Presentation is loading. Please wait.

Presentation is loading. Please wait.

Let Espionage Drive Your Security

Published byHilary Austin Modified over 9 years ago

Similar presentations

Presentation on theme: "Let Espionage Drive Your Security"— Presentation transcript:

1 Let Espionage Drive Your Security
Applying Intel Agency Tradecraft and best practices to maximize your enterprise cyber security Steven Bay

2 The Problem We get hacked … But we can’t do anything in retaliation. There is little we can do to make it painful for the hackers We can’t hack back Attribution is hard and never exact We can’t prosecute (mostly) We can’t freeze bank accounts (we’re not the government)

3 So we build a “Castle on a Hill”
Active defense is our only option: Firewalls Multi-Tiered Networks IDS and Monitoring Systems Security Operations Analytics DLP / Encryption But this gets us no closer to knowing what’s coming or how to prepare. Spis Castle, Slovakia. It’s incredible.

4 Intelligence is key: Know your enemy
Where is your organization? Do you know your networks? Do you see what is going on? Do you know who the largest threats are to your org? Do you know what malware is out there that is likely to affect you? Are your employees trained? Do they know what to look for? What are the trends in hacking? How are attackers operating?

5 How do we know our enemy? We must think like them.
If you were the adversary, how would you hack into the network? How would you get the information you need? Starting with that in mind, you can build an intel program that fits your organization’s goals and budget The key is applying best intelligence practices learned from the Intelligence Community married with corporate information security

6 Who/what is your biggest threat?
Insider Threat: A common threat Malicious Intent Unwitting user External: Threat depends on your company/industry Your intel capability must include internal data. Your intel team must be synced with the SOC.

7 APT Espionage Driven Want your IC China is the major player
Do you have anything of value to them? Financially Driven Want your company’s $$, your customer’s $$, and anything they can monetize Driven by a Cause Loud, want attention. Seek to embarrass your company or make you less desirable to consumers APT CyberCrime Hacktivism Advanced Tech Pharma / Health Financial Services Defense Energy Retail Services (Consumer) Financial Services Health Defense Police Oil & Gas Counter to a Cause Large Corporations

8 Opinions and approaches to intel
CTI is trendy Newly required by many regulatory and standards bodies Some think it’s a waste of money or see little return from it But it’s only as good as the People, Data, Processes, and Technology you have Company 1 Company 2 Company 3 Company 4 Company 5 No Intel capability, not even security operations! 2 Intel Staff; Staff came out of security team; no intel background Only source is the ISAC and whatever hits the news No integration with InfoSec team 2 Intel staff 1 tech expert, 1 Intel Analyst Feed IOCs to SOC Monthly Intel Product Limited Integration Vendor Data sources 5 Intel Staff Mix of tech experts and Intel experts Produce various intel products Employ tradecraft Multi-sourced Collaboration with various teams 15 Intel staff Intel driven CSIRT 24/7 integration with SOC Advanced tradecraft Multi-Sourced Advanced tech analysis Threat focused analysis Multiple products

9 Intelligence Best Practices + Corporate Enterprise
Priority Intelligence Requirements Analytic Tradecraft Collection Management & Data Sources Intel Driven Security Operations Effective IOC Processing Invested Leadership Team Composition Knowledge Management “Covering Analyst Program” Metrics and Justifying Your Existence

10 Intelligence Life Cycle
Planning and Direction: Invested Leadership, Priority Intel Requirements, Governance Collection: External and Internal Data Sources, Collection Management. Raw data gathering Processing: Processes in place to make data usable. E.g. IOCs ingested into SIEM Analysis and Production: Analyzing and documenting information and turning it into actionable intelligence through production of products. Dissemination: Useful and actionable products are sent to the correct customers with an effective feedback loop. Collection Processing Analysis and Production Dissemination Planning and Direction U.S. Intelligence Community Developed: Process is simple and equally applies to corporate intelligence capabilities

11 Military Decision Making Process “Information Preparation of the Battlefield”
To think like the enemy and be prepared for attacks, an intel team must be equipped with as much info as possible. It should have: Asset Inventory (incl Hardware, Applications, IP addresses, device names, VLANs, etc. Network Maps Ingress/Egress points Details of externally facing / DMZ devices and apps Access to SIEM / Security Logs

12 Commander’s Critical Information Requirements (CCIR)
CCIRs translate to everything the CISO needs to know to protect the Enterprise PIRs = Essential to an effective Intel team FFIRs = What does your enterprise network and security infrastructure look like? What are your security capabilities? Etc. EEFI = What is your attack surface that is discoverable by the adversary? Vulnerabilities?

