Cyber Threat Intelligence Midterm Spring 2018 Dr. Li

OSINT Challenges

) everyone has access which devalues it 2) Hard to tell which sources to use 3) hard to collect

Threat Trending

-Model organizations threat landscape -allows to forecast and plan for future - justifies the development of CTI to upper management -incldues: -global threat landscape -local threat landscape

Please explain why an organization must understand its critical assets

-Need to know what to protect based on current threat climate. -Correctly identifying critical assets leads to proper CTI investment and effort -Critical assets are any data/systems that will majorly impact to the organization if breached

Common cyber threats:

-Ransomware -WannaCry -DDOS -Phishing/Spoofing - Social engineering

The 2 STIX Objects

-STIX Domain Objects(SDO) -STIX Relationship Objects (SRO)

Attack Based SDO's

-Threat Actor:Individuals, groups, or organizations believed to be operating with malicious intent. -Campaign:A grouping of adversarial behaviors that describes a set of malicious activities or attacks that occur over a period of time against a specific set of targets. -Intrusion Set :A grouped set of adversarial behaviors and resources with common properties believed to be orchestrated by a single threat actor.

Please identify 3-4 questions which should be answered in the executive summary. What value do each of these questions provide?

-What is the current threat landscape? -How often do organizations suffer security breaches? -How is this changing the strategies that organizations must take to move intocyber threat intelligence? -What are some real data breach costs for organizations?

Why use hacker communities?

-identify threat actors -identify cyberattack tools -identify breaches that arent publicized -identify potential breaches

Top 10 threat trends

-malicious worms -web based attacks -web app / injection attacks -botnets -ddos -spamm -exploit kits -data breach -physical damage/theft/ loss

Global Threat Landscape

-what is going on out there? -How many companies are being attacked? How often? -What are they losing? -How much money are they losing? -How are they being attacked? -How much do organizations spend on security? -Have the amount of attacks increased in the last 12 months? By how much?

Please describe some of the key functionalities of SIEM's.

1) Log collection 2) Log retention 3) User activity monitoring 4) Real time event correlation 5)IT compliance reports 6) File Integrity monitoring 7) Log forensics 8) Dashboards

Please describe 3-5 different types of attack vectors and corresponding IoC's.

1) Unauthorized access - Access Logs 2) Privilege Escalation - Password logs 3) Data Dumping- Database Logs 4) NMap - Network logs

OSINT can show

1) what breaches occurred 2) who is talking about you and how 3) what devices are exposed 4)what tools are being used

Operational Intelligence

Actionable intelligence Course of action Proactive defense Intelligence dissemnation

Value of CTI in IT Organizations Who, What, When, Where, Why, How x 3

Answers: Who is attacking What they want When they attack Where they are from Why they are attacking How they are attacking (TTP) How to recognize them How to mitigage

Who are some of the major providers of commercial intelligence feeds today?

Anubis - real time cyber feed Intel Security/McAfee- cyber threat library FireEye- Blogs, Reports, Attack Databases iSight - Reports, API LogRhythm- Reports

Counter Intelligence

Both external and internal Providing false information to deceive attackers honeypots safely identify tools and methods used by attacker to track attacker

Finished intelligence

Both external and internal finished intelligence ready to be shared commercial data feeds refined, analyzed intelligence

HUMINT

Both external and internal manual research and data collection direct hacker interactions provides very precise and deep knowledge

Carding

Carding shops are a major channel for distributing stolen credit/debit cards. The metadata of stolen cards (risk measure/type, location analysis, pricing structure) allows us to infer useful knowledge to identify emerging threats/targets.

Please describe 2-3 different types of threat actors.

Competitor Hacktivist Vandal Data miner Wreckless employee

Threat Analytics

Cyber kill chain Hacker profiling and tracking Fundamental analytics Visulization

Darknet markets

Darknet marketplaces are commercial websites on the dark web that act as black markets. They can list batch data breaches, malware (keyloggers, SQL injections), hacking tutorials, carding-related products, zero-day attacks.

SIEM process flow

Data collection Extract Intelligence Information Add Value Presentation, Dashboards, and Reports

SIEM Shortcomings

Do not consider external data (OSINT, feeds, etc) Logs and alerts can be expensive to manage Logs can be prone to sabotage SIEM's are difficult to tune Siloed information and processes

LogRhythm data sources

Event logs, network data logs

Open Source Intelligence

External Data that can be collected from the internet or from other CTI companies Public statements, commercial data feeds, social media, exploit feeds Provides comprehensive views of external threat landscape

Ranking critical assets in categories of

Financial Reputational Health Downtime Cost Total

Hacker forums

Hacker forums are an online discussion site where hackers congregate to share hacking knowledge/tools/ideas/tutorials/source code/attachments/hyperlinks

What are some considerations when selecting a SIEM?

How much native support does the SIEM provide for the relevant log sources? Can the SIEM supplement existing logging capabilities? How effectively can the SIEM make use of threat intelligence? What forensic capabilities can the SIEM provide? What features does the SIEM provide that assist in data examination and analysis? How timely, secure, and effective are the sIEM's automated response capabilities? For which security compliance initiatives does SIEM provide built-in reporting support?

