OPERATIONALIZING THREAT INTELLIGENCE TO BATTLE PERSISTENT ACTORS
December 2015
All material confidential and proprietary. © 2015 ThreatConnect, Inc. All Rights Reserved
INTROS
Monzy, Andy
AGENDA
• Threat intel: Brief definition and “Why the heck should I care?”
• How to develop threat intelligence using the Diamond Model
• Use case: How ThreatConnect investigated Chinese state-sponsored threats using the Diamond Model
• Demo: How to operationalize threat intelligence using Splunk and ThreatConnect
THREAT INTELLIGENCE: What it should be.
An indicator feed? NO!
THREAT INTELLIGENCE is knowledge of your adversaries that is useful for defense.
THREAT INTELLIGENCE DEFINED
In slightly more verbose terms, threat intelligence is the applicable knowledge of a threat’s capabilities, infrastructure, motives, goals, and resources.
Why do I care?
Intelligence will drive security. Your knowledge of threats consistently translates into your organization’s ability to take action.
KNOW YOUR ENEMY. KNOWLEDGE IS POWER.
WHAT DOES INTELLIGENCE-DRIVEN SECURITY MEAN?
• You’re mitigating issues across teams and sensors
• Feedback loops: not just “red” feeding “blue”
• Security becomes more proactive
• Not an end state, but a modus operandi
Awesome, how do I start? … It’s easier than you think.
A METHODOLOGY IS NEEDED
THE DIAMOND MODEL OF INTRUSION ANALYSIS:
• Simple framework: every intrusion event links four vertices (adversary, capability, infrastructure, victim), and the analyst pivots along those edges
• Ask questions to move from a reactive to a proactive state
• Grow knowledge & understanding of relevant threats
• Drive decisions for mitigation
PUTTING THE METHODOLOGY TO WORK: A Use Case
Pivoting through the diamond, one step at a time (slides 10 to 15 build this up progressively):
1. An md5sum discovered during investigation: d19ba12127f48a4341ce643c819052f6 (a second sample, a2378fd84cebe4b58c372d1c9b923542, appears on the later slides)
2. Malware domain in C2: greensky27[.]vicp[.]net
3. C2 contains IP addresses: clusters of IPs in ASNs in Kunming, China; Bangkok, Thailand; Seoul, South Korea; etc.
4. Further malware domains in C2 sharing that infrastructure: greensky27[.]vicp[.]net, aseannew[.]8866[.]org, myanmartech[.]vicp[.]net, philnews[.]oicp[.]net, thailand[.]vicp[.]net
5. Domains all used by a common malware family: NAIKON
6. Common targeting themes: Southeast Asian decoy docs, most likely delivered in spearphishing attempts
STACK UP YOUR DIAMONDS
(figure: diamonds from separate incidents stacked on their shared C2 callbacks)
INTELLIGENCE-DRIVEN SECURITY: BLOCK THE IPS?
IPs are fleeting. Adversaries are focused. Diamonds are forever.
CONFLICT WITHIN THE SOUTH CHINA SEA: WHO’S BEHIND NAIKON?
Background
• ⅓ of the world's oil / $5 trillion in global trade; energy-rich area
• Multi-national dispute over territorial claims
• China claims most of the region and has been the most assertive claimant
• China’s cyber efforts support a robust political, economic, and military effort
THE PURPOSE OF INTELLIGENCE IS TO DRIVE DECISION ADVANTAGE
● What kind of decisions are you trying to make?
● Who is making those decisions?
● What processes need to be in place to support those decisions?
● How does the intelligence need to be delivered to be actionable?
CONNECTED ON ONE PLATFORM
(figure: teams, sensors and communities linked through one platform)
• Teams: TI Team, SOC Team, IR Team, CISO/CIO, C-Suite/Board
• Sensors and controls: SIEM, IPS/IDS, End-Point Protection, Firewalls/UTM, Network Controls, Vulnerability Scanner, Web Proxy
• Intelligence sources: Intelligence Feeds, ISAC/ISAO, Public Community, Private Community
Copyright © 2015 Splunk Inc.
Operationalizing Threat Intelligence: Demo
The Power of Splunk
• Collect data from anywhere
• Search and analyze everything
• Gain real-time operational intelligence
Why Splunk?
• Fast time-to-value
• One platform, multiple use cases
• Visibility across the stack, not just silos
• Ask any question of data
• Any data, source or deployment model
Turning Machine Data into Operational Intelligence
• Index any machine data: any source, type, volume (online services, web services, servers, security, GPS location, storage, desktops, networks, packaged applications, custom applications, messaging, telecoms, online shopping cart, web clickstreams, databases, energy meters, call detail records, smartphones and devices, RFID; on-premises, private cloud, public cloud)
• Gain real-time visibility: application delivery, security and compliance, IT operations, business analytics, Internet of Things
Delivers Value Across IT and the Business
• IT Operations
• Application Delivery
• Developer Platform (REST API, SDKs)
• Business Analytics
• Industrial Data and Internet of Things
• Security, Compliance, and Fraud
Splunk for Security
• Security apps & add-ons
• Splunk Enterprise Security: SIEM, security analytics, fraud, platform for security services
• Splunk User Behavior Analytics
• Data sources: wire data, Windows (= SIEM integration), RDBMS (any) data
Developing Threat Intelligence: 3 Takeaways
Disruptive Security Operations
• Track your adversary, not just alerts
• Enrich event data to develop context
• Develop your own threat intelligence
Demo Scenarios
• Enrich alerts with intel from ThreatConnect
• Execute the Diamond Model in Splunk Enterprise Security
• Create new threat intel using Splunk Enterprise Security
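The use case above walks one hash outward through the diamond (hash, C2 domain, resolved IPs and their ASN clusters, sibling domains, the NAIKON family, the targeting theme), and the first demo scenario then uses that knowledge to enrich alerts. The following is an added example written for this page; it is not code from the deck, from ThreatConnect or from Splunk. It models the pivots as a small indicator graph tagged with Diamond vertices, then enriches a few log lines from the pivoted cluster. The md5sums, domains, ASN locations, family name and targeting theme are the ones on the slides; which hash called back to which domain, the IP addresses (RFC 5737 documentation ranges), and the log lines are constructed for the example.

```python
"""Added example (not the deck's or either vendor's code): Diamond Model
pivots as an indicator graph, then log enrichment from the pivoted cluster.
Slide data: md5sums, domains, ASN locations, NAIKON, targeting theme.
Constructed: hash->domain edges, IP addresses, log lines."""
from collections import deque
import re

VERTICES = ("adversary", "capability", "infrastructure", "victim")


def refang(ioc):
    """'greensky27[.]vicp[.]net' -> 'greensky27.vicp.net' so it matches logs."""
    return ioc.replace("[.]", ".")


class DiamondGraph:
    """Undirected indicator graph; each node is tagged with its Diamond vertex."""

    def __init__(self):
        self.vertex = {}   # node -> vertex name
        self.adj = {}      # node -> set of neighbouring nodes

    def add(self, node, vertex):
        if vertex not in VERTICES:
            raise ValueError("unknown Diamond vertex: %s" % vertex)
        self.vertex[node] = vertex
        self.adj.setdefault(node, set())
        return node

    def link(self, a, b):
        """Record that two indicators were observed together."""
        self.adj[a].add(b)
        self.adj[b].add(a)

    def pivot(self, seed):
        """Breadth-first pivot from one indicator; returns {node: hops from seed}."""
        hops = {seed: 0}
        queue = deque([seed])
        while queue:
            n = queue.popleft()
            for m in self.adj[n]:
                if m not in hops:
                    hops[m] = hops[n] + 1
                    queue.append(m)
        return hops


def build_naikon_graph():
    g = DiamondGraph()
    seed = g.add("d19ba12127f48a4341ce643c819052f6", "capability")   # step 1
    c2 = g.add(refang("greensky27[.]vicp[.]net"), "infrastructure")  # step 2
    g.link(seed, c2)
    # step 3: resolved IPs (constructed) clustered by the slide's ASN locations
    for ip, location in (("192.0.2.10", "ASN cluster: Kunming, China"),
                         ("198.51.100.7", "ASN cluster: Bangkok, Thailand"),
                         ("203.0.113.3", "ASN cluster: Seoul, South Korea")):
        g.link(c2, g.add(ip, "infrastructure"))
        g.link(ip, g.add(location, "infrastructure"))
    # step 4: sibling domains on the same infrastructure (assumed shared IP)
    siblings = [refang(d) for d in ("aseannew[.]8866[.]org", "myanmartech[.]vicp[.]net",
                                    "philnews[.]oicp[.]net", "thailand[.]vicp[.]net")]
    for d in siblings:
        g.link("192.0.2.10", g.add(d, "infrastructure"))
    # second sample from the slides; assumed to call back to a sibling domain
    g.link(g.add("a2378fd84cebe4b58c372d1c9b923542", "capability"), siblings[0])
    # step 5: every domain is used by the NAIKON family (adversary vertex)
    naikon = g.add("NAIKON", "adversary")
    for d in [c2] + siblings:
        g.link(naikon, d)
    # step 6: common targeting theme (victim vertex)
    g.link(naikon, g.add("Southeast Asian decoy docs / spearphishing", "victim"))
    return g


# Constructed DNS / firewall log lines in a simple key=value form.
SAMPLE_LOGS = [
    "2015-12-01T10:02:11Z src=10.1.4.22 query=greensky27.vicp.net",
    "2015-12-01T10:02:12Z src=10.1.4.22 dst=203.0.113.3",
    "2015-12-01T10:05:40Z src=10.1.7.9 query=philnews.oicp.net",
    "2015-12-01T10:06:00Z src=10.1.9.3 query=www.example.com",
    "2015-12-01T10:07:30Z src=10.1.7.9 dst=192.0.2.99",
]
LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) (?:query|dst)=(?P<ioc>\S+)")


def enrich(graph, hops, log_lines):
    """Return enriched records for lines whose query/dst is in the pivoted cluster."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("ioc") in hops:
            ioc = m.group("ioc")
            hits.append({"ts": m.group("ts"), "src": m.group("src"), "ioc": ioc,
                         "vertex": graph.vertex[ioc], "hops_from_seed": hops[ioc],
                         "adversary": "NAIKON" if "NAIKON" in hops else None})
    return hits


def demo():
    """Enrich before and after the C2 domain moves to a new (fleeting) IP."""
    g = build_naikon_graph()
    seed = "d19ba12127f48a4341ce643c819052f6"
    before = enrich(g, g.pivot(seed), SAMPLE_LOGS)
    # The domain is the durable pivot: once the new resolution is recorded,
    # the last log line (dst=192.0.2.99) is enriched too, with no new rule.
    g.link("greensky27.vicp.net", g.add("192.0.2.99", "infrastructure"))
    after = enrich(g, g.pivot(seed), SAMPLE_LOGS)
    return before, after


if __name__ == "__main__":
    for rec in demo()[1]:
        print(rec)
```

The `hops_from_seed` value is the analyst's provenance for each match: a hit one hop from the original hash is the observed C2 domain, while a hit three or four hops out came in through shared infrastructure and deserves a closer look before it is blocked. The `demo()` function makes the "IPs are fleeting" point concrete: the fourth log line is only enriched after the new resolution is linked to the domain, whereas the domain query was caught from the start.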
Demo
Backup Demo Slides
Demo Review
• Enrich alerts with intel from ThreatConnect
• Execute the Diamond Model in Splunk Enterprise Security
• Create new threat intel using Splunk Enterprise Security
Next Steps
• Download Splunk: https://www.splunk.com
• Splunk app for ThreatConnect: https://splunkbase.splunk.com/app/1893/
• Getting started and help: http://docs.splunk.com and https://answers.splunk.com/
THANK YOU!
• Download the full CAMERASHY report for free on www.threatconnect.com
• Indicators shared in the common community & available to all Splunk users
The following incidents are associated to the Naikon Threat:
• 20150730A: Satanserv Naikon Related APT
• 20150619A: cmcsan Naikon APT
• 20150617D: battale307 Naikon APT