Minutes, hours, days - each one counts when responding to a security incident. Yet most firms have a lot of room for improvement. According to the 2013 Verizon Data Breach Investigations Report, in 66% of cases (up from 56% last year), breaches remained undiscovered for years, and in 22% of cases, it took months to fully contain the incident.
This webinar will review the challenges firms face in trying to create a rapid and decisive incident response (IR) process. It will then highlight the crucial role that timely, contextual threat intelligence can play in turbo-charging incident response, particularly when tightly integrated with the broader IR discipline. Finally, it will reveal the power of this approach by demonstrating Co3's integrated threat intelligence capabilities including intel from industry-leader iSIGHT Partners.
2. Page 2
Agenda
• Introductions
• What is threat intelligence?
• Why does threat intelligence matter?
• How threat intelligence can turbo-charge IR
• Demo: IR management with integrated threat intelligence
3. Page 3
Introductions: Today's Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Matt Hartley, Senior Director of Intelligence Services, iSIGHT Partners
• Tim Armstrong, Security Incident Response Specialist, Co3 Systems
4. Page 4
Co3 – Automating IR based on E.R. standards
PREPARE: Improve Organizational Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table tops)
ASSESS: Identify and Evaluate Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE: Contain, Eradicate, and Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment strategy
• Isolate and remediate cause
• Instruct evidence gathering and handling
• Log evidence
MITIGATE: Document Results & Improve Performance
• Generate reports for management, auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
5. Page 5
About iSIGHT Partners
Intelligence Research: Identify the Threat
• Identify threats with personnel operating globally in 16 countries in local language, dialect, culture
• Recognize, categorize threat actors, groups, and campaigns
• Capture motivation, intents
• Characterize technologies, targets
Intelligence Analysis: Fused Threat Context
• Fuse knowledge and context across threats, sectors
• Focus on threats of highest import
• Link observable attack methodologies to threat sources
• Define threat ecosystem
• Tactical, operational, strategic intel
Intelligence Dissemination: Cyber Threat Intelligence
• Deliver technical and threat intelligence connected to indicators and observables
• Tagged, categorized into areas of threat
• High fidelity actionable insights
• Knowledge and context, not just data
70+ researchers in 16 countries and 24 languages; 70+ cyber threat analysts in the Washington, DC area; 190+ total employees working as a global team
Areas of threat: Vulnerability & Exploit; Threats to Enterprise IT; DDoS; Mobile Threats; Cyber Espionage; Cyber Crime; Hacktivism; Threats to Industrial Control Systems
6. Page 6
What is threat intelligence?
Technical Threat:
Name: uxsue.exe
Identifier: Gameover Zeus
Extension: exe
Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size: 329216
Packer: ['MinGW GCC 3.x']
MD5sum: 045b793b2a47fbea0d341424262c8c5b
Sha1: 5ca6943f557489b510bd0fe8825a7a68ef00af53
Sha256: 8a4036289762a4414382fee8463d2bc7892cd5cab8fb6995eb94706d47e781dd
Fuzzy: 6144:ka23d0lraSurrtt/xue1obsXD8J3Ej+rbC80tsX9GR:kFd0lWzrrtxdowT8U8hYR
MIME:
Compiled: 2012-10-10 17:33:25
Knowledge and context, not just data:
Malware Payload Indicators: Gameover Zeus is a frequently used Trojan in financial cybercrime
Basic Context:
Exploitation Vector: hxxp://26.azofficemovers.com/links/persons_jobs.php
Unique Threat-focused Information: We believe the following actors are either members of or are close associates with the petr0vich group: …
Bottom Line: Zeus Malware Author Probably Working with Gameover Zeus Operators, but Current Level of Involvement Remains Uncertain
Contextual Analysis: …the primary Zeus author partnered with the "petr0vich group," which most likely controls Gameover Zeus, to develop custom Zeus versions…. his continued participation will probably help fuel further innovative developments to Zeus.
7. Page 7
IR Suffers From A Lack Of Intelligence
• “75% said they conduct forensic investigations to 'find and investigate incidents after the fact.'”
- SANS Survey of Digital Forensics and Incident Response, July 2013
• “60% … agree that their company at some point in time failed to stop a material security exploit because of insufficient or outdated threat intelligence.”
• “49% said it can take within a week to more than a month to identify a compromise.”
- Ponemon Institute Live Threat Intelligence Impact Report 2013
• “In 66% of cases (up from 56% last year), breaches remained undiscovered for years, and in 22% of cases, it took months to fully contain the incident.”
- 2013 Verizon Data Breach Investigations Report
8. Page 8
Incident Response Needs Threat Intel
PREPARE: Ensure alignment with real threats and actors
• Who has attacked you in the past?
• How have they attacked you?
• What are those attackers known to be interested in?
ASSESS: Prioritize an informed response
• Who is behind the attack?
• How are they attacking?
• What might they ultimately be after?
• Time is of the essence
MANAGE: Accelerate a decisive response
• What items in the IR plan are most important?
• Law enforcement? The FBI? Who do you need to call?
MITIGATE: Inform mitigation and preparation based on real threats and actors
• How are threats evolving?
• How should you update your preventive and detective controls?
• Can you eliminate the target?
• Should you add some new partners / resources?
• Should you update / expand training?
10. Page 10
Traditional approaches: where does intelligence fit?
Basic IR Framework: Prepare → Detect → Respond → Recover
Basic Investigative Framework (event driven: Incident Report, Notification): Data Capture → Analysis → Link Analysis → Case Prep / Resolution
Intelligence enhances every stage of IR by providing situational awareness, context, and attribution - where does it fit?
11. Page 11
Investigations enhanced by intelligence
Intelligence: proactive, informed by knowledge of threat sources, activities, methods, and historical context
Enhanced Investigative Framework (event driven: Incident Report, Notification):
Data Capture
• Look for: different indicators, other activity
• Look in different places
Analysis
• Consider: adversary intent, previous activity, alternative targeting, additional information
• Fusion of sources
Link Analysis
• Consider: affiliations, adversary intent, previous activity, alternative targeting
• Historical links
Case Prep / Resolution
• Proactive, detective, and preventative measures
• Training and exercises
• Business impact analysis
• Reporting
14. Page 14
Threat Intel With Incident Artifacts in Co3
• Artifacts are attributes of an incident that can indicate the presence and nature of a threat.
• Artifacts can be anything from a suspected malware file, to the IP address of a foreign server.
• Co3 supports multiple artifact types:
• URLs
• IP addresses
• Malware hashes
• DNS names
• Log files
• Emails
• Malware samples
15. Page 15
Threat Intelligence
• Actionable context about the nature of the incident based on its associated artifacts. This insight can include:
• Actor(s)
• Means
• Methods
• Campaign
• Historical context
• Impacts
• Initial threat intelligence feeds include:
• iSIGHT Partners
• Abuse.ch
• AlienVault
• SANS
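The two slides above describe the mechanics of artifact-driven threat intel: normalize each incident artifact into a supported type, then look it up in the feeds to attach actor, campaign and impact context. The following Python is an added illustration of that correlation step; it is not Co3's code and does not reflect any real feed format. The MD5 and URL host are the values shown on the slide-6 sample; the intel set, its field names and all function names are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Constructed intel set (assumption, not a real feed format). The MD5 and the
# URL host are the values shown on the slide-6 sample; the context is sample data.
GOZ = {"identifier": "Gameover Zeus", "actor": "petr0vich group",
       "impact": "financial cybercrime", "source": "iSIGHT Partners (sample)"}
INTEL_FEED = {"045b793b2a47fbea0d341424262c8c5b": GOZ,   # MD5 from slide 6
              "26.azofficemovers.com": GOZ}              # host from slide 6

HEX = re.compile(r"^[0-9a-f]+$")
DNS = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$")

def refang(value):
    """Undo common analyst defanging (hxxp://, [.]) so values can be matched."""
    return value.strip().replace("hxxp", "http").replace("[.]", ".")

def classify(value):
    """Map a raw artifact to one of the artifact types listed on slide 14."""
    v = refang(value).lower()
    if v.startswith(("http://", "https://")):
        return "url", v
    if "@" in v and " " not in v:
        return "email", v
    try:
        return "ip", str(ipaddress.ip_address(v))
    except ValueError:
        pass
    if HEX.match(v) and len(v) in (32, 40, 64):   # MD5 / SHA-1 / SHA-256
        return "hash", v
    if DNS.match(v):
        return "dns", v
    return "unknown", v

def lookup_keys(kind, v):
    """Indicator values to try for an artifact; a URL also matches on its host."""
    return [v, urlparse(v).hostname or ""] if kind == "url" else [v]

def correlate(artifacts, feed=INTEL_FEED):
    """Return (artifact, type, context-or-None) for each incident artifact."""
    results = []
    for raw in artifacts:
        kind, v = classify(raw)
        hit = next((feed[k] for k in lookup_keys(kind, v) if k in feed), None)
        results.append((raw, kind, hit))
    return results
```

Artifacts with no feed match still come back typed, so an analyst can see which indicators lack context rather than silently dropping them.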
16. Page 16
Enabling Actionable, Intelligent, Efficient Response
Co Investigate
Incident Artifacts + Threat Intel
Detailed Threat Info
• Which actors
• What methods
• What impacts
Correlated Threat Context
• Who else
• How else
• Why you
Accelerated Response
• Automatic discovery
• Enhanced collaboration
• Workforce enablement, enhancement
19. Page 19
Co3 Systems, One Alewife Center, Suite 450, Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
Matt Hartley, Senior Director of Intelligence Services
mhartley@isightpartners.com
571.287.7700
“Co3 makes the process of planning for a nightmare scenario as painless as possible, making it an Editors' Choice.”
PC MAGAZINE, EDITOR'S CHOICE
“Platform is comprehensive, user friendly, and very well designed.”
PONEMON INSTITUTE
“One of the hottest products at RSA…”
NETWORK WORLD – FEBRUARY 2013
“Adding the Security Module... to this otherwise fine suite of services, Co3 has done better than a home-run...it has knocked one out of the park.”
SC MAGAZINE
Editor's notes
Matt is the Senior Director of Intelligence Services at iSIGHT Partners, where he has held a variety of responsibilities including leading government programs, managing technology partnerships, and leading a team enabling government and industry leaders worldwide to recognize their actual cyber threat reality. Previously, Matt was a Senior Program Manager at Lockheed Martin's Advanced Technology Laboratory, where he was responsible for research and development of emerging information sciences and technologies in information operations and cyber security. He is a US Air Force veteran and has been recognized with numerous awards throughout his 15-year career as a thought leader in advanced cyber warfare and security, and information operations and security. Matt is a CISSP.
Tim Armstrong is a Security Incident Response Specialist at Co3. Tim has a deep background in the security industry, including vulnerability management and malware analysis from his time at Rapid7 and Kaspersky Labs.
Adapted from the standard Emergency Response Process of: Prepare, Respond, Recover, Mitigate