Indicator-Based SDOs

Indicator=Contains a pattern that can be used to detect suspicious or malicious cyber activity. Observed Data=Conveys information observed on a system or network (e.g., an IP address).

Major CTI Companies

Intel Security, Mcaffee Threat center FireEye iSight Partners LogRhythm Anubis

CTI LifeCycle

Intelligence Strategy Intelligence Aggregation Threat Analytics Operational Intelligence

Intelligence Aggregation

Intelligence sources Internal Intelligence Open Source intelligence

Internal Intelligence

Internal Data collected from internal cyber assets network logs, dabs logs, ip logs provides info about activies internal to the org

What is the role of internal intelligence in CTI?

Internal intelligence is gathered by utilizing data generated from your own systems. While reactive, it offers significant value: low lead time (timeliness), relevance to critical assets, increases trust, massive amount of information--tune to what you want to see. Provides information about activities internal to an organization.

IRC Channels

Internet Relay Chat (IRC) is an application that facilitates plaintext group communication. Many hacker groups and individuals leverage IRC channels to discuss hacking related activities. IRC data must be collected in real time

CTI is NOT:

Just an automated data feed, waiting for an attack, or cleaning up a breach.

Who are some major SIEM vendors today?

LogRhythm Splunk McAfee Nitro IBM QRadar HP ArcSight

What are some considerations when selecting intelligence feeds?

Need--what type of intelligence does your company need? Specialization--publicly available intelligence feeds tend to specialize in certain aspects of threat intelligence more. Support--commercial data feeds will usually have more support than publicly available Cost--commercial data feeds will usually charge for services

Common Intelligence Sources

OSINT Internal Intelligence HUMINT Counter Intelligence Finished Intelligence

What is the value of intelligence formats in CTI?

OSINT and internal intelligence are the most useful and should be primary source of intelligence. Human intelligence is manual research and collection of data; it achieves deeper levels of intelligence and can extract data from difficult places, but it can be less reliable and may return nothing at all. Counter intelligence deceives the attacker and gives them false information (Honeypot). It is used for defensive analysis, counter espionage, and disinformation.

collective intelligence framework (CIF)

Parsing- take in Normalizing- deduplicate Post processing - derive xtra intel Storing-store Querying- search with APIs Sharing - share Producing-create new data sets

SIEM stands for

Security Information and Event Management coined in 2005 by Gartner's employee Mark Nicole

Diamond Model by Threat Connect

See picture Diamond shape 4 Edges: V.I.C.A victim (personas, network assets, email accounts...etc) infrastructure(IP address, domain name) capabilities (malware, exploit, hacker tool) adversary (attacker persona: email address, handles, phone number,...etc)

CTI is

TIA Timely-catch threats as early as possible Informative-improving threat,attack, and threat actor identification to enable decision making Adaptive- customizing and tuning intel for your organization, not just buying intel feeds

TTP

Tactics Techniques Procedures of how an attack is done

Intelligence Strategy

Threat trending Asset identification Indicators of Compromise (IoC) Threat Modeling Intelligence Buy In

What value does a SIEM have in internal intelligence?

Timeliness, Relevance to critical assets, increases trust, massive amount of info--tune to data you want to see

TTP-Based SDOs

Tool=Legitimate software that can be used by threat actors to perform attacks. Attack Pattern=a type of Tactics, Techniques, and Procedures (TTP) that describes ways threat actors attempt to compromise targets. Malware=A type of TTP, also known as malicious code and malicious software, used to compromise the confidentiality, integrity, or availability of a victim's data or system.

Separation of OSINT-

Traditional: facebook, twitter, pastebin, news sources, shodan Hacker community: forums, IRC channels, carding shops, DarkNet Marketplace

Local Landscape

What is your organization and industry experiencing attack wise?

Intel Security/ McAfee gets data from

anti virus engines

FireEye

blogs, reports, attack databases

Dump

can actually make the fake credit card

CCV

can only make online purchases

SRO

capture the interconnections between each of the domain objects

Intel Security, McAfee Threat Center

cyber threat library

SDO

designed to capture specific info about a particular aspect of an environment (5 major categories: indicator, identity, TTP, attack, incident response

Tradional data sources

facebook twitter pastebin shodan news agencys

FireEye data sources

incident responses, sensors

Anubis gets data from

infected computers, files, and emails

Definition of CTI according to iSight

knowledge about adversaries about their motives/intentions/ methods analyzed and disseminated in ways that help security and business protect critical assets

Shodan search

open devices on internet of things Title HTML Devices Versions

Anubis

real time cyber feed

SRO's

relationship sightings

LogRhythm

reports

iSight Partners

reports, API

Card Shops

stolen card details dump=bunch of info together ccv= organized better

Value of OSINT?

the amount of freely available data is immense, gives a good look at what is happening in the real world, growing at a rapid rate.