Intelligence Intelligence (Uber)

Post on 14-Apr-2017


Transcript of Intelligence Intelligence (Uber)

INTELLIGENCE INTELLIGENCE

IMT 553 - FINAL PROJECT

Presented by:

Divya Kothari, Karthik Krishnamurthy

Nausheen Jawed, Navin Hegde

Sandeep Bhat

(For educational purposes only)

SOURCES OF THREATS/RISKS

1. People

2. Process

3. External events

4. Technology

From an Information Assurance perspective, we chose to concentrate on Technology-related risks.

Scope: Since Uber's business runs over its network, the scope of our project is Network Security.

CRITICAL ASSETS

1. Software - Uber Application

2. Database server

3. Public facing servers

4. Internal servers

5. Directory (Access Management System)

6. Customer base

Observable Types

According to Kaspersky, the two main sources of threat penetration are:

- Internet

- Email

In this context, the observable types we chose are:

1. IP address

2. Domain names

3. Email and email artifacts

IP Address - Desired State

1. Prevent access to dangerous hosts

2. Prevent dangerous hosts from accessing external facing systems

Integrating IP Address in a Risk Management Program

Risk:

1. Unauthorized access to confidential company information

2. Unauthorized access to customer database

3. Systems unavailability

Major Risk Driver:

Compromise of network security

Methods for IP compromise:

1. Eavesdropping

2. IP Spoofing

3. Data Modification

4. Man in the middle attack

Mitigation Plan:

IP Blacklisting


IP Address - Validating Sources

Factors used to validate the source:

1. No. of entries in the source

2. Diversity in the Geo-location of the IP address

3. False positive (to verify integrity of sources)

IP Address - Validating Sources

Step 1: Take three IP address sources

Step 2: Count the number of entries in each source

Step 3: By random sampling, we chose 5% of the IPs from each list

Step 4: Find the geo-location of the chosen IPs using mxtoolbox

Step 5: Group the geo-location of the IPs by continent

Step 6: Check for false positives among the samples chosen

Step 7: Assign a weighted score to the factors that have been used to validate the source

Step 8: Give a relative total score to each source based on the weight of the metrics

IP Address - Demo

IP Address - Demo Result

Metrics                        Source 1             Source 2             Source 3
                               Score  Weighted      Score  Weighted      Score  Weighted
No. of entries (0.5)           3      3*0.5 = 1.5   2      2*0.5 = 1     1      1*0.5 = 0.5
Diversity (geolocation) (0.3)  3      3*0.3 = 0.9   2      2*0.3 = 0.6   1      1*0.3 = 0.3
False positive (0.2)           2      2*0.2 = 0.4   2      2*0.2 = 0.4   2      2*0.2 = 0.4
Total score                           2.8                  2                    1.2

Domain Names - Desired State

1. Prevent access to malicious domains

2. Prevent spam emails originating from malicious domains

3. Prevent emails that have phishing links

Integrating Domain Names in a Risk Management Program

Risk:

1. Unauthorized access to confidential company information

2. Unauthorized access to customer database

3. Systems unavailability

Risk Drivers:

1. Inbound compromise - could be through phishing emails sent from malicious domains.

2. Outbound compromise - could occur through employees trying to access these domains.

Mitigation Plan: Domain Name Blacklisting

Domain Names - Validating Sources

Factors used to validate the source:

1. No. of entries in the source

2. False positive (to verify integrity of sources)

Domain Names - Validating Sources

Step 1: Take three domain name sources

Step 2: Count the number of entries in each source

Step 3: By random sampling, we chose 5% of the domain names from each list

Step 4: Check the validity of the domain names using mxtoolbox

Step 5: Assign a weighted score to the factors that have been used to validate the source

Step 6: Give a relative total score to each source based on the weight of the metrics

Domain Names - Sample Toolbox

Domain Names - Demo Result

Metrics                   Source 1             Source 2             Source 3
                          Score  Weighted      Score  Weighted      Score  Weighted
No. of entries (0.6)      2      2*0.6 = 1.2   3      3*0.6 = 1.8   1      1*0.6 = 0.6
False positive (0.4)      2      2*0.4 = 0.8   1      1*0.4 = 0.4   3      3*0.4 = 1.2
Total score                      2                    2.2                  1.8
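As an added example (not part of the original presentation), the validation steps for both the IP sources and the domain sources above, carried through in Python: count entries, draw the 5% sample, measure continent diversity and the false-positive rate as raw metrics, give each source an ordinal score per metric, then apply the weights and total them exactly as the two demo tables do. The feeds, the lookup function standing in for the mxtoolbox check, and the tie handling in rank() are assumptions made for this example.

```python
import random

# Metric weights taken from the slides' two demo tables.
IP_WEIGHTS = {"entries": 0.5, "diversity": 0.3, "false_positive": 0.2}
DOMAIN_WEIGHTS = {"entries": 0.6, "false_positive": 0.4}
LOWER_IS_BETTER = {"false_positive"}  # fewer false positives = more trustworthy feed

def sample(entries, fraction=0.05, seed=0):
    """Step 3: reproducible random sample of `fraction` of a list (at least one item)."""
    k = max(1, round(len(entries) * fraction))
    return random.Random(seed).sample(entries, k)

def measure_ip_source(entries, lookup):
    """Steps 2 and 4-6 for one IP feed. `lookup(ip)` returns (continent, is_false_positive);
    the slides used mxtoolbox for this, here it is an injected function (assumption)."""
    picked = sample(entries)
    results = [lookup(ip) for ip in picked]
    return {"entries": len(entries),
            "diversity": len({continent for continent, _ in results}),
            "false_positive": sum(bad for _, bad in results) / len(picked)}

def rank(values, higher_is_better=True):
    """Ordinal score per source: best gets len(values) (3 of 3 sources), worst 1; ties share."""
    order = sorted(set(values.values()), reverse=higher_is_better)
    return {src: len(values) - order.index(v) for src, v in values.items()}

def weighted_total(scores, weights):
    """Steps 7-8: multiply each ordinal score by its weight and sum (one table column)."""
    return round(sum(scores[m] * weights[m] for m in weights), 2)

def score_sources(raw, weights):
    """Rank every metric across all sources, then compute the weighted total per source."""
    ranked = {m: rank({s: raw[s][m] for s in raw}, m not in LOWER_IS_BETTER) for m in weights}
    return {s: weighted_total({m: ranked[m][s] for m in weights}, weights) for s in raw}

# Constructed feeds (documentation ranges, not the real lists in the appendix) and a
# constructed lookup standing in for the mxtoolbox geo-location / validity check.
FEEDS = {"Source 1": [f"203.0.113.{i}" for i in range(1, 101)],
         "Source 2": [f"198.51.100.{i}" for i in range(1, 61)],
         "Source 3": [f"192.0.2.{i}" for i in range(1, 21)]}
CONTINENTS = ["Asia", "Europe", "North America", "Africa", "South America"]
SPREAD = {"203.0.113": 5, "198.51.100": 2, "192.0.2": 1}  # continents each feed spans

def fake_lookup(ip):
    prefix, host = ip.rsplit(".", 1)
    return CONTINENTS[int(host) % SPREAD[prefix]], int(host) % 10 == 0  # every 10th IP is benign

def run_ip_demo():
    raw = {name: measure_ip_source(ips, fake_lookup) for name, ips in FEEDS.items()}
    return score_sources(raw, IP_WEIGHTS)
```

For the domain demo, feed `score_sources` a raw dict with only `entries` and `false_positive` per source together with `DOMAIN_WEIGHTS`.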

Email artifacts - Desired State

1. Prevent emails that have phishing links (move to spam)

2. Prevent emails with malicious attachments

Email Artifacts - Validating Sources

It's helpful to validate as many aspects of the email address as possible:

- the syntax

- the email against a list of bad email addresses

- the domain against a list of bad domains

- a list of mailbox domains

- whether or not the domain exists

- whether there are MX records for the domain

- and finally, through SMTP, whether or not a mailbox exists

Priority list of observable types

1. IP Address

2. Domain Names

3. Email and email artifacts

Limitations

1. Random Sampling

2. Not enough factors considered

3. Not taking subnets into IP consideration

Recommendations

1. Periodic assessment of effectiveness of sources

2. Intelligence framework should be complementary

3. Update sources based on newly identified threats

4. Employee awareness programs

5. Incident Response Team

APPENDIX

Following are the six primary cyber intelligence resources we used to test our methodology:

FOR DOMAIN NAME:

● http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt

● https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist

● http://malc0de.com/bl/BOOT

FOR IP ADDRESSES:

● http://www.blocklist.de/lists/apache.txt

● http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

● http://rules.emergingthreats.net/open/suricata/rules/compromised-ips.txt

BIBLIOGRAPHY

Content:

● Juzenaite, R. (5 August 2015). “The Most Hacker-Active Countries”. InfoSec Institute. Accessed 10 May 2016. Retrieved from: http://resources.infosecinstitute.com/the-most-hacker-active-countries-part-i/

● Kaspersky Lab Support. “Safety 101: Main sources of threats penetration”. Kaspersky Lab. Accessed 16 May 2016. Retrieved from: http://support.kaspersky.com/us/viruses/general/789#block2

● Lam, James (2003). “Enterprise Risk Management: From Incentives to Controls”. Hoboken, NJ: Wiley (Print). Accessed 2 May 2016.

● Microsoft TechNet (21 January 2005). “Security Issues with IP”. Microsoft TechNet. Accessed 7 May 2016. Retrieved from: https://technet.microsoft.com/en-us/library/cc783463(v=ws.10).aspx

Image Credits:

● https://play.google.com/store/apps/details?id=com.ubercab

● http://www.technobuffalo.com/2014/08/12/uber-is-about-expand-to-other-apps/

● http://thenextweb.com/insider/2015/07/15/why-uber-is-buying-map-companies/

● http://techcrunch.com/2014/01/09/big-uberx-price-cuts/

● http://www.post-gazette.com/business/legal/2015/03/18/Uber-and-Lyft-face-independent-contractor-challenge/stories/201503170013

● https://newsroom.uber.com/app-updates-for-deaf-and-hard-of-hearing-partners/

● http://www.grossingerhyundainorth.com/uber/

Thank you. Questions?