
Utilizing Cyber Intelligence to Combat Cyber Adversaries
Jon DiMaggio, IntelThreat
7 October 2014

Upload: open-analytics

Post on 26-May-2015


DESCRIPTION

Jon DiMaggio's presentation at the Open Analytics Cyber Summit

TRANSCRIPT

Page 1: Utilizing cyber intelligence to combat cyber adversaries (OA Cyber Summit)

Utilizing Cyber Intelligence to Combat Cyber Adversaries

Jon DiMaggio, IntelThreat

7 October 2014

Page 2

Problem
• Advanced threats driven by state-sponsored groups, hacktivists and organized crime rings have become increasingly difficult to defend against with traditional Computer Network Defense (CND) security practices
• Traditional indicator- and signature-driven solutions alone are no longer sufficient to protect against these threats
• Historically, intelligence was conducted only by military and government organizations

Page 3

Cyber Intelligence
• Purpose: cyber intelligence products provide information on cyber threats, track trends and allow for predictive analysis of cyber threat groups
• Process: take open source research, official reporting (reporting from credible organizations) and internal cyber attack data, and fuse them into an actionable product for dissemination specific to your organization
• Intent: support other security operations teams by filling intelligence gaps and providing information not currently being identified or tracked

Page 4

Advanced Threat Categories
• APT
– Malware
– Spear phishing emails and watering holes
• Hacktivists
– Attack in large numbers
– DDoS attacks
– Data compromise
– Public posts of sensitive data
• Crime rings
– Ransomware
– Tor network
– Blend in
• Unknown
– Similar tactics, techniques and procedures (TTPs)
– Use of buckets or clustering

Page 5

Complexity of Advanced Threats
• Advanced threats often go undetected
– Human operators driving attacks
– Malware
• These advanced attackers create and collect intelligence through analysis of their targets
• The planning, patience and human-driven aspects of advanced threats make traditional security models less effective

Page 6

CND vs. Cyber Intelligence
• Computer Network Defense and Cyber Intelligence: what is the difference?
– CND: direct and immediate impact on operations
– CND: identify malicious traffic and stop it
– Cyber Intelligence: understand why attacks are being conducted and the motivation behind them
– Cyber Intelligence: understand who is targeting your organization and what they want
• Think of the role of a police officer compared to a detective

Page 7

Cyber Intelligence & Tracking Adversaries
• Making cyber intelligence actionable
– Targeting
– Infrastructure
– Personas used in advanced attacks
– Malware
– Spear phishing emails

Page 8

Pivoting
• Using an indicator or piece of information to discover new, related intelligence by identifying a relationship between the two
• Open source and commercial services can assist with pivoting on intelligence to learn previously unknown information about your adversary
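A worked illustration of the pivot step, added here as an example and not taken from the presentation. It assumes a small, constructed store of indicator relationships of the kind passive DNS, WHOIS and sandbox reports produce (the domains, the 203.0.113.10 documentation address, the registrant email and the sample names are placeholders, not real indicators). Starting from one known indicator it walks the relationships outward a bounded number of hops, records the chain of relationships that justifies each new lead, and refuses to expand through indicators an analyst has marked as shared infrastructure, since pivoting through a shared hosting IP or a privacy-proxy email links the seed to everyone.

```python
from collections import deque

# Constructed relationship data for illustration (placeholder names and an
# RFC 5737 documentation address, not real indicators). In practice the
# triples come from passive DNS, WHOIS, sandbox reports and internal incident
# data: (source indicator, relationship, target indicator).
RELATIONS = [
    ("evil-update.example", "resolves_to", "203.0.113.10"),
    ("cdn-patch.example", "resolves_to", "203.0.113.10"),
    ("cdn-patch.example", "registrant_email", "ops@mailer.invalid"),
    ("news-portal.example", "registrant_email", "ops@mailer.invalid"),
    ("sample-a1", "beacons_to", "evil-update.example"),
    ("sample-b7", "beacons_to", "news-portal.example"),
    ("sample-b7", "dropped_by", "invoice.doc"),
]


def build_graph(relations):
    """Undirected adjacency map: indicator -> [(neighbour, relationship)]."""
    graph = {}
    for src, rel, dst in relations:
        graph.setdefault(src, []).append((dst, rel))
        graph.setdefault(dst, []).append((src, rel))
    return graph


def pivot(graph, seed, max_hops=2, stop_at=frozenset()):
    """Breadth-first pivot outwards from `seed`.

    Returns {indicator: (hops, path)} where `path` alternates indicators and
    the relationships that connect them, so an analyst can see why two
    indicators are linked. Indicators in `stop_at` are recorded but never
    expanded: shared hosting IPs, privacy-proxy registrant emails and other
    infrastructure used by many unrelated parties would otherwise connect
    the seed to most of the internet.
    """
    found = {seed: (0, [seed])}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        hops, path = found[node]
        if hops >= max_hops or node in stop_at:
            continue
        for neighbour, rel in graph.get(node, []):
            if neighbour not in found:
                found[neighbour] = (hops + 1, path + ["--%s--" % rel, neighbour])
                queue.append(neighbour)
    return found


def new_leads(found, known):
    """Indicators the pivot surfaced that were not already tracked, sorted by
    hop count so the closest (most trustworthy) links come first."""
    leads = [(hops, ind, " ".join(path))
             for ind, (hops, path) in found.items() if ind not in known]
    return sorted(leads)


if __name__ == "__main__":
    graph = build_graph(RELATIONS)
    known = {"evil-update.example", "sample-a1"}   # what the incident gave us
    for hops, ind, path in new_leads(pivot(graph, "evil-update.example", 3), known):
        print(hops, ind, ":", path)
```

Each lead comes with the relationship chain that produced it, which is what a reviewer needs to judge whether the link is real; the hop limit and the stop list are the two controls that keep the pivot from degenerating into "everything is related".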

Page 9

Cyber Intelligence Fusion Process
• Track
• Research
• Pivot
• Analyze
• Fuse
• Document

Page 10

Creating Actionable Products
• Use data gained from tracking adversaries and the cyber intelligence fusion process to create actionable products, which are described in detail on the following slides

Flow: cyber intelligence product, distributed to and digested by security analysts, managers and network defenders, leading to an informed action or defense decision

Page 11

Threat Actor Profiling
• Objective: provide a cyber fingerprint of advanced threats, minimizing the time it takes an analyst to recognize that activity on their network comes from an advanced threat group
• Provide profiling of:
– Threat actor groups
– CNE operators / hackers: who they are, where they are and what they are targeting

Page 12

Threat Actor "Attack" Time Lines
Create time lines showing the events and dates of activity targeting your organization
– Identify trends and patterns in activity, such as the most active months, weeks and days for each threat group
– Identify gaps in activity
– Compare against other campaigns
– Compare against other significant events (public events, military or political events, major hacktivist operations, etc.)
– Allow for predictive analysis based on patterns and trends in the data

Adversary historical data + analysis of trends and patterns = smart predictive analysis
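The time line analysis above, carried through on constructed data as an added example (not the presenter's own tooling). The activity log for two hypothetical groups, the external event and every date are made up; the functions compute what the slide lists: most active month and weekday per group, gaps in activity, activity near a significant external event, and a deliberately naive projection of the next likely active date from the group's typical interval, which is a starting point for a watch list rather than a prediction to act on by itself.

```python
from collections import Counter
from datetime import date, timedelta

# Constructed activity log for two hypothetical groups (all dates made up):
# (threat group, date observed, activity type). In practice this is built
# from incident tickets, mail gateway logs and C2 detections over months.
EVENTS = [
    ("GroupA", date(2014, 1, 14), "spear phish"),
    ("GroupA", date(2014, 1, 21), "spear phish"),
    ("GroupA", date(2014, 2, 4), "C2 beacon"),
    ("GroupA", date(2014, 4, 8), "spear phish"),
    ("GroupA", date(2014, 4, 15), "watering hole"),
    ("GroupA", date(2014, 4, 22), "spear phish"),
    ("GroupB", date(2014, 3, 1), "DDoS"),
    ("GroupB", date(2014, 3, 2), "DDoS"),
    ("GroupB", date(2014, 9, 6), "DDoS"),
]

# Constructed external events to compare the time line against.
SIGNIFICANT = [
    (date(2014, 4, 10), "public report on the sector (constructed)"),
]


def timeline(events, group):
    """Sorted dates of activity attributed to one group."""
    return sorted(d for g, d, _ in events if g == group)


def activity_profile(events, group):
    """Most active month and weekday, and the activity mix, for one group."""
    dates = timeline(events, group)
    if not dates:
        return {"events": 0}
    months = Counter(d.strftime("%Y-%m") for d in dates)
    weekdays = Counter(d.strftime("%A") for d in dates)
    top_day, top_count = weekdays.most_common(1)[0]
    return {
        "events": len(dates),
        "busiest_month": months.most_common(1)[0][0],
        "busiest_weekday": top_day,
        "weekday_share": top_count / len(dates),   # how regular the pattern is
        "activities": dict(Counter(a for g, _, a in events if g == group)),
    }


def gaps(events, group, min_days=30):
    """Quiet periods of at least `min_days` between consecutive observations."""
    dates = timeline(events, group)
    return [(a, b, (b - a).days)
            for a, b in zip(dates, dates[1:]) if (b - a).days >= min_days]


def near_significant(events, group, significant, window_days=7):
    """Activity within +/- window_days of a significant external event,
    with the offset in days so before/after is visible."""
    hits = []
    for when, what in significant:
        for g, d, a in events:
            if g == group and abs((d - when).days) <= window_days:
                hits.append((d, a, what, (d - when).days))
    return hits


def project_next(events, group):
    """Naive projection: last observation plus the median interval between
    observations. Illustrative only; a real forecast weighs campaign phase,
    holidays in the operators' time zone and the external calendar."""
    dates = timeline(events, group)
    if len(dates) < 2:
        return None
    intervals = sorted((b - a).days for a, b in zip(dates, dates[1:]))
    return dates[-1] + timedelta(days=intervals[len(intervals) // 2])


if __name__ == "__main__":
    for group in ("GroupA", "GroupB"):
        print(group, activity_profile(EVENTS, group))
        print("  gaps:", gaps(EVENTS, group))
        print("  near external events:", near_significant(EVENTS, group, SIGNIFICANT))
        print("  naive next window:", project_next(EVENTS, group))
```

The `weekday_share` value is the number to watch: a group whose activity lands on the same weekday every time is a group whose working week you can plan detection staffing around, while a share near one seventh says the weekday is noise.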

Page 13

Malware Intelligence
• Different from a malware report
– Focus is on what can be learned from malware when it is tracked across multiple events over time
– Track and plot malware and the files associated with a malware family
– Can produce links between malware families that are not seen when reverse engineering focuses on one sample
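An added example of the cross-event tracking this slide describes and of the "buckets or clustering" mentioned for unattributed activity on slide 4; it is not code from the presentation. The sample records are constructed (ids, import hashes, C2 names and the PDB path are placeholders, not real IOCs). Each record is what a single sandbox run or incident leaves behind; the example puts them side by side, links samples that share a strong attribute, and reports clusters whose members carry different family labels, which is exactly the link a one-sample reverse engineering report cannot show. It also handles the usual failure mode: an attribute value shared by unrelated malware (a popular packer's import hash, here the placeholder `packer9`) must not be allowed to merge everything into one bucket.

```python
from collections import defaultdict

# Constructed sample metadata (ids, hashes and paths are placeholders, not
# real IOCs). Each record is what one sandbox run or incident produced.
SAMPLES = [
    {"id": "s1", "event": "2014-01-14", "label": "FamilyX", "c2": "evil-update.example",
     "imphash": "aaa1", "pdb": r"c:\proj\loader\Release\ldr.pdb"},
    {"id": "s2", "event": "2014-02-04", "label": "FamilyX", "c2": "cdn-patch.example",
     "imphash": "aaa1", "pdb": None},
    {"id": "s3", "event": "2014-04-15", "label": "FamilyY", "c2": "news-portal.example",
     "imphash": "bbb2", "pdb": r"c:\proj\loader\Release\ldr.pdb"},
    {"id": "s4", "event": "2014-03-01", "label": "FamilyZ", "c2": "other.example",
     "imphash": "packer9", "pdb": None},
    {"id": "s5", "event": "2014-09-06", "label": "FamilyZ", "c2": "other.example",
     "imphash": "packer9", "pdb": None},
    {"id": "s6", "event": "2014-05-20", "label": "FamilyW", "c2": None,
     "imphash": "packer9", "pdb": None},
]

# Attributes strong enough to link two samples when they share a value.
LINK_ATTRIBUTES = ("c2", "imphash", "pdb")
# Values shared by unrelated malware (e.g. a common packer's import hash)
# must not link samples. Constructed placeholder value.
NOISY_VALUES = {"imphash": {"packer9"}}


def cluster_samples(samples, attrs=LINK_ATTRIBUTES, noisy=NOISY_VALUES):
    """Union-find over samples that share a non-noisy attribute value.

    Returns (clusters, links): clusters as sorted lists of sample ids, links
    as (sample, sample, attribute, value) tuples explaining every merge so
    the analyst can see which shared artifact produced each bucket.
    """
    parent = {s["id"]: s["id"] for s in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    index = defaultdict(list)            # (attribute, value) -> sample ids
    for s in samples:
        for attr in attrs:
            value = s.get(attr)
            if value and value not in noisy.get(attr, ()):
                index[(attr, value)].append(s["id"])

    links = []
    for (attr, value), ids in index.items():
        for other in ids[1:]:
            parent[find(other)] = find(ids[0])
            links.append((ids[0], other, attr, value))

    groups = defaultdict(set)
    for s in samples:
        groups[find(s["id"])].add(s["id"])
    return sorted(sorted(g) for g in groups.values()), links


def cross_family_links(samples, clusters):
    """Clusters whose members carry more than one family label."""
    label = {s["id"]: s["label"] for s in samples}
    return [(c, sorted({label[i] for i in c})) for c in clusters
            if len({label[i] for i in c}) > 1]


def family_timeline(samples, cluster):
    """Dated appearances of one cluster, for plotting next to the actor time line."""
    return sorted((s["event"], s["id"]) for s in samples if s["id"] in cluster)


if __name__ == "__main__":
    clusters, links = cluster_samples(SAMPLES)
    print("clusters:", clusters)
    for link in links:
        print("link: %s <-> %s via %s=%s" % link)
    print("cross-family:", cross_family_links(SAMPLES, clusters))
    print("timeline of first cluster:", family_timeline(SAMPLES, clusters[0]))
```

Running it with `noisy={}` shows the failure mode the stop list prevents: the shared packer import hash merges `s4`, `s5` and the unrelated `s6` into one bucket, a false link that would then propagate into actor profiling.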

Page 14

Cyber Intelligence + CND Reporting = Fusion
• Fusion reporting is designed to provide value for organizations by pivoting off multiple data sources and connecting the dots
• Fusion reporting focuses on who the attacker is, what they want and where they are likely going
• Fusion reporting focuses on intelligence to track and trend threat actors, and provides insight into adversaries' TTPs and the infrastructure, tools and personas they use
• Fusion done correctly can lead to predictive analysis

Page 15

Conclusion
• Advanced threats have changed the threat landscape, making advanced cyber threats difficult to detect
• Mitigating and cleaning up an infection post-compromise can cost hundreds of thousands to millions of dollars
• Cyber intelligence can be combined with CND capabilities, giving organizations a much broader view of who is targeting them, what the attackers want, and when and why they are being targeted
• This information can arm CND teams, as well as senior leadership, with what they need to make decisions and get ahead of today's targeted advanced cyber threats

Page 16

Contact Info Jon DiMaggio

[email protected]