Threat Intelligence
AKA: Why you need “good” threat analysis

Kevin Lackey, Sr. Security Analyst


What threats do we face?

• Constantly evolving in terms of:
  – Technologies
  – Threat methodologies
  – Vulnerabilities
  – Tools
  – Actors

What intelligence is available?

• Various types and “quality” of threat data available
• Uncorrelated/unanalyzed data (the free stuff)
  – Bad actor lists
  – C&C receptor sites
  – Vulnerability feeds
• vs. correlated/analyzed feeds (you pay for these)

Why correlated/contextualized threat intelligence matters

• Data without context is of less value than data with context
  – Like random newspaper clippings vs. correlated data
• More specific to your infrastructure
• More actionable

*We will discuss sources for correlated data in a bit

Approaches for securing infrastructure

• Internally focused
  – Little intelligence, or internal intelligence driven
• External threat integration
  – Correlated intelligence driven
  – Proactive: evolves with the threatspace
  – Driven by intelligence

Typical internally focused threat approach

• Limited intelligence sources and feeds
• DEFENSE IN DEPTH
  – Compliance
  – Policies & Procedure
  – Technology


External threat environment

• Threat actors
• Techniques
• Tools
• Targets

Intelligence enabled proactive defense

• Combines the internal approach with correlated and actionable intelligence
  – Actor data and feeds
  – Tools and trends analysis
  – Resources (what can I leverage to protect myself?) data and feeds

Role of threat intelligence

• Understand the threatscape
• Drive:
  – Technology/mitigations
    • Monitoring
    • Vulnerability management
  – Policy/procedures
  – Compliance

Bryan Hatton, ICS-CERT

Not all feeds are equal

• Available threat intelligence runs a variety of “quality”
• Most of what is available freely is raw data
• The analyzed, correlated intelligence is generally a commercial product


Third party products?

• The rapid emergence of third-party threat intelligence services has created more options for the asset owner.
• Why would you consider a third party solution?
• How do you select the best provider based on your needs?

Considerations

• Do you subscribe to all the data available or just the intelligence that is specific to your operations?
• How do you get:
  – The right actionable data?
  – In time?
  – In a format you can use?

Photo: Robot arms assemble truck bodies in the fully automated Ford Motor Company truck plant in Dearborn, Michigan, in 2009. Car Culture/Corbis

Importance of context

• Uncorrelated data lacks the situational context that makes the data important and useful to your infrastructure
• The right analysis is directly and easily applicable to your infrastructure
• The right product will also contain general IT analysis and detail how it (general IT) can impact your sector

Example of a free vulnerability feed

TITLE: DeltaV Products Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA49210
. . .
http://secunia.com/advisories/49210/

. . .
ONLY AVAILABLE IN CUSTOMER AREA:
* Authentication Level
* Report Reliability
* Secunia PoC
* Secunia Analysis
* Systems Affected
* Approve Distribution
* Remediation Status
* Secunia CVSS Score
* CVSS
. . .


Free feed continued

DESCRIPTION: Multiple vulnerabilities have been reported in DeltaV products, which can be exploited by malicious people to conduct cross-site scripting attacks, SQL injection attacks, cause a DoS (Denial of Service), and compromise a vulnerable system.

1) Certain unspecified input is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
2) Certain unspecified input is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
3) An error within PORTSERV.exe can be exploited to cause a crash via a specially crafted packet sent to TCP or UDP port 111.
4) An error within the processing of certain fields in project files can be exploited to cause a buffer overflow via a specially crafted project file.
5) An insecure method within an ActiveX control can be exploited to overwrite arbitrary files.

Successful exploitation of vulnerabilities #4 and #5 may allow execution of arbitrary code.

The vulnerabilities are reported in the following applications:
* DeltaV and DeltaV Workstations versions 9.3.1, 10.3.1, 11.3, and 11.3.1
* DeltaV ProEssentials Scientific Graph version 5.0.0.6

SOLUTION: Apply hotfix (please contact the vendor for more information).


Without the subscription

• You lack the context
  – Analysis of the malware
  – Systems affected
  – Remediation status
  – Ease of exploit
  – Typical topology
  – Number of systems deployed
  – Etc., etc., etc.

Examples

• Following examples are excerpted from an Industrial Control Systems sector-specific threat analysis report provided by Critical Intelligence
• Subscription based product
• Specific to industry

*With thanks to Bob Huber and Sean McBride at Critical Intelligence

Actionable, timely, and relevant

Description: An insecure method within an ActiveX control can be exploited to overwrite arbitrary files [1].

Exposure to attack: Low
Successful exploitation of this vulnerability requires an attacker to interact with attacker-controlled content (visiting a malicious Web page).

Simplicity of Exploitation: Low
Details of this vulnerability are not publicly available.

Difficulty of mitigation: Low
The vendor has reportedly released a hotfix for this vulnerability [1].

Estimated deployment: High
Emerson is a global company, headquartered in St. Louis, Missouri [2], that provides products in “Process Management, Industrial Automation, Network Power, Climate Technologies, and Commercial & Residential Solutions businesses” [3]. DeltaV is a digital automation system from Emerson's Process Management line [5]. DeltaV is used in several sectors, including chemical, food and beverage, gas and oil, life sciences, pulp and paper, metals and mining, and other industries [6].

Topology intelligence

The following diagram shows where the vulnerable software would reside (highlighted in red) in a simplified network diagram based on the ISA 99 reference architecture.

Machine impact: High
Possible process impact: High
As successful exploitation may allow for arbitrary code execution against an HMI machine, a successful attacker would be able to interact with the controlled process at will.

Additional analysis:
Port number(s) of affected service: 80
. . . .
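What the contextualized report adds over the raw feed is the ability to answer "which of my machines, and how urgently?" The following Python is an added illustration of that correlation step; it is not code from the slides or from Critical Intelligence's product. The affected products and versions come from the SA49210 excerpt above and the ratings (exposure, simplicity, mitigation, machine and process impact, port 80) from the report excerpt; the numeric rating scale, the scoring weights, the asset inventory and the hostnames are assumptions constructed for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Qualitative ratings as used in the quoted report, mapped to numbers.
# The numeric mapping and the weights below are assumptions of this example.
RATING = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Advisory:
    advisory_id: str
    products: dict[str, set[str]]   # product -> affected versions
    exposure: str                   # "Exposure to attack"
    simplicity: str                 # "Simplicity of exploitation"
    mitigation_difficulty: str      # "Difficulty of mitigation"
    machine_impact: str
    process_impact: str
    ports: set[int] = field(default_factory=set)


@dataclass
class Asset:
    hostname: str
    product: str
    version: str
    zone: str                       # ISA-99 style zone label (constructed)
    open_ports: set[int]


def affected_assets(adv: Advisory, inventory: list[Asset]) -> list[Asset]:
    """The question a raw feed cannot answer: which of MY machines does this touch?"""
    return [a for a in inventory
            if a.product in adv.products and a.version in adv.products[a.product]]


def priority(adv: Advisory, asset: Asset) -> int:
    """Fold the report's ratings and local context into one number; higher = act sooner."""
    score = (RATING[adv.exposure] + RATING[adv.simplicity]
             + RATING[adv.machine_impact] + RATING[adv.process_impact])
    # Hard-to-mitigate issues stay exposed longer, so they rank higher.
    score += RATING[adv.mitigation_difficulty] - 1
    # Local context: the affected service is actually listening on this host.
    if adv.ports & asset.open_ports:
        score += 2
    return score


def triage(adv: Advisory, inventory: list[Asset]) -> list[tuple[str, int]]:
    """Ranked work list of (hostname, score), highest priority first."""
    ranked = [(a.hostname, priority(adv, a)) for a in affected_assets(adv, inventory)]
    return sorted(ranked, key=lambda hs: (-hs[1], hs[0]))


# Advisory fields taken from the SA49210 excerpt and the report ratings on the slides.
ADVISORY = Advisory(
    advisory_id="SA49210",
    products={"DeltaV": {"9.3.1", "10.3.1", "11.3", "11.3.1"},
              "DeltaV ProEssentials Scientific Graph": {"5.0.0.6"}},
    exposure="Low", simplicity="Low", mitigation_difficulty="Low",
    machine_impact="High", process_impact="High",
    ports={80},
)

# Constructed inventory; hostnames, zones, versions of other products and ports are invented.
INVENTORY = [
    Asset("hmi-01", "DeltaV", "11.3.1", "L2-supervisory", {80, 445}),
    Asset("hmi-02", "DeltaV", "9.3.1", "L2-supervisory", {445}),
    Asset("eng-ws", "DeltaV ProEssentials Scientific Graph", "5.0.0.6", "L3-engineering", {80}),
    Asset("hist-01", "ConstructedHistorian", "2.0", "L3-site", {1433}),
]

if __name__ == "__main__":
    for host, score in triage(ADVISORY, INVENTORY):
        print(f"{host}: priority {score}")
```

The historian never appears in the output because it is not in the advisory's product list, and the two hosts exposing port 80 rank above the one that does not: that is the "specific to your infrastructure" property the slides ask for, produced from feed data plus local inventory.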


Malware analysis

• Detailed malware analysis should include data points like:
  – Filenames
  – Hashes
  – Files written
  – Processes and functions called / call stack
  – Registry entries
  – URLs and sites communicated with
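The data points listed above are only useful if they can be matched against what your own hosts report. The Python below is an added example, not code from the slides, showing that matching for filenames, hashes, files written, registry entries and contacted domains. Every indicator, hostname and telemetry line is constructed for the example (the hash is of a placeholder byte string, the domain uses the reserved .invalid TLD), and the pipe-delimited telemetry format is an assumption.

```python
import hashlib
from collections import namedtuple

Match = namedtuple("Match", "ioc_type indicator line_no host")

# Constructed indicator set in the shape a malware report would deliver.
IOCS = {
    "filename":     {"svchosts.exe"},                       # note the extra 's'
    "hash_sha256":  {hashlib.sha256(b"constructed-sample").hexdigest()},
    "file_written": {r"c:\programdata\updater\cfg.dat"},
    "registry":     {r"hkcu\software\microsoft\windows\currentversion\run\updater"},
    "domain":       {"update-cdn.example.invalid"},
}
# Everything is compared case-insensitively, so keep the sets lower-case.
IOCS = {k: {v.lower() for v in vals} for k, vals in IOCS.items()}

# Constructed host telemetry: "timestamp|host|event|key=value|..."
TELEMETRY = [
    "2012-05-17T10:01:02|hmi-01|process_create|image=C:\\Windows\\Temp\\svchosts.exe|sha256="
    + hashlib.sha256(b"constructed-sample").hexdigest(),
    "2012-05-17T10:01:05|hmi-01|file_write|path=C:\\ProgramData\\updater\\cfg.dat",
    "2012-05-17T10:01:07|hmi-01|registry_set|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
    "2012-05-17T10:02:00|hmi-01|dns_query|name=cdn1.update-cdn.example.invalid",
    "2012-05-17T10:03:00|hmi-02|process_create|image=C:\\Windows\\System32\\svchost.exe|sha256="
    + hashlib.sha256(b"benign-sample").hexdigest(),
    "2012-05-17T10:04:00|hmi-02|dns_query|name=www.example.invalid",
]


def _parse(line):
    ts, host, event, *rest = line.split("|")
    kv = dict(item.split("=", 1) for item in rest)
    return ts, host, event, kv


def _domain_hit(name):
    """Match the name or any parent domain, so subdomains of a listed site still hit."""
    labels = name.lower().split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in IOCS["domain"]:
            return cand
    return None


def scan(lines):
    """Return one Match per indicator observed, in telemetry order."""
    hits = []
    for n, line in enumerate(lines, 1):
        _ts, host, event, kv = _parse(line)
        if event == "process_create":
            base = kv["image"].rsplit("\\", 1)[-1].lower()
            if base in IOCS["filename"]:
                hits.append(Match("filename", base, n, host))
            digest = kv.get("sha256", "").lower()
            if digest in IOCS["hash_sha256"]:
                hits.append(Match("hash_sha256", digest, n, host))
        elif event == "file_write":
            path = kv["path"].lower()
            if path in IOCS["file_written"]:
                hits.append(Match("file_written", path, n, host))
        elif event == "registry_set":
            key = kv["key"].lower()
            if key in IOCS["registry"]:
                hits.append(Match("registry", key, n, host))
        elif event == "dns_query":
            dom = _domain_hit(kv["name"])
            if dom:
                hits.append(Match("domain", dom, n, host))
    return hits


def implicated_hosts(lines):
    return {h.host for h in scan(lines)}


if __name__ == "__main__":
    for h in scan(TELEMETRY):
        print(f"line {h.line_no} host {h.host}: {h.ioc_type} = {h.indicator}")
```

The legitimate svchost.exe on hmi-02 produces no match because both the filename and the hash differ; a filename-only indicator would be the weakest of the set, which is why a report that also gives hashes, written files and registry keys lets you corroborate a hit instead of acting on one data point.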

Emerging threat analysis

Attack Tools that Potentially Affect ICS
This section describes attack tools that potentially affect control systems that were identified during the reporting period.

Tool name: telnet_ruggedcom Metasploit module
Date identified: 05/17/12
Tool availability: Open Source
Description: telnet_ruggedcom is an exploit module [1-2] for the hardcoded backdoor password that exists in Siemens RuggedCom switches [3].
Analysis: Proof of concept code was released when this vulnerability was made public on the Full Disclosure mail list. This exploit code takes that code to the next level and puts it in the popular Metasploit toolkit.

APT Analysis

• APT receptor sites
  – Analysis of the attack campaigns
  – Descriptions of the traffic
  – Analysis of the malware
  – Signatures
  – APT trends


How do IT threats impact your sub-sector?

• If your analysis product is not just a general IT-space report, then it should contain analysis of how new threats in the IT space can impact your segment


IT threats continued


Threat traffic analysis

ICS Network Activity
This section presents network port activity for commonly used control system ports. This activity may represent legitimate control systems traffic. It may also represent other traffic using these ports. Spikes in targets may represent attempts to locate or attack services using these ports. Spikes in sources may represent distributed scanning. Spikes in records may represent repeated connection attempts. Analysis is based on data provided by the SANS Internet Storm Center.

Highly Significant Spikes
• Port 102: Spike in records May 15 - ICCP
• Port 1089: Spike in records May 14 - Foundation Fieldbus HSE
• Port 1090: Spike in records & targets May 14 - Foundation Fieldbus HSE
• Port 1091: Spike in records May 14 - Foundation Fieldbus HSE
• Port 1541: Spike in records May 14 - Foxboro/Invensys Foxboro DCS Informix
. . .
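The report's records/sources/targets distinction is a simple but useful classifier, and the same logic can be run over your own perimeter counts. The Python below is an added example, not the report's method or the Internet Storm Center's: it flags a metric on a day when it reaches three times the median of the prior days for that port, and phrases the result the way the report does. The port-to-service names come from the excerpt; the daily counts, the threshold factor and the minimum history length are constructed assumptions.

```python
from collections import defaultdict
from statistics import median

# Service names as given in the report excerpt.
ICS_PORTS = {
    102: "ICCP",
    1089: "Foundation Fieldbus HSE",
    1090: "Foundation Fieldbus HSE",
    1091: "Foundation Fieldbus HSE",
    1541: "Foxboro/Invensys Foxboro DCS Informix",
}

# How the report reads each kind of spike.
READING = {
    "targets": "attempts to locate or attack services on this port",
    "sources": "distributed scanning",
    "records": "repeated connection attempts",
}

# Constructed daily counts: (date, port, records, sources, targets).
# The numbers are invented; only the port/service names come from the slide.
DAILY = [
    ("2012-05-10", 102, 40, 10, 8), ("2012-05-11", 102, 45, 12, 7),
    ("2012-05-12", 102, 38, 9, 9),  ("2012-05-13", 102, 42, 11, 8),
    ("2012-05-14", 102, 41, 10, 8), ("2012-05-15", 102, 300, 11, 9),
    ("2012-05-10", 1090, 30, 5, 6), ("2012-05-11", 1090, 28, 6, 5),
    ("2012-05-12", 1090, 33, 5, 7), ("2012-05-13", 1090, 31, 5, 6),
    ("2012-05-14", 1090, 200, 6, 60), ("2012-05-15", 1090, 35, 5, 6),
]


def detect_spikes(rows, factor=3.0, min_history=3):
    """Flag a metric on a day when it is >= factor x the median of all prior days for that port."""
    by_port = defaultdict(list)
    for date, port, records, sources, targets in sorted(rows):
        by_port[port].append((date, {"records": records, "sources": sources, "targets": targets}))
    spikes = []
    for port, days in by_port.items():
        for i in range(min_history, len(days)):
            date, today = days[i]
            for metric, value in today.items():
                baseline = median(d[1][metric] for d in days[:i])
                if baseline > 0 and value >= factor * baseline:
                    spikes.append({"date": date, "port": port, "metric": metric,
                                   "value": value, "baseline": baseline,
                                   "service": ICS_PORTS.get(port, "unknown")})
    return sorted(spikes, key=lambda s: (s["date"], s["port"], s["metric"]))


def describe(spikes):
    """Render each spike the way the report phrases it."""
    return [f"Port {s['port']} ({s['service']}): spike in {s['metric']} on {s['date']} "
            f"({s['value']} vs. baseline {s['baseline']}); may represent {READING[s['metric']]}"
            for s in spikes]


if __name__ == "__main__":
    for line in describe(detect_spikes(DAILY)):
        print(line)
```

With the constructed data, port 1090 spikes in both records and targets on May 14 (many connections against many distinct hosts, consistent with locating the service) while port 102 spikes in records only on May 15 with a flat source and target count, which reads as repeated attempts against the same few hosts. A median baseline is used rather than a mean so that one spike day does not inflate the next day's baseline.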

Traffic analysis continued


What is available product wise?

*Examples, not a comprehensive list, nor an endorsement of any product ;)

• Correlated, contextual reports with actionable infrastructure feeds
  – General IT
    • Lockheed
    • McAfee Global Threat Intelligence
    • Verisign iDefense
    • TrendMicro Web Threat Analysis
    • Check Point Threat Cloud
  – Industry specific
    • Banking/Financials – FS-ISAC
    • Healthcare – HITRUST C-TAS
    • ICS – Critical Intelligence

Conclusions

• Relevant
• Actionable
• Timely
• Usable


Questions?

Kevin Lackey [email protected] 512-248-4532
