Digital Evidence and Threat Intelligence
09 November 2015
Mark Clancy, CEO, www.soltra.com, @soltraedge
External Threats Growing
- 117,339 incoming attacks every day
- "The total number of security incidents detected by respondents climbed to 42.8 million this year, an increase of 48% over 2013." Findings from The Global State of Information Security Survey 2015
Graphic Source: PwC
Evolution of Cyber Attacks: Cyber Threats on the Private Sector
Timeline (1988, 2001, 2004, 2010):
- Fun (1988): technically curious individuals; academic nature of threat
- Fame (2001): technically adept groups leaving their mark on public websites; script kiddies
- Fortune (2004): cyber criminals and organized gangs stealing money, running data ransom schemes and taking competitive information; commodity threats
- Force (2010): nation states and non-nation-state groups launching targeted attacks for strategic purposes; Advanced Persistent Threats (APT), first targeting government entities, then targeting the private sector
The Need for Speed: Attackers Act 150x Faster Than Victims Respond
- Minutes vs. weeks/months
- Attackers have honed their skills to come at you rapidly
- Defenders take a long time to feel the impact of an attack

Share of incidents by elapsed time:

Phase                                                       Seconds  Minutes  Hours  Days  Weeks  Months
Initial attack to initial compromise (shorter is worse)         10%      75%    12%    2%     0%      1%
Initial compromise to data exfiltration (shorter is worse)       8%      38%    14%   25%     8%      8%
Initial compromise to discovery (longer is worse)                0%       0%     2%   13%    29%     54%
The problem
- The majority of victims are not able to determine themselves that a compromise has occurred
- Attackers are able to operate in victims' networks for long periods of time, uncontested
Source: Mandiant/FireEye, M-Trends 2015: https://www2.fireeye.com/rs/fireye/images/rpt-m-trends-2015.pdf
Who are the adversaries?
- Criminals
  o Motivation: money, money, and more money
  o Large number of groups; skills from basic to advanced; present in virtually every country
  o Cost to operate: up to $$$
- Hacktivists
  o Motivation: protest, revenge
  o Large number of groups; groups tend to have basic skills, with a few "standout" individuals with advanced technical and motivational skills
  o Cost to operate: up to $-$$
- Espionage
  o Motivation: acquiring secrets for national security or economic benefit
  o Small but growing number of countries with capability; larger array of supported or tolerated groups
  o Cost to operate: up to $$$$+
- War
  o Motivation: to destroy, degrade, or deny capabilities of an adversary; "politics by other means"
  o Small but growing number of countries with capability; non-state actors may utilize war-like approaches
  o Cost to operate: up to $$$$$?, but a lot less expensive than a nuclear weapon
Key: $ = under thousands; $$ = tens to hundreds of thousands; $$$ = millions; $$$$ = tens to hundreds of millions; $$$$$ = billions
What is Digital Evidence?
Information recorded by your systems about the actions of attackers:
- Log entries from IT systems: network devices, firewalls, proxy servers, host system logs
- Emails / communications containing threats
- Forensic evidence
- Malware or attack tools
- Network addresses / URLs
- Records of losses
What is cyber threat intelligence?
Information about cyber threats:
- Bad people, things, or events
- Plans to attack victims
- Tactics used by bad people
- Actions to deal with bad events
- Weaknesses targeted by bad people
Cyber threat constructs
- Atomic: What threat activity are we seeing?
- Tactical: What threats should I look for on my networks and systems, and why?
- Operational: Where has this threat been seen? What can I do about it? What weaknesses does this threat exploit?
- Strategic: Who is responsible for this threat? Why do they do this? What do they do?
Attacker's workflow
Attackers, or threat actors, have motivation, capability and intent. Examples of motivation:
- We are mad at the US for applying sanctions on our economy
- I want money to sustain my lifestyle
- We need to expose the government's wrongdoing
- We need to win the drilling rights contract
- I'm bored stealing money from ATMs; I want a better score
- We need to teach the 1 percent a lesson
Attacker's workflow
Many threat actors have the same motivation but different intentions.
Motivation: I want money to sustain my lifestyle
- Intention: I can rob an online bank
- Intention: I can manipulate the prices of penny stocks
- Intention: I can encrypt data on a workstation and demand a ransom to unlock it
Capabilities drawn on: network scanner, bullet-proof hosting, a rented copy of the Zeus Trojan, a botnet
How Attackers Engage a Target
Attackers have a development lifecycle they need to follow to conduct their business (motivation, capability and intent):
1. I should target an ATM card processor
2. I should socially engineer somebody at the processor
3. I bet they have people who travel, so let me send fake airline notices to every email address I can find
4. Joe in accounting clicked on the fake airline notice
5. When the link is clicked, the malware gets installed from the botnet
6. I need to get from the office computer network to the transaction network
How defenders respond to incidents
When an incident occurs, the defender assesses damages and looks for the cause:
- $5MM walks out the door, so an investigation starts
- Malware is found on a point-of-sale device
- Network communications to www.evil2015.com are seen; encrypted data is flowing to www.evil2015.com
- Block access to www.evil2015.com: push a rule to the proxy server to categorize www.evil2015.com as bad and block it
Mitigation and Prosecution
- There is some tension between the objectives of law enforcement and the victims of cyber crime: law enforcement wants to arrest and prosecute offenders; victims want to stop the threat and resume their business function.
- Putting bad guys in jail helps stop threats, but well after the fact.
- The objectives are not incompatible, but prioritization is needed, since emphasis on one can reduce the effectiveness of the other.
- Often, if not always, cyber crime is trans-border, and a single incident may involve many jurisdictions.
- A number of law enforcement agencies have started a dual focus, assisting firms with mitigation while pursuing perpetrators:
  o Working with ISPs to take infrastructure offline and preserve records for evidence
  o Staffing law enforcement agents in other countries to work together on cases
  o Sharing information about attack methods to prevent criminals from re-using attacks
Digital Evidence checklist
- Network inventory
  o Victims should provide as much information as possible regarding the inventory of computer systems and network components (i.e., workstations, servers, routers, switches, etc.).
- Software inventory
  o Victims should provide as much information as possible regarding the inventory of software applications used in the organization (i.e., operating systems, application versions, proprietary applications).
- Up-to-date network topology maps
  o Network topology maps should provide a current, functional understanding of the organization's network.
- Network- and host-based incident logs
  o These logs include, but are not limited to, web, proxy, IDS, VPN, DNS, database, remote access, and firewall logs.
Digital Evidence checklist, continued
- Forensic images of compromised hosts
  o If possible and your organization has the capability, obtain forensic images of identified compromised hosts. It is also recommended that your organization maintain a log of activity for reference.
- List of external and internal IP addresses
  o This list should include DNS, web servers, proxies and workstations.
- Physical access logs
  o These logs typically include video logs from security cameras, entry/exit access logs, keycard logs, and two-factor authentication logs.
- Legal banner and computer use agreement
  o These legal items are essential to assure that the data can legally be passed to law enforcement.
- Domain infrastructure, group policy hierarchy, and access control details
  o These items can typically be provided by network/system administrators.
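The checklist asks for forensic images plus a log of activity around them. An image that will be handed to law enforcement is only useful if you can show it has not changed since acquisition and who handled it in between, so the two belong together. The following is an added example (not from the deck or from Soltra) of the minimum a practitioner would keep: a streamed SHA-256 of the image and a JSON-lines custody log in which each entry is chained to the digest of the previous entry, so a removed or edited entry is detectable. File names, handler names and the 4 KiB stand-in "image" are constructed for the demo.

```python
"""Hash a forensic image and keep a tamper-evident chain-of-custody log.

Added example for this deck, not the author's code. Assumes the image is an
ordinary file and the custody log is a JSON-lines file beside it; names are
illustrative."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous entry" digest used for the first log entry


def sha256_file(path, chunk=1 << 20):
    """Stream the file so images larger than RAM still hash correctly."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def record_custody(image_path, log_path, handler, action, note=""):
    """Append one custody event. Each entry carries the SHA-256 of the
    previous log line, so deleting or reordering entries breaks the chain."""
    prev = GENESIS
    if os.path.exists(log_path):
        with open(log_path) as f:
            lines = f.read().splitlines()
        if lines:
            prev = hashlib.sha256(lines[-1].encode()).hexdigest()
    entry = {
        "time": datetime.now(timezone.utc).isoformat(),
        "image": os.path.basename(image_path),
        "size": os.path.getsize(image_path),
        "sha256": sha256_file(image_path),
        "handler": handler,
        "action": action,
        "note": note,
        "prev": prev,
    }
    with open(log_path, "a") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_custody(image_path, log_path):
    """Check that the log chain is intact and that the image still matches
    the digest recorded at acquisition. Returns (ok, reason)."""
    with open(log_path) as f:
        lines = f.read().splitlines()
    if not lines:
        return False, "empty log"
    prev = GENESIS
    for n, line in enumerate(lines, 1):
        if json.loads(line)["prev"] != prev:
            return False, "chain broken at entry %d" % n
        prev = hashlib.sha256(line.encode()).hexdigest()
    if sha256_file(image_path) != json.loads(lines[0])["sha256"]:
        return False, "image digest differs from acquisition record"
    return True, "ok"


def demo():
    """Run the functions on a constructed 4 KiB 'image' in a temp directory.
    Returns the verify results for: intact log, edited log, modified image."""
    d = tempfile.mkdtemp()
    img = os.path.join(d, "host01.dd")
    log = os.path.join(d, "custody.jsonl")
    with open(img, "wb") as f:
        f.write(b"\x00" * 4096)  # constructed stand-in for a disk image
    record_custody(img, log, "j.doe", "acquired", "dd from write-blocked disk")
    record_custody(img, log, "j.doe", "copy handed to law enforcement")
    record_custody(img, log, "a.roe", "analysis started")
    intact = verify_custody(img, log)
    # Drop the middle entry: the remaining entries no longer link up.
    with open(log) as f:
        lines = f.read().splitlines()
    edited_log = os.path.join(d, "custody_edited.jsonl")
    with open(edited_log, "w") as f:
        f.write(lines[0] + "\n" + lines[2] + "\n")
    chain_broken = verify_custody(img, edited_log)
    # Append a byte to the image: the acquisition digest no longer matches.
    with open(img, "ab") as f:
        f.write(b"x")
    image_changed = verify_custody(img, log)
    return intact, chain_broken, image_changed


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The chain only proves internal consistency of the log; to make it evidence-grade, the digest of the latest entry should also be written somewhere the handler cannot edit (a signed email to counsel, a ticket system, a notary service), which is exactly the "log of activity for reference" the checklist calls for.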
Using cyber threat intelligence today
All these sources, all this data: how do you process it efficiently?
Source: Forrester Research
Evolution of Cyber Security Defense
Yesterday's security
- Network awareness: protect the perimeter and patch the holes to keep out threats; share knowledge internally.
- Increasing cyber risks: malicious actors have become much more sophisticated and money driven. Losses to US companies are now in the tens of millions, worldwide hundreds of millions. Cyber risk is ranked the #3 overall corporate risk on Lloyd's 2013 Risk Index.
Present-day problem
- Intelligence sharing: identify and track threats, incorporate knowledge, and share what you know manually with trusted others.
- Manual sharing is ineffective: time consuming and ineffective at raising the costs to the attackers. Not all cyber intelligence is processed, probably less than 2% overall, which leaves high risk. There is no way to enforce a cyber intelligence sharing policy, which leads to non-compliance.
Future solution
- Situational awareness: automate sharing, develop a clearer picture from all observers' input, and pro-actively mitigate.
- Crowd sourcing to solve the problem: security standards are maturing; ISACs have become the trusted model for sharing industry threat intelligence; automation is revolutionizing the sharing and use of threat intelligence.
STIX Architecture: The Power of Structured Intelligence
- STIX: Structured Threat Information eXpression
- Key to effective strategic cyber intelligence analysis and threat tracking
- Ability to pivot, view, analyze, and enrich complex relationships
Graphic Source: MITRE
How do defenders thwart attacks?
Defenders look for signs of potential attacks on their networks before the attacker causes an incident:
- Sensors see activity to www.evil2015.com; encrypted data is flowing to www.evil2015.com
- Share this observation with our friends
- Receive more observables and indicators about related activity
- This leads to many more observables and indicators for the community
- Leads to discovery of previously unknown malware
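The loop on the last few slides (sensor sees traffic to www.evil2015.com, the observation is shared as structured intelligence, the community reports back where it fired, and the proxy is told to block the domain) is small enough to show end to end. The following is an added example, not code from the deck or from Soltra. It builds the indicator in STIX 2.1 JSON (the deck's 2015-era STIX 1.x was XML, but the indicator and sighting objects carry the same information), runs the indicator over a constructed proxy log, emits a STIX sighting for the community, and renders the block rule in Squid ACL syntax (the proxy product is an assumption). The log lines, the observer identity reference and the "gate.php" URL are constructed.

```python
"""Sensor observation -> shareable STIX indicator -> local proxy-log match
-> sighting reported back -> proxy block rule.

Added example for this deck, not the author's code. Uses the STIX 2.1 JSON
form; proxy log lines are constructed; the block rule assumes a Squid proxy."""
import json
import re
import uuid
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample proxy log (not from the deck). Field order:
# "<timestamp> <client ip> <method> <url> <status> <bytes sent by client>"
PROXY_LOG = """\
2015-11-09T09:12:01Z 10.1.4.22 GET http://itinerary.example/eticket.pdf 200 512
2015-11-09T09:12:07Z 10.1.4.22 POST https://www.evil2015.com/gate.php 200 734211
2015-11-09T09:13:40Z 10.1.4.57 GET http://intranet.example/home 200 2048
2015-11-09T09:14:11Z 10.1.4.90 GET http://www.evil2015.com.example/legit 200 300
2015-11-09T09:15:02Z 10.1.4.22 POST https://www.evil2015.com/gate.php 200 690110
"""

# Only the simplest STIX pattern shape is handled: one domain-name equality.
PATTERN_RE = re.compile(r"\[domain-name:value = '([^']+)'\]")


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def _pattern_domain(indicator):
    m = PATTERN_RE.fullmatch(indicator["pattern"])
    if m is None:
        raise ValueError("only [domain-name:value = '...'] patterns are handled")
    return m.group(1).lower()


def make_indicator(domain, description):
    """Tactical-level object: what to look for on the network, and why."""
    now = _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--" + str(uuid.uuid4()),
        "created": now,
        "modified": now,
        "name": "Suspected C2 domain " + domain,
        "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": "[domain-name:value = '%s']" % domain,
        "pattern_type": "stix",
        "valid_from": now,
    }


def match_proxy_log(indicator, log_text):
    """Return the proxy log entries whose URL host is the indicator's domain.
    The host comparison is exact (case-insensitive), so a lookalike such as
    www.evil2015.com.example does not match."""
    wanted = _pattern_domain(indicator)
    hits = []
    for line in log_text.splitlines():
        ts, client, _method, url, _status, sent = line.split()
        host = urlsplit(url).hostname
        if host and host.lower() == wanted:
            hits.append({"ts": ts, "client": client, "url": url, "bytes": int(sent)})
    return hits


def make_sighting(indicator, hits, observer_ref):
    """Report back how often and when the shared indicator fired locally.
    x_client_bytes is a custom (x_-prefixed) property: the volume sent to the
    domain is the 'encrypted data flowing out' signal from the deck."""
    if not hits:
        return None
    return {
        "type": "sighting",
        "spec_version": "2.1",
        "id": "sighting--" + str(uuid.uuid4()),
        "created": _now(),
        "modified": _now(),
        "sighting_of_ref": indicator["id"],
        "where_sighted_refs": [observer_ref],
        "count": len(hits),
        "first_seen": hits[0]["ts"],
        "last_seen": hits[-1]["ts"],
        "x_client_bytes": sum(h["bytes"] for h in hits),
    }


def bundle(*objects):
    """Wrap objects for exchange with trusted member organizations."""
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": list(objects)}


def squid_block_rule(indicator):
    """Mitigation pushed to the proxy (Squid ACL syntax, assumed)."""
    return "acl cti_block dstdomain %s\nhttp_access deny cti_block" % _pattern_domain(indicator)


if __name__ == "__main__":
    ind = make_indicator("www.evil2015.com", "Contacted after a fake airline-notice phish (constructed)")
    hits = match_proxy_log(ind, PROXY_LOG)
    # Placeholder identity id for "us" as the observer.
    sighting = make_sighting(ind, hits, "identity--00000000-0000-4000-8000-000000000001")
    print(json.dumps(bundle(ind, sighting), indent=2))
    print(squid_block_rule(ind))
```

The sighting deliberately carries counts, time bounds and outbound volume but not the client addresses: that is the part a member can share with the community without exposing its own network, while the hit list stays local for the incident responders.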
How do defenders thwart attacks? (continued)
Internal and external sightings let us determine common attributes:
- Analyze lots of sensor data
- These attacks all seem to have a commonality: fake airline tickets
- This maps to a set of tactics, attack methods, and victims
- Look for other related abuses with similar activity
- Identify the tools utilized and reduce the attacker's effectiveness
- This can lead to the identification of the attacker
Intelligence-Driven Community Defense
Maturing an intelligence ecosystem:
  o Standards-based, machine-speed communication
  o End-to-end (sensor to control)
Community defense model: organizations with intelligence and trusted member organizations exchange with a cyber threat central intelligence repository.
Changing the Economics
- Cost to firms: the current cost to process a single piece of intelligence is 7 hours, which the slide equates to $100m in 2014, $1b in 2015 and $4b in 2016.
- Cost to adversaries: adversaries must re-tool much more often, and their exploits cause less damage.
- Risks from cyber threats: frequency and impact of threats decrease, while higher adoption leads to exponential benefits.
Chart: "Reducing asymmetry between attack and defense", plotting cost to defend and cost to attack (min to max) against policy effectiveness. The current state of cyber-symmetry (advantage: attackers; unsophisticated adversaries can play) moves toward a future state (advantage: defenders; only the most advanced can play).
Questions
www.soltra.com