Threat Intel Sharing: Deciphering the APTs secret handshakes Adam Lange Mark Manglicmot
Adam Lange & Mark Manglicmot
• Senior Consultant at Delta Risk LLC
• CISM, GCIA, GSEC, GCIH, CEH, Sec+
• Advanced threat consulting & counter-APT team building for Fortune 500s, federal government, and allied governments
• Senior Consultant in Ernst & Young’s Advanced Security Center
• CISSP, GCIH, CEH, Sec+
• Advanced threat, Incident Response, & SOC consulting
@LangeSecurity @MGManglicmot
The Data Doesn’t Lie!
• Past habits can help predict future behavior
• By analyzing data trends over time, Target could tell a 15-year-old girl was pregnant before her family knew
The Problems Defenders Face
• There is no delineation between routine incidents and incidents that may be APT activity
• Advanced adversaries evolve faster than we can
• Industry improvements are being made all the time, and integration into government operations tends to lag behind
• We don’t have all the processes, tools and understanding to take on APT actors
Demystifying Threat Intel Everyone has it!
The Role of Intel
• Major driver to catch the top tier of threat
  • Detection
  • Prevention
  • Response
• Types of Intel
  • Behavioral
  • Indicators
APT is bad stuff
• APT makes up 20% of workload
• 80% is “garbage”
• What is the difference?
  • There is no “APT differentiation analyst”
• Targets industries whose intellectual property provides a strategic advantage for the attacker
• Intelligence on APT actors comes from three major areas:
  • Internally derived
  • Commercially purchased
  • Sharing partners
A Quick Look at the Adversaries (chart)
APT: Strategic Gains
Top 20% -- High impact: the good news is that because they tend to repeat attacks with recycled tactics, organizations can trend their behavior over time
Cyber Crime: Financial Gains
Hacktivists: Sociopolitical Gains
Bottom 80% -- Lower impact: they don’t trend well, so mitigate and move on
Script kiddies, college kids, others: Thrill of the exploit, Learning the system, Generic mayhem
Sophistication vs Intel (chart; axes: Attacker Knowledge and Technology, LOW to HIGH, against Defense Sophistication)
Attack techniques as listed on the chart, top (most sophisticated) to bottom: Binary Encryption, Advanced Scanning Tools, DDoS and Distributed Attack tools, Stealth and Anti-Audit Technologies, Session Hijacking, Sniffers and Spoofing, Vulnerability Exploitation, Backdoors, Password Cracking, Password Guessing
• The attacks at the top of the chart REQUIRE MORE SOPHISTICATED, BEHAVIORAL, EVENT, AND INFORMATION BASED TOOLS TO DETECT
• MOST OF THE ATTACKS at the bottom of the chart CAN BE IDENTIFIED USING TRADITIONAL RULE-BASED TECHNOLOGIES
Defensive capabilities shown: Behavior/Event Capture/Analysis, DDoS Mitigation, Deception Operations, Firewalls, HIPS, Honeynets, IDS/IPS, Network Traffic Analysis, Patching, High Quality Forensics and Incident Reporting
Intel availability along the curve: No intel – hacks of opportunity (low end); Plenty of intel – attackers talk too much (middle); No intel – actors have OPSEC (high end)
Lockheed Martin Perspective
This paper (Lockheed Martin’s 2011 intrusion kill chain paper) was published back in 2011 and was the cornerstone of many advances in the DIB (Defense Industrial Base). This model and its implications can be studied in depth to understand how to counter advanced adversaries.
Mandiant: APT1
The first major civilian exposé of a state-sponsored group. It reveals APT1 TTPs and C2 infrastructure, and it provided actionable intelligence for every organization to leverage. APT1 will likely have to start over in several organizations; for some orgs, however, it appears that APT1 is conducting business as usual.
NOTE: What we really liked about this report was the appendices – they contained all the TECHNICAL INDICATORS needed to actually do something about the threat.
Malware.lu, based in Luxembourg, was able to do some additional deep dives into APT1 activity. Much of this may be illegal to do in the US. The report is worth taking a look at.
Who? What do they want? How do they attack? (diagram elements: Cultural Threat, Industry Competitor, Innovator, Strategic Interest)
An Advanced Adversary Model
• Full spectrum cyber operations
• More targeted & tactical indicators
• Ability to correlate seemingly disparate activities
• Metrics and strategic trends
How most defenses work
• Detection is somewhere in the middle of an attacker’s operation
• Look for one or so indicators to stop a discrete attack, but the campaign continues
Defensive Campaigns
• Two types of Defensive Campaigning
  • Adversary-Based Campaign
  • Event-Driven Campaign
• What do these have in common?
  • An event begins and ends at some point
  • An adversary operation begins and ends at some point
Now, I suddenly realize that the initial attack is NOT success for them, so it’s not failure for me. I have TIME to do something about it…
Elements of ‘Good’ Intel
• Tactical
  • Timeliness: <48 hrs
  • IP
  • FQDN
  • File Hash
• Strategic
  • Trends
  • Vectors
  • Patches/Updates
  • Profiles
The Government
• Common complaint: “It’s all classified”
• The good news: It doesn’t really matter
• Look at intel from a SIGINT perspective
• Tries to share as it can
• http://en.wikipedia.org/wiki/List_of_intelligence_gathering_disciplines
Industry Methods
• Sock puppets
• Collective Intelligence Framework
How reliable is it?
• Analysis of Competing Hypotheses
Intel & SOC/CERT Integration (diagram elements: RTA, Countermeasures, Investigation, ATA, Digital Forensics, Threat Intel)
Learning & sharing: Where to start
• Start small
• Look in the mirror
• Friends (real, not imaginary)
• Read!
• Get involved
  • ISACs
  • Local FBI office (InfraGard)
  • Join the online communities
What are the next steps?
• Try to understand who is interested in you
• Not always necessary to get 100% attribution
• Understand that once you are targeted by APT, you will forever be on their target cycle list
• Continue to iterate: that’s what the APT does
• Shorten the Kill Chain
What You’ll Gain
• Ask the right questions…generate the right metrics
  • “We had 27 ‘incidents’ this month”
• Trends
  • These guys only attack us when we do some conference
  • Group X only attacks when specific 0-days are published
  • Group Y is only active between these hours
  • Group Z never attacks during “insert country” holidays (e.g., Cinco de Mayo)
Impacts
• Work smarter, not harder
• Improves efficiency
• Drives targeted investment
• Ultimately improves security, and protects the business
“By leveraging threat intelligence, you can tactically and strategically campaign against the APT and defend your business.”
Thanks for your time
Questions?
Follow us on Twitter! @LangeSecurity @MGManglicmot
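The trend metrics the slide contrasts with a bare incident count (active hours per group, attacks that follow a published 0-day), and the earlier point that APT behaviour can be trended over time because tactics are recycled, worked through on constructed data. This is an added example, not the authors' tooling; the group names, timestamps and trigger dates are made up.

```python
from collections import Counter
from datetime import datetime, date

# Constructed incident records: (adversary group, UTC time of first observed activity).
INCIDENTS = [
    ("Group Y", datetime(2013, 5, 6, 2, 15)),
    ("Group Y", datetime(2013, 5, 7, 3, 40)),
    ("Group Y", datetime(2013, 5, 8, 1, 55)),
    ("Group Y", datetime(2013, 5, 9, 4, 10)),
    ("Group X", datetime(2013, 5, 14, 14, 0)),
    ("Group X", datetime(2013, 5, 15, 15, 30)),
    ("Group X", datetime(2013, 5, 28, 9, 5)),
]
# Constructed external trigger dates, e.g. the day a specific 0-day was published.
TRIGGER_DATES = {date(2013, 5, 14), date(2013, 5, 15)}

def activity_window(incidents, group):
    """(earliest hour, latest hour) of first-seen activity for a group, UTC; None if unseen."""
    hours = sorted(ts.hour for g, ts in incidents if g == group)
    return (hours[0], hours[-1]) if hours else None

def hourly_profile(incidents, group):
    """Incidents per hour of day: the shape of this histogram is the trend, not the total."""
    return Counter(ts.hour for g, ts in incidents if g == group)

def trigger_correlation(incidents, group, trigger_dates, window_days=1):
    """Fraction of a group's incidents starting within window_days after any trigger date."""
    stamps = [ts for g, ts in incidents if g == group]
    if not stamps:
        return 0.0
    hits = sum(1 for ts in stamps
               if any(0 <= (ts.date() - t).days <= window_days for t in trigger_dates))
    return hits / len(stamps)

def report(incidents, trigger_dates):
    """Replace 'we had N incidents' with per-group count, active window and trigger correlation."""
    groups = sorted({g for g, _ in incidents})
    return {g: {"count": sum(1 for x, _ in incidents if x == g),
                "window_utc": activity_window(incidents, g),
                "trigger_corr": trigger_correlation(incidents, g, trigger_dates)}
            for g in groups}
```

On the constructed data Group Y only appears between 01:00 and 04:00 UTC, while two of Group X's three incidents fall on or the day after a trigger date.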