Cyber Threat Intelligence Midterm Spring 2018 Dr. Li
OSINT Challenges
1) Everyone has access, which devalues it 2) Hard to tell which sources to use 3) Hard to collect
Threat Trending
-Models the organization's threat landscape
-Allows forecasting and planning for the future
-Justifies the development of CTI to upper management
-Includes:
 -Global threat landscape
 -Local threat landscape
Please explain why an organization must understand its critical assets
-Need to know what to protect based on the current threat climate.
-Correctly identifying critical assets leads to proper CTI investment and effort.
-Critical assets are any data/systems that will majorly impact the organization if breached.
Common cyber threats:
-Ransomware
-WannaCry
-DDoS
-Phishing/Spoofing
-Social engineering
The 2 STIX Objects
-STIX Domain Objects (SDO)
-STIX Relationship Objects (SRO)
Attack Based SDO's
-Threat Actor: Individuals, groups, or organizations believed to be operating with malicious intent.
-Campaign: A grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets.
-Intrusion Set: A grouped set of adversarial behaviors and resources with common properties believed to be orchestrated by a single threat actor.
Please identify 3-4 questions which should be answered in the executive summary. What value do each of these questions provide?
-What is the current threat landscape?
-How often do organizations suffer security breaches?
-How is this changing the strategies that organizations must take to move into cyber threat intelligence?
-What are some real data breach costs for organizations?
Why use hacker communities?
-Identify threat actors
-Identify cyberattack tools
-Identify breaches that aren't publicized
-Identify potential breaches
Top 10 threat trends
-Malicious worms
-Web-based attacks
-Web app / injection attacks
-Botnets
-DDoS
-Spam
-Exploit kits
-Data breach
-Physical damage/theft/loss
Global Threat Landscape
-What is going on out there?
-How many companies are being attacked? How often?
-What are they losing?
-How much money are they losing?
-How are they being attacked?
-How much do organizations spend on security?
-Has the number of attacks increased in the last 12 months? By how much?
Please describe some of the key functionalities of SIEMs.
1) Log collection 2) Log retention 3) User activity monitoring 4) Real-time event correlation 5) IT compliance reports 6) File integrity monitoring 7) Log forensics 8) Dashboards
Please describe 3-5 different types of attack vectors and corresponding IoCs.
1) Unauthorized access - Access logs 2) Privilege escalation - Password logs 3) Data dumping - Database logs 4) Nmap - Network logs
OSINT can show
1) What breaches occurred 2) Who is talking about you and how 3) What devices are exposed 4) What tools are being used
Operational Intelligence
Actionable intelligence
Course of action
Proactive defense
Intelligence dissemination
Value of CTI in IT Organizations Who, What, When, Where, Why, How x 3
Answers:
Who is attacking
What they want
When they attack
Where they are from
Why they are attacking
How they are attacking (TTP)
How to recognize them
How to mitigate
Who are some of the major providers of commercial intelligence feeds today?
Anubis - real-time cyber feed
Intel Security/McAfee - cyber threat library
FireEye - blogs, reports, attack databases
iSight - reports, API
LogRhythm - reports
Counter Intelligence
Both external and internal
Providing false information to deceive attackers
Honeypots safely identify tools and methods used by an attacker to track the attacker
Finished intelligence
Both external and internal
Finished intelligence ready to be shared
Commercial data feeds
Refined, analyzed intelligence
HUMINT
Both external and internal
Manual research and data collection
Direct hacker interactions
Provides very precise and deep knowledge
Carding
Carding shops are a major channel for distributing stolen credit/debit cards. The metadata of stolen cards (risk measure/type, location analysis, pricing structure) allows us to infer useful knowledge to identify emerging threats/targets.
Please describe 2-3 different types of threat actors.
Competitor
Hacktivist
Vandal
Data miner
Reckless employee
Threat Analytics
Cyber kill chain
Hacker profiling and tracking
Fundamental analytics
Visualization
Darknet markets
Darknet marketplaces are commercial websites on the dark web that act as black markets. They can list batch data breaches, malware (keyloggers, SQL injections), hacking tutorials, carding-related products, zero-day attacks.
SIEM process flow
Data collection
Extract intelligence information
Add value
Presentation, dashboards, and reports
SIEM Shortcomings
Do not consider external data (OSINT, feeds, etc.)
Logs and alerts can be expensive to manage
Logs can be prone to sabotage
SIEMs are difficult to tune
Siloed information and processes
LogRhythm data sources
Event logs, network data logs
Open Source Intelligence
External data that can be collected from the internet or from other CTI companies
Public statements, commercial data feeds, social media, exploit feeds
Provides comprehensive views of the external threat landscape
Ranking critical assets in categories of
Financial
Reputational
Health
Downtime cost
Total
Hacker forums
Hacker forums are online discussion sites where hackers congregate to share hacking knowledge/tools/ideas/tutorials/source code/attachments/hyperlinks.
What are some considerations when selecting a SIEM?
How much native support does the SIEM provide for the relevant log sources?
Can the SIEM supplement existing logging capabilities?
How effectively can the SIEM make use of threat intelligence?
What forensic capabilities can the SIEM provide?
What features does the SIEM provide that assist in data examination and analysis?
