Threat Intelligence – Routes to a Proactive Capability

Ollie Whitehouse, Architect, Advanced Threat Research, 22nd November 2007

Upload: ollie-whitehouse, posted 18-Nov-2014


DESCRIPTION

A presentation originally from 2007 on how organisations could look to build a threat intelligence capability.

TRANSCRIPT

Page 1: Threat Intelligence - Routes to a Proactive Capability

Threat Intelligence – Routes to a

Proactive Capability

Ollie Whitehouse, Architect, Advanced Threat Research

22nd November, 2007

Page 2: Threat Intelligence - Routes to a Proactive Capability

Symantec Advanced Threat Research 2

Agenda

1. Introduction

2. Intelligence Sources

3. Some Examples

4. Discussion

Page 3: Threat Intelligence - Routes to a Proactive Capability


Introduction

Page 4: Threat Intelligence - Routes to a Proactive Capability


Introduction – The Presentation

• Original purpose of this presentation

– An open discussion between A Client and Symantec

• About the types of intelligence sources A Client could leverage

• How these could be used to gain insight into threats

– Presentation of a number of ideas on how to achieve this

– Designed to be interactive

• Brainstorming, guidance, questions, answers all welcome…

• What this presentation is NOT

– A presentation on productized technology available from Symantec

• Goal of a well-developed intelligence program

– Gain visibility ahead of time

– Predict likely targets

– Detect stealthy attacks or attack precursors


Page 5: Threat Intelligence - Routes to a Proactive Capability


Introduction – The Presentation

• Problem statement guidance

– Existing threat intelligence data is reactive

• Patch Tuesday etc…

– A Client wants to develop more of a proactive capability

• How to gain visibility before the attack

– Technology threat intelligence

– Aggressor threat intelligence

• How to detect attacks for which there is no signature

• Additional guidance already given

– This will not focus on web based applications

– This will look at infrastructure and standard client-based threats


Page 6: Threat Intelligence - Routes to a Proactive Capability


Intelligence Sources

Page 7: Threat Intelligence - Routes to a Proactive Capability


Intelligence Sources

• So what does A Client have access to?

– A lot!

– However, deciding what to process will be difficult

– Actual processing will present some unique challenges

– Result – risk / effort versus reward will come into play

• Caveat: You may be analyzing some of these already

• What follows is a relatively high-level overview

– Designed to capture the key sources

– Does not cover in detail all the methods of analysis


Page 8: Threat Intelligence - Routes to a Proactive Capability


Intelligence Sources


Page 9: Threat Intelligence - Routes to a Proactive Capability


Intelligence Sources

• A couple of key observations

– Gaining insight into where/how an attack will happen ahead of time is hard

• Unlike fraud, attackers aren’t going to hang out on publicly accessible channels discussing their targets/methods

• Monitoring for sentiment is going to throw up false positives (annoyed customers etc)

• Attacks which hit you fall into two categories – mass exploitation & targeted

• Mass exploitation – some indication ahead of time

• Targeted – little to no indication ahead of time

– However detecting the early stages of an attack is far easier

– Detecting an in-progress attack is even easier

– So some discussion around the key objectives will need to be had


Page 10: Threat Intelligence - Routes to a Proactive Capability


Couple of Examples

Page 11: Threat Intelligence - Routes to a Proactive Capability


Binary File Format Exploitation - PDF

• Goal

– Process PDFs at the mail server/AV/SPAM layer to identify suspicious files potentially trying to exploit a vulnerability

• Approach

– Does it comply with the file format?

• Does your AV/SPAM solution successfully parse it?

• Can you automate the opening of all PDF files in a sandbox to detect crashes and/or suspicious behavior?

– What does it contain?

• Is it a re-work of a press release issued by you, a competitor, a regulator or a publicly listed company?

• Do shellcode heuristics trigger?

– What produced it?

• There is a surprising amount of metadata in PDFs which could be used to influence the file’s risk profile.
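As an added illustration (not part of the original deck), here is a small Python triage routine for the "does it comply with the file format?" and "what produced it?" questions above; the sample PDF, the producer baseline and the scoring are all constructed for the example.

```python
import re

# Constructed minimal PDF used as sample input; the Producer/Creator strings are made up.
SAMPLE_PDF = (
    b"%PDF-1.4\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
    b"3 0 obj << /Producer (UnknownTool 0.1) /Creator (hand-made) >> endobj\n"
    b"trailer << /Root 1 0 R /Info 3 0 R >>\n"
    b"%%EOF\n"
)

# Producer substrings seen in the organisation's legitimate documents (constructed baseline).
KNOWN_PRODUCERS = {"Acrobat", "LibreOffice", "Microsoft"}


def pdf_triage(data: bytes) -> dict:
    """Cheap format-compliance and provenance checks for a PDF seen at the mail gateway."""
    findings = []
    # Format compliance: header magic and end-of-file marker.
    if not data.startswith(b"%PDF-"):
        findings.append("missing %PDF- header")
    if b"%%EOF" not in data[-1024:]:
        findings.append("no %%EOF marker near end of file")
    # Every 'N G obj' should be closed by 'endobj'; an imbalance suggests truncation or malformation.
    n_obj = len(re.findall(rb"\b\d+ \d+ obj\b", data))
    n_endobj = len(re.findall(rb"\bendobj\b", data))
    if n_obj != n_endobj:
        findings.append(f"obj/endobj mismatch ({n_obj} vs {n_endobj})")
    # Provenance: which tool claims to have produced the file?
    meta = {}
    for key in (b"Producer", b"Creator"):
        m = re.search(rb"/" + key + rb"\s*\((.*?)\)", data)
        if m:
            meta[key.decode()] = m.group(1).decode("latin-1")
    producer = meta.get("Producer", "")
    if not producer:
        findings.append("no Producer metadata")
    elif not any(p in producer for p in KNOWN_PRODUCERS):
        findings.append(f"unfamiliar producer: {producer}")
    # Each finding raises the file's risk profile; the score feeds the sandbox/quarantine decision.
    return {"metadata": meta, "findings": findings, "score": len(findings)}
```

The checks are deliberately structural (no decompression of streams), so they are cheap enough to run on every attachment before deciding which files go to the sandbox.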


Page 12: Threat Intelligence - Routes to a Proactive Capability


Binary File Format Exploitation - PDF


Page 13: Threat Intelligence - Routes to a Proactive Capability


Binary File Format Exploitation - JAR

• Goal

– Log accesses made to JARs via A Client web proxies

– Isolate those of interest and analyze off-line to detect targeted attacks

• Approach

– Has it changed?

• Over time, if you generate hashes for the JARs accessed, you’ll be able to spot changes

– Is it signed?

• Is the archive signed by a trusted company?

– Does it comply with the file format?

• Does your AV/SPAM solution successfully parse it?

• Can you automate the opening of all JAR files in a sandbox to detect crashes and/or suspicious behavior using multiple JVMs?
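An added example, not from the original presentation: tracking the hash of each JAR per URL between proxy fetches, checking that the archive parses as a JAR, and checking whether signature files are present. The archive and the baseline are constructed inline; the URL and signer file names are placeholders.

```python
import hashlib
import io
import zipfile

# Fixed timestamp so the constructed archives are byte-for-byte reproducible.
_FIXED_TIME = (2007, 11, 22, 0, 0, 0)

def build_sample_jar(signed: bool) -> bytes:
    """Construct an in-memory JAR so the example runs offline (signature files are placeholders)."""
    members = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
        "com/example/Main.class": b"\xca\xfe\xba\xbe" + b"\x00" * 8,
    }
    if signed:  # jarsigner would emit a real .SF and .RSA; only the names matter to this check
        members["META-INF/SIGNER.SF"] = b"Signature-Version: 1.0\n"
        members["META-INF/SIGNER.RSA"] = b"\x30\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in members.items():
            zf.writestr(zipfile.ZipInfo(name, date_time=_FIXED_TIME), payload)
    return buf.getvalue()

def jar_triage(url: str, data: bytes, baseline: dict) -> dict:
    """Hash, format and signature checks for a proxied JAR; baseline maps URL -> last seen sha256."""
    digest = hashlib.sha256(data).hexdigest()
    findings = []
    # Has it changed? Compare with the hash recorded the last time this URL was fetched.
    previous = baseline.get(url)
    if previous is None:
        findings.append("first sighting of this JAR URL")
    elif previous != digest:
        findings.append("JAR content changed since last sighting")
    # Does it comply with the file format? A JAR is a ZIP archive with a manifest.
    names = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
        if "META-INF/MANIFEST.MF" not in names:
            findings.append("no manifest")
    except zipfile.BadZipFile:
        findings.append("not a valid ZIP/JAR archive")
    # Is it signed? Signed JARs carry a .SF plus a .RSA/.DSA/.EC block under META-INF.
    # Presence only; verifying the signature and signer trust needs jarsigner.
    in_meta = [n.upper() for n in names if n.startswith("META-INF/")]
    signed = any(n.endswith(".SF") for n in in_meta) and any(n.endswith((".RSA", ".DSA", ".EC")) for n in in_meta)
    if not signed:
        findings.append("unsigned JAR")
    baseline[url] = digest  # record for the next comparison
    return {"sha256": digest, "signed": signed, "findings": findings}
```

A JAR that changes without a corresponding change announced by its publisher, or that loses its signature between fetches, is the kind of candidate the slide suggests isolating for off-line analysis.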


Page 14: Threat Intelligence - Routes to a Proactive Capability


The Generic E-Mail Attack

• Goal

– Detect the generic targeted e-mail attachment-borne attack

• Lots of things to look at

– Is the source IP actually assigned to the company it’s claimed to be from?

– If you’ve received e-mail from that organization before did the e-mail originate from the same source?

– Does the message header contain character set information which indicates it’s originated from a non-friendly or suspicious country?

– Have you seen e-mails from that person to that person before?

– Does the message content contain public information re-worked?

– Does the attachment contain public information re-worked?
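An added example, not from the deck: three of the header checks above (source IP consistency per sender domain, sender/recipient history, declared character set) applied to a constructed message against a constructed delivery history. Domains, addresses and IPs are placeholders.

```python
import re
from email import message_from_string

# Constructed delivery history (in practice built from the organisation's own mail logs).
HISTORY = {
    "source_ips": {"partner.invalid": {"198.51.100.7"}},
    "pairs": {("alice@partner.invalid", "bob@client.invalid")},
    "expected_charsets": {"us-ascii", "utf-8", "iso-8859-1"},
}

# Constructed sample message: familiar sender, but a new source IP, a new recipient and an unusual charset.
SAMPLE_MSG = """\
Received: from mail.partner.invalid (mail.partner.invalid [203.0.113.9])
\tby mx.client.invalid with ESMTP; Thu, 22 Nov 2007 09:00:00 +0000
From: Alice <alice@partner.invalid>
To: carol@client.invalid
Content-Type: text/plain; charset="koi8-r"

See attached.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def email_triage(raw: str, history: dict) -> list:
    """Header consistency checks; returns a list of findings (empty means nothing unusual)."""
    msg = message_from_string(raw)
    findings = []
    sender_m = ADDR_RE.search(msg.get("From", ""))
    sender = sender_m.group(0).lower() if sender_m else ""
    domain = sender.rsplit("@", 1)[-1]
    recipient = msg.get("To", "").strip().lower()
    # The topmost Received header was written by our own MX, so its bracketed IP is the
    # host that actually connected to us, regardless of what the From header claims.
    hops = msg.get_all("Received", [])
    ip_m = IP_RE.search(hops[0]) if hops else None
    ip = ip_m.group(1) if ip_m else ""
    seen_ips = history["source_ips"].get(domain, set())
    if not ip:
        findings.append("no source IP in Received headers")
    elif seen_ips and ip not in seen_ips:
        findings.append(f"{domain} previously sent from {sorted(seen_ips)}, now from {ip}")
    if (sender, recipient) not in history["pairs"]:
        findings.append(f"first message from {sender} to {recipient}")
    # Does the declared character set match what this organisation normally receives?
    charset = msg.get_content_charset() or ""
    if charset and charset not in history["expected_charsets"]:
        findings.append(f"unexpected charset {charset}")
    return findings
```

Checking that the source IP is actually assigned to the claimed organisation needs external WHOIS/ASN data and is left out so the example runs offline.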


Page 15: Threat Intelligence - Routes to a Proactive Capability


Pro-Active Strategies for Attachments

• Goal

– How do we identify the next zero-day that would work against our organization?

• We utilize some of the pre-filtering already discussed

• Then we have a copy of our geographic or departmental standard builds inside a couple of virtualized environments*

• We then pass a selection of received e-mails/attacks through

• We also regularly visit a selection of web sites commonly visited by the entire organization or specific departments

• We also visit a sample of URLs sent into the organization (E-Mail/IM etc.)

• All to monitor for any unexpected behavior


Page 16: Threat Intelligence - Routes to a Proactive Capability


Other Things to Consider

• All of the strategies I’ve discussed are because we know the modi operandi of certain classes of attacker

• However there are a number of other approaches we can consider to spot attacker evolution

– Trending

• We’ve seen attackers go after images (JPG/PNG/TIFF), Office (DOC/XLS/PPT), Web Containers (JAR), Other (WMF,PDF,ZIP) for binary format exploitation

• It doesn’t take a rocket scientist to realize this isn’t going to stop while it’s so successful

• So which applications do you run that haven’t been targeted (whether proprietary, niche or common)? Why not go after them aggressively: find the vulnerabilities and develop mitigations and/or detections ahead of time


Page 17: Threat Intelligence - Routes to a Proactive Capability


Open Discussion

Page 18: Threat Intelligence - Routes to a Proactive Capability


Copyright © 2007 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners.

This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.

Thank You!

Ollie Whitehouse

[email protected]

http://www.symantec.com/