CTI SO

Data Security at Università degli Studi di Napoli Federico II

Page 4

  • Threat Intelligence Definition

    • Actionable intelligence is analyzed, contextualized, timely, accurate, relevant, and predictive.

    • Provides evidence-based knowledge about existing or emerging threats to assets.

  • Elements of Threat Intelligence

    • Identifying adversaries, their goals, attribution, motivation, tactics, techniques, and incidents.

  • Cyber Threat Intelligence Standards

    • Focus on understanding adversaries and their actions.

Page 5

  • Actionable Intelligence Process

    • Data filtering is crucial to distinguish between noise and relevant information.

    • Information must have a strategic purpose to be considered intelligence.

    • Actionable intelligence involves evidence-based assessments that can be acted upon.

Page 6

  • Cyber Threat Intelligence Lifecycle

    • Goals include identifying attackers, understanding motivations, methods, and characteristics.

    • Data is gathered from technical and human sources for analysis and production.

    • Feedback loop ensures continuous improvement in threat intelligence processes.

Page 7

  • Threat Data vs. Threat Intelligence

    • Threat Data is raw information, while Threat Intelligence is analyzed, contextualized, and predictive.

    • Example: Data dump related to ATM compromise vs. specific ATM versions and card references.

Page 8

  • IOCs and Threat Intelligence Feeds

    • IOCs are forensic artifacts of intrusions, while threat intelligence feeds provide indicators for threat awareness.

    • Sharing IOCs enhances incident detection and prevention across organizations.

Page 9

  • Pyramid of Pain

    • Represents indicators for detecting adversary activities and the level of difficulty for adversaries to adapt.

Page 10

  • Pyramid of Pain (Continued)

    • Hashes are accurate IOCs but can be easily changed.

    • Adversaries can change IP addresses effortlessly, while domain changes require more effort.

Page 11

  • Cyber Threat Intelligence - Pyramid of Pain

    • Light-yellow color signifies negative impact on adversaries

    • The higher up the pyramid an analyst's detections sit, the more effort the adversary must spend to rebuild what was detected

    • Analyst's detection of tools forces adversaries to research and develop new tools

    • Analyst's knowledge of adversary's behavior causes high pain to adversary

    • Pyramid of pain helps detect adversary activities and their pain levels
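The Pyramid of Pain bullets above, and the OSINT indicator types on the next page (C2 servers, checksums, infected IPs and URLs), are easiest to see with a small classifier: given a raw feed of indicators, infer each indicator's type from its shape and rank it by how costly it is for the adversary to change. This is an added example, not material from the slides; the sample feed is constructed (RFC 5737/2606 example values), and the `tool:` and `ttp:` prefixes are an assumption of this example, since a flat text feed has no way to express tools or behaviours otherwise.

```python
import ipaddress
import re
from dataclasses import dataclass

# Pyramid of Pain levels, ordered from the bottom (trivial for the adversary
# to change) to the top (costly to change). Numbers only express that order.
PAIN_LEVELS = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
# Hostname: dot-separated labels of 1-63 chars, no leading/trailing hyphen
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


@dataclass
class Indicator:
    value: str
    kind: str   # key of PAIN_LEVELS
    pain: int


def classify(raw: str) -> Indicator:
    """Infer the indicator type from its shape and assign its pyramid level.

    The 'tool:' and 'ttp:' prefixes are an assumption of this example: a feed of
    plain strings cannot express tools or behaviours, so they are tagged explicitly.
    """
    value = raw.strip()
    if value.lower().startswith("tool:"):
        return Indicator(value[5:].strip(), "tool", PAIN_LEVELS["tool"])
    if value.lower().startswith("ttp:"):
        return Indicator(value[4:].strip(), "ttp", PAIN_LEVELS["ttp"])
    # File hashes: MD5 (32 hex digits), SHA-1 (40) or SHA-256 (64)
    if len(value) in (32, 40, 64) and HEX_RE.match(value):
        return Indicator(value.lower(), "hash", PAIN_LEVELS["hash"])
    try:
        ipaddress.ip_address(value)
        return Indicator(value, "ip", PAIN_LEVELS["ip"])
    except ValueError:
        pass
    # URLs and similar host/network artifacts sit above domains in the pyramid
    if value.lower().startswith(("http://", "https://")):
        return Indicator(value, "artifact", PAIN_LEVELS["artifact"])
    if DOMAIN_RE.match(value):
        return Indicator(value.lower(), "domain", PAIN_LEVELS["domain"])
    raise ValueError(f"unrecognised indicator: {raw!r}")


def parse_feed(text: str) -> list:
    """Parse a one-indicator-per-line feed, skipping blank lines and '#' comments."""
    indicators = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            indicators.append(classify(line))
    return indicators


def rank_by_pain(indicators: list) -> list:
    """Highest pain first: these are the detections the adversary cannot cheaply evade."""
    return sorted(indicators, key=lambda i: i.pain, reverse=True)


# Constructed sample feed (RFC 5737/2606 example address and domain; the MD5 is
# that of the empty string; T1566 is the ATT&CK technique ID for phishing).
SAMPLE_FEED = """\
# constructed OSINT feed for the demo
d41d8cd98f00b204e9800998ecf8427e
198.51.100.7
malicious.example
http://malicious.example/download/stage2
tool: custom-dropper-v2
ttp: T1566 phishing
"""

if __name__ == "__main__":
    for ind in rank_by_pain(parse_feed(SAMPLE_FEED)):
        print(f"{ind.pain}  {ind.kind:<8} {ind.value}")
```

Running the block prints the feed with TTPs and tools first and hashes last, which is the order in which detections are worth the analyst's investment: a hash match is precise but dies with the next recompile, whereas a behavioural detection survives infrastructure and tool changes.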

Page 12

  • Open Source Intelligence - Gathering Cyber Information

    • OSINT useful for understanding malware operations

    • Information includes Command and Control servers, checksums of malicious files, infected IPs and URLs

Page 13

  • Open Source Intelligence - VirusTotal

    • VirusTotal analyzes files and URLs for viruses

    • Uses over 70 antivirus engines for analysis

Page 14

  • AlienVault OTX

    • Provides endpoint scanning, sample submission, and API integration

    • Shares WannaCry hashes for analysis

Page 15

  • AlienVault OTX Indicators of Compromise

    • Lists various indicators like FileHash-MD5 and FileHash-SHA1

    • Helps in identifying malicious activities

Page 16

  • PassiveTotal

    • Involves gathering information without direct interaction with the target

    • Includes resolutions, certificates, host pairs, and other data points

Page 17

  • PassiveTotal Information

    • Provides details on IP networks, WHOIS information, and entity handles

    • Records changes and updates for tracking purposes

Page 19

  • Reporting in Open Source Intelligence

    • Includes executive summary, threat description, analysis, conclusion, and recommendations

    • Lists indicators of compromise for threat identification

Page 20

  • Case Study - Bad Rabbit

    • Involves identifying IoC and metadata for Bad Rabbit

    • Steps include using OSINT engines and writing a report

Page 21

  • Tools - Maltego

    • Data mining and information-gathering tool

    • Maps gathered information for easy understanding and manipulation

Page 22

  • Maltego Features

    • Provides data visualization and manipulation tools

    • Helps in tasks like email harvesting and subdomain mapping

Page 23

  • Open Source Intelligence Data Security

    • Continuation of discussion on cybersecurity technologies and data security.

Page 24: Cybersecurity Technologies - Open Source Intelligence

  • Case study on Bad Rabbit

  • Identify information on Bad Rabbit, including IoC and metadata

    • Steps:

      • Use data from previous analysis to create a Maltego case

      • Enrich data to find more information

Page 25: Cybersecurity Technologies - Critical Success Points for Cyber Threat Intelligence

  • Implementing a Cyber Threat Intelligence program requires analyzing critical success points

  • No single source can identify all threats, vulnerabilities, and attacker techniques

  • Choice of technology and feeds can impact internal processes

    • Know yourself:

      • Plan budget

      • Assess internal staff skills

      • Ensure security technologies are configured correctly

Page 26: Cybersecurity Technologies - CTI Approach

  • Three approaches related to cyber threat hunting: IoC driven, Analytics driven, Hypothesis driven

  • Hypothesis-driven approach involves analyzing attacks based on hypotheses and information

  • Techniques include data analysis, visual analysis, and machine learning algorithms

Page 27: Cybersecurity Technologies - CTI Approach and Intelligence Types

  • Different types of Cyber Threat Intelligence: Strategic, Technical, Tactical & Operational

  • Provides information on risk factors, new threats, and ongoing threats

  • Includes data for quick threat identification and technical details on attacks

Page 28: Cybersecurity Technologies - CTI Use Cases

  • Use cases for Security Operation Center, Anti-Fraud, AML, and Reputation Information

  • Involves monitoring, warning, and custom reports for security and fraud incidents

Page 29-36: Cybersecurity Technologies - Cyber Threat Intelligence Sharing and Data Classification

  • Goal of Cyber Threat Intelligence Sharing is to enable real-time defense against cyber threats

  • Includes aspects like what, when, and how to share information

  • Data classification and information value are crucial for effective threat intelligence

Page 37-38: Cybersecurity Technologies - CTI Elements and Threat Actors

  • Understanding Tactics, Techniques, and Procedures (TTP) of attackers is crucial

  • Threat Actors include Cyber Criminals and Hacktivists with different motives and approaches

  • Cyber Criminals focus on money, while Hacktivists aim for cyber vandalism or causing embarrassment.

Page 39: Cyber Threat Intelligence - CTI Elements

  • State-sponsored attackers target data, not money, to gain sustained access to IT infrastructure.

    • Organizations in sensitive markets like technology, pharmaceuticals, or finance are at higher risk.

  • Insider threats vary from well-meaning employees to malicious actors compromising user accounts.

  • Distinguishing insider threats from legitimate activity is challenging.

Page 40: Cyber Threat Intelligence - Cyber Kill Chain Model

  • The Cyber Kill Chain model by Lockheed Martin outlines seven steps attackers use to compromise organizations.

  • Steps include Reconnaissance, Weaponization, Exploitation, Installation, Command-and-Control, Actions on Objective, and Unauthorized Access.

  • The model enhances visibility into attacks and helps understand adversary tactics.

Page 42: MITRE ATT&CK

  • MITRE ATT&CK is a knowledge base of adversary tactics and techniques used in threat modeling.

  • It serves as a foundation for threat models in various sectors like government and cybersecurity.

Page 43: Diamond Model

  • The Diamond Model analyzes cyber intrusions by focusing on the adversary, capabilities, infrastructure, and victims.

  • It emphasizes relationships and characteristics to understand intrusion events.

Page 46: Diamond Model - Pivoting Scenario & Demo

  • Demonstrates leaving the victim space to discover more about the adversary, capabilities, and infrastructure.

  • Utilizes information like C2 domains, malware, and victim discoveries to track the adversary.

Page 47: Diamond Model - WannaCry Ransomware Case

  • Describes a Diamond model scenario for the WannaCry Ransomware attack in May 2017.

  • Details the phases, results, direction, methodology, and resources used in the attack.

Page 49: CTI Maturity Model

  • Deepcyber's Cyber Threat Intelligence maturity model covers tools, people, and sources.

  • Includes components like Security Threat Intelligence Analytics, Threat Data Analyst teams, and feeds for threat intelligence.


Cybersecurity Technologies

Cyber Threat Intelligence - Feed Data Security

  • Feeds in Threat Intelligence

    • Basic information available in raw or structured format

    • Includes network infrastructure, brand reputation, physical security, social networks, system & mobile malware, fraud analysis, bad actors & AML

  • Types of Threat Feeds

    • System and Mobile Malware: Provides IoCs like IP sources, Command and Control (C&C), hashes of malicious code

    • Bad Actor Threat Feeds: Tracks cyber criminals, hacktivist groups, and cyber espionage teams

    • Brand Reputation: Identifies targets of attacks through OSINT sources

    • Fraud Analysis and Prevention & AML: Provides Phishing URLs, stolen credentials, compromised email addresses, etc.

    • Network Infrastructure & ICS / SCADA: Includes IoCs, details on domains, IP addresses, vulnerabilities on ICS and SCADA systems

    • Social Networks: Provides aggregate information on organizations, groups, or individuals on social networks

    • Physical Security: Offers information on physical threats from geo-political conflicts to ATM security

Vendor Feed Cyber Security

  • Key Vendors

    • FireEye, Group-IB, CrowdStrike, AlienVault, Recorded Future, RiskIQ, Digital Shadows, DomainTools, etc.

Feed Digital Shadow

  • Incident Summary

    • Lists incidents with CVE numbers, exploits detected, severity levels, and affected IPs

  • Data Breaches

    • Reports data breaches and leaks from various sources and domains

  • Marketplace & Forum

    • Describes the location on the Deep and Dark Web for cyber activities

Operations Activity

  • Description

    • Provides a summary of operations activity, timeline, and location

Most Active Threats

  • Events

    • Lists recent events, including Equifax data breach, HBO breach, Equation Group techniques, CIA Center for Cyber Target, etc.

Università degli Studi di Napoli Federico II - Data Security - A.A. 2023/2024

Page 60

  • Cybersecurity Technologies - CTI Standard

    • CAPEC: Comprehensive dictionary and classification taxonomy of known attacks used by analysts, developers, testers, and educators.

    • CybOX: Common structure for representing cyber observables to enhance community understanding and defenses.

    • IODEF: Data representation framework for sharing information about computer security incidents.

    • MAEC: Standardized language for sharing structured information about malware attributes.

    • STIX: Standardized construct to represent cyber threat information with tool-agnostic fields and test mechanisms.

    • TAXII: Set of services enabling sharing of actionable cyber threat information across organizations.

    • VERIS: Set of metrics for describing security incidents in a structured manner.

Page 61

  • Cybersecurity Technologies - Cyber Threat Intelligence

    • Feed Data Security: title slide for the academic year 2023/2024.

Page 62

  • Cybersecurity Technologies - CTI Standard

    • STIX: Edge-and-node based graph data model for capturing cyber threat information.

    • TAXII: Standardizes the trusted, automated exchange of cyber threat information.

Page 63

  • Cybersecurity Technologies - STIX/TAXII Standard

    • STIX: Specifies, characterizes, and captures cyber threat information for various use cases.

    • STIX Common Data Model: Defines object classes shared across various STIX data models.

    • STIX Core Data Model: Provides base package for bundling information classes and relationship-oriented classes.

    • STIX Data Marking Data Model: Enables flexible specification of data markings (handling and sharing restrictions) on content.

    • STIX Architecture: Avoids duplicating data models by leveraging other structured languages and identifiers.

Page 64

  • Cybersecurity Technologies - STIX/TAXII Standard

    • STIX Goals: Enable timely and secure sharing of threat information, support various use cases, and minimize operational changes.

    • TAXII: Enables sharing of actionable cyber threat information across communities.

Page 65

  • Cyber Threat Intelligence

    • Campaign, Course of Action, Exploit Target, Incident, Observable, Indicator

    • Threat Actor, TTP (Tactics Techniques Procedures)

  • STIX Domain Objects (SDO)

    • STIX Relationship Objects (SRO)

Page 66

  • STIX Relationship Objects (SRO)

    • Special Cases

    • Examples of STIX objects: Cyber Observables such as Autonomous System, Email Address, MAC Address, Network Traffic, Process, Software, URL, User Account, Windows Registry Key; plus Malware

  • Threat-actor Relationship Objects (SRO)

    • Related objects: Campaign, Attack-pattern, Identity

Page 70

  • Victim Targeting

    • TTP data model for victim targeting

    • Identity field in VictimTargetingType

  • Exploit Target

    • Represents potential targets of cyber threat activity

    • Describes using exploit target to represent disclosed vulnerabilities

Page 75

  • Example STIX Types Description

    • Threat Actor Profile, Campaigns vs. Intrusion Sets, Indicator for Malicious URL, Malware Indicator for File Hash, Sighting of an Indicator

  • STIX Visualizer

    • Tool for visualizing STIX 2.0 data

Page 76

  • STIX Visualizer

    • Allows dropping STIX 2.0 data or fetching from a URL
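The STIX types summarised on pages 65 to 76 (Indicator for a malicious URL, malware indicator for a file hash, Sighting, and the SDO/SRO split) can be built by hand as a STIX 2.1 bundle of the kind the STIX Visualizer accepts. The block below is an added example, not slide material or OASIS reference code; it constructs the JSON with the standard library instead of the `stix2` library so it runs without dependencies, and it includes a deliberately small pattern evaluator that handles only a single `[type:path = 'value']` comparison. All sample values are constructed (RFC 2606 example domain; the SHA-256 is that of the empty string).

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Single-comparison STIX pattern, e.g. [url:value = 'http://x'] or
# [file:hashes.'SHA-256' = '...']. Boolean operators are out of scope here.
PATTERN_RE = re.compile(r"^\[\s*([a-z0-9-]+):([\w.'-]+)\s*=\s*'([^']*)'\s*\]$")


def _ts() -> str:
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")


def _base(obj_type: str) -> dict:
    """Common properties required on every STIX 2.1 SDO and SRO."""
    ts = _ts()
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}


def make_indicator(name: str, pattern: str, indicator_types=("malicious-activity",)) -> dict:
    if not PATTERN_RE.match(pattern):
        raise ValueError(f"unsupported pattern: {pattern}")
    return {**_base("indicator"), "name": name, "pattern": pattern, "pattern_type": "stix",
            "valid_from": _ts(), "indicator_types": list(indicator_types)}


def make_malware(name: str, is_family: bool = False) -> dict:
    return {**_base("malware"), "name": name, "is_family": is_family}


def make_identity(name: str, identity_class: str = "organization") -> dict:
    return {**_base("identity"), "name": name, "identity_class": identity_class}


def make_relationship(source: dict, target: dict, relationship_type: str) -> dict:
    return {**_base("relationship"), "relationship_type": relationship_type,
            "source_ref": source["id"], "target_ref": target["id"]}


def make_sighting(indicator: dict, count: int, where: dict) -> dict:
    """Sighting SRO: the indicator was observed `count` times at identity `where`."""
    ts = _ts()
    return {**_base("sighting"), "sighting_of_ref": indicator["id"], "count": count,
            "first_seen": ts, "last_seen": ts, "where_sighted_refs": [where["id"]]}


def make_bundle(*objects: dict) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def matches(pattern: str, observation: dict) -> bool:
    """Evaluate a single-comparison pattern against an observed object.

    `observation` maps the STIX object type to its properties, e.g.
    {"file": {"hashes": {"SHA-256": "..."}}}; quoted path segments are unquoted.
    """
    m = PATTERN_RE.match(pattern)
    if not m:
        raise ValueError(f"unsupported pattern: {pattern}")
    obj_type, path, expected = m.groups()
    node = observation.get(obj_type)
    for key in path.split("."):
        if not isinstance(node, dict):
            return False
        node = node.get(key.strip("'"))
    return node == expected


def build_demo_bundle() -> dict:
    """Constructed example: a URL indicator and a file-hash indicator for one malware."""
    url_ind = make_indicator("Malicious download URL", "[url:value = 'http://malicious.example/dl']")
    hash_ind = make_indicator(
        "Dropper SHA-256",
        "[file:hashes.'SHA-256' = 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855']")
    dropper = make_malware("example-dropper")
    soc = make_identity("Example SOC")
    return make_bundle(url_ind, hash_ind, dropper, soc,
                       make_relationship(url_ind, dropper, "indicates"),
                       make_relationship(hash_ind, dropper, "indicates"),
                       make_sighting(url_ind, 3, soc))


def indicators_hit(bundle: dict, observation: dict) -> list:
    """Names of indicators in the bundle whose pattern matches the observation."""
    return [o["name"] for o in bundle["objects"]
            if o["type"] == "indicator" and matches(o["pattern"], observation)]


if __name__ == "__main__":
    print(json.dumps(build_demo_bundle(), indent=2))
```

The printed JSON can be pasted into the STIX Visualizer: the two `indicates` relationships draw edges from the indicators to the malware node, and the sighting links the URL indicator to the organisation that observed it. `indicators_hit` is the consumer side, matching an observed file or URL against the bundle's patterns.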


Page 88

  • MISP core functionality is sharing

    • Users can be consumers and/or contributors/producers

    • Functionalities include flexible sharing groups, automatic correlation, free-text import helper, event distribution & proposals

  • Supports many export formats for IDSes/IPSes, SIEMs, host scanners, analysis tools, DNS policies

  • Offers a rich set of modules for expansion, import, and export

  • Provides quick benefits without the obligation to contribute, allowing low barrier access to the system

Page 90

  • MISP events encapsulate contextually linked information

  • Attributes in MISP can be network indicators, system indicators, or other details

    • Attributes have types (e.g., MD5, URL) and categories (e.g., Payload delivery)

  • IDS flag on an attribute determines its use for automatic detection

Page 91

  • MISP Tagging allows attaching a classification to events or attributes

  • Users can choose from over 42 existing taxonomies for tagging
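Pages 90 and 91 describe the MISP building blocks: an event holding attributes, each with a type, a category and an IDS flag, plus taxonomy tags. The block below is an added example, not MISP code or slide material; it models a minimal event in MISP's JSON shape and shows what the IDS flag and the TLP tag actually control when the event is exported: only `to_ids` network attributes become Suricata rules, hashes go to a separate host-scanner list, and a `tlp:amber` tag blocks sharing outside the organisation. The event values are constructed (RFC 5737/2606 examples; the MD5 is that of the empty string), and the rule format follows Suricata's `dns.query`, `http.host` and `http.uri` buffers.

```python
import ipaddress
from urllib.parse import urlsplit

# TLP taxonomy tags that allow sharing beyond the originating organisation
TLP_EXTERNAL_OK = {"tlp:white", "tlp:clear", "tlp:green"}
NETWORK_TYPES = {"domain", "ip-dst", "ip-src", "url"}
HASH_TYPES = {"md5", "sha1", "sha256"}


def make_attribute(type_: str, category: str, value: str, to_ids: bool = True, comment: str = "") -> dict:
    """One MISP attribute: type (md5, url, ...), category, value and the IDS flag."""
    if type_ in ("ip-dst", "ip-src"):
        ipaddress.ip_address(value)   # reject malformed addresses before they reach a sensor
    return {"type": type_, "category": category, "value": value, "to_ids": to_ids, "comment": comment}


def make_event(info: str, attributes: list, tags: list) -> dict:
    """Minimal MISP-style event: contextually linked attributes plus taxonomy tags."""
    return {"Event": {"info": info, "Attribute": attributes, "Tag": [{"name": t} for t in tags]}}


def ids_attributes(event: dict) -> list:
    """Only attributes flagged to_ids are meant for automatic detection."""
    return [a for a in event["Event"]["Attribute"] if a["to_ids"]]


def to_suricata(event: dict, sid_start: int = 1000001) -> list:
    """Export network IDS attributes as Suricata rules (one rule per attribute)."""
    rules, sid = [], sid_start
    label = event["Event"]["info"].replace('"', "'").replace(";", ",")
    for a in ids_attributes(event):
        if a["type"] not in NETWORK_TYPES:
            continue   # hashes go to host scanners, not the network sensor
        v = a["value"]
        msg = f'msg:"MISP {label} - {a["type"]} {v}"'
        if a["type"] == "domain":
            body = f'alert dns any any -> any any ({msg}; dns.query; content:"{v}"; nocase;'
        elif a["type"] == "ip-dst":
            body = f'alert ip $HOME_NET any -> {v} any ({msg};'
        elif a["type"] == "ip-src":
            body = f'alert ip {v} any -> $HOME_NET any ({msg};'
        else:  # url: match host and path separately on the HTTP buffers
            u = urlsplit(v)
            body = (f'alert http any any -> any any ({msg}; http.host; content:"{u.hostname}"; '
                    f'http.uri; content:"{u.path or "/"}";')
        rules.append(f"{body} sid:{sid}; rev:1;)")
        sid += 1
    return rules


def hash_list(event: dict) -> list:
    """Export hashes for host scanners / EDR blocklists."""
    return [a["value"] for a in ids_attributes(event) if a["type"] in HASH_TYPES]


def shareable_externally(event: dict) -> bool:
    """Respect the TLP tag: share only if every TLP tag present allows it (no tag = no sharing)."""
    tlp = {t["name"] for t in event["Event"]["Tag"] if t["name"].startswith("tlp:")}
    return bool(tlp) and tlp <= TLP_EXTERNAL_OK


# Constructed demo event (RFC 5737/2606 example values; MD5 of the empty string)
DEMO_EVENT = make_event(
    "Constructed phishing campaign",
    [
        make_attribute("md5", "Payload delivery", "d41d8cd98f00b204e9800998ecf8427e"),
        make_attribute("domain", "Network activity", "malicious.example"),
        make_attribute("ip-dst", "Network activity", "198.51.100.7"),
        # Reference URL for analysts only: to_ids=False keeps it out of the sensor rules
        make_attribute("url", "External analysis", "https://analysis.example/report/1",
                       to_ids=False, comment="vendor write-up"),
    ],
    ["tlp:amber", "kill-chain:Delivery"],
)

if __name__ == "__main__":
    print("\n".join(to_suricata(DEMO_EVENT)))
    print(hash_list(DEMO_EVENT), shareable_externally(DEMO_EVENT))
```

The IDS flag is the detail that bites in practice: an analyst who leaves `to_ids` set on a reference URL or on a shared-hosting IP pushes a noisy or harmful rule to every sensor that consumes the feed, so the export must honour the flag rather than the category.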

Page 95

  • SOAR platforms collect security threats, data, and alerts from various sources

  • Analyze that data with a mix of human analysis and machine learning to prioritize incident response activities

Page 97

  • SOAR solutions enhance detection and response processes by context enrichment and downstream prioritization

  • Flexible tools applicable to various security operations use cases, mainly incident response and workflow automation

Page 100

  • Orchestration integrates various technologies and security tools for improved incident response time

  • SOAR solutions can analyze alerts from UEBA, threat intelligence platforms, incident response platforms, IDPS

Page 101

  • Automation in SOAR involves machine-driven execution of security operations tasks

  • Standardizes tasks like automation steps, decision-making workflows, enforcement actions, status checking, auditing

Page 102

  • Response in security orchestration involves analyzing alerts across IT infrastructure

  • Automates repetitive manual tasks, allowing security teams to focus on actual security incidents and resolutions

Page 103

  • SOAR elements include alert triage and prioritization, automation, case management, and collaboration

  • Enables rationalizing and prioritizing incidents, coordinating workflows with manual and automated steps, and providing canned resolutions to activities.

Page 104: SOAR Elements

  • Dashboard and Reporting:

    • Aggregates SOC data for understanding the SOC's situation and performance results.

  • TI and Investigation:

    • Provides evidence-based knowledge about existing or emerging threats to inform response decisions.

Page 105: Complexity of Security Operation

  • Discusses the complexity involved in security operations.

Page 106: SOAR Use Cases

  • Creative Utilization:

    • Security teams use SOAR tools creatively to achieve more in less time.

  • Common Use Cases:

    • Phishing emails, malicious network traffic, vulnerability management, etc.

  • Incident Response Playbook:

    • Set of rules triggered by security events for executing pre-defined actions.
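Pages 95 to 106 describe the SOAR elements (triage and prioritization, automation, case management, threat-intelligence enrichment) and define a playbook as rules triggered by events that execute pre-defined actions. The block below is an added example of that loop in miniature, not code from any SOAR product or from the slides: each alert is enriched against a local threat-intelligence set, scored, matched to the first playbook whose trigger fires, and run, with automated steps executed and sensitive steps parked for analyst approval in a case record. The TI set, alerts and actions are constructed (RFC 5737/2606 example values; the actions return strings instead of calling a mail gateway, EDR or firewall).

```python
from dataclasses import dataclass
from typing import Callable

# Constructed local threat-intel set, as a TIP/MISP export would hand it to the SOAR
KNOWN_BAD = {
    "sender_domain": {"malicious.example"},
    "dst_ip": {"198.51.100.7"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}
SEVERITY_SCORE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Step:
    name: str
    action: Callable[[dict], str]   # returns a short result string for the audit log
    automated: bool = True          # False = needs analyst approval before it runs


@dataclass
class Playbook:
    name: str
    trigger: Callable[[dict], bool]
    steps: list


def enrich(alert: dict) -> dict:
    """Context enrichment: record which alert fields match local threat intel."""
    alert["ti_hits"] = [f for f, bad in KNOWN_BAD.items() if alert.get(f) in bad]
    return alert


def prioritize(alert: dict) -> int:
    """Triage: base severity plus a bump for every TI hit, capped at 5."""
    score = SEVERITY_SCORE.get(alert.get("severity", "low"), 1) + 2 * len(alert["ti_hits"])
    alert["priority"] = min(score, 5)
    return alert["priority"]


def run(alert: dict, playbooks: list) -> dict:
    """Triage the alert, pick the first matching playbook, run it and keep a case record."""
    enrich(alert)
    prioritize(alert)
    case = {"alert": alert, "playbook": None, "log": [], "pending_approval": [], "status": "open"}
    for pb in playbooks:
        if not pb.trigger(alert):
            continue
        case["playbook"] = pb.name
        for step in pb.steps:
            if step.automated:
                case["log"].append((step.name, step.action(alert)))
            else:
                case["pending_approval"].append(step.name)
                case["log"].append((step.name, "awaiting analyst approval"))
        case["status"] = "waiting" if case["pending_approval"] else "resolved"
        break
    if case["playbook"] is None:
        case["status"] = "unmatched"   # falls back to manual review
    return case


# Simulated actions: a real SOAR would call the mail gateway, EDR or firewall APIs here
PLAYBOOKS = [
    Playbook(
        "phishing",
        trigger=lambda a: a["type"] == "phishing_email",
        steps=[
            Step("quarantine message", lambda a: f"quarantined message {a['message_id']}"),
            Step("notify recipient", lambda a: f"notified {a['recipient']}"),
            Step("block sender domain at gateway",
                 lambda a: f"blocked {a['sender_domain']}", automated=False),
        ],
    ),
    Playbook(
        "malicious traffic",
        trigger=lambda a: a["type"] == "network" and "dst_ip" in a["ti_hits"],
        steps=[
            Step("block destination on firewall", lambda a: f"blocked {a['dst_ip']}"),
            Step("isolate host", lambda a: f"isolated {a['host']}", automated=False),
        ],
    ),
]

# Constructed alerts
PHISHING_ALERT = {"type": "phishing_email", "severity": "medium", "message_id": "m-42",
                  "recipient": "user@corp.example", "sender_domain": "malicious.example"}
BENIGN_ALERT = {"type": "login", "severity": "low", "user": "user@corp.example"}

if __name__ == "__main__":
    for a in (PHISHING_ALERT, BENIGN_ALERT):
        c = run(dict(a), PLAYBOOKS)
        print(c["playbook"], c["status"], c["alert"]["priority"], c["log"])
```

The split between automated and approval-gated steps is the design choice worth copying: quarantining one message is reversible and cheap, while blocking a domain or isolating a host affects other users, so the playbook records the intent and leaves the decision to the analyst, which is the "manual and automated steps" coordination the slides list under case management.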

Page 107: Security Processes Approach

  • Describes the approach to security processes.

Page 108: Ecosystem Analytics and SIEM

  • Lists various cybersecurity technologies and tools:

    • Ecosystem Analytics: Cortex, Devo, Exabeam, etc.

    • SIEM: Splunk, Elastic SIEM, Sumo Logic