Supercharging Your Security Analyst with a TIP: Detect ‘19 Series
Transcript
.svg){kind=icon}
ANDRAS BORBELY: All right, thank you so much for joining us this morning.
It's been a great conference so far.
I hope you enjoyed yourself.
There were lots of great sessions, and I had the privilege to meet lots of amazing people over the past couple of days.
My name is Andras Borbely.
I came over from the nice and glorious cloudy and rainy island of Great Britain.
I've been working in the cyber security industry for the past a number of different industries with consulting in SIEM and threat intelligence building solutions, designing solutions, and helping with programs to take it to the next level, pretty much in most areas, from Europe to America to Singapore.
So been covering lots of travel in my life so far.
What I'm trying to do is to visit what are the main challenges I believe we face today or threat analysts face today in their daily activities and their programs, trying to understand what benefits a strategy and a platform can bring to these people, to this team, to these businesses to enhance their activities and programs, and learn a bit about how a threat intel platform can contribute and enhance your threat hunting capabilities.
So one of the main questions I normally like to see-- now look, how many of the organizations out there have clearly defined CTI requirements?
As we all guess, the answer will be 100%, as we all have a program, which is not the case, unfortunately.
Only about 30% of the companies admit that they have a clearly defined CTI program, CTI requirement, and they try to tackle it.
About 37% say they don't have an official one, they just do it ad hoc basis, and they're trying to tackle activities and requirements as they go.
About 26% has nothing at the moment, but they have plans to implement them in the future.
And there's still a small percentage who have no plans or no programs.
The numbers are improving over the years, but they're not where I would like to see them.
The stats are from the Cyber CTI intelligence evolution 2019 survey from SANS, so the numbers are from those presentations.
So what is holding us back?
Why are we not having a proper program?
Why are we not trying to work towards it?
There's a couple of options here.
The biggest issue that normally comes back is the lack of trained staff, the usual excuse of the cyber skills shortage, which is happening for the past decade, if not longer.
In my eyes, the biggest issue is a lack of funding.
Because as long as there is funding, you can get people, you can get the training together, and you can build your program.
But there are still lots of people who believe they don't have the funding, they don't have the time to implement these processes, they can't find the right people.
They believe they have issues with the lack of automation, which is changing nowadays.
Because lots of platforms out there now that are trying to address this.
But as mentioned, in my eyes, I think the biggest issue is more the funding and the lack of management buy in.
Companies [INAUDIBLE] CTI teams and CTI programs where the members of these organizations bring their team members in.
The biggest contribution to CTI teams are still coming from the security operations centers or SOCs.
There's a good combination now between different parties.
There are still companies who only have a standalone dedicated CTI team, which may sound great from the outset.
In my personal opinion, I like seeing a bit of mix nowadays.
I like seeing that they drove members into the CTI program from all the different parts of the business.
Because they produce and give you a different set of skills, so kind of just can give you more background on the operations.
And you have to include additional people.
There's still a small percentage from the business side.
I would like to see that number increase in the future.
I believe it's important to get people involved from the business from the project side to understand how the overall process, an overall program works so they can contribute and add value to this program.
I've got lots of charts.
I've got about 50 more, but I won't show them, because I don't want to bore you to death with charts.
So I promise there will be no more.
Just want to summarize, as mentioned, what the biggest issues and challenges I see.
You may find some of this yourself in your organization inside your teams.
But as mentioned, I see just the lack, lack, lack.
Lack of clear intelligence requirements, lack of staffing, lack of head count, lack of skills, lack of training, lack of funding for the project, lack of time to implement or spend time.
Plus most of these things still have additional tasks, additional hats wearing inside their day.
And at the end, it's lack of will, because people give up as too cumbersome, I don't like it.
In my personal opinion, as long as we can change the will and the founding, I think we are on the good path.
Where there's will, there's a way, and where there's more to found said way that works for the best.
