CSM-ACE 2014 Cyber Threat Intelligence Driven Environments

Size: px

Start display at page:

Download "CSM-ACE 2014 Cyber Threat Intelligence Driven Environments"

Maude Bradley
10 years ago
Views:

1 CSM-ACE 2014 Cyber Threat Intelligence Driven Environments Presented by James Calder Client Services Manager, Singapore 1

2 CONTENTS Digital criminality Intelligence-led security Shylock case study Making threat intelligence work Countering digital criminality 2

3 DIGITAL CRIMINALITY Convergent trends in cyber and financial crime 3

4 RISKS IN CYBER SPACE Dec 2013 Initial disclosure Jan 2014 Full extent revealed Feb 2014 Supply chain link May 2014 Target CEO resigns 4

Criminal Gains Applied Intelligence EVOLUTION OF FRAUD ATTACK METHODOLOGIES "I've poured a glass of water down the back of the TV... but, I was told to do it by the man from the TV repair shop.

Claims Benefit Fraud Tax Evasion Internal Fraud Opportunistic Individuals First Party Fraud Application Fraud Tax Evasion Benefit Fraud Insurance Fraud Planned Planned Individuals and Small Groups

5 Criminal Gains Applied Intelligence EVOLUTION OF FRAUD ATTACK METHODOLOGIES "I've poured a glass of water down the back of the TV... but, I was told to do it by the man from the TV repair shop. - Woman from Europe Staged / Induced Accidents Tax Refund Fraud Identify Theft Insider Fraud Social Engineering First Party Fraud Cyber Attack + Fraud Phishing Account Takeover Automated Insurance Claims Benefit Fraud Tax Evasion Internal Fraud Opportunistic Individuals First Party Fraud Application Fraud Tax Evasion Benefit Fraud Insurance Fraud Planned Planned Individuals and Small Groups Organised Teams Skills for hire Hierarchy Technology enabled Highly scalable International After penetrating the computer network, the crime ring allegedly made more than 4,500 ATM transactions in about 20 countries around the world - Fox news Time / Confidence / Sophistication 5

6 Threat Actor Goal Method Definition Applied Intelligence THE ROLE OF CYBER IN ENABLING FRAUD Definitions Cyber-crime: Illegal or damaging acts in cyber-space (eg hacking, DDoS, information theft) Fraud Challenge Fraud attacks are attacks against a business process Cyber Challenge Cyber attacks are against information technology infrastructure Cyber-enabled crime: Crimes facilitated or enhanced through use of cyber-space Criminals seek to create or manipulate transactions. Criminals seek to steal data or control/disrupt systems. Digital criminal: Organised criminals who specialise in stealing money using cyber techniques Financial Gain Information Theft System Manipulation Economic Espionage Denial of Service 6

Cyber-enabled crime: Crimes facilitated or enhanced through use of cyber-space Criminals seek to create or manipulate transactions.

7 Intelligence-led security Understanding threat intelligence 7

INTELLIGENCE Targets (sector / region) Motivation / Persistence Tools / Tactics /

8 UNDERSTANDING THREAT INTELLIGENCE Malware signatures IOCs / IOAs Domain blacklists IP reputation lists Security mailing lists RSS feeds Open-source reports THREAT INTELLIGENCE Targets (sector / region) Motivation / Persistence Tools / Tactics / Procedures Attribution / Affiliation Socio-political context Business impacts Suggested mitigations 8

9 DRIVES THE BUILDING OF INTELLIGENCE MODELS Police Banks Investigators Criminals Malware Victims Infrastructure Researchers CERTs 9

10 SIX STEPS TO INTELLIGENCE-LED SECURITY PERFORM THREAT ASSESSMENT DETERMINE INTELLIGENCE REQUIREMENTS BUILD COLLECTION SOURCES OPERATIONALIZE THREAT INTELLIGENCE INTRODUCE SECURITY ANALYTICS GAIN SITUATIONAL AWARENESS 10

