Information Security Intelligence
- 2. Content
Information Security Intelligence
Basic concepts
Changing threat landscape
Security Intelligence
Intelligence methodology
• Direction
• Collection
• Processing
• Dissemination
The Intelligence Organization
Metrics and effectiveness
Automation of intelligence processes
Conclusion: what to take home
©2007 Cybertrust. All rights reserved. www.cybertrust.com 2
- 3. 1. Basic concepts of security and information
Robust systems and incident response
- 4. Basic concepts of security
Robust systems
Information Security Professionals strive to build robust systems that are
reliable, fail in predictable ways and resist attack.
This is sometimes called the Ross Anderson school of thought, as it is the main undertone of his
book ‘Security Engineering’.
Time-based security
In reality, systems do still fail, so we introduce controls to make successful
attacks more difficult, increasing the time between attack and compromise.
This time allows for detection and incident response.
Coined by Winn Schwartau in his book ‘Time Based Security’
- 5. Basic concept of information
Data: Unordered events, facts or figures.
Information: Collected facts and data on a subject,
ordered data.
Knowledge: Awareness or possession of information,
facts, truth, principles.
Wisdom: Knowledge and experience required to make
sensible decisions and judgments.
Intelligence: The required input for getting to wisdom
in a structured manner, and the process of
establishing this input.
- 7. Virus and malware evolution
Computer viruses used to pose an availability threat to end user data. In 1991, Tequila
infected local executable files and spread through infected floppies.
- 8. Virus and malware evolution
Change in methodology:
Malicious code is now spread through compromised sites
Change in target:
This same code now gathers authentication credentials for internet banking
sites or on-line games.
- 9. Format rendering vulnerabilities
Vulnerabilities in network-exposed services have always been
popular targets for exploitation.
Our response has been to minimize the attack surface by disabling services
where they are not necessary.
The increased popularity of fuzzers has now exposed a new
class of vulnerabilities:
• Attacking indirectly by exploiting vulnerabilities in file format parsers such as
Microsoft Office and Ichitaro word processor
• Recently used in targeted attacks against organizations
• UK Government institutions (2005)
• US Department of State (2006)
- 10. Just last week
Organizations are being targeted with e-mails from a valid
‘business partner’ with an RTF attachment.
• RTF: Rich Text Format, which is able to contain OLE embedded objects, such
as executables;
• Many anti-virus solutions scan the RTF file but do not unpack the
embedded object;
• Issue first identified in 2005, re-identified in 2007.
Many risks:
• What if you are the ‘business partner’?
• Is your team aware of these types of attacks, and is there a plan on how to
respond to them?
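The following check is an added example, not part of the original deck or of any Cybertrust tool: it performs the unpacking step the slide says many scanners skip, at the RTF control-word level, by walking the brace-delimited groups, reporting each \object group's OLE class and decoded \objdata size, and flagging the generic ‘Package’ class (which wraps an arbitrary file) or an MZ header in the data. The sample RTF and its \objdata bytes are constructed, and the MZ check is a heuristic assumption rather than a full OLE parser.

```python
import re

# Constructed sample RTF (not a real captured attachment): one embedded OLE
# object of class "Package", the generic class that wraps an arbitrary file.
# The \objdata hex is a constructed stand-in for the object's native data.
SAMPLE_RTF = r"""{\rtf1\ansi\deff0
{\fonttbl{\f0 Arial;}}
\pard Quarterly figures attached.\par
{\object\objemb{\*\objclass Package}{\*\objdata 0105000002000000080000005061636b61676500}}
\par}"""

OBJCLASS_RE = re.compile(r"\\objclass\s+([^}\\]+)")
OBJDATA_RE = re.compile(r"\\objdata\s+([0-9a-fA-F\s]+)")

def rtf_group_at(rtf, start):
    """Return the brace-delimited RTF group that opens at rtf[start]."""
    depth, i = 0, start
    while i < len(rtf):
        ch = rtf[i]
        if ch == "\\":          # control word or escaped brace: skip the next character
            i += 2
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return rtf[start:i + 1]
        i += 1
    return rtf[start:]          # unterminated group: take the remainder

def find_embedded_objects(rtf):
    """One record per \\object group: OLE class, embed flag, decoded data size."""
    findings = []
    for m in re.finditer(r"\{\\object\b", rtf):
        group = rtf_group_at(rtf, m.start())
        cls = OBJCLASS_RE.search(group)
        data = OBJDATA_RE.search(group)
        raw = bytes.fromhex(re.sub(r"\s+", "", data.group(1))) if data else b""
        findings.append({
            "class": cls.group(1).strip() if cls else "",
            "embedded": "\\objemb" in group,
            "data_bytes": len(raw),
            "has_mz": b"MZ" in raw,   # heuristic only: an MZ header inside the object data
        })
    return findings

def suspicious(findings):
    """Flag objects that wrap arbitrary files ("Package") or carry an MZ header."""
    return [f for f in findings if f["class"] == "Package" or f["has_mz"]]
```

A mail gateway would run `suspicious(find_embedded_objects(attachment_text))` and quarantine on a non-empty result; a production scanner should also parse the decoded OLE data itself.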
- 11. Conclusion
A much more complex threat environment has drastically
increased the scope of ‘residual risk’.
Do we fully understand these and other emerging threats or threat
facilitators?
Did we see them coming or did we ‘respond’?
How can our information security program deal with these events
more proactively, saving resources?
- 13. Security Intelligence
As a product, intelligence is information that has the ability to
reduce uncertainty in decision-making.
Intelligence is also the process of gathering, evaluating,
correlating and interpreting information, and disseminating
it to decision makers.
Everyone in the organization performs the intelligence role, but
it is only rarely formalized.
- 14. The Intelligence Cycle
[Diagram: the intelligence cycle. Direction and Planning → Collection → Processing → Dissemination, feeding back into Direction and Planning.]
- 15. Direction
Security intelligence is gathered in response to management
requirements. Such requirements can originate with business
management as well as with information security management.
The intelligence process is generally started by defining:
Key Intelligence Topics
• Threats towards our information assets;
• Threats towards our reputation;
Key Intelligence Questions
“To what degree are incidents reported that could be instigated by our
competitors?”;
“There has been an increase in the number of successful security
incidents. Are we missing a trend, or not seeing the wider picture?”
- 16. Direction: current intelligence
Aims to provide up-to-date intelligence to enable day-to-day
intelligent decision-making:
New vulnerabilities;
Exploits being released;
Important new talks at security conferences.
Aims to answer:
Should we patch?
Should we install new software?
- 17. Direction: warning intelligence
Warning intelligence prepares the organization for new and
emerging threats, and serves as input to the risk management
processes already in place.
• Warning intelligence monitors trends over a longer period of time
and identifies emerging threats;
• Aims to prevent being ‘surprised’:
  • WMF file format vulnerability in 2005;
  • Targeted attacks in 2005-2007.
- 18. Collection targets
Intelligence exists both internally and externally.
If you know the enemy and know yourself, you need not fear the
result of a hundred battles. If you know yourself but not your enemy,
for every victory gained you will also suffer a defeat. If you know
neither the enemy nor yourself, you will succumb in every battle
- Sun Tzu
Internal sources
- Intrusion Detection Systems
- Security Event Manager
- Individual logs
- Personnel
- 19. Collection targets
External sources
- Vendors
- Microsoft, Verisign, Symantec each publish security intelligence reports
- iDefense, Secunia, IBM, Cisco sell security intelligence information
- Sharing of information
- FS-ISAC, Water ISAC, IT ISAC, Electricity Sector ISAC
- NSP & threat related mailing lists
- SANS Internet Storm Center
- Law enforcement contacts
- 20. Collection sources
Closed sources
- Some information is not publicly available, and is someone else’s
intellectual property;
- Usually neither ethical nor lawful to access, but it may be shared with the
organization while remaining closed to others.
Grey sources
- Sources that have a significant barrier to entry (e.g. the cost of accessing a
database) while being open to everyone who is interested.
Open sources
- Information that is generally available to everyone;
- May not be on the internet, or may not be in English.
- 22. Processing: collation
When received, information needs to be ordered based on a
characteristic of interest to the process. This may be:
• Time of occurrence of certain events;
• Region of occurrence;
• Size of business impact.
- 23. Processing: evaluation
Evaluating information prior to accepting it
Is the information:
• Accurate;
• Complete;
• Timely;
• Potentially fabricated?
We also try to establish with what purpose the information was
provided to us.
Is there any way it can be verified using existing information
(information triangulation)?
- 24. Processing: synthesis/analysis
The analysis phase consists of two subsets:
Synthesis
In the synthesis phase, a model is generated of the threat at hand or of
the intelligence question. This model consists of a systems-centered
replica of the question at hand, including all its inputs, outputs,
processes and algorithms. Models can be physical or conceptual.
Analysis
Extracting knowledge from a model by:
• changing an input parameter and monitoring the model’s output;
• identifying and studying forces that have an impact on any parameter
and measuring their impact on the final output.
- 25. Processing: synthesis
Generic models
Timelines, maps, process models.
Sample applied models
Broken Windows Model
Field Anomaly Relaxation
Threat assessment models
Ballistic Threat Model
Some models are better placed to function in warning analysis,
others are ideal for current analysis.
- 26. Processing: integration
Integrate information within existing frameworks
• Dominant use of databases;
• Web 2.0 technology for specific purposes:
  • Wiki for collaboration on topics;
  • Blogs for inter-group communication of ‘prime time’ issues;
  • Forums for generic Q&A;
  • Social networking for location of subject matter experts.
- 27. Processing: interpretation
Information is interpreted by:
- Formulating hypotheses;
- Testing hypotheses.
When a hypothesis is not supported by most of the information, or is shown to be unreasonable by
even a single item of trusted information, it is proven false and new
hypotheses need to be generated.
Unfortunately, cognitive limitations apply:
Information that has personal relevance is likely to be ranked higher than
impersonal, but perhaps more important, data (your former department’s assets
at risk?);
Most people believe other cultures and other organizations think and act in
similar ways to themselves.
- 28. Processing: interpretation
Methodology to reduce impact of bias:
Analysis of Competing Hypotheses
• Prepare a matrix of hypotheses;
• Refine this matrix by deleting evidence with little diagnostic value;
• Draw preliminary conclusions of likelihood. Attempt to disprove hypotheses;
• Analyze sensitivity of the conclusion to the items of evidence;
• Report conclusions. Include relative likelihood of all hypotheses;
• Identify milestones for future observation.
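The six steps above carried through in code, as an added example that is not from the deck (hypotheses, evidence items and ratings are constructed): the matrix is scored the way Heuer's method prescribes, by counting the evidence inconsistent with each hypothesis rather than what confirms it, and the sensitivity step reports which single items the leading hypothesis hinges on.

```python
# Constructed ACH matrix (hypotheses, evidence and ratings are illustrative).
# Ratings follow Heuer's scheme, in HYPOTHESES order per evidence item:
# C = consistent with the hypothesis, I = inconsistent, N = neutral / not applicable.
HYPOTHESES = [
    "H1 targeted by a competitor",
    "H2 untargeted malware wave",
    "H3 detection simply improved",
]
EVIDENCE = {
    "E1 incidents cluster in one business unit":                ["C", "N", "N"],
    "E2 identical samples reported by ISAC peers":              ["I", "C", "N"],
    "E3 no detection rules changed this quarter":               ["N", "N", "I"],
    "E4 vendor reports a global campaign":                      ["N", "C", "N"],
    "E5 incidents came from third-party notices, not sensors":  ["N", "N", "I"],
    "E6 incident count rose in every region":                   ["C", "C", "C"],
}

def diagnostic_evidence(evidence):
    """Step 2: drop items rated the same for every hypothesis; they cannot discriminate."""
    return {e: r for e, r in evidence.items() if len(set(r)) > 1}

def inconsistency_scores(hypotheses, evidence):
    """Step 3: ACH ranks by how much evidence contradicts each hypothesis, not what confirms it."""
    return {h: sum(r[i] == "I" for r in evidence.values()) for i, h in enumerate(hypotheses)}

def leading(hypotheses, evidence):
    """Hypotheses with the fewest inconsistencies; ties are reported, not silently broken."""
    scores = inconsistency_scores(hypotheses, evidence)
    best = min(scores.values())
    return [h for h in hypotheses if scores[h] == best]

def pivotal_evidence(hypotheses, evidence):
    """Step 4: items whose removal changes the leading set, i.e. what the conclusion hinges on."""
    baseline = leading(hypotheses, evidence)
    return [e for e in evidence
            if leading(hypotheses, {k: v for k, v in evidence.items() if k != e}) != baseline]

def report(hypotheses, evidence):
    """Step 5: relative standing of every hypothesis, most to least plausible."""
    ev = diagnostic_evidence(evidence)
    scores = inconsistency_scores(hypotheses, ev)
    return {
        "ranking": sorted(hypotheses, key=scores.get),
        "scores": scores,
        "pivotal": pivotal_evidence(hypotheses, ev),
        "dropped": [e for e in evidence if e not in ev],
    }
```

In the constructed matrix the conclusion rests on a single item (E2), which is exactly what step 6 turns into a milestone to keep watching.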
- 30. Processing: interpretation
Decision making support tool by PARC
• As with all intelligence analysis, merely a supportive measure
• It doesn’t make decisions for you
• Formalizes the process and forces the analyst
to employ competing hypotheses
• Instills trust in recipient of intelligence information
• Free of charge at:
• http://www2.parc.com/istl/projects/ach/ach.html
- 31. Dissemination
Perhaps the most important phase of the intelligence process.
Making decisions should be separated from the intelligence gathering
process; however, this may not always be possible.
In smaller organizations, intelligence gathering may be performed by
operational teams, which may then make decisions on it themselves.
The presentation of evidence may impact decisions:
Representation of numbers;
Risk is low, medium, “slam dunk”;
The cost of collection often inflates the perceived importance of the information.
Sample deliverables
Threat reports
Statistical information
- 33. Intelligence as a CERT function
CERT teams often also carry a partial intelligence function:
Track vendor bulletins and re-issue those that may affect the organization;
CERTs have defined matrix-team liaisons across the organization.
Advantages
Usually an existing, skilled team;
Awareness of threats can be used in incident response.
Makes the CERT realize the value of maintaining a good inventory of
security incidents;
Greater visibility of the CERT to management.
Disadvantages
Less appropriate for warning analysis;
Intelligence function may suffer during high-incident timeframes.
- 34. Intelligence as a research group
A specific research team is assigned to perform ongoing intelligence efforts. It
usually delivers input to the risk analysis process, or supports it by acting as mediator
and subject matter expert.
Advantages
Dedicated team;
Team members can be selected more accurately;
Intelligence function remains independent from decision makers.
Disadvantages
Less visibility and experience with company assets than a CERT.
- 35. A quote
“Intelligence is best done by a minimum number of men and women of
the greatest possible ability”
- RV Jones, UK Military Intelligence Expert
(1911-1997)
- 37. Measuring intelligence results
Security Intelligence is primarily a support function to risk
management. It enables:
Better measurement in support of risk management;
Better measurement of risk management efforts;
Some measurement of the intelligence product.
Some examples:
Measuring the threat level against the organization: how many of
the vulnerability exploitations observed against the network were
not actively translated into a worm, but had a high complexity of
exploitation according to the NVD;
Of all the new threats that required change management, how many
was the team informed of well in advance?
- 39. Automating intelligence
Most software currently available is aimed at:
Intelligence/Law Enforcement clients;
• Uses industry-developed checklists and data-mining tools;
• Allows interaction with various closed databases, but consists mainly of collaboration tools;
• Inxight, Interquest, ...
Competitive intelligence;
• Market research, competitor analysis, internet discussion tracking;
• Digimind, Factiva, Trellian, Attentio...
Information Security threat management (event management):
• Automates the collection process by crawling open, grey and closed databases;
• Stores key concepts and makes them searchable;
• Some apply automated translation.
- 40. Automating intelligence
In 2004, the RAND Institute published a major study on the
automation of intelligence structures.
• Introduces ASAP: Atypical Signal and Analysis Processing Schema
• Interceptor agents: test data and gather information;
• Detection agents: filter the dots for events matching and violating criteria;
• Agents to identify relationships and sweep back using these for further information;
• Hypotheses agents: create and test;
• Prioritize hypotheses and forward to analysts for manual review
• Also introduces a framework for short-term implementation:
• Use Delphi technique to obtain expert opinion on ‘status quo’ in monitored threats;
• Define ‘items of note’ that may impact the expression of these threats;
• Design systems to monitor these ‘items of note’;
• Establish virtual communities amongst experts to track these items and use modelling for
forecasting.
• Future tools will most likely be based on similar frameworks
- 42. Intelligence
It is
• A support tool that enables better risk management;
• A formalized way of dealing with ‘current’ and ‘warning’ research
questions and forecasting;
• Consists of collection that occurs both within the organization (know
yourself) and outside the organization (know thy enemy);
It is not:
• Something you purchase in itself, though it can consist of
purchased ‘current’ intelligence with in-house research;
• Yet fully standardized: many concepts, ideas and models linger, but
many are only published in journals.
- 43. Combine strengths
Vendors are best placed to:
• Provide information (‘intelligence’) on what is happening on the
internet and in the business, and who is likely to be targeted;
• Provide detail on current incidents and attacks;
• Help with the definition of relevant models.
Organizations themselves should:
• Consider the use of intelligence concepts in their research and risk
management processes;
• Better understand their own networks, systems and people;
• Make use of public information where available to enable better
decision making.
- 44. 5. Any Questions? maarten.vanhorenbeeck@cybertrust.com
Tel. +32 (016)28 73 92