Anatomy of Cyber Threats, Vulnerabilities, and Attacks



Similar documents
The Cyber Threat Profiler

WHITE PAPER: THREAT INTELLIGENCE RANKING

Combating a new generation of cybercriminal with in-depth security monitoring

High End Information Security Services

THE 2014 THREAT DETECTION CHECKLIST. Six ways to tell a criminal from a customer.

White Paper: Leveraging Web Intelligence to Enhance Cyber Security

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Threat Intelligence Platforms: The New Essential Enterprise Software

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

Cyber4sight TM Threat. Anticipatory and Actionable Intelligence to Fight Advanced Cyber Threats

THE BLIND SPOT IN THREAT INTELLIGENCE THE BLIND SPOT IN THREAT INTELLIGENCE

IBM Security Intelligence Strategy

THREAT VISIBILITY & VULNERABILITY ASSESSMENT

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

Eight Essential Elements for Effective Threat Intelligence Management May 2015

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

The Big Data Paradigm Shift. Insight Through Automation

應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊

IMPROVING VULNERABILITY MANAGEMENT EFFECTIVENESS WITH APPLICATION SECURITY MONITORING

How To Create An Insight Analysis For Cyber Security

CaaS Think as a bad guy Petr Hněvkovský, CISA, CISSP HP Enterprise Security

All about Threat Central

Symantec Cyber Security Services: DeepSight Intelligence

Security strategies to stay off the Børsen front page

Security Intelligence Services.

Introducing IBM s Advanced Threat Protection Platform

PALANTIR CYBER An End-to-End Cyber Intelligence Platform for Analysis & Knowledge Management

Protecting critical infrastructure from Cyber-attack

IBM Security Strategy

Advanced Threat Detection: Necessary but Not Sufficient The First Installment in the Blinded By the Hype Series

Business white paper. Missioncritical. defense. Creating a coordinated response to application security attacks

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

The Third Rail: New Stakeholders Tackle Security Threats and Solutions

Find the intruders using correlation and context Ofer Shezaf

RSA Security Anatomy of an Attack Lessons learned

Unstructured Threat Intelligence Processing using NLP

End-user Security Analytics Strengthens Protection with ArcSight

Symantec Managed Security Services The Power To Protect

First Line of Defense

Cyber Security Operations: Building or Outsourcing

The Future of the Advanced SOC

The webinar will begin shortly

Visualization, Modeling and Predictive Analysis of Internet Attacks. Thermopylae Sciences + Technology, LLC

Threat Intelligence: What is it, and How Can it Protect You from Today s Advanced Cyber-Attacks A Webroot publication featuring analyst research

Teradata and Protegrity High-Value Protection for High-Value Data

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

Take the Red Pill: Becoming One with Your Computing Environment using Security Intelligence

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Preempting Business Risk with RSA SIEM and CORE Security Predictive Security Intelligence Solutions

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Threat Intelligence Pty Ltd Specialist Security Training Catalogue

ALERT LOGIC FOR HIPAA COMPLIANCE

Modern Approach to Incident Response: Automated Response Architecture

DYNAMIC DNS: DATA EXFILTRATION

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

Protecting against cyber threats and security breaches

Attackers are reusing attacks (because they work)

Overcoming Five Critical Cybersecurity Gaps

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Analyzing Security for Retailers An analysis of what retailers can do to improve their network security

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

WAN security threat landscape and best mitigation practices. Rex Stover Vice President, Americas, Enterprise & ICP Sales

Imperva Cloud WAF. How to Protect Your Website from Hackers. Hackers. *Bots. Legitimate. Your Websites. Scrapers. Comment Spammers

Security Information and Event Management. White Paper. Expand the Power of SIEM with Real-Time Windows Security Intelligence

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

End-to-End Application Security from the Cloud

IBM Security IBM Corporation IBM Corporation

Managed Intrusion, Detection, & Prevention Services (MIDPS) Why Sorting Solutions? Why ProtectPoint?

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection

Cyber Security. BDS PhantomWorks. Boeing Energy. Copyright 2011 Boeing. All rights reserved.

Full-Context Forensic Analysis Using the SecureVue Unified Situational Awareness Platform

The Next Generation Security Operations Center

After the Attack: RSA's Security Operations Transformed

Unified Cyber Security Monitoring and Management Framework By Vijay Bharti Happiest Minds, Security Services Practice

Incident Response. Six Best Practices for Managing Cyber Breaches.

