global cyber threat intelligence
Post on 14-Apr-2017
484 Views
Preview:
TRANSCRIPT
Global Cyber Threat Intelligence
Kenji Takahashi
NTT Innovation Institute, Inc.
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
2
NTT i3
ACCELERATING THE TRANSFORMATION OF IDEAS FROM LAB TO MARKET
Full Lifecycle Innovation
FOCUS
NTT Global Strategic Assets
LEVERAGE
Leading Companiesand Startups
ENGAGE
INNOVATION
Internet of Things
Wearables
Machine Learning
MARKET-READY PLATFORMS
Elastic Services Infrastructure
Global Threat Intelligence Platform
Cloud Service Orchestration Platform
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
3
THE EVOLVING GLOBAL SECURITY LANDSCAPE
Cybercriminals
• Large and sophisticated global crime groups
• Black markets for stolen data, tool, and hacker talent
• Detailed knowledge on targets (vulnerabilities, businesses, organizations and people)
Enterprise Security Team
• Technology vulnerability of IT
• Largely reactive security practices
• Limited data sources and analytic capabilities
• Security skills gaps
Threats and attacks generated by criminals outpace security team capabilities
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
4
THE GLOBAL THREATS LANDSCAPE IN 2016Global Threat Intelligence Report 2016 (GTIR 2016)www.nttgroupsecurity.com
Top 10 External Vulnerabilities
Outdated PHP Version 8%
Cross-Site Scripting (CSS/XSS) 7%
Outdated Apache Web Server 7%
SSL/TLS Information Disclosure 6%
Web Clear Text Username/Password 5%
Weak SSL/TLS Ciphers/Certificate 5%
Outdated Apache Tomcat Server 4%
Weak/No HTTPS cache policy 4%
Cookie without HTTPOnly attribute set 3%
SSL Certificate Signed using Weak Hashing Algorithm 3%
Top 10 Internal Vulnerabilities
Outdated Java Version 51%
Outdated Adobe Flash Player 11%
Outdated Adobe Reader and Acrobat 5%
Outdated Microsoft Windows 3%
Outdated Microsoft Internet Explorer 3%
Outdated Mozilla Firefox 2%
Outdated Microsoft Office 1%
Outdated Linux Kernel 1%
Outdated Novell Client 1%
Outdated OpenSSH Version 1%
The data presented is based on information gathered through 2015
Vulnerabilities
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
5
THE GLOBAL THREATS LANDSCAPE IN 2016Attacks
The data presented is based on information gathered through 2015
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
6
THE GLOBAL THREATS LANDSCAPE IN 2016Incidents
The data presented is based on information gathered through 2015
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
7
HACKING FOR PROFIT – THE JP MORGAN CYBERATTACK
100 million customersof 12 companies in the US
8 years of operation2007-2015
$100Msin illicit proceeds
Global cybercrime network
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
8
RANSOM32: RANSOMWARE AS A SERVICE
(source: http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/)
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
9
THE CYBERCRIME INFRASTRUCTURE OF BOTNETS
• Consists of thousands of victimized computers (”nodes”)
• Buy or rent tools, data, services, and talents on the cyber black market using bitcoins
• Recycled in 30 – 90 day cycle
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
10
CYBER KILL CHAINTHE SEVEN PHASES OF A CYBER ATTACK
*1: “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains” by E. Hutchins, M. Cloppert, R. Amin, Lockheed Martin Corporation, 2011. http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdfCyber Kill Chain is a registered trademark of Lockheed Martin Corporation.
RECONNAISSANCE
WEAPONIZATION
DELIVERY
EXPLOITATION
INSTALLATION
COMMAND & CONTROL
ACTIONS & OBJECTIVES
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
11
CYBER KILL CHAIN: CASE STUDY
RECONNAISSANCERecon, PHP and SQL fingerprinting
0
DELIVERY&
Delivery of SQL injection via Havij tool &Exploitation of injection attack
Command & ControlEstablish and maintain C2
WEAPONIZATION
Recon data analyzed and Havij tool selected and configured for attack
Creation of accounts and installation of RAT
EXPLOITATION
46 53 58
51 55
ACTIONS & OBJECTIVES
0 6059
65
First Identified Log
Public Disclosure Observed
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
Data exfiltration
INSTALLATION
12
CKC AS A GUIDELINE FOR THREAT INTELLIGENCE
• Analysis of earlier phase provides threat intelligence for later phases
• Attribution underpins the analysis of CKC phases§ Victims
§ Capabilities
§ Resources
§ Objectives
• Strategic priority and focus are essential§ Systems, services, data, and people of importance
13
WHAT CONSTITUTE THREAT INTELLIGENCE
Threat intelligence is gathered from disparate sources and synthesized by human analysts to identify a specific threat and its target in advance of an incident.