So what can we do to tackle why the industry is fixing-- why the businesses are fixing the problems of the staff, the skills, the training?
What can we do to ensure that the few people you have-- the small teams you have-- get the best value out from your program, and they can become a CTI ninja, hopefully.
I want you to imagine a sample scenario in this situation.
You are a CTI analyst who is working for a UK-based investment company.
Your company is traditionally invested in the local and the European market.
And your company's only investing in real estate in normal circumstances.
You spend a couple of days on a conference in Washington.
You go back to work after a small short break, and your CISO comes to you with a request.
He's asking you to produce a report to cover the following items.
Who are the adversaries associated with the group Fancy Bear?
Could we be a target for them in the past?
Is there any way they may target us in the future?
Could you produce a list of indicators, IPs, domains, or indicators which you would like us to implement in our monitoring environment to give our engineering teams to look at for them in the future.
Gathering this data as a standard CTI analyst would take days or weeks, possibly more in the course of weeks.
To give an example, myself as an odd analyst-- the steps I would normally achieve-- I would [INAUDIBLE] the intelligence lifecycle, as we're all aware of it.
First up would be defining what the intelligence requirements are, which we have.
Our CISO has mentioned what the requirements were.
We understand what needs to be done.
We now have to come up with a collection plan as well, which will be the response for these PIRs.
And then we jump into the middle, we start collecting the information.
And then once we collected all the information, we're still not finished.
We still have to sit down, convert this raw data into readable, relevant data.
We have to ensure it relates to us.
We also have to ensure that this was assessed and processed on our end, and we had a good feedback and we have peer reviews.
It takes ages, especially if you want to do this on your own without use of [INAUDIBLE].
Because what I would normally do-- you got multiple options.
The first step you can take, you can start collecting information from the web, open source intelligence collection preparations.
For this, your, analysts have to set up a new VM, a new machine.
I personally like to have a blank machine for each specific intelligence collection.
You also have to ensure you understand that you are collecting information from Russia.
So whatever search data you find, your results will depend on your source location.
If you're searching from the States, from the UK, you will not find the same information, or some information maybe blocked because they block access to certain locations based on your source IP address.
So for that point, you have to either use some sort of private VPN access or find some open source proxies or paid proxies.
But certainly, you have to spend some time just to ensure you set up your access properly before you even start collecting the data.
Then next, depending on which way you continue, it's also worth setting up some fake personal profiles for online which you can use for the open source collection.
You can come up with a profile yourself, or you can use one of my tools.
I like to use the fake name generator online, which basically can create you a profile.
You want to set which nationality, which country, gender, age.
It will auto-produce you with a profile you can then use to register for different applications.
This includes date of birth, favorite color, even potential bank card details you can use for registrations.
You also have to come up with potentially enrolling on some social media.
If you're collecting from Russia, you will be more going for vk.com, not Facebook, because that's the main preferred one they're using.
And you will be facing lots of challenges on the way.
When you start searching-- once you've done your preparations, which on its own can take hours and days, depending on how advanced your collection people are, you analysts are.
And then once it's all set up, you're still going to have to start the search.
Normally, you start searching in Google.
In Russia, I would start with Yandex.
But again, you're going to find lots of information, lots of data there.
You will also face challenges with the language.
They have a different alphabet with the Cyrillic one.
So results will be in a different language and different alphabet.
Google translators and plugins are handy.
[INAUDIBLE] at the websites.
But if you want to engage with people as well to try to gather personal intel from local people, you almost also need somebody in your team who speaks the language, or understands Russian in this case.
Not to mention that this is just the beginning.
Then you continue with your collection.
The data out there is, as you know, is hundreds, thousands of pages.
It's impossible to easily find the information fast.
I try to maintain Excel sheets with collection addresses, based on different countries, depending on which countries I'm collecting from, which indexes I'm collecting from.
But again, if your CTI analyst has not got these details or they are not skilled, for them it's almost impossible to produce this data, not to mention the time it would take to collect.
