Cyber Threat Intelligence SANS360
Foster and enrich cyber threat information sharing relationships, enhance existing trusted partnerships Areas of Focus Organizations Top 5 IT partners Select based on maturity of cyber security capability, value relationship has or will provide Top 5-10 supplier /partners Seek advice from business teams and legal on global suppliers of interest, also from incident data Private sector companies in common vertical Seek out confidentiality agreements with companies in common verticals Internal business functions Internal organizations with common business mission Public sector InfraGard Domestic Security Alliance Council (DSAC ) Cyber Information Sharing & Collaboration Program (CISCP) National Cyber Forensic Training Alliance (NCFTA ) Business focused tactical and strategic actionable intelligence 6 Recommendations Document your organizations business objectives Understand your organizations risk tolerance Perform threat modeling and assess internal intelligence sources Develop intelligence mindset / add data when you identify gaps Develop internal researchers (Focused IoC’s, Yara, CTI) © 2015. For information, contact Deloitte Touche Tohmatsu Limited. 8 Mike Green [email protected] 610-479-5533 Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee (“DTTL”), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as “Deloitte Global”) does not provide services to clients. Please see www.deloitte.com/about for a more detailed description of DTTL and its member firms. Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries and territories, Deloitte brings world-class capabilities and highquality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte’s more than 200,000 professionals are committed to becoming the standard of excellence. This communication contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively, the “Deloitte Network”) is, by means of this communication, rendering professional advice or services. No entity in the Deloitte network shall be responsible for any loss whatsoever sustained by any person who relies on this communication. © 2015. For information, contact Deloitte Touche Tohmatsu Limited. 9 Developing Threat Intel With An Automated Analysis Framework Disclaimer Notice Threat Intelligence Cycle Page 13 February 2015 Presentation title Ingesting Data SEIM Page 14 February 2015 Presentation title Analysis ►Analysis • • • • Page 15 Framework Automated Framework designed for modularity Preprocessing intelligence to ensure sample is run only once Open source tools used for analysis Dumps relevant data to DB February 2015 Presentation title How It All Fits Together Page 16 February 2015 Presentation title To Do ► Python Celery ► ► ► Manage tasks sent to multiple MADDIE instances Integrate DLP policy violations Full Packet Capture alerts Page 17 February 2015 Presentation title Connecting the Zero-Day Dots: Using Data Visualizations of Open Source Intelligence to Uncover Attack Patterns Roselle Safran Uplevel Security Zero Day CVE2015-0311 EFB584DE …. gaabbezrezrhe1k. com wzrdirqvrh07. com 46.105.251.1 jacafyfugdnvoov. com Zero Day CVE2015-0311 25D0A722 …. 6C643FCE …. gaab...com EFB584DE …. wzrd...com 46.105… jaca...com Zero Day CVE2015-0311 EFB584DE …. 60+ domains gaab...com 46.105… wzrd...com jaca...com Zero Day CVE2015-0311 EFB584DE …. gaab...com wzrd...com Gennadiy Borisov [email protected] jaca...com Zero Day CVE2015-0311 EFB584DE …. 8 other domains gaab...com wzrd...co m jaca...com koqpisea.in 217.23.3.204 Gennadiy Borisov [email protected] Zero Day CVE2015-0311 Zero Day CVE2014-0515 EFB584DE …. wzrd.. . .com jaca... .com Gennadiy Borisov [email protected] koqp… .in Thank you! [email protected] Introduction Dominique Kilman Matt Bromiley Meet the heroes of our story… Current State There must be a better way…. A secure network… wrapped up with a bow! (Pink, of course) Which should I choose? Everyone’s talking about it… it must be good. There’s even a SANS summit dedicated to it! Add some fairy dust Add in all that intel… mix vigorously Well… that didn’t work out as expected! What happened? What is YOUR threat… really… Is there any intelligence in that “intel?” • • • • • • • Who What When How How long How do you know Do you care Security Program Metrics Blocked Intrusions False Positives Actionable Alerts The Matt Bromiley @505Forensics End Dominique Kilman @dominique_97 © 2015 KPMG LLP, a Delaware limited liability partnership and the U.S. member firm of the KPMG network of independent member firms affiliated with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Operationalizing Self Sourced Threat Intel Ray Strubinger, SERT Lead February 2015 Standard Disclaimer Page 52 February 2015 Background & Definitions ► ► What to we mean by “self-sourced” intel? How does self-sourced intel differ from external threat sources? Page 53 February 2015 Response Options ► No matter the source of the intel there are three general response options ► Immediate mitigation ► ► Block - Networks, IP addresses, or file hashes Research, Prioritize & Respond ► ► Understand potential business impact Determine the scope and history ► ► ► Page 54 Has this activity or these indicators been seen previously? Take action now or wait? No action February 2015 Preparing for Action ► Gain an understanding of the environment ► Logs ► ► Network ► ► Format, volume, velocity, location, and contents Routers, firewalls and other security systems Develop a capability to review logs ► ► Page 55 Numerous commercial & open source options Indicators may be found here February 2015 Taking Action ► Combine log data and intel ► Determine the scope ► ► ► Identify patterns ► ► ► ► Tip of the iceberg or a flash in the pan? Initiate a formal response? Are there commonalities among the indicators or in the logs? Patterns can be used to develop broader strategy Initiate a formal response? Retiring intel ► Page 56 Keeping indicators fresh February 2015 Questions? Page 57 February 2015 1. Determine Level of Maturity 2. Create Intelligence Requirements 3. Conduct a Gap Analysis 4. Build Your Team 5. Understand your Threat Exposure 6. Identify Key Metrics & Measure 6 © 2014 VeriSign, Inc. All rights reserved. VERISIGN and other trademarks, service marks, and designs are registered or unregistered trademarks of VeriSign, Inc. and its subsidiaries in the United States and in foreign countries. All other trademarks are property of their respective owners. CYBER THREAT INTELLIGENCE #FAILS “CTI” is the new “APT” THREAT “One Down. Billion to Go.” SECTEC ASTRONOMY Captain Obvious
© Copyright 2024