Cyber Threat Intelligence and Incident Response by Sandeep Singh


Transcript of Cyber Threat Intelligence and Incident Response by Sandeep Singh

Page 1: Cyber Threat Intelligence

Sandeep Singh
OWASP Delhi & null Delhi
30 January 2015

Page 2: Disclaimer

• I am not an intelligence analyst, but would love to be
• The topic is close to my heart
• Do not expect any FM (Freakin' Magic)
• The objective is to help attendees get familiar with the world of threat intel

Page 3: Agenda

• Overview of Threat Intel
• Understanding Threat Intel
• What is Cyber Threat Intelligence
• Types of Threat Intel
• Intelligence Lifecycle
• Threat Intel – Classification & Vendor Landscape
• Threat Intel – Standards
• Open Source Threat Data/Intel Sources
• Bonus Agenda

Page 4: What is Threat Intelligence?

Page 5: Overview

• Buzzword
• Growing field
  – $250M in 2013
  – $1.5B in 2018
• Lots of new service providers entering the market
• ...and still maturing

Page 6: Threat

Risk = Vulnerability * Threat * Impact
Threat = Intent * Capability

We like the term "Threat Actor". May be any of:
• Cybercrime
• State-sponsored
• Hacktivism
• Insider
• Industry competition

Page 7: Intelligence
a.k.a. Renseignement, ré-enseignement

• Environment → Data → Information → Intelligence
• Intelligence is a cyclic process
• Analysis and contextualization
• Models help counter diversity with abstraction

Page 8: Actionable Intel

• Accurate
• Relevant
• Timely
• Aligned
• Predictive
• Integrated

Page 9: Cyber Threat Intelligence

Cyber – area of interest / of collection
Threat – subject of interest
Intelligence – process

Page 10: Key Elements of Threat Intel

Page 11: Types of Threat Intel

Page 12: Strategic TI

• Target audience: decision-makers
• Focus on changing risks, high-level topics:
  • Geopolitics
  • Foreign markets
  • Cultural background
• Vision timeframe: years

Note: You may never have heard of this; could be explained by lack of maturity in orgs

Page 13: Operational TI

• Target audience: defenders
• Focus on current & future attacks:
  • Who, what, when?
  • Early warning on incoming attacks
  • Social media activity
• Vision timeframe: months, weeks, hours

Note: Hard for private companies to obtain on advanced attackers; traditionally collected through HUMINT / SIGINT

Page 14: Tactical TI

• Target audience: architects & sysadmins
• Focus on "TTPs":
  • Attacker modus operandi
  • Blue team / red team tools
  • Exfiltration / C2 methods
  • Persistence / stealth / deception mechanisms
• Vision timeframe: weeks to a year

Note: The most common form of threat intel (and marketing) produced today; easy to obtain

Page 15: Technical TI
a.k.a. Data

• Target audience: SOC, IR people
• Focus on raw observables:
  • Indicators of compromise
  • Host and network artifacts
  • Yara, Snort, OpenIOC rules
• Vision timeframe: hours to years

Note: Man-hours are valuable. Technical TI is abundant. Processing should be as automated as possible.
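The note above is the whole case for automating technical TI: raw observables arrive in volume, and an analyst should only see the hits. The following is an added example, not code from the slides, of the simplest form of that automation: a set of indicators (IP, domain, MD5) matched against log lines. Every indicator value and log line is constructed for illustration (documentation IP ranges, example.* domains, the MD5 of the empty string as a stand-in hash); nothing here is a real IoC.

```python
"""Added example (not from the slides): automated matching of technical TI
(raw observables) against sample log lines, so that only hits reach an analyst.
All indicator values and log lines are constructed for illustration."""
import re
from collections import defaultdict

# Constructed IoC set keyed by indicator type. Placeholder values only:
# RFC 5737 documentation addresses, example.* domains, MD5 of the empty string.
IOCS = {
    "ip":     {"198.51.100.23", "203.0.113.77"},
    "domain": {"update-check.example.net", "cdn.example.org"},
    "md5":    {"d41d8cd98f00b204e9800998ecf8427e"},
}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)
MD5_RE = re.compile(r"\b[a-f0-9]{32}\b", re.I)

# Constructed log lines in a proxy / DNS / AV style (not from any real system).
SAMPLE_LOGS = [
    "2015-01-30T10:02:11Z proxy src=10.0.0.14 dst=203.0.113.77 url=http://cdn.example.org/x.bin",
    "2015-01-30T10:02:15Z dns client=10.0.0.14 query=update-check.example.net rcode=NOERROR",
    "2015-01-30T10:03:01Z av host=ws14 file=C:\\Temp\\a.exe md5=D41D8CD98F00B204E9800998ECF8427E action=quarantine",
    "2015-01-30T10:03:40Z proxy src=10.0.0.15 dst=192.0.2.9 url=http://www.example.com/",
]


def extract_observables(line):
    """Pull every candidate IP, domain and MD5 out of one log line.

    The regexes over-match on purpose (file names like 'a.exe' come out as
    'domains'); that is harmless because only values present in the IoC
    set are ever reported. Case is normalized so feed and log casing differ freely.
    """
    return {
        "ip": set(IP_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "md5": {h.lower() for h in MD5_RE.findall(line)},
    }


def match_logs(lines, iocs=IOCS):
    """Return {(type, indicator): [matching log lines]} for every IoC hit."""
    hits = defaultdict(list)
    for line in lines:
        for kind, values in extract_observables(line).items():
            # Set intersection keeps only observables that are known indicators.
            for value in values & iocs.get(kind, set()):
                hits[(kind, value)].append(line)
    return dict(hits)


def summarize(hits):
    """Count distinct matched indicators per type, e.g. {'ip': 1, 'domain': 2, 'md5': 1}."""
    counts = defaultdict(int)
    for kind, _ in hits:
        counts[kind] += 1
    return dict(counts)


if __name__ == "__main__":
    found = match_logs(SAMPLE_LOGS)
    for (kind, value), lines in sorted(found.items()):
        print(f"[{kind}] {value}: {len(lines)} line(s)")
    print(summarize(found))
```

Exact-match lookups like this sit at the bottom of the Pyramid of Pain mentioned later in the deck: a changed IP or recompiled sample evades them, and subdomains of a listed domain are missed unless the match is widened, which is why the technical layer is the one to automate rather than the one to rely on alone.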

Page 16: Weaponry

Strategic – will feed SWOT, risk assessments, Porter Diamond model...
Tactical – Cyber Kill-chain, Diamond model, ACH
Operational – OODA Loop, Pyramid of Pain
Technical – F3EAD, CIF, FIR, MISP, Malcom, Maltego, ...

Page 17: Intelligence Cycle

Page 18: Intelligence Cycle applied to CTI in orgs

• Planning
  • What are you looking for?
• Collection
  • OSINT/HUMINT
  • Logs/data points inside the org
  • Honeypots/nets/docs, social networks
  • FM-5
• Processing
  • Synthesizing the collected data so that the intelligence analyst can work
• Analysis
• Finished Intelligence
• Dissemination
  • Present to the right audience

Page 19: Threat Intel – Classification

Threat Intel
• Threat Intel Platform
• Threat Intel Enrichment
• Threat Intel Integration

Intel categories
• Open Source Intel (OSINT)
• Human Intel (HUMINT)
• Technical Intel
• Adversary Intel
• Vulnerability Intel
• Strategic Intel

Page 20: Vendors

Page 21: Can you guess the price of commercial threat intel?

Page 22: Commercial threat intel pricing

• Symantec's 12-month retail subscription to its reputation feed costs $95,300 (approx. INR 6,100,000)
• FireEye threat intelligence appliances start at around $17,000 and go up to $175,000 per unit

Page 23: Managing Threat Intel
As tough as it sounds

Page 24

• MISP – Event-based indicator sharing
• FIR – Incident management platform + indicator correlation
• CRITS – Platform to store threat-related information
• Malcom – Correlation of network traffic with maliciousness feeds
• CIF – Query indicators + variety of output formats
• Grr, osquery – Endpoint hunting

Not mature... but lots of stuff is going on

Page 25: What's so nice about "standards"

• MITRE – STIX, TAXII, CybOX, MAEC
• IETF – IODEF
• Mandiant – OpenIOC
• VERIS
• MANTIS

Page 26: Open Source Threat Data Sources

Blacklist IP Address Sources
• emergingthreats.net
• binarydefense.com
• zeustracker.abuse.ch
• palevotracker.abuse.ch
• feodotracker.abuse.ch
• sslbl.abuse.ch
• spamhaus

Phishing URL Sources
• openphish.com

Vulnerability Database Sources
• scip.ch
• cxsecurity.com
• exchange.xforce.ibmcloud.com
• packetstormsecurity.com

Honeypots/Honeynets

Page 27: Bonus Agenda

Page 28: CIF: Collective Intelligence Framework

• Developed by REN-ISAC
• http://csirtgadgets.org/collective-intelligence-framework/
• Does not generate data; simply takes sources, normalizes them, and then outputs by given types
• Limited in the types of data it can handle
  – URLs
  – Domains
  – IPs
  – MD5s
• Certainly more to threat intel than this, but it's a start
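To make the "takes sources, normalizes them, outputs by type" description concrete, here is an added example in the shape of a minimal CIF-style normalizer. It is not CIF's own code and assumes nothing about CIF's internals: it reads raw feed text from several constructed sources (bare lists, CSV-style lines, comments, mixed case), classifies each indicator as one of the four types the slide names (URL, domain, IP, MD5), deduplicates while remembering which sources reported it, and flags everything else (an e-mail address, a SHA-256) as unsupported, which is the "limited in the types of data it can handle" point. All feed contents are constructed placeholders.

```python
"""Added example (not CIF's own code): a minimal CIF-style normalizer.
Takes raw feed text from several constructed sources, classifies each
indicator as url / domain / ip / md5, deduplicates across sources, and
returns the result grouped by type. Unsupported types are reported, not dropped silently."""
import re
from ipaddress import ip_address

SUPPORTED = ("url", "domain", "ip", "md5")
MD5_RE = re.compile(r"^[a-f0-9]{32}$", re.I)
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)
# A '#' starts a comment only at line start or after whitespace, so URL fragments survive.
COMMENT_RE = re.compile(r"(?:^|\s)#")

# Constructed feeds: documentation IPs, example.* names, MD5/SHA-256 of the empty string.
FEEDS = {
    "feed-a": "# constructed blocklist, one indicator per line\n"
              "198.51.100.23\n203.0.113.77\nbad.example.net\n",
    "feed-b": "203.0.113.77,malware-c2\n"
              "http://bad.example.net/drop.exe,dropper\n"
              "D41D8CD98F00B204E9800998ECF8427E,sample\n",
    "feed-c": "BAD.EXAMPLE.NET\n2001:db8::1\nphisher@example.com\n"
              "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\n",
}


def classify(value):
    """Return the indicator type for one raw value, or None if unsupported."""
    v = value.strip().lower()
    if v.startswith(("http://", "https://")):
        return "url"
    if MD5_RE.match(v):
        return "md5"
    try:
        ip_address(v)          # accepts both IPv4 and IPv6 literals
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain"
    return None                # e-mail addresses, SHA-256 hashes, free text, ...


def normalize(feeds):
    """feeds: {source_name: raw_feed_text}.

    Returns (by_type, unsupported) where by_type maps each supported type to
    {indicator: set_of_sources} and unsupported lists (source, value) pairs.
    """
    by_type = {kind: {} for kind in SUPPORTED}
    unsupported = []
    for source, text in feeds.items():
        for raw in text.splitlines():
            line = COMMENT_RE.split(raw, 1)[0].strip()
            if not line:
                continue
            value = line.split(",")[0].strip()   # first CSV column is the indicator
            kind = classify(value)
            if kind is None:
                unsupported.append((source, value))
                continue
            # Case-fold everything except URLs, whose paths can be case-sensitive.
            key = value if kind == "url" else value.lower()
            by_type[kind].setdefault(key, set()).add(source)
    return by_type, unsupported


def output(by_type, kind):
    """CIF-style 'output by type': sorted (indicator, [sources]) pairs for one type."""
    return [(ind, sorted(srcs)) for ind, srcs in sorted(by_type[kind].items())]


if __name__ == "__main__":
    grouped, rejected = normalize(FEEDS)
    for kind in SUPPORTED:
        print(kind, output(grouped, kind))
    print("unsupported", rejected)
```

The per-indicator source set is what makes the output useful beyond a flat list: an indicator seen in several independent feeds is a stronger signal than one seen in a single feed, and the unsupported list shows exactly what a four-type tool discards.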

Page 29: CIF Architecture

Page 30: F3EAD

• A target-centric approach to intelligence analysis
• Bridge between operations and intelligence
• a.k.a. "Hunting"

Page 31: Conclusion

• TI is closely related to traditional intelligence
• Models help but have limitations
• The quality of your TI directly influences the quality of your response
• Tools to store, analyze, and share intelligence exist, but there's room for improvement

Page 32: References

• http://sroberts.github.io
• http://direct.tomchop.me/slides
• http://frodehommedal.no/presentations/first-tc-oslo-2015
• https://www.mwrinfosecurity.com/system/assets/909/original/Threat_Intelligence_Whitepaper.pdf
• Google

Page 33: Q & A

Thank you,
Sandeep Singh – Chapter Leader, OWASP Delhi & null
[email protected]@null.co.in@Sandy1sm