So what other options they have in this case?
Your options are-- if you don't want to go down the orphan's way, or if you want to complement them-- you can get premium paid intel sources.
Lots of companies out there.
Lots of companies are helping with this.
I'm not going to decide which one to go.
It's depending on your requirements.
Each company covers a different area, a different type of collection.
Some companies are collecting deep and dark web.
Some companies collecting nation-state actors.
It's really a combination of everything.
So that's something you have to decide yourself which one works best.
But even then, if you got your paid sources, you're still going to have to look into multiple sources, look into multiple portals, trying to find orphan data.
It's just a big chaos in my mind.
That's the example I can bring, this amazing creation.
Back in Swindon, UK, not too far of my place, so I have the unfortunate-- I have to drive through this multiple times a week.
But it's a special-- they call it magic roundabout, which has like a huge in the middle with satellite roundabouts.
It's rather confusing.
So this is how I feel when I think about collecting data.
It's lots of things.
I don't know which way to turn.
It's just crazy.
It's fun, so if you have the time, I do recommend trying to engage yourself in open source intelligence.
I love doing this in my spare time, which is a bit bad.
But if you want to get the value for a customer for a CISO, your CISO has no time to wait for this, basically.
So how can a threap platform help you?
The example is from Anomali, because we are at the Anomali conference.
I work for Anomali.
But in essence, you can use any other threat platform.
There's additional tools out there.
There's open source and paid ones.
You can decide whichever works best.
The biggest value I found in them is they give you a central aggregated point for all the information and data you can find.
You can collect data from-- you can ingest data from open source sources.
They should [INAUDIBLE].
You can ingest data from premium sources.
You can ingest data from your manual process you find internally in your company.
You can basically ingest anything you want which you consider as a potential guide for [INAUDIBLE] intelligence.
There is also the place I like in this one that we are not taking an indicator-based solution anymore.
And the policy industry was really around indicators, indicators IP address without giving too much context behind.
So it was impossible to then associate easily which indicators belong to which actors.
The future and what we are aiming for now with most platforms is a threat model-based approach.
So we not just define the indicator, we match them.
We attach them to an attacker, a campaign, an actor, so you have an easy way to match or an easy way to search your intelligence data.
The example here-- I just typed in Fancy Bear in the search bar, and it gave me back these results by default.
Again, there is still work to be done.
This one, you still have to review the results.
But you got contextualized data in one place, which you got much easier way to review, and there's much more context around.
We also produce some [INAUDIBLE] platform also, match actors, match aliases, match attack types, attack campaigns.
So it's an easy way to attribute additional indicators, additional campaigns in the past as a good connection in between.
Most data has come, and each actor has details around which companies they target, which industries they target.
And we also try to help-- and most threat platforms try to help-- with the fact we're not just giving you this data, we are also categorizing it for you.
We can tell you that this indicator may be a potential malware IP.
This one's an APT, or a command and control IP.
We'll not just tell you that we believe it's this.
We also try to find a [INAUDIBLE] threat platform start to use our scoring mechanisms to tell you how confident we are.
Because one of the biggest issues with open source intelligence as well, when you collect your data, you have to define and do your reasoning and track how confident you are that the data is correct.
Threat platforms like this and others help you to define how confident they are based on machine learning, based on historical data, on finding out if there's associations with that IP address in the past, if there's an unusually large amount of domain registrations with the IP address.
So we have lots of additional contexts which get behind this one.
And we're just trying to have the confidence in threat platform, but there is also the additional of potential defining of severity.
Again, low, high, very high.
Again, these are things you can collect yourself.
These are things you can do yourself.
But it will take weeks, if not months.
Here you got the readily accessible data from all your open source and premium feeds in one place, just an easy way to gather everything as a one-stop shop.
Mostly, platforms also has some visualization skills and visualization applications, so you don't just have the data, you can also visualize this data.
I like using normally Maltigo as well for such situations.
