so you want a threat intelligence function (but were afraid to ask)
TRANSCRIPT
© 2015 Lancope, Inc. All rights reserved.
About the Presenter
• Gavin Reid is Vice President of Threat Intelligence at Lancope. With over 25 years of experience in threat intelligence, Reid was a driving force behind the development of big data analytics and threat identification.
• While serving at Cisco Systems as director of threat research for Security Intelligence Operations, he led a team that developed new data analytics technologies to detect and remediate advanced cybersecurity threats.
• Reid also created and led Cisco’s Computer Security Incident Response Team (CSIRT), a global organization of information security professionals responsible for monitoring, investigating and responding to cybersecurity incidents.
• In addition to his time at Cisco, Reid also served as the vice president of threat intelligence at Fidelity Investments and oversaw IT security at NASA’s Johnson Space Center.
What can threat intelligence help you with?
Are we part of X new hack? If the hackers reuse infrastructure, will we notice and be able to take advantage of that?
Is this file malicious?
What has this IP done in the past?
How did we get infected?
Are we compromised?
How do we know if we are completely clean of compromise?
Indicators of Compromise…
[Diagram: Site A, Site B, Site C, Data Center, Cloud, Internet]
• Observables
• Measurable events
• Stateful properties
“An IOC is an observable artifact of an intrusion on a host or network. Analysts can use it to trace the steps of an attack and identify what was affected, how long it was active or if there are any persisting elements of the intrusion.”
What is an indicator?
* Full list at http://openioc.org/terms/Current.iocterms
IP with context…
Attachment MD5s:
b4fe7224da594703e78d62d9cb85c5f4
c3a00c36ea51040c3a10c557154bc7b1
5b9acbcd65555398a7e3fd0f0a389cf9
582b75b4f8855dbe555bff080c57808a
Be699ba4855340adf5c9d7092e9df08b
Payload URLs:
hxxp://internetz1[.]com/03/39.exe
hxxp://gggrp[.]com/03/59.exe
hxxp://fefg[.]com/03/39.exe
hxxp://woofe[.]com/03/39.exe
hxxp://contestswin[.]net/03/39.exe
Payload MD5: 5e91af2e44c17de55134ff935c0f30f1
C2: 130.0.133[.]35
Malware: Dridex
Attachment File Name: RZZA3440.doc
Sources…
Industry Orgs
Secret Groups
Vendor Threat Intel
First Party Data
Government Orgs
Peer Groups
Open Source
CIRTs
ISACs
What IS context?
Start time?
End time?
Impact?
Data restriction?
Who found it? (contact)
How was it found?
Related activity?
Description?
Confidence?
Data Enrichment…
Whois
GeoLocation
Reputation
History
Hash
PDNS
VirusTotal
Sandboxing
Confidence
Types of ingestion…
Machine: STIX, TAXII, CSV, JSON
Manual: Email lists, PDF alerts, Phone call from other IRT
Operationalizing…
Data Source → Feed Manager → Comparison Engine → Internal Data → Decision: Is there a match?
Data Source (Subscribed Feeds): Internet Identity, iSight Partners, ZeuS Tracker, CriticalStack
Feed Manager: Soltra, ThreatConnect, CRITs
Comparison Engine: Splice/Splunk, SIM, Logger
Internal Data: IDS/IPS, HIDS, NetFlow…
Decision: Is there a match?
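The ingestion and operationalizing slides carried through in code, as an added example that is not from the presentation or from Lancope: two constructed feeds, one CSV and one JSON, are refanged and normalized into a single IOC record carrying the context fields from the earlier slides (type, confidence, source, first seen), merged the way a feed manager would, and then run through a small comparison engine against constructed NetFlow, proxy and endpoint file-hash events. The feed layouts, field names, the sample internal events and the 75-point alert threshold are all assumptions; the indicator values reuse the Dridex examples from the "IP with context" slide.

```python
import csv
import io
import json
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed sample feeds (not from the slides); field names are assumptions.
CSV_FEED = """indicator,type,confidence,source,first_seen
130.0.133[.]35,ip,90,vendor-feed-A,2015-03-01
hxxp://internetz1[.]com/03/39.exe,url,80,vendor-feed-A,2015-03-01
5e91af2e44c17de55134ff935c0f30f1,md5,95,vendor-feed-A,2015-03-01
"""
JSON_FEED = json.dumps({
    "source": "peer-group-B",
    "indicators": [
        {"value": "gggrp[.]com", "kind": "domain", "conf": 60, "seen": "2015-03-02"},
        {"value": "130.0.133.35", "kind": "ip", "conf": 70, "seen": "2015-03-02"},
    ],
})

# Constructed internal data the comparison engine runs against.
FLOWS = [  # NetFlow-style records
    {"src": "10.1.2.3", "dst": "130.0.133.35", "dport": 6667},
    {"src": "10.1.2.4", "dst": "198.51.100.7", "dport": 443},
]
PROXY_LOG = [  # "timestamp client url"
    "2015-03-05T10:00:01Z 10.1.2.3 http://internetz1.com/03/39.exe",
    "2015-03-05T10:00:02Z 10.1.2.5 http://gggrp.com/index.html",
    "2015-03-05T10:00:03Z 10.1.2.6 http://example.com/",
]
FILE_EVENTS = [{"host": "ws-01", "file": "39.exe", "md5": "5E91AF2E44C17DE55134FF935C0F30F1"}]


@dataclass(frozen=True)
class IOC:
    value: str        # refanged, lower-cased indicator
    kind: str         # ip, domain, url, md5
    confidence: int   # 0-100 as supplied by the feed
    source: str       # comma-joined list of feeds that carried it
    first_seen: str


def refang(value: str) -> str:
    """Undo common defanging: hxxp:// -> http://, [.] -> ., then lower-case."""
    v = re.sub(r"^hxx(ps?://)", r"htt\1", value.strip(), flags=re.I)
    return v.replace("[.]", ".").lower()


def ingest_csv(text: str) -> list:
    return [IOC(refang(r["indicator"]), r["type"].lower(), int(r["confidence"]),
                r["source"], r["first_seen"]) for r in csv.DictReader(io.StringIO(text))]


def ingest_json(text: str) -> list:
    doc = json.loads(text)
    return [IOC(refang(i["value"]), i["kind"].lower(), int(i["conf"]), doc["source"], i["seen"])
            for i in doc["indicators"]]


def merge(iocs: list) -> list:
    """Feed manager step: one record per (kind, value), highest confidence, sources joined."""
    merged = {}
    for i in iocs:
        key = (i.kind, i.value)
        if key in merged:
            p = merged[key]
            merged[key] = IOC(i.value, i.kind, max(p.confidence, i.confidence),
                              ",".join(sorted(set(p.source.split(",")) | {i.source})),
                              min(p.first_seen, i.first_seen))
        else:
            merged[key] = i
    return list(merged.values())


def compare(iocs: list, flows: list, proxy_log: list, file_events: list) -> list:
    """Comparison engine: type-aware lookup of every internal event against the IOC set."""
    index = {}
    for i in iocs:
        index.setdefault(i.kind, {})[i.value] = i
    hits = []
    for f in flows:
        for side in ("src", "dst"):
            ioc = index.get("ip", {}).get(f[side])
            if ioc:
                hits.append({"data": "netflow", "event": f, "ioc": ioc})
    for line in proxy_log:
        _ts, _client, url = line.split()
        url = url.lower()
        ioc = index.get("url", {}).get(url) or index.get("domain", {}).get(urlparse(url).hostname)
        if ioc:
            hits.append({"data": "proxy", "event": line, "ioc": ioc})
    for ev in file_events:
        ioc = index.get("md5", {}).get(ev["md5"].lower())
        if ioc:
            hits.append({"data": "endpoint", "event": ev, "ioc": ioc})
    return hits


def decide(hits: list, alert_threshold: int = 75) -> dict:
    """Decision step: low-confidence matches go to analyst review instead of paging."""
    out = {"alert": [], "review": []}
    for h in hits:
        out["alert" if h["ioc"].confidence >= alert_threshold else "review"].append(h)
    return out


def run_example():
    iocs = merge(ingest_csv(CSV_FEED) + ingest_json(JSON_FEED))
    hits = compare(iocs, FLOWS, PROXY_LOG, FILE_EVENTS)
    return iocs, hits, decide(hits)


if __name__ == "__main__":
    for h in run_example()[1]:
        print(h["data"], h["ioc"].kind, h["ioc"].value, h["ioc"].confidence, h["ioc"].source)
```

Two details matter in practice: the same C2 address arrives defanged from one feed and plain from the other, so normalization has to happen before the merge or the two copies never meet; and the decision step keeps the low-confidence domain match out of the alert queue, which is where the "false positives" and "no or poor context" concerns on the next slide are actually managed.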
Can you protect what you can’t see?
Concerns…
False Positives
No or Poor context
Time
Inability to Operationalize
Only gives a 48hr head start
Issue with Sharing
IOC Lifecycle…
Create IOCs
Deploy IOCs
Identify Affected Systems
Collect Data
Analyze Data
Make sure you have deliverables…
Beyond needle and haystack
Prove the negative
Deliver daily, weekly, monthly
Lead the organization's perspective on threat
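The lifecycle and deliverables slides as an added example (again not the presentation's own code): a small tracker moves indicators through created, deployed, triage and retired, records which systems a match identified, ages out deployed indicators that never matched, and emits a daily report whose "no hits in window" list is the "prove the negative" deliverable. The state names, the TTL-based retirement rule, the report fields and the 40-day walk-through are assumptions; the indicator values reuse the page's Dridex examples.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class TrackedIOC:
    value: str
    kind: str
    source: str
    created: datetime
    ttl_days: int                  # assumption: retire a never-matching indicator after this many days
    state: str = "created"         # created -> deployed -> triage -> retired (names are assumptions)
    hits: list = field(default_factory=list)   # (timestamp, asset) pairs from the comparison engine


class IOCLifecycle:
    """Tracks indicators from creation to retirement and produces the daily deliverable."""

    def __init__(self):
        self.iocs = {}

    def _get(self, kind, value):
        return self.iocs[(kind, value.lower())]

    def create(self, value, kind, source, created, ttl_days=30):
        ioc = TrackedIOC(value.lower(), kind, source, created, ttl_days)
        self.iocs[(kind, ioc.value)] = ioc
        return ioc

    def deploy(self, kind, value):
        ioc = self._get(kind, value)
        if ioc.state != "created":
            raise ValueError(f"cannot deploy {value} from state {ioc.state}")
        ioc.state = "deployed"

    def record_hit(self, kind, value, when, asset):
        """Identify affected systems: a match from the comparison engine lands here."""
        ioc = self._get(kind, value)
        if ioc.state not in ("deployed", "triage"):
            raise ValueError(f"hit on {value} while in state {ioc.state}")
        ioc.hits.append((when, asset))
        ioc.state = "triage"

    def age_out(self, now):
        """Retire deployed indicators past their TTL that never matched; returns what was retired."""
        retired = []
        for ioc in self.iocs.values():
            if ioc.state == "deployed" and now - ioc.created > timedelta(days=ioc.ttl_days):
                ioc.state = "retired"
                retired.append(ioc.value)
        return retired

    def affected_systems(self):
        return sorted({asset for ioc in self.iocs.values() for _, asset in ioc.hits})

    def daily_report(self, now, window=timedelta(days=1)):
        """The daily deliverable: state counts, hits in the window, and the explicit negative."""
        by_state = {}
        for ioc in self.iocs.values():
            by_state[ioc.state] = by_state.get(ioc.state, 0) + 1
        active = [i for i in self.iocs.values() if i.state in ("deployed", "triage")]
        recent = [(i.value, t, a) for i in active for t, a in i.hits if now - t <= window]
        quiet = sorted(i.value for i in active if not any(now - t <= window for t, _ in i.hits))
        return {
            "as_of": now.isoformat(),
            "by_state": by_state,
            "active_indicators": len(active),
            "hits_in_window": recent,
            "affected_systems": self.affected_systems(),
            "no_hits_in_window": quiet,   # "we looked for these and found nothing"
        }


def demo():
    """Constructed walk-through: three indicators, one of which matches twice over 40 days."""
    day0 = datetime(2015, 3, 1)
    lc = IOCLifecycle()
    lc.create("130.0.133.35", "ip", "vendor-feed-A", day0)
    lc.create("gggrp.com", "domain", "peer-group-B", day0)
    lc.create("5e91af2e44c17de55134ff935c0f30f1", "md5", "vendor-feed-A", day0, ttl_days=90)
    for kind, value in list(lc.iocs):
        lc.deploy(kind, value)
    lc.record_hit("ip", "130.0.133.35", day0 + timedelta(days=1), "ws-01")
    lc.record_hit("ip", "130.0.133.35", day0 + timedelta(days=40), "ws-07")
    retired = lc.age_out(day0 + timedelta(days=40))
    return retired, lc.daily_report(day0 + timedelta(days=40))


if __name__ == "__main__":
    retired, report = demo()
    print("retired:", retired)
    print("report:", report)
```

The point of the `no_hits_in_window` field is that a report saying "checked N active indicators against the day's NetFlow and logs, these produced nothing" is a deliverable in its own right; the TTL keeps the deployed set from growing without bound, which is one way to address the "time" and "inability to operationalize" concerns from the earlier slide.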
Bringing it Together
– Investigator finds new malware in a Word doc used in a spearphish; hashes the file: 7c47ff87c0frca93e135c9acffee48d3f
– Sandboxes it and finds the C2. Queries the TI database (Intel 471) and finds that the same file/C2 has been used before by a specific hacker group X
– Group X uses various hacker forums, IRC, samples, URLs and C2s
– Checks NetFlow for IRC connections to the server. Runs the new IOCs through the comparison engine and finds other infections, helping the organization completely understand and fix the problem