how to turbo-charge incident response with threat intelligence
DESCRIPTION
Minutes, hours, days - each one counts when responding to a security incident. Yet most firms have a lot of room for improvement. According to the 2013 Verizon Data Breach Investigations Report, in 66% of cases (up from 56% last year), breaches remained undiscovered for years, and in 22% of cases, it took months to fully contain the incident. This webinar will review the challenges firms face in trying to create a rapid and decisive incident response (IR) process. It will then highlight the crucial role that timely, contextual threat intelligence can play in turbo-charging incident response, particularly when tightly integrated with the broader IR discipline. Our presenters will reveal the power of this approach by demonstrating Co3's integrated threat intelligence capabilities including intel from the cyber threat intelligence experts at iSIGHT Partners. Our featured speakers for this webinar will be: - Ted Julian, Chief Marketing Officer, Co3 Systems - Tim Armstrong, Security Incident Response Specialist, Co3 Systems - Matt Hartley, VP of Product Management, iSIGHT PartnersTRANSCRIPT
How To Turbo-Charge
Incident Response With
Threat Intelligence
Page 2
Agenda
• Introductions
• What is threat intelligence?
• Why does threat intelligence matter?
• How threat intelligence can turbo-charge IR
• Demo: IR management with integrated threat intelligence
Page 3
Introductions: Today’s Speakers
• Ted Julian, Chief Marketing Officer, Co3 Systems
• Matt Hartley, Vice President of Product Management,
iSIGHT Partners
• Tim Armstrong, Security Incident Response Specialist, Co3
Systems
Page 4
End-to-End IR: Before, During, and After
PREPARE
Improve Organizational
Readiness
• Appoint team members
• Fine-tune response SOPs
• Escalate from existing systems
• Run simulations (firedrills / table
tops)
MITIGATE
Document Results &
Improve Performance
• Generate reports for management,
auditors, and authorities
• Conduct post-mortem
• Update SOPs
• Track evidence
• Evaluate historical performance
• Educate the organization
ASSESS
Identify and Evaluate
Incidents
• Assign appropriate team members
• Evaluate precursors and indicators
• Correlate threat intelligence
• Track incidents, maintain logbook
• Prioritize activities based on criticality
• Generate assessment summaries
MANAGE
Contain, Eradicate, and
Recover
• Generate real-time IR plan
• Coordinate team response
• Choose appropriate containment
strategy
• Isolate and remediate cause
• Instruct evidence gathering and
handling
• Log evidence
Page 5
About iSIGHT Partners 200+ experts, 16 Countries, 24 Languages, 1 Mission
Global Reach ThreatScape® Products
Research: Identify threats, groups; determine/capture motivation and intent
Analysis: Fuse knowledge across methods, campaigns, affiliations, historical context
Dissemination: Deliver high-fidelity, high-impact, contextual, actionable insights
Proven Intelligence Methodology
Cyber Crime Cyber
Espionage
Denial-of-
Service
Enterprise
Hacktivism Industrial Control
Systems
Mobile Vulnerability
and Exploitation
Page 6
ThreatScape® Cyber Threat Intelligence Threat Data
• Bad IP Address • Bad IP Address
• Actor Group
• Motivation
• Primary Targets
• Ability to Execute
• Ranking
• Last Hop Geo
Location
• Additional IPs, Domains
• Malware Used
• Lures
Threat Intelligence VS. Threat Data Context Matters
• Vulnerabilities Targeted
• Historic Campaigns
• Successful Compromises
Page 7
What is Threat Intelligence?
Name: uxsue.exe Identifier: Gameover Zeus
Extension: exe Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Size: 329216 Packer: ['MinGW GCC 3.x'] MD5sum: 045b793b2a47fbea0d341424262c8c5b
Sha1: 5ca6943f557489b510bd0fe8825a7a68ef00af53 Sha256: 8a4036289762a4414382fee8463d2bc7892cd5cab8fb6995eb94706d47e781dd
Fuzzy: 6144:ka23d0lraSurrtt/xue1obsXD8J3Ej+rbC80tsX9GR:kFd0lWzrrtxdowT8U8hYR MIME: Compiled: 2012-10-10 17:33:25
Malware Payload Indicators:
Gameover Zeus is a frequently used Trojan in financial cybercrime
Basic Context:
Exploitation Vector:
hxxp://26.azofficemovers.com/links/persons_jobs.php
Unique Threat-focused Information:
We believe the following actors are either members of or are close
associates with the petr0vich group: …
Bottom Line:
Zeus Malware Author Probably Working with Gameover Zeus Operators,
but Current Level of Involvement Remains Uncertain
Contextual Analysis:
…the primary Zeus author partnered with the "petr0vich group,"
which most likely controls Gameover Zeus, to develop custom Zeus
versions…. his continued participation will probably help fuel further
innovative developments to Zeus.