I can call API in response from additional sources.
And the more I enrich, the more I visualize data, I got better chances to find potential things which I may not have found otherwise, because there may be connections coming up which I could not have anticipated otherwise.
So eventually, there's just-- this is a small sample.
Obviously, I like going a bit more crazy.
But putting it in a slide would be a bit impossible to read.
But they're just a great way to visualize.
I said one main thing is this one.
It gives you visibility.
And the second [INAUDIBLE] one as well.
It's a nice eye candy for the XX as well.
So when your CISO asking for something, even just putting a picture in there-- they don't know what it's about.
They don't need to.
But it looks nice and fancy, so they will like it.
And I like them versus pie charts.
It's a bit nicer.
The other good thing with this one as well-- if you've got multiple parties in your team and you want to collaborate, it's an easy way to give them a platform where they can collaborate, and they can work on each other's investigations.
You may have to work on this threat intel 24 by 7.
When the next person comes on, they can pick it up where you left off and they can continue.
There is no need to start the investigation from scratch.
They can share data.
They can collaborate.
And they can produce their data into report as well at the end.
So I'm going back, circling back to the cycle of threat intelligence a bit in this one.
So I wanted to go back to each item and just to try to match up which items relatively can help you, basically.
The planning and direction parts-- it was the part where you define your requirements, define what you want to look for while you're doing it, and define your collection requirements.
So on a TIP platform, you can enable rules.
So you can say that if you're interested in seeing indicators or actors who are targeting the UK, you can enable a rule.
And if an intel comes into the platform, either from a premium feed, open source feed, or your own, the system can flag that there's a new indicator, there's a new campaign which is showing an activity which you wanted to be looking at, namely a new actor name came up, which is a UK target market.
You can apply your targeting.
You can apply [INAUDIBLE].
If you get specific investigations, specific frameworks, you can apply them.
You can define them.
You can whitelist, so if there's data you don't want to see you trust, you don't need to be alerted or pinged upon.
You can create trusted circles in preparations.
One of the big things I try to push for and recommend, not just Anomali [INAUDIBLE] but everything else, sharing, sharing.
I love sharing.
Because attacks on open source and data is there, but if you've got people or peer you can work with-- which you share information before they send you an email and Twitter feed.
But this gives you a centralized way as well how you can ingest that data into one place.
We can also set up potential automations how to ingest observeables.
So if you want to ingest indicators or inboxes, you can [INAUDIBLE] where you can forward indicators for the system to parse.
So again, it just helps you with automating some of the activities, help you in doing some of the processes which you would do as part of [INAUDIBLE] manual process, like looking for new stuff.
Those will help, and this just processes everything.
The collection part as well as the next one-- this is the point, the TIP will help you.
As we mentioned before, you can configure all the different feeds you have.
You got 50 different feeds, You can ingest them in one place.
You can create your own intel streams.
So if you want to share, if you want to supply information, you can do so.
You can do it for the community, or you can do it with just as partners.
If you work in the financial industry, you can share with financial companies.
So if you've got your connections, you can collect and join.
You can also join open source sharing circles, like the Department of Homeland Security have their trusted circle they expose for most threat platforms.
They supply data indicators they recommend to look at.
It just gives you more additional visibility.
You can enroll with ISACs.
Again, there's multiple ISACs out there for FSI [INAUDIBLE],, all the different ones if that is your preference.
I do recommend trying to engage.
And you can also use your own internal observables.
So if you find attacks on your networks in your same two firewalls, you can then import the data into your TIP platform, and then you can contextualize it.
And then when your analyst comes in next time, or when they have a ticket or they have a support issue next time, they can then come back for the information, find the information easily in one centralized plain view.
The third part of the threat cycle was the processing and the exploitation.
Again, this is where the machine learning part helps as well.
We help with the scoring.
We help with the categorizations.
We help with the contextualization.
And most TIP platform will apply the tagging, and you can just find an easy way to apply some additional intelligence on the data you have.
