Threat or Not? Actionable Threat Intel and Informed Decision Making: Detect ‘18 Presentation Series

I am Frank Lange.

I am part of the German team from Anomali.

I'm very proud to present the European part of the company, and I want to talk about actionable intelligence today and how you make very smart decisions.

And for that, I want to start with a quote from Einstein, who said that it makes only sense to use intelligence if you really can apply it somewhere.

And so in the next few minutes, you will learn about how you can make use of context, use of threat data to get the bigger picture and to make an informed decision.

And before I do that, I'd like to go through some history.

So I will tell you about my experience the last decade, how we could mitigate or block a threat, compared to now.

I talk about today, of course, how we use intelligence to mitigate certain threats based on a very informed decision, of course.

But also, I have a real life example, WannaCry, as everybody knows, which we had last year, which is still active, and how we saw something in our platform where you could use that information to make a proper decision.

And I will explain why.

All right, so I'm talking to a lot of customers in Europe.

And very often, I have SOC teams, SIEM teams in the room and they ask me, OK, I have done this correlation, I've got these threats coming in.

I need to block this, right? I just want to get [INAUDIBLE].

So there's always need for blocking, whether it's on the firewall on the IPS, on the proxy level, even SIEM-triggered.

So you have some correlation, and based on the correlation, you trigger an action on the SIEM side.

But also, maybe 10 years ago, roughly, you heard about self-defending networks, self-healing networks.

So in the infrastructure, the network found there is an attack and it tries to stop the attack by itself.

Pretty marketing buzzwords, if you ask me, and I'll tell you why.

But now, of course we have intelligence, and we can use the information much better, because we have certain ways of ensuring its high confidence, its relevance, its timeliness.

And so here's a picture of one of my first so-called mitigation response systems, which was based on the concept of the big red button.

So you have your network, you have your switches, your routers, your IDS firewalls.

And if something happens you either have predefined not playbooks, but rules, what you do if something happens.

Or it gives you some semi-automated advice what you should do, like shut down the switchboard on the office switch, for example, so very aggressive methods.

Of course this never was applied, the theory was very good but it was never applied because if you blocked the switchboard then you blocked everything else, right, so it didn't really make it into the customers.

Now today if you block a threat there are certain things we have to consider.

I have customers in the small and medium range, they rely on the firewall block lists, so they fully block the threat, whatever the firewall owner gives them, and the block list will just block it.

They don't think about it, they just block it.

I have a lot of customers, they are more sensitive, they don't block because they know, if I block that communication the attacker may know I'm reacting to that, so expose some reaction back to the attacker, so they watch and they maybe want to see what is going on and then do something else.

Now sometimes you can't even block because you have that oil platform, that ship that comes in every 10 years for updating/upgrading, you can't just block that Windows, it's impossible, it's running for years.

So there you have the so-called virtual patching, Have anybody heard of this before? Yes? Very good, so you block something around that vulnerability, if you have Windows [INAUDIBLE] that's vulnerable so you have like, a firewall around that block that specific complication to that vulnerability, that's virtual patching, which is also a way to do some blocking indirectly.

Or also I had a big investment bank and they ought to use block lists, and they were blocking a customer of theirs because they were bidding for some company and they couldn't trade and buy that company because it was-- the trading platform was blocked so that's all about trust and control not to block the wrong things, and it's also important to understand that whole context here.

Now if it goes more into the practical part, how you could block, then you have to think about certain things.

So in the past, everybody knows about blacklists, so just a list of [INAUDIBLE] and domain names, but what's the context?

How do you know if this applies to you here in the US or maybe in Asia or maybe in Europe? How do you know it's still a current threat, not a very old list from last week, because the domain could already be green again today?

We also saw [INAUDIBLE] some reputation lists that give you some kind of probability, yeah, it's 90% a threat, it's 70% a threat, it's a little improvement there but still no context around if this a threat targeting you specifically, is it maybe something that is passively targeting everybody in the world, things like that.

And then, very important, again, the false positives, I think that's a major problem intelligence can solve and tips can solve.

If you can spot wrong information that is being sent to you which would be used potentially [INAUDIBLE] to block the wrong things.

And so we here have to keep in mind that information might expire like a DGA domain, for example, like it never-- it usually lives for one day and then you have a new one and it's also problematic in terms of the big data problem.

You get hundreds of thousands of new domains every day.

How do you deal with it? Which firewall can take It's impossible, right? Or it's on the [INAUDIBLE] side, which [INAUDIBLE] can take 5 million IOCs? Impossible.

Now there is a solution, obviously, and a solution can be that you use threat intelligence, and if I [INAUDIBLE] not just the technical level, the IOCs, but the context around it, so we have strategic unique intelligence about the actors which are using this domain name to perform certain activities, and the actor has certain motivations which you can track, and for example, this actor might use this domain name to install ransomware because it's a cybercrime actor and the motivation is to make money.

And of course if you understand the context, then it's also very important to have data because if you don't have data you cannot actionable anything, you cannot block anything, cannot detect anything.

So you have to have the IOC or [? TTP, ?] and then the question is, again, how do you push all of this into your firewall or email gateway or whatever prevention control and not overflow it with too much information?

Again, there is a solution like a threat in the platform that can ask questions about, OK, is this information still valid today?

Is this intelligence still applying to the threat today, or is it maybe old information?

Is it relevant to my geography, my industry vertical, or is it some kind of threat far away that doesn't apply to me so why I should block this here?

I have to keep in mind I can only block certain number of things, I should maybe not block this because there might be something that's more important to me.

So different questions and of course there's a solution for that, like a platform for threat intelligence where we collect from a number of sources to get, as much as possible, the context about the threat, and different sources have different views of information, and in the platform we see the entire picture so we are more aware of the context of the threat and if it applies maybe to us or not, or maybe is there anything else [INAUDIBLE] does and doesn't tell me in this block list?

