Attribution: The Holy Grail or Waste of Time? Billy Leonard Google
Should this be the end, our Holy Grail?
How's that picture going to help you now?
But, the pictures make me safer!
We can do better.
Our quest for the Grail starts here.
How they operate
Who and how they target
What tools do they use
What order do they use them in
How do they customize them
How do they move laterally
When do they operate
How do they take your data
Are they good at what they do
Don't be a victim of Badtribution.
Cheers!
CYBERSECURITY AT THE NSA
Dave Hogue, Operations Lead, NSA/CSS Threat Operations Center, National Security Agency
Cyber Attacks Against U.S. Doubled Over Past Three Years
DNSChanger shutdown
92% of the Top 100 Mobile Apps have been Hacked
Spearphishing emails over 90% of targeted attacks
Flame and Gauss: nation-state cyber-espionage campaigns
Facebook Hacked
99% of web applications vulnerable to attack
Business cost of malware spirals to $114B a year
2.4M Canadian Voters Exposed After Loss of 2 USB Drives
Global hacking attempts will hit 1 Billion
Apple Hacked
China Military Unit Behind Prolific Hacking
LinkedIn, Last.fm, Dropbox and Gamigo password leaks
Google detects 9,500 malicious sites per day
Flashback hits Mac OS X
Adobe certificates theft and the omnipresent APT
Android threats increase dramatically
Cyber attack could turn US weapons against America
Microsoft Hacked
Cybercrime Costs Consumers $110 Billion
Washington Confirms Chinese Hack Attack on White House Computer
EVER EVOLVING, VOLATILE ENVIRONMENT
NSA NEEDS TO MAINTAIN CONSTANT AWARENESS
THE COMPLETE PICTURE DRAGONFLY
THE COMPLETE PICTURE HACKER
DoD: WORK TOGETHER, PROTECT OUR EQUITIES
GOV CYBER SECURITY INDUSTRY DEFENSE INDUSTRIAL BASE PILOT NSA + DHS + ISPs TRANSITION
TEAM CYBER: INDUSTRY
HACKERS BREACH NASDAQ X1,000 30,000 INFECTED COMPUTERS
BEST OF BOTH WORLDS: J2 Intel, J3 Ops, J6 Infrastructure
RIGID GUIDELINES / WE'RE MAKING THIS UP AS WE GO
WHAT DO WE NEED: PREEXISTING RELATIONSHIPS, DEFINED MEASURES OF INTEL, COMBINED GOVERNMENT/INDUSTRY RESPONSE
Intelligence Driven Security In Action: Operationalizing Intelligence
Seth Geftic, Associate Director, RSA Security Analytics, RSA, The Security Division of EMC
Copyright 2012 EMC Corporation. All rights reserved.
Today's Security Requirements
Big Data Infrastructure: Need a fast and scalable infrastructure to conduct short term and long term analysis
High Powered Analytics: Give me the speed and smarts to discover and investigate potential threats in near real time
Comprehensive Visibility: See everything happening in my environment and normalize it
Integrated Intelligence: Help me understand what to look for and what others have discovered
How Do I Know What To Look For?
RSA Live: Intelligence Converted Into An Operationalized Format
Indicators converted into operationalized format
Parser helps search for specific behavior within a feed
Removes hay to help find needles
RSA Security Analytics: Intelligence Driven Security In Action
Operationalized intelligence is far greater than detached intelligence
Analysts need to understand what to look for and take advantage of what others have found
Compare intelligence with historical data to see if indicators of compromise were found
Apply in real-time to defend against future attacks
Intelligence Led Incident Response Sean Catlett, Vice President
Incident Response: My Experience
Decision Pressures: Business; Customer Protection; Regulatory; Financial; Crisis Response
Internal Information Sources: Vulnerabilities; Log data; Forensics; System Performance; Script Output; Customer Contacts
Threat Beachhead & Continuation (diagram)
Incident Indicators; Threat Predictors; Attribution Predictors
Vulnerabilities; C&Cs; Geolocation; Logs; Forensics; System Performance; Script Output; Customer Contacts; Drop Sites; External data flows; ISP contacts; Backdoors; Open source; Closed source; Market offering in underground
Intelligence Difference: Managing a breach
Investment in immediate remediation actions which follow the attacker's path
VS
Strategic investment in containment that is continually mapped against threat capabilities
Current model of incident response relies on internal data that can be collected from attacked systems, leaving gaps in knowledge such as:
What will the attacker do with the data they stole?