Whitelisting is still part of this one as well.
As well, in some platforms, you can submit sandbox submissions.
So if you have a malware code or if you have some piece of link you want to track, or a phishing game email which came in with a link, you can then submit from a TIP platform using API access out to third party sources like Joe Sandbox or VirusTotal.
And you can submit those samples, and they will give you a result.
And again, at this part as well, if your rules from the first phase trigger, you can investigate them further.
Number step four of the cycle was the analysis and production.
This is where you actually try to review the results, trying to process and contextualize the data further, produce them into an intel report, which then you can send to your CISO or your management, your teams.
So this part-- with the threat models, with the investigations, with the Maltigo type drafts, it gives you an easy way to summarize the data you found, and to put them into a PDF or CSV or whatever method of distribution you want to put them in, basically.
You can also include your sandbox analysis results.
So it's really just a good way to produce the information.
One additional thing which I like with this one as well with most TIP platforms is the option to enrich data.
So in lots of situations, you're going to have the IP address, and you're going to have additional subscriptions for, let's say, large recorded feature or VirusTotal, where if you want to look up the IP address, you want to find more information where the IP may belong, [INAUDIBLE] those portals, you would have to log into VirusTotal, RecordedFuture.
You copy and paste the address or such.
It's possible.
I don't like extra steps.
I'm a bit lazy.
I want to make sure I got the most efficient way as fast as possible.
So again, API integration makes this possible.
You can [INAUDIBLE] on the IP address domain inside your TIP platform, and you can call these enrichments down from the RecordedFuture VirusTotal, and there's lots of additional ones.
We pretty much-- most TIP platforms try to get more and more out.
And if there's no support, there is also a way to build your own support, and you can [INAUDIBLE] build an API integration with these platforms.
And the last step for the dissemination and feedback.
As you said, once you've got your threat report ready, your investigation ready, you've got multiple options.
You can publish a new threat model of the new actor you found on your network.
You can create new contextualize it yourself.
And then you can share it.
As I keep saying, sharing, sharing, sharing is my main biggest recommendation to take away from this session, possibly, is that there's a huge community out there.
You find something, if the data is not sensitive, if you can share it with the community, do it, please.
The more you share, the more they will share with you, and the better connections [INAUDIBLE] you can establish.
Also, as I mentioned, you can export reports in PDF, CSV, STIX, or in essence, any form what you want to, as long as you [INAUDIBLE].
And also, once you've found indicators, as I mentioned-- to circle back to the whole scenario we imagined at the beginning with the CISO-- using a TIP platform, we can fairly certainly state that possibly, we would not be at risk from Fancy Bear, because they normally target state actors.
But we can still produce a list of indicators for our CISO and our team to monitor.
And what they can do then-- they can push these indicators down into a sim tool so they can do reporting on them.
They can push it down [INAUDIBLE] reports to see if it's something which was found in the past.
They can push it down the firewalls, proxies for blocking or whitelisting, or just additional monitoring, and pretty much integrate with anything downstream.
I normally recommend to try to push indicators to your firewalls.
So what you can do-- you can set up a simple automation workflow saying that if you find something on the intel platform, you [INAUDIBLE] saying that push this down to the firewall, or apply it [INAUDIBLE] Apple.
And then you can write an integration with your firewall that if any thread indicator is found on the threat platform which has this tag, push it down to the firewall.
So you can almost partially automate a bit of your blocking process, or you can have your CTI team also have the process of what data being pushed down to these downstreams.
I understand most companies are against it because of [INAUDIBLE] control and processes.
But there are situations where this could save attacks in the future personally.
And yeah, try to get to an integration with anything you have in your network, from a ticketing system to the coffee machine, anything, really.
So try to pull the indicators in and share, share, share, really.
That is my last slide.
So I will thank you for the attention.
It's been great to have you as an audience.
And I wish you a pleasant journey for the rest of the day, and have a great week.
Thank you.