Ty Miller. Director, Threat Intelligence Pty Ltd

Transcription

1 Ty Miller Director, Threat Intelligence Pty Ltd Security Specialist Creator of Threat Analytics CREST Tech Lead, Assessor, Board of Directors Trained likes of FBI, US DoD, US Mil, International Govt agencies, Palo Alto, FireEye, Juniper, Tripwire, Cisco, VMware, Yahoo and so on. Black Hat Practical Threat Intelligence Training The Shellcode Lab Training Security Researcher Black Hat Reverse DNS Tunneling Shellcode Core Impact DNS Channel Shellcode BeEF Bind Shellcode Author Hacking Exposed Linux 3rd Edition

2 What are we doing here? Help you how to understand how to implement Intelligence-Based Security into your organisation

3 What is the current Threat Landscape? Threats: Script Kiddies Hactivists Cyber-Criminals State-Sponsored Attacks Attacks Zero-days Malware Infections Web Application Vulnerabilities Spear Phishing Attacks Internal Threats

4 Why do we suddenly care? We Are All Running Zero Day Vulnerabilities CVE / OSVDB: Buying Into The Bias - Why Vuln Stats Suck

5 What is the Cyber Kill Chain? What is the Cyber Kill Chain? Reconnaissance Weaponization Delivery Exploit Installation Command & Control Actions Where do attacks typically get detected?

6 What is Intelligence-Based Security? What do people think Intelligence-Based Security is? What is Intelligence-Based Security actually?

7 What is Intelligence-Based Security?

8 Intelligence Strategy What key assets do you really want to protect? Calculate the costs associated with a security breach What are your global and local threats? How would those threats compromise your key assets? Develop Threat Scenarios Identify Indicators of Compromise (IOCs) Develop likelihood and impact at each Threat Scenario Phase

9 Intelligence Strategy Identify techniques to gather the intelligence to detect the IOCs Identify techniques to proactively prevent the security breach before it occurs Calculate the costs of implementing and operating your Intelligence-Based Security Strategy

10 What do you need to invest in to implement intelligence? Security Team Threat Analysts Intelligence Capabilities Security Systems Systems/Software that will detect your IOCs Intelligence Architecture (Cloud?) Processes IOC detection monitoring Incident Pre-sponse Automated Response Threat Dissemination

11 Intelligence Aggregation Which intelligence sources are right for you? Open Source Intelligence (OSINT) Human Intelligence (HUMINT) Internal Intelligence Counter Intelligence Intelligence Sharing Which systems and feeds help you detect your IOCs?

12 Threat Analysis What are we looking for? Detect an IOC (Indicator of Compromise) SIEM Data Visualisation Big Data Analytics Third Party Systems and Software Map where that indicator fits into our threat scenarios Identify how far the attacker has breached the environment

13 Threat Analysis Identify the Threat Intent If we know the type of attacker, we can gain insight into their intent Script kiddie looking for another point on a score board Hactivist going to paste our data onto Pastebin State sponsored attack stealing our Intellectual Property

14 Threat Analysis Data Visualisation Attack Map

15 Threat Analysis Attack Severity and Frequency over Time

16 Operational Intelligence Threat Detected. Now What? Threat Calculation Step 2 of 10 in Threat Scenario 4: = 5% chance of $1,500,000 in losses Step 6 of 10 in Threat Scenario 4: = 75% chance of $1,500,000 in losses

17 Course of Action Operational Intelligence Step 2 of 10 in Threat Scenario 4: = 5% chance of $1,500,000 in losses Actions: Search for IOCs relating to steps 3-10, Inform security team members, Enable automated prevention measures.

18 Course of Action Operational Intelligence Step 6 of 10 in Threat Scenario 4: = 75% chance of $1,500,000 in losses Actions: Inform board, Restrict access to Australia only, Disseminate threat info, Remove and clean up breach.

19 Operational Intelligence Strategy Feedback Loop Feed lessons back into the strategy, processes, procedures, and systems.

20 Questions? Questions and Thanks Thanks for attending Ty Miller Director, Threat Intelligence