I have an example in a few minutes.

And so for example, here I have a domain name, that domain was used by this certain actor, and I notice actor is active in Asia or in Europe, so I may not use this for blocking right now because it doesn't really apply to me.

If yes, if I want block, of course we have a lot of integrations.

We can automate or semi-automate an action, and I'll talk about that as well.

Let me talk about a specific example.

I think everybody heard about WannaCry, right? It's an old malware from last year but it's still very active and on a high level.

So this WannaCry malware was a malware consisting of two modules, one was the encrypting module, that's the ransomware part, and the second part was the worm part, the propagation part, so it spread it around the entire world.

Now it also used very well-known vulnerabilities, and there was some guy doing research around this malware and he found a domain name, and a so-called killswitch domain name, and if the [INAUDIBLE] could reach out to that domain name then this ransomware would stop propagating itself.

But what I saw at the time it broke out is that I saw a lot of Windows putting this into the block lists, so all the firewalls, they blocked this killswitch domain which made the malware spread around.

So there was good intention to block it but the opposite behavior was triggered so the malware could spread around even more.

Now, in comparison, when we use intelligence-- so this is the guy, the "accidental hero" who found the domain, the killswitch domain, and this is from last month so one of the Apple suppliers was affected by WannaCry but luckily it didn't affect the new iPhone production.

But so if it takes ThreatStream as a platform and I watched the intelligence that came in at the time, I could see, wow, there is a lot of context, the vulnerabilities, the background, to see these things like that, so I had awareness of what is going on right now, but also on the IOC level I had some context, and I even had information that they should not block this.

So we had commercial providers like EyeSight from FireEye, for example, they already said at the beginning, do not block, and based on this context, yes, [INAUDIBLE] I definitely could say I don't block this on the firewall because it would make the propagation stop.

And how could this be automized-- or automated? Let me first talk about the different sources in the platform at the time of the outbreak.

So this was the day when the worm break out, May 12th, 2017, and first trackings we got from a commercial provider.

A few hours later there was an ISAC doing information sharing between peers very rapidly, so I was sitting live and watching the communication, and then later in that day we saw also the open source streams reporting about it, but between the commercial and the open source it was like 10, 12 hours, so for a worm that spreads around the world, that's a long time.

So it's good to have the right sources to get the best context and the platform, and then over time you saw other sources picking up.

And it's still running, like last month, there's still WannaCry activity around the world.

Now the question is, of course I don't want to sit in front of the screen all the time and read every bulletin and read every bits and bytes.

There is a way of automation in the platform.

Is anyone using ThreatStream and Integrator? Two, three, four, five, good, very good, and of course, you can use [? Integrator ?] as a module talking to like, your firewall, it's talking to your [? TIDSs, ?] your proxy servers, your [INAUDIBLE] system for detection, and one way is also to do filter and Integrator, like confidence score is but it can also do filter based on tags.

For example I block based on confidence scoring but I don't want to block if there is a certain tag in it, like do not block, so if I have a source telling me don't block this then even though I block things in the firewall there will be an exception if this tag is being seen on this IOC.

So in that way you can automize and block the right things, not the wrong things.

That's one way.

There is a way also to do like, human-based enrichment, so basically analysts can use the platform and can also add their own tags, they don't have to wait for a source to report attack with the IOC, you can also add your own tag, and usually it's being used for enrichment of the IOC, like actor names or report IDs, things like that, but you can also use like, block firewall or block IDS, you can pre-define attack, and you can then use it to trigger an action.

That's a very basic use case of automating something using the tip.

And so here is block on proxy, I can make it a private tag just for myself.

I add it.

In the grid I will do a query, see the tag, and put this domain name on the block list on the firewall, or proxy, in this case, right?

So instead of just trusting what is coming through from the block list provider you just add a tag manually based on the context you can read and see and understand, and then block this in the environment and ensure there is a real threat behind it, not just something that shouldn't be blocked.

OK.

Of course there is, in terms of integrations, there is a lot of firewalls we support, [? IDSs ?] I mentioned, [INAUDIBLE] I mentioned, but also we just launched the integrated SDK so we can now build your own integrations if you want, so I have customers that have maybe a device that is very special and they want to integrate with that device, so the SDK allows you to flexibly customize the integration and build your own.

Otherwise there is a lot of integrations also in the orchestration area, source, a big topic this year where you can have playbooks and [? automization ?] and so on, and of course, we always had the API for some time, so I have customers that use the API, directly query the tags from the IOCs through some blocking as well.

And to sum up, if you leave the room I want to take you one [INAUDIBLE] TIME.

Because intel is all about time, whether it's the early-stage information you get from the sources but also if you do countermeasures in the better and faster time, and if you say "TIME" then "TIME" stands for Threat Intelligence Makes Efficient, and we ask the tip provider can help you with that goal.

And with that I'm opening up for questions.

Yes, please.

Just a comment more than a question.

Last night I found that there is a "suppress alerts" [? i-type ?] on the anomaly platform, so as an alternative to tagging you could use that [? i-type ?] type to stop IOC [? flow.

?] Good.

Very good, thanks.

Is that [INAUDIBLE] or is that just-- ThreatStream-- That was on the ThreatStream [INAUDIBLE]..

[INAUDIBLE] [? Eric? ?] Can the [? Integrator ?] remove blocks as well? Like, what if your first source that we have high confidence in this domain name and then you got the next source said, do not block? Yes.

You can reverse the tag, so you can just remove it, and during the next refresh of Integrator it would just remove this IOC from the list and push it down to the proxy or firewall that's being removed.

Any more questions? Thank you very much.