Knowledge and context, not just data
Technical Threat
Page 8
ThreatScape API
Threat Fusion Center
Security Operations Center
Incident Response
Process Integration Technology Integration
Analytics
GRC
SIEM/IDS
Network/Host Protection
Configuration/Patch Management
ThreatScape® Intelligence
ThreatScape®
API
Page 9
IR Suffers From A Lack Of Intelligence
• “75% said they conduct forensic investigations to ‘find and investigate incidents
after the fact.’”
- SANS Survey of Digital Forensics and Incident Response, July 2013
• “60% … agree that their company at some point in time failed to stop a material
security exploit because of insufficient or outdated threat intelligence.”
• “49% said it can take within a week to more than a month to identify a compromise.”
- Ponemon Institute Live Threat Intelligence Impact Report 2013
• Forty percent of respondents say their security products do not support the import
of threat intelligence from other sources.
- Ponemon Institute Threat Intelligence & Incident Response Report, February 2014
• “In 66% of cases (up from 56% last year), breaches remained undiscovered for
years, and in 22% of cases, it took months to fully contain the incident.”
- 2013 Verizon Data Breach Investigations Report
Page 10
Incident Response Needs Threat Intel
PREPARE • Who has attacked you in
the past?
• How have they attacked
you?
• What are those attackers
known to be interested
in?
Ensure alignment
with real threats and
actors
MITIGATE • How are threats
evolving?
• How should you update
your preventive and
detective controls?
• Can you eliminate the
target?
• Should you add some
new partners /
resources?
• Should you update /
expand training?
Inform mitigation
and preparation
based on real threats
and actors
ASSESS • Who is behind the attack?
• How are they attacking?
• What might they ultimately
be after?
• Time is of the essence
Prioritize an informed
response
MANAGE • What items in the IR
plan are most
important?
• Law enforcement? The
FBI? Who do you need
to call?
Accelerate a decisive
response
POLL
Page 12
Data Capture Analysis Link Analysis Case Prep / Resolution
Detect
Respond Recover
Prepare
Traditional approaches: where does intelligence fit?
Incident
Report
Notification
Event Driven Basic Investigative Framework
Basic
IR
Framework
Intelligence enhances every stage of IR by providing
situational awareness,
context, and attribution
- where does it fit?
Page 13
Investigations enhanced by intelligence
Intelligence
Proactive
Informed by knowledge of threat sources, activities, methods, and historical context
Look for:
• different
indicators
• other activity
Look in different
places
Consider:
• adversary
intent
• previous
activity
• alternative
targeting
• additional
information
Fusion of sources
Consider:
• affiliations
• adversary
intent
• previous
activity
• alternative
targeting
Historical links
Proactive,
detective, and
preventative
measures
Training and
exercises
Business impact
analysis
Reporting
Data Capture Analysis Link Analysis Case Prep / Resolution
Incident
Report
Notification
Event Driven Enhanced Investigative Framework
POLL
Page 15
Connecting People and Technology at a Time of Crisis
Page 16
Threat Intel With Incident Artifacts in Co3
• Artifacts are attributes of an incident that can indicate the presence
and nature of a threat.
• Artifacts can be anything from a suspected malware file, to the IP
address of a foreign server.
• Co3 supports multiple artifact types:
• URL’s
• IP addresses
• Malware hashes
• DNS names
• Log files
• Emails
• Malware samples
• Registry keys
• Username
• Port
• Process name
Page 17
Threat Intelligence
• Actionable context about the nature of the incident based
on its associated artifacts. This insight can include:
• Actor(s)
• Means
• Methods
• Initial threat intelligence feeds include:
• iSIGHT Partners
• Abuse.ch
• AlienVault
• SANS
• Campaign
• Historical context
• Impacts
• MalwarePatrol
Page 18
Enabling Actionable, Intelligent, Efficient Response
Co Investigate
Incident Artifacts
Threat Intel
Detailed Threat Info
• Which actors
• What methods
• What impacts
Correlated Threat Context
• Who else
• How else
• Why you
Accelerated Response
• Automatic discovery
• Enhanced collaboration
• Workforce enablement,
enhancement
DEMO
QUESTIONS
One Alewife Center, Suite 450
Cambridge, MA 02140
PHONE 617.206.3900
WWW.CO3SYS.COM
“We’re doing IR in one-tenth of the time.”
DIRECTOR OF SECURITY & RISK, USA FUNDS
“It’s the best purchase we ever made.”
CSO, F500 HEATHCARE PROVIDER
Matt Hartley
Vice President of Product Management
571.287.7700
“One of the hottest products at RSA…”
NETWORK WORLD
“Co3 has done better than a home-run...it has
knocked one out of the park.”
SC MAGAZINE