Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach

Similar documents
How to Develop Key Performance Indicators for Security

Sneak Peak at CIS Critical Security Controls V 7 Release Date: March Presented by Kelli Tarala Principal Consultant Enclave Security

SECURITY TESTING. Towards a safer web world

CSWAE Certified Secure Web Application Engineer

Threat Hunting in Modern Networks. David Biser

Continuously Discover and Eliminate Security Risk in Production Apps

OWASP Top 10 The Ten Most Critical Web Application Security Risks

Application. Security. on line training. Academy. by Appsec Labs

Certified Secure Web Application Engineer

Security Solutions. Overview. Business Needs

OWASP Top David Caissy OWASP Los Angeles Chapter July 2017

Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

The SANS Institute Top 20 Critical Security Controls. Compliance Guide

BEST PRACTICES FOR SELECTING A WEB APPLICATION SCANNING (WAS) SOLUTION

The Top 6 WAF Essentials to Achieve Application Security Efficacy

"Charting the Course to Your Success!" Securing.Net Web Applications Lifecycle Course Summary

WHITEPAPER ATTIVO NETWORKS THREATDEFEND PLATFORM AND THE MITRE ATT&CK MATRIX

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES

Securing Your Web Application against security vulnerabilities. Alvin Wong, Brand Manager IBM Rational Software

Aguascalientes Local Chapter. Kickoff

ShiftLeft. Real-World Runtime Protection Benchmarking

Web Application Security. Philippe Bogaerts

Application Security Approach

VULNERABILITIES IN 2017 CODE ANALYSIS WEB APPLICATION AUTOMATED

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Symantec Ransomware Protection

Kishin Fatnani. Founder & Director K-Secure. Workshop : Application Security: Latest Trends by Cert-In, 30 th Jan, 2009

RiskSense Attack Surface Validation for Web Applications

OWASP Review. Amherst Security Group June 14, 2017 Robert Hurlbut.

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Development*Process*for*Secure* So2ware

PEACHTECH PEACH API SECURITY AUTOMATING API SECURITY TESTING. Peach.tech

Introductions. Jack Katie

Web Application Threats and Remediation. Terry Labach, IST Security Team

Penetration Testing following OWASP. Boyan Yanchev Chief Technology Ofcer Peter Dimkov IS Consultant

Copyright

Your Turn to Hack the OWASP Top 10!

TOP 10 IT SECURITY ACTIONS TO PROTECT INTERNET-CONNECTED NETWORKS AND INFORMATION

RiskSense Attack Surface Validation for IoT Systems

Defend Your Web Applications Against the OWASP Top 10 Security Risks. Speaker Name, Job Title

Security Communications and Awareness

Modern Realities of Securing Active Directory & the Need for AI

FIREWALL PROTECTION AND WHY DOES MY BUSINESS NEED IT?

How Breaches Really Happen

Simplifying Application Security and Compliance with the OWASP Top 10

Security Communications and Awareness

Students should have an understanding and a working knowledge in the following topics, or attend these courses as a pre-requisite:

90% of data breaches are caused by software vulnerabilities.

Hacker Academy Ltd COURSES CATALOGUE. Hacker Academy Ltd. LONDON UK

Dissecting Data Breaches. What Keeps Going Wrong?

The Value of Automated Penetration Testing White Paper

Transforming Security from Defense in Depth to Comprehensive Security Assurance

Meeting PCI DSS 3.2 Compliance with RiskSense Solutions

Managed Application Security trends and best practices in application security

THREAT MODELING IN SOCIAL NETWORKS. Molulaqhooa Maoyi Rotondwa Ratshidaho Sanele Macanda

EPRI Software Development 2016 Guide for Testing Your Software. Software Quality Assurance (SQA)

Presentation Overview

Mitigating Security Breaches in Retail Applications WHITE PAPER

CLOUD COMPUTING SECURITY THE SOFT SPOT Security by Application Development Quality Assurance

DEFENSIVE PROGRAMMING. Lecture for EDA 263 Magnus Almgren Department of Computer Science and Engineering Chalmers University of Technology

