Slide 1
#RSAC
SESSION ID: CXO-R03
The Third Rail: New Stakeholders Tackle Security Threats and Solutions
Ted Ross
Director, Threat Intelligence
HP Security Research
@tedross
Slide 2
Agenda
My brief background
An example of a successful collaboration
Quick review of some basics
Stakeholders
“Next Gen” sharing
Use cases
Slide 3
HPSR Threat Intelligence
• Field Intelligence (Human Intel): strategic, human-to-human
  • Monitor the Underground
  • Profile Threat Actors
• Threat Central: tactical, machine-to-machine; facilitates strategic human-to-human interaction
Slide 4
The Power of Collaboration: A View from the Underground
Slide 5
The Adversary Collaborates Effectively
Global Network of Hackers Steal $45 Million From ATMs
Bank Hack Results in Stunning $45 Million ATM Heist
Experts Marvel At How Cyber thieves Stole $45 Million
In Hours, Thieves Took $45 Million in A.T.M. Scheme
The Circuit: Hackers took $45 million in ATM heist
Slide 6
Recruiting
Slide 7
But… they don’t trust each other
Slide 8
Collaboration
Slide 9
Payment Options – Escrow, Laundering, Assets
Slide 10
Lessons Learned from the Adversary
Sharing is social - social rules apply
Protect your identity
Credibility is key
Reuse what others have learned
Leverage each other's strengths
Slide 11
Challenges that We Must Overcome
• Limited participation
• Not comfortable sharing (social issues)
• No time
• No trust
• Data is not actionable – lacks context and relevance
• Overly manual – not timely
Slide 12
The Power Of Collaboration: What are the Good Guys doing?
Slide 13
ISACs (Information Sharing & Analysis Centers)
• Created from a Presidential Directive in 1998 (updated in 2003).
• Public and private sector form a partnership to share information about threats, vulnerabilities, and events to help protect the critical infrastructure.
• U.S. Treasury, DHS and other relevant government agencies / entities use ISACs to disseminate critical information.
• At last count there are 18 different ISACs (e.g. Financial Services, Energy, Water, National Health, Surface Transportation, etc.).
• FS-ISAC (launched in 1999) is the most advanced and is leading the way for others.
• In early 2013, FS-ISAC extended their charter to include information sharing for financial services entities world-wide.
Slide 14
STIX / TAXII
• STIX (Structured Threat Information eXpression): A Structured Language for Cyber Threat Intelligence Information. Source: https://stix.mitre.org
• TAXII (Trusted Automated eXchange of Indicator Information): Enabling Cyber Threat Information Exchange. Source: http://taxii.mitre.org
Slide 15
STIX Data Model (source: https://stix.mitre.org)
Slide 16
Observable (lowest level)
Slide 17
Indicator
Slide 18
Incident
Slide 19
Evolution 2015: Embedded Human Threats
[Video removed for security purposes]
Slide 20
Evolution
• 2013-2014: Building the pipes (infrastructure & tools for sharing)
• 2015: Analyze the Data (We are here)
• 2016: Apply results
Props to Chris Blask (ICS-ISAC)
Slide 21
The Next Phase: Analyze the Data
• Indicators come from multiple sources, each with a unique view on the threat
• Collaboration allows us to LINK artifacts
• Interacting with an intelligent system allows us to determine which threats are important to you: RELEVANCE
• Using the context to score the indicators makes them ACTIONABLE
Slide 22
Key Stakeholders (diagram of nested sharing communities)
• YOU: YOUR SIEM, YOUR STIX, your Threat DB
• Private Community: a Friend with their own Threat DB, STIX and SIEM
• Sector Community: peers with their own Threat DB, STIX and SIEM
• Global Community: Portal, Privacy Enhanced Forums, HP Security Research
Slide 23
Automated Action Influenced by Context
Pipeline: Collect → Normalize → Analyze/Correlate → Distribute / ACT
• Collect: Open Source Feeds, TC Community, Edge Device, Security Event Manager (ESM Connector, API), Research
• Normalize into Actionable Intel: IP address, Domain, File Hash, Registry Key, URL
• Add Context: Sightings, Source Reliability, Severity, Confidence, Community Feedback
• Compare & Correlate: Match Customer Case, Match to Actors, TTPs, Verticals Targeted, Linked Indicators
• SET SCORE → RELEVANT Y/N
• Distribute / ACT: via the Portal and connected devices
Slide 24
Results & Actions
             First     Second    Vote Down  Third     Fourth    Highest
             Sighting  Sighting  Effect     Sighting  Sighting  Possible
Reliability  Normal    Normal    Normal     Normal    Normal    HIGH
Severity     M         M         M          M         M         H
Confidence   M         M         M          M         M         H
Sightings    1         2         4          3         4         4
Votes        0         0         -4         0         0         4
SCORE        35        47        52         59        73        100
Action band: Monitor Activity at the lower scores, Take Action at the higher scores.
Slide 27
Linked Observables and Query Depth
Starting Observable → Domain Observable → IP Address Observable, with pivots shown at Query Depth = 2 and Query Depth = 3.
Slide 28
The power of linking Actors (courtesy of CERT-EU)
Automated APT Actor Recognition
• TTP → How APT actors are recognized
• TTP → Secondary recognition
• Possible distractions / Easy attack vectors
Slide 29
Use Case: Automated Actions: Brute force login
An Attacker at Source 1.1.1.1 repeatedly produces Invalid Login events against Key Assets behind the IPS.
Slide 30
Use Case: Automated Actions: Current approach
Company A, Company B and Company C each see the same pattern in isolation: an Attacker at Source 1.1.1.1, repeated Invalid Login events at their own IPS.
Slide 31
Use Case: Automated Actions: New approach
Company A, Company B and Company C each report their Invalid Login sightings of Source 1.1.1.1 to the Sharing Community.
Score progression as sightings accumulate: LOW SCORE → LOW SCORE → Medium SCORE → HIGH SCORE.
If score = HIGH, push to IPS: Company D's IPS/Firewall receives the indicator before seeing the attacker itself.
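The context scoring behind the Results & Actions table and the "if score = HIGH, push to IPS" step of the brute-force use case, as an added example that is not code from the deck or from HP Threat Central. The weights, the 0-100 scale, the HIGH band at 70 and the event timeline are assumptions for this illustration and do not reproduce the slide's figures.

```python
from dataclasses import dataclass, field

# Assumed weights for this illustration; the slide does not give its formula.
RELIABILITY_WEIGHT = {"Normal": 1.0, "HIGH": 1.5}
LEVEL_WEIGHT = {"L": 0.5, "M": 1.0, "H": 1.5}
HIGH_SCORE = 70  # assumed band at which "Take Action" / push to IPS begins

@dataclass
class Indicator:
    value: str                      # e.g. the source IP of the invalid logins
    kind: str                       # "ip", "domain", "hash", "registry", "url"
    reliability: str = "Normal"     # source reliability
    severity: str = "M"
    confidence: str = "M"
    sightings: list = field(default_factory=list)  # communities that reported it
    votes: int = 0                  # community feedback: + vote up, - vote down

def score(ind: Indicator) -> int:
    """Context -> 0-100 score. Distinct sighting sources add to a base; reliability,
    severity and confidence scale that; votes shift it; the result is clamped."""
    distinct = len(set(ind.sightings))   # the same company re-reporting adds nothing
    scale = (RELIABILITY_WEIGHT[ind.reliability]
             * LEVEL_WEIGHT[ind.severity] * LEVEL_WEIGHT[ind.confidence])
    raw = 20 + 15 * distinct * scale + 4 * ind.votes
    return max(0, min(100, round(raw)))

def action(s: int) -> str:
    return "Take Action" if s >= HIGH_SCORE else "Monitor Activity"

def run_pipeline(ind: Indicator, events: list) -> list:
    """Apply community events in order; return (score, action) after each one.
    Event shapes: ("sighting", community), ("vote", delta), ("context", field, value)."""
    history = []
    for ev in events:
        if ev[0] == "sighting":
            ind.sightings.append(ev[1])
        elif ev[0] == "vote":
            ind.votes += ev[1]
        elif ev[0] == "context":
            setattr(ind, ev[1], ev[2])
        s = score(ind)
        history.append((s, action(s)))
    return history

def ips_push(indicators: list) -> list:
    """Distribute / ACT: only IP indicators in the HIGH band are pushed to the IPS."""
    return sorted(i.value for i in indicators if i.kind == "ip" and score(i) >= HIGH_SCORE)

# Constructed timeline for the brute-force source 1.1.1.1 from the use case slides:
# Companies A, B, C report invalid-login sightings, one member votes it down,
# then the research team raises source reliability and severity.
EVENTS = [("sighting", "Company A"), ("sighting", "Company B"), ("vote", -4),
          ("sighting", "Company C"), ("context", "reliability", "HIGH"),
          ("context", "severity", "H")]
```

Running `run_pipeline(Indicator("1.1.1.1", "ip"), EVENTS)` shows the score staying in the Monitor band through three sightings and a vote-down, then crossing into Take Action once the context (reliability, severity) is raised; a domain indicator never reaches the IPS push regardless of score.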
Slide 32
Use Case: Proactive Block Lists - RECON: Current approach
A Recon Source at 1.1.1.1 probes Key Assets through the IPS; the Attack Source(s) at 2.2.2.X that follow are not yet known to the IPS.
Slide 33
Use Case: Proactive Block Lists - RECON with Threat Central
The Recon Source at 1.1.1.1 is seen at the IPS; the Recon IP is sent to the Sharing Community, which returns the linked Attack IPs (Source 2.2.2.X) as an Attack IP List for the IPS to block before the attack reaches Key Assets.
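Pivoting from a recon sighting to linked attack IPs at a bounded query depth, covering both the Query Depth slide and the RECON with Threat Central use case, as an added example that is not code from the deck or from HP Threat Central. The link graph, the domain names and the hash label are constructed for this example; 1.1.1.1 and 2.2.2.x follow the slide's placeholders.

```python
from collections import deque

# Constructed community link graph: observable -> observables it has been linked
# to by shared sightings. Keys use "type:value". Links are recorded both ways.
LINKS = {
    "ip:1.1.1.1": {"domain:recon-c2.example"},
    "domain:recon-c2.example": {"ip:1.1.1.1", "ip:2.2.2.10", "ip:2.2.2.11",
                                "hash:constructed-sample-hash"},
    "ip:2.2.2.10": {"domain:recon-c2.example"},
    "ip:2.2.2.11": {"domain:recon-c2.example"},
    "hash:constructed-sample-hash": {"domain:recon-c2.example", "ip:2.2.2.12"},
    "ip:2.2.2.12": {"hash:constructed-sample-hash", "domain:unrelated.example"},
    "domain:unrelated.example": {"ip:2.2.2.12"},
}

def linked(start: str, depth: int, links: dict = LINKS) -> dict:
    """Breadth-first pivot from one observable out to `depth` hops.
    Returns {observable: hop distance}; the start itself is excluded."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if dist[cur] >= depth:          # query depth reached on this branch
            continue
        for nxt in links.get(cur, ()):
            if nxt not in dist:         # first visit is the shortest path
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    dist.pop(start)
    return dist

def attack_ip_list(recon_ip: str, depth: int) -> list:
    """Proactive block list for the IPS: IP observables linked to the recon
    source within the query depth, sorted for stable output. Each extra hop
    pulls in more loosely related observables, so the depth is a tuning knob."""
    found = linked("ip:" + recon_ip, depth)
    return sorted(o.split(":", 1)[1] for o in found if o.startswith("ip:"))
```

With this graph, depth 1 yields nothing (the only neighbour is a domain), depth 2 yields the two IPs behind the shared domain, and depth 3 adds the IP reached through the linked sample; depth 4 adds no further IPs.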
Slide 34
Summarizing: Leveraging the Community
Company A, Company B and Company C each contribute a NEW EVENT (a Zero day, a Malicious IP address, a Malware variant) to the Sharing Community, and each receives the others' BAD IP, MALWARE and ZERO DAY indicators in return.
Slide 35
What to Look for in Threat Sharing Systems
Automated bi-directional sharing
Analysis of the data
Actionable derived results
Tap into the existing community of security experts
Product agnostic sharing is a must
Slide 36
How to Apply
• Within three months, select a collaboration system that produces
  A. Actionable results
  B. Indicators that are relevant to you
• Start collaborating with both human-human and machine-machine using a system that will send indicators automatically as a result of the collaboration.
• Leverage strategic intelligence (context) to better defend: defend with purpose.
Slide 37
Thank You