Crowd-Sourced Threat Intelligence

Post on 15-Jan-2015


Description

This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM.) Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.

Transcript of Crowd-Sourced Threat Intelligence

Crowd-Sourced Threat Intelligence

About me

- Director, AlienVault Labs

- Security Research
- Malware Analysis
- Incident response

The attacker’s advantage

• They only need to be successful once

• Determined, skilled and often funded adversaries

• Custom malware, 0days, multiple attack vectors, social engineering

• Persistent

The defender’s disadvantage

• They can’t make a mistake
• Understaffed, jack of all trades, underfunded
• Increasingly complex IT infrastructure:
– Moving to the cloud
– Virtualization
– Bring your own device
• Prevention controls fail to block everything
• Hundreds of systems and vulnerabilities to patch

What is Threat Intelligence?

• Information about malicious actors

• Helps you make better decisions about defense

• Examples: IP addresses, domains, URLs, file hashes, TTPs, victim industries, countries..

How can I use Threat Intelligence?

• Detect what my prevention technologies fail to block

• Security planning, threat assessment

• Improves incident response / Triage

• Decide which vulnerabilities to patch first

State of the art

• Most sharing is unstructured & human-to-human

• Closed groups

• Existing standards require knowledge, resources and time to integrate the data

Standards & Tools

• IODEF: Incident Object Description Exchange Format

• MITRE:
– STIX: Structured Threat Information eXpression
– TAXII: Trusted Automated eXchange of Indicator Information
– MAEC, CAPEC, CybOX

• CIF: Collective Intelligence Framework

Collective Intelligence Framework

The Threat Intelligence Pyramid of Pain

The Power of the “Crowd” for Threat Detection

Cyber criminals are using (and reusing) the same exploits against others (and you).

Sharing (and receiving) collaborative threat intelligence makes us all more secure.

Using this data, detect, flag and block attackers by matching on shared indicators (threat intel)

Disrupt the incident response cycle

Detect

Respond

Prevent

A traditional cycle …
1. Prevents known threats.
2. Detects new threats in the environment.
3. Responds to the threats – as they happen.

This isolated closed loop offers no opportunity to learn from what others have experienced … no advance notice

Traditional Response

(diagram, built up over several slides: five example organizations, First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products, each running its own isolated loop; one of them is attacked, detects the attack and responds, and the others learn nothing from it)

OTX Enables Preventative Response

Through an automated, real-time threat exchange framework

A Real-Time Threat Exchange framework

(diagram, built up over two slides: the same five organizations connected through Open Threat Exchange; one is attacked and detects the attack, and the indicators flow to the others)

Open Threat Exchange puts preventative response measures in place through shared experience

Open Threat Exchange protects others in the network with the preventative response measures

Benefits of Open Threat Exchange

Shifts the advantage from the attacker to the defender

Open and free to everyone

Each member benefits from the incidents of all other members

Automated sharing of threat data
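The slides above describe the cycle in words only: one member is attacked, detects and responds, publishes the indicators it extracted, and every other member turns those indicators into prevention before the attacker reuses the same infrastructure against them. The block below is an added example for this page, not code from OTX, OSSIM or AlienVault; the member names are the ones from the deck's diagram, and the log format, the indicator values, the tiny in-memory "exchange" and its publish/pull API are all constructed for illustration. Matches are ranked by Pyramid of Pain tier (a hash is cheaper for the attacker to change than an IP, which is cheaper than a domain), so the verdict names the indicator the attacker would find hardest to rotate.

```python
"""Crowd-sourced indicator sharing, simulated end to end.

Added example for this page; not code from OTX, OSSIM or AlienVault.
Member names, log lines, indicator values and the Exchange API are constructed.
"""
import re
from dataclasses import dataclass, field

# Pyramid of Pain tiers: higher = costlier for the attacker to change.
PAIN_TIER = {"hash": 1, "ip": 2, "domain": 3}

@dataclass(frozen=True)
class Indicator:
    kind: str      # "hash" | "ip" | "domain"
    value: str
    source: str    # member that contributed it

# Constructed log format: "<ts> src=<ip> host=<domain> sha256=<hash>"
LOG_RE = re.compile(r"src=(?P<ip>\S+) host=(?P<domain>\S+) sha256=(?P<hash>\S+)")

def observables(line):
    """Return {kind: value} (lower-cased) for one log line, or None if it does not parse."""
    m = LOG_RE.search(line)
    return {k: v.lower() for k, v in m.groupdict().items()} if m else None

class Exchange:
    """Minimal OTX-like hub (hypothetical): members publish 'pulses', anyone can pull them."""
    def __init__(self):
        self.pulses = []                      # list of (title, frozenset[Indicator])
    def publish(self, title, indicators):
        self.pulses.append((title, frozenset(indicators)))
    def pull(self):
        return {i for _, inds in self.pulses for i in inds}

@dataclass
class Member:
    name: str
    logs: list
    blocklist: set = field(default_factory=set)

    def match(self, line):
        """Highest-pain blocklist indicator that this line hits, or None."""
        obs = observables(line)
        if obs is None:
            return None
        hits = [i for i in self.blocklist if obs.get(i.kind) == i.value]
        return max(hits, key=lambda i: PAIN_TIER[i.kind], default=None)

    def extract_iocs(self, incident_lines):
        """Incident response: turn the lines tied to a confirmed incident into indicators."""
        iocs = set()
        for line in incident_lines:
            obs = observables(line) or {}
            iocs |= {Indicator(k, v, self.name) for k, v in obs.items()}
        return iocs

    def subscribe(self, exchange):
        """Pull shared indicators into the local blocklist; return retro-hunt hits in old logs."""
        self.blocklist |= exchange.pull()
        return [(line, ind) for line in self.logs if (ind := self.match(line))]

    def inbound(self, line):
        """Prevention stage: block the connection if any shared indicator matches."""
        ind = self.match(line)
        return ("blocked", ind) if ind else ("allowed", None)

# Constructed attacker traffic as seen by the first victim.
ATTACK = "src=198.51.100.23 host=update-cdn.example sha256=" + "ab" * 32

def simulate(shared):
    """Run the same attack against two members; return {member: outcome}.

    shared=False is the traditional isolated loop, shared=True is the exchange."""
    exchange = Exchange()
    victim = Member("First Street Credit Union", [f"t1 {ATTACK}"])
    telecom = Member("Regional Pacific Telecom",
                     ["t0 src=203.0.113.9 host=intranet.example sha256=" + "cd" * 32])
    outcome = {}
    # 1. The victim's IDS flags the traffic; its IR team extracts indicators.
    iocs = victim.extract_iocs(victim.logs)
    outcome[victim.name] = "detected and responded"
    # 2. With the exchange, the victim publishes and the others pull before the attacker moves on.
    if shared:
        exchange.publish("Infrastructure seen at " + victim.name, iocs)
    telecom.subscribe(exchange)
    # 3. Same attacker, rotated IP, same payload and domain, hits the second member.
    reuse = "t2 src=198.51.100.77 host=UPDATE-CDN.example sha256=" + "ab" * 32
    verdict, ind = telecom.inbound(reuse)
    outcome[telecom.name] = "blocked on " + ind.kind if ind else "compromised"
    return outcome

if __name__ == "__main__":
    for mode in (False, True):
        print("shared" if mode else "isolated", simulate(shared=mode))
```

In the isolated run the second member has an empty blocklist and the reused infrastructure gets through; in the shared run the rotated IP no longer matters because the domain and the payload hash arrived via the pulse, and the verdict reports the domain, the costlier of the two for the attacker to replace. The retro-hunt returned by `subscribe` is the other half of the benefit: a newly received pulse is also run over the member's own historical logs.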

Open Source Security Information Management

OSSIM/USM

ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning

BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response

THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

USM Product Capabilities

Open Threat Exchange

Thank you!!

@jaimeblascob

http://www.alienvault.com/open-threat-exchange/blog