How To Integrate Intelligence Based Security Into Your Organisation

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

The Business Justification for Cyber Threat Intelligence. How advanced intelligence improves security, operational efficiency and strategic planning

The Growing Need for Real-time and Actionable Security Intelligence Date: February 2014 Author: Jon Oltsik, Senior Principal Analyst

First Line of Defense

IBM QRadar Security Intelligence April 2013

The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era

Website Security. End-to-End Application Security from the Cloud. Cloud-Based, Big Data Security Approach. Datasheet: What You Get. Why Incapsula?

Business Case Outsourcing Information Security: The Benefits of a Managed Security Service

ENISA s Study on the Evolving Threat Landscape. European Network and Information Security Agency

KASPERSKY SECURITY INTELLIGENCE SERVICES. EXPERT SERVICES.

CYBER SECURITY, A GROWING CIO PRIORITY

Hunting for the Undefined Threat: Advanced Analytics & Visualization

Transcription:

Anatomy of Cyber Threats, Vulnerabilities, and Attacks ACTIONABLE THREAT INTELLIGENCE FROM ONTOLOGY-BASED ANALYTICS 1 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

ABOUT RECORDED FUTURE The open web is both a platform to create attacks and a source of information to prevent attacks. To shift the balance of power in your favor, our revolutionary technology organizes the public web for analysis to provide you future, present, and past insight for emerging cyber threats. Our Temporal Analytics Engine structures data around cyber security events, actors, locations, and time to give you forecasting power. Operating at a massive scale in real time, Recorded Future scans, collects, and analyzes hundreds of thousands of web sources in seven languages, and processes billions of events to cast the widest open source intelligence net and deliver tailored, timely insights to you. 2 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

Recorded Future organizes the web for analysis of past and future cyber security events, which enables analysts to generate meaningful threat intelligence to more accurately and proactively defend their organization. To enable this, unstructured text from internet forums, websites, paste sites, news articles, blogs, tweets, etc. is transformed into structured information, which can be visualized for human analysis, aggregated to support (algorithmic) quantitative analysis, and analyzed to detect anomalies and trends. The end goal is to forecast future events and even create automated predictive models. To ensure threat intelligence is accurate and quickly actionable, it s critical that it s based on a standardized ontology to ensure a consistent integration with security products and other intelligence sources, and enable confusion-free collaboration with analyst teams. This white paper introduces the data model that underpins Recorded Future s real-time threat intelligence solution. It describes what entities are involved in representing cyber threats, vulnerabilities, and attacks, how these entities are related in our cyber ontology, and how cyber events represent relationships between different involved entities. We re not alone in trying to structure the complex world of cyber security. According to MITRE, STIX is a collaborative communitydriven attempt to define and develop a standardized language to represent structured cyber threat information. The STIX Language intends to convey the full range of potential cyber threat information and strives to be fully expressive, flexible, extensible, automatable, and as human-readable as possible. We always strive to follow standards when possible. We have monitored the growing adoption of standards like STIX for 1 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

representing threat intelligence information. These standards are a useful point of reference for explaining our approach. In fact, there s a straightforward mapping between STIX and much of our entity ontology and CyberAttack and CyberExploit events, as described in this paper. Our approach is designed for the full breadth of threat information that s found on the web, which includes reporting from defenders, security researchers, and more. This consists of ambiguously reported clues about current threats, and even reporting from threat actors, such as statements linking attacks to hacktivist operations and hashtags. We ve designed our approach with the expressiveness needed for these additional characteristics. Creating Structure With Entities and Events Internal data regarding cyber security tends to be highly structured (e.g. in the form of network logs, data from intrusion detection systems, etc.). External, open source intelligence comes primarily in the form of unstructured text, and needs to be organized before it can be quantitatively analyzed and correlated with internal data. Recorded Future uses natural language processing (NLP) to extract entities and events from unstructured text, and organizes (mostly) static relationships between entities into ontologies to relate them to each other. Entities Recorded Future uses entities to model concrete and abstract nouns, such as persons, organizations, companies, products, and technologies. An entity represents a physical or virtual object, and can have several 2 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

names associated with it. We refer to the alternative names for the same entity as synonyms. For example, the malware entity DDoS has several synonyms, including Distributed Denial of Service. Synonyms allow the user to not have to worry about alternative names and spellings of an entity when querying the Recorded Future system. For the cyber domain, we have introduced a number of domain-specific entity types. Malware This entity type is used to represent malware. The name is intended to be the non-technical name or street name used to discuss the malware. Examples include Zeus and Duqu. Malware entities are detected by harvesting industry expert and government sources as well as through a statistical entity extractor. MalwareSignature A malware signature is the technical name of a malware, as reported by a cyber security company, for example Trojan.W32.Zeus. MalwareSignature entities are identified by regular expression detectors. CyberVulnerability A vulnerability is a bug or a weakness that can be directly used by a hacker to gain access to a system or network. A CyberVulnerability entity represents a vulnerability defined, for example, in the US National Vulnerability Database (NVD), such as CVE-2014-0094. 3 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