Advanced Ethical Hacking & Penetration Testing. Ethical Hacking

K12 Cybersecurity Roadmap

C1: Define Security Requirements

Automating the Top 20 CIS Critical Security Controls

Surprisingly Successful: What Really Works in Cyber Defense. John Pescatore, SANS

PCI DSS v3.2 Mapping 1.4. Kaspersky Endpoint Security. Kaspersky Enterprise Cybersecurity

Engineering Your Software For Attack

Top 20 Critical Security Controls (CSC) for Effective Cyber Defense. Christian Espinosa Alpine Security

Building Trust in the Internet of Things

Is Your Web Application Really Secure? Ken Graf, Watchfire

Guide to Network Defense and Countermeasures Second Edition. Chapter 2 Security Policy Design: Risk Analysis

OWASP TOP OWASP TOP

Un SOC avanzato per una efficace risposta al cybercrime

KEY FINDINGS INTERACTIVE GUIDE. Uncovering Hidden Threats within Encrypted Traffic

CloudSOC and Security.cloud for Microsoft Office 365

Copyright

OWASP Top David Johansson. Principal Consultant, Synopsys. Presentation material contributed by Andrew van der Stock

Will you be PCI DSS Compliant by September 2010?

CYBER SECURITY AND MITIGATING RISKS

W e b A p p l i c a t i o n S e c u r i t y : T h e D e v i l i s i n t h e D e t a i l s

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

6-Points Strategy to Get Your Application in Security Shape

Seth & Ken s Excellent Adventures in Secure Code Review. Training Course 17th & 18th of October. Table of Contents

Hacking by Numbers OWASP. The OWASP Foundation

Zero Trust on the Endpoint. Extending the Zero Trust Model from Network to Endpoint with Advanced Endpoint Protection


Designing and Building a Cybersecurity Program

Exploiting and Defending: Common Web Application Vulnerabilities

A Guide to Closing All Potential VDI Security Gaps

Application Security. Doug Ashbaugh CISSP, CISA, CSSLP. Solving the Software Quality Puzzle

You will discuss topics related to ethical hacking, information risks, and security techniques which hackers will seek to circumvent.

Garrison Technology HOW SECURE REMOTE BROWSING DELIVERS HIGH SECURITY EVEN FOR MAINSTREAM COMMERCIAL ORGANISATIONS

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 5 Host, Application, and Data Security

Large Scale Generation of Complex and Faulty PHP Test Cases

Web Applications Penetration Testing

RSA Enterprise Compromise Assessment Tool (ECAT) Date: January 2014 Authors: Jon Oltsik, Senior Principal Analyst and Tony Palmer, Senior Lab Analyst

Avoiding an Information Security Mismanagement Program through Fundamentals. Bill Curtis, SynerComm

Defense-in-Depth Against Malicious Software. Speaker name Title Group Microsoft Corporation

Transcription:

Using Open Tools to Convert Threat Intelligence into Practical Defenses A Practical Approach 2016 Presented by James Tarala (@isaudit) Principal Consultant Enclave Security

2 Historic Threat Hunting German U-boats

3 Historic Threat Hunting German U-boats (cont) Ships Attacked by German U-boats (1939-1945) 160 140 120 100 80 60 40 20 0

4 Historic Threat Hunting German U-boats (cont) Submarine threat hunters had access to defenses: Naval escorts / air cover Improved detection equipment Improved offensive weapons Improved training for hunters Submarine threat hunters had access to intelligence: RF traffic analysis Decrypted offensive communication https://www.quora.com/what-impact-did-the-breaking-of-the-enigma-code-have-on-german-submarine-warfare-in-the-atlantic?share=1

5 Historic vs. Modern Threat Hunting Successful organizations, regardless of the time period, combine the following for effective defense: An understanding of threat Layered preventive defenses Layered detective defenses Threat intelligence Intelligent hunters / operators

6 Problem Statements Unclear definitions of threat lead to unclear architectures for defense If we cannot agree what threats face our systems, how can we possibly agree on how best to defend ourselves? In information assurance today, there are no clear taxonomies for threat If we cannot understand threats, how can we possibly decide how best to defend ourselves?

