Huntsman - Threat intelligence (for IAP2015)
- 2. Setting the scene
• Threat Intelligence is more than just data
• Examples and applications
• Summary / Benefits
- 3. A Threat Intelligence “eco-system” ...
[Figure: “Applied Security Intelligence” at the centre, fed by six surrounding source types]
• “Traditional” log sources – networks, systems, applications, devices
• Vulnerability information – scan information, asset sensitivities, vulnerable platforms
• Geographic information – countries, sites that pose risk, political factors
• Cyber-security/malware/attack context – malware details, network captures
• External threat sources – IP reputation, known bad URLs, phishing sources, C&C sites, botnets, CERTs
• Internal context databases – locations, staff roles, HR systems, physical controls
- 5. Traditional public sources / external “TI”
• Externally available threat data source lists
– Botnets, C&C systems, known malware sites, compromised URLs, DLP risks
• Regular updates / scheduled retrieval
• Different sources/feeds used for different purposes
• Detection of:
– Communication with suspicious/risky hosts/domains
– Data exfiltration risks
– Etc...
© 2015 Tier-3 Pty Limited. All rights reserved.
- 6. Traditional public sources / external “TI”
• Emerging Threats – raw IP list
– C&C servers (Shadowserver)
– Spam nets (Spamhaus)
– Top attackers (DShield)
– Compromised IP addresses
• Abuse.ch
– SSLBL IP blacklist
– ZeuS Tracker
– Palevo Tracker
– SpyEye Tracker
• Malc0de – IP blacklist
• URLBlacklist.com
• Malware domains
• Threat Expert
Plus various commercial sources
- 7. Geo-location visualisation
• Display of, or reference to, GeoIP information
• Risk locations/attack sources used in security decisions
• WHOIS and DNS information are also useful
Getting to this information quickly in the decision-making process is key
- 8. Defence sector – real example
• Defence customers are major users of Threat Intelligence
• Intelligence agencies provide threat information to Defence network administrators
• Reference data is used to raise real-time alerts on suspicious network traffic
• Information from alerts subsequently adds to their internal threat intelligence reference data
– i.e. observed incidents create “new” TI that is automatically added to the reference data set
- 9. Internal Security Intelligence
• Creation of bespoke/local Threat Intelligence
– Manual or automated
• Particular value for MSSPs
– Leverage threat observations across customers
• Better decision making in the context of “real”, observed threats
- 10. Government sector
• Suspicious network/IP addresses received from an intelligence agency
• Post-analyse logs for traffic to/from those addresses
1. Suspicious hosts data set (high-risk destinations)
2. Predefined reports use the data for analysis
• Threat intelligence MATCHED WITH observed activity and traffic
• Minimal operational workload
– Data automatically updated in the background
– Scheduled, automated, pre-defined processes
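The workflow the slides above describe, as an added Python example that is not Huntsman or Tier-3 code: external block lists are parsed (slides 5 and 6), observed traffic is matched against them and reported (slide 10), and an observed incident creates new local intelligence that the next match run uses (slide 8). The feed names, indicator values, log lines and the 10 MiB exfiltration threshold are all constructed assumptions for the demonstration; in production the feed text would be fetched on a schedule rather than embedded.

```python
"""Added example (not Huntsman/Tier-3 code): match logs against TI feeds and learn from hits."""
import ipaddress
import re
from collections import defaultdict

# Constructed feeds in the usual "one indicator per line, # comments" layout.
FEEDS = {
    "et-cnc": ("C&C servers", "# constructed raw IP list\n203.0.113.7\n203.0.113.9\n"),
    "dshield-top": ("Top attackers", "198.51.100.0/24  # constructed CIDR entry\n"),
    "malware-domains": ("Malware domains", "bad.example\nupdate.evil.example\n"),
}
# Constructed firewall-style log lines: ts src dst dport bytes_out [host]
LOG_LINES = [
    "2015-03-02T10:00:01 10.1.2.3 203.0.113.7 443 512",
    "2015-03-02T10:00:05 10.1.2.4 93.184.216.34 80 120",
    "2015-03-02T10:01:10 10.1.2.3 198.51.100.77 22 90",
    "2015-03-02T10:02:00 10.1.2.5 203.0.113.7 443 20480000",
    "2015-03-02T10:03:00 10.1.2.6 192.0.2.10 80 300 update.evil.example",
]
FOLLOWUP_LOG = ["2015-03-03T09:00:00 10.1.2.9 192.0.2.10 80 250"]  # IP only, next day
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<dport>\d+) "
                    r"(?P<bytes>\d+)(?: (?P<host>\S+))?$")
EXFIL_BYTES = 10 * 1024 * 1024  # assumed: this much sent to a flagged host is an exfil risk


class IndicatorSet:
    """IP, CIDR and domain indicators, each tagged with (source feed, category)."""
    def __init__(self):
        self.ips = defaultdict(set)      # "203.0.113.7" -> {(source, category)}
        self.nets = []                   # [(ip_network, source, category)]
        self.domains = defaultdict(set)  # "bad.example" -> {(source, category)}

    def add(self, value, source, category):
        try:
            net = ipaddress.ip_network(value, strict=False)
        except ValueError:               # neither address nor prefix: a domain name
            self.domains[value.lower().rstrip(".")].add((source, category))
            return
        if net.num_addresses == 1:
            self.ips[str(net.network_address)].add((source, category))
        else:
            self.nets.append((net, source, category))

    def load_feed(self, source, category, text):
        for line in text.splitlines():   # drop '#' comments and blank lines
            entry = line.split("#", 1)[0].strip()
            if entry:
                self.add(entry, source, category)

    def lookup_ip(self, ip):
        addr = ipaddress.ip_address(ip)
        hits = set(self.ips.get(ip, ()))
        hits.update((s, c) for net, s, c in self.nets if addr in net)
        return hits

    def lookup_domain(self, name):
        return set(self.domains.get(name.lower().rstrip("."), ()))


def match_logs(lines, external, internal):
    """One hit per log line whose destination IP or hostname matches an indicator.
    A flagged domain resolving to an IP that no feed lists adds that IP to
    `internal`: the observed incident becomes new, locally created TI."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                     # unparseable line: skip it, keep going
        rec = m.groupdict()
        ip_tags, dom_tags = set(), set()
        for ind in (external, internal):
            ip_tags |= ind.lookup_ip(rec["dst"])
            if rec["host"]:
                dom_tags |= ind.lookup_domain(rec["host"])
        if not ip_tags and not dom_tags:
            continue
        risks = {cat for _, cat in ip_tags | dom_tags}
        if int(rec["bytes"]) >= EXFIL_BYTES:
            risks.add("data exfiltration risk")
        hits.append({"ts": rec["ts"], "src": rec["src"], "dst": rec["dst"], "host": rec["host"],
                     "risks": sorted(risks), "sources": sorted({s for s, _ in ip_tags | dom_tags})})
        if dom_tags and not ip_tags:
            internal.add(rec["dst"], "observed-incident", "IP resolved from flagged domain")
    return hits


def summarise(hits):
    by_source = defaultdict(set)         # predefined report: feed -> internal hosts seen
    for h in hits:
        for s in h["sources"]:
            by_source[s].add(h["src"])
    return {s: sorted(v) for s, v in by_source.items()}


def run(log_lines, followup_lines):
    external = IndicatorSet()
    for source, (category, text) in FEEDS.items():
        external.load_feed(source, category, text)
    internal = IndicatorSet()            # locally created TI, empty to begin with
    first = match_logs(log_lines, external, internal)
    return first, match_logs(followup_lines, external, internal), internal
```

`run(LOG_LINES, FOLLOWUP_LOG)` returns the first-pass hits, the follow-up hits and the internal indicator set. The follow-up line carries no hostname and appears in no external feed; it matches only because the earlier hit on `update.evil.example` recorded the IP it resolved to as internal intelligence. Each hit also keeps the name of the feed that produced it, so the “different feeds for different purposes” point carries through to the report: a `dshield-top` hit (traffic to a known attacker) can be triaged differently from an `et-cnc` hit with a large upload.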
- 11. Detection leads to resolution
Apply Security Intelligence during resolution
• When an attack occurs, specific information relating to the threat is vital
• More than just log data
– System configurations/registry
– Changes to affected system files
– Network traffic/connections
– Other behaviour
• Malware – specific examples
– Network sessions/connection patterns
– Known effects of specific malware activity within the file system and registry
- 13. Applied Security Intelligence
• Derive meaningful threat intelligence from all available security data
• Better context during triage, diagnosis and investigation
• Confident exclusion of false positives
• Automatically identify real attacks and known threats
• Increase speed and accuracy of detection