13 Priority Intelligence Requirements
Critical Element CISO and Senior Leadership Determine what is essential to know to protect the enterprise Must be prioritized ALL work performed by CTI team addresses one or more of the PIRs, otherwise don’t waste time doing it PIRs can focus on threat actors, malware, industry events, and anything else that falls within the Cybersecurity Domain. Beware of scope-creep

14 Cyber Specific Analytic Tradecraft
Adversary Infrastructure Capabilities Victim Diamond Model of Intrusion Analysis: Ideal for categorizing seemingly disparate threats and attribution Recon Weaponize Deliver Exploit Install C&C Actions on Target The Cyber Kill Chain: ideal for analyzing attacks from an adversarial points of view and for identifying gaps in detection, prevention, and security controls.

15 Common Analytic Tradecraft
Analysis of Competing Hypotheses (ACH) Identification of alternative explanations (hypotheses) and evaluation of all evidence that will disconfirm rather than confirm hypotheses. Devil’s Advocacy Challenging a single, strongly held view or consensus by building the best possible case for an alternative explanation Outside-In Thinking To identify the full range of basic forces, factors, and trends that would indirectly shape an issue Red Team Analysis Models the behavior of an individual or group by trying to replicate how an adversary would think about an issue Goal is to prevent bias and produce ACCURATE intelligence Never produce a product based on what you think someone wants to hear.

16 Collection Management & Data Sources
Sample Intel Providers Sample Intel Tools You don’t need every vendor and you don’t need every tool Determine what works best for your team. Each vendor produces slightly different intel; some will tailor collection; some focus on deep web CM monitors value of each through metrics and drops what they don’t need Perform Open Source research: RSS, Twitter, Reddit, PasteBin, VirusTotal…

17 Intel Driven Security Operations
You will never optimize your CSIRT/SOC without an intelligence feedback loop. There are too many IOCs and most of them are old. Constantly looking outward, Intel identifies the most pertinent threats to the enterprise and obtains the latest indicators. Intel feeds these to the SOC for monitoring and alerting Incidents are addressed by the SOC, Intel provides context SOC provides Intel with current incidents to drive intel collection Put an Intel guy in your SOC and have a strong partnership with Vulnerability Management Often Intel Folks may be a little better communicators due to a liberal arts background, so feeding comms through intel may be valuable Perceived risks; threat priorities Alerts; anomalies; Significant events Vuln. Exceptions; Vuln scans Strategic Risk Priorities Operational security related Issues Feedback; Trends Exec. Threat Memo Indicator Processing Vuln. Reports Weekly Summary RFI RFI Monthly Metrics SOC Enrichment Quarterly Briefing CISO SOC Vuln Mgmt Risk Mgmt Corporate Ops Business Continuity Qualys; Knowledge Store; API; SIEM; Knowledge Store; Meetings; Cyber Intel

18 Example: Phishing Option 1: Simply remove Email Result:
Received: from abclniron01-ext.ABCD.com ([## ]) by abclnexbh01.resource.ds.ABCD.com with Microsoft SMTPSVC( );   Fri, 16 Jan :01: Received: from espresso.XXXXX.edu ([## ])   by abclniron01-ext.ABCD.com with ESMTP; Fri, 16 Jan :01: Received: from webmail2.XXXXX.edu (webmail2.XXXXXX.edu [## ])   by espresso.XXXXX.edu (Sad Mail Daemon) with ESMTP id 760A11404B90;   Sat, 17 Jan :01: (GMT) Received: from XXX    (SquirrelMail authenticated user spruce2)         by webmail2.XXXXXX.edu with HTTP;         Fri, 16 Jan :01: (EST) Message-ID: Date: Fri, 16 Jan :01: (EST) Subject: RE: GIS Distance Learning From: To:  “Utes, Chad" User-Agent: SquirrelMail/1.4.9a MIME-Version: 1.0 Option 1: Simply remove Result: Threat gone. No valuable information gathered Option 2: Share with Intel then remove Result: Threat gone. New leads for bad stuff: IP Addresses Domain Names User Names Addresses Mail Servers Perform Intel Analysis on these, run through Maltego, and find more indicators. Feed valid indicators into SIEM.

