The Cyber Threat Profiler

Transcription

1 Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection

2 INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are exploding exponentially, as are the risks of compromise from cyber attacks. This is a situation that is only going to get worse. The number of suitably qualified and experienced security experts are not able to increase proportionately with this fast changing cyber world. The answer is not to recruit more experts to handle the increasing workload, but instead use technology force multipliers to reduce the analytical burden and increase staff efficiency. Organisations will only be able to reduce the risk from cyber attacks with the use of sophisticated security controls to monitor, understand and ultimately prevent these attacks. Cyberlytic has developed the Cyber Threat Profiler to support an organisation by utilising the latest artificial intelligence and heuristic techniques to analyse and manage the risk that any malicious activity may bring to an organisation s network. It provides an effective suite of decision support tools to exploit a range of cyber threats, providing intelligent security risk assessments. The tool compliments security experts and existing network security components, removing the need to increase human resources to manage the increasing situational awareness requirements of responding to malicious activity on the network. OVERVIEW The volume and sophistication of cyber attacks is growing at an alarming rate. Government and large businesses are subject to constant and simultaneous cyber attacks from multiple threat actors, of varying skill and capability. THE PROBLEM Keeping pace with security breaches is a major challenge. According to the 2014 Information Security Breaches Survey prepared by consultants PWC for the UK Government s Department of Business Innovation and Skills, over 80% of large organisations reported having experienced a cyber security incident in the previous year. The research found that 55% of large businesses were attacked by an unauthorised outsider during the year and 73% of large organisations, including those in the public sector, suffered a virus infection or a malware incident. It is clear that organisations can no longer accept conventional security controls to protect against the growing cyber threat. Highly sought after security experts are required to keep on top of the attacks, using their judgment and experience to prioritise the organisation s response. It is their job to avert potentially catastrophic attacks. MAINTAIN YOUR SECURITY TEAM, MAKE THEM MORE EFFICIENT TO HANDLE TOMORROW S CYBER THREATS The CTP increases the efficiency of expert security staff, meaning less staff can handle more cyber incidents Expert staff required to handle tomorrow s cyber threats of cyber attacks every day Millions of atacks every day Today. Large businesses are coping with the scale of attack (e.g. 3 SOC staff) Next year. An exponential increase in expert security staff is needed to handle the likely increase in cyber attack. Figure 1: Exponential Growth from Cyber Attacks GCHQ state there is likely to be a 20 year skills gap of expert security staff. Cisco state there is a 1M shortfall in security experts today. Copyright Cyberlytic Limited All Rights Reserved. info@cyberlytic.com 2

3 THE CTP CONCEPT The Cyber Threat Profiler (CTP) is a software solution that complements existing network security components to provide real-time risk assessment and prioritise security alerts. The CTP provides an additional layer of security intelligence to enhance the capabilities of attack containment and provide cyber resilience. Security intelligence: The CTP complements existing network security monitoring suites to provide a real-time cyber risk assessment. Artificial Intelligence: The CTP provides a unique approach to analysing large volumes of pure attack data to determine and continually adapt to changing and new threat profiles. It uses several Artificial Intelligence (AI) techniques, including machine learning, to analyse live and historic data. Heuristic analysis: Attacks on live networks are correlated against normalised attack data to determine the relative sophistication of the attack, as well as the likely capability and effectiveness of the attacker. THE CYBER DOMAIN The CTP analyses the risks within the Cyber Sphere and is built on the ISO standard to define the Cybersecurity domain. In essence Cybersecurity is a subset of multiple security layers as described in the figure below. The Cybersecurity domain is a complex interaction between people, software and services using the internet, supported by worldwide distributed physical Information and Communications Technology (ICT) devices and connected networks. INFORMATION SECURITY APPLICATION SECURITY CYBER SECURITY NETWORK SECURITY INTERNET SECURITY Critical Information Infrastructure protection Figure 2: BS ISO : Relationship between Cybersecurity and the other Security Domains CYBER THREAT Cyber threat is where an individual or group of attackers try to compromise a weakness in the ICT devices and connected networks where the effect is an unwanted action that results in potential harm to the assets, a system, individual or organisation within the Cybersecurity domain. At a high level, the cyber threats can take several different forms. They can range from the internal Insider or external Hacker threat where they attack an organisation using: Weaknesses in the configuration of IT systems; or Weaknesses in the applications hosted on the IT Systems. CYBER ATTACKS A cyber attack is where an individual or group seeks to identify a misconfiguration or software vulnerability and then attempts to exploit the weakness in order to access sensitive information. These attacks could take the form of: Malicious code (buffer overflows); Injection Attacks (SQL injection, Cross Site Scripting); Manipulation of business logic (understand the processes); Exploitation of misconfigurations (incorrect or missing hardening); or Phishing attacks (malicious s). They may combine these with non-cyber attacks such as social engineering, weak physical controls or the human insider. The exploitation of the weakness could result in the attacker destroying, exposing, altering, disabling, stealing or gaining unauthorised access to the organisations asset. This resource is usually an information asset that is stored, processed and transmitted within an ICT device and connected network, but could just as easily be a physical asset. CYBER RISK Cyber risk is the probability of an attacker (threat actor) identifying and compromising a vulnerability that results in an impact to the organisation affecting the confidentiality, integrity and/or availability of that asset within an ICT device or connected network. i.e. Cyber Risk is a function of (Threat & Impact & Vulnerability). THE CYBERLYTIC RISK METHODOLOGY A unique function of the CTP is that it provides a residual risk rating using the Cyberlytic methodology. It is based on quantifying the Cyber Risk defined above. An optional step in the configuration of the CTP is to work with the client organisation to configure the impact values. The client is best placed to assess the impact of a compromised asset, as they are the only ones to appreciate fully the consequence of that asset being compromised. The vulnerability values are defined by identifying the applications and services that are in use within the organisation. Once identified, they are then cross Copyright Cyberlytic Limited All Rights Reserved. info@cyberlytic.com 3

