October 25, 2017 Chicago, IL USA
Threat Intelligence and Risk, a Wild Goose Chase?
Rob Gresham, Security Solutions Architect, Phantom
My years in information security… Hobbies: Home Improvement, traveling, running. @SOCologize. Oh, and infosec…
• Gaming Geek (Atari User)
• Cyber Warrior (Information Assurance)
• Joins a Startup (likes to work… A LOT OF work!)
• Incident Responder
• Network Defender (Team Builder)
Explosion of IoT and Porous Boundaries
http://assets.investmentu.com/contents/2016/08/iotgraph.jpg
Understanding Risk Calculus
• Define the risks and measure them
• It’s about context and not content
• Think like an attacker
• Knowing is half the battle, analyzing is one step to winning
https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks
Risk Management: Hazard/Risk = Likelihood x Impact
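A worked version of this risk calculus, added here as an example and not part of the talk or of Phantom's own code. The scanner's severity is the content; the threat-intelligence flags (public exploit, internet exposure, campaigns against the sector, patch state) are the context that the later slides ask about ("Is the Vuln Exploitable?", "Define the So What"). The register is re-ranked by Likelihood x Impact with the context folded into likelihood. The 1..5 scales, the one-step weights and the asset and vulnerability names are all assumptions.

```python
from dataclasses import dataclass

# Added example, not from the talk. Scales are assumptions: likelihood and
# impact both run 1..5, so risk = likelihood x impact lies in 0..25.


@dataclass
class Exposure:
    asset: str
    vulnerability: str              # placeholder id, not a real CVE number
    base_likelihood: int            # 1..5 from scanner severity alone (content)
    impact: int                     # 1..5 from the business continuity plan (crown jewels)
    exploit_public: bool = False    # "Is the vuln exploitable?" (operational intel)
    internet_facing: bool = False   # sits on a pathway reachable from outside
    sector_targeted: bool = False   # intel reports campaigns against our vertical
    patched: bool = False           # tactical mitigation already applied


def contextual_likelihood(e: Exposure) -> int:
    """Adjust scanner likelihood with threat-intelligence context.

    Each context flag shifts likelihood by one step (assumed weights); the
    result is clamped to 0..5. A patched exposure scores 0 whatever its context.
    """
    if e.patched:
        return 0
    score = e.base_likelihood
    score += 1 if e.exploit_public else 0
    score += 1 if e.internet_facing else -1   # internal-only assets need a foothold first
    score += 1 if e.sector_targeted else 0
    return max(0, min(5, score))


def risk(e: Exposure) -> int:
    """Risk = Likelihood x Impact, with likelihood taken from contextual_likelihood."""
    return contextual_likelihood(e) * e.impact


def naive_risk(e: Exposure) -> int:
    """Same formula without intel context (content only), for comparison."""
    return e.base_likelihood * e.impact


def rank(exposures):
    """Return the register ordered by contextual risk, highest first."""
    return sorted(exposures, key=risk, reverse=True)


# Constructed register of four exposures (names and scores are made up).
REGISTER = [
    Exposure("hr-portal", "VULN-A", base_likelihood=5, impact=3,
             exploit_public=False, internet_facing=False),
    Exposure("payments-gw", "VULN-B", base_likelihood=3, impact=5,
             exploit_public=True, internet_facing=True, sector_targeted=True),
    Exposure("dev-jenkins", "VULN-C", base_likelihood=4, impact=4,
             exploit_public=True, internet_facing=False, patched=True),
    Exposure("kiosk-01", "VULN-D", base_likelihood=2, impact=1,
             internet_facing=True),
]

if __name__ == "__main__":
    for e in rank(REGISTER):
        print(f"{e.asset:12} naive={naive_risk(e):2}  contextual={risk(e):2}")
```

On this register the content-only score would put the already patched build server first (16) and tie the HR portal with the payment gateway (15 each); with context the gateway moves to the top (25), the patched server drops to 0, and the analyst's queue matches what the intelligence actually says.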
Understanding Attack Pathways
https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks
Overview of Threat Intelligence
• Strategic Intelligence: Board Level Awareness – Security Vision, Policy and Planning – Threat Statistics & Reporting
• Operational Intelligence: Decision Making – Awareness & Proactive Threat Assessments and Analysis – Partner Integration
• Tactical Intelligence: Threat Library – Sharing/Automation – Atomic Indicators, Incident & Intrusion Analysis, Malware Reverse Engineering
• Business Threat Landscape: Insider Threat and Hacktivists – Cyber Crime – Nation States (External Threats)
Why Threat Intelligence Matters to Risk
https://www.owasp.org/index.php/CISO_AppSec_Guide:_Criteria_for_Managing_Application_Security_Risks
Strategic Intelligence
• What reports should I read?
• How do these threats apply to my industry?
• What do I need to do now?
• How does the threat landscape affect the business risks?
• What data is being targeted?
• How do I plan for the future?
Board Level Threat Awareness with threat statistics and reporting
Contextual Risk: Threat Means and Motive
• Characterize the methods towards motives
• Develop relationships to vulnerabilities
• Understand strategic planning and…
What problem are we trying to solve?
[Pie chart: share of attacks by category. Categories: Unknown CC, Unknown CW, Unknown H, Account Hijacking CC, Account Hijacking H, Targeted Attack, SQLi, DDoS, Malvertising, Defacement, Malware. Slice values: 28%, 23%, 11%, 9%, 7%, 6%, 4%, 4%, 4%, 3%, 1%]
Contextual Risk: Vulnerability Exposure
• 26% – Exploited User
• 38% – Malicious Files
• 25% – Email/Website Malicious content
Equals 89% Risk from Phishing
Nothing new, right? Q: When does a cool sexy new security product protect? e.g. Endpoint Detection and Response (EDR/IDR)
[Chart: Authenticated locally logged on user with limited privileges 26%; Website or e-mail with malicious content 25%; Malicious remote network traffic 6%; Website with malicious content 5%]
Adversarial Tactics, Techniques and Common Knowledge (ATT&CK)
Containment & Incident Response – Proactive Detection – Mitigation
• Persistence
• Privilege Escalation
• Credential Access
• Host Enumeration
• Defense Evasion
• Lateral Movement
• Execution
• Collection
• Command and Control
• Exfiltration
Higher fidelity on right-of-exploit, post-access phases
Describes behavior sans adversary tools
MITRE, https://attack.mitre.org
Understand Defensive Courses of Action
Source: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

| Phase | Detect | Deny | Disrupt | Degrade | Deceive |
| --- | --- | --- | --- | --- | --- |
| Recon | Web Analytics | Firewall ACL | | | |
| Weaponize | Network Intrusion Detection (NIDS) | Network Intrusion Prevention | | | |
| Delivery | Vigilant User | Email Gateway, Proxy filter | In-line AV | Queuing, Quarantine | |
| Exploit | HIDS, Sandbox | Patching | Data Execution Protection | | |
| Control | NIDS | Firewall ACL, Content Filters | NIPS | Tarpit | DNS Redirect |
| Execute | Host Intrusion Detection (HIDS) | chroot jail, Host Firewall | AV, EDR? | | |
| Maintain | Audit Logs, SIEM | IR Analyst, DLP | IR Analyst, DLP | Quality of Service | Honeypot, HoneyToken |
Operational Intelligence: Decision Making Analysis
Decision Making
• What information is already out there? Paste sites, Dark Web, etc.
• Am I already compromised?
• How can I be attacked?
Open Source Intelligence – Contextual Threat Intelligence (Region & Vertical)
Lost Credentials - https://haveibeenpwned.com/
Bank Identification Numbers
Visualize your lost credentials here…
Dark Web Exploits for Sale
Operational Intelligence – Do we need to act?
Is the Vuln Exploitable?
Operational Intelligence – Define the So What?
Open Source Intelligence – Dig Deep
Operational Intelligence Define the So What then Pivot to Tactical
Tactical Intelligence
Signatures, Indicators of Compromise, Behavior Analysis – Intrusion prevention, sandbox, endpoint
Vendors, industry partners, are you sharing? Bring the HEAT to the Adversary!!
Pyramid of Pain (top to bottom):
• TTPs
• Tools
• Network/Host Artifacts
• Domain Names
• IP Addresses
• Hashes
David Bianco, Pyramid of Pain, http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
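An added example, not the talk's or Phantom's code, of putting the bottom three tiers of the pyramid to work in the tactical loop: it parses a constructed one-indicator-per-line feed, classifies each atomic indicator as hash, IP address or domain name, runs them over constructed proxy and endpoint log lines, and orders the hits so the more durable domain matches surface ahead of IP and hash matches. The feed contents, the log format and the 203.0.113.0/24 and .example values are all constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Added example, not from the talk. Feed and log lines are constructed; the
# 203.0.113.0/24 range and .example names are reserved for documentation.

# Pyramid of Pain tiers from the bottom (trivial for the adversary to change)
# upward. Only the three atomic tiers are string-matchable; artifacts, tools
# and TTPs need behavioural detections rather than lookups.
PAIN = {"hash": 1, "ip": 2, "domain": 3}

RE_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
RE_IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
RE_DOMAIN = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def classify(indicator: str):
    """Return 'hash', 'ip' or 'domain' for an atomic indicator, else None."""
    if RE_HASH.match(indicator):
        return "hash"
    if RE_IPV4.match(indicator):
        return "ip"
    if RE_DOMAIN.match(indicator):
        return "domain"
    return None


def load_feed(text: str):
    """Parse a feed into {type: set(indicators)}, lower-casing values and
    skipping blank lines, '#' comments and anything that does not classify."""
    feed = {"hash": set(), "ip": set(), "domain": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind = classify(line)
        if kind:
            feed[kind].add(line.lower())
    return feed


def _normalize(tok: str):
    """Reduce a log token to the value an indicator could match: the hostname
    of a URL, the value of key=value, an address without its :port suffix."""
    if "://" in tok:
        return urlsplit(tok).hostname          # already lower-cased
    if "=" in tok:
        tok = tok.split("=", 1)[1]
    return re.sub(r":\d+$", "", tok).lower() or None


def _domain_candidates(host: str):
    """Yield the host and each parent domain, so c2.bad.example hits bad.example."""
    parts = host.split(".")
    for i in range(len(parts) - 1):
        yield ".".join(parts[i:])


def match_logs(feed, log_lines):
    """Run the atomic indicators over whitespace-separated log lines.

    Returns (line_number, indicator_type, indicator) tuples, highest pain tier
    first so the analyst sees the most durable hits at the top of the queue."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for tok in line.split():
            value = _normalize(tok)
            if not value:
                continue
            if value in feed["hash"]:
                hits.append((n, "hash", value))
            elif value in feed["ip"]:
                hits.append((n, "ip", value))
            else:
                for cand in _domain_candidates(value):
                    if cand in feed["domain"]:
                        hits.append((n, "domain", cand))
                        break
    return sorted(hits, key=lambda h: (-PAIN[h[1]], h[0]))


# Constructed indicator feed (not real threat data).
FEED = """# constructed feed, one indicator per line
d41d8cd98f00b204e9800998ecf8427e
203.0.113.42
Bad.Example
not an indicator
"""

# Constructed proxy and endpoint log lines.
LOGS = [
    "2017-10-25T10:00:01Z 10.0.0.5 GET http://update.bad.example/a.php 200",
    "2017-10-25T10:00:07Z 10.0.0.9 GET http://www.example.org/ 200",
    "2017-10-25T10:01:13Z 10.0.0.5 CONNECT 203.0.113.42:443 200",
    "2017-10-25T10:02:00Z host=ws-17 file=invoice.exe md5=d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for line_no, kind, value in match_logs(load_feed(FEED), LOGS):
        print(f"line {line_no}: {kind:6} {value}")
```

The subdomain walk is what makes the domain tier pay off: a feed entry of bad.example still fires on update.bad.example, whereas the hash only fires on an identical file and the IP only until the adversary moves infrastructure.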
Contextual Impact
Contextual Impact – Focus on what is important
• Protect the pathways to and from critical systems and data
• Use the business continuity plans to define the crown jewels
• Reduce the impact to the enterprise
Ineffective Response = Huge Business Impact
From 200 to 2100 affected systems in less than 48 hours – why?? Pinkslipbot/Qbot – a cybercrime worm that spreads over network shares and that steals banking credentials, logged-on and admin credentials, among others
[Chart: affected systems over time, 0 to 2500, Server vs Workstation; annotated 1st Detect, 2nd Detect, Contain, Eradicate, Recover]
Key Takeaways
Where’s the Val
• Intelligence preparation allows us to understand what’s important
• Strategic Intelligence supports technology needs
• Operational Intelligence remediates risk and supports process
• Tactical intelligence mitigates impact
• Vulnerabilities will continue...
• People can understand the threat, respond quickly and reduce the impact
About Phantom
Problem Today
• Resources: shortage of 1 million security professionals
• Products: endless assembly line of point products
• Static: static independent controls with no orchestration
• Speed: speed of detection, triage, and response time must improve
• Costs: costs continue to increase
Automating Security Operations
• Point Products (Observe / Sensing): Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation
• Analytics (Orient / Sense-making): SIEM, Threat Intel Platform, Hadoop, GRC
• Decision Making: Tier 1, Tier 2, Tier 3 analysts – manual (today) vs. automated
• Acting: Firewall, IDS / IPS, Endpoint, WAF, Advanced Malware, Forensics, Malware Detonation
Shameless Plug
blog.phantom.us
twitter.com/tryphantom
Phantom-community
Rob Gresham, Security Solutions Architect, [email protected]
JOIN US @ phantom.us/join
The 1st Community-Powered Security Automation & Orchestration Platform
Thank You