Operationalizing Cyber Risks and Threats: Power Context and Combat Attacks to Your Environment

After you have watched this webinar, please feel free to contact us with any questions you may have at general@anomali.com.
This joint webinar from Digital Shadows and Anomali discusses how organizations can operationalize cyber risks and threats to improve context and proactively combat cyber attacks.
Transcript
XUE YIN PEH: Thanks, Anissa.
Good morning to everyone, and thank you for joining.
I am Xue from Digital Shadows, and today I'll be talking about operationalizing cyber risk and threat, and how both Digital Shadows and Anomali can help make threat intelligence work for your organization.
So by way of introduction, Digital Shadows is recognized as the market leader in digital risk management.
We were founded around 10 years ago, are based in the UK with global headquarters in the UK and the US, and have offices and customers around the world.
And we have a stellar reputation in the digital risk management space.
So let's have a look at the state of cyber threat intelligence today.
We're increasingly connected, that's for sure.
And for several years we've been talking about the fact that the perimeter doesn't exist anymore.
And you can no longer protect the castle walls.
So you can see here that your data, employee and brand, they're everywhere.
They're on social media, online code repositories, paste sites, app stores, internet-facing devices.
All of these things just means that it's not just one perimeter now, it's many perimeters we've got to think about protecting.
So at Digital Shadows, we try to shed light on these risks and show you how you can guard against them.
We provide security services to track these areas of exposure and eliminate any blind spots, and potentially provide resources and tools for further investigation so that you can enrich your intelligence.
And I know one of the typical outputs that we as security professionals usually get is, IOCs or alerts.
And don't get me wrong, IOCs are pretty good.
They're low hanging fruit in that action can quickly be taken when you get them or when you're being alerted to one.
But one of the fundamental problems I feel we face today is that we're also quite inundated with data; there really isn't a shortage of data, but rather we face the issue of not having this data be actionable enough or relevant enough.
So it may be the case of sure, I've been alerted to this misbehaving domain or IP address, but what is the context?
Does it affect me?
And if yes, what then do I do about it?
So essentially, what we're trying to achieve today is also to make these alerts even more relevant and actionable.
But before we talk about overcoming those challenges, I'd like to highlight the six core areas that we focus on to help organizations ensure a more secure posture.
So first we've got data leakage protection.
We focus on any sensitive marked documents that belong to your business, and identifying those when they get leaked outside the networks.
You may already have a DLP tool, but how do you know what's already exposed beyond the network?
We also look at customer details and employee credentials and see if they have been exposed online.
For brand protection, anywhere your domain, social media profile or mobile applications have been impersonated online can lead to phishing against customers or employees, causing brand damage.
For DevSecOps developers, we look for exposed code, access keys, and unauthorized code commits to repositories.
In dark web monitoring, we look for these accounts, whether they are being put up for sale, whether there are mentions by threat actors, and any phishing kits that are being created targeting your organization.
For attack surface monitoring, we look for those exploitable surface vulnerabilities, certificate issues, open ports, including those misconfigured devices that can expose further information.
And for threat intelligence, finally, you can see here that we try to understand the threat landscape and apply that to where you're operating and where you're exposed online.
We track threat actor profiles, and we maintain a library of actors and their activity and the IOCs associated with them.
We provide intelligence updates.
So these cover the latest developments, as well as providing our take and assessment on the issue.
It includes industry news, as well as primary source research undertaken by a full-time research team that I am a part of.
So we look across criminal forums, dark websites, among others.
We also monitor for disclosure of vulnerability and exploit associated with the technology that you use.
So this can tie into your vulnerability management program.
So while we're trying to produce intelligence that is as relevant and as actionable as possible, how we do that is by using this asset-based approach to reduce the noise, and giving you steps to help you reduce it.
So a little about how Searchlight works.
There are four key stages here.
There's configure, which is making it relevant on the outset and tailored to the assets of an organization.
With collection, we collect everything to do with an asset in the open, deep and dark web to get an idea of the footprint of an organization.
