Using Threat Intelligence to Improve Security Response
Piers Wilson | Head of Product Management | Huntsman Security
+44 (0) 7800 508517 | piers.wilson@huntsmansecurity.com
www.huntsmansecurity.com | @tier3huntsman
Setting the Scene
• Threat Intelligence is more than just data
• Examples and applications
• Summary / Benefits
A Threat Intelligence “eco-system” ...
Applied Security Intelligence (the centre of the diagram) is fed by:
• “Traditional” Log Sources – networks, systems, applications, devices
• Vulnerability information – scan information, asset sensitivities, vulnerable platforms
• Geographic information – countries, sites that pose risk, political factors
• Cyber-security/malware/attack context – malware details, network captures
• External threat sources – IP reputation, known bad URLs, phishing sources, C&C sites, botnets, CERTs
• Internal context databases – locations, staff roles, HR systems, physical controls
Real Threat Intelligence Examples
Threat Intelligence derived alerts showing the nature of various connections
Traditional public sources / external “TI”
• Externally available threat data source lists
– Botnets, C&C systems, known malware sites, compromised URLs, DLP risks
• Regular updates / scheduled retrieval
• Different sources/feeds used for different purposes
• Detection of:
– Communication with suspicious/risky hosts/domains
– Data exfiltration risks
– Etc...
Traditional public sources / external “TI”
• Emerging Threats – Raw IP list
– C&C servers (Shadowserver)
– Spam nets (Spamhaus)
– Top Attackers (DShield)
– Compromised IP addresses
• Abuse.ch
– SSLBL IP Blacklist
– ZeuS Tracker
– Palevo Tracker
– SpyEye Tracker
• Malc0de – IP blacklist
• URLBlacklist.com
• Malware domains
• Threat Expert
• Norse
Plus various commercial sources
(This list reflects the feeds available in 2015; several of them, the abuse.ch ZeuS, Palevo and SpyEye trackers among them, have since been retired, so confirm a feed is still maintained before scheduling retrieval from it.)
Geo-location is useful – both external (risky locations) and internal (sensitive sites)
Geo-location Visualisation
• Display or reference to GeoIP information
• Risk locations/attack sources used in security decisions
• WHOIS and DNS information are also useful
Getting to this information quickly in the decision making process is key
Defence sector – Real example
• Defence customers are major users of Threat Intelligence
• Intelligence agencies provide threat information to Defence network administrators
• Reference data used to raise real-time alerts of suspicious network traffic
• Information from alerts subsequently adds to their internal threat intelligence reference data
– i.e. Observed incidents create “new” TI that is automatically added to the reference data set
Internal Security Intelligence
• Creation of bespoke/local Threat Intelligence
– Manual or Automated
• Particular value in MSSPs
– Leverage threat observations across customers
• Better decision making in context of “real”, observed threats
Government sector use case
• Suspicious network/IP addresses received from intelligence agency
• Post-analyse logs for traffic to/from those addresses
1. Suspicious hosts data set (high risk destinations)
2. Predefined reports use data for analysis
Threat intelligence MATCHED WITH Observed activity and traffic
• Minimal operational workload
• Data automatically updated in the background
• Scheduled, automated, pre-defined processes
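The two public-sector slides above describe the same pipeline: a reference set of suspicious addresses arrives from an agency, is matched against observed traffic on a schedule, and confirmed observations are fed back into a local reference set. The following is an added example of that pipeline, not code from the original slides or from Huntsman's product. The feed format, the log line format, the site names, the RFC 5737 addresses and the log lines themselves are all constructed for the example; the "feedback" step implements one reading of "observed incidents create new TI", namely that the other external peers of an internal host that matched the feed become candidate indicators for review.

```python
"""Match an external threat-intelligence reference set against observed
traffic, grade hits with internal context, and feed what was observed back
into a local reference set (example code, not the vendor's product)."""
import ipaddress
import re

# Constructed indicator feed in the shape an agency or public list supplies:
# one indicator per line, '#' comments, CIDR ranges allowed. Not a real list.
EXTERNAL_FEED = """
# constructed-example-feed
198.51.100.23        # C&C server
203.0.113.0/24       # compromised hosting range
evil-update.example  # malware download domain
"""

# Constructed internal context: sites that hold sensitive assets.
SENSITIVE_SITES = {"HQ"}

# Constructed firewall/proxy log lines (RFC 5737 documentation addresses).
LOG_LINES = [
    "2015-06-02T09:14:05Z fw01 allow src=10.20.1.15 dst=198.51.100.23 dport=443 site=HQ",
    "2015-06-02T09:14:09Z proxy01 allow src=10.20.1.15 host=evil-update.example dst=203.0.113.77 dport=80 site=HQ",
    "2015-06-02T09:15:30Z fw01 allow src=10.30.7.8 dst=192.0.2.44 dport=443 site=LAB",
    "2015-06-02T09:16:02Z fw01 allow src=10.30.7.8 dst=203.0.113.9 dport=8443 site=LAB",
]

LOG_RE = re.compile(r"(?P<ts>\S+) (?P<dev>\S+) (?P<action>\S+) (?P<kv>.*)")


def parse_feed(text):
    """Split a feed into (networks, domains). Anything that is not an IP or
    CIDR is treated as a domain; blank and comment lines are skipped."""
    networks, domains = [], set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            domains.add(line.lower().rstrip("."))
    return networks, domains


def parse_log(line):
    """Turn one 'ts device action k=v ...' line into a dict, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "device": m["dev"], "action": m["action"]}
    for kv in m["kv"].split():
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def ip_in(networks, addr):
    """The first network containing addr, or None (also for non-IP input)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    return next((net for net in networks if ip in net), None)


def match_events(lines, networks, domains):
    """Alert on every event whose peer address or host name is in the
    reference set; severity comes from the internal site context."""
    alerts = []
    for line in lines:
        event = parse_log(line)
        if event is None:
            continue
        hits = []
        for key in ("src", "dst"):
            net = ip_in(networks, event.get(key, ""))
            if net is not None:
                hits.append(f"{key}={event[key]} in {net}")
        host = event.get("host", "").lower().rstrip(".")
        if host and (host in domains or any(host.endswith("." + d) for d in domains)):
            hits.append(f"host={host}")
        if hits:
            severity = "high" if event.get("site") in SENSITIVE_SITES else "medium"
            alerts.append({"event": event, "hits": hits, "severity": severity})
    return alerts


def learn_from_alerts(lines, alerts, networks):
    """Feedback loop: other external peers of internal hosts that matched the
    feed, and are not yet in the reference set, become candidate indicators."""
    compromised = {a["event"]["src"] for a in alerts}
    candidates = {}
    for line in lines:
        event = parse_log(line)
        if event and event.get("src") in compromised:
            dst = event.get("dst", "")
            if dst and ip_in(networks, dst) is None:
                candidates.setdefault(dst, set()).add(event["src"])
    return candidates


def run(lines=LOG_LINES, feed=EXTERNAL_FEED):
    networks, domains = parse_feed(feed)
    alerts = match_events(lines, networks, domains)
    return alerts, learn_from_alerts(lines, alerts, networks)


if __name__ == "__main__":
    found, new_indicators = run()
    for a in found:
        print(a["severity"], a["event"]["ts"], "; ".join(a["hits"]))
    print("candidate indicators from observation:", new_indicators)
```

The candidate indicators are deliberately kept apart from the agency feed: they are observations, not confirmed intelligence, and in an MSSP setting they would be reviewed (and their confidence tracked) before being promoted into the shared reference set used for real-time alerting.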
Detection and Resolution
Apply Security Intelligence during resolution
• When an attack occurs, specific information relating to the threat is vital
• More than just log/event/activity data
– System configurations/registry
– Changes to affected system files
– Network traffic/connections
– Other behaviour
• Malware – Specific example
– Network sessions/connection patterns
– Known effects of specific malware activity within the file system and registry
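As an added example of the malware case just described (not code from the slides or from the vendor), the block below triages a host against a malware profile that records the family's known effects: file hashes and drop paths, a registry autorun entry, and a beaconing interval for its connection pattern. The malware family, the profile, the host file and registry snapshot and the connection timestamps are all constructed; the hash in the profile is computed from the constructed dropper bytes so that the example is self-consistent. The beacon check goes beyond the slide by generalising "connection patterns" to any destination contacted at near-constant intervals close to the profile's period.

```python
"""Triage one host against a malware profile: known file and registry
effects plus a beaconing connection pattern (example code, not the vendor's)."""
import hashlib
import statistics
from datetime import datetime

# Constructed dropper body; the profile hash is derived from it. A real
# profile would carry hashes published for the family.
DROPPER_BYTES = b"MZ constructed example dropper body (not a real binary)\n"

PROFILE = {
    "name": "ExampleRAT",  # hypothetical family, for illustration only
    "file_sha256": {hashlib.sha256(DROPPER_BYTES).hexdigest()},
    "file_paths": {r"c:\users\public\svchosts.exe"},
    "registry_autoruns": {
        (r"hkcu\software\microsoft\windows\currentversion\run", "svchosts"),
    },
    "beacon_seconds": 60,
}

# Constructed host snapshot: (path, content) pairs and autorun values.
HOST_FILES = [
    (r"C:\Users\Public\svchosts.exe", b"MZ modified variant of the dropper"),  # known path, new hash
    (r"C:\Windows\Temp\update.tmp", DROPPER_BYTES),                           # known hash, renamed
    (r"C:\Windows\System32\notepad.exe", b"benign placeholder"),
]
HOST_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "svchosts", r"C:\Users\Public\svchosts.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "OneDrive", r"C:\Program Files\OneDrive.exe"),
]
# Constructed outbound connections from the host: (timestamp, destination).
HOST_CONNECTIONS = [
    ("2015-06-02T09:00:00", "198.51.100.23"),
    ("2015-06-02T09:00:13", "192.0.2.10"),
    ("2015-06-02T09:01:02", "198.51.100.23"),
    ("2015-06-02T09:02:00", "198.51.100.23"),
    ("2015-06-02T09:02:59", "198.51.100.23"),
    ("2015-06-02T09:03:40", "192.0.2.10"),
    ("2015-06-02T09:04:01", "198.51.100.23"),
    ("2015-06-02T09:09:15", "192.0.2.10"),
]


def file_findings(files, profile):
    """Hash match first (catches renamed copies), then known drop path
    (catches modified variants that keep the same name)."""
    hits = []
    for path, content in files:
        if hashlib.sha256(content).hexdigest() in profile["file_sha256"]:
            hits.append(("hash", path))
        elif path.lower() in profile["file_paths"]:
            hits.append(("path", path))
    return hits


def registry_findings(autoruns, profile):
    """Autorun (key, value name) pairs the family is known to create."""
    return [(key, name) for key, name, _ in autoruns
            if (key.lower(), name.lower()) in profile["registry_autoruns"]]


def beacon_findings(connections, profile, min_count=4, tolerance=0.2):
    """Destinations contacted at near-constant intervals whose median gap is
    within tolerance of the profile's beacon period."""
    by_dst = {}
    for ts, dst in connections:
        by_dst.setdefault(dst, []).append(datetime.fromisoformat(ts))
    beacons = []
    for dst, times in by_dst.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        median = statistics.median(gaps)
        jitter = statistics.pstdev(gaps) / median if median else float("inf")
        period_ok = abs(median - profile["beacon_seconds"]) <= tolerance * profile["beacon_seconds"]
        if period_ok and jitter <= tolerance:
            beacons.append((dst, round(median, 1)))
    return beacons


def triage(files=HOST_FILES, autoruns=HOST_AUTORUNS, connections=HOST_CONNECTIONS, profile=PROFILE):
    return {
        "family": profile["name"],
        "files": file_findings(files, profile),
        "registry": registry_findings(autoruns, profile),
        "beacons": beacon_findings(connections, profile),
    }


if __name__ == "__main__":
    for kind, found in triage().items():
        print(kind, found)
```

Matching on hash and on path separately is what lets the triage explain itself to the analyst: a hash hit on an unexpected path says the sample was renamed, a path hit with an unknown hash says the variant has changed and the profile needs updating, which is exactly the kind of observation the earlier slides feed back into the reference data.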
Summary
Applying Security Intelligence
• Meaningful threat intelligence involves all available security data – internal and external – to give context
• Automatic identification of known attacks and threats needs to happen in real-time
• Intelligence is vital for both detection AND during the diagnosis and investigation of cyber attacks
• Dealing with false positives efficiently means having processes and tools that rapidly provide understanding of threats and confident resolution
Speed and Accuracy are key to Cyber Resilience
Any Questions ?
piers.wilson@huntsmansecurity.com
+44 (0) 7800 508517
www.huntsmansecurity.com
@tier3huntsman

Infosec 2015 - Using threat intelligence to improve security response