Making Threat Data Intelligent
Applied Security Intelligence
March 2015 – Piers Wilson
Setting the scene
•  Threat Intelligence is more than just data
•  Examples and applications
•  Summary / Benefits
A Threat Intelligence “eco-system” ...
[Diagram: the following sources feed into Applied Security Intelligence]
•  “Traditional” log sources – networks, systems, applications, devices
•  Vulnerability information – scan information, asset sensitivities, vulnerable platforms
•  Geographic information – countries, sites that pose risk, political factors
•  Cyber-security/malware/attack context – malware details, network captures
•  External threat sources – IP reputation, known bad URLs, phishing sources, C&C sites, botnets, CERTs
•  Internal context databases – locations, staff roles, HR systems, physical controls
Real Threat Intelligence Examples
Traditional public sources / external “TI”
•  Externally available threat data source lists
–  Botnets, C&C systems, known malware sites, compromised URLs, DLP risks
•  Regular updates / scheduled retrieval
•  Different sources/feeds used for different purposes
•  Detection of:
–  Communication with suspicious/risky hosts/domains
–  Data exfiltration risks
–  Etc...
© 2015 Tier-3 Pty Limited. All rights reserved.
Traditional public sources / external “TI”
•  Emerging Threats – Raw IP list
–  C&C servers (Shadowserver)
–  Spam nets (Spamhaus)
–  Top Attackers (Dshield)
–  Compromised IP addresses
•  Abuse.ch
–  SSLBL IP Blacklist
–  ZeuS Tracker
–  Palevo Tracker
–  SpyEye Tracker
•  Malc0de – IP blacklist
•  URLBlacklist.com
•  Malware domains
•  Threat Expert
Plus various commercial sources
Geo-location Visualisation
•  Display or reference to GeoIP information
•  Risk locations/attack sources used in security decisions
•  Additionally WHOIS and DNS information useful
Getting to this information quickly in the decision making process is key
Defence sector – Real example
•  Defence customers are major users of Threat Intelligence
•  Intelligence agencies provide threat information to Defence network administrators
•  Reference data used to raise real-time alerts of suspicious network traffic
•  Information from alerts subsequently adds to their internal threat intelligence reference data
–  i.e. Observed incidents create “new” TI that automatically adds to the reference data set
Internal Security Intelligence
•  Creation of bespoke/local Threat Intelligence
–  Manual or Automated
•  Particular value in MSSPs
–  Leverage threat observations across customers
•  Better decision making in context of “real”, observed threats
Government sector
•  Suspicious network/IP addresses received from intelligence agency
•  Post-analyse logs for traffic to/from those addresses
1.  Suspicious hosts data set (high risk destinations)
2.  Predefined reports use data for analysis
•  Threat intelligence MATCHED WITH Observed activity and traffic
•  Minimal operational workload
–  Data automatically updated in the background
–  Scheduled, automated, pre-defined processes
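The matching step on this slide (a suspicious-hosts data set post-analysed against traffic logs, to and from) and the feedback loop on the Defence slide (observed incidents adding to the reference data set), as an added Python example; it is not code from the deck or from Huntsman/Tier-3, and the indicator values, log lines and incident reference are constructed.

```python
import ipaddress

# Constructed reference data set (sample values, not a real agency feed):
# indicator -> provenance. Ranges are allowed alongside single hosts.
SUSPICIOUS_HOSTS = {
    "198.51.100.23": {"source": "agency-feed", "first_seen": "2015-03-01"},
    "203.0.113.0/24": {"source": "agency-feed", "first_seen": "2015-03-01"},
}

# Constructed firewall log lines: "<timestamp> <src> <dst> <bytes>".
LOG_LINES = [
    "2015-03-10T09:12:01 10.0.0.5 198.51.100.23 5120",
    "2015-03-10T09:12:07 10.0.0.9 93.184.216.34 740",
    "2015-03-10T09:13:44 203.0.113.77 10.0.0.5 88",
    "2015-03-10T09:14:02 10.0.0.5 203.0.113.201 99000",
]

def compile_refs(refs):
    """Parse indicators once, so each log field is a cheap membership test."""
    return [(ipaddress.ip_network(i, strict=False), m) for i, m in refs.items()]

def match_logs(log_lines, refs):
    """Post-analyse logs: one alert per log field (src or dst) inside a reference
    indicator. Direction is kept because traffic 'to' and 'from' triage differently."""
    nets = compile_refs(refs)
    alerts = []
    for line in log_lines:
        ts, src, dst, nbytes = line.split()
        for role, value in (("src", src), ("dst", dst)):
            addr = ipaddress.ip_address(value)
            for net, meta in nets:
                if addr in net:
                    alerts.append({
                        "time": ts,
                        "direction": "inbound" if role == "src" else "outbound",
                        "internal": dst if role == "src" else src,
                        "external": value,
                        "indicator": str(net),
                        "source": meta["source"],
                        "bytes": int(nbytes),
                    })
    return alerts

def add_observation(refs, address, incident, date):
    """Observed incidents create new TI: record a host confirmed during investigation,
    with provenance, so the next scheduled run matches it. Existing entries are kept."""
    key = str(ipaddress.ip_address(address))  # rejects malformed input
    refs.setdefault(key, {"source": "observed:" + incident, "first_seen": date})
    return refs
```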
Detection leads to Resolution
Apply Security Intelligence during resolution
•  When an attack occurs, specific information relating to the threat is vital
•  More than just log data
–  System configurations/registry
–  Changes to affected system files
–  Network traffic/connections
–  Other behaviour
•  Malware - Specific examples
–  Network sessions/connection patterns
–  Known effects of specific malware activity within file system and registry
Summary
Applied Security Intelligence
•  Derive meaningful threat intelligence from all available security data
•  Better context during triage, diagnosis and investigation
•  Confident exclusion of false positives
•  Automatically identify real attacks and known threats
•  Increase speed and accuracy of detection
piers.wilson@huntsmansecurity.com
+44 (0) 7800 508517
www.huntsmansecurity.com
www.tier-3.com
@tier3huntsman
Questions
:60 seconds
The new way to deal with cyber threats
www.huntsmansecurity.com