Public© Siemens AG 2016 Siemens CERT
Building an Efficient Incident Response Process Using Threat Intelligence
A Global Enterprise Perspective
Thomas Schreck | Siemens CERT | Borderless Cyber Europe 2016
September 2016, Siemens CERT
Principal Engineer at Siemens CERT
Director of FIRST.org
How we think Cyber Threat Intelligence is working …
… and here is the reality!
(Slide shows what actually arrives: PDF reports, a bare file hash such as 4741a7df46e61985544c647a401e94f7, and an empty file hash.)
What is Cyber Threat Intelligence?
Threat intelligence is a vital part of network defense and incident response, including information about threats, TTPs, and devices that adversaries employ; the systems and information that they target; and any other threat-related information that provides greater situational awareness, with the following characteristics:
• Timely
• Relevant
• Accurate
• Specific
• Actionable
(Diagram labels: Strategic, Tactical, TTPs, IoCs.)
What can it be used for?
(Diagram: CTI at the centre, feeding Situational Awareness, Hardening, Detection and Response.)
Capabilities and Tasks: the 4 pillars of Threat Intelligence

Intel Sourcing
• Other CERTs & TI communities, open source intelligence
• Subscriptions to Intel companies
• Internal sources, like malware analysis and investigations

Intel Usage
• Integrate Intel in our existing TI platform
• Make Intel "actionable" for our consumers
• Aggregate strategic Intel to build a threat landscape

Intel Management
• Manually vet incoming Intel
• Store Intel in a structured way
• Integrate other forms of QA in the Intel lifecycle (e.g., rating)
• Link Intel to the respective IOCs

Intel Sharing
• Share Intel with different communities
• Fast sharing using open standards
• Contribute to the development of sharing platforms
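The Intel Management pillar above (vet incoming Intel, store it in a structured way, rate it) is where the "reality" slide's empty file hash gets caught. The following is an added example of such a vetting step in Python, written for this page; it is not Siemens CERT code. The junk rules (hashes of the zero-byte file, non-routable IP addresses), the 0..100 source rating and the sample feed are assumptions chosen for illustration.

```python
"""Vet and normalise indicators from an incoming feed before storing them.

Added example for the Intel Management pillar; not Siemens CERT code.
The junk rules, the numeric source rating and SAMPLE_FEED are assumptions.
"""
import hashlib
import ipaddress
import re
from dataclasses import dataclass

# Hashes of a zero-byte file: a classic worthless "indicator" in low-quality
# feeds (the slide's "Empty File Hash"). Computed here, not hard-coded.
EMPTY_FILE_HASHES = {hashlib.new(a, b"").hexdigest() for a in ("md5", "sha1", "sha256")}

HEX_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


@dataclass(frozen=True)
class Indicator:
    type: str         # "hash", "ip", "domain" or "unknown"
    value: str        # normalised form (lower-case, trailing dot stripped)
    source: str       # feed the indicator came from
    rating: int       # 0..100 confidence inherited from the source (assumption)
    reason: str = ""  # non-empty means the indicator was rejected


def classify(raw: str):
    """Return (type, normalised value); type is None if nothing matched."""
    value = raw.strip().lower().rstrip(".")
    if HEX_RE.match(value):
        return "hash", value
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        pass
    if DOMAIN_RE.match(value):
        return "domain", value
    return None, value


def vet(raw: str, source: str, source_rating: int) -> Indicator:
    """Apply the checks an analyst would otherwise do by hand."""
    kind, value = classify(raw)
    if kind is None:
        return Indicator("unknown", value, source, 0, "unparseable")
    if kind == "hash" and value in EMPTY_FILE_HASHES:
        return Indicator(kind, value, source, 0, "hash of the empty file")
    if kind == "ip" and not ipaddress.ip_address(value).is_global:
        # private, loopback, link-local, documentation and reserved ranges
        return Indicator(kind, value, source, 0, "non-routable address")
    return Indicator(kind, value, source, source_rating)


def vet_feed(lines, source: str, source_rating: int):
    """Split a feed into (accepted, rejected); accepted is de-duplicated."""
    accepted, rejected, seen = [], [], set()
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        ind = vet(line, source, source_rating)
        if ind.reason:
            rejected.append(ind)
        elif (ind.type, ind.value) not in seen:
            seen.add((ind.type, ind.value))
            accepted.append(ind)
    return accepted, rejected


# Constructed sample feed; none of these values is a real indicator.
SAMPLE_FEED = [
    "# vendor feed, constructed for this example",
    "d41d8cd98f00b204e9800998ecf8427e",  # MD5 of the empty file
    "00112233445566778899aabbccddeeff",  # plausible-looking MD5
    "10.0.0.5",                          # RFC 1918, never useful as an IOC
    "1.2.3.4",
    "EVIL.example.com.",
    "evil.example.com",                  # duplicate after normalisation
    "not an indicator",
]

if __name__ == "__main__":
    ok, bad = vet_feed(SAMPLE_FEED, "vendor-x", 70)
    for ind in ok:
        print("ACCEPT", ind.type, ind.value, ind.rating)
    for ind in bad:
        print("REJECT", ind.type, ind.value, ind.reason)
```

Rejected items are kept with a reason rather than silently dropped, so the rating of the source can be adjusted later (a feed that keeps delivering empty-file hashes and RFC 1918 addresses earns a lower rating) and the rejection can be fed back to the provider.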
Managing and Utilizing Threat Intelligence
Managing Cyber Threat Intelligence
(Diagram: the intelligence cycle, Planning, Collection, Processing, Analysis & Production, Dissemination, and back to Planning.)
Utilizing Threat Intelligence
(Diagram of the tooling, grouped here from the slide labels.)
• Data sources: Proxies, Firewall, Shadowserver, DHCP, DNS, pDNS, various data sources
• Analysis: Malware Analysis, Forensic, various scripts
• Threat Intelligence Platform: Indicators, Threat Intelligence, Internal & External Intelligence Sharing
• Incident Handling: Ticketing, Abuse Reporting, Cleaning up, Lessons Learned, etc.
• Analyst tooling: Monitoring Solution, Ticket system (RT, OTRS, Jira), Wiki (Mediawiki, Confluence), Emailing (PGP, S/MIME), Scripts for Automation
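The "Scripts for Automation" box is where indicators from the platform meet the proxy and DNS data sources. The following is an added example of such a script in Python, written for this page and not Siemens CERT code. It goes slightly beyond a plain lookup: a domain indicator also matches subdomains of it, and hits are grouped per client so they can be handed to the ticket system. Both log line formats, the indicator values and the log lines are constructed assumptions.

```python
"""Run an indicator set over proxy and DNS logs and group hits per client.

Added example for the "Scripts for Automation" box; not Siemens CERT code.
The log formats, the indicator values and the sample log lines are assumed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed indicator set: value -> metadata, as a TI platform would export it
INDICATORS = {
    "evil.example.com": {"type": "domain", "source": "vendor-x", "rating": 70},
    "1.2.3.4": {"type": "ip", "source": "cert-partner", "rating": 90},
}

# Assumed formats: "<ts> <client> <status> <method> <url>" for the proxy and
# "<ts> <client> query <qname> <qtype> <answer>" for the DNS resolver
PROXY_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<status>\d{3}) (?P<method>\S+) (?P<url>\S+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+) (?P<qtype>\S+) (?P<answer>\S+)$")


def domain_candidates(host: str):
    """The host plus every parent domain except the bare TLD, so an indicator
    for evil.example.com also matches cdn.evil.example.com."""
    parts = host.lower().rstrip(".").split(".")
    return [".".join(parts[i:]) for i in range(len(parts) - 1)]


def match_logs(indicators, proxy_lines, dns_lines):
    """Return one hit per matching log line, with the indicator metadata."""
    def lookup(value, kind):
        meta = indicators.get(value)
        return meta if meta and meta["type"] == kind else None

    def record(m, value, via, meta, line):
        return {"client": m["client"], "ts": m["ts"], "observable": value,
                "via": via, "line": line, **meta}

    hits = []
    for line in proxy_lines:
        m = PROXY_RE.match(line)
        if not m:
            continue  # unparseable line: skip, but do not abort the run
        host = urlsplit(m["url"]).hostname or ""
        if re.fullmatch(r"[\d.]+", host):        # IP literal in the URL
            checks = [(host, "ip")]
        else:
            checks = [(c, "domain") for c in domain_candidates(host)]
        for value, kind in checks:
            meta = lookup(value, kind)
            if meta:
                hits.append(record(m, value, "proxy", meta, line))
                break
    for line in dns_lines:
        m = DNS_RE.match(line)
        if not m:
            continue
        checks = [(c, "domain") for c in domain_candidates(m["qname"])]
        checks.append((m["answer"], "ip"))       # resolved address vs ip indicators
        for value, kind in checks:
            meta = lookup(value, kind)
            if meta:
                hits.append(record(m, value, "dns", meta, line))
                break
    return hits


def affected_clients(hits):
    """Group hits per client and keep the highest-rated one: the input a
    ticket or abuse report needs."""
    per_client = defaultdict(list)
    for h in hits:
        per_client[h["client"]].append(h)
    return {c: max(hs, key=lambda h: h["rating"]) for c, hs in per_client.items()}


# Constructed log lines for the example
PROXY_LOG = [
    "2016-09-13T10:01:02Z 10.1.2.3 200 GET http://cdn.evil.example.com/update.php",
    "2016-09-13T10:01:05Z 10.1.2.9 200 GET http://intranet.example.org/",
    "2016-09-13T10:02:00Z 10.1.2.9 200 CONNECT https://1.2.3.4:443/",
    "garbage line that does not parse",
]
DNS_LOG = [
    "2016-09-13T10:01:01Z 10.1.2.3 query cdn.evil.example.com A 5.6.7.8",
    "2016-09-13T10:03:00Z 10.1.2.7 query mail.example.org A 1.2.3.4",
]

if __name__ == "__main__":
    for client, hit in affected_clients(match_logs(INDICATORS, PROXY_LOG, DNS_LOG)).items():
        print(client, hit["observable"], hit["via"], hit["source"], hit["rating"])
```

The DNS pass checks the answer as well as the query name, which is what catches the last line: a harmless-looking hostname resolving to a known bad address.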
Sourcing and Sharing Threat Intelligence
Sharing Communities (Siemens CERT / ProductCERT at the centre)

Governance
• BSI / BMI / Verfassungsschutz
• CERT-EU
• Various European GOV-CERTs (e.g., NCSC.NL, UK-CERT, CERT.at)
• US-CERT
• ICS-CERT
• CN-CERT

Vendors
• Microsoft
• CISCO
• Amazon
• Juniper
• SAP
• ORACLE
• SuSE/Red Hat
• Intel
• IBM

Science
• University of California, Santa Barbara
• Northeastern University Boston
• iSecLab
• Ruhr-Universität Bochum
• Friedrich-Alexander-Universität Erlangen
• Fraunhofer AISEC/SIT/FKIE
• Technische Universität München

Sec. Companies
• Trend Micro
• Kaspersky
• Symantec
• BFK
• CSIS Security Group
• Team Cymru
• Crowdstrike
• Farsight

Trusted Groups
• FIRST
• Trusted Introducer / TF-CSIRT
• CERT-Verbund
• AkSiGro
• German Cyber Security Alliance
• CSSA e.V.
• Various OpSec groups

OSINT
• Sec. mailing lists (full-disclosure)
• Sec. blogs
• Pastebin
• SANS
• Various websites, e.g. XSSed, Zone-h, …
• DNS and malware blacklists (about 110 different blacklists in total)
• …

Law Enforcement
• Europol
• FBI
• German State Police

Active TI Sharing
• DoD CRADA Program
• DHS: CISCP, ICS
• Microsoft MAPP for Responders
• German APT WG
https://www.first.org
Sharing Standards and Tools
• OpenIOC
• IETF MILE
• MANTIS
• JSON, CSV, PDF, …
• Mailing lists
• Chatrooms
Sharing 101
• Use a common standard like the Traffic Light Protocol: https://www.first.org/tlp
• Define the standard for how to exchange information
• Share with others as early as possible
• Evaluate commercial vendors carefully and re-evaluate them regularly
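The first two points above, a common marking standard and a defined exchange format, are cheap to enforce in code at the point where intel leaves the platform. The following is an added example in Python, written for this page and not Siemens CERT code. It uses the four TLP labels in use in 2016 (RED, AMBER, GREEN, WHITE, per https://www.first.org/tlp). The community list and the clearance assigned to each, the minimal JSON record layout, and the rule that unmarked intel is treated as TLP:RED until the originator clarifies are assumptions.

```python
"""Mark intel with TLP and gate what leaves for each sharing community.

Added example for the "Sharing 101" slide; not Siemens CERT code. The
COMMUNITIES table, the record layout and the unmarked-means-RED rule are
assumptions.
"""
import json

# Lower number = more restrictive handling (TLP as published in 2016)
TLP_ORDER = {"RED": 0, "AMBER": 1, "GREEN": 2, "WHITE": 3}

# Assumed: the most restrictive label each community is cleared to receive
COMMUNITIES = {
    "internal-ir": "RED",        # our own incident responders
    "trusted-group": "AMBER",    # closed group with a signed sharing agreement
    "sector-partners": "GREEN",  # peer organisations in the sector community
    "public-feed": "WHITE",      # anyone
}


def normalise_label(label):
    """Accept 'TLP:GREEN', 'tlp green' or 'green'; missing or unknown -> RED."""
    if not label:
        return "RED"
    tag = label.upper().replace("TLP:", "").replace("TLP", "").strip(" :")
    return tag if tag in TLP_ORDER else "RED"


def may_share(label, community):
    """True if an item marked `label` may be sent to `community`."""
    ceiling = COMMUNITIES[community]
    return TLP_ORDER[normalise_label(label)] >= TLP_ORDER[ceiling]


def can_relabel(item, new_label):
    """Re-marking is only allowed towards a more restrictive label; loosening
    a marking needs the originator's consent, so it is refused here."""
    return TLP_ORDER[normalise_label(new_label)] <= TLP_ORDER[normalise_label(item.get("tlp"))]


def relabel(item, new_label):
    if not can_relabel(item, new_label):
        raise ValueError("cannot downgrade %s without originator consent" % normalise_label(item.get("tlp")))
    return {**item, "tlp": normalise_label(new_label)}


def select_for(items, community):
    """Exchange records (assumed minimal layout) the community may receive."""
    return [
        {"type": it["type"], "value": it["value"], "source": it["source"],
         "tlp": "TLP:" + normalise_label(it.get("tlp"))}
        for it in items if may_share(it.get("tlp"), community)
    ]


def export_json(items, community):
    return json.dumps(select_for(items, community), sort_keys=True)


# Constructed sample; the values are placeholders, not real indicators
SAMPLE_ITEMS = [
    {"type": "domain", "value": "evil.example.com", "source": "vendor-x", "tlp": "TLP:AMBER"},
    {"type": "ip", "value": "1.2.3.4", "source": "cert-partner", "tlp": "green"},
    {"type": "hash", "value": "00112233445566778899aabbccddeeff", "source": "own-analysis"},  # unmarked
    {"type": "domain", "value": "phish.example.net", "source": "osint", "tlp": "TLP:WHITE"},
]

if __name__ == "__main__":
    for community in COMMUNITIES:
        print(community, export_json(SAMPLE_ITEMS, community))
```

Treating an unmarked item as RED is the safe default: it keeps the item inside the team until the originator states a marking, which is the moment to apply `relabel` and push it out to the wider communities.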
Activities you should join
• OASIS Cyber Threat Intelligence (CTI) TC
• FIRST Information Exchange Policy SIG
• FIRST Traffic Light Protocol (TLP) SIG
• MISP Summit 02: https://2016.hack.lu/misp-summit/
Contact Details
Siemens AG
Thomas Schreck
Principal Engineer
Internet: https://www.siemens.com/cert