Transcription

1

2

3

4

5

6 Attribution: The Holy Grail or Waste of Time? Billy Leonard Google

7 Should this be the end, our Holy Grail?

8 How s that picture going to help you now?

9 But, the pictures make me safer!

10 We can do better.

11 Our quest for the Grail starts here. How they operate Who and how they target What tools do they use What order do they use them in How do they customize them How do they move laterally When do they operate How do they take your data Are they good at what they do

12 Don t be a victim of Badtribution.

13 Cheers!

14

15 CYBERSECURITY AT THE NSA Dave Hogue Operations Lead NSA/CSS Threat Operations Center National Security Agency

16 Cyber Attacks Against U.S. Doubled Over Past Three Years DNSChanger shutdown 92% of the Top 100 Mobile Apps have been Hacked Spearphishing s over 90% of targeted attacks Flame and Gauss: nation-state cyber-espionage campaigns Facebook Hacked 99% of web applications vulnerable to attack Business cost of malware spirals to $114B a year 2.4M Canadian Voters Exposed After Loss of 2 USB Drives Global hacking attempts will hit 1 Billion Apple Hacked China Military Unit Behind Prolific Hacking LinkedIn, Last.fm, Dropbox and Gamigo password leaks Google detects 9,500 malicious sites per day Flashback hits Mac OS X Adobe certificates theft and the omnipresent APT Android threats increase dramatically Cyber attack could turn US weapons against America Microsoft Hacked Cybercrime Costs Consumers $110 Billion Washington Confirms Chinese Hack Attack on White House Computer

17 EVER EVOLVING, VOLATILE ENVIRONMENT

18 NSA NEEDS TO MAINTAIN CONSTANT AWARENESS

19 THE COMPLETE PICTURE DRAGONFLY

20 THE COMPLETE PICTURE HACKER

21 !!!! DoD WORK TOGETHER PROTECT OUR EQUITIES

22 GOV CYBER SECURITY INDUSTRY DEFENSE INDUSTRIAL BASE PILOT NSA + DHS + ISPs TRANSITION

23 TRANSITION

24 TEAM CYBER INDUSTRY INDUSTRY INDUSTRY

25 HACKERS BREACH NASDAQ X1,000 30,000 INFECTED COMPUTERS

26 BEST OF BOTH WORLDS J2 Intel J3 Ops J6 Infrastructure

27 INDUSTRY INDUSTRY GOV INDUSTRY INDUSTRY GOV

28 RIGID GUIDELINES WE RE MAKING THIS UP AS WE GO

29 WHAT DO WE NEED: PREEXISTING RELATIONSHIPS DEFINED MEASURES OF INTEL COMBINED GOVERNMENT/INDUSTRY RESPONSE

30 NEED: PREEXISTING RELATIONSHIPS DEFINED MEASURES OF INTEL COMBINED GOVERNMENT/INDUSTRY RESPONSE

31

32 Intelligence Driven Security In Action Operationalizing Intelligence Seth Geftic Associate Director RSA Security Analytics RSA, The Security Division of EMC Copyright 2012 EMC Corporation. All rights reserved. 32

33 Today s Security Requirements Big Data Infrastructure Need a fast and scalable infrastructure to conduct short term and long term analysis High Powered Analytics Give me the speed and smarts to discover and investigate potential threats in near real time Comprehensive Visibility See everything happening in my environment and normalize it Integrated Intelligence Help me understand what to look for and what others have discovered Copyright 2012 EMC Corporation. All rights reserved. 33

34 How Do I Know What To Look For? Copyright 2012 EMC Corporation. All rights reserved. 34

35 RSA Live: Intelligence Converted Into An Operationalized Format Indicators converted into operationalized format Parser helps search for specific behavior within a feed Removes hay to help find needles Copyright 2012 EMC Corporation. All rights reserved. 35

36 RSA Security Analytics: Intelligence Driven Security In Action Operationalized intelligence is far greater than detached intelligence Analysts need to understand what to look for and take advantage of what others have found Compare intelligence with historical data to see if indicators of compromise were found Apply in real-time to defend against future attacks Copyright 2012 EMC Corporation. All rights reserved. 36

37

38

39

40 Intelligence Led Incident Response Sean Catlett, Vice President

41 Incident Response My Experience Decision Pressures Business Customer Protection Regulatory Financial Crisis Response Internal Information Sources Vulnerabilities Log data Forensics System Performance Script Output Customer Contacts 41