4 referenced against a known set of vulnerabilities. The Cyberlytic Risk Methodology provides a risk value that takes into account the effectiveness of the existing security controls that are in place. Whilst we may not know the full extent of the security controls that have been implemented, the Cyberlytic Risk Methodology can identify the effectiveness of the resultant security controls that are protecting the assets. algorithms are updated regularly to remain current with the changing threat profiles. The CTP consists of two key core design components: Cyberlytic Adaptive Ruleset (CAR); a virtual application hosted inline on customer environment Cyberlytic Intelligence Platform (CIP); an offline analytics platform The threat characteristics are determined fully by the CTP. The CTP assesses the characteristics of the attacker and the sophistication of an individual attack. The combination of the vulnerability, the impact and the threat characteristics are calculated using our Artificial Intelligence algorithms to provide the residual risk rating, which is an accurate measure of the infosec risk of a specific attack. THE CTP DESIGN The CTP profiles the threat of an attack, and where applicable the attacker, to CLIENT NETWORK CTP Interface Security Event Collector Security Event Storage Database (NoSQL) Security Event Storage Database (NoSQL) Cyberlytic Adaptive Ruleset (CAR) SQLIA (SQL Injection Attack) XSS (Cross site Scripting) CSRF (Cross Site Request Forgery) DDOS (Distributed Denial of Service) Update CAR Modules Training the Classifier Cyberlytic Intelligence Platform (CIP) Prioritisation of Events (Risk Rating) CTP create a set of quantifiable features that are used to determine, in a consistent, quantifiable and reliable manner, the Cyber security risk. Security Event Collector Anonymised Client Network Segment Cyberlytic Classification baselining process DATA /CTF The CTP is dependent on alerts being initiated by existing network security monitors, Security Information and Event Management (SIEM) or Intrusion Detection Systems (IDS), to provide an additional layer of security intelligence. The Cyberlytic API provides the mechanism to connect to existing security environments. The CTP prioritises alerts received by these systems, depending on the risk they pose to the target system and underlying data. The results are presented in realtime to security teams and incident handlers within the operations centre. It is agnostic of existing security systems, but is dependent on alerts being initiated by the security tools within the client network. The CTP has been designed to: Connect to existing IDS, SIEM or NSM and receive attack data. Optionally, deploy our own sensors to detect the threats and capture the attack data Optionally, replicate un-attributable aspects of the customer target network within an un-attributable honeypot environment to receive and refine more relevant attack data gained from the wider hacking community Apply Machine Learning algorithms in a multi-layered approach to the data received from the target and CTF environments, to safely learn the effectiveness of existing and new attack characteristics Artificial Intelligence (AI) algorithms within the locally installed CTP determine the relative sophistication and likely capability of the attacker Each attack is prioritised and presented to security teams based on the risk to your business Supervised, semi-supervised and unsupervised learning means the AI Figure 3: The CTP Components THE CYBERLYTIC ADAPTIVE RULESET (CAR) The CAR provides an inline real-time assessment of each attack detected. It collects relevant attack data from the existing security tools and parses them to the threat modules. The CAR has a series of threat modules to determine the relative sophistication of attacks, together with the likely capability of the attacker. Each threat module represents a particular attack category, such as SQL (Standard Query Language) Injection Attack (SQLIA), Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF) and Distributed Denial of Service (DDOS). This supports the security incident response handler in taking appropriate and immediate action. These modules provide the real-time intelligence assessment and event prioritisation. Our unique and patented approach to characterising attacks means the CTP provides the highest accuracy of any security intelligence tool of its type. The adaptive ruleset is frequently and automatically updated via analysis of the Cyberlytic Intelligence Platform (CIP) without the need for a cyber security expert to interpret the rules. This allows the inline security event assessment to remain current, even as the threat sources are changing. CYBERLYTIC INTELLIGENCE PLATFORM (CIP) The CIP undertakes detailed analysis of all security data to identify changing threat profiles. The analysis process uses a multi-layered approach to perform a number of mathematical techniques. The CIP has been designed to analyse large volumes of data and has been designed to support big data analytics. Copyright Cyberlytic Limited All Rights Reserved. info@cyberlytic.com 4