How timely, secure, and effective are the SIEM's automated response capabilities?
For which security compliance initiatives does the SIEM provide built-in reporting support?
Indicator-Based SDOs
Indicator = Contains a pattern that can be used to detect suspicious or malicious cyber activity.
Observed Data = Conveys information observed on a system or network (e.g., an IP address).
Major CTI Companies
Intel Security, McAfee Threat Center
FireEye
iSight Partners
LogRhythm
Anubis
CTI LifeCycle
Intelligence Strategy
Intelligence Aggregation
Threat Analytics
Operational Intelligence
Intelligence Aggregation
Intelligence sources:
Internal Intelligence
Open Source Intelligence
Internal Intelligence
Internal data collected from internal cyber assets (network logs, DB logs, IP logs)
Provides info about activities internal to the org
What is the role of internal intelligence in CTI?
Internal intelligence is gathered by utilizing data generated from your own systems. While reactive, it offers significant value: low lead time (timeliness), relevance to critical assets, increases trust, massive amount of information--tune to what you want to see. Provides information about activities internal to an organization.
IRC Channels
Internet Relay Chat (IRC) is an application that facilitates plaintext group communication. Many hacker groups and individuals leverage IRC channels to discuss hacking-related activities. IRC data must be collected in real time.
CTI is NOT:
Just an automated data feed, waiting for an attack, or cleaning up a breach.
Who are some major SIEM vendors today?
LogRhythm
Splunk
McAfee Nitro
IBM QRadar
HP ArcSight
What are some considerations when selecting intelligence feeds?
Need -- what type of intelligence does your company need?
Specialization -- publicly available intelligence feeds tend to specialize more in certain aspects of threat intelligence.
Support -- commercial data feeds will usually have more support than publicly available ones.
Cost -- commercial data feeds will usually charge for services.
Common Intelligence Sources
OSINT
Internal Intelligence
HUMINT
Counter Intelligence
Finished Intelligence
What is the value of intelligence formats in CTI?
OSINT and internal intelligence are the most useful and should be the primary sources of intelligence. Human intelligence is manual research and collection of data; it achieves deeper levels of intelligence and can extract data from difficult places, but it can be less reliable and may return nothing at all. Counter intelligence deceives the attacker and gives them false information (honeypot). It is used for defensive analysis, counter-espionage, and disinformation.
Collective Intelligence Framework (CIF)
Parsing - take in
Normalizing - deduplicate
Post-processing - derive extra intel
Storing - store
Querying - search with APIs
Sharing - share
Producing - create new data sets
SIEM stands for
Security Information and Event Management, coined in 2005 by Gartner employee Mark Nicolett
Diamond Model by Threat Connect
See picture: diamond shape, 4 edges: V.I.C.A.
Victim (personas, network assets, email accounts, etc.)
Infrastructure (IP address, domain name)
Capabilities (malware, exploit, hacker tool)
Adversary (attacker persona: email address, handles, phone number, etc.)
CTI is
TIA
Timely - catch threats as early as possible
Informative - improving threat, attack, and threat actor identification to enable decision making
Adaptive - customizing and tuning intel for your organization, not just buying intel feeds
TTP
Tactics, Techniques, Procedures of how an attack is done
Intelligence Strategy
Threat trending
Asset identification
Indicators of Compromise (IoC)
Threat Modeling
Intelligence Buy-In
What value does a SIEM have in internal intelligence?
Timeliness, relevance to critical assets, increases trust, massive amount of info -- tune to the data you want to see
TTP-Based SDOs
Tool = Legitimate software that can be used by threat actors to perform attacks.
Attack Pattern = A type of Tactics, Techniques, and Procedures (TTP) that describes ways threat actors attempt to compromise targets.
Malware = A type of TTP, also known as malicious code and malicious software, used to compromise the confidentiality, integrity, or availability of a victim's data or system.
Separation of OSINT
Traditional: Facebook, Twitter, Pastebin, news sources, Shodan
Hacker community: forums, IRC channels, carding shops, DarkNet marketplaces
Local Landscape
What is your organization and industry experiencing, attack-wise?
Intel Security/ McAfee gets data from
Antivirus engines
FireEye
blogs, reports, attack databases
Dump
can actually make the fake credit card
CCV
can only make online purchases
SRO
capture the interconnections between each of the domain objects
Intel Security, McAfee Threat Center
cyber threat library
SDO
Designed to capture specific info about a particular aspect of an environment (5 major categories: indicator, identity, TTP, attack, incident response)
Traditional data sources
Facebook, Twitter, Pastebin, Shodan, news agencies
FireEye data sources
incident responses, sensors
Anubis gets data from
infected computers, files, and emails
Definition of CTI according to iSight
Knowledge about adversaries and their motives/intentions/methods, analyzed and disseminated in ways that help security and business protect critical assets
Shodan search
Open devices on the Internet of Things
Title, HTML, Devices, Versions
Anubis
Real-time cyber feed
SRO's
Relationship, Sightings
LogRhythm
reports
iSight Partners
reports, API
Card Shops
Stolen card details
Dump = bunch of info together
CCV = organized better
Value of OSINT?
The amount of freely available data is immense, gives a good look at what is happening in the real world, and is growing at a rapid rate.