Presented at the Minneapolis Chapter Palo Alto Networks Fuel Users Group Meeting on May 7, 2015, this talk opens with a frank assessment: it could be worse, but breaches are inevitable against a motivated attacker with time and resources. The presentation moves from sobering breach data through the imperative of threat intelligence sharing, and closes with practical tools and vendor solutions for operationalizing that intelligence.
Breaches Are Inevitable
The opening frames the problem with vivid examples. Against a motivated attacker with time and resources, breaches are inevitable. But it doesn’t always take a super genius – sometimes credentials are published on post-it notes visible during interview segments, or sensitive information appears on big sheets of paper in the background of photos. Human error remains the simplest attack vector.
2014 By the Numbers
Drawing on the Verizon 2015 Data Breach Investigations Report, the presentation reviewed 2014’s incidents across several dimensions: incidents and data loss volume, threat sources, attack vectors, and the persistent gap between time to compromise versus time to discover.
The year’s headline breaches included:
- Neiman Marcus – 350,000 records
- Hilton, Marriott, Westin and Sheraton – 168 hotels
- Michaels – 2.6 million cards
- Affinity Gaming – 11 casinos
- New York Attorney General – 22.8 million records
- P.F. Chang's – 33 restaurants
- Community Health Systems – 4.5 million patient records
- Home Depot – 56 million cards
- Jimmy John's – 216 stores (PoS system)
- JP Morgan Chase – 76 million households + 7 million businesses
- …and many, many more.
The message was clear: we really need to get better at this, and we need to change our approach.
Information Sharing and ISAOs
Change is good, and sharing is good. The presentation highlighted the founding of the NorSec ISAO (Information Sharing and Analysis Organization), established under the Executive Order of Feb 13, 2015, "Promoting Private Sector Cybersecurity Information Sharing," which builds on EO 13636 and PPD-21. Palo Alto Networks was listed as a founding member.
By sharing what we have an abundance of – LOGS – organizations can collectively improve their defensive posture.
What Is Threat Intelligence?
Threat intelligence is built from the combination of Indicators of Compromise (IoCs) and relevant threat activity:
Indicators of Compromise (IoCs):
- DNS Hosts
- IP Addresses
- E-Mail Addresses
- URLs
- Files (hashes)
Relevant Threat Activity:
- Campaigns
- Malware
- Known Adversaries
Together these yield crowd-sourced actionable cyber threat intelligence, vetted by experts.
The NorSec ISAO platform provided views into known adversaries, indicators of compromise, threats, threat actor overviews, and threat actor associations.
Open Sources of Threat Data
- APTnotes reports: https://github.com/kbandla/APTnotes
- ShadowServer: https://www.shadowserver.org/
- REN-ISAC's Collective Intelligence Framework: http://csirtgadgets.org/ (#CIF on Freenode)
- Vocabulary for Event Recording and Incident Sharing (VERIS): http://veriscommunity.net
Operationalizing Threat Intelligence
What do you do with all this data?
- Integrate ThreatConnect with Splunk: https://splunkbase.splunk.com/app/1893/
- Block known hostiles at the system level using host-based firewalls, email filtering, and IDS alerts
- Discover hashes with HIDS (Tripwire, OSSEC, et al.)
- Bro-IDS for network-level detection
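The indicator types listed under "What Is Threat Intelligence?" and the "what do you do with all this data" question above meet at one point: a feed has to be normalized and matched against the logs an organization already has in abundance. The following is an added example, not code from the talk, the NorSec ISAO platform, ThreatConnect or any other vendor named here. It is a small Python matcher that loads a constructed indicator feed (domains, single IPs and CIDR ranges, e-mail addresses, URLs, file hashes), normalizes each value, and scans constructed DNS, proxy, mail and HIDS log lines, reporting every hit together with the campaign, malware or adversary the feed attaches to the indicator. Every feed entry, log line, host name, address and hash below is made up, and the key=value field names (`query=`, `dst=`, `url=`, `from=`, `sha256=`) are an assumed log format, not any product's real output.

```python
"""Added example: match a constructed IoC feed against constructed log lines.
Not code from the talk or any vendor it mentions; all values are invented."""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlsplit, urlunsplit


@dataclass(frozen=True)
class Indicator:
    kind: str     # "domain", "ip", "email", "url" or "hash"
    value: str    # normalized form of the indicator
    context: str  # relevant threat activity the feed attaches to it


# Constructed feed: (kind, raw value as a feed might publish it, context).
# Values are deliberately mixed-case / trailing-dot to exercise normalization.
RAW_FEED = [
    ("domain", "Update-Check.example.net.", "ExampleRAT C2 (campaign EXAMPLE-PHISH-1)"),
    ("ip", "198.51.100.23", "adversary EXAMPLE-ACTOR-A"),
    ("ip", "203.0.113.0/24", "campaign EXAMPLE-SCAN-2"),
    ("email", "Invoice@Mail.Example.org", "campaign EXAMPLE-PHISH-1"),
    ("url", "http://update-check.example.net/Stage2.bin", "ExampleRAT stage-2 download"),
    ("hash", "0123456789abcdef" * 4, "ExampleRAT dropper"),  # constructed SHA-256
]

# Constructed log lines in an assumed "source key=value ..." format.
LOG_LINES = [
    "2015-05-07T09:58:40Z mail from=Invoice@mail.example.org to=bob@corp.example subject=Invoice",
    "2015-05-07T10:01:12Z dns client=10.0.0.15 query=cdn.update-check.example.net. type=A",
    "2015-05-07T10:01:13Z proxy client=10.0.0.15 dst=198.51.100.23 url=http://UPDATE-CHECK.example.net/Stage2.bin",
    "2015-05-07T10:02:30Z dns client=10.0.0.22 query=www.example.com type=A",
    "2015-05-07T10:05:00Z hids host=ws-15 file=/tmp/svc.exe sha256=" + "0123456789ABCDEF" * 4,
    "2015-05-07T10:07:45Z proxy client=10.0.0.22 dst=203.0.113.77 url=http://www.example.com/",
]

# Which log fields carry which kind of observable (assumed log schema).
FIELD_KINDS = {"query": "domain", "dst": "ip", "url": "url",
               "from": "email", "sha256": "hash", "md5": "hash"}


def normalize(kind: str, value: str) -> str:
    """Canonical form so that feed values and log values compare equal."""
    v = value.strip()
    if kind == "domain":
        return v.lower().rstrip(".")            # case-insensitive, drop root dot
    if kind == "ip":
        return str(ipaddress.ip_network(v, strict=False))  # "a.b.c.d" -> "a.b.c.d/32"
    if kind == "url":
        p = urlsplit(v)                          # scheme and host are case-insensitive,
        return urlunsplit((p.scheme.lower(), p.netloc.lower(),  # the path is not
                           p.path, p.query, p.fragment))
    if kind in ("email", "hash"):
        return v.lower()
    raise ValueError(f"unknown indicator kind: {kind}")


def load_feed(raw):
    return [Indicator(kind, normalize(kind, value), ctx) for kind, value, ctx in raw]


FEED = load_feed(RAW_FEED)


def indicator_matches(ind: Indicator, observed: str) -> bool:
    """True if an observed log value is covered by the indicator."""
    if ind.kind == "ip":
        try:  # a single IP indicator is a /32 network, so CIDR feeds work too
            return ipaddress.ip_address(observed) in ipaddress.ip_network(ind.value)
        except ValueError:  # field was not a valid address
            return False
    if ind.kind == "domain":  # exact host or any subdomain of the indicator
        obs = normalize("domain", observed)
        return obs == ind.value or obs.endswith("." + ind.value)
    return normalize(ind.kind, observed) == ind.value


def scan(lines, feed):
    """Return one hit per (log field, indicator) pair, with its threat context."""
    hits = []
    for idx, line in enumerate(lines):
        for field, observed in re.findall(r"(\w+)=(\S+)", line):
            kind = FIELD_KINDS.get(field)
            if kind is None:
                continue  # internal client IPs, subjects, etc. are not matched
            for ind in feed:
                if ind.kind == kind and indicator_matches(ind, observed):
                    hits.append({"line": idx, "field": field, "observed": observed,
                                 "indicator": ind.value, "context": ind.context})
    return hits


def summarize(hits):
    """Group observed values by campaign/malware/adversary for the analyst."""
    by_context = {}
    for h in hits:
        by_context.setdefault(h["context"], set()).add(h["observed"])
    return {ctx: sorted(vals) for ctx, vals in by_context.items()}


if __name__ == "__main__":
    found = scan(LOG_LINES, FEED)
    for h in found:
        print(f"line {h['line']}: {h['field']}={h['observed']} "
              f"matches {h['indicator']} [{h['context']}]")
    for ctx, vals in summarize(found).items():
        print(f"{ctx}: {vals}")
```

Run as-is, it reports six hits across five of the six lines: the phishing sender, the C2 host reached through a subdomain, the adversary IP and the stage-2 URL on the same proxy line, the dropper hash from the HIDS inventory, and a destination inside the scanning CIDR; the benign lookup of www.example.com produces nothing. The normalization step is where most real-world misses happen (trailing dots, mixed-case hashes, a /32 feed value against a CIDR in another feed), which is why it lives in one function used on both the feed side and the log side.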
Palo Alto Networks Solutions
- APT Detection with WildFire: Sandbox threats and automatic signature generation
- Endpoint protection with Traps: Kills 27 exploit techniques
- High confidence IoCs automatically blocked
Upcoming Events
- BSidesMSP Unconference – Tue May 12, 11 a.m. to 3 p.m., Eagle Street Grill, St Paul
- CryptoParty MN – Sat May 9 at 1300, Hack Factory
- Security B-Sides MSP 2015 – Sat & Sun June 13-14, Theme “Threat Intelligence,” RSVP at BSidesMSP.org, Target Commons, Downtown Minneapolis
This presentation can be found at http://github.com/itriskltd.