THEY ARE PROFESSIONAL, ORGANIZED AND WELL FUNDED
IT’S A “WHO,” NOT A “WHAT”
IF YOU KICK THEM OUT THEY WILL RETURN
§ Strengthen foothold
- Lateral movement using OS Tools
- Further internal reconnaissance
- Non-malware-based backdoors
- Multiple backdoor fail-safes
Team of security experts put curated intelligence into context
- 300 tracked attack groups
- 40 industry-specific threat profiles
• Malware family name
• APT-style attacks
• Risk score
• Targeted malware
• Attack group name
• Attack group dossier
§ What is Intelligence?
§ Why is Cyber Threat Intelligence important?
§ Leveraging Cyber Threat Intelligence
- Enhance security technologies
- Streamline processes
- Improve security programs
§ iSIGHT Offerings
§ Case study
§ Questions
§ Intelligence is information that has been collected, processed and disseminated with the purpose of:
- Reducing the degree of uncertainty about an adversary, potential adversary, situation or threat, which may be experienced by decision makers.
- So they can make informed, reasoned, and timely decisions.
“Information is unprocessed data of every description that may be used in the production of intelligence. It is normally collected by individual sensors, systems or capabilities.”
The intelligence cycle: Direction, Collection, Processing, Dissemination, and back to Direction.
Information + Processing = Intelligence (time-critical intelligence).
Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL
FireEye iSIGHT
200+ intelligence professionals, 29 languages, 18 countries
Global Insights, Global Reach (locations shown: Amsterdam, Netherlands; Philippines; Malaysia; Brazil; Sydney, Australia; Argentina; New Zealand)
ü ADVERSARY FOCUSED
ü MULTIPLE DELIVERABLES
ü PARTNERSHIP
ü ACTIONABLE
Intelligence workflow, from requirement to product:
1. Intelligence Requirements requested from Client.
2. Collection Requirements created based on Clients, Sectors and Adversaries.
3. Requirements prioritized by analysts, matched to current holdings, then passed to global research teams.
4. Processing: planning and tasking of global research teams.
5. Information collected by global research teams and returned to the Fusion Centre for analysis.
6. Analysis and information exploitation to standardize multiple information sources.
7. Production of reporting for clients.
8. Fully fused, corroborated, cross-referenced, edited multi-source Intelligence, ready for reporting, disseminated to clients.
9. Client feedback and refinement of the Intelligence product.
Processing and Analysis
Campaigns, Linked Actors, Attack Methods and Observables flow to analytical tools to enrich, prioritize, rate and synthesize our knowledge into finished intelligence, which is produced and delivered in many formats to the customer.
Content Management System: coordination, deduplication, topic selection, production, storage and retention of sources.
Dissemination: Deliverable Formats
ü HTML or plain-text via email
ü Portal access with advanced search capability
ü XML delivery
ü Indicator CSVs linked to intelligence context
ü API access
ü Partner Integrations
WHY IS CYBER THREAT INTELLIGENCE IMPORTANT?
Key Risks
1. Be Proactive
2. Shrink the Problem
3. Improve Prioritization
4. Enhance Executive Communications
5. Connect Security With Business
Actionable Intelligence is:
• Accurate
• Aligned with your intelligence requirements
• Integrated
• Predictive
• Relevant
• Tailored
• Timely
Rick Holland, Blog: Actionable Intelligence, Meet Terry Tate, Office Linebacker. Published: 11 February 2014
Intelligence consumers across the organization:
- CISO
- Executive
- Security Operations Center (SOC)
- Network Operations
- Systems/Endpoint Operations
- Threat Intelligence Team
- Incident Response Team
ThreatScape® API integration points, by security technology (Activity / Value):
- SIEM/Log Management. Activity: Event Prioritization. Value: Shrink the Problem.
- Threat Intelligence Platform (TIP). Activity: Threat Data, Indicator Aggregation, Common Platform. Value: Manage All Threat Data and Sources in a Single Interface.
- Endpoint Protection. Activity: Protection for Enterprise Endpoints. Value: Stop Attacks at the Point of Entry.
- Network Protection. Activity: Visibility and Protection Across Enterprise Networks. Value: Alert and Block Threats, Detect Attacks in Progress.
- IR/Forensics Investigations. Activity: Hunt for Issues, Remediate & Attribute. Value: Improve Decisions (Who/Why Attack), Brief Executives.
- Analytics/GRC. Activity: Analyze Incidents (Who, Why), Patch Management. Value: Improve Decisions, Prioritize Most Critical Patches.
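One way to put an "Indicator CSV linked to intelligence context" deliverable to work for the SIEM event-prioritization integration listed above, as an added example that is not part of the original deck or of any iSIGHT product code: it parses a constructed indicator file carrying the context fields the deck mentions (attack group, malware family, risk score), matches destination fields in a few constructed firewall-style log lines, and ranks the hits by risk score so an analyst sees the highest-risk contact first. All indicator values, group names, hostnames, dates and log lines are made up, and the CSV column names are an assumption, not the ThreatScape API format.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed sample indicator CSV. Column names, indicator values, attack group
# names, malware family names and risk scores are all made up for this example;
# they are not a real feed format.
INDICATOR_CSV = """indicator,type,attack_group,malware_family,risk_score
198.51.100.23,ipv4,ExampleGroup-A,ExampleRAT,90
bad-updates.example.net,domain,ExampleGroup-B,ExampleLoader,60
203.0.113.77,ipv4,ExampleGroup-A,ExampleRAT,85
"""

# Constructed sample log lines in a simple key=value firewall/proxy style.
SAMPLE_LOGS = [
    "2015-02-11T10:00:01Z host=ws-17 dst=198.51.100.23 action=allow",
    "2015-02-11T10:00:05Z host=ws-02 dst=93.184.216.34 action=allow",
    "2015-02-11T10:01:12Z host=ws-17 dst=bad-updates.example.net action=allow",
    "2015-02-11T10:02:40Z host=srv-01 dst=203.0.113.77 action=deny",
]


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str
    attack_group: str
    malware_family: str
    risk_score: int


def load_indicators(csv_text):
    """Parse the indicator CSV into a dict keyed by the normalized indicator value."""
    reader = csv.DictReader(io.StringIO(csv_text))
    result = {}
    for row in reader:
        value = row["indicator"].strip().lower()
        result[value] = Indicator(
            value=value,
            kind=row["type"],
            attack_group=row["attack_group"],
            malware_family=row["malware_family"],
            risk_score=int(row["risk_score"]),
        )
    return result


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(line):
    """Split one 'timestamp key=value ...' log line into a dict (timestamp under 'ts')."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def prioritize(log_lines, indicators, field="dst"):
    """Match each log line's destination against the indicator set and rank the hits.

    Returns a list of (risk_score, host, indicator_value, attack_group) tuples,
    highest risk first. At equal risk, allowed connections outrank denied ones,
    because a successful contact with known infrastructure needs a response.
    """
    hits = []
    for line in log_lines:
        event = parse_log(line)
        ind = indicators.get(event.get(field, "").lower())
        if ind is None:
            continue  # destination not in the indicator set: nothing to prioritize
        allowed = 1 if event.get("action") == "allow" else 0
        hits.append((ind.risk_score, allowed, event.get("host"), ind.value, ind.attack_group))
    hits.sort(key=lambda h: (h[0], h[1]), reverse=True)
    return [(risk, host, value, group) for risk, _, host, value, group in hits]


if __name__ == "__main__":
    for risk, host, value, group in prioritize(SAMPLE_LOGS, load_indicators(INDICATOR_CSV)):
        print(f"risk={risk} host={host} indicator={value} group={group}")
```

The ordering key is the point of the example: the raw feed gives three matches, but the context columns let the SIEM surface the risk-90 and risk-85 contacts attributed to the same group ahead of the risk-60 loader domain, instead of presenting three undifferentiated alerts.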
[Figure: word cloud of threat landscape terms. Assets and environments: Credit Card Data, Documents, Intellectual Property, PII, User Logins, Operational Control, System Availability, Enterprise IT, Mobile Computing, Industrial control systems. Controls: A/V, IDS, IPS, SEIM, DLP, Spam Filter, Logs. Adversaries: Cyber Espionage Teams, Organized Cyber Crime, Activist/Hacktivism Groups, Insiders/Insider Threat, Phishers, Bot Herders, Black Hats. Methods: Intrusion, Direct Intrusion, Tor Anonymity, Malware, Watering Hole, Botnet, C2, DDoS, Exfil/Exfiltration, Drop, Social Engineering, Exploit, Scaling Crime, Access, Comms.]