The Third Rail: New Stakeholders Tackle Security Threats and Solutions

Similar documents
All about Threat Central

Eight Essential Elements for Effective Threat Intelligence Management May 2015

Machine-to-Machine Exchange of Cyber Threat Information: a Key to Mature Cyber Defense

Separating Signal from Noise: Taking Threat Intelligence to the Next Level

Threat Intelligence Buyer s Guide

Redefining SIEM to Real Time Security Intelligence

Attackers are reusing attacks (because they work)

CaaS Think as a bad guy Petr Hněvkovský, CISA, CISSP HP Enterprise Security

The Role of Threat Intelligence and Layered Security for Intrusion Prevention in the Post-Target Breach Era

Anatomy of Cyber Threats, Vulnerabilities, and Attacks

Security Intelligence Services.

Palo Alto Networks. October 6

September 20, 2013 Senior IT Examiner Gene Lilienthal

FROM INBOX TO ACTION AND THREAT INTELLIGENCE:

Hunting for the Undefined Threat: Advanced Analytics & Visualization

FS-ISAC CHARLES BRETZ

Find the intruders using correlation and context Ofer Shezaf

Testimony of. Mr. Anish Bhimani. On behalf of the. Financial Services Information Sharing and Analysis Center (FS-ISAC) before the

Digital Evidence and Threat Intelligence

Threat Intelligence Platforms: The New Essential Enterprise Software

Active Response: Automated Risk Reduction or Manual Action?

Analytic and Predictive Modeling of Cyber Threat Entities J. Wesley Regian, Ph.D.

White Paper: Leveraging Web Intelligence to Enhance Cyber Security

應 用 SIEM 偵 測 與 預 防 APT 緩 攻 擊

Unified Security Management and Open Threat Exchange

ASSUMING A STATE OF COMPROMISE: EFFECTIVE DETECTION OF SECURITY BREACHES

Sophisticated Indicators for the Modern Threat Landscape: An Introduction to OpenIOC

US-CERT Year in Review. United States Computer Emergency Readiness Team

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

After the Attack: RSA's Security Operations Transformed

Big Data in Action: Behind the Scenes at Symantec with the World s Largest Threat Intelligence Data

JUNIPER NETWORKS SPOTLIGHT SECURE THREAT INTELLIGENCE PLATFORM

WildFire. Preparing for Modern Network Attacks

Cloud and Critical Infrastructures how Cloud services are factored in from a risk perspective

Threat Intelligence: An Essential Component of Cyber Incident Response. Jeanie M Larson, CISSP-ISSMP, CISM, CRISC

ESG Threat Intelligence Research Project

Combating a new generation of cybercriminal with in-depth security monitoring

Software that provides secure access to technology, everywhere.

Threat Intelligence: Friend of the Enterprise

The Cyber Threat Profiler

Operational Lessons from the RSA/EMC CIRC: People, Process, & Threat Intel

The Onslaught of Cyber Security Threats and What that Means to You

Concierge SIEM Reporting Overview

Achieving Actionable Situational Awareness... McAfee ESM. Ad Quist, Sales Engineer NEEUR

Protecting critical infrastructure from Cyber-attack

Threat Intelligence for Dummies. Karen Scarfone Scarfone Cybersecurity

A Primer on Cyber Threat Intelligence

Symantec Cyber Security Services: DeepSight Intelligence

Incident Response. Six Best Practices for Managing Cyber Breaches.

Italy. EY s Global Information Security Survey 2013

The Evolution of Application Monitoring

Rethinking Information Security for Advanced Threats. CEB Information Risk Leadership Council

Fraud Threat Intelligence

SES / CIF. Internet2 Combined Industry and Research Constituency Meeting April 24, 2012

Things To Do After You ve Been Hacked

Threat Intelligence: The More You Know the Less Damage They Can Do. Charles Kolodgy Research VP, Security Products

Addressing APTs and Modern Malware with Security Intelligence Date: September 2013 Author: Jon Oltsik, Senior Principal Analyst

Cyber Security Summit 2015

Combating a new generation of cybercriminal with in-depth security monitoring. 1 st Advanced Data Analysis Security Operation Center

Threat Intelligence is Dead. Long Live Threat Intelligence!

