Infosec 2015 - Using threat intelligence to improve security response

Aug 07, 2015

Page 1: Infosec 2015 - Using threat intelligence to improve security response

Using Threat Intelligence to Improve Security Response

Piers Wilson | Head of Product Management | Huntsman Security

+44 (0) 7800 508517 | [email protected] www.huntsmansecurity.com | @tier3huntsman

Page 2: Infosec 2015 - Using threat intelligence to improve security response

Setting the Scene

• Threat Intelligence is more than just data

• Examples and applications

• Summary / Benefits

Page 3: Infosec 2015 - Using threat intelligence to improve security response

A Threat Intelligence “eco-system” ...

Applied Security Intelligence combines:

• “Traditional” log sources – networks, systems, applications, devices

• Vulnerability information – scan information, asset sensitivities, vulnerable platforms

• Geographic information – countries, sites that pose risk, political factors

• Cyber-security/malware/attack context – malware details, network captures

• External threat sources – IP reputation, known bad URLs, phishing sources, C&C sites, botnets, CERTs

• Internal context databases – locations, staff roles, HR systems, physical controls

Page 4: Infosec 2015 - Using threat intelligence to improve security response

Real Threat Intelligence Examples

Page 5: Infosec 2015 - Using threat intelligence to improve security response

Threat-intelligence-derived alerts showing the nature of various connections

Traditional public sources / external “TI”

• Externally available threat data source lists
– Botnets, C&C systems, known malware sites, compromised URLs, DLP risks

• Regular updates / scheduled retrieval

• Different sources/feeds used for different purposes

• Detection of:
– Communication with suspicious/risky hosts/domains
– Data exfiltration risks
– Etc...

Page 6: Infosec 2015 - Using threat intelligence to improve security response

Traditional public sources / external “TI”

• Emerging Threats – Raw IP list
– C&C servers (Shadowserver)
– Spam nets (Spamhaus)
– Top Attackers (Dshield)
– Compromised IP addresses

• Abuse.ch
– SSLBL IP Blacklist
– ZeuS Tracker
– Palevo Tracker
– SpyEye Tracker

• Malc0de – IP blacklist

• URLBlacklist.com

• Malware domains

• Threat Expert

• Norse

Plus various commercial sources

Page 7: Infosec 2015 - Using threat intelligence to improve security response

Geo-location is useful – both external (risky locations) and internal (sensitive sites)

Geo-location Visualisation

• Display or reference to GeoIP information

• Risk locations/attack sources used in security decisions

• WHOIS and DNS information are also useful

Getting to this information quickly in the decision making process is key

Page 8: Infosec 2015 - Using threat intelligence to improve security response

Defence sector – Real example

• Defence customers are major users of Threat Intelligence

• Intelligence agencies provide threat information to Defence network administrators

• Reference data used to raise real-time alerts of suspicious network traffic

• Information from alerts subsequently adds to their internal threat intelligence reference data
– i.e. Observed incidents create “new” TI that automatically adds to the reference data set

Page 9: Infosec 2015 - Using threat intelligence to improve security response

Internal Security Intelligence

• Creation of bespoke/local Threat Intelligence
– Manual or Automated

• Particular value in MSSPs
– Leverage threat observations across customers

• Better decision making in context of “real”, observed threats

Page 10: Infosec 2015 - Using threat intelligence to improve security response

Government sector use case

• Suspicious network/IP addresses received from intelligence agency

• Post-analyse logs for traffic to/from those addresses
1. Suspicious hosts data set (high risk destinations)
2. Predefined reports use data for analysis

Threat intelligence MATCHED WITH Observed activity and traffic

• Minimal operational workload

• Data automatically updated in the background

• Scheduled, automated, pre-defined processes
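The matching step described on pages 5, 8 and 10 (a suspicious-hosts reference set applied to observed traffic, with geographic context from page 7 and observed incidents fed back into the reference data) is shown below as an added example. It is not code from the deck or from Huntsman Security: the key=value log format, the sensor names, the feed names and every indicator and address are constructed for illustration, and the CIDR-to-label table stands in for a real GeoIP lookup.

```python
"""Match observed traffic against a threat-intelligence reference set.

Added example. Log format, feed names, indicators and addresses are all
constructed; nothing here is a real feed or real customer data.
"""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed reference set: indicator -> provenance and category.
REFERENCE_IPS: dict[str, dict[str, str]] = {
    "203.0.113.10": {"source": "agency-feed", "category": "C&C"},
    "198.51.100.7": {"source": "emerging-threats", "category": "botnet"},
}
REFERENCE_DOMAINS: dict[str, dict[str, str]] = {
    "update-check.example": {"source": "malware-domains", "category": "malware-site"},
}

# Constructed stand-in for a GeoIP / risk-location lookup.
RISK_NETWORKS = [
    (ipaddress.ip_network("203.0.113.0/24"), "high-risk-region"),
    (ipaddress.ip_network("198.51.100.0/24"), "high-risk-region"),
]

# Constructed firewall/proxy log format: timestamp, sensor, key=value fields.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<sensor>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)"
    r"(?: domain=(?P<domain>\S+))? action=(?P<action>\S+)$"
)

SAMPLE_LOGS = """\
2015-06-02T09:00:01Z fw1 src=10.0.0.21 dst=203.0.113.10 action=allow
2015-06-02T09:00:05Z proxy1 src=10.0.0.33 dst=192.0.2.55 domain=update-check.example action=allow
2015-06-02T09:00:09Z fw1 src=10.0.0.40 dst=192.0.2.55 action=allow
2015-06-02T09:00:12Z fw1 src=10.0.0.21 dst=192.0.2.8 action=allow
2015-06-02T09:00:15Z fw1 garbage line that does not parse
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    internal_host: str
    indicator: str
    category: str
    source: str
    location: str


def parse_line(line: str) -> dict[str, str] | None:
    """Return the log fields as a dict, or None for a line that does not parse."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None


def geo_risk(ip: str) -> str:
    """Label an address from the constructed risk-location table (GeoIP stand-in)."""
    addr = ipaddress.ip_address(ip)
    for net, label in RISK_NETWORKS:
        if addr in net:
            return label
    return "unclassified"


def match_record(rec: dict[str, str], ref_ips: dict, ref_domains: dict) -> list[Alert]:
    """Raise one alert per indicator (destination IP, requested domain) that matches."""
    alerts: list[Alert] = []
    if rec["dst"] in ref_ips:
        info = ref_ips[rec["dst"]]
        alerts.append(Alert(rec["ts"], rec["src"], rec["dst"],
                            info["category"], info["source"], geo_risk(rec["dst"])))
    domain = rec.get("domain")
    if domain and domain in ref_domains:
        info = ref_domains[domain]
        alerts.append(Alert(rec["ts"], rec["src"], domain,
                            info["category"], info["source"], geo_risk(rec["dst"])))
    return alerts


def analyse(log_text: str, ref_ips: dict, ref_domains: dict, learn: bool = True):
    """Run the reference set over the logs; return (alerts, updated_ips, unparsed_count).

    With learn=True, a match on a known-bad domain records the IP it resolved to
    as locally observed TI, so later bare-IP traffic to that host also alerts.
    The caller's feed data is copied, not modified, and every learned entry is
    tagged with the sensor that observed it so it can be reviewed or aged out.
    """
    ref_ips = dict(ref_ips)
    alerts: list[Alert] = []
    unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        hits = match_record(rec, ref_ips, ref_domains)
        alerts.extend(hits)
        domain = rec.get("domain")
        if learn and domain in ref_domains and rec["dst"] not in ref_ips:
            ref_ips[rec["dst"]] = {"source": "observed:" + rec["sensor"],
                                   "category": ref_domains[domain]["category"]}
    return alerts, ref_ips, unparsed


if __name__ == "__main__":
    found, learned, skipped = analyse(SAMPLE_LOGS, REFERENCE_IPS, REFERENCE_DOMAINS)
    for a in found:
        print(f"{a.timestamp} {a.internal_host} -> {a.indicator} "
              f"[{a.category}; {a.source}; {a.location}]")
    print(f"{len(learned) - len(REFERENCE_IPS)} indicator(s) learned, {skipped} line(s) unparsed")
```

On the constructed sample the first line alerts against the agency-supplied C&C address with its risk-region label, the proxy line alerts on the malware domain and records 192.0.2.55 as observed TI, and the third line then alerts on that learned address even though no domain is logged. Learned entries carry an `observed:<sensor>` source precisely so that an analyst can tell feed data from locally derived data when triaging false positives; `learn=False` gives the feed-only result for comparison.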

Page 11: Infosec 2015 - Using threat intelligence to improve security response

Detection and Resolution

Apply Security Intelligence during resolution

• When an attack occurs, specific information relating to the threat is vital

• More than just log/event/activity data
– System configurations/registry
– Changes to affected system files
– Network traffic/connections
– Other behaviour

• Malware – specific example
– Network sessions/connection patterns
– Known effects of specific malware activity within file system and registry

Page 12: Infosec 2015 - Using threat intelligence to improve security response

Summary

Page 13: Infosec 2015 - Using threat intelligence to improve security response

Applying Security Intelligence

• Meaningful threat intelligence involves all available security data – internal and external – to give context

• Automatic identification of known attacks and threats needs to happen in real-time

• Intelligence is vital for both detection AND during the diagnosis and investigation of cyber attacks

• Dealing with false positives efficiently means having processes and tools that rapidly provide understanding of threats and confident resolution

Speed and Accuracy are key to Cyber Resilience

Page 14: Infosec 2015 - Using threat intelligence to improve security response

Any Questions?

[email protected]

+44 (0) 7800 508517

www.huntsmansecurity.com

@tier3huntsman