7 Problem Statements (cont) Threat intelligence is great, but many, many organizations don t have the tools to utilize it effectively How can you block malicious hashes without a whitelisting tool? How can you detect IDS signatures without an IDS? How can you analyze network malware without packet captures? Knowledge of threat should lead to control selection Control selection provides an architecture for utilizing threat intelligence

8 Case Study: Mandiant APT1 Report In 2013 Mandiant released their APT1 report outlining the activities of a Chinese hacking team The report s appendix describes: 3,000 specific indicators of compromise Certificates (13) used during compromises Detailed descriptions of 40 malware families At the time of the report s release, the report was extremely popular in infosec circles But who used this information for defense? How?

9 A Model for Threat Intelligence Detecting Evil Threat Intelligence Implementing Controls Selecting Controls

10 Threat Definition Leads to Control Definition By defining threats we can understand those agents with the potential to cause harm to an organization By necessity, threat definition leads to control (countermeasure) definition If we can understand those things that can harm an organization (threats), we can identify controls to protect the organization from those threats becoming reality Therefore a better understanding of threat leads to the selection of better defenses for our organizations

11 Control Selection Example: Whitelisting Threat: Control: Consequence: TROJ_POSHCODER.A (Powershell Ransomware) Microsoft AppLocker (Whitelisting) Data Encryption / Loss Scenario: An organization is fearful that PowerShell ransomware will execute on their workstations and encrypt data on their systems The threat (malware) must be allowed to execute in order for the consequence to become reality Therefore the organization deploys application whitelisting to block the execution of unknown software code

12 Questions to Consider About Threat However, is there a point of diminishing returns when it comes to the knowledge of specific threats? Is more information truly useful when defending ourselves? Organizations should consider therefore: Does a taxonomy of threat agents influence control selection? Do we need to know specific threat agents? Does threat intelligence change control selection? Is a relatively comprehensive list of threats sufficient for control selection?

13 Case Study: Web Server Attacks OWASP Top Ten Web Threats 2013 A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards

14 Case Study: Web Server Attacks (cont) 18,000 16,000 14,000 12,000 10,000 8,000 6,000 4,000 2,000 0 OWASP Top Ten Web Threats 2013 Observed Attacks A1-Injection A3-Cross-Site Scripting (XSS) A5-Security Misconfiguration A7-Missing Function Level Access Control A9-Using Components with Known Vulnerabilities A2-Broken Authentication and Session Management A4-Insecure Direct Object References A6-Sensitive Data Exposure A8-Cross-Site Request Forgery (CSRF) A10-Unvalidated Redirects and Forwards

15 Case Study: Web Server Attacks (cont) OWASP Top Ten Web Threats 2013 0 2,000 4,000 6,000 8,000 10,000 12,000 14,000 16,000 18,000 20,000 A1-Injection A2-Broken Authentication and Session Management A3-Cross-Site Scripting (XSS) A4-Insecure Direct Object References A5-Security Misconfiguration A6-Sensitive Data Exposure A7-Missing Function Level Access Control A8-Cross-Site Request Forgery (CSRF) A9-Using Components with Known Vulnerabilities A10-Unvalidated Redirects and Forwards ACME Corp 2014 Observed Attacks ACME Corp 2015 Observed Attacks

16 Case Study: Web Server Attacks (cont) In light of the data observed, let s answer the following questions: Should this organization implement a web application firewall? Should this organization scan their applications for vulnerabilities? Do you believe the organization s defenses should change in light of what has been observed? Is the threat data useful when determining which controls to implement? How heavily should an organization value likelihood scores when measuring risk?

17 Case Study: Web Server Attacks (cont) So what can we learn in light of this discussion? Although attack frequencies may vary, if an attack exists controls need to be considered to defend against the attack Not implementing controls for known threats represent risk Just because a risk is lower, it does not mean an organization is safe if they choose not to implement sufficient controls Documented prioritizations are not a valid defense

18 What s Really Our Goal? http://threatbutt.com/map

19 A Proposed Solution 1. Organizations who understand threat should share what they know 2. The community should work together to classify threats to information systems 3. A comprehensive threat taxonomy should be agreed upon 4. The threat taxonomy should be used to define & prioritize defensive controls 5. Organizations should implement those prioritized controls 6. Implemented controls paired with threat intelligence can be used to detect specific attacks But what if most organizations could simply skip to step five? What if organizations aren t special snowflakes?

