
FireEye iSIGHT Intelligence

Robert Żelazo – Regional Director, Eastern Europe, FireEye


Prague, Sep 14, 2016

Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL 1
Some false things you may have heard around…

§  “APT is just Advanced Malware, and you need Advanced Malware Protection”
§  “Stop trying to Detect when you can Prevent”
§  “Our APT solution offers Remediation”


The real problem is the hacker, not the malware

IT’S A “WHO,” NOT A “WHAT”
-  There’s a human at a keyboard
-  Highly tailored and customized attacks
-  Targeted specifically at you

THEY ARE PROFESSIONAL, ORGANIZED AND WELL FUNDED
-  Nation-state sponsored
-  Escalate sophistication of tactics as needed
-  Relentlessly focused on their objective

IF YOU KICK THEM OUT THEY WILL RETURN
-  They have specific objectives
-  Their goal is long-term occupation
-  Persistence tools ensure ongoing access


What happens after Malware?

§  Expand access and obtain valid credentials
-  Credentials stolen by keyboard logging
-  Credentials stolen by network sniffing
-  Encrypted credentials stolen from disk and brute forced
§  Strengthen foothold
-  Lateral movement using OS tools
-  Further internal reconnaissance
-  Non-malware-based backdoors
-  Multiple backdoor fail-safes


APT29 – ONE OF THE MOST ADVANCED CYBERGROUPS

Russian Threat Groups

§  FireEye monitors various Russian threat groups – for example:
-  APT28
-  APT29
§  The groups frequently design innovative ways to cover their tracks
§  APT29 has been particularly active throughout 2015
-  new downloaders, payloads, and targets


APT29: Sponsored by the Russian Gov

§  Probable Russian threat actor supporting nation state missions
-  Espionage versus strategic European-related targets
-  Interest in Russia-Ukraine issues
-  Work hours align with the UTC +3 time zone (Moscow, St. Petersburg)
-  Operations ceased on Russian holidays
§  Disciplined focus on operational security
-  Almost exclusive use of compromised servers, legitimate services, and similar
-  Anti-forensics
§  Aggressive and advanced skills
-  Targeting both intelligence targets and defenders alike
-  Monitor remediation efforts
-  Rapid tool development cycle to support new deployments

2015 Toolset
Initial Compromise: COZYCAR, SWIFTKICK / MINIDIONIS, QUEENPIECE
Maintain Presence: SEADADDY, SAYWHAT, HAMMERTOSS, Powershell


Generic Spearphishing

§  2014 – early 2015 campaign used generic lures / decoys
-  “You’ve got a fax”
-  “Office Monkeys”
§  Lure site very relevant
-  Compromised legitimate / prominent sites to deliver “fax”
•  International issues and diplomacy sites
•  European stock exchange
•  US state and local government
•  Prominent US university
§  July 2015 campaign showed much more targeted / topical lures... some generic

(Slide images: fax email; printer configuration page)


APT29’s HAMMERTOSS – Advanced persistent threat

§  Backdoor detected in early 2015
§  Designed to make it difficult for security professionals to detect and characterize the extent of APT29’s activity
§  Multiple layers of obfuscation
§  Mimicking the behavior of legitimate users:
-  Usage of commonly visited websites: Twitter, GitHub, and cloud storage services
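The point of the slide above is that a backdoor hiding in traffic to Twitter or GitHub will not be caught by domain reputation. As an added example (not from the presentation, and not a description of HAMMERTOSS's actual schedule), here is one behavioural check a defender can run over proxy logs instead: flag hosts whose requests to such sites arrive at suspiciously regular intervals. The log lines, host names and the hourly spacing are constructed; the thresholds are assumptions to tune against your own baseline.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log, not real traffic: timestamp, client host, destination domain.
PROXY_LOG = """\
2015-07-01T09:00:05 ws-17 twitter.com
2015-07-01T09:03:11 ws-17 mail.example.org
2015-07-01T09:00:06 ws-42 twitter.com
2015-07-01T10:00:04 ws-17 twitter.com
2015-07-01T10:31:50 ws-42 twitter.com
2015-07-01T11:00:07 ws-17 twitter.com
2015-07-01T11:02:19 ws-42 github.com
2015-07-01T12:00:03 ws-17 twitter.com
2015-07-01T13:00:06 ws-17 twitter.com
2015-07-01T13:45:00 ws-42 twitter.com
"""

# Commonly visited services named on the slide; extend with your own cloud-storage domains.
WATCHED = {"twitter.com", "github.com"}

def parse(log):
    """Return {(host, domain): [timestamps]} for watched domains only."""
    seen = defaultdict(list)
    for line in log.splitlines():
        ts, host, domain = line.split()
        if domain in WATCHED:
            seen[(host, domain)].append(datetime.fromisoformat(ts))
    return seen

def beacon_candidates(log, min_hits=5, max_cv=0.05):
    """Flag (host, domain) pairs whose request spacing is unusually regular.
    CV = stdev / mean of the gaps between consecutive requests. A person browsing
    produces large, irregular gaps; a scheduled check-in produces gaps that cluster
    tightly around one value. min_hits and max_cv are assumed starting thresholds."""
    out = []
    for (host, domain), stamps in parse(log).items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) + 1 < min_hits:
            continue  # too few requests to judge regularity
        cv = statistics.pstdev(gaps) / statistics.mean(gaps)
        if cv <= max_cv:
            out.append((host, domain, round(statistics.mean(gaps)), round(cv, 3)))
    return out
```

A low-CV hit is a lead for the analyst, not a verdict: legitimate clients (feed readers, CI runners) also poll on a timer, so pair this with user context before escalating.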


FireEye Threat Intelligence

Malware Analysis Intelligence Collection
-  Generation method: 400,000 unique daily malware samples collected; 10,000 malicious identifiers detected daily
-  Detects: Botnets; Commodity malware; C2 callbacks
-  Context type: Malware family name; Risk score

Curated intelligence
-  Generation method: Team of security experts put intelligence into context; 300 tracked attack groups; 40 industry-specific threat profiles
-  Detects: APT-style attacks; Targeted malware; Attack group dossier; Vulnerability
-  Context type: Malware family name; Risk score; Attack group name

Focused Rule Sets & IOCs
-  Generation method: Advanced Detection Hunt team monitors for current threats and generates rule packs & IOCs to assist with detection
-  Detects: Analytics; Authentication, authorization, and accounting; Incident watchlist; Emerging threats
-  Context type: Malware family name; Risk score; Threat impact level; Insightful threat details
Using Cyber Threat Intelligence to Enhance Security

§  What is Intelligence?
§  Why is Cyber Threat Intelligence important?
§  Leveraging Cyber Threat Intelligence
-  Enhance security technologies
-  Streamline processes
-  Improve security programs

§  iSIGHT Offerings
§  Case study
§  Questions



WHAT IS INTELLIGENCE?



Cyber Threat Intelligence - Definition

§  Intelligence is information that has been collected, processed and disseminated with the
purpose of:
-  Reducing the degree of uncertainty about an adversary, potential adversary, situation or threat, which
may be experienced by decision makers.
-  So they can make informed, reasoned, and timely decisions.



Cyber Threat Intelligence - Definition
Not to be confused with:

“Information is unprocessed data of every description that may be used in the production of
intelligence. It is normally collected by individual sensors, systems or capabilities.”



The Intelligence Cycle – Simple Version

Direction → Collection → Processing → Dissemination → (back to) Direction


The Full Intelligence Cycle

Direction: Requestor/User → Requests for Information → Intelligence Requirements (Standing and Priority) → check databases → Collection Plan → Task Collection
Collection
Processing: Information → Intelligence
Dissemination: Intelligence & Time-Critical Intelligence returned to the Requestor/User
FireEye iSIGHT
200+ intelligence Professionals, 29 Languages, 18 Countries

Global Insights
ü ADVERSARY FOCUSED
ü GLOBAL COLLECTION
ü CONTEXTUAL
ü MULTIPLE DELIVERABLES
ü PARTNERSHIP
ü ACTIONABLE

Global Reach
Amsterdam, Netherlands; Canada; United Kingdom; Kiev, Ukraine; Germany; Idaho Falls, ID; Bucharest, Romania; Chantilly, VA; Spain; Beijing, China; Japan; Dallas, TX; Cyprus; Hawaii; Pune, India; Taipei, Taiwan; Philippines; Malaysia; Brazil; Sydney, Australia; Argentina; New Zealand


Cyber Threat Intelligence Production
Formal Process Yields Rich, Contextual Threat Intelligence

Direction and Collection → Analysis → Dissemination, with a Feedback & Clarification loop back to Direction:
1.  Intelligence Requirements requested from Client
2.  Requirements created based on Clients, Sectors and Adversaries
3.  Collection Requirements prioritized by analysts, matched to current holdings, then passed to global research teams
4.  Planning and tasking of global research teams and Fusion Centre
5.  Processing: information collected by global research teams is standardized so that multiple sources are ready for analysis
6.  Analysis and information exploitation, and production of reporting for clients
7.  Fully fused, corroborated, cross-referenced and edited multi-source Intelligence reporting disseminated to clients
8.  Client feedback, refinement of Intelligence product


Cyber Threat Intelligence Process

Collection – Global Intelligence Gathering
Collection systems and research team create raw observables (Malware, Marketplace, Human, Vulnerability, Internet)…
…utilized to create tagged, categorized “wires” or research elements (Common Data Model ensures consistency)…

Processing and Analysis
…which flow to analytical tools (Attack Campaigns, Actors, Linked Observables, Methods) to enrich, prioritize, rate and synthesize our knowledge into…

Dissemination
…finished intelligence which is produced and delivered in many formats to the customer. The Content Management System handles coordination, deduplication, topic selection, production, storage and retention of sources.

Deliverable Formats
ü  HTML or plain-text via email
ü  Portal access with advanced search capability
ü  XML delivery
ü  Indicator CSVs linked to intelligence context
ü  API access
ü  Partner Integrations
WHY IS CYBER THREAT INTELLIGENCE IMPORTANT?


Cyber Threat Joins the Risk List

Key Risks: Political; Reputation; Environmental; Cyber; Supply Chain; Market; Financial; Natural Disasters; Regulatory; Credit; Ethics; State Conflicts


How Can Cyber Threat Intelligence Help?

1.  Be Proactive
2.  Shrink the Problem
3.  Improve Prioritization
4.  Enhance Executive Communications
5.  Connect Security With Business

Actionable Intelligence is:
•  Accurate
•  Aligned with your intelligence requirements
•  Integrated
•  Predictive
•  Relevant
•  Tailored
•  Timely
Rick Holland, Blog: Actionable Intelligence, Meet Terry Tate, Office Linebacker. Published: 11 February 2014


LEVERAGING CYBER THREAT INTELLIGENCE


Leveraging CTI to “Shrink the Problem”

Alarms (Thousands to Millions)
  → Alarm Aggregation (Summarization)
Events (Many Thousands)
  → Event Correlation
First Cut Prioritized Events (Thousands/Hundreds)
  → Machine-Based Event Prioritization
Human-Prioritized Alerts (Hundreds/Tens)
  → Human Event Prioritization

Impact of Context Rich Cyber Threat Intelligence
Benefit to Multiple Intelligence Consumers

Strategic: CISO & Executive; Threat Intelligence Team
Operational: Security Operations Center (SOC); Incident Response Team
Tactical: Network Operations; Systems/Endpoint Operations


Actionable Threat Intelligence
ACROSS THE INFRASTRUCTURE

ThreatScape® API

SIEM/Log Management
-  Activity: Event Prioritization
-  Value: Shrink The Problem
Threat Intelligence Platform (TIP)
-  Activity: Threat Data, Indicator Aggregation, Common Platform
-  Value: Manage All Threat Data and Sources in a Single Interface
Endpoint Protection
-  Activity: Protection for Enterprise Endpoints
-  Value: Stop Attacks at the Point of Entry
Network Protection
-  Activity: Visibility and Protection Across Enterprise Networks
-  Value: Alert and Block Threats, Detect Attacks in Progress
IR/Forensics Investigations
-  Activity: Hunt for Issues, Remediate & Attribute
-  Value: Improve Decisions, Who/Why Attack, Brief Executives
Analytics/GRC
-  Activity: Analyze Incidents (Who, Why), Patch Management
-  Value: Improve Decisions, Prioritize Most Critical Patches


Intelligence-Led Security – From the Outside In

(Diagram: Attack Surface → Attack Methodology → Indicators, Tags, Actors → Threat Sources)

Attack Surface: Credit Card Data; Access; Documents; Intellectual Property; PII; User Logins; Operational Control; System Availability
Defensive controls: A/V; Comms; Logs; IDS; IPS; SEIM; DLP; Spam Filter; Insider Threat
Attack Methodology: Tor Anonymity; Intrusion; Malware; Watering Hole; Botnet; Insiders; C2; Exfil; Drop; Exploit; Direct Intrusion; Social Engineering
Actors: Intrusion Teams; Organized Crime; Scaling Crime; Activist Groups; Phishers; Bot Herders; Black Hats
Threat Sources: Cyber Espionage; Cyber Crime; Hacktivism; Enterprise IT; DDoS; Exfiltration; Mobile Computing; Industrial control sys


Cyber Threat Intelligence

Indicators/IOCs
-  Malicious Files (hashes/signatures)
-  Bad Domain
-  Bad IP Address
-  Phishing Lures
-  Registry Settings

Context
-  Motivation/Intent: Cyber Crime (Money); Espionage (Information); Hacktivism (Influence); Destruction (Kinetic Impact)
-  Actors
-  Attribution
-  Targets
-  Campaigns
-  TTPs, Methods/Playbooks
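The “Shrink the Problem” funnel (alarms → aggregation → correlation → machine-based prioritization) and the indicator-versus-context split on this slide, as one added Python example that is not part of the presentation: the alarms and the CTI feed are constructed, the actor and family names are placeholders, and the scoring rule (the feed's risk score, plus a bonus when two independent indicators on one host point at the same actor) is an assumption chosen to show that the context attached to an indicator, not the indicator itself, decides what reaches the analyst.

```python
from collections import Counter, defaultdict

# Constructed raw alarms, not real data: (sensor, indicator type, indicator value, internal host).
ALARMS = [
    ("proxy", "domain", "update-cdn.example.net", "ws-17"),
    ("proxy", "domain", "update-cdn.example.net", "ws-17"),
    ("proxy", "domain", "update-cdn.example.net", "ws-17"),
    ("ids",   "ip",     "203.0.113.9",            "ws-17"),
    ("av",    "hash",   "HASH-PLACEHOLDER-1",     "ws-42"),
    ("proxy", "domain", "ads.example.org",        "ws-08"),
    ("ids",   "ip",     "198.51.100.77",          "db-01"),
]

# Constructed CTI feed: each indicator carries the slide's context column
# (actor, motivation, malware family, risk score). Actor and family names are placeholders.
CTI = {
    "update-cdn.example.net": {"risk": 90, "actor": "GROUP-A", "motivation": "Espionage (Information)", "family": "Backdoor-A"},
    "203.0.113.9":            {"risk": 90, "actor": "GROUP-A", "motivation": "Espionage (Information)", "family": "Backdoor-A"},
    "HASH-PLACEHOLDER-1":     {"risk": 60, "actor": "GROUP-B", "motivation": "Cyber Crime (Money)", "family": "Banker-B"},
    "198.51.100.77":          {"risk": 20, "actor": None, "motivation": None, "family": "Scanner"},
}

def aggregate(alarms):
    """Alarm aggregation: collapse repeats of one (host, type, indicator) into a single counted event."""
    return Counter((host, kind, value) for _sensor, kind, value, host in alarms)

def correlate(events):
    """Event correlation: group the distinct events observed on each host."""
    by_host = defaultdict(list)
    for (host, kind, value), count in events.items():
        by_host[host].append((kind, value, count))
    return by_host

def prioritize(alarms):
    """Machine-based prioritisation: score each host from the CTI context of its matched indicators.
    Hosts whose indicators are unknown to the feed drop out of the analyst queue entirely."""
    queue = []
    for host, evts in correlate(aggregate(alarms)).items():
        matched = [(kind, value, CTI[value]) for kind, value, _count in evts if value in CTI]
        if not matched:
            continue
        score = max(ctx["risk"] for _, _, ctx in matched)
        actors = {ctx["actor"] for _, _, ctx in matched if ctx["actor"]}
        # Two independent indicators tied to the same named actor on one host is stronger evidence.
        if len(matched) > 1 and len(actors) == 1:
            score += 10
        queue.append({"host": host, "score": score, "actors": sorted(actors),
                      "motivations": sorted({ctx["motivation"] for _, _, ctx in matched if ctx["motivation"]}),
                      "indicators": [f"{k}:{v}" for k, v, _ in matched]})
    return sorted(queue, key=lambda e: e["score"], reverse=True)
```

Seven alarms become three queue entries, and the entry at the top is the one whose context (named actor, espionage motivation) matters to the business, which is the same shift the two CEO reports later in the deck illustrate.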


Relevant to the Organisation

Report to the CEO, version 1
Last month we:
•  Reviewed 1,452,134 log entries
•  Detected 423,132 viruses
•  Blocked 2,028,43 connections
•  Closed 3,095 incident tickets

Report to the CEO, version 2
Last month we detected and blocked two cybercrime attacks linked to a criminal organization in Eastern Europe that has been targeting POS systems at mid-sized retailers. Our actions:
•  Prevented the theft of 10 million customer credit card numbers
•  Avoided $78 million in lost revenue and the costs that would have been incurred for notifying customers of the data breach, cleaning up infected systems, and paying regulatory fines and legal fees.

Information v Cyber Threat Intelligence
Aims of Cyber Threat Intelligence

§  Enable proactive, risk-based resource allocation
§  Shrink the problem
§  Improve prioritization
§  Enhance executive communications
§  Connect security with business


CASE STUDIES



Cyber Threat Intelligence in Action
§  Sample Sandworm open source reports, 13 – 16 October 2014.


Cyber Threat Intelligence in Action



Cyber Threat Intelligence in Action
§  And it continues…
-  18 Nov 15, Sandworm Team tied to broader operation targeting ICS networks using BlackEnergy
-  25 Nov 15, US academic research and development community targeted with repurposed Sandworm Team exploit
-  30 Mar 15, Changes to BlackEnergy demonstrate EU focus
-  12 Jun 15, BlackEnergy 3 malware used by Sandworm Team is capable of leveraging RPC over SMB (1) for both local and remote connections
-  30 Dec 15, Cyber espionage activity in Ukraine resembles Sandworm Team, and nation-wide power outages in Ukraine caused by cyber attacks
-  24 Jan 16, Spear phishing targeting Ukrainian energy sector distributed GCat malware; may indicate Sandworm Team operators are shifting tools
-  29 Feb 16 and 17 Apr 16, Sandworm Team campaign leveraged searchable sensitive documents to target Ukrainian media and Boryspil Airport prior to destructive attacks
(1) Remote Procedure Call over Server Message Block
Questions
iSIGHT Partners
The Cyber Threat Intelligence Experts



Please take a copy
Available to download at: http://info.isightpartners.com/definitive-guide