Threat Intelligence: What is it, and How Can it Protect You from Today s Advanced Cyber-Attacks A Webroot publication featuring analyst research

CYBER SECURITY INFORMATION SHARING & COLLABORATION

Cyber Threat Intelligence Move to an intelligencedriven cybersecurity model

Contemporary Web Application Attacks. Ivan Pang Senior Consultant Edvance Limited

As global mobile internet penetration increases the cybercrime and cyberterrorism vector is extended

Session 9: Changing Paradigms and Challenges Tools for Space Systems Cyber Situational Awareness

Teradata and Protegrity High-Value Protection for High-Value Data

Threat Intelligence & Analytics Cyber Threat Intelligence and how to best understand the adversary s operations

APPLICATION PROGRAMMING INTERFACE

Performing Advanced Incident Response Interactive Exercise

WHITE PAPER: THREAT INTELLIGENCE RANKING

Cyber/IT Risk: Threat Intelligence Countering Advanced Adversaries Jeff Lunglhofer, Principal, Booz Allen. 14th Annual Risk Management Convention

Into the cybersecurity breach

EXTENDING NETWORK SECURITY: TAKING A THREAT CENTRIC APPROACH TO SECURITY

UNCLASSIFIED. Briefing to Critical Infrastructure Sector Organizations on the Canadian Cyber Incident Response Centre (CCIRC)

Evolution Of Cyber Threats & Defense Approaches

Symantec Global Intelligence Network 2.0 Architecture: Staying Ahead of the Evolving Threat Landscape

Advanced Visibility. Moving Beyond a Log Centric View. Matthew Gardiner, RSA & Richard Nichols, RSA

CORE INSIGHT ENTERPRISE: CSO USE CASES FOR ENTERPRISE SECURITY TESTING AND MEASUREMENT

Know Your Foe. Threat Infrastructure Analysis Pitfalls

RETHINKING ORC: NRF S CYBER SECURITY EFFORTS. OMG Cross Domain Threat & Risk Information Exchange Day, March 23, 2015

Advanced Threats: The New World Order

The Advanced Attack Challenge. Creating a Government Private Threat Intelligence Cloud

CYBER4SIGHT TM THREAT INTELLIGENCE SERVICES ANTICIPATORY AND ACTIONABLE INTELLIGENCE TO FIGHT ADVANCED CYBER THREATS

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

STRATEGIC ADVANTAGE: CONSULTING & ISIGHT INTELLIGENCE

Advanced Cyber Threats in State and Local Government

Cyber Threats Insights from history and current operations. Prepared by Cognitio May 5, 2015

Security Operations Metrics Definitions for Management and Operations Teams

Comprehensive Malware Detection with SecurityCenter Continuous View and Nessus. February 3, 2015 (Revision 4)

Marble & MobileIron Mobile App Risk Mitigation

Transcription:

SESSION ID: CXO-R03 The Third Rail: New Stakeholders Tackle Security Threats and Solutions Ted Ross Director, Threat Intelligence HP Security Research @tedross

Agenda My brief background An example of a successful collaboration Quick review of some basics Stakeholders Next Gen sharing Use cases 2

HPSR Threat Intelligence Strategic Human-to-human Field Intelligence Tactical Machine-to-machine Facilitates strategic human-to-human interaction Threat Central Monitor the Underground Profile Threat Actors Human Intel

The Power of Collaboration: A View from the Underground

The Adversary Collaborates Effectively Experts Marvel At How Cyber thieves Stole $45 Million In Hours, Thieves Took $45 Million in A.T.M. Scheme Bank Hack Global Network Results in of Hackers Steal $45 Million Million From ATMs Stunning $45 Heist The Circuit: Hackers took $45 million in ATM heist

Recruiting

But they don t trust each other

Collaboration

Payment Options Escrow, Laundering, Assets

Lessons Learned from the Adversary Sharing is social - social rules apply Protect your identity Credibility is key Reuse what others have learned Leverage each others strengths

Challenges that We Must Overcome Limited participation Not comfortable sharing (social issues) No time No trust Data is not actionable lacks context and relevance Overly manual not timely

The Power Of Collaboration: What are the Good Guys doing?

ISACs (Information Sharing & Analysis Centers) Created from Presidential Directive in 1998 (updated in 2003). Public and private sector to create a partnership to share information about threats, vulnerabilities, and events to help protect the critical infrastructure. U.S. Treasury, DHS and other relevant government agencies / entities use ISACs to disseminate critical information. Last count there are 18 different ISACs (i.e. Financial Services, Energy, Water, National Health, Surface Transportation, etc). FS-ISAC (launched in 1999) is the most advanced and leading the way for others In early 2013, FS-ISAC extended their charter to include information sharing for financial services entities world-wide.

