Threat Intel Sharing: Deciphering the APTs secret handshakes


Presentation Transcript


  1. Threat Intel Sharing: Deciphering the APTs secret handshakes Adam Lange Mark Manglicmot

  2. Adam Lange & Mark Manglicmot
  Adam Lange
  • Senior Consultant at Delta Risk LLC
  • CISM, GCIA, GSEC, GCIH, CEH, Sec+
  • Advanced threat consulting & counter-APT team building for Fortune 500s, the federal government, and allied governments
  Mark Manglicmot
  • Senior Consultant in Ernst & Young’s Advanced Security Center
  • CISSP, GCIH, CEH, Sec+
  • Advanced threat, incident response, & SOC consulting
  @LangeSecurity @MGManglicmot

  3. The Data Doesn’t Lie! • Past habits can help predict future behavior • By analyzing data trends over time, Target could tell a 15-year-old girl was pregnant before her family knew

  4. The Problems Defenders Face • There is no delineation between routine incidents and incidents that may be APT activity • Advanced adversaries evolve faster than we can • Industry improvements are being made all the time, but integration into government operations tends to lag behind • We don’t have all the processes, tools, and understanding to take on APT actors

  5. Demystifying Threat Intel Everyone has it!

  6. The Role of Intel • Major driver to catch the top tier of threat • Detection • Prevention • Response • Types of Intel • Behavioral • Indicators

  7. APT is bad stuff • APT makes up 20% of workload • 80% is “garbage” • What is the difference? • There is no “APT differentiation analyst” • Targets industries whose intellectual property provides a strategic advantage for the attacker • Intelligence on APT actors comes from three major areas: • Internally derived • Commercially purchased • Sharing partners

  8. A Quick Look at the Adversaries
  • APT -- strategic gains
  Top 20% -- high impact. The good news is that because they tend to repeat attacks with recycled tactics, organizations can trend their behavior over time.
  • Cyber crime -- financial gains
  • Hacktivists -- sociopolitical gains
  Bottom 80% -- lower impact. They don’t trend well, so mitigate and move on.
  • Script kiddies, college kids, others -- thrill of the exploit, learning the system, generic mayhem

  9. [Chart: Sophistication vs Intel. Vertical axis: Attacker Knowledge and Technology (LOW to HIGH); horizontal axis: Defense Sophistication. Annotations along the curve: “No intel: actors have OPSEC” at the high end, “Plenty of intel: attackers talk too much” in the middle, “No intel: hacks of opportunity” at the low end.]
  Attack techniques plotted from most to least sophisticated: binary encryption, advanced scanning tools, DDoS and distributed attack tools, stealth and anti-audit technologies, session hijacking, sniffers and spoofing, vulnerability exploitation, backdoors, password cracking, password guessing.
  Caption on the upper part of the chart: THESE ATTACKS REQUIRE MORE SOPHISTICATED, BEHAVIORAL, EVENT, AND INFORMATION BASED TOOLS TO DETECT
  Caption on the lower part of the chart: MOST OF THESE ATTACKS CAN BE IDENTIFIED USING TRADITIONAL RULE-BASED TECHNOLOGIES
  Defenses shown: behavior/event capture/analysis, DDoS mitigation, deception operations, firewalls, HIPS, honeynets, IDS/IPS, network traffic analysis, patching, high quality forensics and incident reporting.

  10. Lockheed Martin Perspective This paper (Hutchins, Cloppert, and Amin, “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains”) was published back in 2011 and was the cornerstone of many advances in the DIB (Defense Industrial Base). The intrusion kill chain model and its implications can be studied in depth to understand how to counter advanced adversaries.

  11. Mandiant: APT1 The first major civilian exposé on a state-sponsored group, published in February 2013. It reveals APT1 TTPs and C2 infrastructure. It provided actionable intelligence for every organization to leverage. It is likely that APT1 will have to start over in several organizations; for some orgs, however, it appears that APT1 is conducting business as usual. NOTE: What we really liked about this report was the appendices – they contained all the TECHNICAL INDICATORS needed to actually do something about the threat.

  12. Malware.lu, based in Luxembourg, was able to do some additional deep dives into APT1 activity. Much of this may be illegal to do in the US. The report is worth taking a look at.

  13. [Diagram: adversary profile. Questions: Who? What do they want? How do they attack? Labels: Cultural Threat, Industry Competitor, Innovator, Strategic Interest]

  14. Various Ways to Model Adversaries

  15. An Advanced Adversary Model • Full spectrum cyber operations • More targeted & tactical indicators • Ability to correlate seemingly disparate activities • Metrics and strategic trends

  16. How most defenses work • Detection happens somewhere in the middle of the attacker’s operation • We look for one or two indicators to stop a discrete attack, but the campaign continues

  17. Defensive Campaigns • Two types of defensive campaigning: Adversary-Based Campaign and Event-Driven Campaign • What do these have in common? An event begins and ends at some point; an adversary operation begins and ends at some point • Now, I suddenly realize that the initial attack is NOT success for them, so it’s not failure for me. I have TIME to do something about it…

  18. Elements of ‘Good’ Intel • Tactical: timeliness (<48 hrs), IP, FQDN, file hash • Strategic: trends, vectors, patches/updates, profiles
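The tactical half of that slide, as an added example (not code from the presentation): indicators of the three listed types are loaded with the time they were received, only those still inside the 48-hour window are used, and each hit carries the kill-chain phase attached to the indicator so a single alert can be placed in a campaign. The feed, the timestamp and the three log lines are constructed.

```python
"""Tactical indicator matching with the 48-hour freshness rule from the slide."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FRESHNESS = timedelta(hours=48)   # the "<48 hrs" timeliness element


@dataclass(frozen=True)
class Indicator:
    kind: str            # "ip", "fqdn" or "md5"
    value: str
    received: datetime   # when the indicator reached us
    source: str          # internal / vendor / sharing partner
    phase: str           # kill-chain phase it relates to


# fixed "now" so the example is repeatable (constructed)
NOW = datetime(2013, 5, 1, 12, 0, tzinfo=timezone.utc)


def load_indicators(now: datetime = NOW) -> list:
    """Constructed feed: three fresh indicators and one that is five days old."""
    return [
        Indicator("ip", "203.0.113.77", now - timedelta(hours=3), "partner", "command-and-control"),
        Indicator("fqdn", "update.example-cdn.test", now - timedelta(hours=20), "internal", "command-and-control"),
        Indicator("md5", "0123456789abcdef0123456789abcdef", now - timedelta(hours=6), "vendor", "installation"),
        Indicator("ip", "198.51.100.9", now - timedelta(days=5), "vendor", "delivery"),
    ]


def fresh(indicators, now: datetime = NOW) -> list:
    """Drop anything older than the freshness window before it is used for detection."""
    return [i for i in indicators if now - i.received <= FRESHNESS]


IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-f]{32}\b")
HOST_RE = re.compile(r"host=([A-Za-z0-9.-]+)")


def extract(line: str) -> list:
    """Candidate (kind, value) pairs in one log line, lower-cased for comparison."""
    found = {("ip", ip) for ip in IP_RE.findall(line)}
    found |= {("md5", h) for h in MD5_RE.findall(line.lower())}
    found |= {("fqdn", h.lower()) for h in HOST_RE.findall(line)}
    return sorted(found)


# constructed log lines: a proxy hit on the C2 pair, an EDR file event, and a proxy hit on the stale IP
SAMPLE_LOGS = [
    "2013-05-01T11:58:02Z proxy src=10.1.4.22 dst=203.0.113.77 host=update.example-cdn.test uri=/a.gif",
    "2013-05-01T11:59:40Z edr ws=WS0412 file=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svch0st.exe md5=0123456789ABCDEF0123456789abcdef",
    "2013-05-01T12:00:05Z proxy src=10.1.4.23 dst=198.51.100.9 host=mail.example.test uri=/",
]


def match_logs(lines, indicators, now: datetime = NOW) -> list:
    """Return (line, indicator) pairs for every fresh indicator seen in the lines."""
    index = {(i.kind, i.value.lower()): i for i in fresh(indicators, now)}
    return [(line, index[key]) for line in lines for key in extract(line) if key in index]


if __name__ == "__main__":
    for line, ind in match_logs(SAMPLE_LOGS, load_indicators()):
        print(f"[{ind.phase}] {ind.kind}={ind.value} from {ind.source}: {line[:60]}")
```

The stale delivery-phase IP appears in the third log line but produces no hit; whether a five-day-old indicator should be kept for retrospective hunting rather than discarded is a separate decision from whether it belongs in real-time detection.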

  19. The Government • Common complaint: “It’s all classified” • The good news: it doesn’t really matter • Look at intel from a SIGINT perspective • The government tries to share what it can • http://en.wikipedia.org/wiki/List_of_intelligence_gathering_disciplines

  20. Industry Methods • Sock puppets • Collective Intelligence Framework

  21. OpenIOC
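The slide names OpenIOC without showing what one looks like. The following is an added example, not code from the presentation or from Mandiant: a small evaluator for the OpenIOC 1.0 layout (nested Indicator elements carrying AND/OR operators around IndicatorItem leaves, each with a Context search term and a Content value). The IOC document and the host artifact records are constructed, and only the "is" and "contains" conditions are implemented.

```python
"""Evaluate an OpenIOC 1.0 definition against per-host artifact records."""
import xml.etree.ElementTree as ET

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}

# constructed IOC: match on the dropper hash, OR on a renamed binary seen together with its beacon domain
SAMPLE_IOC = """<?xml version="1.0"?>
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="constructed-0001">
  <short_description>Constructed example: dropper hash, or renamed binary plus beacon domain</short_description>
  <definition>
    <Indicator operator="OR">
      <IndicatorItem condition="is">
        <Context document="FileItem" search="FileItem/Md5sum"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND">
        <IndicatorItem condition="contains">
          <Context document="FileItem" search="FileItem/FileName"/>
          <Content type="string">svch0st</Content>
        </IndicatorItem>
        <IndicatorItem condition="is">
          <Context document="Network" search="Network/DNS"/>
          <Content type="string">update.example-cdn.test</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>
"""


def _leaf(item, host) -> bool:
    """One IndicatorItem: compare its Content against every observed value for its search term."""
    cond = item.get("condition")
    search = item.find("ioc:Context", NS).get("search")
    want = item.find("ioc:Content", NS).text.strip().lower()
    seen = [v.lower() for v in host.get(search, [])]
    if cond == "is":
        return want in seen
    if cond == "contains":
        return any(want in v for v in seen)
    raise ValueError(f"unsupported condition {cond!r}")


def _node(node, host) -> bool:
    """Recursive AND/OR over a node's children; an Indicator with no children matches nothing."""
    op = node.get("operator", "OR").upper()
    results = []
    for child in node:
        tag = child.tag.rsplit("}", 1)[-1]
        if tag == "IndicatorItem":
            results.append(_leaf(child, host))
        elif tag == "Indicator":
            results.append(_node(child, host))
    if not results:
        return False
    return all(results) if op == "AND" else any(results)


def evaluate_ioc(xml_text: str, host: dict) -> bool:
    """True when the host's artifacts satisfy the IOC's top-level Indicator."""
    root = ET.fromstring(xml_text)
    return _node(root.find("ioc:definition/ioc:Indicator", NS), host)


# constructed host records, keyed by OpenIOC search term
HOSTS = {
    "ws0412": {"FileItem/Md5sum": ["0123456789ABCDEF0123456789abcdef"],
               "FileItem/FileName": ["svch0st.exe"]},
    "ws0413": {"FileItem/FileName": ["svch0st.exe"],
               "Network/DNS": ["mail.example.test"]},
    "ws0414": {"FileItem/FileName": ["SVCH0ST.EXE"],
               "Network/DNS": ["update.example-cdn.test"]},
    "ws0415": {"FileItem/FileName": ["svchost.exe"],
               "Network/DNS": ["update.example-cdn.test"]},
}


def scan(hosts=HOSTS, ioc=SAMPLE_IOC) -> set:
    """Names of the hosts on which the IOC fires."""
    return {name for name, artifacts in hosts.items() if evaluate_ioc(ioc, artifacts)}


if __name__ == "__main__":
    print(sorted(scan()))
```

The AND branch is what makes a shared IOC more than a hash list: ws0413 has the renamed binary but talks to an unrelated host and does not fire, while ws0414 has both the binary and the beacon domain and does.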

  22. How reliable is it? Analysis of Competing Hypotheses

  23. Intel & SOC/CERT Integration [Diagram linking Threat Intel to the SOC/CERT functions shown: RTA, Countermeasures, Investigation, ATA, Digital Forensics]

  24. Learning & sharing: Where to start • Start small • Look in the mirror • Friends (real, not imaginary) • Read! • Get involved • ISACs • Local FBI office (InfraGard) • Join the online communities

  25. What are the next steps? • Try to understand who is interested in you • Not always necessary to get 100% attribution • Understand that once you are targeted by APT, you will forever be on their target cycle list • Continue to iterate: that’s what the APT does • Shorten the Kill Chain

  26. What You’ll Gain • Ask the right questions…generate the right metrics • Not just “We had 27 ‘incidents’ this month” • Trends: • These guys only attack us when we do some conference • Group X only attacks when specific 0-days are published • Group Y is only active between these hours • Group Z never attacks during “insert country” holidays (e.g., Cinco de Mayo)
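How the trends on that slide are actually produced from an incident log, as an added example (not from the presentation): per-group hour-of-day profiles answer the "only active between these hours" question, and a correlation against a calendar of public events answers the "only attacks when X is published" question. The incident log, group names and event calendar are all constructed; the three-day window is an assumption.

```python
"""Turn an incident log with group attribution into the trend metrics on the slide."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%MZ").replace(tzinfo=timezone.utc)


# constructed incident log: (attributed group, UTC time of first malicious activity)
INCIDENTS = [
    ("Group Y", "2013-02-04T01:10Z"), ("Group Y", "2013-02-06T03:45Z"),
    ("Group Y", "2013-02-19T02:20Z"), ("Group Y", "2013-03-05T04:05Z"),
    ("Group Y", "2013-03-12T01:55Z"), ("Group Y", "2013-03-26T03:30Z"),
    ("Group X", "2013-02-13T14:00Z"), ("Group X", "2013-03-14T09:30Z"),
    ("Group X", "2013-03-15T16:20Z"), ("Group X", "2013-04-10T11:00Z"),
]

# constructed calendar of public events to test a trend against
EVENTS = [
    ("patch-release", "2013-02-12T18:00Z"),
    ("patch-release", "2013-03-12T18:00Z"),
    ("patch-release", "2013-04-09T18:00Z"),
    ("conference-talk", "2013-03-26T16:00Z"),
]


def active_hours(incidents, group: str) -> Counter:
    """UTC hour-of-day histogram for one group."""
    return Counter(_parse(ts).hour for g, ts in incidents if g == group)


def hour_window(incidents, group: str):
    """Smallest (first, last) UTC hour range containing every incident of the group."""
    hours = sorted(active_hours(incidents, group))
    return (hours[0], hours[-1]) if hours else None


def event_correlation(incidents, events, group: str, window=timedelta(days=3)):
    """Fraction of the group's incidents starting within `window` after some event,
    plus a Counter of which event types they followed."""
    starts = [_parse(ts) for g, ts in incidents if g == group]
    event_times = [(name, _parse(ts)) for name, ts in events]
    linked, by_event = 0, Counter()
    for s in starts:
        followed = [n for n, e in event_times if timedelta(0) <= s - e <= window]
        if followed:
            linked += 1
            by_event.update(followed)
    return (linked / len(starts) if starts else 0.0), by_event


if __name__ == "__main__":
    for group in ("Group X", "Group Y"):
        share, by_event = event_correlation(INCIDENTS, EVENTS, group)
        print(group, "active hours (UTC):", hour_window(INCIDENTS, group),
              f"| {share:.0%} of incidents within 3 days of an event", dict(by_event))
```

On the constructed data Group Y clusters in a narrow overnight UTC window and never follows a calendar event, while every Group X incident lands within three days of a patch release; those are the two kinds of statement the slide wants you to be able to make, and neither needs attribution beyond a consistent group label.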

  27. Impacts • Work smarter, not harder • Improves efficiency • Drives targeted investment • Ultimately improves security, and protects the business “By leveraging threat intelligence, you can tactically and strategically campaign against the APT and defend your business.”

  28. Thanks for your time Questions? Follow us on Twitter! @LangeSecurity @MGManglicmot
