creating a trust group for security information sharing
play

Creating a trust-group for security information sharing (in Asia - PowerPoint PPT Presentation

Feb 18, 2023 •149 likes •338 views

Creating a trust-group for security information sharing (in Asia Pacific?) Romain Wartel, ISGC 2018, Taipei, 20 March 2018 Indicators of compromise Examples of indicators: IP or domain names May be shared and used for legitimate

  1. Creating a trust-group for security information sharing (in Asia Pacific?) Romain Wartel, ISGC 2018, Taipei, 20 March 2018

  2. Indicators of compromise • Examples of indicators: – IP or domain names • May be shared and used for legitimate purposes or recycled • Easy to use – File names or file hashes • May be trivially changed • Easy to use – Yara rules, regular expression, etc. • Less chance of false positives • More costly to use – Email headers and fields 2

  3. Threat intelligence • Proposed definition — not universal • Threat intelligence includes: – Indicators of compromise (IP addresses, hashes, etc.) – Contextual information – Tactics, Technique and Procedures for a malicious actor • Goal: Enable the recipient to take action – As a preventive measure – As a remediation against ongoing or past attacks 3

  4. Sourcing intelligence • No shortage of sources! 
 • Public feeds, raw or filtered • Paid-for feeds from security vendors • Tailored blends of private and public feeds for sale • “Black box” appliances – Intelligence data not available for review – Data is analysed by the system or appliance – Alert is raised upon positive match of a proprietary indicator • But is this a good investment? – Catch more than low-risk threats and internet background noise? – How about the false positive rate? 4

  5. Relevance • Actors are continuously changing parameters – Change at least partially their infrastructure for each campaign – Fast-flux DNS infrastructures – Domain Name Generators for Command & Control – Randomised email content, mail headers (from field, subject. etc.) – Randomised malware payload (different filename and hash) • Relevance – Is it relevant to my sector, local configuration and location? – Is it actionable? – Reasonable to expect a low or manageable false positive rate? 5

  6. Quality • Key aspects of threat intelligence quality – Malicious • Often malware contacts “8.8.8.8” • Behavior requires careful analysis before flagging as indicator – Targeted • Full URLs are better than domains or IPs • Multiple customer may use the same domain • sharepoint.com or 
 https://supremeselfstorage-my.sharepoint.com/personal/andrew_supremeselfstorage_com_au/_layouts/15/guestaccess.aspx? guestaccesstoken=GTQPc%2brKLAsKHba4nXtvl0hXrBsUmCUxoYGuu9msk0U%3d&docid=0c4b96dfd3319496a8feb1a56d88de679&rev=1 – Timeliness • Bad actors also read the news and at least public feeds • Domains and IP addresses get re-assigned quickly (especially IPv4) • Infected hosts are being cleaned • Who can provide quality and relevant threat intelligence? 6

  7. Back to the basics • Research & Education is a viable market for cybercriminals – Ransomware, finance fraud, etc. • Offers a favorable cost/benefit ratio for many bad actors • Main attackers profile: – Cybercriminals (money) — less opportunistic, more targeted – Hacktivists (delay, disrupt, destroy) – Nation-states (data, strategy, tender info, technology, IP) 7

  8. Back to the basics • Most serious attack will be complex or sophisticated – Can your organisation or project defend against a nation-state or an international criminal gang with a multi-million dollars budget for both its malware and distributed attacking computing infrastructure ? – As individual organisations, it is not affordable – But as a community, we are much better positioned! • Sharing information, expertise… and threat intelligence is key 8

  9. Trust and threat intelligence • Threat intelligence in not necessarily a service • Threat intelligence is an expression of a trust relationship • Response to threats as a community – Best mean to fight sophisticated adversaries at acceptable costs 9

  10. Building a cohesive community 1. Identify like-minded organisations 2. Identify security or technical experts within them, or anyone willing to collaborate 3. Build trust relationships between participants 
 (physical meeting, sharing war stories, etc.) 4. Establish common goals, needs and issues 5. Enable participants to share sensitive information (tools, mailing list) 6. Enable participants to act on intelligence… and share back! 7. Add value by pooling resources/effort (extra expertise for forensics, tools, etc.) 8. Establish strong external links with the of the security community 
 (cross-membership, etc.) 10

  11. How to encourage new members to join? • The community can provide: – Free expertise, help, tools, tutorials, etc. – Indicators of compromise, experience from attacks • New members can provide with no security expertise: – Contact points – Access to compromised machines – Data, log files • As a new member, the bar is very low. But the benefits are high! • Similar strategy when small trust groups aim at participating in global groups – Be pro-active, share what you have/can, build trust relationship, profit. 11

  12. Conclusion • Best way to defend is to do it as a community • Threat intelligence is an output of a community response 
 • Essential to support communities in: – Building trust – Creating and sharing value – Provide support on technical issues – Connect to other Internet security trust groups • How can we (WLCG) help? • Maybe a new operational security trust group could emerge from: – Asia Tier Forum? APGRIDPMA? APAN Security Working Group? PRAGMA? 12

  13. Confidentiality Don’t Share Share only with your team Share with community but not public Share with anyone 13

  14. Mattermost or Slack 14

  15. MISP 15 https://www.circl.lu/services/misp-training-materials/

  16. MISP 16 https://www.circl.lu/services/misp-training-materials/

  17. MISP 17 https://www.circl.lu/services/misp-training-materials/

  18. Acting on threat intelligence • Sadly, sharing great threat intelligence is not sufficient • Acting on indicators is a significant challenge! 
 • Each participant must: 1. Collect enough information locally • Network flows, local logs, emails headers, etc. 2. Accumulate, parse and incorporate incoming threat intelligence 3. Correlate local information and indicators 4. Take appropriate action & manage false positives • Not only a technical challenge – Security teams “already busy” with other things – Not all data (step 1) may be within (legal, technical) reach – Need cooperation between different teams 18

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

UPDATE Crisis and Situational Awareness Work Group (CASAWG) Creating An Information Sharing

UPDATE Crisis and Situational Awareness Work Group (CASAWG) Creating An Information Sharing

UPDATE Crisis and Situational Awareness Work Group (CASAWG) Creating An Information Sharing Environment A Federated Approach to Information Sharing May 6 SCP meeting CASAWG presented a plan of action to incorporate information sharing

159 views • 11 slides
Center for Genomic Gastronomy Hacker Culture Creating and sharing with each other Placing

Center for Genomic Gastronomy Hacker Culture Creating and sharing with each other Placing

Center for Genomic Gastronomy Hacker Culture Creating and sharing with each other Placing a high value on freedom of inquiry; hostility to secrecy Information-sharing as both an ideal and a practical strategy Upholding the right to

549 views • 15 slides
UTSA Information Sharing and Coordination Initiatives collaboration and coordination to

UTSA Information Sharing and Coordination Initiatives collaboration and coordination to

Secure Information and Resource Sharing in Cloud Infrastructure as a Service Cyber Incident Response Models for Information and Resource Sharing Amy(Yun) Zhang, Ram Krishnan, Ravi Sandhu Institute for Cyber Security University of Texas at San

219 views • 17 slides
CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom

CS 166: Information Security Secret Sharing, Random Numbers, and Information Hiding Prof. Tom Austin San Jos State University Secret Sharing: Motivation Goal: make secret available, but make it hard to peek. Divide secret among

731 views • 48 slides
Biovigilance Component Hemovigilance Module Data Sharing in NHSN Creating and Maintaining a

Biovigilance Component Hemovigilance Module Data Sharing in NHSN Creating and Maintaining a

Biovigilance Component Hemovigilance Module Data Sharing in NHSN Creating and Maintaining a Group National Center for Emerging and Zoonotic Infectious Diseases Division of Healthcare Quality Promotion 1 Objectives Describe the Group

521 views • 34 slides
Data Sharing in NHSN: Creating a Group June 2011 National Center for Emerging and Zoonotic

Data Sharing in NHSN: Creating a Group June 2011 National Center for Emerging and Zoonotic

Data Sharing in NHSN: Creating a Group June 2011 National Center for Emerging and Zoonotic Infectious Diseases Division of Healthcare Quality Promotion Objectives Objectives Describe the Group function in NHSN Outline the steps in

281 views • 25 slides
Mobile Trust Telecommunications AG (MTT AG) presents Stealthphone Information Security System

Mobile Trust Telecommunications AG (MTT AG) presents Stealthphone Information Security System

Cyber security is a National Security Priority Bara k Obama Mobile Trust Telecommunications AG (MTT AG) presents Stealthphone Information Security System Stay invisible in the digital world ABOUT THE COMPANY MTT AG Company

593 views • 21 slides
TrustNeighborhoods: Visualizing Trust in Distributed File Sharing Trust in Distributed File

TrustNeighborhoods: Visualizing Trust in Distributed File Sharing Trust in Distributed File

3D Trust Visualization TrustNeighborhoods: Visualizing Trust in Distributed File Sharing Trust in Distributed File Sharing Systems Niklas Elmqvist [elm@lri.fr] Philippas Tsigas [tsigas@chalmers.se] Chalmers University of Technology Chalmers

531 views • 21 slides
Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security

Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security

Cyber Security and Smart Infrastructure: Research Dr. Stacy Prowell Chief Cyber Security Research Scientist Oak Ridge National Laboratory Main Points Information Sharing Enable discovering and sharing information about real threats to

216 views • 6 slides
OSS is changing the Security information sharing landscape. Focus on the MISP objects and other

OSS is changing the Security information sharing landscape. Focus on the MISP objects and other

OSS is changing the Security information sharing landscape. Focus on the MISP objects and other recent improvements on the platform Rapha el Vinot - TLP:WHITE info@circl.lu RMLL 2017 TL;DR Started in 2012 by Christophe Vandeplas (Belgian

793 views • 31 slides
Cyber Security Information Sharing Oscar Serrano NCI Agency Cyber Security Service Line

Cyber Security Information Sharing Oscar Serrano NCI Agency Cyber Security Service Line

Cyber Security Information Sharing Oscar Serrano NCI Agency Cyber Security Service Line DeepSec 2014, Vienna, 21 November 2014 NATO UNCLASSIFIED Cyber Security In NATO NATO in a nutshell: Collective defence Interoperable

666 views • 42 slides
Investor Presentation Creating the largest Singapore infrastructure-focused business trust

Investor Presentation Creating the largest Singapore infrastructure-focused business trust

Investor Presentation Creating the largest Singapore infrastructure-focused business trust February 2015 Disclaimer The information contained in this presentation is for information purposes only and does not constitute or form part of, and

678 views • 33 slides
Management Integration Management Integration with Chuo Mitsui Trust Group with Chuo Mitsui

Management Integration Management Integration with Chuo Mitsui Trust Group with Chuo Mitsui

Management Integration Management Integration with Chuo Mitsui Trust Group with Chuo Mitsui Trust Group ith Ch ith Ch Mit Mit i T i T t G t G - Creating The Trust Bank with a Combination of Expertise - Creating The Trust Bank

394 views • 16 slides
Proposal for a new model for information sharing between CSIRTs Ir. David Durvaux - Security

Proposal for a new model for information sharing between CSIRTs Ir. David Durvaux - Security

Proposal for a new model for information sharing between CSIRTs Ir. David Durvaux - Security Analyst Christian Van Heurck Coordinator 24 th annual FIRST conference Malta - 17-22 June 2012 Knowledge is power . Knowledge shared is

404 views • 39 slides
I have a chromebook. NOW WHAT!?! Deb Marsh Megan Young Kim Koehn Creating Groups Creating

I have a chromebook. NOW WHAT!?! Deb Marsh Megan Young Kim Koehn Creating Groups Creating