In contextualizing and analyzing, we identify the risk and remove the noise.
And finally, give you ways to mitigate and take action.
So a little bit more in-depth into these four stages.
With configuration, we consider the type of things that an organization would register.
There will be hundreds or thousands of assets; we do not limit them at all, so these could range from things like brand names, IP ranges, domains, company names, document markings, DLP identifiers, social media pages and mobile apps, and anything really that defines you as an organization.
We take those in, and in some cases we can understand the asset value even further.
So not just that it is a domain, but is it a domain that's one of your critical assets, and does it hold customer PII.
Understanding this level of detail will help greatly when we get to the third stage, when we are identifying and analyzing the risk.
We then collect across a really wide variety of sources across the open, deep and dark web.
And to give you an idea of just how much data, there are tens of thousands and millions of entries that we're looking at each week.
So you can see a sample of those that we collect in a typical week.
A huge number of new files are being identified across misconfigured FTPs, S3 buckets, SMB shares, including zip files.
A huge number of commits on GitHub every week.
We're scraping web pages, pulling in tweets, looking at pastes, domain name registrations, and looking at IRC and Telegram channels, and some criminal forums and marketplaces.
So we cover a whole range of sources just to give you the confidence that when something is exposed online, we will find it.
And third, we need to analyze and identify the risk within all of these.
So to do this, we really try to distill the signal from that noise.
And how do we do that?
We use a combination of automated and human analysis, so that we can remove a lot more than 95% of that noise.
So we put it through our risk engine, and then, when necessary, to avoid the noise occurring or recurring, we add a layer of our own analyst team triaging the alerts before they get sent to you.
And then in the Digital Shadows portal, you will receive an alert.
Each alert has playbooks built in, and there are workflow options.
You can either launch a self-service takedown or managed takedown.
And there's all of the context within the alert itself that can help make an informed decision about what you should do next.
You can access this via our customer portal or via API, or via our certified integrations with other solutions, such as threat intelligence platforms or ticketing platforms, remediation and enforcement platforms.
And to sum up this slide, I think the point here is to really see us as one of you and as an extension to your team.
In an ideal world, threat information and intelligence triaging should be smooth, and not so painful.
But the reality is, that isn't always so fuss-free.
For example, we tend to cast a very wide net when it comes to collecting information, because the more information, the better, right?
So that if we have to, we can weed out the useless ones and only look for those that are applicable or relevant.
But in this situation, it would lead to a lot of false positives and being flooded by data, which, as I've said before, we have no shortage of.
So besides being overwhelmed by the amount of data, we might not know which one we should prioritize or when we get one, we're not really sure what the next steps are.
So here, how we can help, by being an extension to your team, is that these processes are already being automated for you and save you a huge amount of time from having to do it on your own.
So not only do we provide the information, we also provide the context, and that helps eliminate the noise.
You only get the relevant stuff in this case.
And with the context, you can decide which is a false positive and remove that one, or pick out the false negative without missing it completely.
And from here, you can focus on human analysis and drive deeper investigation on only those that matter.
So I've talked about accessing information via the customer portal or API or certified integrations with other solutions.
So here I'd like to make the case that having access to big data is only half the battle won.
We're not just another technology that you have to open up in yet another tab.
We also want to help you operationalize threat intelligence in the best possible way with your existing technologies.
And Anomali is one of the excellent platforms that we integrate with.
So we currently feed alerts and intelligence into Anomali.
And with this integration, we hope to provide security practitioners with a more seamless way to investigate alerts further.
And we'll show you a quick and simple way of how this integration can come together to enhance your workflow.
And now I'd like to pass it on to MJ, who will take you through Searchlight.
MJ KNUDSEN: Thank you, Xue.
I need one moment to start sharing.
Xue, thank you very much.
I'm going to walk you through the Digital Shadows platform, give you a view into the product platform and some of the incidents that we are able to detect and create for our customers before passing it over to go a little bit deeper into Anomali and how Digital Shadows can connect into Anomali.
