
1/18/2015

Navigating the maze of Cyber Security Intelligence and Analytics | Anything Connected

Anything Connected
Exploring connected technologies, trends, businesses and ecosystems
Posted by: Bhuvana Ramachandran
Posted on: December 30, 2014
Posted under: Security
Comments: 4 comments

Navigating the maze of Cyber Security Intelligence and Analytics
Quite recently, Mint reported that intelligence agencies of the three nations India, UK and US did not pull together all the strands gathered by their high-tech surveillance tools, which might have allowed them to disrupt the 2008 terror strike in Mumbai. Would data mining of the trove of raw information, along the lines of the US National Security Agency's PRISM electronic surveillance program, have helped in connecting the dots for the bigger picture to emerge? As leaked by Edward Snowden, NSA has been operating PRISM since 2007 to look for patterns across a wide range of data sources, spanning multiple gateways.
https://connectedtechnbiz.wordpress.com/2014/12/30/navigatingthemazeofcybersecurityintelligenceandanalytics/

1/23


PRISM's Big Data framework aggregates structured and unstructured data including phone call records, voice and video chat sessions, photographs, emails, documents, financial transactions, internet searches, social media exchanges and smartphone logs, to gain real-time insights that could help avert security threats.
In the business world, information compiled in a relatively recent Verizon Data Breach Investigations Report points out that data is stolen within hours in 60% of breaches, but goes undetected for months in 54% of overall breaches. With the mounting pace of attacks, and increasing IT attack surface due to the constant influx of new technologies such as cloud computing, BYOD and virtualization, CISOs are looking for real-time data analytics to improve threat defense through better controls, reliably detect an incident and quickly contain the breach before it inflicts an inordinate amount of damage, and also provide insight into the extent of data exfiltration to quantify damages and potentially remediate the situation, without aggravating security staff shortages already faced by most organizations.

(https://connectedtechnbiz.files.wordpress.com/2014/12/breachduration.jpg)
Figure: Time span of Breach Detection (Source: Verizon)


The era of big data security analytics is already upon us, with large organizations collecting and processing terabytes of internal and external security information. Internet businesses such as Amazon, Google, Netflix and Facebook, who have been experimenting with analytics since the early 2000s, might contend that Big Data is just an old technology in a new disguise. In the past, the ability to acquire and deploy high-performance computing systems was limited to large organizations with dire scaling needs. However, technological advances in the last decade, which have rapidly decreased the cost of compute and storage, increased the flexibility and cost-effectiveness of data centers and cloud computing for elastic computation and storage, and the development of new Big Data frameworks which allow users to take advantage of distributed computing systems storing large quantities of data through flexible parallel processing, together with major catalysts such as data growth and longer retention needs, have made it attractive and imperative for many different types of organizations to invest in Big Data Analytics.

How do traditional Security Analysis tools fare?
Over the decades, security vendors have progressively innovated on multiple aspects to (1) protect endpoints, networks, data centers, databases, content and other assets, (2) provide risk and vulnerability management that meets governance requirements, (3) ensure policy compliance with SOX, PCI, HIPAA, GLBA, DSS and other regulations, (4) offer identity/access/device management, while aiming (5) to provide a unified security management solution that allows for configuration of its security products, and offers visibility into Enterprise security through its reporting capability. While most individual security technologies have matured to the point of commoditization, security analysis remains a clumsy affair that requires many different tools (even in SIEM deployments, which I will elaborate on below), most of which do not interoperate due to the piecemeal approach of security innovation and multi-vendor security deployments.
Today, security analysts often rely on tools such as Log Management solutions and Security Information and Event Management (SIEM) systems for network security event monitoring, user monitoring and compliance reporting, both of which focus primarily on the collection, aggregation and analysis of real-time logs from network devices, operating systems, and applications. These tools allow for parsing and search of log data for trends, anomalies and other relevant information for forensics, though SIEMs are deemed to be more effective for forensics given their event reduction capability.
Log Management solutions from a few prominent vendors are AlienVault USM, Alert Logic Log Manager, McAfee Enterprise Log Manager, LogRhythm, HP ArcSight ESM, Splunk, SolarWinds Log & Event Manager, Tenable Log Correlation Engine, ElasticSearch ELK, SawMill, Assuria Log Manager, BlackStratus Log Storm and EiQ Networks SecureVue. You'll find a more complete list along with details on these offerings here (http://blog.profitbricks.com/top47logmanagementtools/).

Let me now elaborate on how Log Management & SIEM solutions differ, and point out a few misgivings of SIEM solutions (apart from their price, of course).
While a SIEM solution is a specialized tool for information security, it is certainly not a subset of Log Management. Beyond log management, SIEMs use correlation for real-time analysis through event reduction, prioritization, and real-time alerting, by providing specific workflows to address security breaches as they occur. Another key feature of SIEM is the incorporation of non-event-based data, such as vulnerability scanning reports, for correlation analysis. Let me decipher these features unique to SIEMs.
Quite plainly, correlation is to look for common attributes and link events together into meaningful categories. Data correlation of real-time and historical events allows for identification of meaningful security events among massive amounts of raw event data, with context information about users, assets, threats and vulnerabilities. Multiple forms of event correlation are available, e.g. a known threat described by correlation rules, abnormal behavior in case of deviation from a baseline, statistical anomalies, and advanced correlation algorithms such as case-based reasoning, graph-based reasoning and cluster analysis for predictive analytics. In the simplest case, rules in a SIEM are represented as rule-based reasoning (RBR) and contain a set of conditions, triggers, counters and an action script. The effectiveness of SIEM systems can vary widely based on the correlation methods that are supported. With SIEMs, unlike in IDSs, it is possible to specify a general description of symptoms and use baseline statistics to monitor deviations from the common behavior of systems and traffic.
Prioritization involves highlighting important security events over less critical ones based on correlation rules, or through inputs from vulnerability scanning reports which identify assets with known vulnerabilities given their software version and configuration parameters. With information about any vulnerability and asset severity, SIEMs can identify the vulnerability that has been exploited in case of abnormal behavior, and prioritize incidents in accordance with their severity, to reduce false positives.
Alerting involves automated analysis of correlated events and production of alerts, based on configured event thresholds for incident management. This is usually seen as the primary task of a SIEM solution that differentiates it from a plain Log Management solution.
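As an added illustration (not code from this post or from any SIEM product), here is the simplest rule-based-reasoning form just described: a condition, a counter with a threshold and time window as the trigger, an action that emits an alert, and a prioritization step that uses vulnerability-scan context. The sshd log lines, the asset data and the rule itself are constructed for this example.

```python
"""Minimal SIEM-style correlation: one rule in the rule-based-reasoning (RBR) form
described above (condition, counter with a threshold and time window as trigger,
action), followed by prioritization from vulnerability-scan context.
Hypothetical code for illustration; log lines and asset data are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed syslog-like sshd events: five failures then a success from one source
# against web01, and two slow failures against db01 that should not trigger.
SAMPLE_LOGS = """\
2014-12-30T10:00:01 host=web01 sshd: Failed password for admin from 198.51.100.7
2014-12-30T10:00:04 host=web01 sshd: Failed password for admin from 198.51.100.7
2014-12-30T10:00:09 host=web01 sshd: Failed password for root from 198.51.100.7
2014-12-30T10:00:15 host=web01 sshd: Failed password for admin from 198.51.100.7
2014-12-30T10:00:20 host=web01 sshd: Failed password for admin from 198.51.100.7
2014-12-30T10:00:31 host=web01 sshd: Accepted password for admin from 198.51.100.7
2014-12-30T10:05:00 host=db01 sshd: Failed password for backup from 203.0.113.9
2014-12-30T10:09:00 host=db01 sshd: Failed password for backup from 203.0.113.9
"""

# Constructed vulnerability-scan context (the non-event data a SIEM correlates with):
# asset criticality 1-5 and placeholder open findings per host.
ASSET_CONTEXT = {
    "web01": {"criticality": 3, "vulns": ["scan-finding-placeholder"]},
    "db01": {"criticality": 5, "vulns": []},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) sshd: (?P<result>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse_line(line):
    """Normalize one raw log line into an event dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


class BruteForceThenSuccessRule:
    """Condition: failed logins from one source to one host.
    Trigger: the counter reaches `threshold` inside a sliding `window_s` window,
    and a successful login from the same source follows.
    Action: emit an alert dict."""

    def __init__(self, threshold=5, window_s=60):
        self.threshold = threshold
        self.window_s = window_s
        self.counters = defaultdict(deque)  # (src, host) -> failure timestamps
        self.primed = set()                 # keys whose counter hit the threshold

    def feed(self, ev):
        key = (ev["src"], ev["host"])
        q = self.counters[key]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            # the counter only covers failures still inside the window
            while q and (ev["ts"] - q[0]).total_seconds() > self.window_s:
                q.popleft()
            if len(q) >= self.threshold:
                self.primed.add(key)
        elif ev["result"] == "Accepted" and key in self.primed:
            self.primed.discard(key)
            return self.action(ev, len(q))
        return None

    def action(self, ev, failures):
        return {"rule": "brute_force_then_success", "host": ev["host"],
                "src": ev["src"], "user": ev["user"], "failures": failures}


def prioritize(alert, context):
    """Raise priority for critical assets and again when the scan shows open findings."""
    asset = context.get(alert["host"], {"criticality": 1, "vulns": []})
    score = asset["criticality"] * (2 if asset["vulns"] else 1)
    return dict(alert, priority=score, related_vulns=list(asset["vulns"]))


def run(logs=SAMPLE_LOGS, context=ASSET_CONTEXT):
    """Feed every parsed event through the rule and prioritize whatever it raises."""
    rule = BruteForceThenSuccessRule()
    alerts = []
    for line in logs.splitlines():
        ev = parse_line(line)
        if ev is not None:
            alert = rule.feed(ev)
            if alert:
                alerts.append(prioritize(alert, context))
    return alerts


if __name__ == "__main__":
    for a in run():
        print(a)
```

The db01 failures never fire because the sliding window drops the first one before the second arrives, which is the event-reduction behaviour a static rule gives you for free.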
The below figure captures the complete list of SIEM capabilities.


(https://connectedtechnbiz.files.wordpress.com/2014/12/siemimagewp.jpg)
Figure: SIEM Capabilities (Source: ManageEngine.com)
SIEM solutions available in the market are IBM Security's QRadar, HP ArcSight, McAfee ESM, Splunk Enterprise, EMC RSA Security Analytics, NetIQ Sentinel, AlienVault USM, SolarWinds LEM, Tenable Network Security and Open Source SIM, which goes by the name of OSSIM. Here (http://www.gartner.com/technology/reprints.do?id=11W8AO4W&ct=140627&st=sb) is probably the best source of SIEM solutions out in the market, and how they rank.

Real-world challenges with SIEMs
SIEMs provide the framework for analyzing data, but they do not provide the intelligence to analyze that data sensibly and detect or prevent threats in real time. The intelligence has to be fed to the system by human operators in the form of correlation rules.
The correlation rules look for a sequence of events based on static rule definitions. There is no dynamic rule generation based on current conditions. So, it takes immense effort to make and keep it useful. The need for qualified experts, who can configure and update these systems, increases the cost of its maintenance, even if we were to assume that such expertise is widely available in the industry.
SIEMs throw up a lot of false notifications when correlation rules are used initially, which prompts customers to even disable these detection mechanisms. SIEMs need to run advanced correlation algorithms using well-written, specific correlation rules to reduce false positives. The sophistication of these algorithms also determines the capability to detect zero-day threats, which hasn't been the forte of SIEM solutions in the market.
In spite of these challenges, a market does exist for these traditional tools, as both SIEM and Log Management play an important role in addressing organizational governance and compliance requirements, related to data retention for extended periods or incident reporting. So, these solutions are here to stay, and be in demand at least by firms in specific industry verticals and business functions. Also, SIEM vendors have been exploring adjacent product categories, the ones I will cover below, to tackle the needs of the ever-so-dynamic threat landscape.

Is Security Analytics a panacea for security woes?
With the current threat landscape increasingly featuring Advanced Persistent Threats (APTs), security professionals need intelligence-driven tools that are highly automated to discover meaningful patterns and deliver the highest level of security. And there we have all the key ingredients that make up a Security Analytics solution!
First off, Security Analytics (SA) is not a replacement for traditional security controls such as NGFW, IDS, IPS, AV, AMP, DLP or even SIEMs and other existing solutions, but can make them work better, by reconfiguring security controls based on SA outcome. For all of it to come together, and a deeper truth on potential threats and current intrusions to emerge through Security Analytics, threat intelligence needs to be fused from multiple internal and external sources. Various levels of Indicators of Compromise (IOCs) need to be understood to capture earlier neglected artifacts and correlate behavior to detect potential threats and zero-day attacks, as traditional signature-based approaches are no longer sufficient.
While use of Big Data technologies might be fundamental to any implementation of predictive analytics based on data science, it is not a sufficient condition to attain nirvana in the Security Analytics world. After wading through Big Data material, I've decided to keep it out of this discussion, as it doesn't help define the essence of SA. One could as well scale up a SIEM or Log Management solution in a Big Data framework.


Now that you have a rough idea about the scope of this blog post, let me deep dive into various SA technical approaches, introduce the concepts of Threat Intelligence, IOCs and related standardization efforts, and finally present a Security Analytics architectural framework that could tie all of these together.

How have vendors implemented Security Analytics?
With Gartner yet to acknowledge that a market exists for Security Analytics (its consultants seem to be good with Threat Intelligence Management Platforms (TIMP)), I chose to be guided by the list of Companies Mentioned here (http://www.researchandmarkets.com/reports/2629347/security_analytics_market_by_types_network) by ResearchAndMarkets, and additionally explored dominant security players (Palo Alto Networks, Fortinet) who were missing in this list, to check if there is anything promising cooking in this space. And, here is what I found. Less than a handful of these vendors have ventured into predictive analytics and self-learning systems, using advanced data science. Most others in the market offer enhanced SIEM and unified cyber forensic solutions that can consume threat intelligence feeds and/or operate on L2-L7 captures as a Security Analytics package, though it is certainly a step forward. The intent of this section is to offer a glimpse into technology developments in the Security Analytics space. I doubt that my research was exhaustive [as I mostly found product pitches online that promise the world to potential undiscerning customers], and would be glad to make the picture a little more complete, if you could educate me on what is going on in your firm in this space, if I've missed any game changer!
All SA products consume and manage data in some manner, be they log data, file data, full network packet captures, and/or behavioral data from systems or networks, by integrating with other security devices and solutions in the deployment. However, there must be intelligence in the system that helps render those data into something useful. Vendors have implemented this intelligence into SA via deep inspection of L2-L7 exchanges, anomaly sensors to spot behavior deviations, the diamond model of intrusion analysis, game theory and/or advanced machine learning algorithms, potentially based on Campaigns, which is a collection of data, intelligence, incidents, events or attacks that all share some common criteria and can be used to track the attacker or attack tactic [sic] [I'm going to wait for this concept to evolve and become commonplace, before I remark on this]. I've used sample vendor offerings to elaborate on each of these SA implementation approaches. I've come across categorization of SA offerings as data analyzers vs. behavior analyzers, but I view these as building blocks for SA and not alternative solutions.
Deep data inspection: Solera Networks' DeepSee platform (now acquired by BlueCoat) offers an advanced cyber forensics solution that reconstructs and analyzes L2-L7 data streams (captured by integrating with industry-standard and leading security vendor offerings for routers, switches, next-gen firewalls, IPSs, SIEMs et al) for application classification and metadata extraction, indexed storage and analysis, to provide accurate visibility into activities, applications and personas on the network. It is built on the premise that full visibility, context and content are critical to react to security incidents in real time or back in time. I scoured the net to understand how it detects a breach (beyond what a scaled-up SIEM can do with similar stream captures and batch data stores) and thus goes beyond Cyber Forensics, but didn't find any material. CyberTap Security's (acquired by IBM) Recon boasts of a similar solution with the ability to reassemble captured network data to its original form, be they documents, web pages, pictures, mails, chat sessions, VOIP sessions or social media exchanges.
Behavioral anomaly sensors: With APT attacks consisting of multiple stages (intrusion, command and control communication, lateral movement, data exfiltration, cover tracks and persist [the below figure has further details on the APT lifecycle]), each action by the attacker provides an opportunity to detect behavioral deviations from the norm. Correlating these seemingly independent events can reveal evidence of the intrusion, exposing stealthy attacks that could not be identified through other methods. These detectors of behavioral deviations are referred to as anomaly sensors, with each sensor examining one aspect of the host's or user's activities within an enterprise's network. Interset and PFP Cybersecurity are among the limited vendors who've built threat detection systems based on behavioral analytics, as reported here (http://www.businesswire.com/news/home/20141103005989/en/SecurityInnovationNetworkSINETAnnounces2014Top#.VKKNdF4AKA).


(https://connectedtechnbiz.files.wordpress.com/2014/12/sophosaptlifecycle1.png)
Figure: Lifecycle of Advanced Persistent Threats (Source: Sophos)
Cognitive Security (http://gdusil.files.wordpress.com/2013/03/portfoliocognitivesecuritycorporateintroduction121.pptx) (a research firm funded by the US Army, Navy and Air Force, now acquired by Cisco) stands out as it relies on advanced statistical modeling and machine learning to independently identify new threats, continuously learn what it sees, and adapt over time. This is a good solution to deep dive into, to understand how far any vendor has ventured into Security Analytics. It offers a suite of solutions that offer protection through the use of Network Behavior Analysis (NBA) and a multi-stage Anomaly Detection (AD) methodology, by implementing the Cooperative Adaptive Mechanism for Network Protection (CAMNEP) algorithm for trust modeling and reputation handling. It employs Game Theory principles to ensure that hackers cannot predict or manipulate the system's outcome, and compares current data with historical assessments called trust models to maintain a highly sensitive and low-false-positive detection engine. This platform utilizes standard NetFlow/IPFIX data and is said to deploy algorithms such as MINDS, Xu et al., Volume prediction, Entropy prediction and TAPS. It does not require supplementary information such as application data or user content, and so ensures user data privacy and data protection throughout the security monitoring process.

To reiterate, this is a passive, self-monitoring and self-adapting system that complements existing security infrastructure. Cylance, among SINET's Top 16 emerging Cybersecurity companies of 2014 as reported here (http://www.businesswire.com/news/home/20141103005989/en/SecurityInnovationNetworkSINETAnnounces2014Top#.VKKNdF4AKA), seems to have also made some headway in this artificial-intelligence-based SA approach.
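The following is an added example and not Cognitive Security's, Cylance's or any other vendor's code: two simple NetFlow-style anomaly sensors, a per-source byte-volume deviation and a destination-port entropy deviation (simplified stand-ins for the volume- and entropy-prediction methods named above, which is an assumption about what those methods do), whose outputs are combined into a per-source trust score. The flow records are constructed so that one host adds a large transfer and another a low-volume port sweep in the interval being scored.

```python
"""Two NetFlow-style anomaly sensors (per-source traffic volume and destination-port
entropy) combined into a per-source trust score. Simplified illustration of the
network behavior analysis idea above, not any vendor's algorithm; flow records are
constructed so that intervals 0-3 form the baseline and interval 4 is scored."""
import math
from collections import Counter, defaultdict

# Constructed bytes per flow to each of two servers, per interval, with normal jitter.
BASELINE = {
    "10.0.0.5": [12000, 12500, 11800, 12200, 12100],  # steady web client
    "10.0.0.7": [3000, 3300, 2900, 3100, 3000],       # adds one large transfer in interval 4
    "10.0.0.9": [5000, 5600, 4800, 5400, 5100],       # adds a low-volume port sweep in interval 4
}
SERVERS = ("10.0.0.20", "10.0.0.21")


def build_flows():
    """Return (interval, src, dst, dport, bytes) records: baseline plus two anomalies."""
    flows = []
    for src, per_interval in BASELINE.items():
        for interval, nbytes in enumerate(per_interval):
            for dst in SERVERS:
                flows.append((interval, src, dst, 443, nbytes))
    flows.append((4, "10.0.0.7", "10.0.0.21", 443, 500_000))   # exfiltration-like burst
    for port in range(20, 60):                                  # 40 tiny probe flows
        flows.append((4, "10.0.0.9", "10.0.0.30", port, 40))
    return flows


FLOWS = build_flows()


def per_interval_features(flows):
    """Aggregate flows into byte volume and destination-port entropy per (interval, src)."""
    volume = defaultdict(int)
    ports = defaultdict(Counter)
    for interval, src, _dst, dport, nbytes in flows:
        volume[(interval, src)] += nbytes
        ports[(interval, src)][dport] += 1
    entropy = {}
    for key, cnt in ports.items():
        total = sum(cnt.values())
        entropy[key] = -sum(c / total * math.log2(c / total) for c in cnt.values())
    return volume, entropy


def zscore(history, value, floor=0.1):
    """Deviation of `value` from the baseline in standard deviations.
    `floor` keeps a perfectly stable baseline (std 0) from dividing by zero."""
    mean = sum(history) / len(history)
    std = math.sqrt(sum((h - mean) ** 2 for h in history) / len(history))
    return (value - mean) / max(std, floor)


def score_sources(flows, current, threshold=3.0):
    """Run both sensors for interval `current` against earlier intervals and combine
    them into a trust score (1.0 = fully trusted, minus 0.5 per sensor that fires)."""
    volume, entropy = per_interval_features(flows)
    results = {}
    for src in sorted({s for (_i, s) in volume}):
        hist_v = [volume[(i, src)] for i in range(current) if (i, src) in volume]
        hist_e = [entropy[(i, src)] for i in range(current) if (i, src) in entropy]
        if not hist_v:
            continue  # no baseline yet for this source
        zv = zscore(hist_v, volume.get((current, src), 0))
        ze = zscore(hist_e, entropy.get((current, src), 0.0))
        fired = [name for name, z in (("volume", zv), ("port_entropy", ze))
                 if abs(z) > threshold]
        results[src] = {"volume_z": round(zv, 2), "entropy_z": round(ze, 2),
                        "sensors": fired, "trust": 1.0 - 0.5 * len(fired)}
    return results


if __name__ == "__main__":
    for src, r in score_sources(FLOWS, current=4).items():
        print(src, r)
```

The sweep from 10.0.0.9 stays under the volume threshold and is caught only by the entropy sensor, while the burst from 10.0.0.7 is caught only by the volume sensor, which is why combining several narrow sensors matters.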

Zipping past A to Z of Threat Intelligence
Definition: Here is how Gartner defines Cyber Threat Intelligence (CTI) or Threat Intelligence (TI): "Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."
How does TI help? Clearly, TI is not just indicators, and can be gathered by human analysts or automated systems, and from internal or external sources. Such TI could help identify misuse of any corporate assets (say as botnets), detect data exfiltration and prevent leakage of further sensitive information, spot compromised systems that communicate with C2 (i.e. Command and Control, aka CnC) servers hosted by malicious actors, detect targeted and persistent threats missed by other defenses and ultimately initiate remediation steps, or most optimistically stop the attacker in his tracks.
How to gather TI? A reliable source of TI is one's own network: information from security tools such as firewalls, IPS et al, network monitoring and forensics tools, malware analysis through sandboxing and other detailed manual investigations of actual attacks. Additionally, it can be gleaned through server and client honeypots, spam and phishing email traps, monitoring hacker forums and social networks, Tor usage monitoring, crawling for malware and exploit code, and open collaboration with research communities and within the industry for historical information and prediction based on known vulnerabilities.
TI external sources could either be (a) open source or commercial, and (b) service or feed providers. These providers could also differ on how they glean raw security data or threat intelligence, as categorized below:
Those who have a large installed base of security or networking tools and can collect data directly from customers, anonymize it, and deliver it as threat intelligence based on real attack data. E.g. Blue Coat, McAfee Threat Intelligence, Symantec DeepSight, Dell SecureWorks, Palo Alto WildFire, AlienVault OTX.
Those who rely heavily on network monitoring to understand attack data. These providers have access to monitoring tools that sit directly on the largest internet backbones or in the busiest data centers, and so they are able to see a wide range of attack data as it flows from source to destination. E.g. Verisign iDefense, Norse IPViking/Darklist, Verizon.
A few intelligence providers focus on the adversary, track what different attack groups are doing and closely monitor their campaigns and infrastructure. This type of intelligence can be invaluable because adversary-focused intelligence can be proactive: knowing that a group is about to launch an attack allows their customers to prepare before the attack is launched. Examples of these TI service providers, who focus on manual intelligence gathering by employing human security experts, are iSIGHT Partners, FireEye Mandiant and CrowdStrike.
Open source intelligence providers, who typically crowdsource. The best open source TI providers typically focus on a given threat type or malware family. E.g. Abuse.ch, which tracks C2 servers for Zeus, SpyEye and Palevo malware while combining domain name blocklists. Other good open sources of TI are Blocklist.de, Emerging Threats and Spamhaus. ThreatStream OPTIC intelligence is community-vetted but not open source.
Academic/research communities such as Information Sharing and Analysis Centers (ISACs), Research and Education Networking (REN) ISAC, and the Defense Industrial Base Collaborative Information Sharing Environment (DCSIE).
Other TI sources of manual/cloud feeds include malware data from VirusTotal, Malwr.com, VirusShare.com and ThreatExpert; the National Vulnerability Database; Tor, which provides a list of Tor (http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29) node IP addresses; and others such as OSINT, SANS, CVEs, CWEs, OSVDB and OpenDNS. A few other commercial vendors include Vorstack, CyberUnited, Team Cymru and Recorded Future.

Indicators of Compromise: The Basics
Indicators of Compromise, aka IOC, denote any forensic artifact or remnant of an intrusion that can be identified on a host or network, with the term artifact in the definition allowing for observational error. Indicators could take the form of IP addresses of C2 servers, domain names, URLs, registry settings, email addresses, HTTP user agent, file mutex, file hashes, compile times, file size, name, path locations etc. Different types of indicators can be combined together in one IOC [as illustrated in the below figure].


(https://connectedtechnbiz.files.wordpress.com/2014/12/whatsanindicatorcopy_11.png)
Figure: Indicators of Compromise aka IOC (Source: Mandiant.com)
The below pyramid stacks up the various indicators one can use to detect an adversary's activities, and how much effort it would take for the adversary to pivot and continue with the planned attack when indicators at each of these levels are denied.


(https://connectedtechnbiz.files.wordpress.com/2014/12/threat_intelligence_pyramid_of_pain.png)
Figure: Pyramid of Pain with IOCs (Image Source: AlienVault)
Starting at the base of the pyramid, where the adversary's pain is the lowest if detected and denied, we have Hash Values such as SHA1 or MD5, which are often used to uniquely identify specific malwares or malicious files involved in an intrusion. The adversary could potentially change an insignificant bit and cause a different hash to be generated, thus making our earlier detected hash IOC ineffective, unless we move to fuzzy hashes.
Next up in the pyramid are IP addresses. These again might not take long for the adversaries to recover from, as they can change the IP address with little effort. If they were to use an anonymous proxy service like Tor, then this indicator has no effect on the adversary. In comparison, Domain Names are slightly harder to change than IP addresses as they must be registered and visible in the Internet, but still doable, though it might take a day or two for any adversary.
Looking at it from an IoC usage perspective in security deployments, the TTL of an IP address can be very low. Compromised hosts in legitimate networks could get patched, illicitly acquired hosting space might be turned off, malicious hosts are quickly identified and blocked, or the traffic might be blackholed by the ISP. An IP address may have a TTL of 2 weeks, while domains and file hashes would have significantly longer TTLs.


Typical examples of Network Artifacts are URI patterns, C2 information embedded in network protocols, and distinctive HTTP User-Agent or SMTP Mailer values. Host Artifacts could be registry keys or values known to be created by specific pieces of malware, files or directories dropped in certain places or using certain names, names or descriptions of malicious services, or almost anything else that is distinctive. Detecting an attack using network/host artifacts can have some negative impact on the adversary, as it requires them to expend effort to identify which artifact has revealed their approach, fix it and relaunch.
Further up in the pyramid, we have Tools, which would include utilities designed, say, to create malicious documents for spearphishing, backdoors used to establish C2 communication, or password crackers and other host-based utilities they might want to use after their successful intrusion. Some examples of tool indicators include AV or YARA signatures, network-aware tools with a distinctive communication protocol, and fuzzy hashes. If the tool used by adversaries has been detected and the hole has been plugged, they have to find or create a new tool for the same purpose, which halts their stride.
When we detect and respond to Tactics, Techniques and Procedures (TTPs), we operate at the level of the adversaries' behavior and tendencies. By denying them any TTP, we force them to do the most time-consuming thing possible: learn new behaviors. To quote a couple of examples: spearphishing with a trojaned PDF file or with a link to a malicious .SCR file disguised as a ZIP, and dumping cached authentication credentials and reusing them in Pass-the-Hash attacks, are TTPs.
There are a variety of ways of representing indicators, e.g. YARA signatures are usually used for identifying malicious executables, and Snort is used for identifying suspicious signatures in network traffic. Usually these formats specify not only ways to describe basic notions but also logical combinations using boolean operators. YARA is an open source tool used to create free-form signatures that can be used to tie indicators to actors, and allows security analysts to go beyond the simple indicators of IP addresses, domains and file hashes. YARA also helps identify commands generated by the C2 infrastructure.
Sharing IOCs across organizational boundaries will provide access to actionable security information that is often peer-group or industry-relevant, support an intelligence-driven security model in organizations, and force threat actors to change infrastructure more frequently and potentially slow them down.

Exchanging Threat Intelligence: Standards & Tools
Effective use of CTI is crucial to defend against malicious actors, and thus important to ensure an organization's security. To gain real value from this intelligence, it has to be delivered and used fairly quickly, if not in real time, as it has a finite shelf life, with threat actors migrating to new attack resources and methods on an ongoing basis. In the last couple of years, there has been increased effort to enable CTI management and sharing within trusted communities, through standards for encoding and transporting CTI.
Generally, indicator-based intelligence includes IP addresses, domains, URLs and file hashes. These are delivered as individual black lists or aggregated reports via emails or online portals, which are then manually examined and fed by analysts into the recipient organization's security infrastructure. In certain cases, scripts are written to bring in data from VirusTotal and other OSINT platforms directly into heuristic network monitors such as Bro.
Let me touch upon various CTI sharing standards (OpenIOC, the Mitre package (CybOX, STIX, TAXII), the MILE package (IODEF, IODEF-SCI, RID) and VERIS) that are aimed at doing away with the above TI sharing inefficiencies.
OpenIOC (http://www.openioc.org/) is an open source, extensible and machine-digestible format to store IOC definitions as an XML schema and share threat information within or across organizations. This standard provides the richest set of technical terms (over 500) for defining indicators and allows for nested logical structures, but is focused on tactical CTI. The standard was introduced and primarily used in Mandiant products, but can be extended by other organizations by creating and hosting an Indicator Term Document. There has been limited commercial adoption outside of Mandiant, with McAfee among the minority of vendors with products that can consume OpenIOC files. Mandiant IOC Editor, Mandiant IOC Finder and Redline are tools that can be used to work with OpenIOC.
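To tie together the IOC basics above (several indicator types combined in one IOC, and the short TTL of IP indicators compared with domains and hashes) and the nested logical structure OpenIOC allows, here is an added example that is not part of this post and not Mandiant's tooling: it parses a constructed OpenIOC-style definition and evaluates its AND/OR tree against constructed host artifacts, retiring any indicator term whose TTL has elapsed. The XML is modeled on the OpenIOC 1.0 layout (an assumption about the exact element names), the 14-day IP TTL is the figure quoted above, and the other TTL values, hashes, paths and addresses are constructed.

```python
"""Evaluate an OpenIOC-style indicator definition (nested AND/OR logic over indicator
items) against artifacts collected from one host, retiring indicator terms whose
time-to-live has elapsed. Illustrative code, not Mandiant's tooling: the XML is
modeled on the OpenIOC 1.0 layout; artifacts, hashes, names and addresses are constructed."""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

SAMPLE_IOC = """\
<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001"
     last-modified="2014-12-01T00:00:00">
  <short_description>Constructed: dropper hash OR (dropped path AND C2 domain) OR C2 IP</short_description>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="beacon">
        <IndicatorItem id="i2" condition="contains">
          <Context document="FileItem" search="FileItem/FullPath" type="mir"/>
          <Content type="string">\\AppData\\Roaming\\updater.exe</Content>
        </IndicatorItem>
        <IndicatorItem id="i3" condition="is">
          <Context document="Network" search="Network/DNS" type="mir"/>
          <Content type="string">example-c2.invalid</Content>
        </IndicatorItem>
      </Indicator>
      <IndicatorItem id="i4" condition="is">
        <Context document="Network" search="Network/IP" type="mir"/>
        <Content type="IP">192.0.2.10</Content>
      </IndicatorItem>
    </Indicator>
  </definition>
</ioc>
"""

# Time-to-live per indicator term, counted from the IOC's last-modified date. The
# 14-day figure for IPs is the one quoted in the post; the others are assumptions.
TTL_DAYS = {"Network/IP": 14, "Network/DNS": 90,
            "FileItem/Md5sum": 365, "FileItem/FullPath": 365}

# Constructed artifacts from one host, keyed by the same search terms the IOC uses.
HOST_ARTIFACTS = {
    "FileItem/Md5sum": ["ffffffffffffffffffffffffffffffff"],
    "FileItem/FullPath": ["C:\\Users\\alice\\AppData\\Roaming\\updater.exe"],
    "Network/DNS": ["example-c2.invalid", "update.example.com"],
    "Network/IP": ["192.0.2.10"],
}


def local(tag):
    """Strip the namespace so tag names compare regardless of the default xmlns."""
    return tag.rsplit("}", 1)[-1]


def child(node, name):
    """First direct child of `node` whose local tag name is `name`."""
    return next(c for c in node if local(c.tag) == name)


def item_matches(item, artifacts, expired):
    """One IndicatorItem: compare its Content with every artifact under its search term."""
    term = child(item, "Context").get("search")
    if term in expired:
        return False  # retired indicator: its TTL has elapsed, so it no longer counts
    wanted = (child(item, "Content").text or "").strip().lower()
    cond = item.get("condition")
    for value in artifacts.get(term, []):
        value = value.lower()
        if (cond == "is" and value == wanted) or (cond == "contains" and wanted in value):
            return True
    return False


def indicator_matches(node, artifacts, expired):
    """Recursive AND/OR over IndicatorItem leaves and nested Indicator groups."""
    results = []
    for c in node:
        if local(c.tag) == "IndicatorItem":
            results.append(item_matches(c, artifacts, expired))
        elif local(c.tag) == "Indicator":
            results.append(indicator_matches(c, artifacts, expired))
    if not results:
        return False
    return all(results) if node.get("operator", "AND").upper() == "AND" else any(results)


def evaluate(ioc_xml, artifacts, now_iso):
    """Return the IOC id, whether it matches the artifacts as of `now_iso`,
    and which indicator terms were retired by their TTL."""
    root = ET.fromstring(ioc_xml)
    now = datetime.fromisoformat(now_iso)
    modified = datetime.fromisoformat(root.get("last-modified"))
    expired = {t for t, days in TTL_DAYS.items() if now - modified > timedelta(days=days)}
    top = child(child(root, "definition"), "Indicator")
    return {"ioc": root.get("id"), "expired": sorted(expired),
            "match": indicator_matches(top, artifacts, expired)}


if __name__ == "__main__":
    print(evaluate(SAMPLE_IOC, HOST_ARTIFACTS, "2014-12-30T00:00:00"))
```

With only the C2 IP present on a host, the same IOC matches nine days after publication but not at 29 days, which is the practical effect of the short IP TTL discussed above.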
Mitre has developed three standards that are designed to work together and enable CTI sharing: Cyber Observable eXpression (CybOX), Structured Threat Information eXpression (STIX) and Trusted Automated eXchange of Indicator Information (TAXII). With STIX being accepted by industry leaders, STIX and TAXII are starting to see wide adoption. Common Attack Pattern Enumeration and Classification (CAPEC) and Malware Attribute Enumeration and Characterization (MAEC) are focused on attack patterns and malware analysis respectively.


(https://connectedtechnbiz.files.wordpress.com/2014/12/mitrethreatformats.png)
Figure: Threat Intelligence Formats in the Mitre Family (Source: Bit9.com)
CybOX (http://cybox.mitre.org/) provides the ability to automate sharing of security intelligence by defining 70 objects (e.g. file, mutex, HTTP session, network flow) that can be used to define measurable events or stateful properties (e.g. file hashes, IPs, HTTP GET, registry keys). Objects defined in CybOX can be used in higher-level schemas like STIX. While OpenIOC can effectively represent only CybOX objects, CybOX also understands the notion of events, which enables it to specify event order or elapsed time, and bring in the notion of behaviors.
STIX (https://stix.mitre.org/) was designed to additionally provide context for the threat being defined through observable patterns, and thus covers the full range of cyber threat information that can be shared. It uses XML to define threat-related constructs such as campaign, exploit target, incident, indicator, threat actor and TTP. In addition, extensions have been defined with other standards such as TLP, OpenIOC, Snort and YARA. The structured nature of the STIX architecture allows it to define relationships between constructs, e.g. the TTP used can be related to a specific threat actor.
TAXII (http://taxii.mitre.org/) provides a transport mechanism to exchange CTI in a secure and automated manner, through its support for confidentiality, integrity and attribution. It uses XML and HTTP for message content and transport, and allows for custom formats and protocols. It supports multiple sharing models, including variations of hub-and-spoke or peer-to-peer, and push or pull methods for CTI transfer.

Managed Incident Lightweight Exchange (MILE), an IETF group, works on the data format to define indicators and incidents, and on standards for exchanging data. This group has defined a package of standards for CTI which includes Incident Object Description and Exchange Format (IODEF), IODEF for Structured Cyber Security Information (IODEF-SCI), and Real-time Inter-network Defense (RID), which is used for communicating CTI over HTTP/TLS. IODEF is an XML-based standard used to share incident information by Computer Security Incident Response Teams (CSIRTs) and has seen some commercial adoption, e.g. from HP ArcSight. IODEF-SCI is an extension to the IODEF standard that adds support for attack pattern, platform information, vulnerability, weakness, countermeasure instruction, computer event log, and severity.

The Vocabulary for Event Recording and Incident Sharing (VERIS) framework from Verizon has been designed for sharing strategic information and an aggregate view of incidents, but is not considered to be a good fit for sharing tactical data.

Many vendors and open source communities have launched platforms to share TI, e.g. AlienVault's Open Threat Exchange (OTX), Collective Intelligence Framework (CIF) and IID's ActiveTrust. OTX is a publicly available sharing service of TI gleaned from OSSIM and AlienVault deployments. CIF is a client/server system for sharing TI, which is internally stored in IODEF format, and provides feeds or allows searches via CLI and RESTful APIs. CIF is capable of exporting CTI for specific security tools. The IID ActiveTrust platform is leveraged by government agencies and enterprises to confidently exchange TI and coordinate responses between organizations.
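To show what the IODEF format described above actually looks like, here is an added example written for this page (it is not the MILE group's, HP ArcSight's or CIF's code): it builds a minimal RFC 5070 IODEF-Document with Python's ElementTree, following the schema's element order, and reads the fields a CSIRT would act on back out. The namespace URI is the published IODEF 1.0 one; the CSIRT name, incident id, timestamp, description and addresses are constructed placeholders.

```python
"""Added example (not from the original post or from the MILE group):
build a minimal IODEF (RFC 5070) incident report and read it back."""
import xml.etree.ElementTree as ET

IODEF_NS = "urn:ietf:params:xml:ns:iodef-1.0"
ET.register_namespace("", IODEF_NS)  # serialize with a default namespace, not ns0:
NS = {"iodef": IODEF_NS}


def _el(parent, tag, text=None, **attrs):
    """SubElement helper that qualifies the tag with the IODEF namespace."""
    e = ET.SubElement(parent, f"{{{IODEF_NS}}}{tag}", attrs)
    if text is not None:
        e.text = text
    return e


def build_incident(incident_id, csirt, report_time, description,
                   impact_type, severity, sources, targets):
    """Return an IODEF-Document string; element order follows the RFC 5070 schema.
    sources/targets are lists of IPv4 addresses seen in the incident's Flow."""
    root = ET.Element(f"{{{IODEF_NS}}}IODEF-Document", {"version": "1.00", "lang": "en"})
    inc = _el(root, "Incident", purpose="reporting")
    _el(inc, "IncidentID", incident_id, name=csirt)   # name = issuing CSIRT
    _el(inc, "ReportTime", report_time)
    _el(inc, "Description", description)
    _el(_el(inc, "Assessment"), "Impact", type=impact_type, severity=severity)
    contact = _el(inc, "Contact", role="creator", type="organization")
    _el(contact, "ContactName", csirt)
    flow = _el(_el(inc, "EventData"), "Flow")
    for category, addrs in (("source", sources), ("target", targets)):
        node = _el(_el(flow, "System", category=category), "Node")
        for a in addrs:
            _el(node, "Address", a, category="ipv4-addr")
    return ET.tostring(root, encoding="unicode")


def parse_incident(xml_text):
    """Pull the fields a CSIRT would act on out of an IODEF document."""
    inc = ET.fromstring(xml_text).find("iodef:Incident", NS)
    iid = inc.find("iodef:IncidentID", NS)
    impact = inc.find("iodef:Assessment/iodef:Impact", NS)

    def addresses(category):
        path = (f"iodef:EventData/iodef:Flow/iodef:System[@category='{category}']"
                "/iodef:Node/iodef:Address")
        return [a.text for a in inc.iterfind(path, NS)]

    return {"id": iid.text, "csirt": iid.get("name"), "purpose": inc.get("purpose"),
            "impact": impact.get("type"), "severity": impact.get("severity"),
            "sources": addresses("source"), "targets": addresses("target")}


# Constructed sample incident: placeholder identifiers and documentation-range addresses.
SAMPLE_INCIDENT = build_incident(
    "2014-0042", "csirt.example.test", "2014-12-30T10:00:00+00:00",
    "Internal hosts beaconing to a known C2 address (constructed)",
    "admin", "high", ["203.0.113.7"], ["192.0.2.10", "192.0.2.11"])
```

The `Impact` type and severity values, the `Contact` role and the `Address` category are drawn from the enumerations RFC 5070 defines; a receiver such as CIF would index the source addresses as indicators and the IncidentID/name pair as the record's origin.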

Unifying Security Intelligence & Analytics: The OpenSOC framework

So, how do organizations use the Threat Intelligence that I've talked about at length? With Threat Intelligence coming in from a variety of sources and in multiple formats (even if each of these is standardized), a new solution being floated in the market is the Threat Intelligence Management Platform (TIMP) or Threat Management Platform (TMP), which is tasked to parse incoming intelligence and translate it into formats understood by various security solutions (e.g. malware IPs into NIDS signatures, email subjects into DLP rules, file hashes into ETDR/EPP/AV rules, Snort rules for IPS, blocklists and watchlists for SIEMs/AS, signatures for AV/AM, etc.), to make it suitable for dissemination. TI can also be uploaded into a SIEM for monitoring, correlation and alerting, or to augment any analysis with additional context data.
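The STIX/CybOX description earlier and the TIMP translation step just described fit together in one piece of code, so here is a single added example that serves both; it is not part of the original post and is not Mitre's or any vendor's tooling. It parses a constructed STIX 1.x package (placeholder ids, a placeholder hash and a documentation-range address), follows each indicator's CybOX observable and its Indicated_TTP reference so the IOC keeps its context, and then does the translation a TIMP performs: address indicators become Snort alert rules and file-hash indicators become a hash list for endpoint tools. The namespace URIs are the published STIX 1.x and CybOX 2.x ones; everything else is constructed.

```python
"""Added example: STIX 1.x package -> flat IOCs -> Snort rules / hash list."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Published STIX 1.x / CybOX 2.x namespaces used by the sample package.
NS = {
    "stix": "http://stix.mitre.org/stix-1",
    "stixCommon": "http://stix.mitre.org/common-1",
    "indicator": "http://stix.mitre.org/Indicator-2",
    "ttp": "http://stix.mitre.org/TTP-1",
    "cybox": "http://cybox.mitre.org/cybox-2",
    "cyboxCommon": "http://cybox.mitre.org/common-2",
    "FileObj": "http://cybox.mitre.org/objects#FileObject-2",
    "AddressObj": "http://cybox.mitre.org/objects#AddressObject-2",
}

# Constructed sample package: one TTP and two indicators that reference it.
# The hash and the address are placeholders, not real intelligence.
SAMPLE_STIX = """<stix:STIX_Package
  xmlns:stix="http://stix.mitre.org/stix-1" xmlns:stixCommon="http://stix.mitre.org/common-1"
  xmlns:indicator="http://stix.mitre.org/Indicator-2" xmlns:ttp="http://stix.mitre.org/TTP-1"
  xmlns:cybox="http://cybox.mitre.org/cybox-2" xmlns:cyboxCommon="http://cybox.mitre.org/common-2"
  xmlns:FileObj="http://cybox.mitre.org/objects#FileObject-2"
  xmlns:AddressObj="http://cybox.mitre.org/objects#AddressObject-2"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns:example="http://example.test/" id="example:package-1" version="1.1.1">
  <stix:Indicators>
    <stix:Indicator id="example:indicator-1" xsi:type="indicator:IndicatorType">
      <indicator:Title>Dropper file hash</indicator:Title>
      <indicator:Observable id="example:observable-1"><cybox:Object id="example:object-1">
        <cybox:Properties xsi:type="FileObj:FileObjectType">
          <FileObj:Hashes><cyboxCommon:Hash>
            <cyboxCommon:Type>MD5</cyboxCommon:Type>
            <cyboxCommon:Simple_Hash_Value>0123456789abcdef0123456789abcdef</cyboxCommon:Simple_Hash_Value>
          </cyboxCommon:Hash></FileObj:Hashes>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
      <indicator:Indicated_TTP><stixCommon:TTP idref="example:ttp-1"/></indicator:Indicated_TTP>
    </stix:Indicator>
    <stix:Indicator id="example:indicator-2" xsi:type="indicator:IndicatorType">
      <indicator:Title>C2 address</indicator:Title>
      <indicator:Observable id="example:observable-2"><cybox:Object id="example:object-2">
        <cybox:Properties xsi:type="AddressObj:AddressObjectType" category="ipv4-addr">
          <AddressObj:Address_Value>203.0.113.7</AddressObj:Address_Value>
        </cybox:Properties>
      </cybox:Object></indicator:Observable>
      <indicator:Indicated_TTP><stixCommon:TTP idref="example:ttp-1"/></indicator:Indicated_TTP>
    </stix:Indicator>
  </stix:Indicators>
  <stix:TTPs>
    <stix:TTP id="example:ttp-1" xsi:type="ttp:TTPType">
      <ttp:Title>Constructed dropper campaign</ttp:Title>
    </stix:TTP>
  </stix:TTPs>
</stix:STIX_Package>"""


@dataclass
class Ioc:
    ioc_type: str  # "md5", "sha256", "ipv4-addr", ...
    value: str
    title: str     # indicator title
    ttp: str       # title of the related TTP, "" if the indicator has none


def parse_stix(xml_text):
    """Walk Indicators -> Observable -> CybOX Object and flatten to Ioc records."""
    root = ET.fromstring(xml_text)
    # Resolve TTP idrefs to titles so each IOC carries its STIX context.
    ttps = {t.get("id"): t.findtext("ttp:Title", default="", namespaces=NS)
            for t in root.iterfind("stix:TTPs/stix:TTP", NS)}
    iocs = []
    for ind in root.iterfind("stix:Indicators/stix:Indicator", NS):
        title = ind.findtext("indicator:Title", default="", namespaces=NS)
        ref = ind.find("indicator:Indicated_TTP/stixCommon:TTP", NS)
        ttp = ttps.get(ref.get("idref"), "") if ref is not None else ""
        for props in ind.iterfind(".//cybox:Properties", NS):
            for h in props.iterfind("FileObj:Hashes/cyboxCommon:Hash", NS):
                htype = h.findtext("cyboxCommon:Type", default="", namespaces=NS)
                hval = h.findtext("cyboxCommon:Simple_Hash_Value", default="", namespaces=NS)
                iocs.append(Ioc(htype.strip().lower(), hval.strip().lower(), title, ttp))
            addr = props.findtext("AddressObj:Address_Value", namespaces=NS)
            if addr:
                iocs.append(Ioc(props.get("category", "ipv4-addr"), addr.strip(), title, ttp))
    return iocs


def to_snort_rules(iocs, base_sid=1000001):
    """Address indicators -> Snort alert rules (the 'malware IPs into NIDS signatures' step)."""
    rules = []
    for i in (x for x in iocs if x.ioc_type == "ipv4-addr"):
        msg = f"TI {i.title}" + (f" / {i.ttp}" if i.ttp else "")
        rules.append(f'alert ip $HOME_NET any -> {i.value} any '
                     f'(msg:"{msg}"; sid:{base_sid + len(rules)}; rev:1;)')
    return rules


def to_hash_blocklist(iocs):
    """Hash indicators -> '<hash>  <description>' lines for endpoint/AV tooling."""
    return [f"{i.value}  {i.title}" for i in iocs if i.ioc_type in ("md5", "sha1", "sha256")]
```

The object type is detected from the CybOX child elements present rather than from the `xsi:type` attribute, which keeps the parser tolerant of packages that omit it; a production TIMP would also carry the indicator's validity window and confidence into the generated rules so that stale IOCs can be retired.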
Now that I've tied up one dangling thread, what about Security Analytics? Having zoomed in early on in this blog post on what any SA operates on and how its output could better security controls in a deployment, I'll provide a 30,000-40,000 ft view (at cruising altitude?) this time around, by introducing OpenSOC (http://opensoc.github.io/), a unified data-driven security platform that combines data ingestion, storage and analytics.
(https://connectedtechnbiz.files.wordpress.com/2014/12/opensocframework.jpg)
Figure: OpenSOC framework

The OpenSOC (Open Security Operations Center) framework provides the building blocks for Security Analytics to (1) capture, store, normalize and link various internal security data in real time for forensics and remediation, (2) enrich, relate, validate and contextualize earlier processed data with threat intelligence and geolocation to create situational awareness and discover new threats in a timely manner, and (3) provide contextual real-time alerts, advanced search capabilities and full packet extraction tools, for a security engine that implements Predictive Modeling and Interactive Analytics.
The key to increasing the ability to detect, respond to and contain targeted attacks is a workflow and set of tools that allow threat information to be communicated across the enterprise at machine speed. With OpenSOC being an open source solution, any organization can customize the sources and amount of security telemetry information to be ingested from within or outside the enterprise, and also add incident detection tools to suit its tailored Incident Management and Response workflow.
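To show what steps (1) and (2) of the framework amount to in code, here is an added example that is not part of OpenSOC and does not use its APIs: a miniature pipeline that normalizes two constructed telemetry formats into one event schema, enriches each event with a constructed threat-intelligence set (the flattened output a TIMP would hand over) and a constructed geolocation table, links each hit to the other activity of the same internal host, and emits contextual alerts. The log lines, indicators and geolocation entries are all constructed, and the internal address ranges are assumed to be the RFC 1918 ones.

```python
"""Added example, not OpenSOC code: normalize -> enrich -> link -> alert."""
import ipaddress
import re
from collections import defaultdict

# Constructed raw telemetry in two formats (not real logs).
RAW_LOGS = [
    "2014-12-30T10:01:02Z fw01 ALLOW src=10.0.5.23 dst=203.0.113.7 dport=443 proto=tcp",
    "2014-12-30T10:01:05Z dns01 query client=10.0.5.23 qname=update.example.test",
    "2014-12-30T10:02:11Z fw01 ALLOW src=10.0.7.9 dst=198.51.100.40 dport=80 proto=tcp",
]
# Constructed threat intelligence, the flattened output a TIMP would hand over.
TI_IPS = {"203.0.113.7": "C2 address (constructed dropper campaign)"}
TI_DOMAINS = {"update.example.test": "dropper download domain (constructed)"}
# Constructed geolocation table keyed by prefix; a real deployment uses a GeoIP DB.
GEO = {ipaddress.ip_network("203.0.113.0/24"): "XX",
       ipaddress.ip_network("198.51.100.0/24"): "YY"}
# Assumed internal ranges (RFC 1918). Not ipaddress.is_private, which also
# flags the documentation ranges used for the external addresses above.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

FW_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                   r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query client=(?P<src>\S+) qname=(?P<qname>\S+)$")


def normalize(line):
    """Step (1): map a raw line onto one schema (ts, sensor, src, kind, key)."""
    m = FW_RE.match(line)
    if m:
        return {"ts": m["ts"], "sensor": m["host"], "src": m["src"],
                "kind": "flow", "key": m["dst"], "dport": int(m["dport"])}
    m = DNS_RE.match(line)
    if m:
        return {"ts": m["ts"], "sensor": m["host"], "src": m["src"],
                "kind": "dns", "key": m["qname"].lower()}
    return None  # unknown format: keep the raw line for forensics, skip analytics


def geolocate(ip):
    """Country code for an external address, 'internal' for our own ranges."""
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in INTERNAL):
        return "internal"
    return next((country for net, country in GEO.items() if addr in net), "unknown")


def enrich(event):
    """Step (2): attach threat-intelligence and geolocation context in place."""
    if event["kind"] == "flow":
        event["geo"] = geolocate(event["key"])
        event["ti"] = TI_IPS.get(event["key"])
    else:
        event["ti"] = TI_DOMAINS.get(event["key"])
    return event


def run_pipeline(lines):
    """Return (events, alerts). Each alert links the TI hit to the other
    activity of the same internal host, so the analyst sees the context."""
    events = [e for e in map(normalize, lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(enrich(e))
    alerts = [{"ts": e["ts"], "src": e["src"], "ioc": e["key"], "reason": e["ti"],
               "geo": e.get("geo"),
               "related": [o["key"] for o in by_src[e["src"]] if o is not e]}
              for e in events if e["ti"]]
    return events, alerts
```

The two alerts produced for the sample data both point at host 10.0.5.23 and each carries the other's indicator as related activity, which is the "link" and "contextualize" part of the framework: a single flow to a listed address is one signal, a flow plus a DNS lookup of a listed domain from the same host within seconds is a much stronger one.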
I've treaded on uncertain ground in navigating the product market for Security Analytics, given that it is still nascent and the product category isn't well delineated. I would welcome any views on this post, be they validating or contradicting mine.

4 thoughts on "Navigating the maze of Cyber Security Intelligence and Analytics"

1. Ron Broberg says:
January 10, 2015 at 1:14 am
Great overview, much appreciated. I've just begun exploring this space and this is a very useful introduction.

2. Pankaj says:
January 8, 2015 at 4:34 pm
It's a good representation of intelligence and how it connects with other security infrastructure. As this is a grey area and very immature, typically the majority of vendors have a say in threat intelligence, but application and effective usage is missing and providing not overly less protection from cyber attacks.

3. rweterings says:
December 31, 2014 at 4:49 pm
Great read!

4. Sashank Dara says:
December 31, 2014 at 11:06 am
Fantastic! You nailed it really well.
