Cyber Threat Intelligence (هوش تهدید سایبری), Seyed Alireza Kamrani, Kashef Secure Electronic Management Company

78 pages

Posted on 24-Jun-2020

TRANSCRIPT

Page 1: (source: conf.mbri.ac.ir/ebps8/assets/Download/کامرانی.pdf)

Cyber Threat Intelligence

Seyed Alireza Kamrani (سید علیرضا کامرانی)

Kashef Secure Electronic Management Company (شرکت مدیریت امن الکترونیکی کاشف)

Page 2: (no text extracted)

Page 3:

Disclaimer and legal notice

This presentation has been prepared solely for awareness purposes, and foreign companies or organizations are named only to illustrate global approaches; it is therefore noted that endorsing or rejecting their adoption is not within the scope of this presentation.

Page 4:

Outline

• Introduction

• Types of threat intelligence

• Lifecycle and maturity model of cyber threat intelligence

• Standards for sharing threat information

• A brief introduction to the STIX/TAXII standard

• Services, products and platforms for cyber threat intelligence

• The place of cyber threat intelligence in the SOC and CSIRT

• Threat intelligence in the banking industry

Page 5:

The main trends in the 2017 cyber threat landscape

• Increasing attack volume and complexity

• Threat agents of all types have advanced in obfuscation, that is, in hiding their trails

• Malicious infrastructures continue their transformation

• Cyber-war is entering dynamically into cyberspace

Page 6:

ENISA Threat Landscape Report 2017: 15 Top Cyber-Threats and Trends (January 2018)

Page 7:

Deloitte & Touche Middle East

Financial services threat landscape report - July 2018

* Statistics provided by IBM 2015 Cyber Security Intelligence Index Report & Ponemon Institute - 2015 Cost of Data Breach Study: Global Analysis

• 151% increase in attack indications

• 135% increase in bank data offered for sale on the black market

• 91% increase in corporate email addresses found on phishing target lists

• 40% increase in corporate credential leakage (employee or customer)

• 149% increase in stolen credit card information

• 49% rise in fake social media (profiles, apps, accounts)

Survey scope: 50 banks and financial services organizations in the US and Europe

Page 8:

Risk management process (cycle): Identify, Assess, Mitigate, Review

Page 9:

Cyber threat intelligence: definition 1

CTI: Cyber Threat Intelligence

It’s an important part of managing risk

• Threat intelligence is a critical tool for enabling the threat-centric side of a security equation and, at least in part, taking the fight to the adversary by identifying, exposing and sometimes prosecuting the threat actors.

Page 10:

Cyber threat intelligence: definition 2

CTI: Cyber Threat Intelligence

Evidence-based knowledge that includes context, indicators, evidence, mechanisms, implications and actionable advice about an existing or emerging hazard or threat to assets, on the basis of which an appropriate decision and action can be taken in response to the threat.

- Gartner

Page 11:

Types of Threat Intelligence (several groupings are shown)

• Informal / formal

• Strategic / operational

• Strategic / tactical

• Strategic / operational / tactical / technical

Pages 12-14: (no text extracted)

Page 15:

Real World Example: Email Found on DarkWeb

[email protected]

• Date & time?

• Where and who had this on the dark web?

• Captured for spam?

• Stolen credentials?

• Targeted campaign?

• Without any context, what will you do?

• http://haveibeenpwned.com/

Page 16:

Real World Example: Phishing URL

http://www.shaparaksaman.ga/payment.php

• Collected from Telegram?

• Date & time?

• Related to what threat vector or threat?

• Mobile app?

• Propagation methods

• ….

Page 17:

Real World Example: DDoS attack

• Campaign? Motivation?

• Internal or external?

• Botnet quality

• Related to what threat vector or threat?

• If you're not looking, how can you protect with assurance?

• ….

Page 18:

"Lists of bad IP addresses without context isn't CTI"

• No ability to determine the precise nature of their badness

• No information about an actual threat and threat actors, and no sources for the conclusions

• No timing information about when the IP address was actually associated with malicious activity

• Single usage ("block this IP") rather than a faceted range of uses that enriches your understanding of the threat

• Black and white in nature (good/bad), while intelligence is never black and white

Pages 19-20: (no text extracted)

Page 21:

CTI must be

Actionable

Timely

Relevant and accurate

In a structured and linked format

Durable

Pages 22-24: (no text extracted)

Page 25:

Acquire Threat Intelligence

Commercial:

• Various services

OSINT:

• Social media, web sites, public resources

• Dark web, deep web, …

Community-driven or industry-led:

• FS-ISAC, ISAOs

• CSIRT, …

Page 26:

Use cases for commercial providers (1)

Phishing Detection

• PhishMe

• DomainTools

Vulnerability Prioritization

• Kenna Security

• Core Security

Social Media Monitoring

• ZeroFOX

• Recorded Future

Surface, Deep and Dark Web Monitoring

• Flashpoint

• IntSights

Brand Monitoring

• Digital Shadows, BrandProtect

Threat Indicator Investigations and Response

• Verisign

• Group IB

Page 27:

Use cases for commercial providers (3)

Threat Intelligence Analyst Augmentation

• FireEye (iSIGHT)

• Digital Shadows

Threat Intelligence Sharing

• EclecticIQ

• ThreatConnect

Threat Actor Tracking

• Intel 471

• SenseCy

Rogue or Fake Mobile App Detection

• RiskIQ, PhishLabs, BrandProtect

Page 28:

Sample: Kaspersky Threat Intelligence Service

• Threat Data Feeds – enhance your SIEM solution and improve forensics capabilities using Cyber Threat Data from Kaspersky Lab.

• APT Intelligence Reporting – gain exclusive, proactive access to descriptions of high-profile cyber-espionage campaigns, including indicators of compromise (IOC).

• Customer-specific Threat Intelligence Reporting – identify externally available critical components of your network - employee social network profiles, personal email accounts and other information - that are potential targets for attack.

Page 29:

OSINT

Page 30:

Samples of community-driven / industry-led sources

• ISACs: Information Sharing and Analysis Centers

collect, analyze and disseminate private-sector threat information to industry and government and provide members with tools to mitigate risks and enhance resiliency

• ISAOs: Information Sharing and Analysis Organizations

• CSIRTs

Page 31:

FS-ISAC

• Enable trusted sharing between members globally

• Track 500,000+ industry-specific threat indicators

• Add 1,000s of industry threat indicators monthly

• Process 10,000+ threat repository requests/day

• Handle 420 significant threat advisories/month

• Periodic threat calls in Europe and Asia Pacific

Page 32:

February 4, 2019 — FS-ISAC Confidential. © 2016 FS-ISAC

Analysis

• Full-time ISAC Analysis Team (IAT)

o Additional analyst locations under development

• Two Security Operations Centers (SOCs), 24x7 operations (Virginia, Poland)

• Senior staff embedded at US National Cybersecurity and Communications Integration Center (NCCIC)

o Any information shared by FS-ISAC with government organizations is anonymous and only with the permission of the originator (submitter). The FS-ISAC community is based on trust and the originator (submitter) controls where the information goes.

• Real-time monitoring & sharing of threats, vulnerabilities and incidents as attacks unfold

“For threat intelligence, the FSISAC is…one of the best and most valuable resources of information I’ve ever experienced in my career.” – A Member

TLP Green

Page 33: (no text extracted)

Page 34:

Local sources for threat hunting

Malware analysis and reverse engineering

Incident investigation and forensics

Honeypots or deception solutions

SIEM/IDS/NGFW/WAF/EP/etc. solutions

Spam (and phishing email) traps

Botnet connections

…..

Page 35: (diagram; only the label "Threat" was extracted)

Page 36:

Modern SOCs

Pages 37-40: (no text extracted)

Page 41:

Threat intelligence fusion

• Link: the suspect IP is not a duplicate and is linked to pre-existing data.

• Enrich: whois, check in blacklists, …

• Relate: correlation, such as IP to campaign

• Validate and contextualize: compare with logs, other reports, …

• Rank: trust and usage

• Reformat: malware IPs into NIDS signatures

Page 42:

Indicator type and the controls that consume it:

• IP: firewall, flow data, IPS, …

• URL: IPS/IDS, email gateway, web proxy, …

• Domain: DNS, IPS/IDS, web proxy, …

• File hash: NGFW, email gateway, endpoint management, …

• Email address: email gateway, IPS/IDS, …

Page 43:

Share it!

Pick a sharing mechanism

• Web server

• File sharing site

• Threat intelligence platform (TIP)

• …

Tell people how to get it

• Internal customers

• A friend

• External trust communities

Page 44:

Recent trends of CTI sharing

• MRTI (machine-readable threat intelligence)

• TIP (threat intelligence platform)

• Open standards

Page 45:

Increasing Cyber Risks

• Malicious actors have become much more sophisticated & money driven.

• Losses to US companies now in the tens of millions; WW hundreds of millions.

• Cyber risks are now ranked #3 overall corporate risk on Lloyd’s 2013 Risk Index.

Solving the Problem

• Security standards recently matured.

• Cyber intelligence sharing platforms are revolutionizing sharing and utilization of threat intelligence.

Manually Sharing Ineffective

• Expensive because it is a slow manual process between people.

• Not all cyber intelligence is processed; probably less than 2% overall = high risk.

• No way to enforce cyber intelligence sharing policy = non-compliance.

Yesterday’s Security, Today’s Problem, Tomorrow’s Solution:

Intelligence Sharing: Identify and track threats, incorporate knowledge and share what you know manually with trusted others, which is extremely time consuming and ineffective in raising the costs to the attackers.

Network Awareness: Protect the perimeter and patch the holes to keep out threats; share knowledge internally.

Situational Awareness: Automate sharing; develop a clearer picture from all observers’ input and pro-actively mitigate.

Page 47:

CTI standards

• IODEF 2007 Incident Object Description and Exchange Format

• CIF 2009 Educause Collective Intelligence Framework

• VERIS 2010 Verizon Vocabulary for Event Recording and Incident Sharing

• OpenIOC 2011 Mandiant

• MILE 2011 Managed Incident Lightweight Exchange

• OTX 2012 AlienVault Open Threat Exchange

• TLP

Page 48:

MITRE

Page 49:

Traffic Light Protocol (TLP)

• RED: Restricted to a defined group (e.g., only those present in a meeting). Information labeled RED should not be shared with anyone outside of the group.

• AMBER: Information may be shared with FS-ISAC members.

• GREEN: Information may be shared with FS-ISAC members and partners (e.g., vendors, MSSPs, customers). Information in this category is not to be shared in public forums.

• WHITE: Information may be shared freely and is subject to standard copyright rules.

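The following is an added example in Python (not from the slides or the presenter's company) that puts pages 18, 41, 42 and 49 together: it reads a constructed STIX 2.1 indicator bundle, rejects entries that lack the context page 18 calls for, links duplicates and ranks them as in the fusion step on page 41, routes each observable type to the controls listed on page 42, and derives the sharing audience from the TLP marking as defined on page 49. The marking-definition ids are the published STIX 2.1 TLP ids; the feed names, indicator ids, timestamps and hash are made up, and treating unmarked intelligence as AMBER is an assumption of this example.

```python
import re

# Published STIX 2.1 TLP marking-definition ids (from the spec), mapped to colour.
TLP_MARKINGS = {
    "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9": "white",
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da": "green",
    "marking-definition--f88d31f6-dabc-4a3a-a72c-aa6ba2a2b78e": "amber",
    "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed": "red",
}
TLP_ID = {colour: ref for ref, colour in TLP_MARKINGS.items()}
TLP_ORDER = ["white", "green", "amber", "red"]          # least to most restrictive
TLP_AUDIENCE = {                                        # page 49's sharing rules
    "red": ("originating group",),
    "amber": ("originating group", "members"),
    "green": ("originating group", "members", "partners"),
    "white": ("originating group", "members", "partners", "public"),
}
CONTROLS = {                                            # page 42's routing table
    "ipv4-addr": ["firewall", "flow data", "ips"],
    "url": ["ips/ids", "email gateway", "web proxy"],
    "domain-name": ["dns", "ips/ids", "web proxy"],
    "file": ["ngfw", "email gateway", "endpoint management"],
    "email-addr": ["email gateway", "ips/ids"],
}
PATTERN = re.compile(r"\[([a-z0-9-]+):[^=]+=\s*'([^']*)'\]")  # single-comparison patterns only

def context_problems(ind):
    """Page 18: no source, timing, nature or confidence means a blocklist line, not CTI."""
    checks = [("created_by_ref", "no source"), ("valid_from", "no timing"),
              ("indicator_types", "nature unknown"), ("confidence", "no confidence")]
    return [msg for field, msg in checks if ind.get(field) in (None, "", [])]

def fuse(bundle):
    """Page 41 in miniature: validate, link duplicates, rank by confidence, keep the strictest TLP, route."""
    accepted, rejected = {}, []        # accepted is keyed by (observable type, value)
    for obj in (o for o in bundle["objects"] if o.get("type") == "indicator"):
        problems = context_problems(obj)
        match = PATTERN.match(obj.get("pattern", ""))
        if not match:
            problems.append("unparseable pattern")
        if problems:
            rejected.append((obj["id"], problems))
            continue
        key = match.groups()
        marks = [TLP_MARKINGS[r] for r in obj.get("object_marking_refs", []) if r in TLP_MARKINGS]
        tlp = marks[0] if marks else "amber"   # assumption: unmarked intel is handled as AMBER
        if key in accepted:                    # link: merge into the pre-existing record
            rec = accepted[key]
            rec["sources"].add(obj["created_by_ref"])
            rec["confidence"] = max(rec["confidence"], obj["confidence"])
            if TLP_ORDER.index(tlp) > TLP_ORDER.index(rec["tlp"]):
                rec["tlp"], rec["share_with"] = tlp, TLP_AUDIENCE[tlp]
            continue
        accepted[key] = {"type": key[0], "value": key[1], "tlp": tlp, "share_with": TLP_AUDIENCE[tlp],
                         "sources": {obj["created_by_ref"]}, "confidence": obj["confidence"],
                         "route_to": CONTROLS.get(key[0], ["analyst review"])}
    return accepted, rejected

# Constructed sample bundle (ids, feeds, timestamps and hash made up; the URL is page 16's example).
FEED = {"valid_from": "2019-01-15T00:00:00Z", "indicator_types": ["malicious-activity"]}
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--sample", "objects": [
    {"type": "indicator", "id": "indicator--0001", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "created_by_ref": "identity--feed-a", "confidence": 70, "object_marking_refs": [TLP_ID["green"]], **FEED},
    {"type": "indicator", "id": "indicator--0002", "pattern": "[ipv4-addr:value = '198.51.100.7']",
     "created_by_ref": "identity--feed-b", "confidence": 90, "object_marking_refs": [TLP_ID["amber"]], **FEED},
    {"type": "indicator", "id": "indicator--0003", "created_by_ref": "identity--feed-a", "confidence": 60,
     "pattern": "[url:value = 'http://www.shaparaksaman.ga/payment.php']", **FEED},   # unmarked
    {"type": "indicator", "id": "indicator--0004", "confidence": 50,    # bare hash: no source, no timing
     "pattern": "[file:hashes.'SHA-256' = 'deadbeef']", "indicator_types": ["malicious-activity"]},
]}
```

Calling `fuse(SAMPLE_BUNDLE)` returns two accepted records (the merged IP, now AMBER with both feeds as sources, and the URL) and one rejected bare hash with the reasons it failed.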

Page 50:

You Host the Connection

Indicators are pulled from the DHS TAXII server via your own TAXII capability, where they can be used in multiple ways.

Diagram labels: AIS Indicators; DHS TAXII Server; TAXII client; Analysts; Security devices; Database; Splunk, etc.; Soltra Edge, etc.

Page 51:

STIX v1.0

• What activity are we seeing?

• What threats should I be looking for and why?

• Where has this threat been seen?

• What does it do?

• What weaknesses does this threat exploit?

• Why does it do this?

• Who is responsible for this threat?

• What can I do?

Pages 52-60: (no text extracted)

Page 61:

What you are looking for

• Why were they doing it?

• Who was doing it?

• What were they looking to exploit?

• What should you do about it?

• Where was it seen?

• What exactly were they doing?

• Why should you care about it?

Page 62: (no text extracted)

Page 63:

Key Features of Sample TIP

Page 64:

ThreatConnect, EclecticIQ, LookingGlass, MISP, TruSTAR, CRITS, Threstelligence

Page 65:

Standards and Guidelines for information sharing

Page 66:

Challenges (reasons for not sharing)

• Quality issues

• Untrusted participants

• The natural instinct for organizations to not share

• Believing that there is little chance of a successful prosecution

• The unawareness of the victimized organization about a cyber incident

• Sharing faster is not sufficient

Page 67: (no text extracted)

Page 68:

Sample process (diagram; labels only): Threat Intelligence Sources; Validation; Vetted Intel; SIEM Use Cases; Security Operations Center; False Positives; Cyber Investigators; Business Partners; STIX/TAXII; Event Remediation; Cyber Intelligence Incident Response Team

Pages 69-70: (no text extracted)

Page 71:

SWIFT ISAC – Cyber security information sharing

Page 72: (no text extracted)

Page 73:

Next-Gen Threat Intelligence providers: TruSTAR was selected for its unique “Connective Defense” approach to cybersecurity, which fuses threat intelligence, fraud, and physical security data into the platform for increased data correlation and collaboration across teams.

Pages 74-77: (no text extracted)

Page 78:

Q&A