Here we're looking at our homepage, which is a great view into the data that we're collecting for all of our customers, and then delivering specifically to you, our customer.
So right now, we're looking at a 90-day view of our data.
And across all of our sources, the open, deep and dark web, technical sources and documents, we've pulled in 3.9 billion documents or references.
The next step is information that may be related to you.
And between these two are hundreds of rules applied to every customer based on their assets.
Again, as Xue pointed out, those are the things that you've told us apply to you.
Like your social media profiles, your company names, brand names, domain names, critical assets and so on.
So these are the things that we found that may be applicable to you.
From here, there are two paths before they get to you in the portal.
The first is the automated path.
About 95% of our alerts are automated and go directly to our customers.
Those are the rules and the things that we have found we can make extremely actionable and accurate programmatically.
For the things that are harder to identify and make accurate for our customers, we have a human analyst team involved.
So for those alerts, they are reviewed by human analysts before they are passed on and published to your portal.
Some great examples of that are dark web mentions, some technical threats, and other types of indicators that really do benefit from having some human analysis.
So in the past 90 days for this customer, we've had 48 events and incidents coming into the system.
So I'm going to head over to triage.
Triage is where you'll be able to look at the incidents that you're getting as a customer.
And I'm going to start directly by going into an impersonating domain.
So we take all of your assets, like your company names, brand names and domains, and we're able to find things like impersonating domains.
And we look for things like having your logo and content or having your assets and your information in the web page.
So here's a screenshot of the web page that was found based on the sample customer that we have.
And if we scroll down a little bit more, you'll see the matched assets and each of the reasons why we say that this has been triggered.
So it's been triggered because of similarities to the domain, but also your company and your brand name in the domain as well.
And then if I scroll down some more, we'll see that we've triggered because there is a logo match, but also because there are references to your assets, your brands, and your company in the HTML.
If we want to scroll down a little bit more, we can see some other technical information, like WHOIS information and DNS records.
We can also choose to see the history of the WHOIS, the DNS records, the screenshots, the HTML, as well as the logos that were found.
All of this provides very useful evidence for requesting a takedown if that's something that you should decide to do.
For many of our incidents, you'll see a playbook section.
And the playbook provides you with step by step instructions on detection and analysis, containment, and what to do after the event has been addressed.
In this case, you may want to perform a takedown.
So we have the option to do a self-service takedown where we'll generate a PDF based on the content of this alert that you can then export and send directly to the registrar's abuse email address, which we provide right here in our interface.
A lot of our customers will start with a self-service takedown first.
And if they are not successful with a self-service takedown, then they will use our managed takedown services to help with that takedown.
Much like an impersonating domain, we also have the ability to detect phishing web pages that are impersonating your domain and your company.
Here's an example of one.
A couple more examples for you really quickly.
The next thing that I'd like to show you is an exposed technical document.
So we look across open cloud storage buckets, FTP servers, file servers, and HTTP file servers as well, for documents that may match your document markings and your assets.
In this case, we have something that has multiple references to your technical assets, as well as your brand name.
So here are some details of that document.
Here's a copy of the document.
If we scroll down some more, we'll see the document repository, which we could explore for other information and related incidents in that same document repository.
And again, a playbook applies and you can request a takedown if that's what you'd like to do.
OK, and then moving on to the last incident that I'm going to show you guys.
Always of interest to customers are exposed credentials.
So with our ability to look across the open, deep and dark web, as well as numerous password dumps that happen on a regular basis, and purchases from the dark web, we're able to identify username and password pairs that apply to your organization.
What's special about Digital Shadows, is our ability to take your password policy and tell you if the password does match your password policy.
We also have an integration with Microsoft Azure AD, as well as Okta, and we could hit either of those to make sure that this is an active user before passing this incident on to you or closing it automatically.
If we scroll down some more, we'll see that this same username and password pair has been seen multiple times across multiple sources.
And we have some source information available as well.
So we could see the seed data.
