intelligence-based computer network defence: understanding the cyber kill chain (royal holloway...
An overview of the cyber-security kill chain concept and the implications for computer security and network defence using real-time anomaly detection, threat intelligence and intelligence response.
© 2014 Tier-3 Pty Ltd, All rights reserved 1 Intelligent Security. We deliver it.
Intelligence-based Computer Network Defence
Piers Wilson
Tier-3 Huntsman® - Head of Product Management
Setting the Scene
• Cyber attacks continue to increase
• Even closed networks are vulnerable
• Both External and Internal attacks
• Increasing sophistication
• Every organisation is at risk
The Cyber security “kill chain” concept
Cyber Kill Chain – sequential chain of events for successful attack (© Lockheed Martin):
Reconnaissance → Weaponisation → Delivery → Exploitation → Installation → Command & Control → Actions on Intent
Pre-Compromise | Compromise | Post-Compromise
Increasing risk / cost to contain and remediate
Considering Attack Cycles
• Reconnaissance: harvesting email addresses, conference information, staff bios, press coverage
• Weaponisation: coupling exploit with backdoor into a deliverable payload
• Delivery: getting the payload to the victim via email, web drive-by, USB
• Exploitation: exploiting the vulnerability to execute code
• Installation: installing the malware/payload on the system
• Command & Control: establishing channel back to the attack source
• Actions on Objectives: undertaking the automatic and attacker-driven activity desired
• “Thinking like an attacker”
  • The likelihood of being caught & ROI?
  • What's the best way to test the attack method?
  • Enumeration of the organisation
  • Identify valuable/vulnerable assets
  • Establish how to get the information out
• Acceptance that defences may not be sufficient and thus detection and diagnosis are key
• Rapid detection means less cost, more chance to mitigate, better chance of recovery
• Dealing with both external and insider threats
• Need to consider the “indicators of compromise” at each stage
  • Anomalies detected
  • Events on boundary egress points
  • Critical documents / information silos
  • System performance and health
  • Activity levels, session lengths, traffic and flow patterns
Agenda - Three Components
• Leverage Threat Intelligence
• Consider ‘Indicators of Compromise’
• Optimise and Automate Incident response
Threat Intelligence
• Integration of external TI feeds for detection AND analysis purposes to aid efficient operations
• Capture of static or dynamic internal information and intelligence on threats and risks
• Operational incident detection and analysis processes generate real-time, interpreted Threat Intelligence
• Automation and confidence in alerting, detection and escalation processes
Internal & Contextual
Internal Intelligence Databases
• Import and cross-reference to (internal) state databases
• E.g. users of different types, physical/location status, risk levels, system sensitivities, even self-created lists of systems that are the subject of incidents and investigations
• Recent use case was a list of users who are “under increased vigilance”
Contextual Vulnerability, Incident and Asset Data
• Integration of vulnerability assessment tools
• Network capture to derive asset information, deduce port usage, flow statistics in real time
• Provides understanding of likely vulnerability/threat
• Understanding of ongoing incidents and system statuses/risks
Internal Security, Malware and Attack Context
• Integrated information from specific security/capture solutions
• Active response to capture real-time alert data
• Camera images
• System configuration, process, network sessions, file system snapshot
External Threat Intelligence Sources
External Threat Intelligence
• Import of external data for use in detection, correlation and alerting
• Compromised sites, malicious URLs, phishing sources, IP reputations
• Ensure you “know what everyone else knows” – throughout the kill chain (diagnosis and response)
• Open source and/or commercial feeds
External Geographic Information
• Mapping from IP address to world location
• Make decisions based on risk profiles or known operational locations
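The cross-referencing described on the Internal & Contextual and External Threat Intelligence slides, as an added example that is not Tier-3/Huntsman code: an event is checked against an internal "increased vigilance" user list, asset sensitivity, an IP reputation feed and an IP-to-country map, and the hits are turned into a risk-based triage priority. All lists, feeds, events and scoring weights are constructed assumptions.

```python
"""Enrich an event with internal context and external threat intelligence.
Added example, not Tier-3/Huntsman code: every list, feed, event and weight
below is a constructed illustration, not real data."""
from dataclasses import dataclass, field

# Internal state databases (constructed): users under increased vigilance,
# asset sensitivity, and the organisation's known operational countries.
VIGILANCE_USERS = {"jsmith"}
ASSET_SENSITIVITY = {"hr-db-01": "high", "wiki-02": "low"}
OPERATIONAL_COUNTRIES = {"GB", "AU"}
# External feeds (constructed): IP reputation and a coarse IP-to-country map.
IP_REPUTATION = {"203.0.113.9": "malicious-c2"}
IP_GEO = {"203.0.113.9": "RU", "198.51.100.4": "GB"}

@dataclass
class Enriched:
    event: dict
    tags: list = field(default_factory=list)
    score: int = 0

def enrich(event):
    """Cross-reference one event against every source; each hit adds a tag and a weight."""
    out = Enriched(event=event)
    dst = event.get("dst_ip")
    rep = IP_REPUTATION.get(dst)
    country = IP_GEO.get(dst)
    checks = [  # (hit?, tag, weight); weights are illustrative assumptions
        (event.get("user") in VIGILANCE_USERS, "user:increased-vigilance", 3),
        (ASSET_SENSITIVITY.get(event.get("host")) == "high", "asset:high-sensitivity", 3),
        (rep is not None, f"ti:{rep}", 5),
        (country is not None and country not in OPERATIONAL_COUNTRIES,
         f"geo:non-operational:{country}", 2),
    ]
    for hit, tag, weight in checks:
        if hit:
            out.tags.append(tag)
            out.score += weight
    return out

def priority(e):
    """Map the accumulated score to a triage priority (thresholds are assumptions)."""
    return "high" if e.score >= 6 else "medium" if e.score >= 3 else "low"

SAMPLE_EVENTS = [  # constructed outbound-connection records
    {"user": "jsmith", "host": "hr-db-01", "dst_ip": "203.0.113.9"},
    {"user": "abrown", "host": "wiki-02", "dst_ip": "198.51.100.4"},
]
```

The first sample event hits all four sources and scores 13 (high); the second hits none and scores 0 (low).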
Indicators of Compromise
Think how an insider might behave, what they might do, how they would steal data. What might be the early signs of an external attack or Trojan, APT, spear phishing activity?
• Activity to/from risky or strange locations
• Personal sensitivities (role, seniority, access)
• Patterns of traffic between IP address pairs
• Session durations
• Data flow volumes and directions
• Activity on sensitive internal hosts
• Number of files open(ed)
• Number of pages or documents printed
• Query/search results (numbers)
• User account group membership activity
• Use of media like USB/CD
• Connections to cloud-based storage
Detecting Anomalous Behaviour
• Monitor / learn behavioural profile automatically to create a dynamic baseline of system behaviour
• Continuously updated as the environment changes
• Correlating with other events, detections for any deviations from the “normal” baseline to alert operators
Hard in complex systems for analysts:
• To know the network
• To estimate thresholds
• Have to constantly re-write rules
• Make safe/reliable assumptions
• Attack nature can be more easily predictable
• Start from the Indicator of Compromise – or IoC – for APTs, zero-day & insider threats
• Indicators and behaviours play a role at different stages of the kill chain
Automating Responses
• Suspicion / Detection
• Automatic information/context gathering: system, user, process, network information is transient – needs to be gathered at the time (later is no use)
• Manual analysis and triage
• Automatic response (can be risky): making changes, turning things off, closing sessions can help, but may impact normal business
• Manual response: making sense of the data to understand the incident and effect appropriate containment/investigation/remediation
Automatic Response
Process efficiency: automating as much as possible and streamlining everything else. More than just purely “actively responding” (closing sessions, disrupting attacker, disabling user accounts...).
Key use case: gather data/context “at the time of an alert” ...
• Webcam photo, screen shot
• System configuration, running processes, network sessions
... and from “just before”, i.e. caching a rolling data set (e.g. network traffic) and freezing it when an alert occurs.
Note: only really works with real-time analysis and detection systems, and when you have a way to work with the dataset that is collected.
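The dynamic baseline of the Detecting Anomalous Behaviour slide and the "cache a rolling data set and freeze it when an alert occurs" idea of this slide, combined into one added example (not Tier-3/Huntsman code): a per-user exponentially weighted baseline of outbound bytes flags a deviation, and at that moment the rolling buffer of preceding records is snapshotted as "just before" evidence. The EWMA baseline, the `bytes_out` field, the window and threshold values and the sample records are all assumptions.

```python
"""Dynamic per-user baseline with a rolling "just before" evidence buffer.
Added example, not Tier-3/Huntsman code. The baseline is an exponentially
weighted mean/variance (an assumed choice); records are constructed samples."""
import math
from collections import deque

class Baseline:
    def __init__(self, alpha=0.2, min_samples=5):
        self.alpha, self.min_samples = alpha, min_samples
        self.n, self.mean, self.var = 0, 0.0, 0.0

    def score(self, x):
        """z-score of x against the current baseline; 0 while still warming up."""
        if self.n < self.min_samples or self.var == 0:
            return 0.0
        return (x - self.mean) / math.sqrt(self.var)

    def update(self, x):
        """Fold a normal observation into the EWMA mean and variance."""
        if self.n == 0:
            self.mean = x
        else:
            d = x - self.mean
            self.mean += self.alpha * d
            self.var = (1 - self.alpha) * (self.var + self.alpha * d * d)
        self.n += 1

class Detector:
    def __init__(self, window=6, threshold=3.0):
        self.baselines, self.alerts = {}, []
        self.recent = deque(maxlen=window)  # rolling cache of the last N records
        self.threshold = threshold

    def observe(self, rec):
        b = self.baselines.setdefault(rec["user"], Baseline())
        z = b.score(rec["bytes_out"])
        if z > self.threshold:
            # Alert: snapshot the rolling buffer as "just before" evidence.
            self.alerts.append({"record": rec, "z": round(z, 1), "context": list(self.recent)})
        else:
            b.update(rec["bytes_out"])  # assumption: anomalies are not learned into the baseline
        self.recent.append(rec)
        return z

SAMPLE = [{"user": "jsmith", "bytes_out": b}  # constructed: steady activity, then a spike
          for b in (1000, 1100, 950, 1050, 1000, 1020, 980, 1010, 50_000)]

def run_sample():
    det = Detector()
    for rec in SAMPLE:
        det.observe(rec)
    return det
```

Running `run_sample()` yields one alert on the 50 000-byte record with the six preceding records frozen as context; the first five records only warm the baseline up and never alert.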
To close ...
Remember the “kill chain” concept
Cyber Kill Chain – sequential chain of events for successful attack (© Lockheed Martin):
Reconnaissance → Weaponisation → Delivery → Exploitation → Installation → Command & Control → Actions on Intent
Pre-Compromise | Compromise | Post-Compromise
Monitor, detect and respond throughout attack lifecycle
What will “good” look like?
More Confident/Reliable Detection
• Given that “something” has been detected have to decide if it is significant (with confidence)
• “Potential incident” investigated based on the surrounding or associated contextual data
• Maximise use of established data sources and automation:
  • Swifter “confirmed detection”
  • Fewer false positives/negatives
  • Single view of information across sources
• Throughout the kill chain, and as early as possible
Earlier Understanding/Faster Analysis
• Anticipate obvious questions for triage, analysis, escalation process
• Predictable requests dealt with automatically
• Pre-emptive information gathering
• Leverage data available from at / before the time of incident: screen shots, systems’ configurations, file contents, network sessions, open files ...
• Focus staff concentration on decision making rather than manual information gathering
Thank you
Piers [email protected] +44 (0) 7800 508517
[email protected] +44 (0) 118 900 1550
www.tier-3.com twitter.com/Tier3huntsman