What Happens Before the Kill Chain


Posted on 21-Feb-2017


Category: Technology


TRANSCRIPT

  • 1 CONFIDENTIAL

    Dan Hubbard, CTO, OpenDNS; Rick Holland, Principal Analyst, Forrester

    What Happens Before the Kill Chain

  • 2

    Speakers

    Dan Hubbard, CTO, OpenDNS

    Rick Holland, Principal Analyst, Forrester

  • 3 CONFIDENTIAL 2015 Forrester Research, Inc. Reproduction Prohibited 3

    Agenda

    The cyber kill chain
    Targeted Attack Hierarchy of Needs
    Making prevention work

    @rickhholland

  • 4

    STRESS

  • 5

    Time to discover is pathetic

  • 6

    205 days to discover intrusions

  • 7

    Adversaries are on shopping sprees

  • 8

    With no time limits

  • 9

    New Incident Response Metric: Mean Time Before CEO Apologizes

  • 10

    We need bright ideas

  • 11

    Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains

  • 12

    Agenda

    The cyber kill chain
    Targeted Attack Hierarchy of Needs
    Making prevention work

    @rickhholland

  • 13

    Targeted attack hierarchy of needs

    Source: May 15, 2014, Introducing Forrester's Targeted-Attack Hierarchy Of Needs, Part 1 Of 2 Forrester report

  • 14

  • 15

    Why should we give up on prevention?

  • 16

    Why should you settle for detection and response?

  • 17

    Can you imagine incident volume without prevention?

  • 18

    Prevention is dead?

    Be wary of anyone claiming that prevention is dead

    Especially if all they sell are detection tools or services

    You should lead with prevention and fall back to detection and response

    Be suspicious

  • 19

    Agenda

    The cyber kill chain
    Targeted Attack Hierarchy of Needs
    Making prevention work

    @rickhholland

  • 20

    Don't wait for reconnaissance

    Reconnaissance

    Weaponization

    Delivery

    Exploitation

    Installation

    Command & Control

    Action on objectives

    Source: http://cyber.lockheedmartin.com/cyber-kill-chain-lockheed-martin-poster

  • 21

    Napoleon: An army marches on its stomach

  • 22

    Attacks against your org rely upon infrastructure

  • 23

    Block enemy infrastructure

    The best way to get time to containment down is to reduce the overall number of security incidents. Free up your limited resources to focus more on detection and response.

    You can disrupt the adversary by blocking its ability to target you.

    The military puts the kill in the kill chain; leave hacking back to the government.

  • 24

    The Diamond Model of Intrusion Analysis

    Source: http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf

  • 25

    Infrastructure that the adversary could reuse

    Domain names
    IP addresses
    Command and Control structure
    Internet Service Providers
    Domain registrars
    Web-mail providers

  • 26

    Lenny Zeltser: Report Template for Threat Intelligence and Incident Response

    Source: https://zeltser.com/cyber-threat-intel-and-ir-report-template/

  • 27

    Domain registration OPSEC fail

    Careful observation of DNS registrant contact information history has revealed an OPSEC failure by the attackers in one instance.

    For a brief period (possibly before the server was operational), WHOIS privacy was inactive, pointing at a real identity of the registrant. This e-mail address leads to social media accounts that show public and clear affinity with Lebanese political activism.

  • 28

  • 29

    Forrester definition: Predictive analytics

    Software and/or hardware solutions that allow firms to discover, evaluate, optimize, and deploy predictive models by analyzing big data sources to improve business performance or mitigate risk.

  • 30

    Predictive security analytics

    Uses big-data analysis techniques to anticipate future attacker activity based on historical activity

    Leverages machine learning, statistical analysis, and visualization

    Unless you have data science skills, navigating vendor marketing can be challenging. Ask vendors to provide use cases.

  • 31

  • 32

    OpenDNS Research

    Applied Research
    Thought Leadership
    Response
    Customer / Prospect Engagements

  • 33

    Our Perspective: Diverse Set of Data & Global Internet Visibility

    Requests per day: 70B
    Countries: 160+
    Daily active users: 65M
    Enterprise customers: 10K

  • 34

    Our view of the Internet, providing visibility into global Internet activity (e.g. BGP, AS, DNS)

  • 35

    How it works

    Ingest millions of data points per second
    Apply statistical models and human intelligence
    Identify probable malicious sites

  • 36

    How we develop our statistical models

    3D Visualization
    Data Mining
    Security Research Expertise

  • 37

    Investigate: single, correlated source of information

    Types of threat information provided:

    WHOIS record data

    ASN attribution

    IP geolocation

    IP reputation scores

    Domain reputation scores

    Domain co-occurrences

    Anomaly detection (DGAs, FFNs)

    DNS request patterns/geo. distribution

    Passive DNS database

  • 38

    Predictive Intelligence

    Inference Knowledge Learning

    Pre-Compromise

    Compromise

    Post-Compromise

  • 39

    Predictive Intelligence

    Inference Knowledge Learning

    Reconnaissance
    Weaponization
    Delivery
    Exploitation
    Installation
    C & C
    Actions & Objectives

  • 40

    Before the Kill Chain

    Kill chain: Reconnaissance, Weaponization, Delivery

    Before it: Plan, Build, Test / Iterate

  • 41

    Predictive Intelligence

    Plan, Build, Test / Iterate

    Where will we host the infrastructure?
    How will it be fault tolerant?
    What domains / IPs / networks will I utilize?
    How will the backend scale?
    Reporting? Uptime?
    Private and public announcement and advertising?
    Testing and iteration of the solution

  • 42

    We see where attacks are staged

  • 43

    Examples

  • 44

    Malaysia Airlines DNS Hijack January 25, 2015

  • 45

    Malicious ASN/IP identified: owned by Lizard Squad, the group behind the December 2014 attacks on the PlayStation and Xbox networks

  • 46

    OpenDNS recognized the domain hijacking on Jan 25th and blocked the DNS requests, and with them any subsequent stage of the attack

  • 47

    WHOIS: BEDEP Example

  • 48

    WHOIS: Visualization of Inferences

  • 49

    WHOIS: Visualization of Inferences

  • 50

    WHOIS registration date is after the domain was first seen!
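As an added example (not OpenDNS or Forrester code), the two checks implied by this slide and by slide 25 on reusable adversary infrastructure: flag a domain whose WHOIS creation date is later than its first passive-DNS observation, flag domains registered only days before they were first queried, and pivot from one domain to related infrastructure through shared registrant e-mail and shared resolved IPs. Every record below is constructed (.example names, documentation-range IPs, a made-up privacy-proxy mailbox); the seven-day "newly registered" window and the list of bulk indicators to ignore are assumptions.

```python
"""Registration-date anomalies and infrastructure pivoting over WHOIS plus
passive-DNS records.  Added example, not OpenDNS code.  All records are
constructed and the thresholds are assumptions."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import date, datetime
from typing import List, Optional, Set, Tuple

# Bulk indicators that would link unrelated domains (assumption: a real
# deployment maintains this list: privacy-proxy mailboxes, CDN / shared hosts).
IGNORED_EMAILS = {"privacy@proxy-registrar.example"}
IGNORED_IPS: Set[str] = set()

NEWLY_REGISTERED_DAYS = 7  # assumption: "registered right before use" window


@dataclass(frozen=True)
class DomainRecord:
    domain: str
    whois_created: Optional[date]     # None when WHOIS is missing or unparseable
    registrant_email: Optional[str]
    first_seen: date                  # first passive-DNS observation
    resolved_ips: Tuple[str, ...]


def parse_whois_date(text: str) -> Optional[date]:
    """Registrars print creation dates in several formats; accept the common ones."""
    for fmt in ("%Y-%m-%d", "%d-%b-%Y", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(text.strip(), fmt).date()
        except ValueError:
            continue
    return None


def registration_anomalies(rec: DomainRecord) -> List[str]:
    """Registration-timing findings for one domain."""
    if rec.whois_created is None:
        return ["whois_unavailable"]
    age_at_first_seen = (rec.first_seen - rec.whois_created).days
    if age_at_first_seen < 0:
        # Resolving before the current creation date: the name was dropped and
        # re-registered, or the WHOIS data is inconsistent.  Investigate either way.
        return ["registered_after_first_seen"]
    if age_at_first_seen <= NEWLY_REGISTERED_DAYS:
        return ["newly_registered"]
    return []


def index_by(records, key_fn):
    index = defaultdict(set)
    for r in records:
        for k in key_fn(r):
            index[k].add(r.domain)
    return index


def related_infrastructure(records: List[DomainRecord], seed: str, max_hops: int = 2) -> Set[str]:
    """Breadth-first pivot from `seed` over shared registrant e-mail and shared
    resolved IPs, up to `max_hops` pivots away.  Bulk indicators are skipped so
    a privacy proxy or a shared host does not pull in unrelated domains."""
    by_domain = {r.domain: r for r in records}
    by_email = index_by(records, lambda r: [r.registrant_email]
                        if r.registrant_email and r.registrant_email not in IGNORED_EMAILS else [])
    by_ip = index_by(records, lambda r: [ip for ip in r.resolved_ips if ip not in IGNORED_IPS])

    found = {seed}
    queue = deque([(seed, 0)])
    while queue:
        domain, hops = queue.popleft()
        if hops == max_hops:
            continue
        rec = by_domain[domain]
        neighbours = set(by_email.get(rec.registrant_email, set()))
        for ip in rec.resolved_ips:
            neighbours |= by_ip.get(ip, set())
        for n in neighbours - found:
            found.add(n)
            queue.append((n, hops + 1))
    found.discard(seed)
    return found


# Constructed sample: two staged phishing domains from one mailbox, a
# re-registered name, a long-lived benign name, and a broken WHOIS record.
RECORDS = [
    DomainRecord("login-secure.example", parse_whois_date("2015-01-18"),
                 "ops.mailbox@webmail.example", date(2015, 1, 20), ("192.0.2.10",)),
    DomainRecord("cdn-assets.example", parse_whois_date("18-Jan-2015"),
                 "ops.mailbox@webmail.example", date(2015, 1, 22), ("192.0.2.10", "192.0.2.11")),
    DomainRecord("news-mirror.example", parse_whois_date("2015-02-03T09:12:00Z"),
                 "privacy@proxy-registrar.example", date(2015, 1, 29), ("198.51.100.7",)),
    DomainRecord("oldshop.example", parse_whois_date("2009-06-01"),
                 "owner@oldshop.example", date(2011, 3, 4), ("198.51.100.7",)),
    DomainRecord("broken-whois.example", parse_whois_date("not disclosed"),
                 None, date(2015, 1, 25), ("192.0.2.11",)),
]


def triage(records):
    return {r.domain: registration_anomalies(r) for r in records}


if __name__ == "__main__":
    for domain, findings in triage(RECORDS).items():
        print(f"{domain:24} {findings}")
    print("pivot from login-secure.example:",
          sorted(related_infrastructure(RECORDS, "login-secure.example")))
```

The pivot is deliberately hop-limited and skips bulk indicators: one privacy-proxy mailbox or one shared-hosting IP would otherwise connect the seed to thousands of unrelated domains, which is the usual way infrastructure pivots go wrong.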

  • 51

    Anomaly Detection: Identify DGAs

    Domain Generation Algorithms: a technique for generating malware domains on the fly

    yfrscsddkkdl.com

    qgmcgoqeasgommee.org

    iyyxtyxdeypk.com

    diiqngijkpop.ru
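An added example, not OpenDNS code, of the lexical side of DGA detection: it scores how machine-generated the registrable label of a name looks (length, vowel ratio, longest consonant run, character entropy, share of common English bigrams) and flags the four domains listed on this slide while leaving three constructed benign controls alone. The bigram table, the thresholds and the three-indicator cut-off are assumptions chosen for illustration; a production model learns them from labelled traffic.

```python
"""Lexical DGA detector.  Added example, not OpenDNS code: scores how
machine-generated a registrable label looks.  The bigram table and every
threshold are assumptions for illustration."""
import math
from collections import Counter
from typing import Dict

VOWELS = set("aeiou")

# Very common English bigrams.  Assumption: a production model learns full
# n-gram frequencies from a large corpus of benign domains instead.
COMMON_BIGRAMS = {
    "th", "he", "in", "er", "an", "re", "on", "at", "en", "nd",
    "ti", "es", "or", "te", "of", "ed", "is", "it", "al", "ar",
    "st", "to", "nt", "ng", "se", "ha", "as", "ou", "io", "le",
    "ve", "co", "me", "de", "hi", "ri", "ro", "ic", "ne", "ea",
    "ra", "ce", "li", "ch", "ll", "be", "ma", "si", "om", "ur",
}


def registrable_label(domain: str) -> str:
    """Label left of the TLD ('evil' for 'c2.evil.com').  Assumption: single-label
    TLDs; names under public suffixes such as co.uk need a Public Suffix List."""
    labels = domain.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s: str) -> int:
    best = run = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def common_bigram_fraction(s: str) -> float:
    bigrams = [s[i:i + 2] for i in range(len(s) - 1)]
    return sum(b in COMMON_BIGRAMS for b in bigrams) / len(bigrams) if bigrams else 1.0


def dga_features(domain: str) -> Dict[str, float]:
    label = registrable_label(domain)
    if not label:
        raise ValueError(f"no registrable label in {domain!r}")
    return {
        "length": len(label),
        "vowel_ratio": sum(ch in VOWELS for ch in label) / len(label),
        "consonant_run": longest_consonant_run(label),
        "entropy": shannon_entropy(label),
        "common_bigrams": common_bigram_fraction(label),
    }


def dga_score(domain: str) -> int:
    """Number of 'looks generated' indicators that fire, 0..5 (thresholds assumed)."""
    f = dga_features(domain)
    return sum([
        f["length"] >= 12,
        f["vowel_ratio"] < 0.3,
        f["consonant_run"] >= 5,
        f["entropy"] >= 2.8,
        f["common_bigrams"] < 0.2,
    ])


def is_probable_dga(domain: str, threshold: int = 3) -> bool:
    return dga_score(domain) >= threshold


if __name__ == "__main__":
    # The four domains from the slide plus three constructed benign controls.
    for d in ["yfrscsddkkdl.com", "qgmcgoqeasgommee.org", "iyyxtyxdeypk.com",
              "diiqngijkpop.ru", "google.com", "opendns.com", "www.forrester.com"]:
        print(f"{d:24} score={dga_score(d)} dga={is_probable_dga(d)}")
```

Lexical scoring alone misses wordlist DGAs that glue dictionary words together and will mis-score short brand names, so in practice it is paired with the DNS-side signals on slide 37 (NXDOMAIN bursts from one client, co-occurrence, request-pattern anomalies) before anything is blocked.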

    Does
