Cyber Threat Intelligence. IRMA, June 13th, 2017. Mike Small CEng, FBCS, CITP, Senior Analyst, KuppingerCole, [email protected]
Page 1


Page 2

Agenda

• The Cyber Challenge

• Cyber Threat Intelligence

• Building Threat Intelligence

• Sharing Threat Intelligence

• Summary

Page 3

THE CHALLENGE

On average, the time between an organization's IT systems being infiltrated and the organization becoming aware of it is 200 days.

Page 5

Behind the Cyber Challenge

© KuppingerCole 6

The adversaries work together, so should we!

6/13/2017

Source: Cloutier, Borderless Cyber Europe 2016

Page 6

Organizations need Cyber-Intelligence

Organizations are collecting massive amounts of data but need intelligence to exploit it.

Page 7

Sharing Cyber-Threat Intelligence

Sharing needs standards. There have been many initiatives:

• OpenIOC (Open Indicators of Compromise, from Mandiant)

• VERIS (Vocabulary for Event Recording and Incident Sharing)

• CybOX (Cyber Observable eXpression, since folded into STIX 2.x as its observable objects)

• IODEF (Incident Object Description Exchange Format, RFC 7970)

• TAXII (Trusted Automated eXchange of Indicator Information)

• STIX (Structured Threat Information Expression)

• TLP (Traffic Light Protocol)

• OTX (AlienVault Open Threat Exchange)

• CIF (Collective Intelligence Framework)

Page 8

WHAT IS THREAT INTELLIGENCE

"Only through a balanced understanding of both the adversary and ourselves can we understand enough about the true nature of the threats we face to make intelligent defensive decisions." OASIS Cyber Threat Intelligence (CTI) Technical Committee Charter

Page 9

Knowing your adversary's plans can help win battles

According to Herodotus, in 480 BC Demaratus sent a message warning Sparta of the Persian plan to invade Greece, hidden under the wax of a blank writing tablet.

Image digitally reproduced with the permission of the Papyrology Collection, University of Michigan Library.

Page 10

Kinds of Cyber-Threat Intelligence

Strategic

• Who are the adversaries?

• What are their objectives?

• What are their campaigns?

Tactical

• Tactics, Techniques and Procedures (TTPs) used

• Specific observables

Page 11

Strategic Cyber-Threat Intelligence

Adversary: PRC Army (the PLA)

Objectives: to steal US intellectual property

Campaigns: against US companies

Source: the 2014 US Department of Justice indictment of five PLA officers for computer intrusions against US companies

Page 12

Intel Driven Defence – Lockheed Martin 2010 (Hutchins, Cloppert and Amin)

"The evolution of advanced persistent threats necessitates an intelligence-based model because in this model the defenders mitigate not just vulnerability, but the threat component of risk, too."

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Intelligence is based on Indicators:

• Observed

• Computed

• Shared

(The Lockheed Martin paper itself classes indicators as atomic, computed and behavioral; the three terms above describe where an indicator comes from rather than what kind it is.)

Page 13

Tactical Cyber-Threat Intelligence

"Information about threats, TTPs, and devices that adversaries employ; the systems and information that they target; and any other threat-related information that provides greater situational awareness." Thomas Schreck, Siemens CERT, Borderless Cyber Europe

To be useful, tactical intelligence must be:

• Timely

• Relevant

• Accurate

• Specific

• Actionable

Page 14

Types of Indicator

IOE

• Indicators of Exposure (aka vulnerabilities)

• Common Vulnerabilities and Exposures (CVE)

• Example: a missing patch

IOC

• Indicators of Compromise

• Signatures of an attack in progress

• Example: a file hash (note that a hash identifies one exact file, so it is also the cheapest indicator for an adversary to change; recompiling or repacking the tool defeats it)

Page 15

Cyber Kill Chain

Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, Actions on Objectives

Different indicators for different stages in the adversary process.

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Page 16

BUILDING THREAT INTELLIGENCE

For a cyber attack to be economical, adversaries must re-use tools and infrastructure. By building intelligence on these, defenders force adversaries to change their approach.

Page 17

Diamond Model

The basic atomic model of cyber intrusions: an event is a diamond whose four vertices are the Adversary, the Capability, the Infrastructure and the Victim.

• Caltagirone, Sergio; Pendergast, Andrew; Betz, Christopher. Center for Cyber Intelligence Analysis and Threat Research, July 2013

• http://www.dtic.mil/docs/citations/ADA586960

Page 18

Grizzly Steppe – Kill Chain Model

Reconnaissance, Weaponize, Delivery, Exploitation, Installation, C2 (Command and Control), Actions on Objectives

https://www.us-cert.gov/sites/default/files/publications/JAR_16-20296A_GRIZZLY%20STEPPE-2016-1229.pdf

http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf

Page 19

A Model to Describe Indicators

Structured Threat Information Expression (STIX) provides a machine-readable interchange format. Indicators, campaigns, threat actors, tools and courses of action are separate objects, linked by relationship objects ("indicates", "attributed-to", "uses", "mitigates"), so a recipient can follow an indicator back to who is behind it and forward to what to do about it.

• STIX Relationships | STIX Project Documentation

Page 20

Building the Intelligence

Analysis of several data breaches shows:

• an email with a common subject line

• targeting bank employees

• as part of a campaign

• using specific tools

• by a known group

which yields a shared description of the threat and the action you can take.

Page 21

Actionable Intelligence

The information built from the previous incidents leads to actionable intelligence: the targeted industry, the email subject line, the known threat, the tools used, and the action to take.
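The chain on this slide (a campaign by a known group, using specific tools, against bank employees, with an indicator and an action) is exactly what STIX is designed to carry. The following Python is an added example, not code from the slides or from KuppingerCole. It builds such a STIX 2.1 bundle with the standard library alone (in practice the stix2 library does this part), evaluates the indicators' patterns against a few constructed local observations using a deliberately small evaluator that handles one observation expression with comparisons joined by AND/OR, and then walks the relationships from a matched indicator to its course of action. The group name, tool name, subject line, hash and course-of-action text are all constructed.

```python
"""Added example: the slide's intelligence chain as a STIX 2.1 bundle, a small evaluator
for STIX indicator patterns, and the walk from a matched indicator to its course of action.
Standard library only (the stix2 library normally builds the bundle); all data constructed."""
import re
import uuid

NOW = "2017-06-13T00:00:00.000Z"
DROPPER_SHA256 = "ab" * 32          # constructed placeholder hash, not a real sample
KILL_CHAIN = "lockheed-martin-cyber-kill-chain"

def sdo(stix_type, **props):
    """A STIX 2.1 object with the required common properties."""
    return {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
            "created": NOW, "modified": NOW, **props}

def rel(src, rel_type, dst):
    return sdo("relationship", relationship_type=rel_type, source_ref=src["id"], target_ref=dst["id"])

def build_bundle():
    """Group, campaign, tool, victims, two indicators and two courses of action (all constructed)."""
    actor = sdo("threat-actor", name="Example Group (hypothetical)", threat_actor_types=["crime-syndicate"])
    campaign = sdo("campaign", name="Bank employee phishing (constructed)")
    tool = sdo("tool", name="ExampleRAT (hypothetical)", tool_types=["remote-access"])
    victims = sdo("identity", name="Bank employees", identity_class="class", sectors=["financial-services"])
    ind_mail = sdo("indicator", name="Phishing subject line", pattern_type="stix", valid_from=NOW,
                   indicator_types=["malicious-activity"],
                   pattern="[email-message:subject = 'Invoice 2017-06 overdue']",
                   kill_chain_phases=[{"kill_chain_name": KILL_CHAIN, "phase_name": "delivery"}])
    ind_hash = sdo("indicator", name="ExampleRAT dropper hash", pattern_type="stix", valid_from=NOW,
                   indicator_types=["malicious-activity"],
                   pattern=f"[file:hashes.'SHA-256' = '{DROPPER_SHA256}' AND file:size > 1000]",
                   kill_chain_phases=[{"kill_chain_name": KILL_CHAIN, "phase_name": "installation"}])
    coa_mail = sdo("course-of-action", name="Quarantine mail with this subject")
    coa_hash = sdo("course-of-action", name="Block dropper hash at endpoints")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": [
        actor, campaign, tool, victims, ind_mail, ind_hash, coa_mail, coa_hash,
        rel(campaign, "attributed-to", actor), rel(campaign, "uses", tool),
        rel(campaign, "targets", victims), rel(ind_mail, "indicates", campaign),
        rel(ind_hash, "indicates", tool), rel(coa_mail, "mitigates", ind_mail),
        rel(coa_hash, "mitigates", tool)]}

# --- STIX pattern evaluation: one observation expression, comparisons joined by AND / OR ---
_CMP = re.compile(r"(?P<path>[\w-]+:[\w.'-]+)\s*(?P<op>=|!=|>=|<=|>|<)\s*(?P<lit>'[^']*'|-?\d+)")
_OPS = {"=": lambda a, b: a == b, "!=": lambda a, b: a != b, ">": lambda a, b: a > b,
        "<": lambda a, b: a < b, ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

def _resolve(observed, path):
    """Walk an object path such as file:hashes.'SHA-256' into the observed dict; None if absent."""
    obj_type, _, props = path.partition(":")
    if observed.get("type") != obj_type:
        return None
    cur = observed
    for quoted, plain in re.findall(r"'([^']*)'|([^.]+)", props):
        key = quoted or plain
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def _compare(expr, observed):
    m = _CMP.fullmatch(expr.strip())
    if not m:
        raise ValueError(f"unsupported comparison: {expr!r}")
    value = _resolve(observed, m["path"])
    literal = m["lit"][1:-1] if m["lit"].startswith("'") else int(m["lit"])
    try:
        return value is not None and _OPS[m["op"]](value, literal)
    except TypeError:            # e.g. a string property compared with a number
        return False

def match_pattern(pattern, observed):
    """True if the observed object satisfies the pattern; AND binds tighter than OR."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("only a single observation expression is supported")
    return any(all(_compare(c, observed) for c in re.split(r"\s+AND\s+", term))
               for term in re.split(r"\s+OR\s+", body[1:-1]))

def match_bundle(bundle, observed_objects):
    """{indicator name: [matching observed objects]} for every STIX-pattern indicator in the bundle."""
    hits = {}
    for obj in bundle["objects"]:
        if obj["type"] == "indicator" and obj.get("pattern_type") == "stix":
            matched = [o for o in observed_objects if match_pattern(obj["pattern"], o)]
            if matched:
                hits[obj["name"]] = matched
    return hits

def courses_of_action(bundle, indicator_name):
    """Names of course-of-action objects that mitigate the indicator or whatever it indicates."""
    by_id = {o["id"]: o for o in bundle["objects"]}
    rels = [o for o in bundle["objects"] if o["type"] == "relationship"]
    ind = next(o for o in bundle["objects"] if o["type"] == "indicator" and o["name"] == indicator_name)
    targets = {ind["id"]} | {r["target_ref"] for r in rels
                              if r["source_ref"] == ind["id"] and r["relationship_type"] == "indicates"}
    return sorted(by_id[r["source_ref"]]["name"] for r in rels
                  if r["relationship_type"] == "mitigates" and r["target_ref"] in targets)

# Constructed local observations: the phishing mail, the dropper, and an unrelated file.
OBSERVED = [
    {"type": "email-message", "subject": "Invoice 2017-06 overdue"},
    {"type": "file", "hashes": {"SHA-256": DROPPER_SHA256}, "size": 4096},
    {"type": "file", "hashes": {"SHA-256": "cd" * 32}, "size": 512},
]

if __name__ == "__main__":
    bundle = build_bundle()
    for name, matched in match_bundle(bundle, OBSERVED).items():
        print(f"{name}: {len(matched)} hit(s) -> {courses_of_action(bundle, name)}")
```

The evaluator is intentionally limited to what the two indicators need; a production matcher would use a full STIX patterning implementation, which also handles observation operators, qualifiers such as WITHIN, and MATCHES with regular expressions.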

Page 22

Courses of Action

Understanding the kill chain allows you to take action to pre-empt the next step. The Lockheed Martin paper's course-of-action matrix maps each kill chain stage to six possible actions: Detect, Deny, Disrupt, Degrade, Deceive, Destroy.

Page 23

SHARING THREAT INTELLIGENCE

We need a system where actionable Cyber Threat Information is shared among private and public organizations.

Page 24

Barriers to Sharing Threat Intelligence

Trust

• Building trust between groups to enable sharing

Legal

• Liability and privacy issues related to sharing

Technical

• Standards and trusted communications

Page 25

Communities of Trust

CERT, ISAC, NIST, ENISA, Black Hat, FIRST, vendors, law enforcement, ... (for example CERT UK, whose functions moved into the NCSC in 2016)

Your organization cannot create threat intelligence on its own. Sharing is essential to meet the challenges.

Page 26

Legal Challenges to sharing

• Many different privacy laws

• Bilateral sharing agreements

• Liability for shared data

• Control over intellectual property

Page 27

Traffic Light Protocol

The Traffic Light Protocol (TLP) was created in order to facilitate greater sharing of information.

• Traffic Light Protocol (TLP)

It is NOT an access control mechanism. The source must trust the recipient.

Colour: how it may be shared

• Red: Recipients may not share TLP:RED information with any parties outside of the specific exchange in which it was originally disclosed.

• Amber: Recipients may only share TLP:AMBER information with members of their own organization, and with others who need to know to protect themselves or prevent further harm.

• Green: Recipients may share TLP:GREEN information with peers and partner organizations but not via publicly accessible channels.

• White: Subject to standard copyright rules, TLP:WHITE information may be distributed without restriction.

(This is TLP 1.0, current in 2017. FIRST's TLP 2.0 of 2022 renamed WHITE to CLEAR and added AMBER+STRICT for the recipient's own organization only.)
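Because TLP is a label rather than an enforcement mechanism, the sharing system that redistributes intelligence has to check the label itself before anything leaves. The following Python is an added example, not code from the slides or from KuppingerCole: it filters a STIX 2.1 bundle before forwarding it to a given audience, using the four fixed TLP marking-definition IDs that the STIX 2.1 specification reserves for TLP 1.0. Unmarked objects are treated as TLP:RED (fail closed), and a relationship is dropped when either end was withheld, so the receiver never sees a dangling reference that leaks the existence of something it was not given. The audience names and the sample bundle are constructed.

```python
"""Added example: enforce TLP handling before redistributing STIX objects.
Constructed data; not the slides' or KuppingerCole's code."""
from enum import IntEnum

class TLP(IntEnum):          # higher value = more restrictive
    WHITE = 0
    GREEN = 1
    AMBER = 2
    RED = 3

# The fixed TLP marking-definition IDs from the STIX 2.1 specification.
TLP_MARKINGS = {
    "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9": TLP.WHITE,
    "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da": TLP.GREEN,
    "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82": TLP.AMBER,
    "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed": TLP.RED,
}
MARKING_ID = {level: mid for mid, level in TLP_MARKINGS.items()}

# Audiences (constructed names) and the most restrictive TLP each may receive, per the table above.
AUDIENCE_LIMIT = {
    "public": TLP.WHITE,          # unrestricted distribution
    "partner": TLP.GREEN,         # peers and partner organizations over non-public channels
    "internal": TLP.AMBER,        # own organization and those who need to know to protect themselves
    "same-exchange": TLP.RED,     # only the parties present at the original disclosure
}

def tlp_of(obj, default=TLP.RED):
    """Most restrictive TLP marking on the object; unmarked objects fail closed to RED."""
    levels = [TLP_MARKINGS[m] for m in obj.get("object_marking_refs", []) if m in TLP_MARKINGS]
    return max(levels, default=default)

def may_share(obj, audience):
    if audience not in AUDIENCE_LIMIT:
        raise ValueError(f"unknown audience {audience!r}")
    return tlp_of(obj) <= AUDIENCE_LIMIT[audience]

def filter_bundle(bundle, audience):
    """Copy of the bundle holding only objects this audience may receive. A relationship survives
    only if both of its ends survive, so no reference to a withheld object is forwarded."""
    kept = [o for o in bundle["objects"] if o["type"] != "relationship" and may_share(o, audience)]
    ids = {o["id"] for o in kept}
    kept += [o for o in bundle["objects"] if o["type"] == "relationship" and may_share(o, audience)
             and o["source_ref"] in ids and o["target_ref"] in ids]
    return {"type": "bundle", "id": bundle["id"], "objects": kept}

def names(bundle):
    """Object names in bundle order (relationships have no name, so their type is used)."""
    return [o.get("name", o["type"]) for o in bundle["objects"]]

def _obj(stix_type, n, name, level=None):
    obj = {"type": stix_type, "spec_version": "2.1",
           "id": f"{stix_type}--00000000-0000-4000-8000-{n:012d}"}
    if name:
        obj["name"] = name
    if level is not None:
        obj["object_marking_refs"] = [MARKING_ID[level]]
    return obj

# Constructed bundle: one object per TLP colour, one unmarked object, and a GREEN relationship
# whose target is RED (so the relationship must be withheld from partners even though it is GREEN).
ADVISORY = _obj("report", 6, "Public advisory", TLP.WHITE)
IND = _obj("indicator", 1, "Phishing subject line", TLP.GREEN)
ACTOR = _obj("threat-actor", 2, "Example Group (hypothetical)", TLP.AMBER)
CAMPAIGN = _obj("campaign", 3, "Bank employee phishing", TLP.RED)
REPORTER = _obj("identity", 4, "Reporting analyst (unmarked)")
LINK = _obj("relationship", 5, None, TLP.GREEN)
LINK.update(relationship_type="indicates", source_ref=IND["id"], target_ref=CAMPAIGN["id"])
SAMPLE_BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000009",
                 "objects": [ADVISORY, IND, ACTOR, CAMPAIGN, REPORTER, LINK]}

if __name__ == "__main__":
    for audience in AUDIENCE_LIMIT:
        print(f"{audience:>13}: {names(filter_bundle(SAMPLE_BUNDLE, audience))}")
```

The same gate generalizes to the IEP framework on the next slide: there the check covers handling, permitted actions, redistribution and licensing rather than a single colour, but the system still has to evaluate the policy itself, because the marking alone stops nothing.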

Page 28

Information Exchange Policy Framework

Intended to facilitate controlled automated sharing. FIRST.org / Global Initiatives / Standards / Information Exchange Policy (IEP)

HANDLING

• Defines obligations or controls on information received, to ensure its confidentiality

ACTION

• Defines the permitted actions or uses of the information by a recipient

SHARING

• Defines any permitted redistribution of information that is received

LICENSING

• Defines any applicable agreements, licenses, or terms of use for the information being shared

Page 29

Automated Sharing - TAXII

Trusted Automated eXchange of Indicator Information (TAXII™) enables secure, authenticated sharing of threat information.

A TAXII server exchanges content with TAXII clients in the three ways shown on the slide: query and response (a client polls the server for new content), publish (a client pushes content to the server) and subscribe (the server pushes new content to subscribed clients).

http://docs.oasis-open.org/cti/taxii/v1.1.1/cs01/part1-overview/taxii-v1.1.1-cs01-part1-overview.pdf
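The document linked above describes TAXII 1.1; TAXII 2.0, first published by OASIS in 2017, replaced its XML message services with a JSON API over HTTPS, and that is what current servers speak. The following Python is an added example, not code from the slides or from KuppingerCole: a minimal TAXII 2.1 collection endpoint served in-process on a loopback port, and a client that polls it the way a subscriber does, with HTTP Basic authentication, the TAXII media type, limit-based paging and an added_after cursor kept between polls. The collection ID, credentials and stored objects are constructed; the server implements only the objects endpoint, and a real deployment runs behind TLS with proper credential management.

```python
"""Added example: a TAXII 2.1 collection served in-process and a polling client.
Constructed data; not the slides' or KuppingerCole's code."""
import base64
import json
import threading
import urllib.error
import urllib.parse
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

TAXII_MEDIA = "application/taxii+json;version=2.1"
API_ROOT = "/api1"
COLLECTION = "91a7b528-80eb-42ed-a74d-c6fbd5a26116"   # constructed collection id
USER, PASSWORD = "analyst", "correct-horse"             # constructed credentials

# Constructed store of (date_added, STIX object), kept in date_added order as TAXII requires.
STORE = [
    ("2017-06-13T08:00:00.000Z", {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000001",
                                  "name": "Phishing subject line"}),
    ("2017-06-13T09:00:00.000Z", {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
                                  "name": "Dropper hash"}),
    ("2017-06-13T10:00:00.000Z", {"type": "course-of-action", "id": "course-of-action--00000000-0000-4000-8000-000000000003",
                                  "name": "Block hash"}),
]

def basic_auth(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

class TaxiiHandler(BaseHTTPRequestHandler):
    """Serves GET {api-root}/collections/{id}/objects/ with the added_after and limit parameters."""

    def log_message(self, *args):      # silence request logging
        pass

    def _send(self, status, body, headers=None):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", TAXII_MEDIA)
        self.send_header("Content-Length", str(len(data)))
        for name, value in (headers or {}).items():
            self.send_header(name, value)
        self.end_headers()
        self.wfile.write(data)

    def do_GET(self):
        # Authenticate first: TAXII leaves access control to the transport (TLS plus HTTP auth).
        if self.headers.get("Authorization") != basic_auth(USER, PASSWORD):
            return self._send(401, {"title": "Unauthorized"}, {"WWW-Authenticate": "Basic"})
        url = urllib.parse.urlparse(self.path)
        if url.path != f"{API_ROOT}/collections/{COLLECTION}/objects/":
            return self._send(404, {"title": "Not Found"})
        query = urllib.parse.parse_qs(url.query)
        after = query.get("added_after", [""])[0]          # exclusive lower bound on date_added
        limit = int(query.get("limit", ["100"])[0])
        pending = [(d, o) for d, o in STORE if d > after]  # ISO-8601 strings sort chronologically
        page = pending[:limit]
        headers = {"X-TAXII-Date-Added-First": page[0][0],
                   "X-TAXII-Date-Added-Last": page[-1][0]} if page else {}
        self._send(200, {"more": len(pending) > limit, "objects": [o for _, o in page]}, headers)

def serve():
    """Start the server on a free loopback port; returns (base_url, server)."""
    server = HTTPServer(("127.0.0.1", 0), TaxiiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return f"http://127.0.0.1:{server.server_address[1]}", server

def poll(base_url, collection, cursor="", limit=100, auth=(USER, PASSWORD)):
    """Fetch every object added after `cursor`; return (objects, new_cursor). While the envelope
    says more=true, the next request uses X-TAXII-Date-Added-Last of the previous page as added_after."""
    objects = []
    while True:
        params = {"limit": limit, **({"added_after": cursor} if cursor else {})}
        req = urllib.request.Request(
            f"{base_url}{API_ROOT}/collections/{collection}/objects/?{urllib.parse.urlencode(params)}",
            headers={"Accept": TAXII_MEDIA, "Authorization": basic_auth(*auth)})
        try:
            with urllib.request.urlopen(req) as resp:
                envelope = json.load(resp)
                last_added = resp.headers.get("X-TAXII-Date-Added-Last")
        except urllib.error.HTTPError as err:
            if err.code == 401:
                raise PermissionError("TAXII server rejected the credentials") from err
            raise
        objects.extend(envelope["objects"])
        if last_added:
            cursor = last_added
        if not envelope.get("more"):
            return objects, cursor

def run_demo():
    """Initial sync forced to page, a later poll that finds nothing new, and a bad-credential attempt."""
    base_url, server = serve()
    try:
        first, cursor = poll(base_url, COLLECTION, limit=2)
        second, cursor2 = poll(base_url, COLLECTION, cursor=cursor)
        try:
            poll(base_url, COLLECTION, auth=(USER, "wrong"))
            rejected = False
        except PermissionError:
            rejected = True
    finally:
        server.shutdown()
        server.server_close()
    return {"first": [o["name"] for o in first], "cursor": cursor, "second": len(second),
            "cursor_unchanged": cursor2 == cursor, "bad_auth_rejected": rejected}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The cursor is the subscriber's state: persist it after each successful poll and the client only ever asks for what it has not yet seen, which is what keeps near real-time sharing cheap for both sides.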

Page 30

Financial Services – Cyber Threat Sharing

FS-ISAC Using STIX and TAXII for CTI Sharing: https://www.oasis-open.org/events/sites/oasis-open.org.events/files/Carlson.pdf

Belgian bank Crelan hit by a 70 million Euro fraud (reportedly Business Email Compromise).

• The Brussels Times - Belgian bank Crelan hit by a 70 million Eur fraud

Head of Austrian aerospace parts maker FACC fired after a cyber fraud that cost 42 million euros.

• Austria's FACC, hit by cyber fraud, fires CEO | Reuters

Page 31

US Department of Homeland Security

Automated, near real-time indicator sharing ecosystem built on STIX/TAXII. Designed to foster widespread sharing of CTI, specifically indicators. Launched in 2014; updated as a result of the Cybersecurity Information Sharing Act of 2015 (CISA).

https://www.oasis-open.org/events/sites/oasis-open.org.events/files/Strusev2.pdf

Page 32

SUMMARY

Shared Cyber Threat Intelligence is essential to effectively protect against Cyber Threats.

Page 33

Summary

• Shared Cyber Threat Intelligence is essential to protect against Cyber Threats.

• Standards make automated sharing more practical.

• Your organization needs to share and exploit CTI.

Page 34

QUESTIONS

Page 35

Kuppinger Cole Ltd. Headquarters: Am Schloßpark 129, 65203 Wiesbaden, Germany. Tel +49 (211) 23 70 77 – 0, Fax +49 (211) 23 70 77 – 11. www.kuppingercole.com

The Future of Information Security – Today. KuppingerCole supports IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

Page 36

Related Research

No. | Type | Title

72528 | Executive View | Emerging Threat Intelligence Standards

71033 | Advisory Note | Real Time Security Intelligence

74001 | Survey | KuppingerCole and BARC Joint Study: Big Data and Information Security

72025 | Advisory Note | Sustainable Infrastructures through IT Compliance