Who was it?
Why are they doing it?
What are their ongoing capabilities?
Are they coming back?
What/Who else are they attacking?
As actions become more scalable, insight into actions becomes more valuable
Crowdsourcing Threat Intelligence Based on a True Story
Actors - Setting up the Story: Computer Scientist; Intelligence Analyst
ThreatConnect.com
First Days of Cyber Squared (Part 1)
Rich: Security Intelligence is the next BIG idea!
Adam: What does that mean?
Rich: You know?! We use an advanced understanding of the Threat to protect our customers' business operations.
Adam: OK, how do we do that?
Functional Areas of Threat Intelligence
Collect & Analyze: Need relevant data with context and validation
Decision Support: Which way should we go?
Mitigate: Protect the organization
First Days of Cyber Squared (Part 2)
Adam: So you keep all your indicators in a spreadsheet?
Rich: Yeah, there isn't anything out there that tracks this sort of thing and puts everything together.
Adam: How do you track everything by hand?
Rich: I have a perl script!
Adam: How is that working for you?
Rich:
Platform for Threat Intelligence: Collect, Analyze, Share
Collect: There are many sources of data
Analyze: Create Intel - Add context and validation, manually or with automation
Share: Share Intel across your own or with external orgs
First Days of Cyber Squared (Part 3)
Adam: We've completed V1.0 of ThreatConnect.
Team: Nice, we like it. There is one thing though: can we have multiple independent organizations work together, and have the software combine their data and analysis as if they were working together the entire time?
Adam: Back to the drawing board
The Aha! Moment
Crowdsource the problem - The BIG (Data) Idea
Actual Cyber Army vs. Virtual Cyber Army - Protecting our livelihood
Three Reasons to Crowdsource Threat Intelligence
Resource Crunch: Are there even enough people to go around?
Power of Crowd & Cloud Analysis: We need to bridge our intel silos and automate analysis
Stop The Threat: Together we can stop the Threat
Help Each Other
Play Nice
Think Outside the Box
Just Imagine What is Possible
Curating Indicators: Bringing Smarts to Intel
SANS CTI Summit, 22-March-2013
Douglas Wilson, Manager, Threat Indicators Team, douglas.wilson@mandiant.com
Copyright 2013
The Detection Timeline
Julie J.C.H. Ryan, D.Sc., Associate Professor, George Washington University
Presentation to SANS, March 2013
Timeline (time axis): Event; Indicators Discovered. "Hey! Something is wrong!"
Timeline (time axis): Event; Event Characterized; Indicators Discovered. "What happened, when did it happen, is it still happening??"
Quick! Do Something! Fix it!
Reaction Activities:
Crisis management
Containment of damage
Triage, remediation
Investigation
Forensics data collection, administrative processes, exposure analysis
Civil or Criminal legal stuff
Firing people
Arresting people
Continuity of Operations
Continuing to operate in a degraded mode
Business Recovery
Returning to full capability
Timeline (time axis): Event; Event Characterized; Indicators Discovered
Reaction Activities. Timeline (time axis): Event; Event Characterized; Indicators Discovered; Damage Assessed. "Have we stopped it yet? How bad is it?"
Reaction Activities. Timeline (time axis): Event; Event Characterized; Indicators Discovered; Event Reported; Damage Assessed. "(Who) do we have to tell?"
Speed Kills (timeline diagram)
Configuration Changes; Heightened Alert Status; Reduction of Exposure; Continuity of Operations activities; Pre-Event Actions; Event Duration; Recovery
Probabilistic Detection: Anomalies; Port Scans; Weird Stuff
Actual Event Start; Alert; Detection; Triggering Event; Stop of activity; Confirmation of Detection
Julie J.C.H. Ryan, D.Sc., Associate Professor, George Washington University, Jjchryan@gwu.edu