Intelligence-based computer network defence: Understanding the cyber kill chain (Royal Holloway University conference)


Uploaded by tier-3-huntsman on 18-Nov-2014

DESCRIPTION

An overview of the cyber-security kill chain concept and its implications for computer security and network defence, using real-time anomaly detection, threat intelligence and intelligence-led response.

TRANSCRIPT

Page 1: Intelligence-based computer network defence: Understanding the cyber kill chain (Royal Holloway University conference)

© 2014 Tier-3 Pty Ltd, All rights reserved. Intelligent Security. We deliver it.

Intelligence-based Computer Network Defence

Piers Wilson, Tier-3 Huntsman® - Head of Product Management

Page 2: Setting the Scene

• Cyber attacks continue to increase
• Even closed networks are vulnerable
• Both external and internal attacks
• Increasing sophistication
• Every organisation is at risk

Page 3: The cyber security "kill chain" concept

Cyber Kill Chain (© Lockheed Martin) – the sequential chain of events for a successful attack:

1. Reconnaissance
2. Weaponisation
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Actions on Objectives

The stages group into Pre-Compromise, Compromise and Post-Compromise, with increasing risk and cost to contain and remediate the further along the chain an attack gets.

Page 4: Considering Attack Cycles

Reconnaissance: harvesting email addresses, conference information, staff bios, press coverage
Weaponisation: coupling an exploit with a backdoor into a deliverable payload
Delivery: getting the payload to the victim via email, web drive-by, USB
Exploitation: exploiting the vulnerability to execute code
Installation: installing the malware/payload on the system
Command & Control: establishing a channel back to the attack source
Actions on Objectives: undertaking the automated and attacker-driven activity desired

• "Thinking like an attacker"
• The likelihood of being caught, and the return on investment?
• What is the best way to test the attack method?
• Enumeration of the organisation
• Identify valuable/vulnerable assets
• Establish how to get the information out

• Acceptance that defences may not be sufficient, and thus detection and diagnosis are key
• Rapid detection means less cost, more chance to mitigate, better chance of recovery
• Dealing with both external and insider threats

• Need to consider the "indicators of compromise" at each stage:
• Anomalies detected
• Events on boundary egress points
• Critical documents / information silos
• System performance and health
• Activity levels, session lengths, traffic and flow patterns

Page 5: Agenda - Three Components

1. Leverage Threat Intelligence
2. Consider 'Indicators of Compromise'
3. Optimise and Automate Incident Response

Page 6: Threat Intelligence

• Integration of external TI feeds for detection AND analysis purposes, to aid efficient operations
• Capture of static or dynamic internal information and intelligence on threats and risks
• Operational incident detection and analysis processes generate real-time, interpreted threat intelligence
• Automation and confidence in alerting, detection and escalation processes

Page 7: Internal & Contextual

Internal Intelligence Databases
• Import and cross-reference to (internal) state databases, e.g. users of different types, physical/location status, risk levels, system sensitivities, even self-created lists of systems that are the subject of incidents and investigations
• Recent use case was a list of users who are "under increased vigilance"

Contextual Vulnerability, Incident and Asset Data
• Integration of vulnerability assessment tools
• Network capture to derive asset information, deduce port usage and flow statistics in real time
• Provides understanding of likely vulnerability/threat
• Understanding of ongoing incidents and system statuses/risks

Internal Security, Malware and Attack Context
• Integrated information from specific security/capture solutions
• Active response to capture real-time alert data: camera images; system configuration, processes, network sessions, file system snapshot

Page 8: External Threat Intelligence Sources

External Threat Intelligence
• Import of external data for use in detection, correlation and alerting: compromised sites, malicious URLs, phishing sources, IP reputations
• Ensure you "know what everyone else knows" – throughout the kill chain (diagnosis and response)
• Open source and/or commercial feeds

External Geographic Information
• Mapping from IP address to world location
• Make decisions based on risk profiles or known operational locations

Page 9: Agenda - Three Components (section divider; the same three components as Page 5)

Page 10: Indicators of Compromise

Think how an insider might behave, what they might do, how they would steal data. What might be the early signs of an external attack, or of Trojan, APT or spear-phishing activity?

• Activity to/from risky or strange locations
• Personal sensitivities (role, seniority, access)
• Patterns of traffic between IP address pairs
• Session durations
• Data flow volumes and directions
• Activity on sensitive internal hosts
• Number of files open(ed)
• Number of pages or documents printed
• Query/search results (numbers)
• User account group membership activity
• Use of media like USB/CD
• Connections to cloud-based storage

Page 11: Detecting Anomalous Behaviour

• Monitor and learn the behavioural profile automatically to create a dynamic baseline of system behaviour
• Continuously updated as the environment changes
• Correlate with other events and detections, and alert operators on any deviation from the "normal" baseline

Hard in complex systems for analysts:
• to know the network
• to estimate thresholds
• to constantly re-write rules
• to make safe/reliable assumptions

The nature of an attack is more easily predicted: start from the indicator of compromise (IoC) for APTs, zero-day and insider threats. Indicators and behaviours play a role at different stages of the kill chain.
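The "dynamic baseline" on this page and the data-flow and cloud-storage indicators on the previous one can be shown together: learn a per-user baseline of egress volume, flag a deviation, and only escalate when an independent indicator from the same period corroborates it. The following Python is an added example and is not code from the deck or from any Tier-3 product; the exponentially weighted baseline is one common choice (the deck does not specify a method), and the egress figures, indicator names and severity rules are constructed for illustration.

```python
"""Dynamic behavioural baseline with anomaly alerting and indicator correlation.

Added example for the anomaly-detection and IoC slides above; it is not code
from the original deck or from any Tier-3 product. The per-user egress figures,
the indicator names and the severity rules are constructed sample data.
"""
import math
from dataclasses import dataclass


@dataclass
class Baseline:
    mean: float = 0.0   # exponentially weighted mean of the metric
    var: float = 0.0    # exponentially weighted variance
    n: int = 0          # observations folded into the baseline so far


class BehaviourMonitor:
    """Learns a per-entity baseline of one metric (here: daily egress in MB)
    and flags observations that sit far above it.

    alpha    weight of the newest observation (higher = adapts faster)
    warmup   observations to learn before any alerting
    k        alert when value > mean + k * sd
    min_sd   floor on the standard deviation, so a very regular user does
             not end up with an absurdly tight threshold
    """

    def __init__(self, alpha=0.2, warmup=5, k=3.0, min_sd=20.0):
        self.alpha, self.warmup, self.k, self.min_sd = alpha, warmup, k, min_sd
        self.baselines = {}

    def threshold(self, entity):
        b = self.baselines.get(entity)
        if b is None or b.n < self.warmup:
            return None  # still learning: no threshold yet
        return b.mean + self.k * max(math.sqrt(b.var), self.min_sd)

    def observe(self, entity, value):
        """Return True if `value` is anomalous for `entity`, then update the
        baseline. Anomalous values are NOT folded in, so one large transfer
        does not teach the baseline that large transfers are normal. A slow
        ramp-up can still shift it, which is why correlation below matters."""
        b = self.baselines.setdefault(entity, Baseline())
        limit = self.threshold(entity)
        anomalous = limit is not None and value > limit
        if not anomalous:
            if b.n == 0:
                b.mean, b.var = float(value), 0.0
            else:
                diff = value - b.mean
                step = self.alpha * diff
                b.mean += step
                b.var = (1 - self.alpha) * (b.var + diff * step)
            b.n += 1
        return anomalous


# Other indicators from the IoC slide, observed in the same period, used to
# raise confidence before an operator is alerted.
CORROBORATING = {"usb_media_use", "cloud_storage_connection", "unusual_location",
                 "sensitive_host_access", "group_membership_change"}


def severity(volume_anomaly, indicators):
    extra = len(CORROBORATING & set(indicators))
    if volume_anomaly and extra >= 1:
        return "high"       # deviation plus an independent corroborating indicator
    if volume_anomaly or extra >= 2:
        return "medium"     # a single signal: worth a look, not a page-out
    return "low"


# Constructed sample: six ordinary days for one user, then a 900 MB burst that
# coincides with a connection to cloud storage.
SAMPLE_EGRESS_MB = [40, 55, 48, 62, 50, 45, 900]
SAMPLE_INDICATORS = [set()] * 6 + [{"cloud_storage_connection"}]


def run_demo(user="alice"):
    monitor = BehaviourMonitor()
    results = []
    for mb, inds in zip(SAMPLE_EGRESS_MB, SAMPLE_INDICATORS):
        anomalous = monitor.observe(user, mb)
        results.append((mb, anomalous, severity(anomalous, inds)))
    return results, monitor.threshold(user)


if __name__ == "__main__":
    for mb, anomalous, sev in run_demo()[0]:
        print(f"{mb:>5} MB  anomalous={anomalous!s:<5} severity={sev}")
```

Two of the page's pain points are handled explicitly: the threshold is derived from the learned mean and spread instead of being guessed by an analyst, and it moves as the baseline moves, so the rule does not need re-writing when the environment changes. The warm-up period and the floor on the standard deviation are the two knobs that decide how noisy the first weeks will be.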

Page 12: Agenda - Three Components (section divider; the same three components as Page 5)

Page 13: Automating Responses

Suspicion / detection
↓
Automatic information/context gathering – system, user, process and network information is transient and needs to be gathered at the time (later is no use)
↓
Manual analysis and triage – making sense of the data to understand the incident and effect appropriate containment/investigation/remediation
↓
Manual response, or automatic response (can be risky) – making changes, turning things off and closing sessions can help, but may impact normal business

Page 14: Automatic Response

Process efficiency: automating as much as possible and streamlining everything else. This is more than just purely "actively responding" (closing sessions, disrupting the attacker, disabling user accounts ...).

Key use case: gather data/context "at the time of an alert" ...
• webcam photo, screen shot
• system configuration, running processes, network sessions

... and from "just before", i.e. caching a rolling data set (e.g. network traffic) and freezing it when an alert occurs.

Note: this only really works with real-time analysis and detection systems, and only if you have a way to work with the dataset that is collected.
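The two ideas on pages 13 and 14, a rolling capture that is frozen when an alert fires and a split between information gathering that runs unattended and environment changes that wait for an analyst, can be sketched as follows. This Python is an added example and is not code from the deck or from the Huntsman product; the record stream, the alert, the action names and the approval set are constructed for illustration, and the host context is limited to what the standard library can report.

```python
"""Freeze a rolling capture window at alert time and gate risky responses.

Added example for the automatic-response slides above; it is not code from the
original deck or from the Huntsman product. The record stream, the alert and
the approval set are constructed sample data; the action names are invented
for illustration.
"""
import hashlib
import hmac
import json
import platform
import socket
import time
from collections import deque
from dataclasses import asdict, dataclass


@dataclass(frozen=True)
class Record:
    ts: float        # seconds since epoch
    src: str
    dst: str
    nbytes: int


class RollingCapture:
    """Ring buffer that keeps only the last `window` seconds of records, so
    the data from "just before" an alert is still there when the alert fires."""

    def __init__(self, window: float):
        self.window = window
        self.buf = deque()

    def add(self, rec: Record) -> None:
        self.buf.append(rec)
        cutoff = rec.ts - self.window
        while self.buf and self.buf[0].ts < cutoff:
            self.buf.popleft()          # age out what is older than the window

    def freeze(self, alert_ts: float) -> list:
        """Copy out what preceded the alert; once copied, later traffic can
        no longer age it out of the buffer."""
        return [r for r in self.buf if alert_ts - self.window <= r.ts <= alert_ts]


def gather_context() -> dict:
    """Volatile host facts captured at alert time. Only stdlib facts here; a
    deployment would add process lists, network sessions and a screenshot
    from its endpoint tooling."""
    return {"hostname": socket.gethostname(),
            "platform": platform.platform(),
            "captured_at": time.time()}


def bundle_evidence(alert: dict, records: list, context: dict):
    """Serialise alert + frozen capture + context and hash the bundle, so
    later modification of the evidence is detectable."""
    payload = {"alert": alert, "capture": [asdict(r) for r in records],
               "context": context}
    body = json.dumps(payload, sort_keys=True).encode()
    return body, hashlib.sha256(body).hexdigest()


def verify_bundle(body: bytes, digest: str) -> bool:
    return hmac.compare_digest(hashlib.sha256(body).hexdigest(), digest)


# Gathering information is safe to run unattended; changing the environment
# (which can disrupt normal business) waits for an analyst's approval.
AUTOMATIC = ("freeze_capture", "gather_context")
NEEDS_APPROVAL = ("close_session", "disable_account", "isolate_host")


def plan_response(alert: dict) -> list:
    planned = [(a, True) for a in AUTOMATIC]
    if alert["severity"] == "high":
        planned += [(a, False) for a in NEEDS_APPROVAL]
    return planned


def execute(planned: list, approved=frozenset()):
    """Return (actions run now, actions queued for approval)."""
    done, pending = [], []
    for action, automatic in planned:
        (done if automatic or action in approved else pending).append(action)
    return done, pending


# Constructed sample: 10 s window, alert at t=100 after a burst to one host.
SAMPLE_RECORDS = [
    Record(85.0, "10.0.5.20", "192.0.2.10", 1200),
    Record(93.0, "10.0.5.20", "203.0.113.7", 48000),
    Record(97.5, "10.0.5.20", "203.0.113.7", 51000),
    Record(100.0, "10.0.5.20", "203.0.113.7", 52000),
]
ALERT = {"id": "A-1", "severity": "high", "ts": 100.0, "host": "10.0.5.20"}


def run_demo():
    capture = RollingCapture(window=10.0)
    for rec in SAMPLE_RECORDS:
        capture.add(rec)
    frozen = capture.freeze(ALERT["ts"])            # the 85.0 record has aged out
    body, digest = bundle_evidence(ALERT, frozen, gather_context())
    done, pending = execute(plan_response(ALERT))
    return frozen, body, digest, done, pending


if __name__ == "__main__":
    frozen, body, digest, done, pending = run_demo()
    print(f"frozen {len(frozen)} records, bundle sha256={digest[:16]}...")
    print("ran now:", done)
    print("awaiting approval:", pending)
```

The hash over the frozen bundle is the "way to work with the dataset that is collected" part of the page's note: if the capture is going to be used in an investigation weeks later, the analyst needs to be able to show it is the same data that was frozen at alert time. The approval gate is the page's "can be risky" caveat made concrete: nothing that closes a session or disables an account runs without an analyst name on it.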

Page 15: To close ...

Page 16: Remember the "kill chain" concept

Cyber Kill Chain (© Lockheed Martin) – the sequential chain of events for a successful attack: Reconnaissance → Weaponisation → Delivery → Exploitation → Installation → Command & Control → Actions on Objectives

Pre-Compromise, Compromise, Post-Compromise: monitor, detect and respond throughout the attack lifecycle.

Page 17: What will "good" look like?

More Confident/Reliable Detection
• Given that "something" has been detected, you have to decide whether it is significant (with confidence)
• A "potential incident" is investigated based on the surrounding or associated contextual data
• Maximise use of established data sources and automation: swifter "confirmed detection", fewer false positives/negatives, a single view of information across sources
• Throughout the kill chain, and as early as possible

Earlier Understanding/Faster Analysis
• Anticipate the obvious questions for the triage, analysis and escalation process
• Predictable requests dealt with automatically
• Pre-emptive information gathering: leverage data available from at / before the time of the incident (screen shots, systems' configurations, file contents, network sessions, open files ...)
• Focus staff concentration on decision making rather than manual information gathering

Page 18: Thank you

Piers [email protected], +44 (0) 7800 508517
[email protected], +44 (0) 118 900 1550
www.tier-3.com, twitter.com/Tier3huntsman