42 TB TB TB TC TC TB Threat Beachhead & Continuation Incident Indicators Threat Predictors Attribution Predictors Vulnerabilities C & Cs Geolocation Logs Forensics System Performance Script Output Customer Contacts Drop Sites External data flows ISP contacts Backdoors Open source Closed source Market offering in underground 42

43 Intelligence Difference: Managing a breach VS Investment in immediate remediation actions which follow the attacker s path Strategic investment in containment that is continually mapped against threat capabilities Current model of incident response relies on internal data that can be collected from attacked systems, leaving gaps in knowledge such as: What will the attacker do with the data they stole? Who was it? Why are they doing it? What are their ongoing capabilities? Are they coming back? 43 What/Who else are they attacking?

44 As actions become more scalable insight into actions becomes more valuable 44

45

46

47

48 Crowdsourcing Threat Intelligence Based on a True Story

49 Actors - Setting up the Story Computer Scientist Intelligence Analyst ThreatConnect.com 49

50 First Days of Cyber Squared (Part 1) Rich: Security Intelligence is the next BIG idea! Adam: What does that mean? Rich: You know?! We use an advanced understanding of the Threat to protect our customers business operations. Adam: OK, how do we do that? 50

51 Functional Areas of Threat Intelligence Collect & Analyze Decision Support Mitigate Need relevant data with context and validation Which way should we go? Protect the organization 51

52 First Days of Cyber Squared (Part 2) Adam: So you keep all your indicators in a spread sheet? Rich: Yeah, there isn t anything out there that tracks this sort of thing and puts everything together Adam: How do you track everything by hand? Rich: I have a perl script! Adam: How is that working for you? Rich: 52

53 Platform for Threat Intelligence Collect Analyze Share There are many sources of data Create Intel - Add context, and validation manually or with automation Share Intel across your own or with external orgs 53

54 First Days of Cyber Squared (Part 3) Adam: We ve completed V1.0 of ThreatConnect. Team: Nice, we like it. There is one thing though can we have multiple independent organizations work together, and have the software combine their data and analysis as if they were working together the entire time? Adam: Back to the drawing board 54

55 The Aha! Moment Crowdsource the problem - The BIG (Data) Idea Actual Cyber Army Vs. Virtual Cyber Army - Protecting our livelihood 55

56 Three Reasons to Crowdsource Threat Intelligence Resource Crunch Power of Crowd & Cloud Analysis Stop The Threat Are there even enough people to go around? We need to bridge our intel silos and automate analysis Together we can stop the Threat 56

57 Help Each Other 57

58 Play Nice 58

59 Think Outside the Box 59

60 Just Imagine What is Possible 60

61

62 Curating Indicators: Bringing Smarts to Intel SANS CTI Summit 22-March-2013 Douglas Wilson Manager, Threat Indicators Team Copyright 2013

63

64

65

66 The Detection Timeline Julie J.C.H. Ryan, D.Sc. Associate Professor George Washington University Presentation to SANS, March 2013

67 time Event Indicators Discovered Hey! Something is wrong!

68 time Event Event Characterized Indicators Discovered What happened, when did it happen is it still happening??

69 Quick! Do Something! Fix it! Reaction Activities Crisis management Containment of damage Triage, remediation Investigation Forensics data collection, administrative processes, exposure analysis Civil or Criminal legal stuff Firing people Arresting people Continuity of Operations Continuing to operate in a degraded mode Business Recovery Returning to full capability time Event Event Characterized Indicators Discovered

70 Reaction Activities Event Event Characterized Indicators Discovered Damage Assessed time Have we stopped it yet? How bad is it?

71 Reaction Activities time Event Event Characterized Indicators Discovered Event Reported Damage Assessed (Who) do we have to tell?

72 Speed Kills Configuration Changes Heightened Alert Status Reduction of Exposure Continuity of Operations activities Pre-Event Actions Event Duration D P E A E T D I D F Recovery Probabilistic Detection Anomalies Port Scans Weird Stuff Actual Event Start Alert Detection Triggering Event Stop of activity Confirmation of Detection

73 Julie J.C.H. Ryan, D.Sc. Associate Professor George Washington University

74