19 IOC Vetting and Processing
IOCs seem easy and like low-hanging fruit, but they’re not! Yes, you can API them into your SIEM from multiple vendors But if you do too many you’ll… Flood your SOC with Alerts Have a high Percentage of false positives Overwhelm your intel analysts But if you have too few you risk missing important events Recommendations: Confirm how the vendor vets the IOCs before ingestion. Develop a semi-automated vetting process Age off IP addresses and domains after days, but keep a knowledge store Ignore IOCs for threats that likely won’t target you

20 Conclusion Military/Government intel is not the end-all be-all for intelligence, but there are many strategies that have been tested and proven that can improve processes, efficiencies, and overall intelligence quality if adopted into a corporate environment. THANK YOU! Steven Bay or Add me on LinkedIn

Download ppt "Let Espionage Drive Your Security"

Similar presentations

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.

1© Copyright 2011 EMC Corporation. All rights reserved. The Future of the Advance Soc 3rd Annual Privacy, Access and Security Congress, Ottawa, 2012 Mike.
Chapter 1 Business Driven Technology

Chapter 1 Business Driven Technology
1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.

1© Copyright 2011 EMC Corporation. All rights reserved. Anatomy of an Attack.
Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident.

Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident.
Classification The Threat Environment Joyce Corell, NCSC Assistant Director for Supply Chain National Defense Industrial Association Global Supply Chain.

Classification The Threat Environment Joyce Corell, NCSC Assistant Director for Supply Chain National Defense Industrial Association Global Supply Chain.
Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –

Introducing WatchGuard Dimension. Oceans of Log Data The 3 Dimensions of Big Data Volume –“Log Everything - Storage is Cheap” –Becomes too much data –
Self-Service Business Intelligence for the Product Management Department (Concurrency Corporation)

Self-Service Business Intelligence for the Product Management Department (Concurrency Corporation)
Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014.

Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.

Brian Bradley.  Data is any type of stored digital information.  Security is about the protection of assets.  Prevention: measures taken to protect.
IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.

IT Security Readings A summary of Management's Role in Information Security in a Cyber Economy and The Myth of Secure Computing.
Network security policy: best practices

Network security policy: best practices
Privileged and Confidential Strategic Approach to Asset Management Presented to October 2004 2004 Urban Water Council Regional Seminar.

Privileged and Confidential Strategic Approach to Asset Management Presented to October Urban Water Council Regional Seminar.
Introduction to Network Defense

Introduction to Network Defense
© 2004-2014. Centrify Corporation. All Rights Reserved. Unified Identity Management across Data Center, Cloud and Mobile.

© Centrify Corporation. All Rights Reserved. Unified Identity Management across Data Center, Cloud and Mobile.
SEC835 Database and Web application security Information Security Architecture.

SEC835 Database and Web application security Information Security Architecture.
InformationWeek 2014 Strategic Security Survey Research Findings © 2014 Property of UBM Tech; All Rights Reserved.

InformationWeek 2014 Strategic Security Survey Research Findings © 2014 Property of UBM Tech; All Rights Reserved.
UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.

UNDERSTANDING THE RISKS & CHALLENGES OF Cyber Security DAVID NIMMO InDepth IT Solutions DAVID HIGGINS WatchGuard NEIL PARKER BridgePoint Group A BridgePoint.
Did You Hear That Alarm? The impacts of hitting the information security snooze button.

Did You Hear That Alarm? The impacts of hitting the information security snooze button.
Staying Ahead of the Curve in Cyber Security Bill Chang CEO, SingTel Group Enterprise.

Staying Ahead of the Curve in Cyber Security Bill Chang CEO, SingTel Group Enterprise.

Similar presentations

Ads by Google