So what we found or what we matched upon.
And then if we want, we could see snippets of the actual file.
And with that, I will pass it on.
Give me one moment to stop sharing.
And with that, I'll pass it over to Scott.
Thank you.
SCOTT DOWSETT: All right.
Am I sharing properly?
Looks good.
SCOTT DOWSETT: Thank you, everyone.
I'm Scott Dowsett, Vice President of Sales Engineering here for Anomali.
And a little bit about Anomali.
So we were founded back in intelligence leader.
We've got over 1,500 customers worldwide.
We're trusted by many of the-- [COUGHS] --Excuse me, ISACs and intelligence sharing organizations.
We do have local support in APJ, and we were cloud from day one.
You can see some of our awards down here on the bottom.
We have actually security sweep.
Today, I'm going to focus on Threatstream, but just want to point out, we also have Lens and Match, so if you have some interest in some additional offerings we have, happy to talk about that.
Today I'm going to focus around Threatstream.
Threatstream is our threat intelligence platform.
It collects information from many different sources, including a marketplace called our APP Store.
Digital Shadows is both a partner and part of our APP store in the actual platform.
We also can normalize IOCs across all these sources.
We actually enrich them with additional data to include actor, campaign, TTP and additional information.
I'll talk about that more as I get in the presentation.
As well, we have the ability also to integrate.
We can actually integrate with SOAR technologies, endpoint technologies, firewalls.
We can utilize our API extensively, as well as SIEM technology.
So let's get into a scenario.
So phishing analysis, the daily grind for an intelligence-driven SOC.
So I've worked with many companies around the world, and phishing is probably the number one entry point for getting into networks and causing major problems.
And we see this time and time again: the SOC gets overburdened with all this information. I've seen thousands of emails coming into organizations, and it's the ones that get through that matter.
And you have to address them.
So how do we do that?
So in the Threatstream platform, for example, say a suspicious email comes in.
So the email looks to be OK, but there's possibly challenges with it.
What do you do with it?
How do you triage the actual email?
So step one, we actually have a phishing mailbox that we can set up within Threatstream to identify basically phishing emails and do quite a bit of actions against them.
So if you look at my screen here, you'll see we can create an import session investigation, a bulletin.
We can even detonate information on a sandbox.
As well, on the right-hand side here, we can add additional tags.
Tags allow us to then take the information that we've extracted from this email and do some additional functions with it.
As well, in the middle of the screen there, confidence.
In the Threatstream platform, we have the ability to score indicators of compromise when they're new, when they come into the platform.
So something new that we've never seen before, we're actually going to score and give a confidence value of basically a 0 through 100 and tell you how confident that it's bad based on what we see.
So email comes in the platform, hits our phishing mailbox, we then create a threat bulletin.
In our threat bulletin, we're going to extract information from the actual email.
So that could be the body of the email, basically the header or the footer, anything associated within that email, we're going to extract.
What happens is, we pull that out, and we push that into observables.
So we're actually pulling out IOCs or indicators of compromise.
From there, we also then can communicate with our platform and associate with threat models.
So threat models are basically an expansion.
So we look at all the attribution around the actual information of the actual indicator.
So furthermore, we can then triage this.
So now I've brought this information in, I can then create an investigation.
So I want to know more.
I want to understand what's going on.
So from here, we then expand it.
So therefore, when we triage or bring the data into investigations, it's going to expand the data for me.
A couple of things happen here.
I can search information around that, as well, I can also detonate on the sandbox.
So in our platform, we actually have Joe Security and VMRay addressable in the platform, where you can execute against the onboard sandbox.
And you can do this in an automated fashion.
So hence, like I talked earlier about the fact that all these emails are flowing in, what if you could automate the process and just get the results and choose the ones that you want to then take further action against or triage.
So what do we have so far?
So we've got email that came in, we've got information.
We've got TTPs, we have hashes, we see associations against our finance department on our payment systems because it came in as basically, hey, you've paid a bill, but we would like you to double check.
So we take this a little further.
So now, external context and enrichments.
Let's talk about our friends at Digital Shadows here, how they can help.
So first of all, let's check our system internally and associate all the hashes around what we have within our platform.
So therefore, we're going to expand all the hashes and look at all the rest of the associations.
From there, we're also going to look at all of our URLs and say, OK, URLs and domains, how do they associate?
Over here, we'll take it one step further and talk about all the association of IP addresses.
So now suddenly, this email has a lot more information that is of interest.
Enrichments.
Enrichments search WHOIS to find out additional data around it, and search actors.
Actors can leverage our friends at Digital Shadows and pull in information that they have.
So we don't have the information.
Let's leverage the folks that do in the environment.
So from there, we then see the actor expansion.
And there's additional data that we were not aware of because we tapped our partner and pulled that information into the platform.
So now we have additional relevance that's very powerful.
Let's take it one step further.
So now let's take it and look against the MITRE ATT&CK framework.
So actors leverage TTPs.
TTPs are utilized, and we also map them to the MITRE ATT&CK framework.
But there's a key here, the security coverage.
What coverage do you have in your environment? What do I have, what are the areas, where are my gaps that I need to shore up, based on the fact that this actor has targeted me with an email that got into the platform and that we triaged, but we now have additional information around this actor, including the TTPs that they use, and we're mapping them against the MITRE ATT&CK framework?
So let's overlay our controls against that and understand more.
So let's talk about that.
So we'll overlay the security coverage.
So what happens here, we're going to turn that coverage on, and now we're going to see where our high risk areas are in our environment.
So the areas that the TTPs could expose and possibly penetrate our environment or get into our network.
So now the result of this is going to show me all the areas basically that have no coverage.
You can see here none on phishing, boot or login, and then over on the right-hand side of the page there.
As well, I highlight here as far as none.
Therefore, we know [COUGHS] that we have, excuse me, issues in this area that we must address in the environment.
Operationalization.
So let's take it to the final step here.
So we have all this ingestion of information that's come into the platform.
We've leveraged, basically, our tagging.
We've got 75 not imported observables.
So we expanded all this data like we did earlier, but we have these additional ones.
Let's import those in the platform.
As well, let's export them to a threat model.
As well, let's put a tag on each one of those items.
So when we export that data out into the platform, let's tag each one of them.
So what happens here is, now when I tag these, for example, say I have Splunk, I can add a filter in Splunk with the tags, or say a filter in Blue Coat, adding the tags right here that say, OK, any time you see this data come into the platform with a particular tag of monitor or block, so monitor for Splunk or block for Blue Coat, let's take that action.
So therefore, now we're being not only proactive, we're also being reactive if we see it occur in the environment.
Here's a result of what that looks like.
So in the final stage here, this is Splunk.
You can see here APT28, and we have a match in the environment.
So this would be based on the fact that we tagged the information and associated it against that actor in the environment.
But there's more.
So beyond this, we can take this to the next step.
So Anomali DS Alerts with a pivot.
So from the Searchlight platform, you can pass alerts over from Digital Shadows into Threatstream.
They will basically be presented as incidents.
So as incidents occur in the environment, you can actually expand on these incidents, and also expand further back into Digital Shadows right here.
So we'll pivot back over into Digital Shadows and get the rest of the story and all the information from Digital Shadows.
We literally left Threatstream and jumped right into the portal directly, grabbing all the information automatically.
As well, we can also track actor details.
So published into the Threatstream platform from the feed from Digital Shadows is also actor detail.
So actor detail flows into the platform.
As well, within actor detail, we also have associations.
You can see 70 items here.
So in all of the actor information, we'll associate all of the Digital Shadows information, as well as any other appropriate data that flows in with it.
They will be seen as observables that action can be taken on in the environment.
In closing, Anomali plus Digital Shadows, a powerful combination.
So a little bit more about Anomali here.
So we are the market leader in the TIP space.
Also over 120 vetted intelligence feeds in the platform.
Our scoring prioritization leverages our machine learning, so we scrub the IOCs before they come in the platform.
Our integrator, as I just showed, allows you to present data to, for example, Splunk, or Blue Coat, or another system of your choice.
We also have sandbox and brand protection by leveraging Digital Shadows, as well as the APP Store, where we give you additional data.
We also have additional platforms, if of interest, Anomali Match and Anomali Lens.
Lens, I'll point out, is a browser plugin that allows you to easily scrape web pages, PDFs, Word documents, anything of interest, to expose intelligence and determine if it's in your network or in your repository of intelligence in Threatstream.
Very powerful.
And as well, we have the Anomali customer success team behind your team, behind us, that helps complement the actual mission of stopping these threats.
With that, I will open up for questions.
All right, I'm going to jump in here and read some of the questions that have come in.
If at any time you guys want to still submit questions, please do to the chat or through the Q&A and we'll get to as many of them as we can.
The first one I have here is, how can I ensure as few false positives come through as possible?
Um, do you want me to assign it to one of you?
SCOTT DOWSETT: I can take that.
Would one of you like to take it?
SCOTT DOWSETT: Yeah, sorry about that.
This is Scott, I can take that.
So false positives, so we actually identify with our machine learning indicators of compromise and we rank them based on a 0 to 100 confidence value.
So false positives are automatically flagged in the platform.
We actually keep them in the platform as a false positive, because in some cases, they can turn into a positive.
But we will flag them accordingly.
As well, you don't deliver those to your downstream systems, but they can be there for your review in the platform.
So we flag that through our machine learning.
MJ KNUDSEN: Also, with Digital Shadows, you have the ability to tune through the assets.
But on top of that, we have the ability to tune and customize all of the rules that are running to help eliminate false positives.
So an example is that we were working with a customer who administers tests, and there were a lot of false alerts for test answers and questions.
We were able to work with them to understand what true positives look like for them versus false positives, and modify our rules on the back end very specifically for them to deliver only the best and most actionable results.
So lots of options for tuning in Digital Shadows.
Great.
XUE YIN PEH: And when our own analyst team is triaging these alerts, they also add an additional layer of their understanding of your environment vis-à-vis whatever is going on out there.
So for example, if there is an alert informing you that a certain vulnerability has been disclosed, but our analysts already understand that you don't use this software or this program, and this vulnerability will almost certainly not affect you at all, this false positive gets filtered out immediately.
All right, thank you.
Let's see.
Can users customize the scoring of threat data based on their team's knowledge and capabilities and the risk?
SCOTT DOWSETT: So, I'll take it first here.
So Scott Dowsett.
With Anomali, you can clone the actual indicator.
So you can clone the indicator and then re-score it to your liking in the platform.
As well, if you import indicators, there's the opportunity to change the score so basically set your own initial score and not have the system score on your behalf.
MJ KNUDSEN: And similar for Digital Shadows.
The ability to define the asset criticality for all the assets that you import ultimately drives the scoring that we use for all of the alerts.
All right, looks like we have time for one more.
How are threats or alerts evaluated?
MJ KNUDSEN: I'll take that one to start.
We have a number of methods for detecting and evaluating threats, starting with applying them to the assets that you've provided.
So the things that are important to you in your environment.
Your domains, your brands, your companies.
But on top of that, we have automated ways for delivering those alerts through rules that we've tuned over time to make very effective, as well as what Xue mentioned earlier, which is our analyst-driven alerts, making sure that the most actionable results are being delivered to you.
SCOTT DOWSETT: In the case of Anomali, we actually break down indicators into itypes.
So we determine what the actual indicator type is.
And then from that point, we apply a severity score to it.
So it's a low, medium, high or very high.
In addition to that, we add the [INAUDIBLE] score.
So we're going to determine that based on itypes; we have over 130 types.
So we're looking at, is it an APT IP versus an APT URL versus a malware URL?
So we're going to determine that based on our machine learning, and then apply the appropriate identification to it.