Best Practices for Leveraging Security Threat Intelligence Dave Shackleford, Voodoo Security and SANS Russell Spitler, AlienVault © 2014 The SANS™ Institute - www.sans.org


DESCRIPTION

The state of threat intelligence in the information security community is still very immature. Many organizations are still combating threats in a reactive manner, only learning what they're dealing with, well...when they're dealing with it. There is a wealth of information in the community, and many organizations have been gathering data about attackers and trends for years. How can we share that information, and what kinds of intelligence are most valuable? In this presentation, we'll start with a brief overview of AlienVault's Open Threat Exchange™ (OTX), and then we'll discuss attack trends and techniques seen in enterprise networks today, with supporting data from AlienVault OTX. We'll also take a look at some new models for collaboration and improving the state of threat intelligence going forward.

TRANSCRIPT

Page 1: Best Practices for Leveraging Security Threat Intelligence

Best Practices for Leveraging Security Threat Intelligence

Dave Shackleford, Voodoo Security and SANS
Russell Spitler, AlienVault

© 2014 The SANS™ Institute - www.sans.org

Page 2: Best Practices for Leveraging Security Threat Intelligence

What IS threat intelligence?

• Threat intelligence is the set of data collected, assessed, and applied regarding:
  – Security threats
  – Threat actors
  – Exploits
  – Malware
  – Vulnerabilities
  – Compromise indicators


Page 3: Best Practices for Leveraging Security Threat Intelligence

What Threat Intelligence ISN’T

• Regarding data for threat intelligence:
  – Not just one type of data
  – Not just one source of data
  – Not just internal or external

• Threat intelligence is also not one form of analysis or reporting

• Threat intelligence can mean different things to different organizations
  – This is 100% OK.


Page 4: Best Practices for Leveraging Security Threat Intelligence

Advanced Threats

• Malware-based espionage staged by threat actors that
  – Aggressively pursue and compromise specific targets
  – Often leverage social engineering
  – Maintain a persistent presence within the victim’s network
  – Escalate privilege and move laterally within the victim’s network
  – Extract sensitive information to locations under the attacker’s control


Page 5: Best Practices for Leveraging Security Threat Intelligence

Today’s Attack Cycle


1. Intelligence Gathering: Target individuals
2. Point of Entry: Social Engineering and malware deployment
3. C&C Communication
4. Lateral Movement
5. Asset/Data Discovery: What is important and/or sensitive?
6. Data Exfiltration: Data sent outbound to systems under the attacker’s control

Page 6: Best Practices for Leveraging Security Threat Intelligence

What’s This Leading To?

Source: http://www.forrester.com/Five+Steps+To+Build+An+Effective+Threat+Intelligence+Capability/fulltext/-/E-RES83841


Page 7: Best Practices for Leveraging Security Threat Intelligence

Why Threat Intelligence?

• Attackers are innovating faster than we are

• “Productization” of malware
  – Attack kits and “crimeware”
  – Reuse of malware and C2 protocols
  – Botnets for rent

• Other organizations have likely seen similar attacks or variants
  – We can help each other share information to defend better


Page 8: Best Practices for Leveraging Security Threat Intelligence

Adversary Analysis

• Why develop adversary profiles?
  – Adversary profiles can provide clues as to attacks, targets, and techniques commonly used

• Adversary Types
  – Unsophisticated – “script kiddies”
  – Competitors
  – State-sponsored
  – Organized Crime
  – Insiders (can also be one of the above)


Page 9: Best Practices for Leveraging Security Threat Intelligence

What kinds of data can we share?

• DNS entries that are or should be blacklisted

• Countries of origin with specific reputation criteria

• Types of events to look out for:
  – Application attacks
  – Ports and IP addresses
  – Specific types of malware detected

• Vertical-specific likelihood

• And more…


Page 10: Best Practices for Leveraging Security Threat Intelligence

Intelligence can drive Investigations

• Intelligence-driven investigations are based on the preservation of the relationships between the components of individual attacks so that they can be clustered as a campaign.

• Investigative Components
  – Malware Analysis
  – Network Analysis
  – Underground Analysis
  – “Big Data” Analysis
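The slide's point is that an investigation should keep the relationships between an attack's components (the sample, the C&C domain, the source address) rather than closing each incident on its own, because shared components are what let separate incidents be clustered into one campaign. The following is an added example, not code from the deck or from AlienVault; the incident records and their hashes, domains and addresses are constructed, and the choice to link on malware hash and C&C domain but not on source IP (which NAT and shared hosting make noisy) is an assumption of this example.

```python
"""Cluster individual attack observations into campaigns by preserving the
relationships between their components (malware hash, C&C domain, source IP).

Added example; not from the SANS/AlienVault deck. Event fields and values are
constructed for illustration.
"""
from collections import defaultdict

# Constructed observations from several hypothetical incidents. Each record keeps
# the components that were seen together; shared components link incidents.
EVENTS = [
    {"id": "inc-01", "malware_sha256": "aaaa1111", "c2_domain": "update-check.example", "src_ip": "198.51.100.10"},
    {"id": "inc-02", "malware_sha256": "aaaa1111", "c2_domain": "cdn-static.example", "src_ip": "198.51.100.22"},
    {"id": "inc-03", "malware_sha256": "bbbb2222", "c2_domain": "cdn-static.example", "src_ip": "203.0.113.5"},
    {"id": "inc-04", "malware_sha256": "cccc3333", "c2_domain": "mail-relay.example", "src_ip": "192.0.2.77"},
    {"id": "inc-05", "malware_sha256": "dddd4444", "c2_domain": "login-portal.example", "src_ip": "192.0.2.77"},
]

# Component types reliable enough to link incidents (an assumption of this
# example). Source IP is excluded by default: NAT and shared hosting make it noisy.
LINKING_COMPONENTS = ("malware_sha256", "c2_domain")


class UnionFind:
    """Minimal disjoint-set structure keyed by arbitrary hashable labels."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_campaigns(events, linking=LINKING_COMPONENTS):
    """Return a list of campaigns; each is the sorted list of incident ids that
    are connected through at least one shared linking component."""
    uf = UnionFind()
    for ev in events:
        uf.find(ev["id"])
        for field in linking:
            value = ev.get(field)
            if value:
                # Component nodes are namespaced so a hash and a domain never collide.
                uf.union(ev["id"], f"{field}:{value}")
    groups = defaultdict(list)
    for ev in events:
        groups[uf.find(ev["id"])].append(ev["id"])
    return sorted(sorted(ids) for ids in groups.values())


def campaign_components(events, campaign_ids, linking=LINKING_COMPONENTS):
    """Collect the distinct linking components observed across one campaign,
    i.e. the indicator set worth sharing as a unit."""
    out = {field: set() for field in linking}
    for ev in events:
        if ev["id"] in campaign_ids:
            for field in linking:
                if ev.get(field):
                    out[field].add(ev[field])
    return {field: sorted(vals) for field, vals in out.items()}


if __name__ == "__main__":
    for campaign in cluster_campaigns(EVENTS):
        print(campaign, campaign_components(EVENTS, campaign))
```

With the default linking fields, inc-01 and inc-02 share a sample and inc-02 and inc-03 share a C&C domain, so all three fall into one campaign while inc-04 and inc-05 stay separate; passing `src_ip` as a linking field merges the last two, which shows why the choice of linking components decides how much a cluster can be trusted.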


Page 11: Best Practices for Leveraging Security Threat Intelligence

How to Evaluate Threat Intel Services and Providers

• The first key differentiator is data DIVERSITY:
  – Where does the data come from?
  – What type(s) of data do you get?
  – Do IOC artifacts come in one format (i.e. file hashes) or multiple?
  – What specifics are available (vertical/industry, geography, etc.)?


Page 12: Best Practices for Leveraging Security Threat Intelligence

How to Evaluate Threat Intel Services and Providers

• The second differentiator is data ANALYSIS:
  – What kind of analysis is performed?
  – Who does the analysis?
  – To what depth is analysis done – basic IOCs, or full traceback?
  – Is the data correlated with other information?


Page 13: Best Practices for Leveraging Security Threat Intelligence

How to Evaluate Threat Intel Services and Providers

• The third differentiator is data QUALITY:
  – Does the data go through a “QA” process?
  – Is data revisited/re-analyzed to ensure it is still accurate?
  – When are indicators “expired”?
  – What is the expiration strategy/lifecycle … on an ongoing basis?


Page 14: Best Practices for Leveraging Security Threat Intelligence

Example: Sinkhole Case

• A known malware propagation platform communicating with a C&C server

• This can fuel a sinkhole approach


Page 15: Best Practices for Leveraging Security Threat Intelligence

Example: C&C Events

• Active malware command and control communications


Page 16: Best Practices for Leveraging Security Threat Intelligence

Example: File Download Activity

• File download IOC:


Page 17: Best Practices for Leveraging Security Threat Intelligence

Example: Java File Download

• Another malware download example, this time with a Java .jar file:
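Slides 14 through 17 show what shared indicators look like once they are matched against a network's own logs: a C&C conversation that can be sinkholed, a beaconing host, and a file download (here a .jar) whose hash is known. Slide 9 lists the data types involved (blacklisted DNS entries, ports and IP addresses, specific malware). The following is an added example, not code from the deck or from AlienVault, that runs a small set of such indicators over constructed DNS, connection and proxy log lines and decides the response per indicator type; the log formats, every indicator value and the sinkhole address are constructed for illustration.

```python
"""Match shared indicators (blacklisted DNS names, C&C IP:port pairs, file
hashes) against sample DNS, connection and proxy log lines and decide the
response: sinkhole for DNS, alert for C&C traffic and malware downloads.

Added example; not from the deck. Log formats, indicator values and the
sinkhole address are constructed for illustration.
"""
import re

# Constructed shared intelligence of the kinds the deck lists.
BLACKLISTED_DOMAINS = {"update-check.example", "cdn-static.example"}
C2_ENDPOINTS = {("198.51.100.10", 443), ("203.0.113.5", 8080)}
MALWARE_SHA256 = {"aaaa1111": "dropper", "bbbb2222": "java-loader.jar"}
SINKHOLE_IP = "10.255.255.254"  # assumed internal sinkhole address

# Constructed log lines in three simple "key=value" formats.
LOGS = """\
2014-03-01T10:00:01Z dns client=10.1.2.3 query=update-check.example type=A
2014-03-01T10:00:02Z dns client=10.1.2.3 query=www.example.org type=A
2014-03-01T10:00:05Z conn src=10.1.2.3 dst=198.51.100.10 dport=443 proto=tcp
2014-03-01T10:00:06Z conn src=10.1.2.9 dst=198.51.100.10 dport=80 proto=tcp
2014-03-01T10:01:10Z proxy client=10.1.2.3 url=http://cdn-static.example/a.jar sha256=bbbb2222 status=200
2014-03-01T10:01:11Z proxy client=10.1.2.4 url=http://www.example.org/index.html sha256=ffff0000 status=200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<kind>dns|conn|proxy) (?P<rest>.*)$")


def parse_line(line):
    """Turn one log line into a dict; returns None for lines of unknown shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "kind": m.group("kind")}
    for kv in m.group("rest").split():
        key, _, val = kv.partition("=")
        rec[key] = val
    return rec


def match_record(rec):
    """Return an alert dict when the record hits a shared indicator, else None."""
    if rec["kind"] == "dns" and rec.get("query") in BLACKLISTED_DOMAINS:
        # A blacklisted name is answered with the sinkhole address so the
        # infected host talks to us instead of the C&C server.
        return {"ts": rec["ts"], "host": rec["client"], "type": "blacklisted-dns",
                "indicator": rec["query"], "action": f"sinkhole -> {SINKHOLE_IP}"}
    if rec["kind"] == "conn" and (rec.get("dst"), int(rec.get("dport", 0))) in C2_ENDPOINTS:
        # Port matters: the same address on another port is not this indicator.
        return {"ts": rec["ts"], "host": rec["src"], "type": "c2-communication",
                "indicator": f"{rec['dst']}:{rec['dport']}", "action": "alert"}
    if rec["kind"] == "proxy" and rec.get("sha256") in MALWARE_SHA256:
        return {"ts": rec["ts"], "host": rec["client"], "type": "malware-download",
                "indicator": rec["sha256"], "action": f"alert ({MALWARE_SHA256[rec['sha256']]})"}
    return None


def scan(log_text):
    """Run every line through the matcher and collect alerts in log order."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            hit = match_record(rec)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in scan(LOGS):
        print(alert)
```

Three of the six constructed lines match: the DNS query is redirected to the sinkhole, the connection to the known C&C endpoint on port 443 raises an alert (the same address on port 80 does not), and the .jar download is flagged by its hash. All three alerts carry the same internal host, which is exactly the relationship the investigation slide says should be preserved.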


Page 18: Best Practices for Leveraging Security Threat Intelligence

AlienVault Open Threat Exchange

Open Threat Exchange (OTX) is a framework to allow collaboration for enhanced threat assessment and response


Page 19: Best Practices for Leveraging Security Threat Intelligence

Built into AlienVault USM & OSSIM

• Diverse threat data
  – Unified Security Management
  – SIEM, IDS, VA, HIDS, Netflow in one product

• Diverse install base
  – >12,000 installations
  – Open Source & Commercial


Pages 20-24: Best Practices for Leveraging Security Threat Intelligence

Automate Threat Sharing & Action

[Diagram, built up one step per slide across pages 20-24: an AlienVault USM or OSSIM installation (Installation 1), the attacker (“Bad Guy”), AlienVault OTX, and a second AlienVault USM or OSSIM installation (Installation 2). The numbered flow is:]

1. Observed Attack
2. Anonymous Contribution
3. Data Validation
4. Distribute Threat Intelligence
5. Identify Malicious Activity
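Step 2 of the diagram, the anonymous contribution, is where a sharing scheme most often fails in practice: an installation must hand over the attacker-side observables without handing over anything that identifies the contributing site. The following is an added example, not code from the deck or from AlienVault's OTX, USM or OSSIM, showing one way an installation could prepare an observed attack for contribution. The event schema, the split between shared and private fields, the internal address ranges, the hour-level time coarsening and the salted contributor token are all assumptions of this example.

```python
"""Prepare an observed attack for anonymous contribution to a sharing
platform: keep the attacker-side observables, strip everything that
identifies the contributing site, and coarsen the timestamp.

Added example; not from the deck or from AlienVault's OTX/USM/OSSIM code. The
event schema and the sanitisation rules are assumptions for illustration.
"""
import hashlib
import ipaddress
from datetime import datetime, timezone

# Fields that describe the attacker and the attack; these are what the
# community needs and what this example treats as safe to share.
SHARED_FIELDS = ("src_ip", "dst_port", "signature", "malware_sha256", "c2_domain")

# Fields that identify the victim organisation; never shared.
PRIVATE_FIELDS = ("dst_ip", "hostname", "username", "sensor_id", "site")

# Address ranges treated as internal (RFC 1918, loopback, link-local). Listed
# explicitly rather than via ipaddress.is_private so that the documentation
# ranges used below as stand-ins for public attacker addresses are not caught.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal_ip(value):
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return True  # unparsable: treat as unsafe to share
    return any(ip in net for net in INTERNAL_NETWORKS)


def coarse_time(ts):
    """Round a UTC timestamp down to the hour so event timing cannot be
    correlated precisely with a single site's outage or ticket."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return dt.replace(minute=0, second=0).strftime("%Y-%m-%dT%H:%M:%SZ")


def contributor_token(site, salt):
    """Stable but unlinkable contributor id: lets the platform de-duplicate one
    site's repeat reports without learning which site it is. `salt` must be a
    per-site secret that is never shared."""
    return hashlib.sha256(f"{salt}:{site}".encode()).hexdigest()[:16]


def anonymise(event, salt):
    """Return the shareable form of `event`, or None if nothing useful remains."""
    out = {f: event[f] for f in SHARED_FIELDS if event.get(f) not in (None, "")}
    if "src_ip" in out and is_internal_ip(out["src_ip"]):
        # An internal source address describes the contributor's own network
        # layout, not the attacker; drop it rather than share it.
        del out["src_ip"]
    if not any(k in out for k in ("src_ip", "malware_sha256", "c2_domain")):
        return None  # no attacker-side observable left to contribute
    out["observed"] = coarse_time(event["ts"])
    out["contributor"] = contributor_token(event.get("site", ""), salt)
    # Sanity check: nothing from the private list leaked through.
    assert not any(f in out for f in PRIVATE_FIELDS)
    return out


# Constructed event as an installation might record it.
EVENT = {
    "ts": "2014-03-01T10:17:42Z",
    "src_ip": "198.51.100.10",
    "dst_ip": "10.1.2.3",
    "dst_port": 443,
    "hostname": "fin-ws-017.corp.example",
    "username": "jdoe",
    "sensor_id": "usm-01",
    "site": "acme-hq",
    "signature": "ET TROJAN Known C2 beacon",
    "malware_sha256": "aaaa1111",
    "c2_domain": "update-check.example",
}

if __name__ == "__main__":
    print(anonymise(EVENT, salt="per-site-secret"))
```

The shared record keeps the attacker address, port, signature, hash and C&C domain, replaces the exact time with the hour, and carries a salted token in place of the site name; an event whose only observable is an internal source address is not contributed at all, since it would say more about the contributor than about the attacker. Steps 3 and 4 of the diagram (validation and distribution) then operate on records of this shape.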

Page 25: Best Practices for Leveraging Security Threat Intelligence

Current OTX Participation

• 17,000 Contributions per day

• 140 Countries

• 500k IPs, URLs, and Malware Samples analyzed daily


Page 26: Best Practices for Leveraging Security Threat Intelligence

Attack Trends and Examples

• Current Attack Trends include:
  – Stealth malware
  – HTTP/HTTPS C&C channels
  – Anti-forensics
  – New and varied DDoS tactics
  – Myriad Web app attacks
  – Client-side attacks with social engineering as the primary attack vector

• How can we learn about these?


Page 27: Best Practices for Leveraging Security Threat Intelligence

Conclusion

• We’re all facing attacks, all the time

• We have a lot of data – why not share it?

• To advance the state of threat intelligence, we’ll need to collaborate and correlate data at a much larger scale

• OTX is one effort to do just that


Page 28: Best Practices for Leveraging Security Threat Intelligence

Questions?

Follow-up?

[email protected]

Thank You!