20 But What is a Threat? In 2015-2016, security vendors listed each of the following as a threat: Iranian Hackers Linked to the Islamic Revolutionary Guard Corps Chinese Hackers Linked to the People s Liberation Army Crimeware Exploit Toolkits Ransomware Point of Sale Systems The Internet of Things Encrypted Data Communications Lost or Stolen Laptops

21 The Behavior of Threat Threat agents perform threat actions against threat targets in order to cause threat consequences.

22 Components of Threats Agents Actions Targets Consequences

23 Proposed Solutions An Open Source Threat Taxonomy & Control Definition Organizations need to benefit of community knowledge of threats to help them determine how best to defend themselves The community should be able to create: A common list of identified threats Rankings of identified threats based on industry wide research This should naturally lead to a common control model for defense Organizations are not that special, threats are more common than we think

24 The Open Threat Taxonomy (OTT) Maintained by a community group of volunteers, 150+ organizations have contributed so far One of the latest efforts is the release of a community threat model, the Open Threat Taxonomy (v1.2), which will be used to document and prioritize threats OTT will be used to define threats to define controls Will help standardize risk assessments, make one less paperwork step for organizations to complete

25 Goals of the Project To maintain an open-source taxonomy of threats to information systems. Specifically we will define: Categories of Threats A Hierarchy of Threats Specific Threat Inventory / Taxonomy Provide documentation to promote a common language The project will focus on threat only not vulnerability or risk Practicality, not academics, is driving the effort

26 Relevant Industry Research Numerous Industry Threat Reports (Verizon, Microsoft, Symantec, Sophos, etc.) MITRE CAPECs OWASP WASCs ENISA Threat Taxonomy NIST 800-30 (rev1) CMUSEI Taxonomy of Operational Risk Cambridge Centre for Risk Studies General Motors Concentric Vulnerability Map Treasury Board of Canada - Guide to Risk Taxonomies

27 Threat Agent Catalog Nation States Criminal Groups Corporate Competitors Hacktivists Mischievous Individuals Malicious Insiders Unintentional Humans Well-intentioned Insiders Mother Nature

28 High Level Threats Defined Physical Resource Threats Personnel Technical

29 Mappings to Threat Reports With the definition of a common model / taxonomy, we can create mappings to both control models and threat reports that are released Threat reports can fuel the threat taxonomy and map to the taxonomy Most reports are not all that different, and are poor at defining terms By mapping threat reports to a taxonomy we can bring clarity By mapping the taxonomy to control models, we can identify gaps in control models and places where additional controls make sense

30 Community Based Risk Assessment Community based threat taxonomies lead to community based risk assessment methodologies The creation of a practical threat taxonomy is the first step in the creation of a practical risk assessment methodology There is no reason every organization should have to develop a methodology on their own Let s collaborate on the entire process and begin to build consensus This will leave us free to focus on what is important actually trying to stop the threat from becoming a reality

31 Future of the Critical Security Controls The next version of the Critical Security Controls is being collaborated on as we speak (an upcoming release is in development) The Critical Security Controls (vnext) we hope will be based upon a common threat model such as this By agreeing on threats we can ensure: We have consensus on the problem We have a common language for discussion We don t have glaring gaps in the control model

32 Freely Available Tools Free, open tools are available to help any organization defend itself: Threat models / taxonomies Preventive defenses Detective defenses Threat intelligence The research is done, it s time for us to act Quit whining, act like a man, defend yourself. Ret. Gen. Michael Hayden, Blackhat 2010

33 Next Steps - How Can You Help? We are still looking for people willing to contribute to these projects Although the skeleton has been created, this will be an ongoing effort We are currently updating the OTT: Finalizing categories of threat agents Finalizing categories of threat consequences Reviewing weights / likelihoods for each threat Continuing to refine the lists of threat actions Interested in helping? Drop me a note.

34 Further Questions James Tarala Principal Consultant & Founder, Enclave Security E-mail: james.tarala@enclavesecurity.com Twitter: @isaudit Website: http://www.auditscripts.com/ Resources for further study: AuditScripts.com Audit Resources SANS SEC 566: Implementing and Auditing the Critical Security Controls Center for Internet Security (CIS) Resources

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback