Recently, NTT published the Global Threat Intelligence Report 2016 (GTIR). This year’s report focused both on the changes in threat trends and on how security organizations around the world can use the kill chain to help defend the enterprise.
Turning threat intelligence data from multiple sources into actionable, contextual information is a challenge faced by many organizations today. The Global Threat Intelligence Platform provides increased efficiency, reduces risks and focuses on global coverage with accurate and up-to-date threat intelligence.
This presentation was given at Carnegie Mellon University by Kenji Takahashi, VP of Product Management, Security at NTT Innovation Institute.
1. Global Cyber Threat Intelligence
Kenji Takahashi
NTT Innovation Institute, Inc.
2016 Copyright NTT Innovation Institute, Inc. All rights reserved.
2. NTT i3: ACCELERATING THE TRANSFORMATION OF IDEAS FROM LAB TO MARKET
FOCUS: full lifecycle innovation
LEVERAGE: NTT global strategic assets
ENGAGE: leading companies and startups
INNOVATION: Internet of Things, wearables, machine learning
MARKET-READY PLATFORMS: Elastic Services Infrastructure, Global Threat Intelligence Platform, Cloud Service Orchestration Platform
3. THE EVOLVING GLOBAL SECURITY LANDSCAPE
Cybercriminals
• Large and sophisticated global crime groups
• Black markets for stolen data, tools, and hacker talent
• Detailed knowledge of targets (vulnerabilities, businesses, organizations and people)
Enterprise security team
• Technology vulnerability of IT
• Largely reactive security practices
• Limited data sources and analytic capabilities
• Security skills gaps
Threats and attacks generated by criminals outpace security team capabilities.
4. THE GLOBAL THREATS LANDSCAPE IN 2016: VULNERABILITIES
Source: Global Threat Intelligence Report 2016 (GTIR 2016), www.nttgroupsecurity.com. The data presented is based on information gathered through 2015.

Top 10 external vulnerabilities
  Outdated PHP version                                   8%
  Cross-site scripting (XSS)                             7%
  Outdated Apache web server                             7%
  SSL/TLS information disclosure                         6%
  Web clear-text username/password                       5%
  Weak SSL/TLS ciphers/certificate                       5%
  Outdated Apache Tomcat server                          4%
  Weak/no HTTPS cache policy                             4%
  Cookie without HttpOnly attribute set                  3%
  SSL certificate signed using weak hashing algorithm    3%

Top 10 internal vulnerabilities
  Outdated Java version                                 51%
  Outdated Adobe Flash Player                           11%
  Outdated Adobe Reader and Acrobat                      5%
  Outdated Microsoft Windows                             3%
  Outdated Microsoft Internet Explorer                   3%
  Outdated Mozilla Firefox                               2%
  Outdated Microsoft Office                              1%
  Outdated Linux kernel                                  1%
  Outdated Novell client                                 1%
  Outdated OpenSSH version                               1%

Note the contrast between the two lists: the external findings are dominated by web-tier configuration weaknesses (TLS settings, cookie flags, clear-text credentials), while every entry on the internal list is unpatched client or server software, with outdated Java and Flash alone accounting for 62% of internal findings.
5. THE GLOBAL THREATS LANDSCAPE IN 2016: ATTACKS
(Figure only. The data presented is based on information gathered through 2015.)
6. THE GLOBAL THREATS LANDSCAPE IN 2016: INCIDENTS
(Figure only. The data presented is based on information gathered through 2015.)
7. HACKING FOR PROFIT – THE JP MORGAN CYBERATTACK
• 100 million customers of 12 companies in the US
• 8 years of operation (2007-2015)
• $100Ms in illicit proceeds
• Global cybercrime network
8. RANSOM32: RANSOMWARE AS A SERVICE
(Source: http://blog.emsisoft.com/2016/01/01/meet-ransom32-the-first-javascript-ransomware/)
9. THE CYBERCRIME INFRASTRUCTURE OF BOTNETS
• Consists of thousands of victimized computers ("nodes")
• Operators buy or rent tools, data, services, and talent on the cyber black market using bitcoin
• Infrastructure is recycled on a 30 to 90 day cycle
10. CYBER KILL CHAIN: THE SEVEN PHASES OF A CYBER ATTACK
1. Reconnaissance
2. Weaponization
3. Delivery
4. Exploitation
5. Installation
6. Command & Control
7. Actions on Objectives
*1: "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" by E. Hutchins, M. Cloppert, R. Amin, Lockheed Martin Corporation, 2011. http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
Cyber Kill Chain is a registered trademark of Lockheed Martin Corporation.
11. CYBER KILL CHAIN: CASE STUDY
RECONNAISSANCE: recon, PHP and SQL fingerprinting
WEAPONIZATION: recon data analyzed; Havij tool selected and configured for the attack
DELIVERY & EXPLOITATION: delivery of SQL injection via the Havij tool; exploitation of the injection
INSTALLATION: creation of accounts and installation of a RAT
COMMAND & CONTROL: establish and maintain C2
ACTIONS ON OBJECTIVES: data exfiltration
(Timeline figure: day markers 0, 46, 51, 53, 55, 58, 59, 60 and 65 annotated "first identified", "log observed" and "public disclosure"; which marker belongs to which phase is not recoverable from the extracted text.)
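The case study's early phases leave traces in ordinary web-server logs before the RAT and C2 stages appear. The following is an added example (not code from the deck, and not Havij-specific signatures): it parses constructed Apache-style access-log lines, tags each request with the kill-chain phase it evidences (server fingerprinting as reconnaissance, SQL injection payloads as exploitation, a POST to a dropped script as installation) and reports per-source counts and the order in which phases were first seen. The log lines, paths and patterns are all constructed for illustration.

```python
"""Tag web-server log lines with the Cyber Kill Chain phase they evidence.

Added example, not code from the NTT deck. The log lines are constructed and
the signatures are generic illustrations of the case study's steps (server
fingerprinting, SQL injection, web-shell drop); they are not Havij-specific.
"""
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache-style access log: 203.0.113.7 walks the chain,
# 198.51.100.2 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2015:08:01:12 +0000] "GET /phpinfo.php HTTP/1.1" 404 512
203.0.113.7 - - [10/Mar/2015:08:01:13 +0000] "GET /index.php?id=1' HTTP/1.1" 500 231
203.0.113.7 - - [10/Mar/2015:08:02:40 +0000] "GET /index.php?id=1%20AND%201=1 HTTP/1.1" 200 4020
203.0.113.7 - - [10/Mar/2015:08:02:41 +0000] "GET /index.php?id=1%20UNION%20SELECT%20NULL,NULL,NULL HTTP/1.1" 200 3980
203.0.113.7 - - [10/Mar/2015:08:03:05 +0000] "GET /index.php?id=1%20UNION%20SELECT%20user,password,3%20FROM%20users HTTP/1.1" 200 8890
203.0.113.7 - - [10/Mar/2015:08:10:00 +0000] "POST /uploads/shell.php HTTP/1.1" 200 120
198.51.100.2 - - [10/Mar/2015:08:05:00 +0000] "GET /index.php?id=42 HTTP/1.1" 200 4010
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Ordered: the most advanced phase a request can evidence wins.
PHASE_RULES = [
    ("installation", [r"^POST /uploads/[^?]+\.(php|jsp|aspx)$"]),   # dropped script executed
    ("exploitation", [r"union\s+select", r"\b(and|or)\s+\d+\s*=\s*\d+",
                      r"information_schema", r"\bsleep\s*\(", r"\bbenchmark\s*\("]),
    ("reconnaissance", [r"^GET /phpinfo\.php$", r"^GET /server-status",
                        r"^GET /\.git/", r"=[^&]*'$"]),             # version/error probing
]
COMPILED = [(phase, [re.compile(p, re.IGNORECASE) for p in pats]) for phase, pats in PHASE_RULES]


def classify(method, path):
    """Return the phase for one request, or None when nothing matches."""
    req = f"{method} {unquote(path)}"          # decode %20 etc. before matching
    for phase, pats in COMPILED:
        if any(p.search(req) for p in pats):
            return phase
    return None


def tag_phases(log_text):
    """Parse the log and return (source, timestamp, phase, path) for tagged lines."""
    tagged = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        phase = classify(m["method"], m["path"])
        if phase:
            tagged.append((m["src"], ts, phase, m["path"]))
    return tagged


def summarize(tagged):
    """Per-source count of requests in each phase."""
    counts = defaultdict(lambda: defaultdict(int))
    for src, _, phase, _ in tagged:
        counts[src][phase] += 1
    return {src: dict(c) for src, c in counts.items()}


def phase_timeline(tagged):
    """Per-source list of (phase, first seen), in chronological order."""
    first = defaultdict(dict)
    for src, ts, phase, _ in tagged:
        if phase not in first[src] or ts < first[src][phase]:
            first[src][phase] = ts
    return {src: sorted(d.items(), key=lambda kv: kv[1]) for src, d in first.items()}


if __name__ == "__main__":
    tagged = tag_phases(SAMPLE_LOG)
    print(summarize(tagged))
    for src, steps in phase_timeline(tagged).items():
        print(src, [(p, t.strftime("%H:%M:%S")) for p, t in steps])
```

The value of tagging by phase rather than just "SQLi detected" is the timeline: a source whose first tagged request is already exploitation skipped observable reconnaissance, which changes what earlier telemetry is worth pulling.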
12. CKC AS A GUIDELINE FOR THREAT INTELLIGENCE
• Analysis of an earlier phase provides threat intelligence for later phases
• Attribution underpins the analysis of CKC phases:
  • Victims
  • Capabilities
  • Resources
  • Objectives
• Strategic priority and focus are essential:
  • Systems, services, data, and people of importance
13. WHAT CONSTITUTES THREAT INTELLIGENCE
Threat intelligence is gathered from disparate sources and synthesized by human analysts to identify a specific threat and its target in advance of an incident.
14. THREAT INTELLIGENCE: EVOLVING SECURITY FROM REACTION TO PREDICTION
A new approach to addressing global threats requires:
1. Creation of potential victim/target profiles
2. Prediction of threats based on the real-time analysis of a variety of data sources
3. Deployment of security controls to monitor and block both predicted and existing threats
15. GLOBAL THREAT INTELLIGENCE PLATFORM
• Single holistic view of the real-time evolution of the dynamic threat landscape
• Global dataset of more than 18 million attacks gathered from a wide variety of sources, across geographical and organizational boundaries
• Advanced analytics driven by machine learning (including malware taint analysis)
• API for seamless integration into applications, services and systems
• Support led by managed security service professionals
17. CONTEXTUALIZATION
Provide the "right" information, best fitted to the user's context
• Context can be expressed by vertical industry, geographical region, CKC phase, attack type, victim profile, and resources used (IP addresses, URLs/domains, malware, etc.)
Enable users to formulate contextualized queries
• Users can save and manage queries
The information is further enriched
• Gathering data from multiple non-threat sources
• Normalizing it into a consistent format
• Pivoting
Facilitate collaboration among security experts
• Annotation, labeling
18. GTIP – MALWARE TAINT ANALYSIS ENGINE
Dynamic data-flow analysis that tracks every movement of every bit of data handled by the malware on a computer.
Keeps track of the trace of "tags"
• Tags are identifiers placed on data, and are propagated as the data moves inside the computer, automatically tracking and identifying data provenance.
(Diagram labels: malware binaries, analytics engine, blacklist.)
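The slide describes taint tracking in one sentence; the mechanics are easier to see in miniature. The block below is an added example, not NTT's engine: each byte of a buffer carries a frozenset of provenance tags, the tags follow the bytes through concatenation, slicing, XOR, table lookup and hex encoding, and a simulated socket write reports which sources reached the network. The file path, destination, key and payload are constructed. A real engine does the same at the instruction level inside an emulator or instrumented VM.

```python
"""Byte-level dynamic taint tracking, in miniature.

Added example, not NTT's engine. Each byte carries a tag set naming its
provenance; tags follow the data through copies, arithmetic and encoding,
and a sink check reveals what reached the network. File path, destination
and payload are constructed.
"""


class Tainted:
    """A byte string plus one frozenset of provenance tags per byte."""

    def __init__(self, data, tags=None):
        self.data = bytes(data)
        self.tags = list(tags) if tags is not None else [frozenset()] * len(self.data)
        if len(self.tags) != len(self.data):
            raise ValueError("one tag set per byte")

    def __add__(self, other):            # concatenation: tags travel with bytes
        return Tainted(self.data + other.data, self.tags + other.tags)

    def __getitem__(self, idx):          # slicing: tags are sliced alongside
        if isinstance(idx, slice):
            return Tainted(self.data[idx], self.tags[idx])
        return Tainted(self.data[idx:idx + 1], self.tags[idx:idx + 1])

    def xor(self, key):
        """XOR with a repeating key; output tag = input tag | key tag."""
        out, tags = bytearray(), []
        for i, b in enumerate(self.data):
            j = i % len(key.data)
            out.append(b ^ key.data[j])
            tags.append(self.tags[i] | key.tags[j])
        return Tainted(bytes(out), tags)

    def translate(self, table):
        """Table lookup (as in base64 or a substitution cipher). The policy here
        propagates the index byte's tag to the looked-up byte; engines that do
        not propagate through memory indexes under-taint table-driven encoders."""
        return Tainted(bytes(table[b] for b in self.data), list(self.tags))

    def hex(self):
        """Hex-encode; each input byte fans out into two tagged output bytes."""
        out, tags = bytearray(), []
        for b, t in zip(self.data, self.tags):
            out += b"%02x" % b
            tags += [t, t]
        return Tainted(bytes(out), tags)

    def provenance(self):
        return frozenset().union(*self.tags)

    def tainted_count(self):
        return sum(1 for t in self.tags if t)


ROT13_TABLE = bytes((b + 13) % 256 for b in range(256))   # constructed encoder table


def taint_source(label, data):
    """Data entering from a monitored source (file read, keyboard, socket)."""
    return Tainted(data, [frozenset({label})] * len(data))


def network_sink(dst, payload, log):
    """Record any provenance that reaches an outbound socket write."""
    sources = payload.provenance()
    if sources:
        log.append({"dst": dst, "sources": sorted(sources),
                    "tainted_bytes": payload.tainted_count(),
                    "total_bytes": len(payload.data)})
    return bool(sources)


def simulate_exfil():
    """Sample run: read a document, obfuscate it, post it to a C2 host."""
    log = []
    secret = taint_source("file:C:/Users/victim/secret.docx", b"ACCOUNT 4111-1111")
    key = Tainted(b"\x5a")                        # hard-coded key: untainted
    header = Tainted(b"POST /upload HTTP/1.1\r\n\r\n")
    body = secret.xor(key).translate(ROT13_TABLE).hex()
    network_sink("203.0.113.5:443", header + body, log)        # flagged
    network_sink("203.0.113.5:443", Tainted(b"GET /ping"), log)  # clean beacon
    return log


if __name__ == "__main__":
    print(simulate_exfil())
```

Two caveats a practitioner should keep in mind: this tracks explicit data flow only, so a leak encoded in control flow (branching on a secret bit and sending a constant) is invisible to it, and the tag-through-index policy in `translate` is a choice; turn it off and a base64 encoder laundders the taint.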
19. IMPORTANT ISSUES FOR THE FUTURE OF CYBERSECURITY
• Information sharing
• Big data and machine learning for malware and traffic analysis
• Software-defined security orchestration
21. MALWARE CLASSIFICATION BY MACHINE LEARNING
Applying machine learning to both dynamic and static analysis
• Features from execution in the GTIP Malware Taint Analysis Engine (dynamic analysis)
• Features extracted from raw files (static analysis)
Preliminary experiments give a promising 98% accuracy
• 4,000 malware files and 3,000 benign files
• Windows binaries
The same approach can be applied to other types of malware
• Mobile (.apk), PDF, JavaScript, MS Office, etc.
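A headline accuracy figure needs two companions to be interpretable: the majority-class baseline (on the deck's 4,000/3,000 split, always answering "malware" already scores 57%) and the false-positive rate, which is what hurts once the model runs over a fleet where benign files outnumber malware by orders of magnitude. The block below is an added example, not NTT's classifier: it pulls two static features from raw bytes, trains a nearest-centroid model on a constructed corpus (packed-looking random bytes standing in for malware, text-like bytes for benign) with a held-out split, and returns the full metric set. The dynamic features the deck takes from the taint engine are not modelled.

```python
"""Static-feature malware classification with a proper evaluation report.

Added example, not NTT's classifier. The corpus is constructed: "malware" is
modelled as packed/encrypted (near-uniform) bytes, "benign" as text-like
bytes, so two cheap static features separate them. evaluate() reports the
class prior and the false-positive rate alongside accuracy.
"""
import math
import random
from collections import Counter


def byte_entropy(data):
    """Shannon entropy in bits per byte (8.0 = uniform, roughly 4.5 = English text)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def static_features(data):
    """Two features a static analyser can pull from the raw file."""
    printable = sum(32 <= b < 127 for b in data) / max(len(data), 1)
    return (byte_entropy(data), printable)


class NearestCentroid:
    """Smallest possible classifier: the class whose mean feature vector is
    closest wins. Stands in for the real model."""

    def fit(self, X, y):
        self.centroids = {}
        for label in set(y):
            rows = [x for x, l in zip(X, y) if l == label]
            self.centroids[label] = tuple(sum(col) / len(rows) for col in zip(*rows))
        return self

    def predict(self, x):
        return min(self.centroids,
                   key=lambda l: sum((a - b) ** 2 for a, b in zip(x, self.centroids[l])))


def evaluate(y_true, y_pred, positive="malware"):
    """Confusion-matrix metrics plus the majority-class baseline."""
    tp = sum(t == positive and p == positive for t, p in zip(y_true, y_pred))
    fp = sum(t != positive and p == positive for t, p in zip(y_true, y_pred))
    fn = sum(t == positive and p != positive for t, p in zip(y_true, y_pred))
    tn = len(y_true) - tp - fp - fn
    return {
        "accuracy": (tp + tn) / len(y_true),
        "precision": tp / (tp + fp) if tp + fp else 0.0,
        "recall": tp / (tp + fn) if tp + fn else 0.0,
        "fpr": fp / (fp + tn) if fp + tn else 0.0,
        "majority_baseline": max(Counter(y_true).values()) / len(y_true),
    }


def majority_baseline(n_pos, n_neg):
    """Accuracy of always predicting the larger class (4000 vs 3000 -> 0.571)."""
    return max(n_pos, n_neg) / (n_pos + n_neg)


WORDS = b"the report found that outdated java and flash accounted for most internal findings".split()


def build_corpus(n_malware=40, n_benign=30, size=512, seed=7):
    """Constructed samples in the deck's 4:3 class ratio."""
    rng = random.Random(seed)
    samples = []
    for _ in range(n_malware):      # packed payload: near-uniform bytes
        samples.append((bytes(rng.getrandbits(8) for _ in range(size)), "malware"))
    for _ in range(n_benign):       # text-like file
        samples.append((b" ".join(rng.choice(WORDS) for _ in range(size // 4))[:size], "benign"))
    rng.shuffle(samples)
    return samples


def run_experiment(seed=7):
    """Train on 70%, score the held-out 30%; never evaluate on training data."""
    samples = build_corpus(seed=seed)
    split = int(len(samples) * 0.7)
    train, test = samples[:split], samples[split:]
    clf = NearestCentroid().fit([static_features(d) for d, _ in train], [l for _, l in train])
    y_true = [l for _, l in test]
    y_pred = [clf.predict(static_features(d)) for d, _ in test]
    return evaluate(y_true, y_pred)


if __name__ == "__main__":
    print(run_experiment())
    print("deck baseline:", round(majority_baseline(4000, 3000), 3))
```

The toy corpus is separable on purpose; on real binaries the interesting question is where the 2% error sits, and a report that shows FPR makes that visible where accuracy alone does not.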
22. TEMPORAL VISUALIZATION AND ANALYSIS
• Different types of attacks and CKC phases show distinguishing temporal patterns.
• By visualizing and analyzing the patterns, we are exploring a way of taking action earlier, more quickly and more effectively.
(Figure captions: "SSH attacks access many targets in the Reconnaissance phase"; "A malware attack accesses only one target in the Exploitation phase".)
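The two figure captions describe exactly the statistics a detector can compute from flow records: how many distinct targets a source touches inside a short window, and how regularly it returns to a single one. The following is an added example, not NTT's visualization: it profiles constructed connection records (an SSH sweep across a /24 in under a minute, a single host contacted every 20 minutes for two hours, and one lone connection) and labels each source with the temporal pattern and the kill-chain phase it suggests. Timestamps, addresses and thresholds are constructed.

```python
"""Temporal profiling of connection logs: scan-like fan-out versus
single-target repetition.

Added example, not NTT's visualisation. Events are constructed flow records
(epoch seconds, source, destination, destination port).
"""
from collections import defaultdict
from statistics import median

T0 = 1_425_974_400  # constructed base time: 10 Mar 2015 08:00:00 UTC

EVENTS = (
    # SSH sweep: 12 distinct targets in 55 seconds
    [(T0 + 5 * i, "203.0.113.9", f"10.0.1.{10 + i}", 22) for i in range(12)]
    # repeated SMB contact with one host every 20 minutes for two hours
    + [(T0 + 1200 * i, "198.51.100.33", "10.0.1.5", 445) for i in range(7)]
    # a lone connection
    + [(T0 + 30, "192.0.2.77", "10.0.1.8", 443)]
)


def temporal_profile(events, window=300):
    """Per source: event count, distinct targets, largest number of distinct
    targets inside any single window, median inter-arrival gap and total span."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in events:
        by_src[src].append((ts, dst, dport))
    profiles = {}
    for src, rows in by_src.items():
        rows.sort()
        per_window = defaultdict(set)
        for ts, dst, dport in rows:
            per_window[ts // window].add((dst, dport))
        gaps = [b[0] - a[0] for a, b in zip(rows, rows[1:])]
        profiles[src] = {
            "events": len(rows),
            "distinct_targets": len({(d, p) for _, d, p in rows}),
            "max_fanout_per_window": max(len(s) for s in per_window.values()),
            "median_gap_s": median(gaps) if gaps else None,
            "span_s": rows[-1][0] - rows[0][0],
        }
    return profiles


def label(profile, scan_threshold=5, repeat_threshold=3):
    """Map a profile to its temporal pattern and the CKC phase it suggests."""
    if profile["max_fanout_per_window"] >= scan_threshold:
        return "scan-like: many targets in a short burst (reconnaissance)"
    if profile["distinct_targets"] == 1 and profile["events"] >= repeat_threshold:
        return "single-target, repeated contact (exploitation or C2 check-in)"
    return "insufficient evidence"


def analyse(events=EVENTS):
    """Profiles with the pattern label attached, keyed by source address."""
    return {src: dict(p, pattern=label(p)) for src, p in temporal_profile(events).items()}


if __name__ == "__main__":
    for src, p in analyse().items():
        print(src, p)
```

The median gap is what separates a beacon from a human: a source that comes back to one host at a steady interval with little jitter is worth a second look even when every individual connection is benign-looking.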
23. TRAFFIC ANALYSIS: BOTNET INFRASTRUCTURE DETECTION
Network providers, vendors and law enforcement could detect bot masters and their infrastructure by working together.
Information sharing and massively scalable analytics are the key:
• Streaming analytics
• Machine learning
Detection techniques shown in the diagram:
• ML outlier detection
• Blacklists, DNS sinkholes, passive DNS, DNS cache, domain generation algorithm (DGA) detection, domain profiling, ML clustering
• Netflow analysis, behavior analysis
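Several of the diagram's techniques combine naturally in one pass over DNS data: a lexical DGA score on each queried name, the NXDOMAIN burst that an infected host produces while it walks its generated list, and a cross-reference of answers against known sinkhole addresses. The block below is an added example, not NTT's analytics: the domains, client addresses, sinkhole address and resolution results are constructed, and the scoring is a first-pass heuristic (entropy, vowel ratio, consonant runs, digits) of the kind that precedes a trained model, with a naive second-to-last-label extraction rather than a public-suffix list.

```python
"""DGA scoring over passive-DNS style records, cross-referenced with a
sinkhole list.

Added example, not NTT's analytics. Domains, client IPs, sinkhole address
and answers are constructed; the score is a lexical heuristic.
"""
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")
SINKHOLES = {"192.0.2.10"}   # constructed: an address a research sinkhole answers from

# (client, qname, rcode, answer) constructed passive-DNS style records
RECORDS = [
    ("10.0.0.21", "xk3jq9vbt7zq.com", "NXDOMAIN", None),
    ("10.0.0.21", "qwpzhfjtkgbd.net", "NXDOMAIN", None),
    ("10.0.0.21", "mbzvqkxtrw.org", "NXDOMAIN", None),
    ("10.0.0.21", "plvhkzjqnxtr.info", "NOERROR", "192.0.2.10"),   # resolved to a sinkhole
    ("10.0.0.21", "www.google.com", "NOERROR", "198.51.100.4"),
    ("10.0.0.22", "github.com", "NOERROR", "198.51.100.5"),
    ("10.0.0.22", "mail.example.org", "NOERROR", "198.51.100.6"),
    ("10.0.0.22", "update.microsoft.com", "NOERROR", "198.51.100.7"),
]


def entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registered_label(domain):
    """Naive: the label left of the last one (no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_score(domain):
    """0..4: number of lexical DGA indicators present in the registered label."""
    s = registered_label(domain)
    letters = [ch for ch in s if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / max(len(letters), 1)
    digit_ratio = sum(ch.isdigit() for ch in s) / max(len(s), 1)
    run = best = 0
    for ch in s:                                   # longest run of consonant letters
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return sum([
        len(s) >= 10 and entropy(s) > 3.2,        # long and high-entropy
        vowel_ratio < 0.2,                        # unpronounceable
        best >= 5,                                # e.g. "qwpzhf"
        digit_ratio > 0.2,                        # digits sprinkled in
    ])


def is_dga(domain, threshold=2):
    return dga_score(domain) >= threshold


def profile_clients(records, nx_threshold=3):
    """Per client: DGA-looking NXDOMAIN count (the bot tries many generated
    names before one resolves), DGA-looking names that did resolve, and
    answers landing on a known sinkhole."""
    report = defaultdict(lambda: {"dga_nxdomain": 0, "dga_resolved": [], "sinkhole_hits": []})
    for client, qname, rcode, answer in records:
        r = report[client]
        if is_dga(qname):
            if rcode == "NXDOMAIN":
                r["dga_nxdomain"] += 1
            else:
                r["dga_resolved"].append(qname)
        if answer in SINKHOLES:
            r["sinkhole_hits"].append((qname, answer))
    for r in report.values():
        r["suspect"] = r["dga_nxdomain"] >= nx_threshold or bool(r["sinkhole_hits"])
    return dict(report)


if __name__ == "__main__":
    for client, r in profile_clients(RECORDS).items():
        print(client, r)
```

Lexical scores alone misfire on CDN hostnames and hashed subdomains, which is why the host-level signals (NXDOMAIN bursts, sinkhole answers) carry more weight than any single domain's score; the names that did resolve are the ones worth pivoting on in passive DNS to find the rest of the infrastructure.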
24. BENDABLE NETWORKS: SOFTWARE DEFINED SECURITY ORCHESTRATION
The integration of ESI and GTIP takes security operation integrity and agility to a new level.
Diagram labels: SOURCES (FW, IPS, IDS, SIEM, ...); GTIP + ESI; DEVICES; Detect; Install and update; On-demand installation; On-demand policy and configuration.
SDN + NFV + threat intelligence = bendable networks.
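"On-demand policy and configuration" driven by threat intelligence means indicators flow into enforcement points without a human typing each rule, so the vetting a human would do has to be in the code path. The block below is an added example, not the ESI/GTIP integration: it turns constructed platform indicators into an nftables block set with per-element timeouts, refusing anything internal, allowlisted, too broad, low-confidence, stale or unparseable, and returns every rejection with its reason as an audit trail. The indicators, confidence scale, allowlist, own-network range and TTL are all constructed.

```python
"""Turn platform indicators into a time-limited firewall block set.

Added example, not the ESI/GTIP integration itself. Indicators, confidence
scale, allowlist and own-network ranges are constructed; the output is an
nftables set with element timeouts so blocks expire instead of piling up.
"""
import ipaddress
from datetime import datetime, timedelta, timezone

# Ranges automation must never block. RFC 1918, loopback, link-local,
# multicast, plus (constructed) our own public range as an allowlist.
RESERVED = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

NOW = datetime(2016, 3, 15, tzinfo=timezone.utc)   # constructed clock
INDICATORS = [                                      # constructed platform output
    {"value": "203.0.113.5",    "confidence": 90, "ckc_phase": "command-and-control", "last_seen": NOW - timedelta(days=1)},
    {"value": "192.0.2.0/25",   "confidence": 85, "ckc_phase": "delivery",            "last_seen": NOW - timedelta(days=3)},
    {"value": "10.0.0.5",       "confidence": 95, "ckc_phase": "exploitation",        "last_seen": NOW},
    {"value": "198.51.100.77",  "confidence": 99, "ckc_phase": "exploitation",        "last_seen": NOW},
    {"value": "203.0.113.0/24", "confidence": 60, "ckc_phase": "reconnaissance",      "last_seen": NOW},
    {"value": "0.0.0.0/0",      "confidence": 99, "ckc_phase": "delivery",            "last_seen": NOW},
    {"value": "192.0.2.44",     "confidence": 80, "ckc_phase": "command-and-control", "last_seen": NOW - timedelta(days=40)},
    {"value": "not-an-ip",      "confidence": 80, "ckc_phase": "delivery",            "last_seen": NOW},
]


def vet_indicator(ind, now, min_confidence=70, max_age_days=30, min_prefix=16):
    """Return None if the indicator may be pushed, else a rejection reason."""
    try:
        net = ipaddress.ip_network(ind["value"], strict=False)
    except ValueError:
        return "unparseable value"
    if net.version != 4:
        return "only IPv4 handled here"
    if net.prefixlen < min_prefix:
        return f"prefix /{net.prefixlen} too broad"
    if any(net.overlaps(r) for r in RESERVED):
        return "internal or non-routable range"
    if any(net.overlaps(a) for a in ALLOWLIST):
        return "overlaps allowlist"
    if ind["confidence"] < min_confidence:
        return f"confidence {ind['confidence']} below {min_confidence}"
    if now - ind["last_seen"] > timedelta(days=max_age_days):
        return "indicator stale"
    return None


def build_policy(indicators, now, ttl_hours=24):
    """Produce nft commands plus the audit list of (value, reason) rejections."""
    accepted, rejected = [], []
    for ind in indicators:
        reason = vet_indicator(ind, now)
        (rejected.append((ind["value"], reason)) if reason else accepted.append(ind))
    lines = [
        "add table inet ti",
        "add set inet ti block { type ipv4_addr; flags interval, timeout; }",
        "add chain inet ti input { type filter hook input priority 0; policy accept; }",
        "add rule inet ti input ip saddr @block counter drop",
    ]
    for ind in accepted:   # timeout makes each block self-expiring; re-push to renew
        lines.append(
            f"add element inet ti block {{ {ind['value']} timeout {ttl_hours}h }}"
            f"  # {ind['ckc_phase']}, confidence {ind['confidence']}"
        )
    return lines, rejected


if __name__ == "__main__":
    lines, rejected = build_policy(INDICATORS, NOW)
    print("\n".join(lines))          # feed to: nft -f -
    for value, reason in rejected:
        print(f"rejected {value}: {reason}")
```

The timeout is the important design choice: an automated feed that only ever adds rules grows a block list nobody owns, while self-expiring elements mean an indicator stays blocked exactly as long as the platform keeps re-asserting it.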
25. ACCELERATING THE TRANSFORMATION OF IDEAS FROM LAB TO MARKET
http://www.ntti3.com
https://twitter.com/ntti3
https://www.linkedin.com/company/nttinnovationinstitute
https://www.facebook.com/nttinnovation
https://www.youtube.com/user/NTTi3Channel