OpenTPX 2015 LookingGlass Cyber Solutions Inc.
1 OpenTPX v2.2, Oct 8th 2015, LookingGlass Cyber Solutions. PRESENTER:

2 OpenTPX Contribution
- OpenTPX is a contribution by LookingGlass Cyber Solutions to the open source community (1)
- Specifications and source code are distributed under Apache License 2.0
- Checkout
- OpenTPX was created to build highly scalable machine-readable threat intelligence, analysis and network security products that exchange data at large volumes and at high speed
- We welcome your feedback and contributions
(1) OpenTPX is designed for optimized network security & threat intelligence use cases and does support mappings for select threat intelligence formats including CSV, STIX, OpenIOC etc.

3 Contents
- OpenTPX Introduction: What, Where, Who
- Threat Scores
- Threat Observables, Associations & Collections
- Networks, Packet Capture & Mitigation
- Queries
- Additional Capabilities
4 Introducing OpenTPX
Comprehensive data exchange for the security landscape
- All context required for Network Security Operations and Threat Intelligence exchange
- Modular approach
- Defines a threat score model across all elements
Designed for efficient data processing
- Focus on the raw context to convey
- Minimalist representation of the basic raw observations without significant overhead or confused representations
Designed for graph relationships
- Referencing across multiple data relationships
Open source technology
- Sharing spec, code and examples
- Optimized and extensible data model & representation
- For machine to machine ingest with large volume and high speed
- Dictionary keys easily added
Modules: OpenTPX - Network, OpenTPX - Threat, OpenTPX - Collections, OpenTPX - Mitigation, OpenTPX - Feeds
Efficient data ingest designed for highly connected data
- Easy indexing of data
- Faster ingest to systems that are typical in threat intelligence
- Simplified keys identifying types, easy creation
Flexibility of schema and data ingest
- Normalized schema but not limited to extension
5 OpenTPX Scoring & Queries
Underpinning the OpenTPX building blocks (Network, Threat, Collections, Mitigation, Feeds), it provides:
- A comprehensive scoring framework: scoring across meta-data, networks, domains, users
- A query language: a comprehensive language allowing combinatorial queries to be constructed across threat context

6 OpenTPX Content Categories
- Threat Observable Dictionary: observable names, their associated criticality, description and the set of classifications to which the observable belongs. The dictionary allows the provider to define observables (e.g. meta-data) once and then refer to that observable name for each subject.
- Threat Observable Associations: an observable to one or more subjects (i.e. elements) including network, host or user subjects. Network subjects include IP, CIDR, ASN, FQDN. Host subjects include file hashes, application identifiers, malware identifiers. User subjects include user name, user identity, alias, address.
- Collections: may define country information and named groupings of network elements, host elements and observables. A collection may contain zero or more collections.
- Networks: each network may define network membership, routing topology, ownership, network announcements.
- Mitigation: what mitigation is recommended for a particular threat observable.
7 Where OpenTPX is used
Trusted communities and integrated systems, including:
- Threat Analyst: sends manually defined Collections containing sector- or company-specific information (TPX Collection)
- Malware Analysis: an automated malware analysis system sends network packet capture and threat observations to the Threat Analyst (TPX Network, Threat)
- Feed Provider: sends Threat Observables associated with the global Internet (TPX Threat)
- Threat Intelligence Management System: exchanges all information used to collaborate on security; sharing across systems (TPX - All)
- Network Capture: captures packets and behaviors and sends summarized results on threats (TPX Network)
- Network Security: receives mitigation rules to change security posture (TPX Mitigation)

8 Who can benefit from OpenTPX?
- CERTs/Security Operations: to provide information on incidents
- Threat researchers: to exchange all context available that defines a threat, not just IOCs but the full set of observables including analysis
- Sensor/feed providers: to provide context on networks, threats, sectors, actors etc.
- Security companies or organizations wishing to exchange a common definition of threat segmentation
- Any machine-to-machine threat exchange requiring optimal data processing and data exchange at large scale (Tbytes of data, in real time)

9 What is a Threat Observable
We define the term threat observable loosely to be any observation that may have an associated threat score and may be associated with one or more elements of interest. It is deliberate that OpenTPX has a very loose definition of the threat observable to ensure increased flexibility and extensibility, thereby removing some of the rigidity of a more structured approach.
A threat observable can be one or more of the following:
- An Indicator of Compromise (IOC)
- An originating or destination network
- A network topology
- A target network or domain
- A command & control behavior
- An application (malware or otherwise)
- An actor
- A behavior
- A TTP
- A report
- A human defined note or description
Threat observables may be combined into collections and may reference each other. A threat observable comprises an identifying name and one or more key/value attributes that capture the observation's data. Threat observable attribute keys may come from a pre-defined dictionary or may introduce new terms.
10 Threat Scoring

11 Threat Score Conceptual Model
Scoring across the security landscape:
- 1st layer: the model starts with network devices, topology, routing, endpoints, servers
- 2nd layer: defines the applications and services that run over the core layer devices
- 3rd layer: defines the users that run those applications
- 4th layer: defines the observables and meta-data associated with all of the 3 core layers
(Diagram: Observables/Meta above Users above Applications above Network (infrastructure, hosts), each layer carrying a Score.)

12 Threat Score
Risk scoring across all elements of threat. Scores across:
- Observables
- Coarse and fine grained Classifications
- Sources
Scores can be associated with both positive and negative observables.
13 Threat Sources
Individual sources may be scored, indicating the provider's confidence in that source:

    "schema_version_s": "2.2.0",
    "provider_s": "Pcap Intel Provider Company",
    "list_name_s": "Pcap Provider Company List Data",
    "source_observable_s": "PCAP_IND_NAME",
    "source_file_s": "/var/lg/data/json/list_name/2014/06/01/2014.pcap",
    "source_description_s": "This feed provides information on PCAP behavior captured by X",
    "distribution_time_t": ,
    "last_updated_t": ,
    "score_i": 90,

14 Threat Classifications
- Observables can be assigned multiple classifications
- At least 1 coarse grained classification
- Each classification has an associated score

15 Threat Classification Scores
Individual classifications may be scored:

    "observable_dictionary_c_array": [
        {
            "observable_id_s": "Conficker A",
            "criticality_i": 70,
            "score_24hr_decay_i": 40,
            "description_s": "If an IP address or domain has been associated with this tag, it means that Intel Provider Company has identified the IP address or domain to be associated with the Conficker botnet variant A.",
            "classification_c_array": [
                {
                    "classification_id_s": "APT",
                    "classification_family_s": "Malware",
                    "score_i": 70
                }
            ],
        },

16 Threat Observable Criticality Scores
Criticality is the provider's assessment of how serious or impactful an observation is.
Example: the dictionary entry shown on slide 15, where "criticality_i": 70 is the provider's criticality assessment of the "Conficker A" observable and the score_i inside classification_c_array scores the classification itself.
17 Observable Definitions & Associations

18 Why Observable Dictionary and Association
- An observable is any network or threat observation
- An observable has a definition that defines what it represents
Observable Definition: defines the identifier, score, description, classification, criticality and common attributes shared across all instances of the observable.
Observable Association: an observable is then associated with one or more networked assets where that observation has been seen; the association defines the specific information of the observable as seen on this specific network asset.
By defining the observable separately from the instance information we avoid duplicative and unnecessary bloat of information and focus on the minimum information necessary to convey that observation on a specific IP or domain.
(Diagram: one Observable #1 definition linked through Observable - Asset Associations to Asset #1 ... Asset #n.)

19 Observable Dictionary and Association Inheritance
Observational model: information defined in the observable dictionary can be overridden in the instance if necessary.
Observable Dictionary
- Define an observable once
- Acts as the base definition of the observable
- Can have classification, score, raw behaviors common to all observables of this type
Observable Association
- Associate many times to different subjects
- The instance of the observable
- Specific attributes associated with this instance are possible, allowing for derived definitions

    {
        "observable_id_s": "Conficker A",
        "criticality_i": 70,
        "score_24hr_decay_i": 4,
        "description_s": "If an IP address or domain has been associated with this tag, it means that Intel Provider Company has identified the IP address or domain to be associated with the Clicker botnet.",
        "classification_c_array": [
            {
                "classification_id_s": "Worm",
                "classification_family_s": "Malware",
                "score_i": 70
            }
        ]
    }

    "element_observable_c_array": [
        {
            "subject_ipv4_s": " ",
            "score_i": 90,
            "threat_observable_c_map": {
                "Conficker A": {
                    "occurred_at_t": ,
                    "last_seen_t": 13123,
                    "country_code_s": "IR",
                    "destination_fqdn_s": "ddd.com",
                    "score_i": 70,
                },

20 Observables over time
An efficient observable model allows association rather than unnecessary repetition of data:
- T0: The dictionary entry is created by the provider. The provider defines the description and the classification of the threat.
- T1: The 1st instance of the Observable is associated with Element #1. The provider observes the threat associated with an element.
- T1: The 1st instance of the Observable is associated with Element #2. The provider observes the threat associated with another element.
- T2: The 2nd instance of the Observable is associated with Element #1. The provider observes the threat again on the same element.
(Diagram: a single Threat Observable Dictionary Entry at T0; Observable Element Association #1 and #2 at T1, pointing at Element #1 and Element #2; a further Observable Element Association at T2 pointing at Element #1.)
21 Threat Intelligence

22 Threat Intelligence
Observable definition in the dictionary: done once; common attributes of this observation shared by all instances.

    "observable_dictionary_c_array": [
        {
            "observable_id_s": "Conficker A",
            "criticality_i": 70,
            "score_i": 72,
            "summary_s": "This is a summary of the observable",
            "description_s": "If an IP address or domain has been associated with this tag, it means that Intel Provider Company has identified the IP address or domain to be associated with the Conficker botnet variant A.",
            "notes_s": "User defined notes",
            "reference_s_array": [ " " ],
            "classification_c_array": [
                {
                    "classification_id_s": "Malware",
                    "classification_family_s": "Worm",
                    "score_i": 70
                }
            ],
        },

Observable associated with a subject: done for each subject; subjects can be IP, FQDN, file hashes etc.; specific attributes define the particular instance with this subject.

    "element_observable_c_array": [
        {
            "subject_ipv4_s": " ",
            "score_i": 90,
            "threat_observable_c_map": {
                "Conficker A": {
                    "occurred_at_t": ,
                    "last_seen_t": 13123,
                    "country_code_s": "IR",
                    "dest_fqdn_s": "ddd.com",
                    "score_i": 70
                },
                "Clicker": {
                    "occurred_at_t": ,
                    "last_seen_t": 13123,
                    "country_code_s": "CH",
                    "dest_fqdn_s": "aaa.com"
                }
            }
        },

Distributed under Apache License
23 Collections

24 Why Collections?
A collection is a group of related entities that conveys a structure.
Use Case #1: Organization assets
- Problem: Many organizations have multiple CIDRs, IPs, domains etc. that have no direct network linkage, but from a security perspective they wish to convey what is important to secure and monitor.
- Solution: Collections allow an organization to convey a structure to those assets and associate Internet and threat intelligence with those structures.
Use Case #2: Industry segments
- Problem: Many organizations wish to understand threats associated with industry segments such as the financial sector, energy sector etc. to understand overall threat health.
- Solution: Collections allow segmentation of organizations and convey threat intelligence across those segments.
Use Case #3: Incident investigations
- Problem: A threat incident may represent a set of networks, malware and other artifacts that need to be conveyed to others working on the incident in a collected form.
- Solution: Collections allow an incident response team to create the group of information relevant to the incident so that they can share a common view of that information and assess the impact.
Many other use cases are possible.

25 Collections
- Define segments, sectors, user organizations, groups, companies, incidents
- Collections are hierarchical
- May have a confidence score associated
- May contain IPs, CIDRs, FQDNs, ASNs, Observables, other Collections

    "collection_c_array": [
        {
            // a top level collection
            "name_id_s": "MarketSeg1",
            "last_updated_t": ,
            "description_s": "This collection is related to MarketSeg1",
            "author_s": "Allan Thomson",
            "workspace_s": "lg-system",
            // the score of the MarketSeg1 collection
            "score_i": 90,
            "collection_c_array": [
                {
                    // a 2nd level collection MarketSeg1 -> NCR10205
                    // with FQDN, IP, CIDR, ASN and sub-collection defined
                    "name_id_s": "NCR10205",
                    "description_s": "This is NCR10205 subcollection",
                    "last_updated_t": ,
                    "author_s": "Gerry Eaton",
                    "score_i": 70,
                    "fqdn_c_array": [
                        { "fqdn_s": "seguintexas.gov" },
                        { "fqdn_s": "tenaska.com" },
                    ],
                    "ip_c_array": [
                        { "ip_ipv4_s": " " },
                        { "ip_ipv4_s": " " },
                    ],
                    "cidr_c_array": [
                        { "cidr_cidrv4_s": " /29" },
                        { "cidr_cidrv4_s": " /29" },
                    ],
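The membership question an analyst actually asks of a hierarchy like the one above is "which collections does this asset fall into, and which score applies". The following is an added example written for this page, not OpenTPX project code. It walks a constructed collection tree modelled on slide 25 (the FQDNs are the ones on the slide; the IPs and CIDRs are documentation ranges, since the slide leaves them blank) and assumes that ip_ipv4_s and cidr_cidrv4_s hold dotted IPv4 addresses and prefixes.

```python
import ipaddress

# Constructed sample modelled on slide 25 (values the slide left blank are filled with RFC 5737 ranges).
COLLECTION = {
    "name_id_s": "MarketSeg1", "score_i": 90, "author_s": "Allan Thomson",
    "description_s": "This collection is related to MarketSeg1",
    "collection_c_array": [
        {"name_id_s": "NCR10205", "score_i": 70,
         "fqdn_c_array": [{"fqdn_s": "seguintexas.gov"}, {"fqdn_s": "tenaska.com"}],
         "ip_c_array": [{"ip_ipv4_s": "192.0.2.5"}],
         "cidr_c_array": [{"cidr_cidrv4_s": "198.51.100.8/29"}]},
        {"name_id_s": "NCR20308", "score_i": 60,
         "cidr_c_array": [{"cidr_cidrv4_s": "203.0.113.0/24"}],
         "collection_c_array": [
             {"name_id_s": "NCR20308-dmz", "score_i": 80,
              "cidr_c_array": [{"cidr_cidrv4_s": "203.0.113.0/26"}]}]},
    ],
}


def walk(collection, path=()):
    """Depth-first traversal yielding (path_tuple, collection) for every node, parents first."""
    path = path + (collection["name_id_s"],)
    yield path, collection
    for child in collection.get("collection_c_array", []):
        yield from walk(child, path)


def _covers(collection, subject):
    """True if this collection's own members (not its children's) cover the subject."""
    try:
        addr = ipaddress.ip_address(subject)
    except ValueError:
        # not an address: treat the subject as an FQDN and compare case-insensitively
        name = subject.lower().rstrip(".")
        return any(f["fqdn_s"].lower().rstrip(".") == name
                   for f in collection.get("fqdn_c_array", []))
    if any(ipaddress.ip_address(i["ip_ipv4_s"]) == addr for i in collection.get("ip_c_array", [])):
        return True
    return any(addr in ipaddress.ip_network(c["cidr_cidrv4_s"], strict=False)
               for c in collection.get("cidr_c_array", []))


def collections_containing(root, subject):
    """'/'-joined paths of every collection whose members cover the subject, least specific first."""
    return ["/".join(path) for path, coll in walk(root) if _covers(coll, subject)]


def effective_score(root, subject, default=None):
    """Score of the deepest (most specific) matching collection, or default if nothing matches."""
    hits = [(len(path), coll["score_i"]) for path, coll in walk(root) if _covers(coll, subject)]
    return max(hits)[1] if hits else default


if __name__ == "__main__":
    for s in ("198.51.100.10", "203.0.113.7", "203.0.113.200", "seguintexas.gov", "10.0.0.1"):
        print(s, collections_containing(COLLECTION, s), effective_score(COLLECTION, s))
```

An address inside a nested collection is reported against both the parent and the child, which is what the hierarchy means; effective_score picks the deepest match, so a DMZ sub-collection can carry a different score from its parent segment.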
26 Networks, Packet Capture & Mitigation

27 Why Networks?
- Network information and how the Internet is connected represents a fundamental baseline for understanding threats
- Knowing what networks exist, without requiring threat information, provides a basis for analysts to understand their exposure and attack surface
- It also allows them to understand and assess the full scope of networks that are of interest, in the absence of threats
Network information contains:
- Topology
- Upstream connections
- Downstream connections
- Advertised routes and sub-networks
- Ownership

28 Networks Example
Useful for describing networks that are involved in threat context. Includes network topologies, ownership, routers and announcements:

    "asn_c_array": [
        {
            //
            // This information is for ASN = 1
            //
            "asn_i": 1,
            "as_owner_s": "ABC Corp",
            //
            // The list of routers that are part of the ASN
            //
            "asn_routers_ip_array": [ , , , ],
            //
            // The router interconnections in the ASN
            //
            "asn_router_conns_c_array": [
                { "router_1_u": , "router_2_u": },
                { "router_1_u": , "router_2_u": }
            ],
            //
            // The CIDR announcements from the ASN
            //
            "asn_cidr_announcements_c_array": [
                { "start_ip_u": , "end_ip_u": , "aggregator_ip_u": , "observed_at_t": },
                { "start_ip_u": , "end_ip_u": , "aggregator_ip_u": },
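The announcement and router fields above end in _u and their values did not survive the transcript. The following added example (mine, not OpenTPX project code) assumes the _u fields carry IPv4 addresses as unsigned 32-bit integers, which is what the suffix and the router/aggregator usage suggest, and shows the two things a consumer has to do with such an entry: turn start/end announcement ranges back into CIDR prefixes and rebuild the router graph. The sample ASN entry is constructed with a documentation ASN (RFC 5398) and RFC 5737 ranges.

```python
import ipaddress


def ip_u(dotted):
    """Encode a dotted IPv4 address as the unsigned-integer form assumed for *_u fields."""
    return int(ipaddress.IPv4Address(dotted))


def u_to_ip(value):
    """Decode an unsigned 32-bit integer into dotted IPv4 form (raises on out-of-range values)."""
    return str(ipaddress.IPv4Address(value))


# Constructed sample modelled on slide 28; real feeds would carry the integers directly.
ASN = {
    "asn_i": 64496, "as_owner_s": "ABC Corp",
    "asn_routers_ip_array": [ip_u("192.0.2.1"), ip_u("192.0.2.2"), ip_u("192.0.2.3")],
    "asn_router_conns_c_array": [
        {"router_1_u": ip_u("192.0.2.1"), "router_2_u": ip_u("192.0.2.2")},
        {"router_1_u": ip_u("192.0.2.1"), "router_2_u": ip_u("192.0.2.3")},
    ],
    "asn_cidr_announcements_c_array": [
        {"start_ip_u": ip_u("198.51.100.0"), "end_ip_u": ip_u("198.51.100.255"),
         "aggregator_ip_u": ip_u("192.0.2.1"), "observed_at_t": 1444262400},
        # a start/end range that is not one prefix: it has to be split into several CIDRs
        {"start_ip_u": ip_u("203.0.113.0"), "end_ip_u": ip_u("203.0.113.191"),
         "aggregator_ip_u": ip_u("192.0.2.2")},
    ],
}


def announced_cidrs(asn):
    """Minimal list of CIDR prefixes covering every start/end announcement range of the ASN."""
    cidrs = []
    for ann in asn.get("asn_cidr_announcements_c_array", []):
        start = ipaddress.IPv4Address(ann["start_ip_u"])
        end = ipaddress.IPv4Address(ann["end_ip_u"])
        if end < start:
            raise ValueError(f"announcement end {end} precedes start {start}")
        cidrs.extend(str(net) for net in ipaddress.summarize_address_range(start, end))
    return cidrs


def router_adjacency(asn):
    """Undirected router graph keyed by dotted address; rejects links to unlisted routers."""
    adj = {u_to_ip(r): set() for r in asn.get("asn_routers_ip_array", [])}
    for conn in asn.get("asn_router_conns_c_array", []):
        a, b = u_to_ip(conn["router_1_u"]), u_to_ip(conn["router_2_u"])
        for router in (a, b):
            if router not in adj:
                raise ValueError(f"link references router {router} not in asn_routers_ip_array")
        adj[a].add(b)
        adj[b].add(a)
    return adj


if __name__ == "__main__":
    print(announced_cidrs(ASN))
    for router, peers in router_adjacency(ASN).items():
        print(router, "->", sorted(peers))
```

Rejecting a link whose endpoint is not in asn_routers_ip_array is deliberate: a feed that references routers it never declares is malformed, and silently creating the node would hide that.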
29 Packet Capture
- Captures all packet exchanges: any protocol, any attribute
- Key/value pairs
- Optimized data indexing
- May represent TTPs, behaviors or patterns

    "Threat_Inject_tiger_mama": {
        "dns_request_c_array": [
            { "req_fqdn_s": "irc.freenode.net" },
        ],
        "dns_response_c_array": [
            { "record_s": "A", "resp_ipv4_s": " " },
            { "record_s": "CNAME", "resp_fqdn_s": "chat.freenode.net" },
            { "record_s": "AAAA", "resp_ipv6_s": "2001:708:40:2001:a822:baff:fec4:2428" },
            { "record_s": "TXT", "resp_fqdn_s": "google-siteverification=mrswln2ncqsbgduywer9f6y0euau0mr_anpgna0mwes" }
        ],
        "fqdn_c_array": [
            { "fqdn_s": "eff.com", "ip_ipv4_s": " " },
            { "fqdn_s": "isatap.f.sck.im", "ip_ipv4_s": " " }
        ],
        "host_c_array": [
            { "host_fqdn_s": "badguy.com" },
        ],
        "http_c_array": [
            { "body_s": "", "method_s": "GET", "version_s": "1.1", "agent_s": "Battle.net/ ", "uri_fqdn": " ", "dest_port_i": 8653 },
            { "body_s": "", "method_s": "GET", "version_s": "1.1", "agent_s": "Battle.net/ ", "uri_fqdn": " ", "dest_port_i": 8654 },
        ],
        "icmp_c_array": [
            { "src_ipv4_s": " ", "dest_ipv4_s": " ", "type_i": 9 },
        ],

30 Malware Report
Captures malware reports including all IOCs, without requiring association to specific network assets:

    {
        "source_observable_s": "LG CTIG",
        "list_name_s": "Automated Malware Analysis",
        "observable_dictionary_c_array": [
            {
                "criticality_i": 60,
                "classification_c_array": [
                    {
                        "score_i": 30,
                        "classification_id_s": "Malware Artifacts",
                        "classification_family_s": "Malware"
                    }
                ],
                "observable_id_s": "Automated Malware Analysis Report - 0dd3f6a b88f3013dce592d3d",
                "attribute_c_map": {
                    "magic_s": "PE32 executable (console) Intel 80386, for MS Windows",
                    "tlp_i": 1,
                    "last_seen_t": ,
                    "dest_fqdn_s_array": [ "xthefo.com", "qyupbu.com", "lbuyzo.com" ],
                    "hash_md5_h": "0dd3f6a b88f3013dce592d3d",
                    "hash_sha256_h": " ff7e99613a58a3af3890d9304d912cb15b388f42875a212035e5f8a",
                    "filepath_s_array": [ "C:\\WINDOWS\\system32\\ntkrnlpa.exe", "\\Device\\NamedPipe\\lsass" ],
                    "registrykey_s_array": [ "HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\PDRELI\\ObjectName" ],
                    "hash_sha1_h": "a2dbf3a419a0cf9f190b47ae624bf c9c",
                    "filesize_i": 56832,
                    "dest_ipv4_s_array": [ " ", " ", " " ]
                },
                "description_s": "A report containing the summary of an automated malware detection"
            }
        ],
        "last_updated_t": ,
        "score_i": 95,
        "schema_version_s": "2.2.0",
        "provider_s": "LookingGlass"
    }
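Because OpenTPX lets a provider add attribute keys without registration, the key suffix is the only thing a consumer can rely on to type an unknown attribute. The following added example (mine, not OpenTPX project code) pulls the IOCs out of a report shaped like the one above and checks every key's value against the type its suffix promises. Only _i (integer) and _s (string) are stated on these slides; treating _t and _u as integers, _h as a hex digest, _s_array as a list of strings, _c_array as a list of objects and _c_map as an object is inferred from the examples and is an assumption here. The report is constructed: the digests are the well-known empty-input MD5, SHA-1 and SHA-256 values used as placeholders, and the hosts are documentation names and ranges.

```python
import ipaddress
import re

# Assumed suffix -> type convention (only _i and _s are stated on the slides; the rest is inferred).
SUFFIX_TYPES = {"_i": int, "_t": int, "_u": int, "_s": str, "_h": str,
                "_s_array": list, "_c_array": list, "_c_map": dict}
HEX_DIGEST = re.compile(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", re.I)

# Constructed report modelled on slide 30. Digests are the empty-input MD5/SHA-1/SHA-256 placeholders.
REPORT = {
    "schema_version_s": "2.2.0", "provider_s": "LookingGlass", "score_i": 95,
    "last_updated_t": 1444262400, "list_name_s": "Automated Malware Analysis",
    "source_observable_s": "LG CTIG",
    "observable_dictionary_c_array": [{
        "observable_id_s": "Automated Malware Analysis Report - d41d8cd98f00b204e9800998ecf8427e",
        "criticality_i": 60,
        "description_s": "A report containing the summary of an automated malware detection",
        "classification_c_array": [{"score_i": 30, "classification_id_s": "Malware Artifacts",
                                    "classification_family_s": "Malware"}],
        "attribute_c_map": {
            "magic_s": "PE32 executable (console) Intel 80386, for MS Windows",
            "tlp_i": 1, "filesize_i": 56832, "last_seen_t": 1444262400,
            "hash_md5_h": "d41d8cd98f00b204e9800998ecf8427e",
            "hash_sha1_h": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
            "hash_sha256_h": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
            "dest_fqdn_s_array": ["xthefo.example", "qyupbu.example"],
            "dest_ipv4_s_array": ["198.51.100.23", "203.0.113.9"],
            "filepath_s_array": ["C:\\WINDOWS\\system32\\ntkrnlpa.exe"],
            "registrykey_s_array": ["HKEY_LOCAL_MACHINE\\SYSTEM\\ControlSet001\\Services\\PDRELI\\ObjectName"],
        },
    }],
}


def suffix_of(key):
    """Longest matching type suffix for a key, or None if the key carries no type."""
    for suffix in sorted(SUFFIX_TYPES, key=len, reverse=True):
        if key.endswith(suffix):
            return suffix
    return None


def check_types(obj, path="", problems=None):
    """Recursively compare each value with the type its key suffix promises; return the problems found."""
    problems = [] if problems is None else problems
    for key, value in obj.items():
        here = f"{path}.{key}" if path else key
        suffix = suffix_of(key)
        if suffix is None:
            problems.append(f"{here}: key has no type suffix")
            continue
        if isinstance(value, bool) or not isinstance(value, SUFFIX_TYPES[suffix]):
            problems.append(f"{here}: expected {SUFFIX_TYPES[suffix].__name__}, got {type(value).__name__}")
            continue
        if suffix == "_h" and not HEX_DIGEST.fullmatch(value):
            problems.append(f"{here}: not an MD5/SHA-1/SHA-256 hex digest")
        elif suffix == "_c_map":
            check_types(value, here, problems)
        elif suffix == "_c_array":
            for i, item in enumerate(value):
                if isinstance(item, dict):
                    check_types(item, f"{here}[{i}]", problems)
        elif suffix == "_s_array":
            for i, item in enumerate(value):
                if not isinstance(item, str):
                    problems.append(f"{here}[{i}]: expected str, got {type(item).__name__}")
    return problems


def extract_iocs(report):
    """(kind, value) pairs for hashes, contacted hosts, dropped files and registry keys."""
    iocs = []
    for entry in report.get("observable_dictionary_c_array", []):
        attrs = entry.get("attribute_c_map", {})
        for key in ("hash_md5_h", "hash_sha1_h", "hash_sha256_h"):
            if key in attrs:
                iocs.append((key[len("hash_"):-len("_h")], attrs[key].lower()))
        iocs += [("fqdn", f.lower()) for f in attrs.get("dest_fqdn_s_array", [])]
        for ip in attrs.get("dest_ipv4_s_array", []):
            ipaddress.IPv4Address(ip)            # reject a malformed address before it reaches a blocklist
            iocs.append(("ipv4", ip))
        iocs += [("filepath", p) for p in attrs.get("filepath_s_array", [])]
        iocs += [("registry", r) for r in attrs.get("registrykey_s_array", [])]
    return iocs


if __name__ == "__main__":
    print("type problems:", check_types(REPORT))
    for kind, value in extract_iocs(REPORT):
        print(kind, value)
```

Run check_types before extract_iocs on anything received over the wire: a feed that puts a string in score_i or a truncated digest in hash_md5_h should be rejected at ingest, not discovered when a detection rule fails to fire.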
31 Mitigation
- Supports inheritance of mitigation recommendations
- Enables recommendations at the dictionary level or at the specific association level of an observable
- Multiple mitigation terms possible: Log, Drop; others easily added

    "threat_observable_c_map": {
        "Conficker A": {
            "occurred_at_t": ,
            "last_seen_t": 13123,
            "country_code_s": "IR",
            "destination_fqdn_s": "ddd.com",
            "score_i": 70,
            "mitigation_c_array": [
                { "action": "log destination" },
                { "action": "drop" },
            ],
        },
        "Clicker": {
            "occurred_at_t": ,
            "last_seen_t": 13123,
            "country_code_s": "CH",
            "destination_fqdn_s": "aaa.com",
            "mitigation_c_array": [
                { "action": "log" },
            ],
        }
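Slides 19 and 22 describe the dictionary entry as the base definition that an association may override, and this slide says mitigations follow the same inheritance. The following added example (mine, not OpenTPX project code) implements that resolution for a constructed document modelled on slides 22 and 31: the effective attributes of an observable on a subject are the dictionary entry's keys with the association's keys laid over them, and a mitigation_c_array on the association replaces the dictionary-level one. It also flags observables that an association names but the dictionary never defines, the situation "Clicker" is in on slide 22. Assumptions: the mitigation key is spelled "action" as on the slide (which shows it unquoted), timestamps are epoch seconds, and 192.0.2.0/24 is a documentation range.

```python
# Constructed sample modelled on slides 22 and 31.
TPX_DOC = {
    "schema_version_s": "2.2.0",
    "provider_s": "Intel Provider Company",
    "observable_dictionary_c_array": [
        {"observable_id_s": "Conficker A", "criticality_i": 70, "score_i": 72,
         "classification_c_array": [{"classification_id_s": "Worm",
                                     "classification_family_s": "Malware", "score_i": 70}],
         # dictionary-level recommendation, inherited by every association unless overridden
         "mitigation_c_array": [{"action": "log destination"}]},
    ],
    "element_observable_c_array": [
        {"subject_ipv4_s": "192.0.2.10", "score_i": 90,
         "threat_observable_c_map": {
             "Conficker A": {"occurred_at_t": 1444262400, "last_seen_t": 1444348800,
                             "country_code_s": "IR", "dest_fqdn_s": "ddd.com", "score_i": 70,
                             "mitigation_c_array": [{"action": "log destination"}, {"action": "drop"}]},
             # referenced by the association but never defined in the dictionary
             "Clicker": {"occurred_at_t": 1444262400, "last_seen_t": 1444348800,
                         "country_code_s": "CH", "dest_fqdn_s": "aaa.com"},
         }},
        # a second subject that overrides nothing, so everything comes from the dictionary
        {"subject_fqdn_s": "ddd.com",
         "threat_observable_c_map": {"Conficker A": {"last_seen_t": 1444348800}}},
    ],
}


def resolve(doc):
    """One record per (subject, observable); association keys override the dictionary entry's keys."""
    dictionary = {e["observable_id_s"]: e for e in doc.get("observable_dictionary_c_array", [])}
    records = []
    for element in doc.get("element_observable_c_array", []):
        # the subject is whichever subject_* key the element carries (IP, FQDN, hash, ...)
        subject = next((v for k, v in element.items() if k.startswith("subject_")), None)
        for name, instance in element.get("threat_observable_c_map", {}).items():
            base = dictionary.get(name)
            if base is None:
                records.append({"subject": subject, "observable": name, "defined": False})
                continue
            effective = {k: v for k, v in base.items() if k != "observable_id_s"}
            effective.update(instance)            # instance wins on every key it sets
            records.append({
                "subject": subject, "observable": name, "defined": True,
                "score_i": effective.get("score_i"),
                "criticality_i": effective.get("criticality_i"),
                "classifications": [c["classification_id_s"]
                                    for c in effective.get("classification_c_array", [])],
                "mitigations": [m["action"] for m in effective.get("mitigation_c_array", [])],
                "dest_fqdn_s": effective.get("dest_fqdn_s"),
            })
    return records


def lookup(doc, subject, name):
    """Resolved record for one subject/observable pair (KeyError if the pair is absent)."""
    for record in resolve(doc):
        if record["subject"] == subject and record["observable"] == name:
            return record
    raise KeyError((subject, name))


def undefined_observables(doc):
    """Observable names that associations refer to but the dictionary never defines."""
    return sorted({r["observable"] for r in resolve(doc) if not r["defined"]})


if __name__ == "__main__":
    for record in resolve(TPX_DOC):
        print(record)
    print("undefined:", undefined_observables(TPX_DOC))
```

The undefined case matters operationally: an association with no dictionary entry has no score, no classification and no mitigation to inherit, so a consumer that silently drops it loses the observation while one that scores it as zero misreports it. Surfacing the name lets the feed be fixed at the source.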
32 OpenTPX Query Language (QL)

33 OpenTPX QL Introduction
- A dialect of the Solr/Lucene query syntax, with extensions that ease querying network elements
- OpenTPX QL supports advanced query grouping, ranges and wildcarding of values passed to terms
- Allows providers and consumers to exchange queries as part of threat context
Examples:
- observable_s:zeus - return all entities where observable_s matches Zeus
- observable_s:banking* - return all entities where observable_s begins with Banking
- url_s: - return all entities where the URL begins with msn and ends with .com
- timestamp_i:[ TO *] - return all entities which were last updated sooner than the given time
- NOT observable_s:banking* - return all entities where observable_s does NOT begin with Banking
- (ip_i: AND observable_s:banking*) OR (ip_i: AND observable_s:trojan*) - return any Banking observable associated with the first IP address, or any Trojan observable associated with the second IP address

34 Language Syntax
    whitespace      = { " " | "\t" | "\n" | "\r" } ;
    string          = '"', { characters }, '"' ;
    integer         = { '0' | '1' | '2' | '3' | '4' | '5' | '6' | '7' | '8' | '9' } ;
    field-separator = ':' ;
    group-begin     = '(', [ whitespace ] ;
    group-end       = ')', [ whitespace ] ;
    range-begin     = '[', [ whitespace ] ;
    range-end       = [ whitespace ], ']' ;
    range-to        = whitespace, 'TO', whitespace ;
    wildcard        = '*' ;
    wildcard_single = '?' ;
    and-token       = [ whitespace ], 'AND', [ whitespace ] ;
    or-token        = [ whitespace ], 'OR', [ whitespace ] ;
    not-token       = [ whitespace ], ( 'NOT' | '!' ), [ whitespace ] ;
    symbol          = [ whitespace | begin-of-input ], { characters }, [ whitespace | end-of-input ] ;
    range           = range-begin, [ integer | string | symbol | wildcard ], whitespace, range-to, whitespace, [ integer | string | symbol | wildcard ] ;
    term            = symbol, field-separator, [ string | symbol | integer | range ] ;
    and             = { term | group | and | or | not }, and-token, { term | group | and | or | not } ;
    or              = { term | group | and | or | not }, or-token, { term | group | and | or | not } ;
    not             = not-token, { term | group | and | or | not } ;
    group           = group-begin, { group | term | and | or | not }, group-end ;
35 OpenTPX QL Basic Queries
The most basic query in OpenTPX QL is a single term. Terms have the format field:value, i.e. a Field, followed by a colon, followed by a Value.
Examples:
- foo:bar - searches foo for the String "bar"
- foo:5 - searches foo for the Integer 5
All fields in queries against a data store are typed explicitly as either an Integer or a String. The field in a query is typed by appending the relevant type indicator to the field name:
- Integer - _i
- String - _s

36 OpenTPX QL Wildcard Queries
In OpenTPX QL the following wildcards are supported in values:
- * - Wildcard - multi-character
- ? - WildcardChar - single-character
Wildcards have the following restrictions:
- Wildcards are not permitted for Integers
- Values cannot start with the multi-character wildcard, i.e. left-anchored wildcards in strings such as *foobar will not be accepted (a value may start with ?, as the sha1_s example below does)
- A value can itself be a single wildcard (*) to express a query that selects for the existence of a field
- Fields cannot contain wildcards
Examples:
- observable_s:banking* - return all entities where observable_s begins with Banking
- sha1_s:????f4f4e4cf2f9669cc61e2565effcd8f923d28 - return all entities where the last 36 characters of sha1_s match the provided hex digest
- url_s: - return all entities where the URL begins with msn and ends with .com

37 OpenTPX QL - Grouping
Supports sub-query grouping, which can be useful for altering the order and precedence of the Boolean statements. Groups begin with the ( character and are terminated by the ) character. Groups can be nested to an arbitrary depth, as needed.
Example: by default, a:1 b:2 OR c:3 evaluates with an implicit AND between a:1 and b:2. In OpenTPX QL, OR binds more tightly than AND (the opposite of the usual textbook convention, so write explicit groups rather than relying on it), and the expression evaluates as (a:1 AND (b:2 OR c:3)).
Example: (ip_i: AND observable_s:banking*) OR (ip_i: AND observable_s:trojan*)
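The grammar, typing rules, wildcard restrictions and precedence on slides 33 to 37 are enough to build a small evaluator, which is the quickest way to check that a query you intend to exchange means what you think. The following is an added example written for this page, not OpenTPX or Solr code: a tokenizer, a recursive-descent parser and an evaluator that runs queries over constructed in-memory entities instead of a Solr index. It follows the slides where they are explicit (fields typed by _i/_s suffix, no wildcards on integers, a bare * tests for field existence, adjacent terms imply AND with OR binding tighter) and makes these assumptions where they are not: string matching is case-insensitive (observable_s:zeus matching "Zeus"), only a leading * is rejected because the slide's own sha1_s example starts with ?, and ip_i values are unsigned-integer addresses.

```python
import re
from fnmatch import fnmatchcase

# Token kinds: LP, RP, NOT (also spelled !), AND, OR, and TERM carrying (field, raw value).
_TOKEN = re.compile(r'(?P<lp>\()|(?P<rp>\))|(?P<bang>!)|(?P<op>AND|OR|NOT)(?![\w:])|'
                    r'(?P<field>[A-Za-z_]\w*):(?P<value>"[^"]*"|\[[^\]]*\]|[^\s()]+)|(?P<bad>\S)')


def tokenize(text):
    tokens = []
    for m in _TOKEN.finditer(text):          # whitespace between tokens is simply skipped
        if m.group("bad"):
            raise ValueError(f"unexpected {m.group('bad')!r} at offset {m.start()}")
        if m.group("field"):
            tokens.append(("TERM", (m.group("field"), m.group("value"))))
        else:
            tokens.append(("NOT" if m.group("bang") else m.group("op") or ("LP" if m.group("lp") else "RP"), None))
    return tokens


def parse(tokens):
    """Recursive descent: OR binds tighter than AND, and adjacent terms imply AND (slide 37)."""
    pos = [0]
    def peek():
        return tokens[pos[0]][0] if pos[0] < len(tokens) else None
    def take():
        pos[0] += 1
        return tokens[pos[0] - 1]
    def and_expr():
        left = or_expr()
        while peek() in ("AND", "TERM", "LP", "NOT"):   # no operator between operands means AND
            if peek() == "AND":
                take()
            left = ("AND", left, or_expr())
        return left
    def or_expr():
        left = unary()
        while peek() == "OR":
            take()
            left = ("OR", left, unary())
        return left
    def unary():
        kind = peek()
        if kind == "NOT":
            take()
            return ("NOT", unary())
        if kind == "LP":
            take()
            node = and_expr()
            if peek() != "RP":
                raise ValueError("missing ')'")
            take()
            return node
        if kind == "TERM":
            return ("TERM",) + take()[1]
        raise ValueError("expected a term")
    node = and_expr()
    if peek() is not None:
        raise ValueError("unbalanced ')'")
    return node


def _literal(field, raw):
    """Type a literal from the field suffix (_i integer, _s string) and enforce the wildcard rules."""
    if field.endswith("_i"):
        if "*" in raw or "?" in raw:
            raise ValueError(f"wildcards are not permitted on integer field {field}")
        return int(raw)
    if field.endswith("_s"):
        value = raw[1:-1] if raw.startswith('"') else raw
        if value != "*" and value.startswith("*"):
            raise ValueError(f"left-anchored wildcard not accepted: {raw}")
        return value.lower()
    raise ValueError(f"field {field} carries no _i/_s type suffix")


def _match(entity, field, raw):
    if field not in entity:
        return False
    actual = entity[field].lower() if isinstance(entity[field], str) else entity[field]
    if raw.startswith("["):                                   # range [lo TO hi]; * leaves an end open
        lo, hi = (None if p == "*" else _literal(field, p) for p in re.split(r"\s+TO\s+", raw[1:-1].strip()))
        return (lo is None or actual >= lo) and (hi is None or actual <= hi)
    want = _literal(field, raw)
    if field.endswith("_i"):
        return actual == want
    return want == "*" or fnmatchcase(str(actual), want)     # a bare * only tests that the field exists


def _eval(node, entity):
    if node[0] == "TERM":
        return _match(entity, node[1], node[2])
    if node[0] == "NOT":
        return not _eval(node[1], entity)
    combine = all if node[0] == "AND" else any
    return combine(_eval(child, entity) for child in node[1:])


# Constructed entities: ip_i holds the address as an unsigned integer, timestamp_i epoch seconds.
ENTITIES = [
    {"id_s": "e1", "ip_i": 3221225985, "observable_s": "Banking Trojan", "timestamp_i": 1444262400},
    {"id_s": "e2", "ip_i": 3221225986, "observable_s": "Zeus", "timestamp_i": 1420070400},
    {"id_s": "e3", "ip_i": 3221225985, "observable_s": "Trojan Dropper", "timestamp_i": 1430000000,
     "sha1_s": "ab12f4f4e4cf2f9669cc61e2565effcd8f923d28"},
]


def query(text, entities=ENTITIES):
    """id_s of every entity matching an OpenTPX QL expression."""
    ast = parse(tokenize(text))
    return [e["id_s"] for e in entities if _eval(ast, e)]
```

The precedence case from slide 37 is worth running both ways: observable_s:zeus ip_i:3221225985 OR observable_s:trojan* parses as zeus AND (ip OR trojan*) and matches nothing in the sample, while (observable_s:zeus AND ip_i:3221225985) OR observable_s:trojan* matches e3. A query exchanged between providers should carry the parentheses.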
38 Additional Capabilities

39 OpenTPX Dictionary and Extensions
- OpenTPX specifies a dictionary of terms used for many common protocols, networks and threat observables. Example: occurred_at_i
- New terms are easily added without pre-registration: new OpenTPX terms require no registration to be added
- Contributors are encouraged to add common terms they consider to be missing back to the community
- New OpenTPX Observables require no registration to be distributed via OpenTPX files

40 OpenTPX Structural Options
Ingest of OpenTPX content is intended to be efficient and focused on machine-to-machine communications.
Option #1: Single Payload/File
- Ideal for smaller payloads
- Contains just one feed of threat observations, Collections, Networks or Mitigations
Option #2: Manifest + Multiple Payloads/Files
- Ideal for larger payloads
- Contains a manifest file that indexes the other content held in separate files
- No limit to the number of files

41 Protocols to exchange OpenTPX data
OpenTPX content may be transported by any transport protocol that makes sense for a machine-to-machine exchange. Examples in use:
- Syslog
- SMTP
- HTTP
- Rsync
- FTP
More informationUNMASKCONTENT: THE CASE STUDY
DIGITONTO LLC. UNMASKCONTENT: THE CASE STUDY The mystery UnmaskContent.com v1.0 Contents I. CASE 1: Malware Alert... 2 a. Scenario... 2 b. Data Collection... 2 c. Data Aggregation... 3 d. Data Enumeration...
More informationAdvanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA
Advanced Visibility Moving Beyond a Log Centric View Matthew Gardiner, RSA & Richard Nichols, RSA 1 Security is getting measurability worse Percent of breaches where time to compromise (red)/time to Discovery
More informationDRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario
DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? Drive-by Downloads are a common technique used by attackers to silently install malware on a victim s computer. Once a target website has been weaponized with
More informationThreat Intelligence Platforms: The New Essential Enterprise Software
Gitomer-1 Threat Intelligence Platforms: The New Essential Enterprise Software Due to the ever-increasing volume of cyber attacks and regulatory pressures, there is a need for a new type of enterprise
More informationTECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING
TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING 20 APRIL 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to
More informationSophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC
WHITE PAPER Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC www.openioc.org OpenIOC 1 Table of Contents Introduction... 3 IOCs & OpenIOC... 4 IOC Functionality... 5
More informationConfiguring Health Monitoring
CHAPTER4 Note The information in this chapter applies to both the ACE module and the ACE appliance unless otherwise noted. The features that are described in this chapter apply to both IPv6 and IPv4 unless
More informationArbor s Solution for ISP
Arbor s Solution for ISP Recent Attack Cases DDoS is an Exploding & Evolving Trend More Attack Motivations Geopolitical Burma taken offline by DDOS attack Protests Extortion Visa, PayPal, and MasterCard
More informationPAN-OS Syslog Integration
PAN-OS Syslog Integration Tech Note Revision M 2012, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Log Formats...3 TRAFFIC...3 Descriptions...3 Subtype Field...5 Action Field...6 Flags Field...6
More informationCyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.
Cyber Security Automation of energy systems provides attack surfaces that previously did not exist Cyber attacks have matured from teenage hackers to organized crime to nation states Centralized control
More informationPCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data
White Paper PCI Compliance for Branch Offices: Using Router-Based Security to Protect Cardholder Data Using credit cards to pay for goods and services is a common practice. Credit cards enable easy and
More informationMcAfee Web Gateway Administration Intel Security Education Services Administration Course Training
McAfee Web Gateway Administration Intel Security Education Services Administration Course Training The McAfee Web Gateway Administration course from Education Services provides an in-depth introduction
More informationAnalyzing HTTP/HTTPS Traffic Logs
Advanced Threat Protection Automatic Traffic Log Analysis APTs, advanced malware and zero-day attacks are designed to evade conventional perimeter security defenses. Today, there is wide agreement that
More informationApplying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events
Applying Internal Traffic Models to Improve Identification of High Fidelity Cyber Security Events Abstract Effective Security Operations throughout both DoD and industry are requiring and consuming unprecedented
More informationSymantec Cyber Security Services: DeepSight Intelligence
Symantec Cyber Security Services: DeepSight Intelligence Actionable intelligence to get ahead of emerging threats Overview: Security Intelligence Companies face a rapidly evolving threat environment with
More informationRashmi Knowles Chief Security Architect EMEA
Rashmi Knowles Chief Security Architect EMEA AGENDA Transformation of IT New cyber-security challenges Intelligence Driven Security Security Analytics Q&A 2 ENTERPRISE DATA CENTER ADVANCED SECURITY A UNIQUE
More informationFederated Threat Data Sharing with the Collective Intelligence Framework (CIF)
Federated Threat Data Sharing with the Collective Intelligence Framework (CIF) Gabriel Iovino (REN-ISAC), Kevin Benton (REN-ISAC), Yoshiaki Kasahara (Kyushu University), Yasuichi Kitamura (APAN) TIP2013
More informationIBM Security. 2013 IBM Corporation. 2013 IBM Corporation
IBM Security Security Intelligence What is Security Intelligence? Security Intelligence --noun 1.the real-time collection, normalization and analytics of the data generated by users, applications and infrastructure
More informationMcAfee Network Security Platform Administration Course
McAfee Network Security Platform Administration Course Intel Security Education Services Administration Course The McAfee Network Security Platform Administration course from McAfee Education Services
More informationDynamic Decision-Making Web Services Using SAS Stored Processes and SAS Business Rules Manager
Paper SAS1787-2015 Dynamic Decision-Making Web Services Using SAS Stored Processes and SAS Business Rules Manager Chris Upton and Lori Small, SAS Institute Inc. ABSTRACT With the latest release of SAS
More informationCan We Become Resilient to Cyber Attacks?
Can We Become Resilient to Cyber Attacks? Nick Coleman, Global Head Cyber Security Intelligence Services December 2014 Can we become resilient National Security, Economic Espionage Nation-state actors,
More informationHow To Manage Security On A Networked Computer System
Unified Security Reduce the Cost of Compliance Introduction In an effort to achieve a consistent and reliable security program, many organizations have adopted the standard as a key compliance strategy
More informationOpen Source Threat Intelligence. Kyle R Maxwell (@kylemaxwell) Senior Researcher, Verizon RISK Team
Open Source Threat Intelligence Kyle R Maxwell (@kylemaxwell) Senior Researcher, Verizon RISK Team 2 Before we begin All trademarks belong to their respective owners. No association with any other organizations,
More informationUnstructured Threat Intelligence Processing using NLP
Accenture Technology Labs Elvis Hovor @kofibaron Shimon Modi @shimonmodi Shaan Mulchandani @alabama_shaan Unstructured Threat Intelligence Processing using NLP Enhancing Cyber Security Operations by Automating
More informationAutomate the Hunt. Rapid IOC Detection and Remediation WHITE PAPER WP-ATH-032015
Rapid IOC Detection and Remediation WP-ATH-032015 EXECUTIVE SUMMARY In the escalating war that is cyber crime, attackers keep upping their game. Their tools and techniques are both faster and stealthier
More informationAnalyzing Targeted Attacks through Hiryu An IOC Management and Visualization Tool. Hiroshi Soeda Incident Response Group, JPCERT/Coordination Center
Analyzing Targeted Attacks through Hiryu An IOC Management and Visualization Tool Hiroshi Soeda Incident Response Group, JPCERT/Coordination Center Agenda 1. Advanced attacks specifically targeting Japanese
More informationIP Addressing Introductory material.
IP Addressing Introductory material. A module devoted to IP addresses. Addresses & Names Hardware (Layer 2) Lowest level Ethernet (MAC), Serial point-to-point,.. Network (Layer 3) IP IPX, SNA, others Transport
More informationSiteCelerate white paper
SiteCelerate white paper Arahe Solutions SITECELERATE OVERVIEW As enterprises increases their investment in Web applications, Portal and websites and as usage of these applications increase, performance
More informationNiara Security Intelligence. Overview. Threat Discovery and Incident Investigation Reimagined
Niara Security Intelligence Threat Discovery and Incident Investigation Reimagined Niara enables Compromised user discovery Malicious insider discovery Threat hunting Incident investigation Overview In
More informationHunting for the Undefined Threat: Advanced Analytics & Visualization
SESSION ID: ANF-W04 Hunting for the Undefined Threat: Advanced Analytics & Visualization Joshua Stevens Enterprise Security Architect Hewlett-Packard Cyber Security Technology Office Defining the Hunt
More informationProxy Server, Network Address Translator, Firewall. Proxy Server
Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as
More informationActionable information for security incident response
Actionable information for security incident response Cosmin Ciobanu 2015 European Union Agency for Network and Information Security www.enisa.europa.eu European Union Agency for Network and Information
More informationConsiderations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.
Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet
More informationHow Attackers are Targeting Your Mobile Devices. Wade Williamson
How Attackers are Targeting Your Mobile Devices Wade Williamson Today s Agenda Brief overview of mobile computing today Understanding the risks Analysis of recently discovered malware Protections and best
More informationThreat Center. Real-time multi-level threat detection, analysis, and automated remediation
Threat Center Real-time multi-level threat detection, analysis, and automated remediation Description Advanced targeted and persistent threats can easily evade standard security, software vulnerabilities
More informationOn-Premises DDoS Mitigation for the Enterprise
On-Premises DDoS Mitigation for the Enterprise FIRST LINE OF DEFENSE Pocket Guide The Challenge There is no doubt that cyber-attacks are growing in complexity and sophistication. As a result, a need has
More informationDEPLOYMENT GUIDE Version 1.1. DNS Traffic Management using the BIG-IP Local Traffic Manager
DEPLOYMENT GUIDE Version 1.1 DNS Traffic Management using the BIG-IP Local Traffic Manager Table of Contents Table of Contents Introducing DNS server traffic management with the BIG-IP LTM Prerequisites
More informationIBM Unstructured Data Identification and Management
IBM Unstructured Data Identification and Management Discover, recognize, and act on unstructured data in-place Highlights Identify data in place that is relevant for legal collections or regulatory retention.
More informationNetwork Monitoring using MMT:
Network Monitoring using MMT: An application based on the User-Agent field in HTTP headers Vinh Hoa LA Ɨ Raul FUENTES Ɨ PhD Student Prof. Ana CAVALLI Ɨ Ƭ Supervisor Ɨ Telecom SudParis, IMT Ƭ Montimage
More informationThreatMetrix Persona DB Technical Brief
ThreatMetrix Persona DB Technical Brief Private and Scalable Entity/Attribute Database Persona DB is part of the TrustDefender Cybercrime Prevention Platform from ThreatMetrix. It s an extensible, enterprise-accessible
More informationKnow Your Foe. Threat Infrastructure Analysis Pitfalls
Know Your Foe Threat Infrastructure Analysis Pitfalls Who Are We? Founders of PassiveTotal Analysts/researchers with 10+ years of collective experience Interested in Better UX/UI for security systems Improving/re-thinking
More informationModern Approach to Incident Response: Automated Response Architecture
SESSION ID: ANF-T10 Modern Approach to Incident Response: Automated Response Architecture James Carder Director, Security Informatics Mayo Clinic @carderjames Jessica Hebenstreit Senior Manager, Security
More informationLehrstuhl für Informatik 4 Kommunikation und verteilte Systeme. Firewall
Chapter 2: Security Techniques Background Chapter 3: Security on Network and Transport Layer Chapter 4: Security on the Application Layer Chapter 5: Security Concepts for Networks Firewalls Intrusion Detection
More informationNorth American Electric Reliability Corporation (NERC) Cyber Security Standard
North American Electric Reliability Corporation (NERC) Cyber Security Standard Symantec Managed Security Services Support for CIP Compliance Overviewview The North American Electric Reliability Corporation
More informationFirewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.
Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and
More informationThe Big Data Paradigm Shift. Insight Through Automation
The Big Data Paradigm Shift Insight Through Automation Agenda The Problem Emcien s Solution: Algorithms solve data related business problems How Does the Technology Work? Case Studies 2013 Emcien, Inc.
More information24/7 Visibility into Advanced Malware on Networks and Endpoints
WHITEPAPER DATA SHEET 24/7 Visibility into Advanced Malware on Networks and Endpoints Leveraging threat intelligence to detect malware and exploitable vulnerabilities Oct. 24, 2014 Table of Contents Introduction
More informationWHITE PAPER SPLUNK SOFTWARE AS A SIEM
SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)
More informationDealing with Big Data in Cyber Intelligence
Dealing with Big Data in Cyber Intelligence Greg Day Security CTO, EMEA, Symantec Session ID: HT-303 Session Classification: General Interest What will I take away from this session? What is driving big
More informationDetect & Investigate Threats. OVERVIEW
Detect & Investigate Threats. OVERVIEW HIGHLIGHTS Introducing RSA Security Analytics, Providing: Security monitoring Incident investigation Compliance reporting Providing Big Data Security Analytics Enterprise-wide
More informationJUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM
JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM May 2015 Nguyễn Tiến Đức ASEAN Security Specialist Agenda Modern Malware: State of the Industry Dynamic Threat Intelligence on the Firewall
More informationGuide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP
Guide to Network Defense and Countermeasures Third Edition Chapter 2 TCP/IP Objectives Explain the fundamentals of TCP/IP networking Describe IPv4 packet structure and explain packet fragmentation Describe
More informationHow To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)
McAfee Security: Intrusion Prevention System REV: 0.1.1 (July 2011) 1 Contents 1. McAfee Network Security Platform...3 2. McAfee Host Intrusion Prevention for Server...4 2.1 Network IPS...4 2.2 Workload
More informationFROM INBOX TO ACTION EMAIL AND THREAT INTELLIGENCE:
WHITE PAPER EMAIL AND THREAT INTELLIGENCE: FROM INBOX TO ACTION There is danger in your email box. You know it, and so does everyone else. The term phishing is now part of our daily lexicon, and even if
More informationCisco Security Manager 4.2: Integrated Security Management for Cisco Firewall, IPS, and VPN Solutions
Data Sheet Cisco Security Manager 4.2: Integrated Security Management for Cisco Firewall, IPS, and VPN Solutions Security Operations Challenges Businesses are facing daunting new challenges in security
More informationNetworking for Caribbean Development
Networking for Caribbean Development BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n o g. o r g N E T W O R K I N G F O R C A R I B B E A N D E V E L O P M E N T BELIZE NOV 2 NOV 6, 2015 w w w. c a r i b n
More informationConfiguring Health Monitoring
CHAPTER 6 This chapter describes how to configure the health monitoring on the CSM and contains these sections: Configuring Probes for Health Monitoring, page 6-1 Configuring Route Health Injection, page
More informationChapter 6 Virtual Private Networking Using SSL Connections
Chapter 6 Virtual Private Networking Using SSL Connections The FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN provides a hardwarebased SSL VPN solution designed specifically to provide
More informationLeading The World Into Connected Security. Dipl.-Inform., CISSP, S+ Rolf Haas Enterprise Technology Specialist Content Lead EMEA
Leading The World Into Connected Security Dipl.-Inform., CISSP, S+ Rolf Haas Enterprise Technology Specialist Content Lead EMEA History of Defining Largest Dedicated Delivering a Next Generation Architecture
More informationDNS Firewall Overview Speaker Name. Date
DNS Firewall Overview Speaker Name 1 1 Date Reserved. Agenda DNS Security Challenges DNS Firewall Solution Customers Call to Action 2 2 Reserved. APTs: The New Threat Landscape Nation-state or organized-crime
More informationCMPT 471 Networking II
CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access
More informationIBM ediscovery Identification and Collection
IBM ediscovery Identification and Collection Turning unstructured data into relevant data for intelligent ediscovery Highlights Analyze data in-place with detailed data explorers to gain insight into data
More informatione2e Secure Cloud Connect Service - Service Definition Document
e2e Secure Cloud Connect Service - Service Definition Document Overview A cloud connectivity service that connects users, devices, offices and clouds together over the Internet. Organisations can choose
More informationUnified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice
Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice Introduction There are numerous statistics published by security vendors, Government
More informationCopyright 2011 Sophos Ltd. Copyright strictly reserved. These materials are not to be reproduced, either in whole or in part, without permissions.
PureMessage for Microsoft Exchange protects Microsoft Exchange servers and Windows gateways against email borne threats such as from spam, phishing, viruses, spyware. In addition, it controls information
More information