STIX / TAXII Structured Threat Information expression A Structured Language for Cyber Threat Intelligence Information Source - https://stix.mitre.org Trusted Automated exchange of Indicator Information Enabling Cyber Threat Information Exchange Source - http://taxii.mitre.org

STIX Data Model https://stix.mitre.org

Observable (lowest level)

Indicator

Incident

Evolution 2015 Embedded Human Threats Video Removed for security purposes

Evolution Props to Chris Blask (ICS-ISAC) 2013 2014 2015 2016 We are here Building the pipes (infrastructure & tools for sharing) Analyze the Data Apply results

The Next Phase- Analyze the Data Indicators come from multiple sources, each with a unique view on the threat Collaboration allows us to LINK artifacts Interacting with an intelligent system allows us to determine which threats are important to you RELEVANCE Using the context to score the indicators makes them ACTIONABLE 21

Key Stakeholders Privacy Enhanced Forums HP Security Research YOU YOUR SIEM YOUR STIX Threat DB Threat DB Threat DB Private Community Friend STIX Sector Community SIEM Global Community SIEM STIX Portal SIEM

Automated Action Influenced by Context Collect Normalize Analyze/Correlate Distribute / ACT ESM Connector Actionable Intel TC Community Open Source API IP address \ Domain File Hash Registry Key URL Add Context Compare & Correlate Match Customer Case Match to Actors, TTPs \ Verticals Targeted Linked Indicators Portal Security Event Manager Feeds Sightings \ Source Reliability Severity SET SCORE RELEVANT Y/N Edge Device Confidence Research Community Feedback

Results & Actions First Sighting Second Sighting Vote Down Effect Third Sighting Fourth Sighting Highest Possible Reliability Normal Normal Normal Normal Normal HIGH Severity M M M M M H Confidence M M M M M H Sightings 1 2 4 3 4 4 Votes 0 0-4 0 0 4 SCORE 35 47 52 59 73 100 Monitor Activity Take Action

Results & Actions First Sighting Second Sighting Vote Down Effect Third Sighting Fourth Sighting Highest Possible Reliability Normal Normal Normal Normal Normal HIGH Severity M M M M M H Confidence M M M M M H Sightings 1 2 4 3 4 4 Votes 0 0-4 0 0 4 SCORE 35 47 52 59 73 100 Monitor Activity Take Action

Results & Actions First Sighting Second Sighting Vote Down Effect Third Sighting Fourth Sighting Highest Possible Reliability Normal Normal Normal Normal Normal HIGH Severity M M M M M H Confidence M M M M M H Sightings 1 2 4 3 4 4 Votes 0 0-4 0 0 4 SCORE 35 47 52 59 73 100 Monitor Activity Take Action

Query Depth = 2 3 Observabl e Observabl e Domain IP Address Observabl e

Automated APT Actor Recognition Possible distractions/ Easy attack vectors TTP How APT actors are recognized TTP The power of linking Actors (courtesy of CERT-EU) Secondary recognition

Use Case: Automated Actions Brute force login Invalid Login Attacker Invalid Login IPS Key Assets

Use Case: Automated Actions Current approach Attacker Invalid Login Invalid Login IPS Company A Attacker Attacker Invalid Login Invalid Login IPS Invalid Login Invalid Login IPS Company B Company C

Use Case: Automated Actions New approach Attacker Invalid Login Invalid Login IPS Company A LOW SCORE Sharing Community Medium HIGH LOW SCORE Attacker Invalid Login Invalid Login IPS Invalid Login Company B Company C LOW SCORE LOW SCORE HIGH SCORE Company D If score = HIGH, push to IPS Attacker Invalid Login IPS IPS/Firewall

Use Case: Proactive Block Lists - RECON Current approach Recon Source IPS Source 2.2.2.X Key Assets Attack Source(s)

Recon IP Attack IPs Use Case: Proactive Block Lists - RECON with Threat Central Sharing Community IPS Recon Source Source 2.2.2.X Key Assets Attack IP List Attack Source(s)

Summarizing: Leveraging the Community Zero day Company A NEW EVENT Malwar e variant Company B NEW EVENT Sharing MALWARE ZERO BAD DAY IP Community Malicious IP address Company C NEW EVENT

What to Look for in Threat Sharing Systems Automated bi-directional sharing Analysis of the data Actionable derived results Tap into the existing community of security experts Product agnostic sharing is a must

How to Apply Within three months, select a collaboration system that produces A- Actionable results B- Indicators that are relevant to you Start collaborating with both human-human and machine-machine using a system that will send indicators automatically as a result of the collaboration. Leverage strategic intelligence (context) to better defend defend with purpose 36

Thank You 37

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information