5 The layers range from deep packet inspections through to event log analysis. The various layers gather specific attributes and use them for the differing mathematical analyses. The solution uses supervised, semi-supervised and unsupervised machine learning algorithms to continually update the adaptive rules that are maintained within the CAR. This allows the CTP to identify anomalies and reduce the impact of false positives whilst also being able to accurately classify the attack. This provides the flexibility to identify new attack vectors whilst assessing the risk from already known attack vectors. The machine learning can be carried out within the customer environment or offline within the Cyberlytic s cloud CIP. For customers unable to connect to Cyberlytic s cloud CIP, local CAR rules will be updated at agreed intervals using approved methods. THE DISPLAY The CTP results are presented using real-time displays to the Security Operations Centre (SOC) to support the security teams and incident handlers. The output follows the Structured Threat Information expression (STIX) standard to allow easy communication of the analysed threats to support transfer of data to existing reporting mechanisms. THE BENEFITS Cyberlytic has developed a security intelligence platform that uniquely learns and evolves the classification of cyber attack data. Highest accuracy Patented classification approach provides the most accurate attack detection available Machine learning continues to improve the accuracy of the toolset, meaning the risk of compromise will continue to be reduced over time Attacks are prioritised Security alerts are immediately prioritised based on the risk of the attack Increased effectiveness of the security response team Business Risk Context Protect your most important assets Proportional cyber defence through true recognition of infosec risk Expert decision support Integrates with and enhances existing security management systems Proactive, intelligence led, adaptive ruleset eliminates false positive results Vendor agnostic Complements other security systems Response time reduced from days to minutes Supports the Security Incident Handler in making timely and critical decisions. The CTP is an adaptive, expert learning and decision support tool. It allows security teams to respond immediately to serious attacks. This enables businesses to assess each cyber attack in real-time to determine the security risks to an organisations information assets. Copyright Cyberlytic Limited All Rights Reserved. info@cyberlytic.com 5

6 ABOUT CYBERLYTIC Cyberlytic is the originator and owner of intellectual property relating to real-time risk assessment and prioritisation of cyber-attacks. In January 2013, the founders of Cyberlytic were awarded two proof of concept contracts with the MOD (Defence Science and Technology Laboratory) and GCHQ respectively, to provide a cyber situational awareness software tool. The projects were successful, proving that a cyber attack could be prioritised depending on the relative sophistication of the attack and the likely capability of the attacker. As a result of the proof of concept, Cyberlytic has developed the Cyber Threat Profiler (CTP). The CTP applies security intelligence ( enterprise-security-intelligence-esi) by analysing attack data provided by a Capture the Flag (CTF) environment and customers existing security systems (there could be thousands of alerts at any one time) to instantly determine the risk of each attack and help the security team prioritise their response. For more information, visit Cyberlytic Limited is registered in England (No ) with its registered office at 88 Wood Street, 10th Floor, London, England, EC2 7RS. Copyright Cyberlytic Limited All Rights Reserved. Cyberlytic and the names of Cyberlytic s products referenced herein are trademarks of Cyberlytic Limited and are registered in certain jurisdictions. For more information contact: info@cyberlytic.com Tel: +44(0) MAR-WP-A4-V Real-time Risk and Security Intelligence Copyright Cyberlytic Limited All Rights Reserved. info@cyberlytic.com 6