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
14
THREAT INTELLIGENCEEVOLVING SECURITY FROM REACTION TO PREDICTION
A new approach to addressing global threats requires:
1
Creation of potential victim/target profiles
2
Prediction of threats based on the
real-time analysisof a variety of data
sources
3
Deployment of security control to
monitor and block both predicted and
existing threats
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
15
GLOBAL THREAT INTELLIGENCE PLATFORM
• Single holistic view of the real-time evolution of the dynamic threat landscape
• Global dataset of more than 18 million attacks gathered from a wide variety of sources, across geographical and organizational boundaries
• Advanced analytics driven by machine learning (including malware taint analysis)
• API for seamless integration into applications, services and systems
• Support led by managed security service professionals
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
16
DEMO
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
CONTEXTUALIZATION
Provide the “right” information best fit to user context
• Context can be expressed by vertical industry, geographical region, CKC phases, attack type, victim profile, used resources (IP addresses, URLs/domains, malware, etc.)
Enable users to formulate contextualized queries• Users can save and manage queries
The information is further enriched• Gathering the data from multiple non threat
sources
• Put them into consistent format
• Pivoting
Facilitate collaboration among security experts• Annotation, Labeling
2016 Copyright NTT Innovation Institute, Inc. All rights reserved. 17
18
GTIP – MALWARE TAINT ANALYSIS ENGINE
Dynamic data flow analysis bytracking down every movement of every bit of data by malware on a computer.
Keep track of the trace of “tags”
• Tags are identifiers placed on data, and are propagated as data moves inside computer, automatically tracking and identifying data provenance.
BLACKLIST
ANALYTICSENGINE
MALWARE BINARIES
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
19
IMPORTANT ISSUES FOR THE FUTURE OF CYBERSECURITY
• Information Sharing
• Big Data and Machine Learning for Malware and Traffic Analysis
• Software Defined Security Orchestration
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
20
INFORMATION SHARING
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
21
MALWARE CLASSIFICATION BY MACHINE LEARNING
Applying Machine Learning to both dynamic and static analysis• Features from execution in GTIP Malware Taint Analysis Engine (dynamic analysis)
• Features extracted from raw files (static analysis)
Preliminary experiments result in promising 98% accuracy• 4,000 malware files and 3,000 benign files
• Windows binaries
Same approach can be applied to other types of malware• Mobile (.apk), PDF, JavaScript, MS Office, etc.
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
TEMPORAL VISUALIZATION AND ANALYSIS
• Different types of attacks and CKC phases show distinguishing temporal patterns.
• By visualizing and analyzing the patterns, we are exploring a way of taking actions in an earlier, quicker and effective manner.
SSH attacks access many targets in Reconnaissance phase A malware attacks accesses only one target in Exploitation phase
2016 Copyright NTT Innovation Institute, Inc. All rights reserved. 22
23
TRAFFIC ANALYSIS: BOTNET INFRASTRUCTURE DETECTION
Network providers, vendors, and law enforcements could detect bot masters and their infrastructures by working together
Information sharing and massively scalable analytics are the key
• Streaming analytics
• Machine learning
ML outlier detection
Black lists, DNS sink holes, Passive DNS, DNS Cache, Domain Generation Algorithm (DGA), Domain profiling, ML clustering
Netflow analysis, Behavior analysis
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
24
BENDABLE NETWORKS: SOFTWARE DEFINED SECURITY ORCHESTRATION
The integration of ESI and GTIP
takes security operation integrity
and agility to a new level.
DEVICES
GTIP+
ESI
SOURCES
FW, IPS, IDS, SIEM…
On-demand installation
On-demand policy and configuration
Detect
Install and update
SDN+
NFV+
ThreatIntelligence
BENDABLE NETWORKS
25
ACCELERATING THE TRANSFORMATION OF IDEASFROM LAB TO MARKET
h t t p : / / www. n t t i 3 . c o m
h t t p s : / / t w i t t e r. c o m / n t t i 3
h t t p s : / / www. l i n k e d in . c o m / c o m p a n y / n t t i n n o v a t i o n i n s t i t u t e
h t t p s : / / www. f a c e b o o k . c o m / n t t i n n o v a t i o n
h t t p s : / / www. y o u t u b e . c o m / u s e r / NT Ti3 Ch a n n e l
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
top related