnerability
• Approach
  – Does it comply with the file format?
    • Does your AV/SPAM solution successfully parse it?
    • Can you automate the opening of all PDF files in a sandbox to detect crashes and/or suspicious behavior?
  – What does it contain?
    • Is it a re-work of a press release issued by you, a competitor, a regulator or a publicly listed company?
    • Do shell code heuristics trigger?
  – What produced it?
    • A surprising amount of metadata in PDFs could be used to influence its risk profile.
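The three questions on this slide (does it comply with the format, what does it contain, what produced it) can be turned into a cheap first-pass filter at the mail gateway. The following is an added example, not code from the slides or from Symantec: a Python triage pass over raw PDF bytes that checks basic structure, looks for the active-content names exploit documents usually depend on (undoing PDF name hex escapes first, since that is a common way to hide them), pulls the Info-dictionary metadata, and folds everything into a score. The name list, the weights, the 5-point threshold and both sample PDFs are constructed assumptions.

```python
import re
from typing import Dict, List, Set

# Names that are not malicious on their own but that exploit documents
# typically need; presence raises the score (list is an assumption).
ACTIVE_CONTENT = (b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
                  b"/EmbeddedFile", b"/RichMedia")


def check_structure(data: bytes) -> List[str]:
    """Cheap format-compliance checks on the raw bytes."""
    findings = []
    if not data.startswith(b"%PDF-1."):
        findings.append("missing or non-standard %PDF header")
    if b"%%EOF" not in data[-1024:]:
        findings.append("no %%EOF marker near end of file")
    if b"startxref" not in data:
        findings.append("no startxref pointer")
    if data.count(b" obj") != data.count(b"endobj"):
        findings.append("unbalanced obj/endobj pairs")
    return findings


def find_active_content(data: bytes) -> List[str]:
    """Active-content names present after undoing hex escapes (/J#61vaScript)."""
    normalised = re.sub(rb"#([0-9A-Fa-f]{2})",
                        lambda m: bytes([int(m.group(1), 16)]), data)
    return [name.decode() for name in ACTIVE_CONTENT if name in normalised]


def extract_metadata(data: bytes) -> Dict[str, str]:
    """String values from the Info dictionary (simplified: literal strings
    without nested or escaped parentheses)."""
    pattern = rb"/(Producer|Creator|Author|Title|CreationDate)\s*\(([^)]*)\)"
    return {k.decode(): v.decode("latin-1") for k, v in re.findall(pattern, data)}


def triage(data: bytes, known_producers: Set[str]) -> Dict[str, object]:
    """Combine the three questions into one score. Weights are assumptions:
    each structure defect 2, each active-content name 3, an unknown producer 2,
    no producer at all 1; a score of 5 or more means hold the file."""
    structure = check_structure(data)
    active = find_active_content(data)
    meta = extract_metadata(data)
    score = 2 * len(structure) + 3 * len(active)
    producer = meta.get("Producer", "")
    if not producer:
        score += 1
    elif producer not in known_producers:
        score += 2
    return {"structure": structure, "active_content": active, "metadata": meta,
            "score": score, "verdict": "hold" if score >= 5 else "deliver"}


# Constructed sample: a minimal well-formed PDF from a known toolchain.
BENIGN_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Producer (Acme Office 1.0) /Author (press office) >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R >>\nstartxref\n0\n%%EOF\n"
)

# Constructed sample: hex-escaped /JavaScript behind an /OpenAction, no
# producer and an unterminated object, i.e. the shape of a hand-built file.
SUSPICIOUS_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj\n<< /Type /Catalog /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /J#61vaScript /JS (app.alert(1)) >>\n"
    b"trailer\n<< /Root 1 0 R >>\nstartxref\n0\n%%EOF\n"
)

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF)):
        print(label, triage(pdf, {"Acme Office 1.0"}))
```

The structure checks are deliberately shallow: a file that fails them should go to the sandbox route the slide describes rather than be rejected outright, since a real parser (and the reader it targets) can be far more tolerant than these string tests.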
Binary File Format Exploitation - PDF (diagram slide)

Binary File Format Exploitation - JAR
• Goal
  – Log accesses made to JARs via A Client web proxies
  – Isolate those of interest and analyze off-line to detect targeted attacks
• Approach
  – Has it changed?
    • Over time, if you generate hashes for the JARs accessed you’ll be able to spot changes
  – Is it signed?
    • Is the archive signed by a trusted company?
  – Does it comply with the file format?
    • Does your AV/SPAM solution successfully parse it?
    • Can you automate the opening of all JAR files in a sandbox to detect crashes and/or suspicious behavior using multiple JVMs?
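The JAR workflow on this slide is a baseline-and-compare job: hash what the proxy served, remember it per URL, and flag the fetch when the content changes, when the archive does not parse, or when it carries no signature. The block below is an added example, not code from the slides or from Symantec. The two JARs, the "proxy log" and the in-memory baseline dictionary are all constructed; the signature check only establishes that signature files are present, because deciding whether the signer is a trusted company needs the certificate chain and a trust store (for example `jarsigner -verify` from the JDK), which is out of scope here.

```python
import hashlib
import io
import zipfile
from typing import Dict, List, Tuple

SIGNATURE_SUFFIXES = (".SF", ".RSA", ".DSA", ".EC")


def parse_jar(data: bytes) -> Dict[str, object]:
    """Does it comply with the format? Valid ZIP, CRCs intact, manifest
    present, and which META-INF signature files it carries."""
    result = {"valid_zip": False, "has_manifest": False, "signature_files": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if zf.testzip() is not None:      # some member fails its CRC check
                return result
            names = zf.namelist()
    except zipfile.BadZipFile:
        return result
    result["valid_zip"] = True
    result["has_manifest"] = "META-INF/MANIFEST.MF" in names
    result["signature_files"] = [n for n in names if n.startswith("META-INF/")
                                 and n.upper().endswith(SIGNATURE_SUFFIXES)]
    return result


def triage_jar(url: str, data: bytes, baseline: Dict[str, str]) -> Dict[str, object]:
    """One proxy fetch: compare its hash with the last one seen for the URL,
    update the baseline, then run the structural checks."""
    digest = hashlib.sha256(data).hexdigest()
    findings: List[str] = []
    previous = baseline.get(url)
    if previous is None:
        findings.append("first time this URL has served a JAR")
    elif previous != digest:
        findings.append("content changed since last fetch")
    baseline[url] = digest
    info = parse_jar(data)
    if not info["valid_zip"]:
        findings.append("not a valid ZIP archive")
    else:
        if not info["has_manifest"]:
            findings.append("no META-INF/MANIFEST.MF")
        if not info["signature_files"]:
            findings.append("unsigned archive")
    # A changed or unparseable archive is what goes to off-line analysis.
    needs_review = any(f.startswith(("content changed", "not a valid")) for f in findings)
    return {"url": url, "sha256": digest, "findings": findings, "needs_review": needs_review}


def build_jar(signed: bool, payload: bytes) -> bytes:
    """Constructed sample JAR: manifest, one class entry and, optionally,
    placeholder signature files (the bytes are not a real signature)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("com/example/Applet.class", payload)
        if signed:
            zf.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/VENDOR.RSA", b"placeholder-pkcs7-block")
    return buf.getvalue()


SIGNED_V1 = build_jar(True, b"\xca\xfe\xba\xbe version one")
UNSIGNED_V2 = build_jar(False, b"\xca\xfe\xba\xbe version two")
NOT_A_JAR = b"<html>404 not found</html>"

# Constructed proxy log: (url, bytes served) in the order the proxy saw them.
PROXY_LOG: List[Tuple[str, bytes]] = [
    ("http://vendor.example/app.jar", SIGNED_V1),
    ("http://vendor.example/app.jar", SIGNED_V1),
    ("http://vendor.example/app.jar", UNSIGNED_V2),
    ("http://cdn.example/lib.jar", NOT_A_JAR),
]


def run(log: List[Tuple[str, bytes]]) -> List[Dict[str, object]]:
    baseline: Dict[str, str] = {}
    return [triage_jar(url, data, baseline) for url, data in log]


if __name__ == "__main__":
    for entry in run(PROXY_LOG):
        print(entry["url"], entry["needs_review"], entry["findings"])
```

Keying the baseline on the URL is what makes the third fetch stand out: the same address that served a signed archive twice now serves a different, unsigned one, which is exactly the change the slide says hashing over time will reveal.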

The Generic E-Mail Attack
• Goal
  – Detect the generic targeted e-mail attachment-borne attack
• Lots of things to look at
  – Is the source IP actually assigned to the company it’s claimed to be from?
  – If you’ve received e-mail from that organization before, did the e-mail originate from the same source?
  – Does the message header contain character set information which indicates it originated from a non-friendly or suspicious country?
  – Have you seen e-mails from that person to that person before?
  – Does the message content contain public information re-worked?
  – Does the attachment contain public information re-worked?
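Each question on this slide maps onto a small check against a baseline built from mail already received. The block below is an added example, not code from the slides or from Symantec: it parses one message, takes the connecting IP from the Received header that our own MX wrote (the lower Received lines are supplied by the remote side and can be forged), compares it with a constructed IP-ownership table standing in for WHOIS/ASN data and with the networks the sending domain used before, looks for charsets in encoded-word headers and the body, checks whether the sender/recipient pair has been seen, and measures how much of the body re-uses public text with 5-word shingles (the same "re-worked press release" test the PDF slide raises). The sample message, the baseline, the charset list and the thresholds are all constructed assumptions.

```python
import email
import ipaddress
import re
from email import policy
from typing import Dict, List, Set

# Constructed stand-in for a WHOIS/ASN lookup: networks the company behind a
# sending domain actually owns.
IP_OWNERSHIP = {"partner.example": ["203.0.113.0/24"]}

# Constructed baseline from earlier traffic: networks each domain has mailed
# from, and (sender, recipient) pairs already seen.
BASELINE = {
    "networks": {"partner.example": ["203.0.113.0/24"]},
    "pairs": {("alice@partner.example", "bob@target.example")},
}

# Charsets that would be unexpected from this sender population (assumption).
UNEXPECTED_CHARSETS = {"koi8-r", "windows-1251", "gb2312", "gbk", "big5"}

# Constructed public text (a press release) to test for re-worked content.
PUBLIC_TEXT = ["Target Example today announced record quarterly results driven by "
               "strong demand for its widget platform across all regions, the "
               "company said in a statement"]


def in_networks(ip: str, networks) -> bool:
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(n) for n in networks)


def connecting_ip(msg) -> str:
    """IP from the top-most Received header, the one our own MX wrote."""
    received = msg.get_all("Received", [])
    m = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0])) if received else None
    return m.group(1) if m else ""


def shingles(text: str, n: int = 5) -> Set[str]:
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


PUBLIC_SHINGLES = set().union(*(shingles(t) for t in PUBLIC_TEXT))


def public_overlap(text: str) -> float:
    """Fraction of the text's 5-word shingles that also occur in public text."""
    s = shingles(text)
    return len(s & PUBLIC_SHINGLES) / len(s) if s else 0.0


def address(header_value: str) -> str:
    m = re.search(r"[\w.+-]+@[\w.-]+", header_value)
    return m.group(0).lower() if m else ""


def score_message(raw: bytes, baseline=BASELINE) -> Dict[str, object]:
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = address(str(msg.get("From", "")))
    recipient = address(str(msg.get("To", "")))
    domain = sender.rsplit("@", 1)[-1]
    ip = connecting_ip(msg)
    findings: List[str] = []
    # 1. Is the connecting IP assigned to the company it claims to be from?
    if ip and not in_networks(ip, IP_OWNERSHIP.get(domain, [])):
        findings.append(f"connecting IP {ip} is not assigned to {domain}")
    # 2. Did earlier mail from this organisation come from the same place?
    known = baseline["networks"].get(domain, [])
    if ip and known and not in_networks(ip, known):
        findings.append("different source network than earlier mail from this domain")
    # 3. Charsets in encoded-word headers and in the body's Content-Type.
    charsets = {c.decode().lower() for c in re.findall(rb"=\?([\w-]+)\?[bBqQ]\?", raw)}
    if msg.get_content_charset():
        charsets.add(msg.get_content_charset().lower())
    odd = sorted(charsets & UNEXPECTED_CHARSETS)
    if odd:
        findings.append("unexpected charset(s): " + ", ".join(odd))
    # 4. Has this person written to that person before?
    if (sender, recipient) not in baseline["pairs"]:
        findings.append("first message seen between this sender and recipient")
    # 5. Is the body re-worked public text?
    part = msg.get_body(preferencelist=("plain",))
    overlap = public_overlap(part.get_content()) if part else 0.0
    if overlap >= 0.5:
        findings.append(f"body re-uses public text ({overlap:.0%} shingle overlap)")
    return {"connecting_ip": ip, "findings": findings, "public_overlap": overlap,
            "verdict": "hold" if len(findings) >= 3 else "deliver"}


# Constructed sample message: claims to be from partner.example but arrived
# from an unrelated network, carries a koi8-r subject, goes to a new
# recipient and re-uses the press release above.
SAMPLE = (
    b"Received: from mail.partner.example (mail.partner.example [198.51.100.7])\n"
    b"\tby mx.target.example with ESMTP id c0ffee; Thu, 22 Nov 2007 09:00:00 +0000\n"
    b"Received: from [192.0.2.5] by mail.partner.example; Thu, 22 Nov 2007 08:59:00 +0000\n"
    b"From: Alice <alice@partner.example>\n"
    b"To: carol@target.example\n"
    b"Subject: =?koi8-r?Q?=D0=D2=C9=D7=C5=D4?=\n"
    b"MIME-Version: 1.0\n"
    b"Content-Type: text/plain; charset=\"us-ascii\"\n"
    b"\n"
    b"Target Example today announced record quarterly results driven by strong demand\n"
    b"for its widget platform across all regions. Please see the attached file for details.\n"
)

if __name__ == "__main__":
    print(score_message(SAMPLE))
```

None of the five signals is conclusive alone (a partner migrating mail providers trips the first two, a multilingual correspondent the third), which is why the verdict needs several of them together and why the baseline should be refreshed from mail that turned out to be legitimate.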

Pro-Active Strategies for Attachments
• Goal
  – How do we identify the next zero-day that would work against our organization?
• We utilize some of the pre-filtering already discussed
• Then we have a copy of our geographic or departmental standard builds inside a couple of virtualized environments*
• We then pass a selection of received e-mails/attacks through
• We also regularly visit a selection of web sites commonly visited by the entire organization or specific departments
• We also visit a sample of URLs sent into the organization (E-Mail/IM etc.)
• All to monitor for any unexpected behavior
Other Things to Consider
• All of the strategies I’ve discussed are because we know the modi operandi of certain classes of attacker
• However, there are a number of other approaches we can consider to spot attacker evolution
  – Trending
    • We’ve seen attackers go after images (JPG/PNG/TIFF), Office (DOC/XLS/PPT), Web Containers (JAR), Other (WMF, PDF, ZIP) for binary format exploitation
    • It doesn’t take a rocket scientist to realize this isn’t going to stop while it’s so successful
    • So what applications do you run which haven’t been targeted (either proprietary, niche or common)? Why don’t you go after them aggressively, find the vulnerabilities, and develop mitigations and/or detections ahead of time

Open Discussion

Thank You!

Ollie Whitehouse
ollie_whitehouse@symantec.com
http://www.symantec.com/

Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.


 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality AssuranceInflectra
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Mark Goldstein
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfIngrid Airi González
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 

Kürzlich hochgeladen (20)

A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native developmentEmixa Mendix Meetup 11 April 2024 about Mendix Native development
Emixa Mendix Meetup 11 April 2024 about Mendix Native development
 
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
Unleashing Real-time Insights with ClickHouse_ Navigating the Landscape in 20...
 
Decarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a realityDecarbonising Buildings: Making a net-zero built environment a reality
Decarbonising Buildings: Making a net-zero built environment a reality
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
Why device, WIFI, and ISP insights are crucial to supporting remote Microsoft...
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance[Webinar] SpiraTest - Setting New Standards in Quality Assurance
[Webinar] SpiraTest - Setting New Standards in Quality Assurance
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
Arizona Broadband Policy Past, Present, and Future Presentation 3/25/24
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Generative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdfGenerative Artificial Intelligence: How generative AI works.pdf
Generative Artificial Intelligence: How generative AI works.pdf
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 

Threat Intelligence - Routes to a Proactive Capability

1. Threat Intelligence – Routes to a Proactive Capability
Ollie Whitehouse, Architect, Advanced Threat Research
22nd November, 2007
2. Agenda
1 Introduction
2 Intelligence Sources
3 Some Examples
4 Discussion
Symantec Advanced Threat Research
Threat Intelligence – Routes to a Proactive Capability
2
3. Introduction
Symantec and Cellular Security
4. Introduction – The Presentation
• Original purpose of this presentation
– An open discussion between A Client and Symantec
• About the types of intelligence sources A Client could leverage
• How these could be used to gain insight into threats
– Presentation of a number of ideas on how to achieve this
– Designed to be interactive
• Brainstorming, guidance, questions, answers all welcome…
• What this presentation is NOT
– A presentation on productized technology available from Symantec
• Goal of a well-developed intelligence program
– Gain visibility ahead of time
– Predict likely targets
– Detect stealthy attacks or attack precursors
5. Introduction – The Presentation
• Problem statement guidance
– Existing threat intelligence data is reactive
• Patch Tuesday etc…
– A Client wants to develop more of a proactive capability
• How to gain visibility before the attack
– Technology threat intelligence
– Aggressor threat intelligence
• How to detect attacks for which there is no signature
• Additional guidance already given
– This will not focus on web-based applications
– This will look at infrastructure and standard client-based threats
6. Intelligence Sources
7. Intelligence Sources
• So what does A Client have access to?
– A lot!
– However, deciding what to process will be difficult
– Actual processing will present some unique challenges
– Result: risk/effort versus reward will come into play
• Caveat: you may be analyzing some of these already
• What follows is a relatively high-level overview
– Designed to capture the key sources
– Does not cover in detail all the methods of analysis
8. Intelligence Sources
9. Intelligence Sources
• A couple of key observations
– Gaining insight into where/how an attack will happen ahead of time is hard
• Unlike fraud, attackers aren't going to hang out on publicly accessible channels discussing their targets/methods
• Monitoring for sentiment is going to throw up false positives (annoyed customers etc.)
• Attacks which hit you fall into two categories – mass exploitation and targeted
• Mass exploitation – some indication ahead of time
• Targeted – little to no indication ahead of time
– However, detecting the early stages of an attack is far easier
– Detecting an in-progress attack is even easier
– So some discussion around the key objectives will need to be had
10. Couple of Examples
11. Binary File Format Exploitation - PDF
• Goal
– Process PDFs at the mail server/AV/SPAM layer to identify suspicious files potentially trying to exploit a vulnerability
• Approach
– Does it comply with the file format?
• Does your AV/SPAM solution successfully parse it?
• Can you automate the opening of all PDF files in a sandbox to detect crashes and/or suspicious behavior?
– What does it contain?
• Is it a re-work of a press release issued by you, a competitor, a regulator or a publicly listed company?
• Do shellcode heuristics trigger?
– What produced it?
• There is a surprising amount of metadata in PDFs which could be used to influence its risk profile.
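The three questions on this slide (does it comply with the format, what does it contain, what produced it) as a first-pass gateway triage. This is an added example, not code from the deck or from Symantec; the key list, the run threshold and the two sample PDFs are constructed for illustration.

```python
"""Mail-gateway triage of a PDF: format compliance, metadata and sled-like padding (added example)."""
import re
from dataclasses import dataclass, field

# Keys that mark active or embedded content; each one raises the risk profile of a
# document that arrived unsolicited, it does not on its own prove malice (assumed list).
ACTIVE_CONTENT_KEYS = (b"/JavaScript", b"/JS", b"/Launch", b"/OpenAction", b"/AA", b"/EmbeddedFile")
RUN_THRESHOLD = 64  # bytes of one repeated value; legitimate text streams rarely get close

@dataclass
class PdfTriage:
    well_formed: bool
    producer: str
    creator: str
    active_content: list = field(default_factory=list)
    longest_run: int = 0
    score: int = 0

def info_string(data: bytes, key: bytes) -> str:
    """Read a literal-string Info entry such as /Producer (Acrobat) straight from the raw file."""
    m = re.search(key + rb"\s*\((.*?)(?<!\\)\)", data, re.S)
    return m.group(1).decode("latin-1") if m else ""

def longest_byte_run(data: bytes) -> int:
    """Length of the longest run of one repeated byte anywhere in the file."""
    best, run, prev = 0, 0, None
    for b in data:
        run = run + 1 if b == prev else 1
        prev, best = b, max(best, run)
    return best

def triage_pdf(data: bytes) -> PdfTriage:
    """Score one PDF; a high score routes it to the sandbox/analyst queue instead of the user."""
    well_formed = (data.startswith(b"%PDF-") and b"%%EOF" in data
                   and (b"xref" in data or b"/XRef" in data))
    t = PdfTriage(well_formed, info_string(data, b"/Producer"), info_string(data, b"/Creator"))
    t.active_content = [k.decode() for k in ACTIVE_CONTENT_KEYS if k in data]
    t.longest_run = longest_byte_run(data)
    t.score = ((0 if well_formed else 3) + 2 * len(t.active_content)
               + (3 if t.longest_run >= RUN_THRESHOLD else 0)
               + (1 if not (t.producer or t.creator) else 0))  # no producer metadata at all
    return t

# Constructed samples standing in for files pulled off the mail queue.
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
              b"3 0 obj << /Producer (Acrobat Distiller 8.0) /Creator (Word) >> endobj\n"
              b"xref\n0 1\n0000000000 65535 f \ntrailer << /Root 1 0 R /Info 3 0 R >>\n"
              b"startxref\n0\n%%EOF\n")
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
               b"4 0 obj << /S /JavaScript /JS (script body elided) >> endobj\n"
               b"5 0 obj << /Length 200 >> stream\n" + b"\x90" * 200 + b"\nendstream endobj\n"
               b"trailer << /Root 1 0 R >>\n")  # no xref table, no %%EOF, no Info dictionary

if __name__ == "__main__":
    for sample in (BENIGN_PDF, SUSPECT_PDF):
        print(triage_pdf(sample))
```

A real gateway would parse the file properly rather than regex the raw bytes; the point here is that structural non-compliance, active-content keys and missing producer metadata can each be scored before the file ever reaches a reader.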
12. Binary File Format Exploitation - PDF
13. Binary File Format Exploitation - JAR
• Goal
– Log accesses made to JARs via A Client web proxies
– Isolate those of interest and analyze off-line to detect targeted attacks
• Approach
– Has it changed?
• Over time, if you generate hashes for the JARs accessed you'll be able to spot changes
– Is it signed?
• Is the archive signed by a trusted company?
– Does it comply with the file format?
• Does your AV/SPAM solution successfully parse it?
• Can you automate the opening of all JAR files in a sandbox to detect crashes and/or suspicious behavior using multiple JVMs?
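The "has it changed / is it signed / does it parse" checks for proxy-logged JARs, as an added example that is not part of the deck or any Symantec product; the per-URL baseline is an in-memory dict and the JARs are built inline to stand in for bytes captured at the proxy.

```python
"""Proxy-side JAR triage: hash drift per URL, signature presence, format compliance (added example)."""
import hashlib
import io
import zipfile

def build_jar(entries: dict, signed: bool = False) -> bytes:
    """Constructed sample JAR standing in for bytes captured at the web proxy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        for name, body in entries.items():
            zf.writestr(name, body)
        if signed:  # a signed JAR carries a signature file plus a signature block
            zf.writestr("META-INF/VENDOR.SF", "Signature-Version: 1.0\n")
            zf.writestr("META-INF/VENDOR.RSA", b"\x30\x82 placeholder PKCS#7 block")
    return buf.getvalue()

def has_signature_files(names) -> bool:
    """Presence check only: verifying the chain against a trust store is a separate step (jarsigner)."""
    meta = [n for n in names if n.startswith("META-INF/")]
    return (any(n.endswith(".SF") for n in meta)
            and any(n.endswith((".RSA", ".DSA", ".EC")) for n in meta))

def triage_jar(url: str, data: bytes, baseline: dict) -> dict:
    """Record one JAR fetch against the per-URL hash baseline and flag what needs an analyst."""
    digest = hashlib.sha256(data).hexdigest()
    previous = baseline.get(url)
    baseline[url] = digest
    f = {"url": url, "sha256": digest, "changed": previous is not None and previous != digest,
         "parses": False, "signed": False}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            f["parses"] = zf.testzip() is None      # CRC of every member checks out
            f["signed"] = has_signature_files(zf.namelist())
    except zipfile.BadZipFile:
        pass                                        # not a ZIP container at all
    # Changed since last seen, unsigned, or not a valid archive: pull it for off-line analysis.
    f["review"] = f["changed"] or not f["signed"] or not f["parses"]
    return f

if __name__ == "__main__":
    baseline = {}
    url = "http://applets.example.test/tool.jar"  # constructed URL
    fetches = [build_jar({"com/example/Tool.class": b"\xca\xfe\xba\xbe v1"}, signed=True),
               build_jar({"com/example/Tool.class": b"\xca\xfe\xba\xbe v2"}),
               b"PK\x03\x04 truncated download"]
    for blob in fetches:
        print(triage_jar(url, blob, baseline))
```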
14. The Generic E-Mail Attack
• Goal
– Detect the generic targeted e-mail attachment-borne attack
• Lots of things to look at
– Is the source IP actually assigned to the company it's claimed to be from?
– If you've received e-mail from that organization before, did the e-mail originate from the same source?
– Does the message header contain character set information which indicates it originated from a non-friendly or suspicious country?
– Have you seen e-mails from that person to that person before?
– Does the message content contain re-worked public information?
– Does the attachment contain re-worked public information?
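The first four header questions on this slide turned into checks against what the gateway has already seen from a partner domain. This is an added example, not the deck's or Symantec's code; the history tables, domains, addresses and both messages are constructed, and the character-set test is framed as "never seen from this sender domain before" rather than as a country judgement.

```python
"""Header heuristics for inbound mail that claims to come from a known partner (added example)."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed history a gateway accumulates over time: networks each partner domain has
# mailed from, (sender, recipient) pairs already seen, and charsets seen from that domain.
KNOWN_SOURCES = {"partner.example": [ipaddress.ip_network("198.51.100.0/24")]}
SEEN_PAIRS = {("alice@partner.example", "bob@client.example")}
SEEN_CHARSETS = {"partner.example": {"us-ascii", "utf-8", "iso-8859-1"}}
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def originating_ip(msg):
    """Received: headers are prepended by each hop, so the last one is closest to the origin."""
    received = msg.get_all("Received", [])
    m = RECEIVED_IP.search(received[-1]) if received else None
    return ipaddress.ip_address(m.group(1)) if m else None

def header_findings(raw: str) -> list:
    """Return the reasons a message deserves a closer look; an empty list means none fired."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    recipient = parseaddr(msg.get("To", ""))[1].lower()
    domain = sender.rpartition("@")[2]
    findings = []
    ip = originating_ip(msg)
    if domain in KNOWN_SOURCES and (ip is None or not any(ip in n for n in KNOWN_SOURCES[domain])):
        findings.append("source %s is not a network %s has mailed from before" % (ip, domain))
    if (sender, recipient) not in SEEN_PAIRS:
        findings.append("first message seen from %s to %s" % (sender, recipient))
    charset = (msg.get_content_charset() or "").lower()
    if charset and domain in SEEN_CHARSETS and charset not in SEEN_CHARSETS[domain]:
        findings.append("charset %s never seen from %s before" % (charset, domain))
    return findings

# Constructed messages; the Received: chain is read bottom-up.
BENIGN_MAIL = """Received: from mail.partner.example ([198.51.100.25]) by mx.client.example; Thu, 22 Nov 2007 09:00:00 +0000
From: Alice <alice@partner.example>
To: Bob <bob@client.example>
Subject: Q4 figures
Content-Type: text/plain; charset="utf-8"

Figures attached.
"""
SUSPECT_MAIL = """Received: from mx.client.example ([203.0.113.9]) by gw.client.example; Thu, 22 Nov 2007 10:00:00 +0000
Received: from unknown ([192.0.2.77]) by mx.client.example; Thu, 22 Nov 2007 09:59:58 +0000
From: Alice <alice@partner.example>
To: Carol <carol@client.example>
Subject: Re: press release
Content-Type: text/plain; charset="windows-1250"

See attached.
"""

if __name__ == "__main__":
    for name, raw in (("benign", BENIGN_MAIL), ("suspect", SUSPECT_MAIL)):
        print(name, header_findings(raw))
```

Each finding on its own is weak (a partner changing mail providers trips the first one), which is why the slide lists them together: several firing at once on a message with an attachment is what earns the sandbox run.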
15. Pro-Active Strategies for Attachments
• Goal
– How do we identify the next zero-day that would work against our organization?
• We utilize some of the pre-filtering already discussed
• Then we have a copy of our geographic or departmental standard builds inside a couple of virtualized environments*
• We then pass a selection of received e-mails/attacks through
• We also regularly visit a selection of web sites commonly visited by the entire organization or specific departments
• We also visit a sample of URLs sent into the organization (e-mail/IM etc.)
• All to monitor for any unexpected behavior
16. Other Things to Consider
• All of the strategies I've discussed work because we know the modi operandi of certain classes of attacker
• However, there are a number of other approaches we can consider to spot attacker evolution
– Trending
• We've seen attackers go after images (JPG/PNG/TIFF), Office (DOC/XLS/PPT), web containers (JAR) and other formats (WMF, PDF, ZIP) for binary format exploitation
• It doesn't take a rocket scientist to realize this isn't going to stop while it's so successful
• So what applications do you run which haven't been targeted (either proprietary, niche or common)? Why don't you go after them aggressively, find the vulnerabilities, and develop mitigations and/or detections ahead of time?
17. Open Discussion
18. Thank You!
Ollie Whitehouse
ollie_whitehouse@symantec.com
http://www.symantec.com/
Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.