Threat Intelligence Use in Information Security: History, Theory and Practice. Tim Gallo, Cyber Security Field Engineering.

Presentation transcript:

Who am I?
Infosec professional for 16 years. Former roles include:
– Penetration tester
– Consultant
– Engineer
– Policy manager
– Product manager
– People manager
For the past 7 years I have been focusing on the problem of integrating intelligence into security. The availability of Big Data science and tools has changed the nature of the game…

Historical Use of Threat Intelligence
Military/LEO
– Used as part of the investigative process
– Being used to prevent action and outflank attackers
Commercial
– Historical: Collection
– Today: Correlation
– Evolution: Prevention

What is Threat Intelligence?
– It’s not data
– It’s not artifacts or indicators
– It’s not logs or events or incidents
– … It’s a combination of all the things you know
It is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.

Three Axioms of solving a security problem
The optimal place to solve a security problem is never where you found it.
– Corollary: And the information for the solution is never in the right form.
If it’s happening to you today, then it happened to someone else yesterday, and will happen to someone else tomorrow.
– Corollary: And you probably don’t know them.
After you figure out what has happened, you’ll find plenty of signs that could have told you it was coming.
– Corollary: But not all of the signs are in cyberspace, nor available to cyberdefenders.
Tony Sager, Chief Technologist, Council on Cyber Security
How do you look at Security Problems?

The Attack Chain

The Kill Chain

Easier said than done… We need to combine events to determine what is related first. For every intrusion event there is an adversary taking a step towards an intended goal by leveraging a particular capability over infrastructure against a victim to produce a result.

A Diamond Event
Core features: Adversary, Capability, Victim, Infrastructure
Meta features: Timestamp, Phase, Result, Direction, Methodology, Resources

The Adversary
– Adversary Operator
– Adversary Customer
There exists a set of adversaries (insiders, outsiders, individuals, groups, and organizations) which seek to compromise computer systems or networks to further their intent and satisfy their needs.

Capability
– Capacity
– Adversary Arsenal
– Command and Control
The capability feature describes the tools or techniques of the adversary used in the event and includes all means to affect the victim, from the most manual “unsophisticated” methods (e.g., manual password guessing) to the most sophisticated automated techniques.

Infrastructure
– Type 1
– Type 2
– Service Provider
The infrastructure feature describes the physical and/or logical communication structures the adversary uses to deliver a capability, maintain control of capabilities (e.g., command-and-control/C2), and effect results from the victim (e.g., exfiltrate data).

Victim
– Victim Persona
– Victim Asset
A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used.

Building a diamond event
Typically you don’t have all of the items above; you need to generate them using an analytic process.
Traditionally we would use technical indicators to identify attack and exploitation.
By correlating that information to known infrastructure leveraged by adversaries, you can pivot back to the typical victim and the vulnerabilities exploited.

Approach types
– Victim Centered
– Capability Centered
– Infrastructure Centered
– Adversary Centered
– Social-Political Centered
– Technology Centered
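As an added illustration (not part of the slides), here is a small Python model of a Diamond event with the core and meta features listed above, plus the pivoting the “Building a diamond event” slide describes: start from one known value (an infrastructure-centered, victim-centered or capability-centered approach) and walk across the four vertices to collect the related events into an activity thread. All event data is constructed and hypothetical; an unknown adversary is stored as None and is never used as a pivot, so unrelated events cannot be joined through a shared gap.

```python
from collections import deque
from dataclasses import dataclass

VERTICES = ("adversary", "capability", "infrastructure", "victim")

@dataclass(frozen=True)
class DiamondEvent:
    # Core features: the four Diamond vertices.
    adversary: object  # str, or None when not yet known
    capability: str
    infrastructure: str
    victim: str
    # Meta-features from the slide: timestamp, kill-chain phase, result.
    timestamp: str
    phase: str
    result: str

# Constructed sample events with hypothetical names; none are real indicators.
EVENTS = [
    DiamondEvent(None, "macro-doc-lure", "mailer-host-1", "finance-pc-07",
                 "2014-03-01T09:10", "delivery", "success"),
    DiamondEvent(None, "rat-family-a", "c2-domain-1", "finance-pc-07",
                 "2014-03-01T09:42", "c2", "success"),
    DiamondEvent(None, "macro-doc-lure", "mailer-host-2", "hr-pc-03",
                 "2014-03-04T10:30", "delivery", "success"),
    DiamondEvent(None, "rat-family-a", "c2-domain-1", "hr-pc-03",
                 "2014-03-04T11:05", "c2", "success"),
    DiamondEvent(None, "exploit-kit-x", "landing-site-9", "guest-laptop-2",
                 "2014-02-20T16:00", "exploitation", "failure"),
]

def pivot(events, vertex, value):
    """One pivot: every event that shares `value` on the given vertex."""
    return [e for e in events if getattr(e, vertex) == value]

def activity_group(events, vertex, value):
    """Pivot repeatedly across all four vertices from one known value until
    nothing new appears; returns linked values per vertex and the event thread."""
    linked = {v: set() for v in VERTICES}
    queue = deque([(vertex, value)])
    grouped = set()
    while queue:
        vtx, val = queue.popleft()
        if val is None or val in linked[vtx]:  # skip unknowns and repeats
            continue
        linked[vtx].add(val)
        for e in pivot(events, vtx, val):
            grouped.add(e)
            queue.extend((other, getattr(e, other)) for other in VERTICES)
    return linked, sorted(grouped, key=lambda e: e.timestamp)
```

Starting from the C2 domain, the walk reaches both victims and both delivery hosts, while the unrelated exploit-kit event stays outside the group because its only shared vertex (the adversary) is unknown.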

Activity Mapping

Storage of information
– Database of common intelligence terms and structures
– Use languages and protocols like STIX, TAXII, etc. to more easily share intelligence through community partnerships
– Create metadata tagging systems for your intelligence

Further Reading
– Gartner’s definition of Threat Intelligence
– Anything by Tony Sager (the three axioms above are his)
– Lockheed Martin paper on the Attack and Kill Chain in Cyberspace
– Harvard paper on Asymmetrical Attacks in Cyberspace

Thank you!
Copyright © 2014 Symantec Corporation. All rights reserved.