CyberVulnerability entities are harvested through a set of regular expression detectors, defined for the different companies and organizations that assign vulnerability identifiers. MalwareCategory The MalwareCategory entity type is used to group Malware entities into logical groups, for example by what kind of systems they target (e.g. POS malware and Android malware). AttackVector Malware uses different attack vectors to gain access to a computer in order to deliver a payload or malicious outcome. These classes of attack vectors is represented by the AttackVector entity type. Examples include SQL Injection and Phishing. Operation This entity type represents operations, typically defined by hacktivist organizations. Examples include OpIsrael and OpGCHQ. Operation entities are defined by a regular expression entity detector. Ontology The Recorded Future cyber ontology represents primarily static relationships between entities, as described in the picture below, and the following example. The central Malware entity type can for example be associated 4 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

with an arbitrary number of AttackVector, MalwareCategory, MalwareSignature, CyberVulnerability, and Product entities, as well as with an arbitrary number of technical indicators such as hashes, file names, Windows registry keys, etc. Example Below is an example of (parts of) the ontology information for the Zeus malware: 5 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

Events Events in Recorded Future capture dynamic relationships between entities, and are also associated with an event time. Currently there are two event types specific to the cyber security domain: CyberAttack and CyberExploit. Just like synonyms allow us to abstract away from alternative spellings and names for the same entity, events allow us to abstract away from the exact wording used to describe an event. For example, phrases such as XYZ Bank was hacked, The hackers went after XYZ Bank, and Data breach hits XYZ Bank all result in a CyberAttack event where 6 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

XYZ Bank is designated as target. CyberAttack CyberAttack is the event type used to represent information about a cyber attack. Note that information might be partial, for example only a Target or an Attacker and a Method might be known. In general, a CyberAttack event is described by an (optional) Attacker, Target, and Method attribute. In some cases, a (hacktivist) Operation attribute can also be identified. Entities which occur in a sentence discussing a cyber attack but that cannot be assigned a specific role get collected in the RelatedEntities attribute: Example The following is an example of a cyber attack where several attributes have been identified: 7 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

This results in the following event data structure. Note that KKK gets identified as a synonym and is automatically resolved to the entity Ku Klux Klan. CyberExploit CyberExploit is the event type used to represent when a known vulnerability (e.g. one which has been assigned some CyberVulnerability identifier) has been exploited, either malignantly (in the wild) or as a Proof of Concept (PoC) to illustrate its potential. The CyberExploit event currently only relates the CyberVulnerability to the method used to exploit it. Future versions might add specific products or other targets hit by the exploit. Entities which occur in a sentence discussing a cyber exploit but that cannot be assigned a 8 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

specific role get collected in the RelatedEntities attribute: Example The following is an example of a CyberExploit event connecting CVE- 2014-8440 to the Angler Exploit Kit malware: 9 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

Mapping to STIX As mentioned above, our representation of cyber entities and events can be mapped into the emerging STIX standard: Structured Threat Information expression (STIX) v1.1 Architecture (Source) As a simple example, consider the following STIX data: 10 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

Nodes in this graph correspond to entities in our system, and edges represent a mix of ontological information and events (e.g. a CyberAttack event with Bad Guy as attacker and Backdoor as method, and potentially BankJob123 as an operation). The exact mapping between our representation and STIX is however beyond the scope of this paper. Conclusions Once information has been structured into entities and events, it can be aggregated, clustered, and used for different kinds of analyses. As an example, the Recorded Future Cyber product shows a realtime view of the most important threat actors, targets, methods and operations, all based on data structured as we have described in this white paper. Recorded Future Cyber 11 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

From this top level view an analyst can drill down, for example, to look for targets affected by a certain malware, such as Regin: Recorded Future Enterprise The structured representation and the ability to search for a specific event type, and with certain attribute values, is part of what makes Recorded Future the best choice for creating a more insightful world. Analysis does not have to be confined to the Recorded Future system. Through our integration with the HP ArcSight security information and event management (SIEM) solution, security operations center (SOC) analysts can directly link to Recorded Future s real-time threat intelligence solution for actionable insight on relevant technical indicators. 12 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

Recorded Future Integration via the HP ArcSight SIEM Solution -- References CVE: http://cve.mitre.org/ NVD: http://nvd.nist.gov STIX: http://stix.mitre.org/ OpenIOC: http://openioc.org/ 13 Anatomy of Cyber Threats, Vulnerabilities, and Attacks Copyright 2015 Recorded Future, Inc.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information