Infosec 2015 - Using threat intelligence to improve security response
- 1. Using Threat Intelligence to Improve Security Response
Piers Wilson | Head of Product Management | Huntsman Security
+44 (0) 7800 508517 | piers.wilson@huntsmansecurity.com
www.huntsmansecurity.com | @tier3huntsman
- 2. Setting the Scene
• Threat Intelligence is more than just data
• Examples and applications
• Summary / Benefits
- 3. A Threat Intelligence “eco-system” ...
Applied Security Intelligence draws on:
• “Traditional” log sources – networks, systems, applications, devices
• Vulnerability information – scan information, asset sensitivities, vulnerable platforms
• Geographic information – countries, sites that pose risk, political factors
• Cyber-security/malware/attack context – malware details, network captures
• External threat sources – IP reputation, known bad URLs, phishing sources, C&C sites, botnets, CERTs
• Internal context databases – locations, staff roles, HR systems, physical controls
- 5. Traditional public sources / external “TI”
[Figure: Threat Intelligence derived alerts showing the nature of various connections]
• Externally available threat data source lists
– Botnets, C&C systems, known malware sites, compromised URLs, DLP risks
• Regular updates / scheduled retrieval
• Different sources/feeds used for different purposes
• Detection of:
– Communication with suspicious/risky hosts/domains
– Data exfiltration risks
– Etc...
- 6. Traditional public sources / external “TI”
• Emerging Threats – Raw IP list
– C&C servers (Shadowserver)
– Spam nets (Spamhaus)
– Top Attackers (Dshield)
– Compromised IP addresses
• Abuse.ch
– SSLBL IP Blacklist
– ZeuS Tracker
– Palevo Tracker
– SpyEye Tracker
• Malc0de – IP blacklist
• URLBlacklist.com
• Malware domains
• Threat Expert
• Norse
Plus various commercial sources
- 7. Geo-location Visualisation
[Figure: Geo-location is useful – both external (risky locations) and internal (sensitive sites)]
• Display or reference to GeoIP information
• Risk locations/attack sources used in security decisions
• Additionally WHOIS and DNS information useful
Getting to this information quickly in the decision making process is key
- 8. Defence sector – Real example
• Defence customers are major users of Threat Intelligence
• Intelligence agencies provide threat information to Defence network administrators
• Reference data used to raise real-time alerts of suspicious network traffic
• Information from alerts subsequently adds to their internal threat intelligence reference data
– i.e. Observed incidents create “new” TI that automatically adds to the reference data set
- 9. Internal Security Intelligence
• Creation of bespoke/local Threat Intelligence
– Manual or Automated
• Particular value in MSSPs
– Leverage threat observations across customers
• Better decision making in context of “real”, observed threats
- 10. Government sector use case
• Suspicious network/IP addresses received from intelligence agency
• Post-analyse logs for traffic to/from those addresses
1. Suspicious hosts data set (high risk destinations)
2. Predefined reports use data for analysis
[Figure: Threat intelligence MATCHED WITH Observed activity and traffic]
• Minimal operational workload
• Data automatically updated in the background
• Scheduled, automated, pre-defined processes
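The matching step described in slides 8 and 10 (a reference data set of suspicious addresses applied to traffic logs, with confirmed observations fed back into the set), as an added Python example that is not part of the original deck or of any Huntsman product; the log line format, indicator values, category names and feed names are constructed assumptions.

```python
import ipaddress
import re

# Constructed reference data set (made-up values): indicator -> (category, source).
REFERENCE = {
    "198.51.100.23": ("c2", "agency-list"),
    "203.0.113.0/24": ("spam-net", "public-feed"),
}

# Constructed firewall-style log lines in a hypothetical key=value format.
LOGS = [
    "2015-06-02T10:01:03Z src=10.0.0.5 dst=198.51.100.23 dport=443 action=allow",
    "2015-06-02T10:01:09Z src=10.0.0.7 dst=192.0.2.10 dport=80 action=allow",
    "2015-06-02T10:02:41Z src=10.0.0.5 dst=203.0.113.77 dport=25 action=deny",
    "2015-06-02T10:03:00Z src=10.0.0.9 dst=10.0.0.1 dport=53 action=allow",
]

LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def compile_reference(reference):
    """Parse indicators once; a malformed indicator fails here, not per log line."""
    return [(ipaddress.ip_network(ind, strict=False), cat, src)
            for ind, (cat, src) in reference.items()]


def match_logs(lines, compiled):
    """Return one hit per address (src or dst) that falls inside a reference indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src_ip, dst_ip, dport = m.group(1), m.group(2), int(m.group(3))
        for direction, addr, peer in (("dst", dst_ip, src_ip), ("src", src_ip, dst_ip)):
            try:
                ip = ipaddress.ip_address(addr)
            except ValueError:  # hostnames or garbage never match an IP indicator
                continue
            for net, cat, src in compiled:
                if ip in net:
                    hits.append({"direction": direction, "peer": peer, "dport": dport,
                                 "indicator": str(net), "category": cat, "source": src})
                    break  # first matching indicator is enough for this address
    return hits


def add_observation(reference, indicator, category, source="internal-observation"):
    """Feedback loop from the Defence example: a confirmed incident becomes new TI."""
    ipaddress.ip_network(indicator, strict=False)  # reject malformed indicators early
    updated = dict(reference)
    updated[indicator] = (category, source)
    return updated
```

Running `match_logs(LOGS, compile_reference(REFERENCE))` flags two of the four constructed lines; adding the observed destination 192.0.2.10 with `add_observation` makes the next scheduled run flag a third.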
- 11. Detection and Resolution
Apply Security Intelligence during resolution
• When an attack occurs, specific information relating to the threat is vital
• More than just log/event/activity data
– System configurations/registry
– Changes to affected system files
– Network traffic/connections
– Other behaviour
• Malware – specific example
– Network sessions/connection patterns
– Known effects of specific malware activity within file system and registry
- 13. Applying Security Intelligence
• Meaningful threat intelligence involves all available security data – internal and external – to give context
• Automatic identification of known attacks and threats needs to happen in real-time
• Intelligence is vital both for detection AND during the diagnosis and investigation of cyber attacks
• Dealing with false positives efficiently means having processes and tools that rapidly provide understanding of threats and confident resolution
Speed and Accuracy are key to Cyber Resilience