I have a chromebook. NOW WHAT!?! Deb Marsh Megan Young Kim Koehn Creating Groups Creating groups can be used Contact Video for emailing or sharing documents for your class. Students can be in more than one group. Create a new Document

604 views • 28 slides
Stay invisible in the digital world 1 Mobile Trust Telecommunications About us We provide a

Stay invisible in the digital world 1 Mobile Trust Telecommunications About us We provide a

Cyber security is a National Security Priority Barack Obama Mobile Trust Telecommunications (MTT) presents Stealthphone Information Security System Stay invisible in the digital world 1 Mobile Trust Telecommunications About us We

501 views • 21 slides
Outline Bloom filters Applications of Bloom filters Our replacement for Bloom filters

Outline Bloom filters Applications of Bloom filters Our replacement for Bloom filters

An Optimal Bloom Filter Replacement a Rasmus Pagh, IT University of Copenhagen Joint work with Anna Pagh, IT University of Copenhagen S. Srinivasa Rao, University of Waterloo a To appear in SODA 2005 1 Outline Bloom filters

405 views • 18 slides
CS 473: Algorithms Chandra Chekuri Ruta Mehta University of Illinois, Urbana-Champaign Fall

CS 473: Algorithms Chandra Chekuri Ruta Mehta University of Illinois, Urbana-Champaign Fall

CS 473: Algorithms Chandra Chekuri Ruta Mehta University of Illinois, Urbana-Champaign Fall 2016 Chandra & Ruta (UIUC) CS473 1 Fall 2016 1 / 22 CS 473: Algorithms, Fall 2016 Fingerprinting Lecture 11 September 28, 2016 Chandra

960 views • 81 slides
Estimating the false positive percentage of Kepler single systems

Estimating the false positive percentage of Kepler single systems

Estimating the false positive percentage of Kepler single systems from the multi systems Brandon Tingley, Aarhus University Ewan Cameron, Oxford University

364 views • 19 slides
Classification Image Classification Set of predefined categories [eg: table, apple, dog, giraffe]

Classification Image Classification Set of predefined categories [eg: table, apple, dog, giraffe]

Day 1 Lecture 2 Classification Image Classification Set of predefined categories [eg: table, apple, dog, giraffe] Binary classification [1, 0] DOG 2 Image Classification 3 Image Classification pipeline Dog 4 Slide credit: Jose M lvarez

339 views • 23 slides
Christian Folini / @ChrFolini Introducing the OWASP ModSecurity Core Rule Set 3.0 Seat Belts

Christian Folini / @ChrFolini Introducing the OWASP ModSecurity Core Rule Set 3.0 Seat Belts

Christian Folini / @ChrFolini Introducing the OWASP ModSecurity Core Rule Set 3.0 Seat Belts Defense in Depth 1 st Line of Defense The Plan for Today What is a WAF / what is ModSecurity? What is the Core Rule Set 3.0 (CRS3)

635 views • 21 slides
THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e ,

THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e ,

THE MILLERRABIN PRIMALITY TEST 1. Fast Modular Exponentiation Given positive integers a , e , and n , the following algorithm quickly computes the reduced power a e % n . ( Initialize ) Set ( x, y, f ) = (1 , a, e ). ( Loop ) While f >

175 views • 5 slides
Category-level localization Cordelia Schmid Recognition Classification Object

Category-level localization Cordelia Schmid Recognition Classification Object

Category-level localization Cordelia Schmid Recognition Classification Object present/absent in an image Often presence of a significant amount of background clutter Localization / Detection Localize object within the

712 views • 56 slides
Bloom Filters and their Applications These slides were developed by -- and used with permission

Bloom Filters and their Applications These slides were developed by -- and used with permission

Bloom Filters and their Applications These slides were developed by -- and used with permission from -- Shengquan Wang. CPSC 662 Introduction Membership Query Given a set S={x 1 , x 2 , , x n } on a universe U , want to answer the query

304 views • 12 slides

More recommend