Threat Intelligence in Cyber Risk Programs www.pwc.com Strictly Private and Confidential March 11, 2016 Sangram Gayal

Upload: rahul-neel-mani

Post on 13-Apr-2017


TRANSCRIPT

Page 1: Threat Intelligence in Cyber Risk Programs

Threat Intelligence in Cyber Risk Programs

www.pwc.com

Strictly Private and Confidential

March 11, 2016

Sangram Gayal

Page 2

Agenda

1. Why are we talking about this? (page 1)
2. We already have threat intelligence!!! (page 6)
3. Using Threat Intelligence (page 13)

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

This publication contains certain examples extracted from third party documentation and so being out of context from the original third party documents; readers should bear this in mind when reading the publication. The copyright in such third party material remains owned by the third parties concerned, and PwC expresses its appreciation to these companies for having allowed it to include their information in this publication. For a more comprehensive view on each company’s communication, please read the entire document from which the extracts have been taken. Please note that the inclusion of a company in this publication does not imply any endorsement of that company by PwC nor any verification of the accuracy of the information contained in any of the examples.

© 2016 PricewaterhouseCoopers Private Limited. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers Private Limited (a limited liability company in India), which is a member firm of PricewaterhouseCoopers International Limited, each member firm of which is a separate legal entity.

Page 3

PwC
March 11, 2016

Why are we talking about this?

Threat Intelligence in Cyber Risk Programs • 1

Page 4

Section 1 – Why are we talking about this?

Today, every organization endeavouring to improve its cyber posture is following the trend of adopting various security solutions. Unfortunately, many still face security incidents.

Our study shows that Indian organizations detected more incidents over the previous year, shooting up from an average of 2,895 incidents to 6,284 incidents a year: a 117% increase.

Source: PwC India GSISS 2015

[Chart: Estimated average financial loss as a result of security incident per survey respondent: India (USD)]

Page 5

Section 1 – Why are we talking about this?

We believe it is possible not only to adapt to these increasing incidents but to grow stronger because of them. A new type of organization: ‘The antifragile’.

Page 6

Section 1 – Why are we talking about this?

“Some things benefit from shocks; they thrive and grow when exposed to volatility, randomness, disorder, and stressors” – Antifragile, Nassim Nicholas Taleb

Nature is full of anti-fragile systems. Human muscles are a good example of an anti-fragile system: the more they are subjected to bouts of stress, the stronger they grow.

Page 7

Section 1 – Why are we talking about this?

The mechanism of antifragility is about early discovery, response and improving resistance.

1. Early Discovery: Early discovery of the existence of known and unknown threat vectors in the environment is important to prevent their spread and the damage they cause.

2. Rapid Response: It is important to contain the spread, assess the damage, analyse the characteristics of the threat and finally eradicate it.

3. Threat Resistance: Codify the learnings into mechanisms to detect or prevent recurrence of the threat vector. Share with others and learn from others.

All antifragile systems found in nature work on these principles, including human muscles, vaccinations, human society, etc.

Page 8

We already have threat intelligence!!!

Page 9

Section 2 – We already have threat intelligence!!!

What is threat intelligence?

Threat = Capability to Cause Harm

Intelligence = Information, Analysis & Context

Threat Intelligence = Information, its Analysis and Context Regarding ‘Things’ that might cause Harm

Page 10

Section 2 – We already have threat intelligence!!!

Types of Threat Intelligence

[Diagram: the types of threat intelligence plotted on two axes, Low Level to High Level and Short Term to Long Term, with the Area of Enterprise Focus marked]

• High Level Information on changing risks
• Attacker methodologies, tools and tactics
• Details of incoming attack
• Indicators of Specific Malware

Page 11

Section 2 – We already have threat intelligence!!!

Threat Intelligence Explained

Strategic Threat Intelligence
• Target audience: The Board, Executive Management
• Focus on changing risks, high-level topics: geopolitics, foreign markets, cultural background
• Vision timeframe: years

Tactical Threat Intelligence
• Target audience: System Admins, Pen Testers, Hunters
• Focus on TTPs (tactics, techniques, procedures, tools etc.), C2 behaviour etc.
• Vision timeframe: weeks to months

Operational Threat Intelligence
• Target audience: strategic security teams
• Focus on threat actors, nation-state actors, future attacks etc. Based on infiltrating threat actor groups
• Vision timeframe: hours to months

Technical Threat Intelligence
• Target audience: SOC, IR, Firewall Admins
• Focus on indicators of compromise, malware domains, artefacts, signatures etc.
• Vision timeframe: hours to years

Page 12

Section 2 – We already have threat intelligence!!!

The Pyramid of Pain

Pyramid of Pain (for the attacker) – David J. Bianco. Levels from the top of the pyramid (hardest for the attacker to change) to the bottom (easiest):

• TTPs – Tough
• Tools – Challenging
• System Artifacts – Annoying
• Domains – Easy
• Hash Values / IP Address – Trivial

Annotations on the slide:

• Indicators of Compromise developed by Client / PwC’s Cyber Threat Intelligence team
• Indicators of Compromise provided by most OEMs and anti-virus providers

Page 13

Section 2 – We already have threat intelligence!!!

Where do you get the Threat Intelligence?

The pyramid levels again (Hash Values / IP Address, Domains, System Artifacts, Tools, TTPs), alongside the sources of the intelligence:

• A number of open-source and commercial feeds
• Develop from known malware behaviour
• Analyse malware to understand variants, families, CnC domains and threat actors

Page 14

Section 2 – We already have threat intelligence!!!

Technical & Tactical TI – Looking at the indicators

Host indicators, from trivial to difficult (for the attacker to change):

1. MD5 / SHA-1 hash
2. Filename of initial malware
3. Files dropped by malware
4. Registry keys created by malware
5. Well-written YARA rule

Network indicators, from trivial to difficult:

1. IP address
2. Domain name
3. Exact URL accessed
4. Algorithm for generating random domains
5. Exact command channel structure

Page 15

Using Threat Intelligence

Page 16

Section 3 – Using Threat Intelligence

1. Run a Threat Intelligence Program

1. Collate and Curate Threat Feeds: Use a platform to collate and curate threat feeds and distribute them to the various detection systems. Maintain the intelligence system by adding your own threat intelligence.

2. Tactical Intelligence: Generate tactical intelligence for malware variants prevalent in your environment. Use tactical intelligence generated by communities, peers and professional agencies.

3. Sharing: Share your new threat intelligence with local and global communities. Submit malware samples, submit new indicators, and share the CnC information.

Page 17

Section 3 – Using Threat Intelligence

2. Use technical and tactical TI to detect Compromises

Active Discovery

1. Use enriched and curated Technical TI at gateways, SIEMs and domain controllers to detect compromises
2. Use Tactical TI to analyse host compromises by collecting system and memory artefacts
3. Use Tactical TI by conducting static and dynamic analysis of suspicious file samples
4. Use honeypots to actively detect lateral movement
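As an added example that is not code from the PwC deck, the Python below shows the feed curation step from page 16 and the SIEM-side matching step from page 17 together: it normalises and de-duplicates a small indicator feed, matches it against sample log lines, and ranks hits by their Pyramid of Pain level. The feed entries, log lines, indicator values and function names are all constructed for illustration.

```python
# Added example, not code from the PwC deck. All feed entries, log lines and
# indicator values below are constructed for illustration.
import re

# Pyramid of Pain level per indicator type, as labelled on the slide (low to high).
PAIN = {"md5": 0, "ip": 0, "domain": 1, "registry": 2, "tool": 3, "ttp": 4}
LEVEL_NAME = ["trivial", "easy", "annoying", "challenging", "tough"]

# Constructed raw feed: (type, value, source). Deliberately noisy: a defanged and
# mixed-case duplicate domain, stray whitespace, an upper-case hash, a bad hash.
RAW_FEED = [
    ("domain", "Update-Check[.]example", "osint"),
    ("domain", "update-check.example", "vendor"),
    ("ip", " 203.0.113.7 ", "vendor"),
    ("md5", "0123456789ABCDEF0123456789ABCDEF", "osint"),
    ("md5", "not-a-hash", "osint"),
    ("registry", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st", "internal"),
]

def curate(feed):
    """Normalise and de-duplicate feed entries; keep every source that reported one."""
    curated = {}
    for kind, value, source in feed:
        v = value.strip()
        if kind == "domain":
            v = v.lower().replace("[.]", ".")          # refang and lower-case
        elif kind == "md5":
            v = v.lower()
            if not re.fullmatch(r"[0-9a-f]{32}", v):  # drop malformed hashes
                continue
        curated.setdefault((kind, v), set()).add(source)
    return curated

# Constructed log lines as a SIEM might hold them: proxy, DNS and endpoint events.
LOGS = [
    "proxy src=10.0.0.5 dst=203.0.113.7 host=update-check.example uri=/a.php",
    "dns client=10.0.0.9 query=mail.example status=NOERROR",
    r"endpoint host=ws12 action=regset key=HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svch0st",
]

def match(curated, logs):
    """Return (line index, kind, value, pain label, sources) hits, highest pain first."""
    hits = []
    for i, line in enumerate(logs):
        low = line.lower()
        for (kind, v), sources in curated.items():
            if v.lower() in low:
                hits.append((i, kind, v, LEVEL_NAME[PAIN[kind]], sorted(sources)))
    return sorted(hits, key=lambda h: -PAIN[h[1]])
```

Substring matching is used for brevity; a production matcher should compare parsed fields, since the IP 203.0.113.7 would otherwise also match 203.0.113.71.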

Page 18

Section 3 – Using Threat Intelligence

3. Respond to compromises while leveraging Tactical Indicators

Cyber Response

1. Develop Tactical Threat Indicators for detected compromises and unknown malware
2. Use the TI to “hunt” for malware and eradicate it
3. Build a Threat Intelligence database of detected malware

Page 19

Section 3 – Using Threat Intelligence

PwC ADS Platforms – brought to you by PwC’s Active Defence Services

PwC’s Active Defence Services help organizations detect, analyse and monitor advanced threats, supported by a team of Malware Analysts, Data Scientists and Incident Responders.

01 PwC TIP: Threat Intelligence platform for threat feed aggregation, selection, visualization, and sharing.

02 PwC Nethunt: Network-level compromise assessment and hunting platform with flow and packet analysis.

03 LAMPS: Large-scale Automated Malware Analysis Platform.

04 PwC CIRCA: Cyber Incident Response and Compromise Assessment platform.

Page 20

The information contained in this document is provided 'as is', for general guidance on matters of interest only. PricewaterhouseCoopers is not herein engaged in rendering legal, accounting, tax, or other professional advice and services. Before making any decision or taking any action, you should consult a competent professional advisor.

The sleeping malware in our organizations

“the ring has awoken, it’s heard its masters call” – Gandalf, Lord of the Rings

Sangram Gayal
+91 [email protected]