Threat Intelligence: Friend of the Enterprise

Transcription

1 SECURELY ENABLING BUSINESS Threat Intelligence: Friend of the Enterprise Danny Pickens Principal Intelligence Analyst MSS FishNet Security

2 DANNY PICKENS Principal Intelligence Analyst, FishNet Security Expertise: Military & Counterterrorism Intelligence Business & Competitive Intelligence Intrusion Detection Incident Handling & Management Cyber Threat Analysis Background: United States Marine Corps & Army Reserve Federal Contractor (supporting Department of Defense and other organizations) Department of Agriculture Security Operations Center FishNet Security

3 WANT ME SOME INTELLIGENCE Our collective ignorance of intelligence has undermined not only our intelligence capabilities, but ultimately the policy makers and citizens served. ~ Henry A. Crumpton The Art of Intelligence: Lessons from a Life in the CIA s Clandestine Service [Many] just think you can buy intelligence or download intelligence and don t realize they need to develop intelligence. ~ Scott Roberts Director of Bad Guy Catching GitHub

4 INTELLIGENCE: DEFINED Intelligence is the result of the collection, analysis and timely dissemination of intelligence information concerning threats and vulnerabilities to an organization. Why Intelligence? Provides localized threat identification. Assists in remediation and countermeasures for critical infrastructure. Improves the overall security posture for the organization.

5 INTELLIGENCE: DOMAINS COLD WAR Targets of Intelligence Efforts Perpetrators Former Soviet Union and its allies Soviet government seen as source of inimical activity Weapons Potential Targets of Attack Focus Strategic and conventional forces Counterforce and countervalue targets in the U.S. and the territories of its allies Large-scale military action

6 INTELLIGENCE: DOMAINS COUNTERTERRORISM Targets of Intelligence Efforts Perpetrators Individuals, small cells and networks, and state sponsors Increasingly anonymous Weapons Potential Targets of Attack Focus Light arms to large-scale weaponry and potentially weapons of mass destruction Vast number of highly symbolic, relatively soft targets Individual incidents and trends

7 INTELLIGENCE: DOMAINS CYBER Targets of Intelligence Efforts Perpetrators Individuals, cells and networks, and states with information warfare capabilities Anonymous only have technical signatures Weapons Potential Targets of Attack Focus Cyberweapons or conventional weapons against critical information and communication nodes Range from individual websites to national critical infrastructure Individual incidents, trends and patterns in attacks and vulnerabilities that can be exploited

8 INTELLIGENCE: DISCIPLINES DISCIPLINES HUMINT SIGINT GEOINT IMINT OSINT TECHINT Intelligence information derived from human sources. Collected from various communications mediums. Geospatial intelligence concerning terrain. Intelligence derived from satellite imagery or aerial reconnaissance. Intelligence data collected via publicly available resources. Technical information collected from internal technologies and platforms.

9 INTELLIGENCE CYCLE: REPEATABLE Requirement Gaps in knowledge surrounding a threat or vulnerability. Collection Research conducted against the requirement. Analysis & Production The process of fusing raw data and information into a finished product. Analytical methodologies used to visualize and validate hypothesis and conclusions. Dissemination & Integration Distribution of the finished product to Operations in a timely fashion. Dissemination & Integration Requirement Analysis & Production Collection

10 REQUIREMENTS Intelligence Cycle Good IRs are structured based on the following criteria: Necessity: Is it necessary to answer this question? Feasibility: Can we feasibly collect this information? Timeliness: Is the intelligence requirement timely? Specificity: Is the requirement specific enough? Primary Intelligence Requirements Intelligence Requirements Requests for Information

11 COLLECTION Intelligence Cycle Areas to consider: Actual collection of data Collections management Collection process: Obtain information needed to answer requirement Internal (logs and events from network appliances) External (commercial or open source intelligence) Collection sources should be: Trustworthy Reliable IP ADDRESSES URLs / DOMAINS NETWORK / HOST ARTIFACTS TOOLS FILE DATA / HASHES TTPs

12 ANALYSIS & PRODUCTION Intelligence Cycle Intelligence Analysis: Examines and evaluates raw data and information. Determines if it is applicable to organization or environment. Produces products and assessments for implementation. The Intelligence Analyst Role: Identify and retrieve pertinent information within collection management system. Correlate information against additional sources. Research while utilizing personal knowledge and expertise. Produce assessment or finished product. Critical thinkers and Subject Matter Experts (SME) in their field. Draw conclusions based off of differing sources of information and to extract the appropriate information within without bias. Link Analysis Timeline Analysis Analytical Approaches Trend Analysis

13 ANALYSIS Intelligence Cycle :00 1:00 2:00 3:00 4:00 5:00 6:00 7:00 8:00 9:00 10:00 11:00 12:00 13:00 14:00 15:00 16:00 17:00 18:00 19:00 20:00 21:00 22:00 23:00 Account Locked Brute Force Cncrnt Auth From Multi Cities Cncrnt Auth Multi Regions Detected Malware Activity Detected Virus Activity Failed Virus Activity FNS APT 1 Rule FNS Shun List General Antivirus Warning Group Created Multi Unique Attcks Against ihost Recon followed by Attack Temp Accnt Created, Used, Deleted User Account Created

14 ANALYSIS Intelligence Cycle Country Count % Korea % China % United States % Germany % Taiwan % Brazil % Japan % India % RussianFederation % France % Canada % Ukraine % United Kingdom % Australia %

15 ANALYSIS Intelligence Cycle Event Count % FNS APT1 Rule % Accnt Attck:Brt Force Single ohost % FNS Shun List % Detected Trojan Activity % User Logon Failure % Recon Followed By Attck % VPN Session Started % Policy Modified : Firewall/ACL % User Logon %

16 DISSEMINATION & INTEGRATION Intelligence Cycle Key Sections for a Finished Product: Executive Summary Bottom Line Up Front (B.L.U.F.) Main Body Key Points Technical Analysis Rules to Apply Conclusion Recommendations Assessments The best thing an intelligence analyst can provide to his customer is a finished product which is actionable and timely.

17 SCOPING LEVELS OF EFFORT STRATEGIC IPB/Overall Threat Assessments Risk Assessments Categorizing Threats & Threat Groups Intelligence Informs Policy OPERATIONAL Current & Emerging Threat Research Trend & Historical Analysis Preventative Analysis Intelligence Drives Operations TACTICAL Case/Incident Investigation Damage Assessment Attribution Intelligence Leads Response

18 EFFECTIVE INTELLIGENCE Open lines of communication both with and to the enterprise. Channels of communication should be opened up to: Executive staff Internal IT staff User base External sources Allows for greater collection of information and data, more in-depth analysis and trusted dissemination. INTELLIGENCE SENIOR MANAGEMENT IT STAFF USERS EXTERNAL Intelligence must be tasked to meet operational needs, and equally, it is essential that operations implement the output of intelligence.

19 SHARING Uptick in Intelligence sharing frameworks over the past couple of years, from Mandiant s OpenIOC to MITRE s offerings of CyBox, STIX and TAXII. Organizations should be involved and have a willingness to share collected intelligence data with not only the industry, but with parties seen as competitors.

20 THE TAKE AWAY Invest in the proper PEOPLE and TOOLS. Encourage internal development (DEVOPS). Allow for open COMMUNICATION channels. Don t shy away from SHARING. Make it OPERATIONAL.

21 THANK YOU Danny Pickens Principal Intelligence Analyst - MSS FishNet Security [email protected] Global Threat Intel Center Managed Security Services - gtic FishNet Security [email protected] fishnetsecurity.com/6labs