Global Cyber Threat Intelligence
Kenji Takahashi, NTT Innovation Institute, Inc.
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
Uploaded by ntt-innovation-institute-inc on 14-Apr-2017 (Category: Technology)

TRANSCRIPT

Page 1: Global Cyber Threat Intelligence

Global Cyber Threat Intelligence

Kenji Takahashi

NTT Innovation Institute, Inc.

2016 Copyright NTT Innovation Institute, Inc. All rights reserved.

Page 2: Global Cyber Threat Intelligence

NTT i3

ACCELERATING THE TRANSFORMATION OF IDEAS FROM LAB TO MARKET

Full Lifecycle Innovation

FOCUS

NTT Global Strategic Assets

LEVERAGE

Leading Companies and Startups

ENGAGE

INNOVATION

Internet of Things

Wearables

Machine Learning

MARKET-READY PLATFORMS

Elastic Services Infrastructure

Global Threat Intelligence Platform

Cloud Service Orchestration Platform

Page 3: Global Cyber Threat Intelligence

THE EVOLVING GLOBAL SECURITY LANDSCAPE

Cybercriminals

• Large and sophisticated global crime groups

• Black markets for stolen data, tools, and hacker talent

• Detailed knowledge on targets (vulnerabilities, businesses, organizations and people)

Enterprise Security Team

• Technology vulnerabilities in IT

• Largely reactive security practices

• Limited data sources and analytic capabilities

• Security skills gaps

Threats and attacks generated by criminals outpace security team capabilities

Page 4: Global Cyber Threat Intelligence

THE GLOBAL THREATS LANDSCAPE IN 2016: VULNERABILITIES

Source: Global Threat Intelligence Report 2016 (GTIR 2016), www.nttgroupsecurity.com

Top 10 External Vulnerabilities

Outdated PHP Version 8%

Cross-Site Scripting (CSS/XSS) 7%

Outdated Apache Web Server 7%

SSL/TLS Information Disclosure 6%

Web Clear Text Username/Password 5%

Weak SSL/TLS Ciphers/Certificate 5%

Outdated Apache Tomcat Server 4%

Weak/No HTTPS cache policy 4%

Cookie without HTTPOnly attribute set 3%

SSL Certificate Signed using Weak Hashing Algorithm 3%

Top 10 Internal Vulnerabilities

Outdated Java Version 51%

Outdated Adobe Flash Player 11%

Outdated Adobe Reader and Acrobat 5%

Outdated Microsoft Windows 3%

Outdated Microsoft Internet Explorer 3%

Outdated Mozilla Firefox 2%

Outdated Microsoft Office 1%

Outdated Linux Kernel 1%

Outdated Novell Client 1%

Outdated OpenSSH Version 1%

The data presented is based on information gathered through 2015.

Page 5: Global Cyber Threat Intelligence

THE GLOBAL THREATS LANDSCAPE IN 2016: ATTACKS

The data presented is based on information gathered through 2015

Page 6: Global Cyber Threat Intelligence

THE GLOBAL THREATS LANDSCAPE IN 2016: INCIDENTS

The data presented is based on information gathered through 2015

Page 7: Global Cyber Threat Intelligence

HACKING FOR PROFIT – THE JP MORGAN CYBERATTACK

100 million customers of 12 companies in the US

8 years of operation, 2007-2015

$100Ms in illicit proceeds

Global cybercrime network

Page 8: Global Cyber Threat Intelligence

RANSOM32: RANSOMWARE AS A SERVICE

(source: http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/)

Page 9: Global Cyber Threat Intelligence

THE CYBERCRIME INFRASTRUCTURE OF BOTNETS

• Consists of thousands of victimized computers ("nodes")

• Operators buy or rent tools, data, services, and talent on the cyber black market using bitcoins

• Recycled in 30 – 90 day cycle

Page 10: Global Cyber Threat Intelligence

CYBER KILL CHAIN: THE SEVEN PHASES OF A CYBER ATTACK

*1: "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by E. Hutchins, M. Cloppert, R. Amin, Lockheed Martin Corporation, 2011. http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Cyber Kill Chain is a registered trademark of Lockheed Martin Corporation.

RECONNAISSANCE

WEAPONIZATION

DELIVERY

EXPLOITATION

INSTALLATION

COMMAND & CONTROL

ACTIONS & OBJECTIVES

Page 11: Global Cyber Threat Intelligence

CYBER KILL CHAIN: CASE STUDY

RECONNAISSANCE: Recon, PHP and SQL fingerprinting

WEAPONIZATION: Recon data analyzed and Havij tool selected and configured for attack

DELIVERY & EXPLOITATION: Delivery of SQL injection via Havij tool and exploitation of injection attack

INSTALLATION: Creation of accounts and installation of RAT

COMMAND & CONTROL: Establish and maintain C2

ACTIONS & OBJECTIVES: Data exfiltration

[Timeline figure: the phases are plotted by day from day 0 to day 65, with markers for "First Identified Log" and "Public Disclosure Observed"; the exact day of each phase is not recoverable from the transcript]

Page 12: Global Cyber Threat Intelligence

CKC AS A GUIDELINE FOR THREAT INTELLIGENCE

• Analysis of an earlier phase provides threat intelligence for later phases

• Attribution underpins the analysis of CKC phases
  § Victims
  § Capabilities
  § Resources
  § Objectives

• Strategic priority and focus are essential
  § Systems, services, data, and people of importance

Page 13: Global Cyber Threat Intelligence

WHAT CONSTITUTES THREAT INTELLIGENCE

Threat intelligence is gathered from disparate sources and synthesized by human analysts to identify a specific threat and its target in advance of an incident.

Page 14: Global Cyber Threat Intelligence

THREAT INTELLIGENCE: EVOLVING SECURITY FROM REACTION TO PREDICTION

A new approach to addressing global threats requires:

1. Creation of potential victim/target profiles

2. Prediction of threats based on the real-time analysis of a variety of data sources

3. Deployment of security controls to monitor and block both predicted and existing threats

Page 15: Global Cyber Threat Intelligence

GLOBAL THREAT INTELLIGENCE PLATFORM

• Single holistic view of the real-time evolution of the dynamic threat landscape

• Global dataset of more than 18 million attacks gathered from a wide variety of sources, across geographical and organizational boundaries

• Advanced analytics driven by machine learning (including malware taint analysis)

• API for seamless integration into applications, services and systems

• Support led by managed security service professionals

Page 16: Global Cyber Threat Intelligence

DEMO

Page 17: Global Cyber Threat Intelligence

CONTEXTUALIZATION

Provide the "right" information, best fit to the user's context

• Context can be expressed by vertical industry, geographical region, CKC phase, attack type, victim profile, and used resources (IP addresses, URLs/domains, malware, etc.)

Enable users to formulate contextualized queries

• Users can save and manage queries

The information is further enriched

• Gathering the data from multiple non-threat sources

• Putting them into a consistent format

• Pivoting

Facilitate collaboration among security experts

• Annotation, labeling

Page 18: Global Cyber Threat Intelligence

GTIP – MALWARE TAINT ANALYSIS ENGINE

Dynamic data flow analysis by tracking down every movement of every bit of data by malware on a computer.

Keep track of the trace of "tags"

• Tags are identifiers placed on data, and are propagated as the data moves inside the computer, automatically tracking and identifying data provenance.

[Diagram components: malware binaries, analytics engine, blacklist]
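To make the tag-propagation idea concrete, here is a toy dynamic taint tracker written for this page (it is not NTT i3 code and does not reflect the GTIP engine's implementation). Every value read from a labelled source carries a tag set, derived values carry the union of their operands' tags, and each sink records which tags reached it, so the provenance summary shows that credential bytes reached the network even after they were concatenated and XOR-encoded; the trace, source names and sink names are constructed for the example.

```python
# Toy dynamic taint tracking in the spirit of the GTIP taint-analysis slide.
# Added illustration, not NTT i3 code: values read from a labelled source carry
# a tag set, derived values carry the union of their operands' tags, and each
# sink records the tags that reached it. Source/sink names are constructed.
from dataclasses import dataclass, field

@dataclass
class Tainted:
    value: bytes
    tags: frozenset = field(default_factory=frozenset)

class TaintTracker:
    def __init__(self):
        self.vars: dict[str, Tainted] = {}
        self.sink_log: list[tuple[str, frozenset]] = []

    def read(self, var, source, data):
        """Data entering from a labelled source is tagged with that source."""
        self.vars[var] = Tainted(data, frozenset({source}))

    def concat(self, dst, a, b):
        """A derived value inherits the tags of every operand."""
        x, y = self.vars[a], self.vars[b]
        self.vars[dst] = Tainted(x.value + y.value, x.tags | y.tags)

    def xor(self, dst, src, key):
        """Encoding changes the bytes but never launders the tags."""
        t = self.vars[src]
        self.vars[dst] = Tainted(bytes(c ^ key for c in t.value), t.tags)

    def sink(self, name, var):
        """Record which tags arrive at a sink (network, file, ...)."""
        self.sink_log.append((name, self.vars[var].tags))

    def flows(self):
        """Provenance summary: sorted (source, sink) pairs observed at sinks."""
        return sorted({(s, k) for k, tags in self.sink_log for s in tags})

def run_sample_trace():
    """Constructed trace of one sample's behaviour, as a sandbox would record it."""
    t = TaintTracker()
    t.read("creds", "file:creds.txt", b"user:pass")
    t.read("host", "registry:ComputerName", b"WS01")
    t.read("note", "file:README.txt", b"hello")
    t.concat("payload", "host", "creds")   # hostname + credentials
    t.xor("enc", "payload", 0x5A)          # "obfuscated" before leaving
    t.sink("net:send", "enc")
    t.sink("file:write", "note")
    return t.flows()
```

A real engine works at the instruction level on a whole machine rather than on named variables, but the provenance question it answers is the same: which sources fed which sinks.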

Page 19: Global Cyber Threat Intelligence

IMPORTANT ISSUES FOR THE FUTURE OF CYBERSECURITY

• Information Sharing

• Big Data and Machine Learning for Malware and Traffic Analysis

• Software Defined Security Orchestration

Page 20: Global Cyber Threat Intelligence

INFORMATION SHARING

Page 21: Global Cyber Threat Intelligence

MALWARE CLASSIFICATION BY MACHINE LEARNING

Applying machine learning to both dynamic and static analysis

• Features from execution in the GTIP Malware Taint Analysis Engine (dynamic analysis)

• Features extracted from raw files (static analysis)

Preliminary experiments result in a promising 98% accuracy

• 4,000 malware files and 3,000 benign files

• Windows binaries

The same approach can be applied to other types of malware

• Mobile (.apk), PDF, JavaScript, MS Office, etc.

Page 22: Global Cyber Threat Intelligence

TEMPORAL VISUALIZATION AND ANALYSIS

• Different types of attacks and CKC phases show distinguishing temporal patterns.

• By visualizing and analyzing the patterns, we are exploring a way of taking actions in an earlier, quicker and effective manner.

[Figure caption] SSH attacks access many targets in the Reconnaissance phase; a malware attack accesses only one target in the Exploitation phase.
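The temporal shape the slide describes, many targets per source in a short window versus one target hit repeatedly, can be measured directly from connection logs. The following is an added example, not part of the original deck: it parses constructed log lines, computes each source's peak number of distinct targets inside a sliding window, and labels the source with the kill-chain shape the slide associates with that fan-out (the window size and threshold are assumptions, not values from the deck).

```python
# Temporal pattern analysis over connection logs, following the slide's
# observation that reconnaissance-style activity fans out to many targets in
# a short window while exploitation-style activity concentrates on one target.
# Added example, not part of the deck; log lines and thresholds are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <src> <dst> <service>"
SAMPLE_LOG = """\
2016-03-01T10:00:01 203.0.113.7 198.51.100.10 ssh
2016-03-01T10:00:02 203.0.113.7 198.51.100.11 ssh
2016-03-01T10:00:03 203.0.113.7 198.51.100.12 ssh
2016-03-01T10:00:04 203.0.113.7 198.51.100.13 ssh
2016-03-01T10:05:00 192.0.2.9 198.51.100.20 http
2016-03-01T10:05:30 192.0.2.9 198.51.100.20 http
2016-03-01T10:06:00 192.0.2.9 198.51.100.20 http
"""

def parse(lines):
    """Yield (time, src, dst, service); malformed lines are skipped."""
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3]
        except ValueError:
            continue

def fan_out(events, window=timedelta(minutes=10)):
    """Per source, the most distinct targets seen inside any sliding window
    and the total event count: {src: (peak_targets, events)}."""
    by_src = defaultdict(list)
    for ts, src, dst, _ in events:
        by_src[src].append((ts, dst))
    summary = {}
    for src, evs in by_src.items():
        evs.sort()
        peak, start = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({d for _, d in evs[start:end + 1]}))
        summary[src] = (peak, len(evs))
    return summary

def classify(summary, wide_threshold=4):
    """Map each source's fan-out to the kill-chain shape the slide describes."""
    return {src: ("reconnaissance-like: many targets" if peak >= wide_threshold
                  else "exploitation-like: single target")
            for src, (peak, _) in summary.items()}
```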

Page 23: Global Cyber Threat Intelligence

TRAFFIC ANALYSIS: BOTNET INFRASTRUCTURE DETECTION

Network providers, vendors, and law enforcement agencies could detect bot masters and their infrastructures by working together

Information sharing and massively scalable analytics are the key

• Streaming analytics

• Machine learning

Techniques shown on the slide:

• ML outlier detection

• Black lists, DNS sinkholes, passive DNS, DNS cache, Domain Generation Algorithm (DGA), domain profiling, ML clustering

• NetFlow analysis, behavior analysis

Page 24: Global Cyber Threat Intelligence

BENDABLE NETWORKS: SOFTWARE DEFINED SECURITY ORCHESTRATION

The integration of ESI and GTIP takes security operation integrity and agility to a new level.

[Diagram labels: DEVICES (FW, IPS, IDS, SIEM…), SOURCES, GTIP+ (Threat Intelligence), ESI (SDN+, NFV+), Detect, Install and update, On-demand installation, On-demand policy and configuration; titled BENDABLE NETWORKS]

Page 25: Global Cyber Threat Intelligence

ACCELERATING THE TRANSFORMATION OF IDEAS FROM LAB TO MARKET

http://www.ntti3.com

https://twitter.com/ntti3

https://www.linkedin.com/company/nttinnovationinstitute

https://www.facebook.com/nttinnovation

https://www.youtube.com/user/NTTi3Channel
