Cyber Threat Management platform. Defense against known and unknown threats

Fox-IT, Management Summary, April 2015
The cyber threat landscape is constantly evolving

Cyber security is not just about technology

What do Sony, Target, Home Depot, JPMorgan Chase, AT&T and Gemalto have in common? They have all been hacked recently. Valuable customer and business secrets were stolen, resulting in great financial loss, bruised reputations and, in some cases, the departure of company management.

In recent years the number of IT security incidents has risen sharply. Digital scams, fraud, espionage and blackmail seem to be daily news. The overall cyber threat landscape has changed to a degree we have not seen since our establishment in 1999. Unfortunately, it is getting even more problematic. From our intelligence operations we see international criminal groups operating increasingly under the protection, and in some cases with the help, of governments. We have been involved in a number of high-profile espionage cases where we led the emergency response. From this we see highly advanced malware used by state actors, designed to circumvent current (state of the art) detection methods. Eventually, this type of sophisticated malware finds its way into the hands of criminals. Employed by criminal groups, hackers could disrupt the economic and financial interests of companies as well as their reputations. Hackers with more political motives may even be positioned to endanger national security.

This means the cyber threat landscape is about to change even further. It continues to threaten economic growth, geopolitical relations, business interests and, through the internet of things, our personal safety. Our belief is that the current state of cyber security solutions is insufficient to protect against these threats. We feel a more holistic, intelligence-driven and operational approach to cyber security is required to protect against such advanced threats. First off, cyber security is not just about technology.
To counter the evolving cyber threat facing organizations today, business leaders must ensure they have an understanding of the cyber threat landscape specific to their organizations. From this insight, an integrated approach to cyber security can be developed that is tailored to the threat landscape and the underlying business risk, addressing not only the technical aspects of their defense but also the human and organizational elements. This is why we are presenting our approach and Cyber Threat Management platform in this brochure, informing you how you can be better prepared against advanced attacks.

Ronald Prins, CTO and co-founder

Previously, Ronald Prins worked as a scientific researcher at the Netherlands Forensic Institute (NFI). He gained recognition by breaking codes on cryptographic security systems encountered by law enforcement in criminal investigations. Ronald also contributed to new methods and best practices for obtaining digital information in criminal investigations. He co-founded Fox-IT with Menno van der Marel in 1999, seeking to fully apply his creativity in developing innovative security solutions for highly sensitive environments. Ronald studied applied mathematics and went on to specialize in cryptography at the Delft University of Technology.
How to manage your risks?

Dealing with the unknown

That pretty much sums up the problem all organizations face with regard to defending against cyber threats. The challenges we face as a community are part of risk management and mitigation more than anything else. The people, processes and technology we employ cater for this necessity.

Just a couple of years ago, attackers mostly used the same tools and techniques, and by looking for these knowns and incorporating such information into semi-automated detection systems, we had a reasonable line of defense. Today this is no longer the case. We are constantly confronted with unknown actors as well as new attack vectors, changing methods and customized tooling. Protecting an organization with a high-risk profile against cyber threats has become a game of cat and mouse: once a new security system is implemented, hackers will immediately try to break it. It is therefore important to understand the threat landscape and the associated risks. To stay ahead of cyber adversaries it is no longer sufficient to protect against known threats. Organizations also have to be able to protect against unknown threats.

The difference between known and unknown threats

The common denominator is time. Even relatively novel and highly sophisticated techniques like Stuxnet, Regin and Quantum Insert eventually become known. The challenge then becomes shortening this time differential as much as possible. Traditional and current solutions focus on incorporating as many known threats as possible, in the form of static information such as IP addresses, into detection and blocking mechanisms. This makes sense and is good practice to maintain a baseline level of security.

The trouble is that the effectiveness of this method is rapidly decreasing, and it primarily protects organizations against nuisance. As attackers become ever more nimble with their attack infrastructure, the life-cycle of static information is rapidly becoming shorter. What's more, detection solutions that rely on static intelligence do not focus on the specific organizational context. The time delay of information on more sophisticated attacks is relatively long. Advanced Persistent Threats (APTs) sit at the top of the risk range and are rarely known. This means that the effectiveness of this method is becoming limited.

[Figure: known and unknown threats plotted against time; the axes are labelled "(potential) risk and impact" (low to high) and "volume of intelligence" (high to low).]

Another issue with these traditional and current solutions is that they are not designed to facilitate security analytics. When something is blocked, they typically do not offer the context or metrics that would help an organization fully understand or learn from the security event. Addressing these two aspects is in our view the next critical challenge, and it implies that organizations should not merely rely on vendor intelligence, but require the capability to detect both known and unknown threats from their own environment.
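To make the two problems above concrete (static indicators age out, and a bare block carries no context), here is an added example in Python. It is not code from the brochure or from Fox-IT's platform. Each indicator carries a time-to-live plus actor and source context: a match on a fresh indicator alerts, a match on an aged-out indicator is downgraded to a retroactive hunting lead rather than a block, and a per-actor coverage summary shows what the indicator set still protects against. The feed entries, addresses, actor names and events are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Indicator:
    value: str            # the static observable, e.g. an IP address or domain
    kind: str             # "ip" or "domain"
    actor: str            # contextual intelligence: who is known to use it
    source: str           # where the indicator came from
    last_seen: datetime   # last time the source observed it in use
    ttl: timedelta        # how long after last_seen it is still trusted for alerting

    def is_active(self, now: datetime) -> bool:
        return now - self.last_seen <= self.ttl


NOW = datetime(2015, 4, 15, tzinfo=timezone.utc)

# Constructed indicator feed; actor names and addresses are hypothetical.
FEED = [
    Indicator("198.51.100.23", "ip", "actor-A", "vendor feed",
              NOW - timedelta(days=2), timedelta(days=7)),
    Indicator("203.0.113.77", "ip", "actor-B", "incident response",
              NOW - timedelta(days=30), timedelta(days=7)),
    Indicator("update-check.example", "domain", "actor-A", "vendor feed",
              NOW - timedelta(days=1), timedelta(days=14)),
]

# Constructed firewall/proxy events: destination IP and, for proxy events, the requested host.
EVENTS = [
    {"id": 1, "src": "10.0.0.5", "dst": "198.51.100.23", "host": None},
    {"id": 2, "src": "10.0.0.9", "dst": "203.0.113.77", "host": None},
    {"id": 3, "src": "10.0.0.5", "dst": "192.0.2.10", "host": "update-check.example"},
    {"id": 4, "src": "10.0.0.7", "dst": "192.0.2.44", "host": "intranet.example"},
]


class IndicatorStore:
    """Exact-match lookup table; several indicators may share one value."""

    def __init__(self, feed):
        self._by_value = {}
        for ind in feed:
            self._by_value.setdefault(ind.value, []).append(ind)

    def lookup(self, value):
        return self._by_value.get(value, [])


def evaluate(events, store, now):
    """One finding per event/indicator match.

    status "alert": the indicator is still within its TTL, act on it.
    status "retro": the indicator has aged out; the match is a lead for
    retroactive investigation, not a reason to block. Every finding carries
    the actor and source so the analyst gets context, not just a hit.
    """
    findings = []
    for ev in events:
        for observable in (ev["dst"], ev["host"]):
            if observable is None:
                continue
            for ind in store.lookup(observable):
                findings.append({
                    "event": ev["id"],
                    "status": "alert" if ind.is_active(now) else "retro",
                    "indicator": ind.value,
                    "actor": ind.actor,
                    "source": ind.source,
                    "age_days": (now - ind.last_seen).days,
                })
    return findings


def coverage(feed, now):
    """Per-actor count of active and expired indicators: what the feed still covers."""
    cov = {}
    for ind in feed:
        entry = cov.setdefault(ind.actor, {"active": 0, "expired": 0})
        entry["active" if ind.is_active(now) else "expired"] += 1
    return cov


if __name__ == "__main__":
    for finding in evaluate(EVENTS, IndicatorStore(FEED), NOW):
        print(finding)
    print(coverage(FEED, NOW))
```

With the constructed feed, event 2 hits an indicator that was last seen 30 days ago with a 7-day TTL, so it becomes a "retro" lead for the analyst instead of an automatic block, and the coverage summary shows that nothing active remains for actor-B, which is exactly the gap a vendor-only feed would hide.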
Know your adversaries

The continuous process of advanced cyber security operations

In our view, it is no longer tenable for organizations to assume they can cope with the current threat landscape by employing fragmented and static solutions. To stand a fighting chance against the more advanced threats, organizations need to build up (or outsource) operational capabilities in the four critical areas of intelligence, prevention, detection and response.

[Figure: the continuous process of advanced cyber security operations ("Effective Security Operations, developed from Incident Response experience"). Elements: strategy, policy and architecture; asset and vulnerability management; threat analysis; security monitoring; threat detection (triage); operational security incident management; emergency response and investigation; advanced threat management. Intelligence feeds each of the Prevent (P), Detect (D) and Respond (R) phases.]

Intelligence: know your adversaries! Without knowing your enemies and their intent, it is impossible to protect against the threats they pose. To counter the evolving cyber threats organizations face today, business leaders must ensure they have an understanding of their organization's specific cyber threat landscape and how it relates to their critical assets. From this insight, an integrated approach to cyber security can be developed that is tailored to the particular risks of the organization. This should address not only the technical aspects of their defense, but also the people and organizational elements. On an operational level, all information and knowledge about current threats and threat actors should be stored and used to derive threat coverage for the security operations.

Prevent: the key here is to develop a layered defense in accordance with the overall threat landscape, aiming to increase the odds of threat coverage, detection and remediation. This forms the basis for cyber security strategy formulation, architecture design and policy formulation. Once implemented, this is followed by the active monitoring and control of critical assets, including continuous scanning for vulnerabilities that adversaries may exploit to gain access to the organization.

Detect: threat detection is only as good as the relevant intelligence feeding the deployed solutions to detect relevant (business) threats. Increasingly, this means developing the ability to detect as yet unknown threats from an organization's own environment. This requires an operational environment that facilitates intelligence-driven security analytics, where threat intelligence can be translated into threat coverage models, tested for effective detection, and efficiently deployed into the threat management platform. When new threat coverage is deployed, the security analytics team needs to continuously research and optimize the threat detection output.
This is typically done by expert threat analysts with in-depth knowledge of the threat environment (actors, attack vectors, modus operandi, etc.). The output of this process then feeds the operational security monitoring and provides relevant threat context to the analysts who know the organization's IT environment. They perform triage and investigations to assess (prioritized) security events for their potential business risk and initiate the response accordingly.

Respond: the respond process is activated when security incidents have been validated through triage and initial investigation. Once it has been confirmed that the event is not a false positive, a swift response is required. The incident response management process depends on the severity of the incident. Most incidents will have relatively little business impact (as they are detected directly upon entry), while some could imply serious business risks, such as a large data breach, financially-related crime, espionage or even worse. These are crisis situations that require an emergency response and investigation process. In some cases this may also require observing attacker behavior as part of intelligence gathering before removing a specific threat. These are considered advanced threat management techniques and are primarily reserved for organizations with high maturity in cyber security.

This essentially describes the continuous process of advanced cyber security operations. This process can greatly increase the overall posture through its intelligence-driven, operational approach that investigates not merely known threats but also indications of unknown threats. When executed well, it increases the speed of translation from coverage to intelligence and back. This process should be as seamless as possible and is reflected in the model shown in the figure.

[Figure: the Cyber Threat Management model compared with traditional products. Labels: adversaries; unknown threats and known threats; threat intelligence feeding Prevent, Detect and Respond; response time.]
Insight into the overall threat landscape

The Data Breach Investigations Report (DBIR) is an annual study conducted by Verizon with contributions from 50 organizations, representing public and private entities from around the world. The dataset that underpins the DBIR comprises over 63,000 confirmed security incidents. Security incidents are therefore no longer restricted to confirmed data breaches. This evolution of the Verizon DBIR reflects the experience of many security practitioners and executives who know that an incident need not result in data exfiltration to have a significant impact on the targeted business. Security incidents are defined as:

1. Incident: a security event that compromises the integrity, confidentiality or availability of an information asset.
2. Breach: an incident that results in the disclosure or potential exposure of data.
3. Data disclosure: a breach for which it was confirmed that data was actually disclosed (not just exposed) to an unauthorized party.

As the Verizon DBIR includes confirmed incidents, it provides insight into the overall threat landscape. The threat landscape picture per sector accurately matches that of Fox-IT, with the notable exception of cyber espionage-related incidents. Based on our data, Fox-IT recognizes a larger espionage threat for the public sector than outlined in the Verizon DBIR.

[Figure: Verizon DBIR 2014 incident classification patterns (denial of service attacks, crimeware, web application attacks, cyber-espionage, miscellaneous errors, card skimming, physical theft or loss, insider misuse, point-of-sale intrusions, everything else) shown per sector: public sector, travel and hospitality, energy and utilities, health care, financial services, retail, manufacturing and professional services. Source: Verizon DBIR 2014.]

Top 10 discovery methods within cyber-espionage (n=302), Verizon DBIR 2014: 85% external in total, 15% internal in total; related party 65%, law enforcement 16%, antivirus 8%, NIDS 2%, reported by user 2%, log review 1%, unknown 1%, other 1%, customer 1%, audit <1%.

Significant increases in cyber security spending

Although the increased awareness of cyber threats and related business risks has led to significant increases in cyber security spending, according to several studies this does not result in a significant reduction in cyber security incidents (see chart above). This raises questions about the effectiveness of current cyber security strategies and their implementation. First off, cyber security is not just about technology. To counter the evolving threats facing organizations today, business leaders must ensure they have a clear understanding of their organization's specific cyber threat landscape. From this specific insight, an integrated approach to cyber security can be developed that is tailored to the particular business risks, addressing not only the technical aspects of their defense but also the people and organizational elements. Drawing on this experience, organizations can reduce the risks to their business significantly by building up (or outsourcing) specialized and dedicated operational capabilities in the four critical areas: intelligence, prevention, detection and response. The effectiveness of cyber security investments and the overall posture can greatly increase through an intelligence-driven, operational approach that investigates not merely known threats but also indications of unknown threats.
The need for integrated solutions

How to conduct your operations successfully

Following the challenges and conclusions outlined in the sections above, Fox-IT is expanding on its existing cyber security technology, and is continuously developing additional functionality and more efficient operations to address these new challenges. This intelligence-driven Cyber Threat Management platform is in essence the underlying technology for conducting advanced cyber security operations.

General overview

Our experience is that most clients already have a myriad of solutions in place providing functionality like antivirus, firewalling and baseline intrusion prevention. Many companies then choose to feed the output from this disparate solution landscape into a Security Information and Event Management (SIEM) appliance, where correlation is applied. This works, up to a point. SIEMs excel at applying well thought-out use cases, but lack the depth of information required to provide the investigative and intelligence cycles needed for successful advanced threat management. One of the reasons is the lack of a feedback loop to most of the data generators (or log sources). This means that you need visibility and the ability to control and manipulate output, particularly at the network and host levels. Accordingly, Fox-IT has developed solutions for both levels. To actually make use of this visibility, these solutions must work together in a logical way. To do this, we are developing the following components:

1. Cyber Threat Management Portal

The portal serves as the gateway to all underlying systems in the Cyber Threat Management environment. It will be used by our own analysts, by those of our partners (managed service deployment) or by end-customers (hybrid service deployment) to conduct cyber security operations on various levels. The portal also abstracts the technical and operational information for tactical and strategic management. The level determines the functionality, information form and abstraction. On the operational layer, analysts are presented with a threat analytics environment with integrated workflow from which they can see and investigate security incidents. The environment also enables analysts to do threat research and apply intelligence to the overall platform.

Operational: the portal provides an operational environment that streamlines day-to-day security operations and boosts security effectiveness through a multi-layered defense model that prevents or detects threats at each stage of the attack. The workflows in this environment are based on our experience in conducting cyber security operations for many years, and are currently in use in our Security Operations Center.

Tactical & strategic: on these levels the portal incorporates intelligence and operational data to provide a useful overview of the current threat landscape for an organization. This enables both the reduction and prioritization of the security alerts that the security teams handle in the operational security monitoring and incident response functions. The tactical response benefits from the fusion of intelligence-based context with security events. On a strategic level, the portal feeds the CISO and senior management with threat landscape information as a basis for both cyber threat mitigation and risk management. This is supplemented by contextual intelligence, from which an understanding is gained of adversarial motives and intents, enabling organizations to transition from a reactive security model to a proactive model based on risk management, and driving better, more informed responses to security incidents.

[Figure: platform architecture. Data capture (forensic retention; normal sources) feeds processing and operations, with a bidirectional link to the Cyber Threat Management components and a unidirectional link to the SIEM. Intelligence is split into contextual and applied. Cyber Threat Management operations are intelligence- and analysis-driven; SIEM operations are use case-driven.]

2. Intelligence as a core component

Intelligence is delivered as a central component of the entire platform via our Cyber Threat Management Portal. The intelligence module consists of two major divisions in terms of the information supplied.

Contextual intelligence: contextual information is the information which, combined with the experience of an analyst, enables an organization to make informed decisions about attackers, their methods and any infrastructure that is available as part of the platform. This information often includes very detailed descriptions of major participants in the current threat landscape, applicable either to any organization or to a specific sector or organization. From this starting point, it is often possible to draw conclusions regarding the intent of an attacker. When an alert is received, this information is correlated and made accessible to the analyst.

Applied intelligence: contextual information is translated into detection mechanisms for use on network and endpoint systems.
Where contextual information describes the attacker and his or her modus operandi, applied intelligence focuses on how to detect it. This information is maintained in a specialized coverage system, giving an overview of what threats the organization is protected against and how this was determined. This is an important aspect of making the translation from operations to a strategic overview. This intelligence is delivered via correlation on alerts and incidents, and on demand via our Cyber Threat Management Portal. In both contextual and applied reporting, it is possible to ask our threat analysts questions about the information presented.

3. Network module

Based on our existing network monitoring service, the network module provides broad coverage over the entire network. The primary functionality of the network module is to investigate and apply detection to known (rules) and unknown (heuristics) threats. It therefore has built-in forensic data retention capabilities allowing for retroactive investigation. The network module also enables the rapid deployment of customized detection policies following from events in other modules.

4. Endpoint module

The endpoint module provides both prevention and threat visibility on hosts (endpoints and servers). It uses a signature-less approach to provide strong prevention and detection layers on hosts, enabling the detection of both known and unknown threats. Additionally, it forms an integral part of the investigation and response functions. It allows for the deployment of customized policies and rules for specifically identified threats and has functionality for remote remediation. Where the network module provides breadth to the Cyber Threat Management platform, the endpoint module provides depth.

5. Adaptive Defense module

As cyber attacks become increasingly advanced in nature, it becomes imperative for organizations to deploy security tools that enable the detection of targeted attacks using as yet unknown attack vectors or methods. The adaptive defense module will provide the possibility to detect heretofore unknown attacks, and complements the other modules. The adaptive defense module is essentially a honeypot network of fake endpoints and servers. When unsimulated activity is noted on these machines, it is by definition an anomaly and is an instant trigger for further investigation. The adaptive defense module not only provides organizations with awareness of attack and breach activity, but also contributes to intelligence by making unknown threats known.

6. Log module to enable SIEM integration

The Cyber Threat Management platform can communicate with existing SIEM technology through the open Common Event Format (CEF) standard. We are able to feed events into various SIEMs to prioritize customers' operational security monitoring activities. Currently under development is the ability to provide intelligence context to specific SIEMs. Where most SIEMs have correlation rules, we foresee the ability to enhance these existing rules by providing intelligence from both an applied and a contextual standpoint.

"The Nuclear Security Summit in 2014 was a huge challenge for our city. Because of its diplomatic intensity, we knew there were chances of being targeted by sophisticated cyber adversaries. That's why we needed the best experts in cyber security. For us it was self-evident to work with Fox-IT, our partner within The Hague Security Delta. The result? A successful and safe summit, thanks also to Fox-IT's hard work in the background." Jan Willem Duijzer, CIO of The Municipality of The Hague
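The adaptive defense module (section 5 above) rests on one rule: nothing legitimate ever talks to a decoy, so any unsimulated contact is an anomaly. Here is an added example in Python of that detection logic run over constructed connection log lines; it is not code from the brochure or from Fox-IT's product. The decoy addresses, the simulation/monitoring network 10.20.9.0/24 and the key=value log format are all assumptions made for the example. Traffic from the simulation sources and from the decoys themselves is the "simulated" activity and is ignored; everything else alerts on a single hit, and a source that touches more than one decoy is escalated because that pattern looks like enumeration or lateral movement.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed decoy inventory; addresses and roles are hypothetical.
DECOYS = {
    "10.20.0.50": "decoy-fileserver",
    "10.20.0.51": "decoy-domain-controller",
    "10.20.0.52": "decoy-workstation",
}

# Sources whose traffic to the decoys is simulated or expected: the module's own
# traffic generators and monitoring (hypothetical 10.20.9.0/24) and the decoys
# themselves talking to each other. Everything else counts as unsimulated.
SIMULATED_SOURCES = [ip_network("10.20.9.0/24")] + [ip_network(a) for a in DECOYS]

# Constructed connection log in a simple key=value form (not a real product format).
SAMPLE_LOG = """\
2015-04-15T09:00:01Z conn src=10.20.9.4 dst=10.20.0.50 dport=445 proto=tcp
2015-04-15T09:00:02Z conn src=10.20.0.51 dst=10.20.0.50 dport=445 proto=tcp
2015-04-15T09:13:40Z conn src=10.0.0.17 dst=10.20.0.50 dport=445 proto=tcp
2015-04-15T09:13:41Z conn src=10.0.0.17 dst=10.20.0.51 dport=389 proto=tcp
2015-04-15T09:13:41Z conn src=10.0.0.17 dst=10.20.0.51 dport=88 proto=tcp
2015-04-15T09:14:02Z conn src=10.0.0.17 dst=10.0.0.25 dport=445 proto=tcp
2015-04-15T09:20:00Z conn src=10.0.0.31 dst=10.20.0.52 dport=3389 proto=tcp
this line is malformed and must be skipped rather than crash the detector
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) conn src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_line(line):
    """Return the fields of one log line, or None for lines that do not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def is_simulated(src):
    return any(ip_address(src) in net for net in SIMULATED_SOURCES)


def detect(log_text):
    """One alert per unsimulated connection to a decoy. There is no allow-list
    beyond the simulation sources and no threshold: a single hit is a lead."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        decoy = DECOYS.get(ev["dst"])
        if decoy is None or is_simulated(ev["src"]):
            continue
        alerts.append({"ts": ev["ts"], "src": ev["src"], "decoy": decoy,
                       "dst": ev["dst"], "dport": ev["dport"], "proto": ev["proto"]})
    return alerts


def summarize(alerts):
    """Pivot alerts by source. A source that touches more than one decoy is
    enumerating or moving laterally and is escalated to critical."""
    per_src = {}
    for a in alerts:
        entry = per_src.setdefault(
            a["src"], {"decoys": set(), "ports": set(), "first_seen": a["ts"]})
        entry["decoys"].add(a["decoy"])
        entry["ports"].add(a["dport"])
    summary = {}
    for src, entry in per_src.items():
        summary[src] = {
            "decoys": sorted(entry["decoys"]),
            "ports": sorted(entry["ports"]),
            "first_seen": entry["first_seen"],
            "severity": "critical" if len(entry["decoys"]) > 1 else "high",
        }
    return summary


if __name__ == "__main__":
    for src, info in summarize(detect(SAMPLE_LOG)).items():
        print(src, info)
```

In practice the summary per source is what gets handed to triage: the source host, the first time it touched a decoy, which decoys and which ports, which is enough to pivot into the network module's retained data and the endpoint module on that host.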
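The log module (section 6 above) hands events to a SIEM as CEF records. As an added example, not Fox-IT's code and not taken from the brochure, the Python below serializes an event to CEF and parses one back, applying the escaping rules that matter when a SIEM ingests the line: backslash and pipe in the seven header fields; backslash, equals sign and line breaks in extension values. The vendor and product strings, the event class, extension keys such as cs1Label and the sample event are constructed for the example. The extension parser assumes keys always follow a space, so a free-text value containing a word immediately followed by "=" would be mis-split; that ambiguity is inherent to the format, not to this code.

```python
import re

CEF_VERSION = "0"


def _escape_header(field):
    # Header fields: backslash and pipe are the characters that must be escaped.
    return str(field).replace("\\", "\\\\").replace("|", "\\|")


def _escape_extension(value):
    # Extension values: backslash, equals sign and line breaks must be escaped;
    # pipes and spaces are allowed as-is.
    return (str(value).replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def to_cef(vendor, product, version, event_class_id, name, severity, extension):
    """Serialize one event as CEF:0|Vendor|Product|Version|ClassID|Name|Severity|k=v ..."""
    header = "|".join(_escape_header(f) for f in
                      (vendor, product, version, event_class_id, name, severity))
    ext = " ".join(f"{k}={_escape_extension(v)}" for k, v in extension.items())
    return f"CEF:{CEF_VERSION}|{header}|{ext}"


def _unescape(text):
    out, i = [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            out.append({"n": "\n", "r": "\r"}.get(text[i + 1], text[i + 1]))
            i += 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _split_header(text, count):
    """Split on the first `count` unescaped pipes; the remainder is returned raw."""
    parts, start, i = [], 0, 0
    while i < len(text) and len(parts) < count:
        if text[i] == "\\":
            i += 2          # skip the escaped character, whatever it is
            continue
        if text[i] == "|":
            parts.append(text[start:i])
            start = i + 1
        i += 1
    parts.append(text[start:])
    return parts


# A key starts the extension or follows whitespace; an escaped "\=" never forms a key.
_KEY_RE = re.compile(r"(?:^|(?<=\s))([A-Za-z0-9_.]+)=")


def parse_cef(line):
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF record")
    parts = _split_header(line[len("CEF:"):], 7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    version, vendor, product, dev_version, class_id, name, severity, raw_ext = parts
    extension = {}
    keys = list(_KEY_RE.finditer(raw_ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(raw_ext)
        # A value runs up to the next key; the single separating space is dropped.
        extension[m.group(1)] = _unescape(raw_ext[m.end():end].rstrip(" "))
    return {
        "version": version,
        "vendor": _unescape(vendor),
        "product": _unescape(product),
        "device_version": _unescape(dev_version),
        "event_class_id": _unescape(class_id),
        "name": _unescape(name),
        "severity": _unescape(severity),
        "extension": extension,
    }


if __name__ == "__main__":
    record = to_cef("ExampleVendor", "ExampleProduct", "1.0", "decoy-contact",
                    "Decoy contact | LDAP", 8,
                    {"src": "10.0.0.17", "dst": "10.20.0.51", "dpt": 389,
                     "msg": "C:\\tools\\x.exe|flag=1\nsecond line", "cs1Label": "actor"})
    print(record)
    print(parse_cef(record))
```

The round trip is the check worth keeping in a build: an event name containing a pipe, a path with backslashes, an equals sign and a newline in the message must survive serialization and come back byte-identical, otherwise the SIEM's correlation rules are matching on something other than what the platform sent.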
Ten key benefits

Our clients have worked with us to develop the Cyber Threat Management platform. They have had a wide array of reasons for challenging us to develop a solution platform that offers:

1. Intelligence on adversaries in such a way that tactics can be developed to protect their business interests from them.
2. Enhanced communications between the security teams, Security Operations Center (SOC), management and board members.
3. One integrated platform that brings network, cloud and endpoint security into a common architecture, with complete visibility and control, ensuring that analysts can prevent, detect and respond to advanced cyber attacks.
4. An operational environment that streamlines the day-to-day security operations and boosts security effectiveness, through a multi-layered defense model that prevents or detects threats at each stage of the attack.
5. An environment that gives security analysts visibility on all attack stages in a unified way, enabling a seamless threat analytics workflow to confidently investigate both known and unknown threats before they impact the business.
6. Reduction of the security alerts that overwhelm most security teams, by providing threat intelligence-based context and prioritization to alerts, as well as improved tactical response by merging intelligence context with security events.
7. A change from a reactive security model to a proactive model based on risk management, driving better, more informed responses to security incidents.
8. A hybrid service delivery model that enables them to start with a fully managed offering and to granularly take operations in-house as their overall Cyber Threat Management capabilities improve.
9. Intelligence applied to security events to gain an understanding of adversarial motives and intents, and to prioritize policies and security investments around them.
10. Insight into threat intelligence coverage for greater transparency about the applied intelligence used in the platform and against what threats it provides coverage.

If you are interested in our Cyber Threat Management solutions, please contact:
For clients: Marcel van Oirschot, Sales Director, [email protected]
For partnerships: Jurjen Harskamp, Chief Strategy Officer, [email protected]
Fox-IT

Fox-IT was founded in 1999 as a consultancy firm for forensic expertise (the name was derived from Forensic Experts). Within the first few years of operations, Fox-IT was asked by a large telecommunications operator to deliver a service based on network monitoring. This led to the first Cyber Security Operations Center in the Netherlands and one of an initial handful in Europe. From these beginnings, Fox-IT has developed into Europe's largest specialized cyber security company. Fox-IT operates in three business areas:

1. Cyber Threat Management: a solution portfolio aimed at reducing the risks of cyber threats, including professional services, managed security services and technology.
2. Web/Mobile event analytics: a solution portfolio aimed at reducing financial risks in (online) payment transactions.
3. High Assurance: solutions that make trusted communication possible up to the highest classification levels.

Fox-IT has been involved in many high-profile incident response cases. Most of the high-profile cases we worked on are secret, but DigiNotar and KPN are public examples. Fox-IT continuously uses the experience from its professional services to improve its managed security services and underlying technology platform, to enhance prevention, detection and response to known and unknown cyber threats.

Fox-IT, Olof Palmestraat 6, Delft; PO Box 638, 2600 AP Delft, The Netherlands. t +31 (0) f +31 (0) e [email protected]
Beyond the Hype: Advanced Persistent Threats
Advanced Persistent Threats and Real-Time Threat Management The Essentials Series Beyond the Hype: Advanced Persistent Threats sponsored by Dan Sullivan Introduction to Realtime Publishers by Don Jones,
Advanced Threat Protection with Dell SecureWorks Security Services
Advanced Threat Protection with Dell SecureWorks Security Services Table of Contents Summary... 2 What are Advanced Threats?... 3 How do advanced threat actors operate?... 3 Addressing the Threat... 5
IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE
IMPLEMENTING A SECURITY ANALYTICS ARCHITECTURE Solution Brief SUMMARY New security threats demand a new approach to security management. Security teams need a security analytics architecture that can handle
PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management
PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management INTRODUCTION Traditional perimeter defense solutions fail against sophisticated adversaries who target their
Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council
Rethinking Information Security for Advanced Threats CEB Information Risk Leadership Council Advanced threats differ from conventional security threats along many dimensions, making them much more difficult
Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model
Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model Stéphane Hurtaud Partner Governance Risk & Compliance Deloitte Laurent De La Vaissière Director Governance Risk & Compliance
CyberArk Privileged Threat Analytics. Solution Brief
CyberArk Privileged Threat Analytics Solution Brief Table of Contents The New Security Battleground: Inside Your Network...3 Privileged Account Security...3 CyberArk Privileged Threat Analytics : Detect
IBM Security re-defines enterprise endpoint protection against advanced malware
IBM Security re-defines enterprise endpoint protection against advanced malware Break the cyber attack chain to stop advanced persistent threats and targeted attacks Highlights IBM Security Trusteer Apex
Requirements When Considering a Next- Generation Firewall
White Paper Requirements When Considering a Next- Generation Firewall What You Will Learn The checklist provided in this document details six must-have capabilities to look for when evaluating a nextgeneration
GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"
GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA" A Roadmap for "Big Data" in Security Analytics ESSENTIALS This paper examines: Escalating complexity of the security management environment, from threats
The Benefits of an Integrated Approach to Security in the Cloud
The Benefits of an Integrated Approach to Security in the Cloud Judith Hurwitz President and CEO Marcia Kaufman COO and Principal Analyst Daniel Kirsch Senior Analyst Sponsored by IBM Introduction The
THE EVOLUTION OF SIEM
THE EVOLUTION OF SIEM WHY IT IS CRITICAL TO MOVE BEYOND LOGS Despite increasing investments in security, breaches are still occurring at an alarming rate. 43% Traditional SIEMs have not evolved to meet
Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape
WHITE PAPER: SYMANTEC GLOBAL INTELLIGENCE NETWORK 2.0.... ARCHITECTURE.................................... Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Who
Business Case Outsourcing Information Security: The Benefits of a Managed Security Service
Business Case Outsourcing Information Security: The Benefits of a Managed Security Service seccuris.com (866) 644-8442 Contents Introduction... 3 Full- Time Experts vs. a Part- Time In- House Staff...
Preemptive security solutions for healthcare
Helping to secure critical healthcare infrastructure from internal and external IT threats, ensuring business continuity and supporting compliance requirements. Preemptive security solutions for healthcare
BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT
BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT Rashmi Knowles RSA, The Security Division of EMC Session ID: Session Classification: SPO-W07 Intermediate APT1 maintained access to
RETHINKING CYBER SECURITY
RETHINKING CYBER SECURITY Introduction Advanced Persistent Threats (APTs) and advanced malware have been plaguing IT professionals for over a decade. During that time, the traditional cyber security vendor
FIVE PRACTICAL STEPS
WHITEPAPER FIVE PRACTICAL STEPS To Protecting Your Organization Against Breach How Security Intelligence & Reducing Information Risk Play Strategic Roles in Driving Your Business CEOs, CIOs, CTOs, AND
Changing the Enterprise Security Landscape
Changing the Enterprise Security Landscape Petr Hněvkovský Presales Consultant, ArcSight EMEA HP Enterprise Security Products 2012 Hewlett-Packard Development Company, L.P. The information contained herein
Internet Safety and Security: Strategies for Building an Internet Safety Wall
Internet Safety and Security: Strategies for Building an Internet Safety Wall Sylvanus A. EHIKIOYA, PhD Director, New Media & Information Security Nigerian Communications Commission Abuja, NIGERIA Internet
Content Security: Protect Your Network with Five Must-Haves
White Paper Content Security: Protect Your Network with Five Must-Haves What You Will Learn The continually evolving threat landscape is what makes the discovery of threats more relevant than defense as
Vulnerability Management
Vulnerability Management Buyer s Guide Buyer s Guide 01 Introduction 02 Key Components 03 Other Considerations About Rapid7 01 INTRODUCTION Exploiting weaknesses in browsers, operating systems and other
Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst
ESG Brief Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst Abstract: APTs first came on the scene in 2010, creating a wave
RSA envision. Platform. Real-time Actionable Security Information, Streamlined Incident Handling, Effective Security Measures. RSA Solution Brief
RSA Solution Brief RSA envision Platform Real-time Actionable Information, Streamlined Incident Handling, Effective Measures RSA Solution Brief The job of Operations, whether a large organization with
McAfee Network Security Platform
McAfee Network Security Platform Next Generation Network Security Youssef AGHARMINE, Network Security, McAfee Network is THE Security Battleground Who is behind the data breaches? 81% some form of hacking
with Managing RSA the Lifecycle of Key Manager RSA Streamlining Security Operations Data Loss Prevention Solutions RSA Solution Brief
RSA Solution Brief Streamlining Security Operations with Managing RSA the Lifecycle of Data Loss Prevention and Encryption RSA envision Keys with Solutions RSA Key Manager RSA Solution Brief 1 Who is asking
Privilege Gone Wild: The State of Privileged Account Management in 2015
Privilege Gone Wild: The State of Privileged Account Management in 2015 March 2015 1 Table of Contents... 4 Survey Results... 5 1. Risk is Recognized, and Control is Viewed as a Cross-Functional Need...
The session is about to commence. Please switch your phone to silent!
The session is about to commence. Please switch your phone to silent! 1 Defend with Confidence Against Advanced Threats Nicholas Chia SE Manager, SEA RSA 2 TRUST? Years to earn, seconds to break 3 Market
Payment Card Industry Data Security Standard
Symantec Managed Security Services support for IT compliance Solution Overview: Symantec Managed Services Overviewview The (PCI DSS) was developed to facilitate the broad adoption of consistent data security
CYBER SECURITY, A GROWING CIO PRIORITY
www.wipro.com CYBER SECURITY, A GROWING CIO PRIORITY Bivin John Verghese, Practitioner - Managed Security Services, Wipro Ltd. Contents 03 ------------------------------------- Abstract 03 -------------------------------------
Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products
Threat Intelligence: The More You Know the Less Damage They Can Do Charles Kolodgy Research VP, Security Products IDC Visit us at IDC.com and follow us on Twitter: @IDC 2 Agenda Evolving Threat Environment
Introducing IBM s Advanced Threat Protection Platform
Introducing IBM s Advanced Threat Protection Platform Introducing IBM s Extensible Approach to Threat Prevention Paul Kaspian Senior Product Marketing Manager IBM Security Systems 1 IBM NDA 2012 Only IBM
SECURITY. Risk & Compliance Services
SECURITY Risk & Compliance s V1 8/2010 Risk & Compliances s Risk & compliance services Summary Summary Trace3 offers a full and complete line of security assessment services designed to help you minimize
IBM QRadar Security Intelligence April 2013
IBM QRadar Security Intelligence April 2013 1 2012 IBM Corporation Today s Challenges 2 Organizations Need an Intelligent View into Their Security Posture 3 What is Security Intelligence? Security Intelligence
Addressing the Full Attack Continuum: Before, During, and After an Attack. It s Time for a New Security Model
White Paper Addressing the Full Attack Continuum: Before, During, and After an Attack It s Time for a New Security Model Today s threat landscape is nothing like that of just 10 years ago. Simple attacks
SOLUTION BRIEF. Next Generation APT Defense for Healthcare
SOLUTION BRIEF Next Generation APT Defense for Healthcare Overview Next Generation APT Defense for Healthcare Healthcare records with patients personally identifiable information (PII) combined with their
Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform
Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Solution Brief Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform Finding
Why a Network-based Security Solution is Better than Using Point Solutions Architectures
Why a Network-based Security Solution is Better than Using Point Solutions Architectures In This Paper Many threats today rely on newly discovered vulnerabilities or exploits CPE-based solutions alone
PENETRATION TESTING GUIDE. www.tbgsecurity.com 1
PENETRATION TESTING GUIDE www.tbgsecurity.com 1 Table of Contents What is a... 3 What is the difference between Ethical Hacking and other types of hackers and testing I ve heard about?... 3 How does a
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness
Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness Wayne A. Wheeler The Aerospace Corporation GSAW 2015, Los Angeles, CA, March 2015 Agenda Emerging cyber
Combatting the Biggest Cyber Threats to the Financial Services Industry. A White Paper Presented by: Lockheed Martin Corporation
Combatting the Biggest Cyber Threats to the Financial Services Industry A White Paper Presented by: Lockheed Martin Corporation Combatting the Biggest Cyber Threats to the Financial Services Industry Combatting
Experience the commitment WHITE PAPER. Information Security Continuous Monitoring. Charting the Right Course. cgi.com 2014 CGI GROUP INC.
Experience the commitment WHITE PAPER Information Security Continuous Monitoring Charting the Right Course May 2014 cgi.com 2014 CGI GROUP INC. During the last few months of 2013, six federal agencies
Effective Threat Management. Building a complete lifecycle to manage enterprise threats.
Effective Threat Management Building a complete lifecycle to manage enterprise threats. Threat Management Lifecycle Assimilation of Operational Security Disciplines into an Interdependent System of Proactive
Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA
Advanced Visibility Moving Beyond a Log Centric View Matthew Gardiner, RSA & Richard Nichols, RSA 1 Security is getting measurability worse Percent of breaches where time to compromise (red)/time to Discovery
Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015
Cyber Threats Insights from history and current operations Prepared by Cognitio May 5, 2015 About Cognitio Cognitio is a strategic consulting and engineering firm led by a team of former senior technology
Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst
ESG Solution Showcase Data- centric Security: A New Information Security Perimeter Date: March 2015 Author: Jon Oltsik, Senior Principal Analyst Abstract: Information security practices are in the midst
A HELPING HAND TO PROTECT YOUR REPUTATION
OVERVIEW SECURITY SOLUTIONS A HELPING HAND TO PROTECT YOUR REPUTATION CONTENTS INFORMATION SECURITY MATTERS 01 TAKE NOTE! 02 LAYERS OF PROTECTION 04 ON GUARD WITH OPTUS 05 THREE STEPS TO SECURITY PROTECTION
2011 Cyber Security and the Advanced Persistent Threat A Holistic View
2011 Cyber and the Advanced Persistent Threat A Holistic View Thomas Varney Cybersecurity & Privacy BM Global Business Services 1 31/10/11 Agenda The Threat We Face A View to Addressing the Four Big Problem
Extreme Networks Security Analytics G2 Vulnerability Manager
DATA SHEET Extreme Networks Security Analytics G2 Vulnerability Manager Improve security and compliance by prioritizing security gaps for resolution HIGHLIGHTS Help prevent security breaches by discovering
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND LOG MANAGER
DEFENSE THROUGHOUT THE VULNERABILITY LIFE CYCLE WITH ALERT LOGIC THREAT AND Introduction > New security threats are emerging all the time, from new forms of malware and web application exploits that target
The SIEM Evaluator s Guide
Using SIEM for Compliance, Threat Management, & Incident Response Security information and event management (SIEM) tools are designed to collect, store, analyze, and report on log data for threat detection,
Boosting enterprise security with integrated log management
IBM Software Thought Leadership White Paper May 2013 Boosting enterprise security with integrated log management Reduce security risks and improve compliance across diverse IT environments 2 Boosting enterprise
Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection
White Paper: Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection Prepared by: Northrop Grumman Corporation Information Systems Sector Cyber Solutions Division
Cybersecurity The role of Internal Audit
Cybersecurity The role of Internal Audit Cyber risk High on the agenda Audit committees and board members are seeing cybersecurity as a top risk, underscored by recent headlines and increased government
2012 North American Managed Security Service Providers Growth Leadership Award
2011 South African Data Centre Green Excellence Award in Technology Innovation Cybernest 2012 2012 North American Managed Security Service Providers Growth Leadership Award 2011 Frost & Sullivan 1 We Accelerate
The Future of the Advanced SOC
The Future of the Advanced SOC Developing a platform for more effective security management and compliance Steven Van Ormer RSA Technical Security Consultant 1 Agenda Today s Security Landscape and Why
Breaking the Cyber Attack Lifecycle
Breaking the Cyber Attack Lifecycle Palo Alto Networks: Reinventing Enterprise Operations and Defense March 2015 Palo Alto Networks 4301 Great America Parkway Santa Clara, CA 95054 www.paloaltonetworks.com
An New Approach to Security. Chris Ellis McAfee Senior System Engineer [email protected]
An New Approach to Security Chris Ellis McAfee Senior System Engineer [email protected] Advanced Targeted Attack Challenges Criminal Theft Sabotage Espionage After the Fact Expensive Public Uncertainty
Big Data and Security: At the Edge of Prediction
Big Data and Security: At the Edge of Prediction Mark Seward Splunk Inc. Fred Wilmot Splunk Inc. Session ID: Session Classification: SPO2-T17 Intermediate The Way Cyber Adversaries Think Where is the most
IT Security Strategy and Priorities. Stefan Lager CTO Services [email protected]
IT Security Strategy and Priorities Stefan Lager CTO Services [email protected] Cyberthreat update Why would anyone want to hack me? I am not a bank! Security Incidents with Confirmed Data Loss Source:
WHITE PAPER SPLUNK SOFTWARE AS A SIEM
SPLUNK SOFTWARE AS A SIEM Improve your security posture by using Splunk as your SIEM HIGHLIGHTS Splunk software can be used to operate security operations centers (SOC) of any size (large, med, small)
Advanced SOC Design. Next Generation Security Operations. Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA
Advanced SOC Design Next Generation Security Operations Shane Harsch Senior Solutions Principal, MBA GCED CISSP RSA 1 ! Why/How security investments need to shift! Key functions of a Security Operations
defending against advanced persistent threats: strategies for a new era of attacks agility made possible
defending against advanced persistent threats: strategies for a new era of attacks agility made possible security threats as we know them are changing The traditional dangers IT security teams have been
Defending Against Cyber Attacks with SessionLevel Network Security
Defending Against Cyber Attacks with SessionLevel Network Security May 2010 PAGE 1 PAGE 1 Executive Summary Threat actors are determinedly focused on the theft / exfiltration of protected or sensitive
BT Assure Threat Intelligence
BT Assure Threat Intelligence Providing you with the intelligence to help keep your organisation safe BT Assure. Security that matters At all times, organisations are vulnerable to all kinds of cyber attacks
ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst
ESG Lab Spotlight ProtectWise: Shifting Network Security to the Cloud Date: March 2015 Author: Tony Palmer, Senior Lab Analyst and Aviv Kaufmann, Lab Analyst Abstract: This ESG Lab Spotlight examines the
The Cyber Threat Profiler
Whitepaper The Cyber Threat Profiler Good Intelligence is essential to efficient system protection INTRODUCTION As the world becomes more dependent on cyber connectivity, the volume of cyber attacks are
Protecting against cyber threats and security breaches
Protecting against cyber threats and security breaches IBM APT Survival Kit Alberto Benavente Martínez [email protected] IBM Security Services Jun 11, 2015 (Madrid, Spain) 12015 IBM Corporation So
Cyber threat intelligence and the lessons from law enforcement. kpmg.com/cybersecurity
Cyber threat intelligence and the lessons from law enforcement kpmg.com/cybersecurity Introduction Cyber security breaches are rarely out of the media s eye. As adversary sophistication increases, many
Security Analytics for Smart Grid
Security Analytics for Smart Grid Dr. Robert W. Griffin Chief Security Architect RSA, the Security Division of EMC [email protected] blogs.rsa.com/author/griffin @RobtWesGriffin 1 No Shortage of Hard
WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION
WHITE PAPER AUTOMATED, REAL-TIME RISK ANALYSIS AND REMEDIATION Table of Contents Executive Summary...3 Vulnerability Scanners Alone Are Not Enough...3 Real-Time Change Configuration Notification is the
IBM Security Intelligence Strategy
IBM Security Intelligence Strategy Delivering Insight with Agility October 17, 2014 Victor Margina Security Solutions Accent Electronic 12013 IBM Corporation We are in an era of continuous breaches Operational
REVOLUTIONIZING ADVANCED THREAT PROTECTION
REVOLUTIONIZING ADVANCED THREAT PROTECTION A NEW, MODERN APPROACH Blue Coat Advanced Threat Protection Group GRANT ASPLUND Senior Technology Evangelist 1 WHY DO I STAND ON MY DESK? "...I stand upon my
A Primer on Cyber Threat Intelligence
A Primer on Cyber Threat Intelligence AS ADVERTISED 2 BUZZWORD BINGO! 3 TODAY S CYBER SECURITY CHALLENGES CISOs finding it difficult to define security ROI to executives Short shelf life for CISOs Vastly