COLLECTION SOURCES OPERATIONALIZE THREAT INTELLIGENCE

11 Shylock Case Study Use of threat intelligence to counter digital crime 11

12 SHYLOCK A CYBER CRIMINAL INTELLIGENCE PROBLEM Criminals Malware Intelligence Model Infrastructure Victims 12

13 SHYLOCK FINANCIAL CRIME OPERATION Estimated at over 50K machines compromised Global victimisation, but with a preference for UK, US, and Italy UK US IT BR TW UA DE Other 13

14 HOW IT WORKS COMPROMISING THE VICTIM Criminals Malware Intelligence Model Infrastructure Victims 14

15 HOW IT WORKS MALWARE AUTOMATION Malware Criminals Intelligence Model Infrastructure Victims 15

16 HOW IT WORKS MALWARE AUTOMATION Malware Criminals Intelligence Model Infrastructure Victims 16

17 HOW IT WORKS MALWARE AUTOMATION Malware Criminals Intelligence Model Infrastructure Victims 17

18 HOW IT WORKS BANKING WEBSITE MODIFICATION Criminals Malware Intelligence Model Infrastructure Victims 18

19 FINDING THE C2 INFRASTRUCTURE Malware Criminals Intelligence Model Infrastructure Victims 19

20 LINKS TO MULE RECRUITMENT Malware Criminals Intelligence Model Infrastructure Victims 20

21 PUTTING IT ALL TOGETHER 21

22 THE SHYLOCK TAKEDOWN INTELLIGENCE INTO ACTION 22

23 Making threat intelligence work Turning people, process and technology into action 23

MONITORING Applied Intelligence FORMS OF THREAT INTELLIGENCE INCREASING VOLUME, DETAIL AND URGENCY Tactical Intelligence Operational Intelligence Strategic intelligence Immediate threat Emerging

24 MONITORING Applied Intelligence FORMS OF THREAT INTELLIGENCE INCREASING VOLUME, DETAIL AND URGENCY Tactical Intelligence Operational Intelligence Strategic intelligence Immediate threat Emerging threats Trend analysis Knowledge of threats Investment decisions Horizon scanning HOT SPOT SECURITY OPERATIONS SECURITY MANAGEMENT CORPORATE STRATEGY AND RISK DIFFERENCES IN LANGUAGE AND PERSPECTIVE 24

25 MAKING THREAT INTELLIGENCE WORK PEOPLE 25

26 MAKING THREAT INTELLIGENCE WORK ACTION APPLICATION OF THREAT INTELLIGENCE PAST Exposure Testing Apply the threat details to historical log data, and even closed alerts and incidents to easily identify previously unknown exposures to the threat PRESENT Current Investigations Apply the threat details to current alarms and incidents in the queue or under investigation to immediately alert operators and analysts to the active threat FUTURE Sensor Enrichment Apply the threat details to monitoring infrastructure to begin monitoring for and preventing new instances of the identified threat activity 26

27 IN A SECURITY OPERATIONS ENVIRONMENT Information sharing with trusted partners Centrally managed threat intelligence repository Indicators deployed to monitoring systems Ingest of structure and unstructured feeds Contextual information available to SOC analysts Integrated threat models for security analytics research 27

28 BAE Systems Applied Intelligence Level 28, Menara Binjai 2 Jalan Binjai Kuala Lumpur, Malaysia James Calder Client Services Manager, Singapore T: +60 (3) F: +60 (3) Copyright BAE Systems All rights reserved. BAE SYSTEMS, the BAE SYSTEMS Logo and the product names referenced herein are trademarks of BAE Systems plc. BAE Systems Detica and BAE Systems Applied Intelligence are trading names of Detica Limited registered in England (No ) with its registered office at Surrey Research Park, Guildford, England, GU2 7RQ. 28

If an alert falls in the forest, does your SOC hear it?

If an alert falls in the forest, does your SOC hear it? If an alert falls in the forest, does your SOC hear it? 2 It s a good question, and very topical. In the world of cyber, since the release of the