Building an Efficient Incident Response Process Using Threat Intelligence A Global Enterprise Perspective

Transcription

1 Building an Efficient Incident Response Process Using Threat Intelligence A Global Enterprise Perspective Thomas Schreck Borderless Cyber Europe 2016

2 Principal Engineer at Director of FIRST.org Seite 2

3 How we think Cyber Threat Intelligence is working Seite 3

4 and here is the reality! PDF Reports Empty File Hash 4741a7df46e c647a401e94f7 Seite 4

5 What is Cyber Threat Intelligence? Threat intelligence is a vital part of network defense and incident response, including information about threats, TTPs, and devices that adversaries employ; the systems and information that they target; and any other threat-related information that provides greater situational awareness with the following characteristics: Timely Relevant Accurate Specific Actionable Strategic Tactical TTPs IoCs Seite 5

6 What can it be used for? Situational Awareness CTI Hardening Detection Response Seite 6

7 Capabilities and Tasks Intel Sourcing Other CERTs & TI communities, Open source intelligence Subscriptions to Intel companies Internal sources, like Malware Analysis and Investigations Intel Usage Integrate Intel in our existing TI platform Make Intel actionable for our consumers Aggregate strategic Intel to build Threat Landscape The 4 pillars of Threat Intelligence Intel Management Manual Vet incoming Intel Store Intel in a structured way Integrate other forms of QA in Intel lifecycle (e.g., rating) Link Intel to respective IOCs Intel Sharing Share Intel with different communities Fast sharing using open standards Contribute in development of sharing platforms Seite 7

8 Managing and Utilizing Threat Intellingence Seite 8

9 Managing Cyber Threat Intelligence Collection Planing Processing Dissemination Analysis & Production Seite 9

10 Utilizing Threat Intelligence Scripts for Automation Analysis Firewall Proxies Shadowserver Monitoring Solution pdns Malware Analysis Forensic various scripts DNS DHCP various data sources etc. Lessons Learned Analyst Threat Intelligence Platform Internal & External Intelligence Sharing Indicators Threat Intelligence Cleaning up Ticketing Abuse Reporting etc. Seite 10 Incident Handling Ticketsytem (RT, OTRS, Jira) Wiki (Mediawiki, Confluence) ing (PGP, SMIME)

11 Sourcing and Sharing Threat Intelligence Seite 11

12 Sharing Communities Trusted Groups FIRST Trusted Introducer/ TF-CSIRT CERT-Verbund AkSiGro German Cyber Security Alliance CSSA e.v. Various OpSec Groups Law Enforcement Europol FBI German State Police Governance BSI / BMI / Verfassungsschutz CERT-EU Various European GOV- CERTs (e.g., NCSC.NL, UK-CERT, CERT.at) US CERT ICS-CERT CN-CERT Active TI Sharing DoD CRADA Program DHS: CISCP ICS Microsoft MAPP for Responder German APT WG Siemens CERT/ ProductCERT OSINT Sec. Mailinglists (full-disc.) Sec. Blogs Twitter Pastebin SANS Various websites, e.g. XSSed, Zone-h, DNS and Malware Blacklists (about 110 different blacklists in total) Sec. Companies Trend Micro Kaspersky Symantec BFK CSIS Security Group Team Cymru Crowdstrike Farsight Vendors Google Microsoft CISCO Amazon Juniper SAP ORACLE SuSE/Red Hat Intel IBM Science University of California, Santa Barbara Northeastern University Boston iseclab Ruhr-Universität Bochum Friedrich-Alexander- Universität Erlangen Fraunhofer AISEC/SIT/FKIE Technische Universität München Seite 12

13 Seite 13

14 Seite 14

15 Sharing Standards and Tools OpenIOC IETF MILE Mailinglists Chatrooms MANTIS JSON, CSV, PDF, Seite 15

16 Sharing 101 Use a common standard like Traffic Light Protocol: Define the standard how to exchange information Share as early with others as possible Evaluate commercial vendors carefully and re-evaluate them Seite 16

17 Activites you should joing OASIS Cyber Threat Intelligence (CTI) TC FIRST Information Exchange Policy SIG FIRST Traffic Light Protocol (TLP) SIG MISP Summit 02 Seite 17

18 Thomas Schreck Contact Details Siemens AG Thomas Schreck Principal Engineer Internet Seite 18