WWW.NSFOCUS.COM

FROM THREAT HUNTING TO CROWD DEFENSE
Richard ZHAO
CTO, SVP Research, NSFOCUS
San Francisco, Nov. 15, 2017
InfoQ.com: News & Community Site
• Over 1,000,000 software developers, architects and CTOs read the site worldwide every month
• 250,000 senior developers subscribe to our weekly newsletter
• Published in 4 languages (English, Chinese, Japanese and Brazilian Portuguese)
• Post content from our QCon conferences
• 2 dedicated podcast channels: The InfoQ Podcast, with a focus on Architecture, and The Engineering Culture Podcast, with a focus on building
• 96 deep dives on innovative topics packed as downloadable emags and minibooks
• Over 40 new content items per week

Watch the video with slide synchronization on InfoQ.com!
https://www.infoq.com/presentations/ti-ai-crowd-defense
Purpose of QCon
- to empower software development by facilitating the spread of knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide
Presented at QCon San Francisco
www.qconsf.com
In early March, the Department of Homeland Security sent Equifax and other companies an alert about a critical vulnerability in software that Equifax used in an online portal for recording customer disputes.

The company sent out an internal email requesting that its technical staff fix the software, but “an individual did not ensure communication got to the right person to manually patch the application,” Mr. Smith told the subcommittee.

That was compounded by a technical error: The scanning software that Equifax used to detect vulnerabilities failed to find the unpatched hole, he said.
Source: https://www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html
Apache Struts CVE-2017-5638 (S2-045)
TIMELINE OF EQUIFAX BREACH
Credit: http://lists.immunityinc.com/pipermail/dailydave/2017-September/001421.html?utm_content=buffer728aa&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer
- 2017-03-06: Apache announces struts2 bug
- 2017-03-07: PoC exploit released to public
- 2017-03-10: Equifax compromised via struts exploit
- 2017-03-13: 30 webshells installed
- 2017-04-xx: Oracle releases quarterly bundle of patches, including the Struts patch
- 2017-06-30: Equifax patched their struts installs
- 2017-07-29: Equifax discovers they have been compromised
- 2017-07-30: Equifax evicts the elite hackers and their 30 webshells
WIN YOUR ADVERSARIES. IT’S A RACE
Struts2 S2-045 attack numbers detected during Mar. 7 - Mar. 9 (timeline chart)
Milestones on the chart (elapsed time measured from the alert):
- 09:53 Alert
- 14:46 Vulnerability detection (scanning/testing) ready: 4 h 53 m after the alert
- 18:06 Prevention (defense) ready: 8 h 13 m after the alert
- 20:03 First attack detected: 10 h 10 m after the alert
Attack spikes: 1st spike 183 (4 AM - 5 AM, day 1); 2nd spike 245 (9 PM - 10 PM, day 2)
Data Source: NSFOCUS Security Cloud and Threat Intelligence Center, covering websites under protection: 458
ANYTHING BEYOND 35 IP ADDRESSES?
Mandiant, the FireEye unit that Equifax called in to investigate the breach, said it has detected about 35 IP addresses the attackers used to access the company's network. The hackers' identity remains unknown. Mandiant has been unable to attribute the breach to any hacking groups it currently tracks, and the tools, tactics, and procedures used in the hack don't overlap with those seen in previous Mandiant investigations.
Source: https://arstechnica.com/information-technology/2017/09/massive-equifax-hack-reportedly-started-4-months-before-it-was-detected/
WHY DID IT HAPPEN AGAIN AFTER TARGET?
Willingness? Resource/domain knowledge? Intelligence/prioritization?
Data Source: A “Kill Chain” Analysis of the 2013 Target Data Breach

Like the old joke about two guys running away from a deadly grizzly bear, you can’t outrun the security implications of a poorly designed financial transaction environment. What you can do is outrun your competitors, making it much more likely that they will be hacked by the security bear, before it ever gets close to your vulnerabilities.
…
The bear is hungry, and he knows where to find food.
Source: https://blogs.gartner.com/jay-heiser/2017/10/05/outrunthebear/
THE GAME OF OFFENSE AND DEFENSE
• No 100% security, i.e. defense will always fail some day, at some points
• Defense must be capable of
  - containing some local failures while keeping control of the whole
  - defending in depth, i.e. avoiding “checkmate in one”
  - having visibility and a “global” view
• Timeliness, timeliness, timeliness…
Models on the offense/defense diagram: PDR (Protect, Detect, Respond), CKC (Cyber Kill Chain), Diamond, …
STRATEGY FOR DIFFERENT BATTLEFIELDS
(2x2 matrix of Offense/Defense against Targeted/Untargeted; battlefields B1 - B4)
Targeted Defense:: some sort of ”dark tech” beyond offense’s radar
>> Deception, tokenization, honey…
>> Fight with dimensions…
Untargeted Offense:: no special verticals and regions
>> Focus on sea volume (huge N) and automation (lower C)
Untargeted Defense:: commercial off-the-shelf products or open source stacks
>> Focus on probability and statistics, weakening the automation and repeatability of offenders
Targeted Offense:: customized “evasion” against “detection” of the target, i.e. “unknown” threats
>> Customization means higher cost
>> Rapid assembly with some level of reuse…
SECURITY INSIDE THE LONG TAIL
(chart: value of target / magnitude of damage against attack surface/vectors)
Traditional Detection (high volume): known attack types, large quantities, and mostly targeting exposures of peripheral systems; average/repeat offenders
TH/TI/UEBA/MDR/… (the long tail): unknown attack types, unknown quantities, and mostly targeting internal core assets/business/personnel; advanced/targeted offenders
• TH: Threat Hunting
• TI: Threat Intelligence
• UEBA: User Entity Behavior Analytics
• MDR: Managed Detection and Response
THREAT HUNTING IS TO PURSUE THE UNKNOWN
Credit: Dr. Anton Chuvakin, How to Hunt for Security Threats, April 2017
Threat Hunting:: the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions.
Source: https://en.wikipedia.org/wiki/Cyber_threat_hunting
Typically, TH, starting from a hypothesis, is commissioned to search for advanced, targeted, unknown threats; it may be analytics-driven, situational-awareness-driven, or intelligence-driven.
BEFORE GOING DEEPER INTO TH/TI/UEBA, LET’S LOOK INTO DETECTION IN PRACTICE
Engines (TI/Reputation, Shellcode/Static Check, Virtual Exec./Sandboxing, Signature Detection) work collaboratively:
• TI/Reputation: lowest cost; real time; known files/IP/C2/URL (black or white)
• Shellcode/Static Check: almost real time; checks the attack payload (more IOCs)
• Virtual Exec./Sandboxing: resource intensive; time delay
APPLICATION COST/EFFICIENCY MATTERS

                   False Negative (7442 entries)    False Positive (1458625 entries)
Items              FN Ratio     Time (s)            FP Ratio     Time (s)
ML-Rule            0.0268%      0.055028            0.00075%     0.88
Traditional Rule   0.6046%      0.055290            0.34%        3.04

(The detection-engine diagram from the previous slide is repeated here.)
THREAT INTELLIGENCE IS USED TO
TI objects: Hacker/Actors (skill, intention, goal, plan); TTP (Tactic, Technique, Procedure); Campaign (goal, loss); Attack Pattern; Malware; Infrastructure (ip, domain, url, botnet, …); Tool; Vuln.; Process; Event; IOC (Indicator of Compromise); COA (Course of Action)
Levels: Strategic TI (situational development), Operational TI, Tactical TI
Uses:
• Real Time Blocking
• Security Operations
• Threat Research & Hunting
HOWEVER, THREAT INTEL IS HARD TO HARNESS
• Intensive domain knowledge required
• Too much or too little
• Hard to automate
• False positive/false negative
CLOSED-LOOP OPERATION IS CRITICAL TO REFINE THREAT INTEL
Cycle:
- TI Produce: TI with enrichment inside TI cloud
- Consume: consumed by IPS/FW/SIEM/Attribution/etc.
- Triage: identify, remove false negatives, map, prioritize, etc.
- Enriched Profile: enriched profiling of threat actors, campaigns, etc.
- TI Update: push updated TI or release early warning
Barriers to sharing/feedback:
• Privacy & liability
• Fear of revealing the breach incident(s)
• No visible return value to share/feedback
IN SHORT, THREAT INTEL IS NOT A SILVER BULLET
1. Threat Intel is sort of ”middleware”, particularly for tactical TI. Maturity and service delivery are critical.
2. TI is not a “silver bullet”. There is always imperfection in any intelligence, therefore experts and “professional” analytical operations are always needed to realize value.
3. Considering counter-intelligence, TI should be classified (e.g. Advanced Threat Intelligence (ATI) vs. TI); it won’t and should not be shared and distributed 100% openly.
4. For many organizations without a strong dedicated security operations team, TI/reputation-enhanced products/services are better choices.
"Distrust and caution are the parents of security" - Benjamin Franklin
- CII and giant organizations: ATI Enhanced Products, ATI Enhanced Services, ATI Enhanced Reports/Feeds
- Large organizations: TI Enhanced Products, TI Enhanced Services
- SME/SMB: Reputation Enhanced Products, Reputation Enhanced Services
UEBA AND PROFILING ARE OTHER IMPORTANT MEANS TO FIGHT UNKNOWNS
UEBA:: User and Entity Behavior Analytics offers profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods (e.g., rules that leverage signatures, pattern matching and simple statistics) and advanced analytics (e.g., supervised and unsupervised machine learning); a cybersecurity process about detection of insider threats, targeted attacks, and financial fraud.
Source: https://en.wikipedia.org/wiki/User_behavior_analytics
Network entity profile: basic information, application information, threat information, industry information, correlation information, overall assessment
THE WORLD IS CATEGORIZED INTO BLACK, WHITE AND GREY IN THE EYE OF A UEBA/PROFILING ANALYST
Black / Grey / White
Signals used to place an entity:
• Alexa ranking
• DNS access ranking
• IP access ranking
• Historical alerts
• External reputation
• Historical vulnerabilities
• Historical threat levels
• Associated entity reputation
REPUTATION & PROFILING IN PRACTICE
• IP addresses can be in more than one reputation category, such as being both Phishing and Spam Source.
• Categorization of IP addresses can change over time based on behavior.
  - For example, as additional data is collected an IP address could move from DDoS (a more general category) to Botnets (a more specific behavior category).

Type          | Jan Count  | Jan % Match | Jul Count  | Jul % Match | Aug Count  | Aug % Match | Sep Count  | Sep % Match
Botnets       | 11,366,418 | 86.4476%    | 11,703,662 | 66.6832%    | 14,997,560 | 63.7386%    | 15,553,771 | 62.3452%
DDoS          | 1,116,979  | 8.4952%     | 1,382,291  | 7.8758%     | 3,500,212  | 14.8757%    | 3,998,571  | 16.0277%
Other         | 27         | 0.0002%     | 2,937,700  | 16.7380%    | 3,409,392  | 14.4897%    | 3,305,714  | 13.2505%
Scanners      | 424,930    | 3.2318%     | 1,036,679  | 5.9066%     | 1,150,699  | 4.8904%     | 1,319,770  | 5.2901%
Spam Sources  | 81,013     | 0.6161%     | 192,114    | 1.0946%     | 155,088    | 0.6591%     | 344,310    | 1.3801%
Exploits      | 107,753    | 0.8195%     | 205,188    | 1.1691%     | 215,490    | 0.9158%     | 330,684    | 1.3255%
Malware       | 10,307     | 0.0784%     | 38,731     | 0.220675%   | 40,652     | 0.1728%     | 36,593     | 0.1467%
Proxy         | 15,880     | 0.1208%     | 27,360     | 0.1559%     | 32,925     | 0.1399%     | 36,532     | 0.1464%
Phishing      | 25,012     | 0.1902%     | 24,797     | 0.1413%     | 24,531     | 0.1043%     | 17,665     | 0.0708%
Web Attacks   | 17         | 0.0001%     | 2,606      | 0.0148%     | 3,236      | 0.0138%     | 4,210      | 0.0169%
Total         | 13,148,336 |             | 17,551,128 |             | 23,529,785 |             | 24,947,820 |
IP’S COUNTRY INFO MATTERS
ASN HAS ITS REPUTATION AS WELL

ASN      | Country/Region | Introduction
AS4134   | China          | CHINANET-BACKBONE
AS9829   | India          | National Internet Backbone
AS45899  | Vietnam        | VNPT Corp
AS4837   | China          | CNCGROUP China169 Backbone
AS9808   | China          | China Mobile Communications Corporation
AS24560  | India          | Bharti Airtel Ltd., Telemedia Services
AS45595  | Pakistan       | Pakistan Telecom Company Limited
AS203418 | United Kingdom | MARKETIGAMES_LLC
AS7552   | Vietnam        | Vietel Corporation
AS12880  | Iran           | Information Technology Company (ITC)
AS8151   | Mexico         | Uninet S.A. de C.V.
AS3462   | Taiwan         | Data Communication Business Group
AS56046  | China          | China Mobile Communications Corporation
AS9737   | Thailand       | TOT Public Company Limited
AS18403  | Vietnam        | The Corporation for Financing & Promoting Technology
AS45609  | India          | Bharti Airtel Ltd. AS for GPRS Service
AS22927  | Argentina      | Telefonica de Argentina
AS23969  | Thailand       | TOT Public Company Limited
AS2609   | Tunisia        | Tunisia BackBone AS

Oops, something weird? Pay more attention to traffic with those ASNs above this bar.
ANOMALY DETECTION BASED ON PROFILING
Source: https://www.youtube.com/watch?v=8gdtTiMt88w
You must build and maintain profiles of:
• Network access
• User behavior
• Event distribution
• …
FIGHT WITH INFERENCE CROSSING DIMENSIONS
Visibility layers (top to bottom): TTP (Tactic, Technique, Procedure), Behavior, File, Packets, Flow, Meta Info
Each layer is split into KNOWN and KNOWN UNKNOWN / To Be Trained/Hunted
TI/REPUTATION BASED THREAT HUNTING/ATTRIBUTION
• Malware -> C2 -> Bot…
  - Sandbox the malware to extract C2 (Command and Control)
  - Detect/hunt through DFI/DPI (Deep Flow Inspection/Deep Packet Inspection)
  - Verify the “bots” detected
  - Correlate with IP/domain reputation
  - Update the reputation database
  - Release to whole ecosystem
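The Malware -> C2 -> Bot loop above, as an added example that is not code from the NSFOCUS deck or its products. Everything it consumes is constructed inline: sandbox output (C2 indicators per sample), DFI/DPI-style flow records, and a small reputation table; the beacon threshold, the helper names and the data layout are assumptions. Addresses are from the RFC 5737 documentation ranges and the domain uses the reserved .invalid TLD.

```python
"""
Added example, not code from the NSFOCUS deck: a toy run of the
Malware -> C2 -> Bot hunting loop. Sandbox output, flow records and the
reputation table are all constructed inline.
"""
from collections import defaultdict

# Step 1 output: C2 indicators "extracted" by sandboxing two samples (constructed).
SANDBOX_C2 = {
    "sample-a1b2": {"203.0.113.10", "c2.example.invalid"},
    "sample-c3d4": {"198.51.100.7"},
}

# Step 2 input: flow records as DFI/DPI would emit them (constructed):
# (timestamp, src_ip, destination, dst_port); the destination is an IP
# or a name the inspection engine resolved.
FLOWS = [
    ("2017-03-10T08:00:01", "10.0.0.21", "203.0.113.10", 443),
    ("2017-03-10T08:05:02", "10.0.0.21", "203.0.113.10", 443),
    ("2017-03-10T08:10:03", "10.0.0.21", "203.0.113.10", 443),
    ("2017-03-10T08:11:00", "10.0.0.37", "c2.example.invalid", 80),
    ("2017-03-10T09:11:00", "10.0.0.37", "c2.example.invalid", 80),
    ("2017-03-10T10:11:00", "10.0.0.37", "c2.example.invalid", 80),
    ("2017-03-10T08:20:00", "10.0.0.44", "198.51.100.7", 8080),  # one-off contact
    ("2017-03-10T08:30:00", "10.0.0.50", "192.0.2.80", 443),    # unrelated traffic
]

# Reputation database (constructed): indicator -> set of categories. An
# indicator may carry several categories, as the reputation slide notes.
REPUTATION = {
    "203.0.113.10": {"Scanners"},
    "192.0.2.55": {"Spam Sources"},
}

# Assumed verification threshold: a host must contact the same C2 at least
# this many times before it is reported as a bot (a one-off lookup is not).
MIN_BEACONS = 3


def index_c2(sandbox_results):
    """Invert sandbox output into indicator -> set of samples that used it."""
    index = defaultdict(set)
    for sample, indicators in sandbox_results.items():
        for indicator in indicators:
            index[indicator].add(sample)
    return dict(index)


def hunt_bots(flows, c2_index):
    """Count contacts from each internal host to each known C2 indicator."""
    hits = defaultdict(int)
    for _ts, src, dst, _port in flows:
        if dst in c2_index:
            hits[(src, dst)] += 1
    return dict(hits)


def verify_bots(hits, min_beacons=MIN_BEACONS):
    """Keep only hosts with repeated C2 contact (beaconing)."""
    return {pair: n for pair, n in hits.items() if n >= min_beacons}


def correlate(c2_index, reputation):
    """Split C2 indicators into those already flagged as Botnets and new ones."""
    known, new = {}, set()
    for indicator in c2_index:
        categories = reputation.get(indicator, set())
        if "Botnets" in categories:
            known[indicator] = categories
        else:
            new.add(indicator)
    return known, new


def update_reputation(reputation, new_indicators, category="Botnets"):
    """Add the category without dropping existing ones; return the release feed."""
    feed = []
    for indicator in sorted(new_indicators):
        reputation.setdefault(indicator, set()).add(category)
        feed.append((indicator, sorted(reputation[indicator])))
    return feed


def run_hunt(flows=FLOWS, sandbox=SANDBOX_C2, reputation=None):
    """Run the full loop and return what each step produced."""
    # Work on a copy so the module-level table is not mutated between runs.
    reputation = {k: set(v) for k, v in (reputation or REPUTATION).items()}
    c2_index = index_c2(sandbox)
    bots = verify_bots(hunt_bots(flows, c2_index))
    known, new = correlate(c2_index, reputation)
    feed = update_reputation(reputation, new)
    return {"bots": bots, "known_c2": known, "feed": feed, "reputation": reputation}


if __name__ == "__main__":
    result = run_hunt()
    for (host, c2), n in sorted(result["bots"].items()):
        print(f"bot {host} beaconed {n}x to {c2}")
    for indicator, categories in result["feed"]:
        print(f"release {indicator}: {categories}")
```

The host that contacted a C2 once is dropped at the verification step, and the scanner-flagged address keeps its old category when Botnets is added, which is the multi-category behaviour the reputation slide describes.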
CYBER KILL CHAIN CAN BE INTRODUCED TO AUTOMATE INFERENCE
Inference Method Base: based on the attack target and the inference method base, make inferences after gaining insight into security events generated by the engine and correlate individual security events to generate complete kill chains.
Same-Source Inference: for cases where an attacker attacks one target by using various means, integrate kill chains to generate more accurate kill chain information.
Offense-Defense Tree: after the first two phases of inference regarding security events, generate a complete attack-defense tree and present information from the attack and defense angles.
Visualization of the Kill Chain: based on the generated attack-defense tree, mine and visualize the information about the attack target and attacker.
Offender Profiling: match the attacker with the intelligence provided by the attacker profile database to enrich the attacker profile and predict actions likely to be taken by the attacker.
Kill chain stages in the diagram (translated from Chinese):
- Reconnaissance: IP space scanning, phishing campaign, web application vulnerability scanning, social engineering
- Targeted attack: SQL injection attack, cross-site scripting attack, software/network vulnerability discovery, spear phishing attack
- Compromise + network intrusion: password/personal identity information sniffing, DDoS, unauthorized new account creation, privilege escalation, lateral movement (pivoting), tool/program installation, rootkit installation, malware installation, backdoor establishment
- Malicious activity: system destruction, data exfiltration, website defacement
DEVELOP INFERENCE ENGINES INTO PRACTICE
Architecture (diagram):
- On-premise security devices -> data cube (data, behavior) -> security event generation (understanding engine, merging, IOC extraction, revision)
- Inference engine: target-based inference, same-source inference, profile generation
- Outputs: threat event, audit event, profile, offense scenario reproduction, visualization of original logs, kill chain presentation
- Correlation with cloud-side intelligence: offender profile, offender group profile; kill chain model, botnet tracking model
Pipeline:
- Log: multi-source logs
- Event: event generation; ML; static understanding
- Incident: multi-source data deduplication; incident generation; kill chain inference
- Profile (reasoning): update offender/group; update IOC
- Pre-warning: IOC-based pre-warning
DEVELOP INFERENCE ENGINES INTO PRACTICE (CONT’D)
Kill chain reasoning: each host is shown as Attacking or Compromised
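The inference pipeline of the two slides above (target-based inference, same-source inference, the Attacking/Compromised verdict, IOC-based pre-warning), as an added example that is not the NSFOCUS engine's code. The phase names follow the deck's kill chain diagram; the engine event names, their mapping to phases, the event records and the hostnames are constructed for the example.

```python
"""
Added example, not code from the NSFOCUS deck: toy target-based and
same-source kill chain inference over engine events, ending with an
IOC-based pre-warning list. Events and the event-to-phase map are
constructed; phase names follow the deck's diagram.
"""
from collections import defaultdict

# Kill chain phases as drawn on the deck's diagram, in order.
PHASES = ["reconnaissance", "targeted_attack", "compromise_intrusion", "malicious_activity"]
COMPROMISE = PHASES.index("compromise_intrusion")

# Assumed engine event names, mapped to the diagram's phases.
EVENT_PHASE = {
    "ip_space_scan": "reconnaissance",
    "web_vuln_scan": "reconnaissance",
    "sql_injection": "targeted_attack",
    "spear_phishing": "targeted_attack",
    "new_unauthorized_account": "compromise_intrusion",
    "privilege_escalation": "compromise_intrusion",
    "lateral_movement": "compromise_intrusion",
    "data_exfiltration": "malicious_activity",
    "website_defacement": "malicious_activity",
}

# Constructed security events: (timestamp, source, target, event_name).
# Sources are RFC 5737 documentation addresses.
EVENTS = [
    ("2017-03-07T10:00", "203.0.113.5", "web-01", "ip_space_scan"),
    ("2017-03-07T10:05", "203.0.113.5", "web-02", "ip_space_scan"),
    ("2017-03-07T10:20", "203.0.113.5", "web-01", "web_vuln_scan"),
    ("2017-03-07T10:30", "203.0.113.5", "web-02", "sql_injection"),
    ("2017-03-07T11:00", "203.0.113.5", "web-01", "sql_injection"),
    ("2017-03-07T12:00", "198.51.100.9", "web-02", "web_vuln_scan"),
    ("2017-03-07T13:00", "203.0.113.5", "web-01", "new_unauthorized_account"),
    ("2017-03-08T02:00", "203.0.113.5", "web-01", "data_exfiltration"),
    ("2017-03-08T09:00", "198.51.100.9", "db-01", "data_exfiltration"),  # no earlier phases seen
]


def target_chains(events):
    """Target-based inference: one chain per (source, target), built in time order."""
    by_pair = defaultdict(list)
    for ts, src, tgt, name in sorted(events):
        by_pair[(src, tgt)].append((ts, EVENT_PHASE[name], name))
    chains = {}
    for pair, evs in by_pair.items():
        phases = []
        for _ts, phase, _name in evs:
            if phase not in phases:
                phases.append(phase)
        deepest = max(PHASES.index(p) for p in phases)
        # A gap means a later phase was seen without the earlier ones: either
        # the engine missed them or the chain began outside our visibility.
        # That is the part a hunter goes back to look for.
        gap = any(PHASES[i] not in phases for i in range(deepest))
        chains[pair] = {
            "phases": phases,
            "events": len(evs),
            "status": "compromised" if deepest >= COMPROMISE else "attacking",
            "gap": gap,
        }
    return chains


def same_source_merge(chains):
    """Same-source inference: fold all chains of one source into one view."""
    merged = {}
    for (src, tgt), chain in chains.items():
        view = merged.setdefault(src, {"targets": [], "phases": set(), "compromised": []})
        view["targets"].append(tgt)
        view["phases"].update(chain["phases"])
        if chain["status"] == "compromised":
            view["compromised"].append(tgt)
    for view in merged.values():
        view["targets"].sort()
        view["compromised"].sort()
        view["phases"] = sorted(view["phases"], key=PHASES.index)
    return merged


def prewarn_iocs(merged):
    """IOC-based pre-warning: sources that reached compromise on any target."""
    return sorted(src for src, view in merged.items() if view["compromised"])


if __name__ == "__main__":
    chains = target_chains(EVENTS)
    for (src, tgt), c in sorted(chains.items()):
        flag = " [gap]" if c["gap"] else ""
        print(f"{src} -> {tgt}: {c['status']} ({' > '.join(c['phases'])}){flag}")
    print("pre-warn IOCs:", prewarn_iocs(same_source_merge(chains)))
```

The source that only reached reconnaissance against one host but is already exfiltrating from another is what same-source merging is for: seen per target it looks like two unrelated chains, merged it is one compromised source whose IOC can be pushed to every other target ahead of time.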
BESIDES COMPLEXITY AND RESOURCES NEEDED, SCALABILITY IS VERY HARD
Bandwidth: 5.0 Tb/s; Traffic speed: 600,000 fps; Storage: 200 GB/h
The important things are always simple. The simple things are always hard. The easy way is always mined.
- Murphy‘s Laws of Enterprise Information Security
Source: http://www.murphys-laws.com/murphy/murphy-war.html
FIND OUT “BIG ROCKS” OF SECURITY OPERATIONS
http://www.rogerknapp.com/inspire/rockssand.htm
Credit: Rocks and Sand — Doing the Simple Things Well Has Never Been More Important, Craig Lawson, @craiglawson, 2016
LONG TAIL FROM SECURITY OPERATIONS ANGLE
(chart: number of incidents per hour against attack surface/vectors)
Head of the curve:
• TOP Exploitations
• TOP Malwares
• TOP Attackers
• TOP Targets
• TOP …
Long tail (minor events):
- Exploitations
- Malwares
- Attackers
- Login Failure
- Abnormal Behavior
- …
NOT JUST KNOWN, EVEN OLD
Top 10 exploited vulnerabilities detected by IPS in 2017 H1

Vulnerability Exploited                                                        | Percentage
Microsoft Windows ASP.NET DoS (CVE-2009-1536)                                  | 12.10%
Microsoft SQL Server 2000 Resolution Remote DoS (CVE-2002-0649)                | 8.80%
Microsoft Network Policy Server RADIUS DoS (CVE-2016-0050) (MS16-021)          | 8.30%
Microsoft Internet Explorer ASLR Bypass (CVE-2015-0051) (MS15-009)             | 3.80%
OpenSSL SSLv2 Vulnerable To DROWN Attacks (CVE-2016-0800)                      | 3.50%
Apache Struts Remote Execution (S2-008), 2012                                  | 3.40%
Microsoft mshtml.dll GIF Process Remote DoS (MS04-025), 2004                   | 3.00%
Struts2 Remote Command Execution (S2-045) (S2-046) (CVE-2017-5638)             | 2.70%
Squid Proxy DNS Remote DoS (CVE-2005-0446)                                     | 2.70%
GNU Bash Env Variable Remote Execution (CVE-2014-6271)                         | 2.50%

Data Source: NSFOCUS Security Labs, 2017
WEB ATTACKS AS WELL
Top 10 exploited vulnerabilities detected by WAF in 2017 H1

Vulnerability Name                                                                              | Release Date | Percentage
Tomcat Directory Traversal Vulnerability (CVE-2008-2938)                                        | 2008         | 21.70%
IIS File Upload Vulnerability (CVE-2009-4445, CVE-2009-4444)                                    | 2009         | 13.90%
Lighttpd Source Code Exposure Vulnerability (CVE-2006-0814)                                     | 2006         | 6.00%
Nginx File Traversal Vulnerability (CVE-2009-3898)                                              | 2009         | 5.40%
IIS CGI Program Name Parsing Error Leading to File Execution Vulnerability (CVE-2000-0886)      | 2000         | 5.40%
IIS File Extension Name Parsing Error Leading to ASP Code Disclosure (CVE-1999-0253)            | 1999         | 2.60%
Tomcat Directory Traversal Vulnerability (CVE-2008-5515)                                        | 2008         | 2.40%
Apache Header Data Length Anomaly Leading to Server Resource Consumption (CVE-2011-3192)        | 2011         | 2.10%
IIS Script File Name Parsing Vulnerability (CVE-2009-4444)                                      | 2009         | 1.80%
IIS Unicode Character Decoding Error Leading to Remote Command Execution (CVE-2000-0884)        | 2000         | 1.50%

Data Source: NSFOCUS Security Labs, 2017
REPEAT OFFENDERS - TYPICALLY UNTARGETED
Repeat Offenders:: an offender that attacked or is attacking more than one victim.
A repeat offender is a person who has already been convicted for a crime, and who has been caught again for committing the crime and breaking the law for which he had been prosecuted earlier.
Credit: https://securityintelligence.com/fool-me-once-shame-on-you-fool-me-eight-times-shame-on-my-security-posture/
• Typically untargeted
• Reuse of known infrastructure and weapons
REPEAT OFFENDERS IN DIFFERENT VIEW
Local view of an enterprise, based on IPS logs in 15 days: Repeat Offenders 31.7%, Non-Repeat Offenders 68.3%
Global view of a provider, based on IPS logs in 7 days covering tens of enterprises: Repeat Offenders 90.0%
FOLLOW THE OFFENDERS’ THINKING, AVOID BEING LOW-HANGING FRUIT
M: Total Revenue; N: Size of Network Nodes; B: Revenue Per Node; C: Cost Per Node
NUMBERS MATTER TO BOTH SIDES
Number of Routers Exposed at Internet, October 21, 2016
©NSFOCUS Security Labs, blog.nsfocusglobal.com
INTERNET OF THINGS OR THREATS OF THINGS
1. Smart coffee makers: https://www.cnet.com/news/why-smart-coffee-makers-are-a-dumb-but-beautiful-dream/
2. The Botvac Connected, $700 (or £549 in the UK): https://www.cnet.com/pictures/neatos-new-robot-vacuum-adds-in-app-enabled-smarts-pictures/2/
3. The Haiku H Series, a $1,045 smart ceiling fan: https://www.cnet.com/news/connected-ceiling-fans-in-the-cnet-smart-home/
OVERLAY OPERATIONS WITH MULTI-PURPOSE BOTS
• Targeted tunneling
• Targeted data
• Targeted smoke screen
• …
WHY HEAT MATTERS TO UNDERSTAND THREAT
Heat:: to measure the popularity of an ongoing attack, counting the percentage of the attack incidents out of total incidents and the number of victims in a certain time period. TOP-Ns are popular means to visualize “heat” threat intel.
Intensity:: to measure the severity of the attacks that a victim suffered and is suffering, e.g. number of attackers, attack counts, strength of the attack method, etc. in a certain time period.
https://en.wikipedia.org/wiki/Mercalli_intensity_scale
Later means less! (CVE-2017-0144 / MS17-010)
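The three measures the deck defines on the repeat-offender slides and on this one (repeat-offender share in a local versus a global view, heat per attack, intensity per victim), computed from IPS log lines as an added example that is not NSFOCUS code. The log lines, their key=value format, the enterprise labels and the signature names are constructed for the example; attacker addresses are RFC 5737 documentation addresses.

```python
"""
Added example, not code from the NSFOCUS deck: repeat-offender share
(local vs. global view), "heat" and "intensity" computed from
constructed IPS log lines.
"""
import re
from collections import defaultdict

# Constructed IPS log lines: timestamp, protected enterprise, attacker,
# victim, and the signature that fired. Three enterprises share one provider.
IPS_LOGS = """
2017-03-08T01:02:03 ent=E1 src=203.0.113.5 dst=10.1.0.5 sig=struts-s2-045
2017-03-08T01:04:10 ent=E1 src=203.0.113.5 dst=10.1.0.6 sig=struts-s2-045
2017-03-08T02:15:00 ent=E1 src=198.51.100.9 dst=10.1.0.5 sig=bash-cve-2014-6271
2017-03-08T03:00:00 ent=E1 src=192.0.2.77 dst=10.1.0.7 sig=struts-s2-045
2017-03-08T03:30:00 ent=E2 src=198.51.100.9 dst=10.2.0.5 sig=bash-cve-2014-6271
2017-03-08T04:00:00 ent=E2 src=203.0.113.200 dst=10.2.0.5 sig=struts-s2-045
2017-03-08T05:00:00 ent=E3 src=198.51.100.9 dst=10.3.0.5 sig=bash-cve-2014-6271
2017-03-08T05:10:00 ent=E3 src=203.0.113.200 dst=10.3.0.9 sig=struts-s2-045
2017-03-08T05:12:00 ent=E3 src=203.0.113.200 dst=10.3.0.9 sig=struts-s2-045
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ent=(?P<ent>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) sig=(?P<sig>\S+)$"
)


def parse(lines):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if match:
            records.append(match.groupdict())
    return records


def repeat_offender_share(records):
    """Repeat offender, per the deck: attacked more than one victim.
    Returns (repeat_offenders, all_offenders, percent)."""
    victims = defaultdict(set)
    for r in records:
        victims[r["src"]].add((r["ent"], r["dst"]))
    repeat = sum(1 for v in victims.values() if len(v) > 1)
    total = len(victims)
    percent = round(100.0 * repeat / total, 2) if total else 0.0
    return repeat, total, percent


def local_view(lines, enterprise):
    """What one enterprise sees in its own IPS logs."""
    return repeat_offender_share([r for r in parse(lines) if r["ent"] == enterprise])


def global_view(lines):
    """What a provider sees across every enterprise it protects."""
    return repeat_offender_share(parse(lines))


def heat(lines):
    """Heat per attack: share of all incidents and number of distinct victims,
    hottest first (a TOP-N is just a prefix of this list)."""
    records = parse(lines)
    counts, victims = defaultdict(int), defaultdict(set)
    for r in records:
        counts[r["sig"]] += 1
        victims[r["sig"]].add((r["ent"], r["dst"]))
    total = len(records)
    rows = [(sig, round(100.0 * n / total, 2), len(victims[sig])) for sig, n in counts.items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def intensity(lines, victim):
    """Intensity for one victim address: distinct attackers, attack count, distinct methods."""
    hits = [r for r in parse(lines) if r["dst"] == victim]
    return {
        "attackers": len({r["src"] for r in hits}),
        "attacks": len(hits),
        "methods": len({r["sig"] for r in hits}),
    }


if __name__ == "__main__":
    print("E1 local view      :", local_view(IPS_LOGS, "E1"))
    print("provider view      :", global_view(IPS_LOGS))
    print("heat               :", heat(IPS_LOGS))
    print("intensity 10.1.0.5 :", intensity(IPS_LOGS, "10.1.0.5"))
```

In the constructed data the attacker at 198.51.100.9 hits exactly one host in E1, so E1's local view files it as a one-off; the provider's view sees it across three enterprises and counts it as a repeat offender. That gap between the local and global share is the deck's argument for crowd defense.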
KNOW YOURSELF, KNOW YOUR ENEMY,…
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.”
― Sun Tzu, The Art of War
CROWD DEFENSE IN CYBER SECURITY
Crowd Defense:: multiple defenders mutually share threat situational intelligence and hunting results to enhance defense. Bi-directional intelligence and MDR are also some sorts of crowd defense.
We can do more to organize in the face of an attack so that all defenders are on the same page to defend effectively.
Courtesy: https://reloadone.com/crowd-defense-group-defense-in-response-to-attacks/
COMBINE CROWD/GLOBAL AND LOCAL
(diagram: Crowd/Global over Partner 1, Partner 2, … Partner N, each with its own Enterprise/Local)
• Know what is happening/happened in neighbors
• TOP-Ns matter, particularly the Fast Growth list, which betrays the dynamics of the threat frontline.
• Better triage, better hunting
• Once hunted, new threat intel turns the UNKNOWN into KNOWN, immunizing the “crowd”
TAKEAWAYS
• Threat hunting, UEBA, threat intel are powerful, but complicated and expensive
• Crowd defense helps know your enemy and peers.
• Crowd defense leads to triage combining global and local, i.e. better usage of the scarcest resource - human experts.
www.nsfocus.com
Richard.zhao@nsfocusglobal.com
https://www.linkedin.com/company/nsfocus
https://www.linkedin.com/in/zhaol/
https://www.facebook.com/nsfocus/
https://twitter.com/NSFOCUS_Intl
https://twitter.com/zhaol
Endorsed and Approved | Award Winning Researchers | Global Customers | Protecting Largest Telcos | Protecting Largest Banks | 5 YEARS

 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 

Último (20)

Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 

From Threat Hunting to Crowd Defense

  • 1. FROM THREAT HUNTING TO CROWD DEFENSE. Richard ZHAO, CTO, SVP Research, NSFOCUS. San Francisco, Nov. 15, 2017
  • 4. Apache Struts CVE-2017-5638 (S2-045). "In early March, the Department of Homeland Security sent Equifax and other companies an alert about a critical vulnerability in software that Equifax used in an online portal for recording customer disputes. The company sent out an internal email requesting that its technical staff fix the software, but 'an individual did not ensure communication got to the right person to manually patch the application,' Mr. Smith told the subcommittee. That was compounded by a technical error: The scanning software that Equifax used to detect vulnerabilities failed to find the unpatched hole, he said." Source: https://www.nytimes.com/2017/10/03/business/equifax-congress-data-breach.html
  • 5. TIMELINE OF EQUIFAX BREACH (credit: http://lists.immunityinc.com/pipermail/dailydave/2017-September/001421.html?utm_content=buffer728aa&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer)
    - 2017-03-06: Apache announces struts2 bug
    - 2017-03-07: PoC exploit released to public
    - 2017-03-10: Equifax compromised via struts exploit
    - 2017-03-13: 30 webshells installed
    - 2017-04-xx: Oracle releases quarterly bundle of patches, including the Struts patch
    - 2017-06-30: Equifax patched their struts installs
    - 2017-07-29: Equifax discovers they have been compromised
    - 2017-07-30: Equifax evicts the elite hackers and their 30 webshells
  • 6. WIN YOUR ADVERSARIES. IT'S A RACE. Struts2 S2-045 attack numbers detected during Mar. 7 to Mar. 9 (data source: NSFOCUS Security Cloud and Threat Intelligence Center, covering 458 websites under protection). Chart annotations:
    - 09:53 alert; 14:46 vulnerability detection ready (4 h 53 min after the alert); 18:06 first attack detected (8 h 13 min after the alert); 20:03 prevention/defense ready (10 h 10 min after the alert); scanning/testing precedes the attack.
    - 1st spike: 183 attacks, 4AM-5AM day 1; 2nd spike: 245 attacks, 9PM-10PM day 2.
  • 7. ANYTHING BEYOND 35 IP ADDRESSES? "Mandiant, the FireEye unit that Equifax called in to investigate the breach, said it has detected about 35 IP addresses the attackers used to access the company's network. The hackers' identity remains unknown. Mandiant has been unable to attribute the breach to any hacking groups it currently tracks, and the tools, tactics, and procedures used in the hack don't overlap with those seen in previous Mandiant investigations." Source: https://arstechnica.com/information-technology/2017/09/massive-equifax-hack-reportedly-started-4-months-before-it-was-detected/
  • 8. WHY DID IT HAPPEN AGAIN AFTER TARGET? Willingness? Resources/domain knowledge? Intelligence/prioritization? (Data source: A "Kill Chain" Analysis of the 2013 Target Data Breach.) "Like the old joke about two guys running away from a deadly grizzly bear, you can't outrun the security implications of a poorly designed financial transaction environment. What you can do is outrun your competitors, making it much more likely that they will be hacked by the security bear, before it ever gets close to your vulnerabilities. ... The bear is hungry, and he knows where to find food." Source: https://blogs.gartner.com/jay-heiser/2017/10/05/outrunthebear/
  • 9. THE GAME OF OFFENSE AND DEFENSE
    - No 100% security, i.e. defense will always fail some day, at some points
    - Defense must be capable of: containing some local failures while keeping control of the whole; defending in depth, i.e. avoiding "checkmate in one"; having visibility and a "global" view
    - Timeliness, timeliness, timeliness...
    - Models on the offense/defense diagram: PDR (Protect, Detect, Respond), CKC (Cyber Kill Chain), Diamond model
  • 10. STRATEGY FOR DIFFERENT BATTLEFIELDS (2x2 matrix of offense vs. defense, targeted vs. untargeted: battlefields B1-B4)
    - Targeted defense: some sort of "dark tech" beyond the offense's radar >> deception, tokenization, honey... >> fight with dimensions...
    - Untargeted offense: no special verticals and regions >> focus on sea volume (huge N) and automation (lower C)
    - Untargeted defense: commercial off-the-shelf products or open source stacks >> focus on probability and statistics, weakening the automation and repeatability of offenders
    - Targeted offense: customized "evasion" against the "detection" of the target, i.e. "unknown" threats >> customization means higher cost >> rapid assembly with some level of reuse...
  • 11. SECURITY INSIDE THE LONG TAIL (axes: attack surface/vectors vs. value of target / magnitude of damage)
    - Traditional detection (head of the tail, average/repeat offenders): known attack types, large quantities, mostly targeting exposures of peripheral systems
    - TH/TI/UEBA/MDR/... (long tail, advanced/targeted offenders): unknown attack types, unknown quantities, mostly targeting internal core assets/business/personnel
    - TH: Threat Hunting; TI: Threat Intelligence; UEBA: User Entity Behavior Analytics; MDR: Managed Detection and Response
  • 12. THREAT HUNTING IS TO PURSUE THE UNKNOWN (credit: Dr. Anton Chuvakin, How to Hunt for Security Threats, April 2017). Threat Hunting:: the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions (source: https://en.wikipedia.org/wiki/Cyber_threat_hunting). Typically TH, starting from a hypothesis, is commissioned to search for advanced, targeted, unknown threats, and may be analytics-driven, situational-awareness-driven, or intelligence-driven.
  • 13. BEFORE GOING DEEPER INTO TH/TI/UEBA, LET'S LOOK INTO DETECTION IN PRACTICE. Detection engines work collaboratively:
    - TI/Reputation: lowest cost; real time; known files/IP/C2/URL (black or white)
    - Signature detection (shellcode/static check): almost real time; checks the attack payload (more IOCs)
    - Virtual execution / sandboxing: resource intensive; time delay
  • 14. APPLICATION COST/EFFICIENCY MATTERS (same engine diagram as slide 13)
    Items             FN ratio (7442 entries)  Time (s)   FP ratio (1458625 entries)  Time (s)
    ML rule           0.0268%                  0.055028   0.00075%                    0.88
    Traditional rule  0.6046%                  0.055290   0.34%                       3.04
  • 15. THREAT INTELLIGENCE IS USED TO... Intelligence model on the slide: Hacker/Actors (skill, intention, goal, plan); TTP (Tactic, Technique, Procedure) comprising Attack Pattern, Malware, Infrastructure (ip, domain, url, botnet, ...), Tool, Vuln., Process; Campaign (goal, loss); Event; IOC (Indicator of Compromise); COA (Course of Action). Levels: Strategic TI (situational development), Operational TI, Tactical TI. Uses: real time blocking; security operations; threat research & hunting.
  • 16. HOWEVER, THREAT INTEL IS HARD TO HARNESS
    - Intensive domain knowledge required
    - Too much or too little
    - Hard to automate
    - False positives/false negatives
  • 17. CLOSED-LOOP OPERATION IS CRITICAL TO REFINE THREAT INTEL
    - TI produce: TI with enrichment inside the TI cloud
    - Consume: consumed by IPS/FW/SIEM/attribution/etc.
    - Triage: identify, remove false negatives, map, prioritize, etc.
    - Enriched profile: enriched profiling of threat actors, campaigns, etc.
    - TI update: push updated TI or release early warning
    - Obstacles to closing the loop: privacy & liability; fear of revealing the breach incident(s); no visible return value to share/feedback
  • 18. IN SHORT, THREAT INTEL IS NOT A SILVER BULLET
    1. Threat intel is a sort of "middleware", particularly for tactical TI. Maturity and service delivery are critical.
    2. TI is not a "silver bullet". There is always something imperfect with any intelligence, therefore experts and professional analytical operations are always needed to realize value.
    3. Considering counter-intelligence, TI should be classified, e.g. Advanced Threat Intelligence (ATI); TI won't and should not be shared and distributed 100% openly.
    4. For many organizations without a strong dedicated security operations team, TI/reputation-enhanced products/services are better choices.
    - "Distrust and caution are the parents of security" - Benjamin Franklin
    - CII and giant organizations: ATI enhanced products, ATI enhanced services, ATI enhanced reports/feeds. Large organizations: TI enhanced products, TI enhanced services. SME/SMB: reputation enhanced products, reputation enhanced services.
  • 19. UEBA AND PROFILING ARE OTHER IMPORTANT MEANS TO FIGHT UNKNOWNS. UEBA:: User and Entity Behavior Analytics, a cybersecurity process for the detection of insider threats, targeted attacks, and financial fraud, offers profiling and anomaly detection based on a range of analytics approaches, usually using a combination of basic analytics methods (e.g., rules that leverage signatures, pattern matching and simple statistics) and advanced analytics (e.g., supervised and unsupervised machine learning). Source: https://en.wikipedia.org/wiki/User_behavior_analytics. Entity profile on the slide: a network entity is described by basic information, application information, threat information, industry information and correlation information, combined into an overall assessment.
  • 20. THE WORLD IS CATEGORIZED INTO BLACK, WHITE AND GREY IN THE EYE OF THE UEBA/PROFILING ANALYST. Signals used to place an entity on the black-grey-white scale:
    - Alexa ranking
    - DNS access ranking
    - IP access ranking
    - Historical alerts
    - External reputation
    - Historical vulnerabilities
    - Historical threat levels
    - Associated entity reputation
  • 21. REPUTATION & PROFILING IN PRACTICE
    - IP addresses can be in more than one reputation category, such as being both Phishing and Spam Source.
    - Categorization of IP addresses can change over time based on behavior. For example, as additional data is collected an IP address could move from DDoS (a more general category) to Botnets (a more specific behavior category).
    Type          Jan: Count / % Match    Jul: Count / % Match    Aug: Count / % Match    Sep: Count / % Match
    Botnets       11,366,418 / 86.4476%   11,703,662 / 66.6832%   14,997,560 / 63.7386%   15,553,771 / 62.3452%
    DDoS          1,116,979 / 8.4952%     1,382,291 / 7.8758%     3,500,212 / 14.8757%    3,998,571 / 16.0277%
    Other         27 / 0.0002%            2,937,700 / 16.7380%    3,409,392 / 14.4897%    3,305,714 / 13.2505%
    Scanners      424,930 / 3.2318%       1,036,679 / 5.9066%     1,150,699 / 4.8904%     1,319,770 / 5.2901%
    Spam Sources  81,013 / 0.6161%        192,114 / 1.0946%       155,088 / 0.6591%       344,310 / 1.3801%
    Exploits      107,753 / 0.8195%       205,188 / 1.1691%       215,490 / 0.9158%       330,684 / 1.3255%
    Malware       10,307 / 0.0784%        38,731 / 0.220675%      40,652 / 0.1728%        36,593 / 0.1467%
    Proxy         15,880 / 0.1208%        27,360 / 0.1559%        32,925 / 0.1399%        36,532 / 0.1464%
    Phishing      25,012 / 0.1902%        24,797 / 0.1413%        24,531 / 0.1043%        17,665 / 0.0708%
    Web Attacks   17 / 0.0001%            2,606 / 0.0148%         3,236 / 0.0138%         4,210 / 0.0169%
    Total         13,148,336              17,551,128              23,529,785              24,947,820
  • 22. AN IP'S COUNTRY INFO MATTERS (chart only)
  • 23. AN ASN HAS ITS REPUTATION AS WELL
    ASN       Country/Region  Description
    AS4134    China           CHINANET-BACKBONE
    AS9829    India           National Internet Backbone
    AS45899   Vietnam         VNPT Corp
    AS4837    China           CNCGROUP China169 Backbone
    AS9808    China           China Mobile Communications Corporation
    AS24560   India           Bharti Airtel Ltd., Telemedia Services
    AS45595   Pakistan        Pakistan Telecom Company Limited
    AS203418  United Kingdom  MARKETIGAMES_LLC
    AS7552    Vietnam         Vietel Corporation
    AS12880   Iran            Information Technology Company (ITC)
    AS8151    Mexico          Uninet S.A. de C.V.
    AS3462    Taiwan          Data Communication Business Group
    AS56046   China           China Mobile Communications Corporation
    AS9737    Thailand        TOT Public Company Limited
    AS18403   Vietnam         The Corporation for Financing & Promoting Technology
    AS45609   India           Bharti Airtel Ltd. AS for GPRS Service
    AS22927   Argentina       Telefonica de Argentina
    AS23969   Thailand        TOT Public Company Limited
    AS2609    Tunisia         Tunisia BackBone AS
    Oops, something weird? The slide draws a bar across this list: pay more attention to traffic with the ASNs above that bar.
  • 24. ANOMALY DETECTION BASED ON PROFILING (source: https://www.youtube.com/watch?v=8gdtTiMt88w). You must build and maintain profiles of:
    - Network access
    - User behavior
    - Event distribution
    - ...
  • 25. FIGHT WITH INFERENCE CROSSING DIMENSIONS. Visibility stack on the slide, from bottom to top: Meta info, Flow, Packets, File, Behavior, TTP (Tactic, Technique, Procedure). Each dimension is marked either KNOWN (K) or UNKNOWN / to be trained / to be hunted (U).
  • 26. TI/REPUTATION BASED THREAT HUNTING/ATTRIBUTION: Malware -> C2 -> Bot...
    - Sandbox the malware to extract C2 (Command and Control)
    - Detect/hunt through DFI/DPI (Deep Flow Inspection/Deep Packet Inspection)
    - Verify the "bots" detected
    - Correlate with IP/domain reputation
    - Update the reputation database
    - Release to the whole ecosystem
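The multi-category, time-changing reputation store of slide 21 and the Malware -> C2 -> Bot loop on this slide, as an added example that is not NSFOCUS code: the sandbox output, flow records and reputation entries are constructed (TEST-NET addresses), and the three-beacon confirmation threshold is an assumption.

```python
"""TI/reputation-based hunting: Malware -> C2 -> Bot, over an IP reputation
store in which one address may carry several categories that change over time.
Added example, not NSFOCUS code; indicators, flows and reputation are constructed."""
import copy
from collections import defaultdict

# Constructed: C2 addresses that sandboxing a sample would yield (TEST-NET values)
SANDBOX_C2 = {"198.51.100.7", "203.0.113.40"}

# Constructed reputation store: ip -> set of categories (an IP may be in several)
REPUTATION = {
    "198.51.100.7": {"DDoS"},
    "203.0.113.40": {"Spam Sources", "Phishing"},
}

# Constructed DFI records: timestamp internal-host destination dport
FLOWS_TEXT = """\
2017-03-10T10:00:01 10.0.0.5 198.51.100.7 443
2017-03-10T10:05:02 10.0.0.5 198.51.100.7 443
2017-03-10T10:10:00 10.0.0.5 198.51.100.7 443
2017-03-10T10:11:00 10.0.0.9 203.0.113.40 80
2017-03-10T10:12:00 10.0.0.12 93.184.216.34 443
"""


def parse_flows(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, dport = line.split()
            rows.append({"ts": ts, "src": src, "dst": dst, "dport": int(dport)})
    return rows


def hunt_c2_contacts(flows, c2_ips):
    """DFI/DPI step: every flow to a known C2 is a candidate bot contact."""
    contacts = defaultdict(list)
    for f in flows:
        if f["dst"] in c2_ips:
            contacts[f["src"]].append((f["ts"], f["dst"]))
    return dict(contacts)


def verify_bots(contacts, min_beacons=3):
    """Verification step: a host is confirmed only when it beacons repeatedly
    to the same C2 (assumed threshold); a single contact stays grey for an analyst."""
    confirmed, grey = set(), set()
    for host, hits in contacts.items():
        per_c2 = defaultdict(int)
        for _, c2 in hits:
            per_c2[c2] += 1
        (confirmed if max(per_c2.values()) >= min_beacons else grey).add(host)
    return confirmed, grey


def update_reputation(rep, ip, category, refines=None):
    """Add a category without discarding the others. When the new category is a
    more specific reading of an existing general one (DDoS -> Botnets on slide 21),
    the general one is dropped."""
    cats = rep.setdefault(ip, set())
    cats.add(category)
    if refines is not None and refines != category:
        cats.discard(refines)
    return cats


def run_hunt(flows_text, c2_ips, rep, min_beacons=3):
    """Full loop: hunt -> verify -> correlate with reputation -> update -> release.
    Works on a copy so the original store is untouched until the release is accepted."""
    rep = copy.deepcopy(rep)
    contacts = hunt_c2_contacts(parse_flows(flows_text), c2_ips)
    confirmed, grey = verify_bots(contacts, min_beacons)
    touched = set()
    for host in confirmed:
        for _, c2 in contacts[host]:
            prior = rep.get(c2, set())
            update_reputation(rep, c2, "Botnets", refines="DDoS" if "DDoS" in prior else None)
            touched.add(c2)
    release = [{"ip": ip, "categories": sorted(rep[ip])} for ip in sorted(touched)]
    return {"confirmed": confirmed, "grey": grey, "reputation": rep, "release": release}


if __name__ == "__main__":
    result = run_hunt(FLOWS_TEXT, SANDBOX_C2, REPUTATION)
    print("confirmed bots:", sorted(result["confirmed"]))
    print("grey hosts    :", sorted(result["grey"]))
    print("release       :", result["release"])
```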
  • 27. THE CYBER KILL CHAIN CAN BE INTRODUCED TO AUTOMATE INFERENCE
    - Inference method base: based on the attack target and the inference method base, make inferences after gaining insight into the security events generated by the engine, and correlate individual security events to generate complete kill chains.
    - Same-source inference: for cases where an attacker attacks one target by various means, integrate kill chains to generate more accurate kill chain information.
    - Offense-defense tree: based on the generated attack-defense tree, mine and visualize the information about the attack target and the attacker.
    - Visualization of the kill chain: after the first two phases of inference regarding security events, generate a complete attack-defense tree and present the information from the attack and defense angles.
    - Offender profiling: match the attacker with the intelligence provided by the attacker profile database to enrich the attacker profile and predict actions likely to be taken by the attacker.
    - Kill chain diagram (labels translated from Chinese): Reconnaissance: IP space scanning, phishing campaign, web application vulnerability scanning, social engineering. Targeted attack: SQL injection, cross-site scripting, software/network vulnerability discovery, spear phishing. Compromise + network intrusion: password/personal identity information sniffing, DDoS, unauthenticated new accounts, privilege escalation, lateral movement (pivoting). Tool/program installation: rootkit installation, malware installation, backdoor establishment. Malicious activity: system destruction, data leakage, website defacement.
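Target-based and same-source inference as described on this slide, as an added example (not the NSFOCUS engine): the five stages follow the slide's diagram, while the event-type-to-stage mapping, the event records and the "Attacking"/"Compromised" split at the compromise stage are assumptions.

```python
"""Kill-chain inference over engine-generated security events: target-based
correlation builds one chain per (attacker, target); same-source inference merges
an attacker's chains into an offender profile. Added example, not NSFOCUS code."""
from collections import defaultdict

# Stages as drawn on the slide's kill-chain diagram, in order
STAGES = ["Reconnaissance", "Targeted Attack", "Compromise + Intrusion",
          "Tool/Program Installation", "Malicious Activity"]

# Assumed mapping from engine event types to a stage index
EVENT_STAGE = {
    "ip_scan": 0, "web_vuln_scan": 0, "phishing": 0,
    "sqli": 1, "xss": 1, "vuln_exploit": 1, "spear_phishing": 1,
    "cred_sniff": 2, "priv_esc": 2, "lateral_move": 2, "rogue_account": 2,
    "webshell": 3, "rootkit": 3, "malware_install": 3, "backdoor": 3,
    "data_exfil": 4, "defacement": 4, "system_destroy": 4,
}

# Constructed events: timestamp attacker target event-type (TEST-NET attackers)
EVENTS_TEXT = """\
2017-03-07T09:53 198.51.100.7 10.0.0.5 ip_scan
2017-03-07T18:06 198.51.100.7 10.0.0.5 web_vuln_scan
2017-03-09T08:00 203.0.113.40 10.0.0.8 ip_scan
2017-03-10T02:14 198.51.100.7 10.0.0.5 vuln_exploit
2017-03-13T11:30 198.51.100.7 10.0.0.5 webshell
2017-03-14T15:00 198.51.100.7 10.0.0.8 web_vuln_scan
2017-05-13T04:00 198.51.100.7 10.0.0.5 data_exfil
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, kind = line.split()
            events.append({"ts": ts, "src": src, "dst": dst, "kind": kind})
    return sorted(events, key=lambda e: e["ts"])


def target_based_chains(events):
    """Correlate individual events into one chain per (attacker, target):
    the distinct stages reached, ordered by stage. Unknown event types are
    skipped and left for an analyst rather than guessed."""
    chains = defaultdict(set)
    for e in events:
        stage = EVENT_STAGE.get(e["kind"])
        if stage is not None:
            chains[(e["src"], e["dst"])].add(stage)
    return {key: [STAGES[s] for s in sorted(stages)] for key, stages in chains.items()}


def status(chain):
    """Slide 29's split: a chain that reached the compromise stage or later is
    'Compromised', otherwise the target is only being attacked (assumed cut-off)."""
    deepest = max(STAGES.index(s) for s in chain)
    return "Compromised" if deepest >= 2 else "Attacking"


def same_source_profiles(chains):
    """Merge one attacker's chains across all of its targets."""
    merged = defaultdict(lambda: {"targets": set(), "stages": set()})
    for (src, dst), chain in chains.items():
        merged[src]["targets"].add(dst)
        merged[src]["stages"].update(chain)
    profiles = {}
    for src, p in merged.items():
        ordered = [s for s in STAGES if s in p["stages"]]
        profiles[src] = {"targets": sorted(p["targets"]), "stages": ordered,
                         "deepest": ordered[-1], "status": status(ordered)}
    return profiles


def render_chain(chain):
    """Text visualization: reached stages in brackets, missing stages shown as gaps."""
    return " -> ".join(f"[{s}]" if s in chain else f"({s}?)" for s in STAGES)


if __name__ == "__main__":
    chains = target_based_chains(parse_events(EVENTS_TEXT))
    for key, chain in sorted(chains.items()):
        print(key, status(chain), render_chain(chain))
    for src, profile in same_source_profiles(chains).items():
        print(src, profile)
```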
  • 28. DEVELOP INFERENCE ENGINES INTO SOMETHING PRACTICABLE. Pipeline on the slide:
    - Log: multi-source logs
    - Event: event generation, ML, static understanding
    - Incident: multi-source data deduplication, incident generation, kill chain inference
    - Profile (reasoning): update offender/group, update IOC
    - Pre-warning: IOC-based pre-warning
    - Components: on-premise security devices (data/behavior); security event generation; understanding engine; merging; revision; IOC extraction; data cube; inference engine (target-based inference, same-source inference, profile generation); profiles (threat event, audit event); offense scenario reproduction; visualization of original logs; kill chain presentation; correlation with cloud-side intelligence (offender profile, offender group profile, kill chain model, botnet tracking model)
  • 29. DEVELOP INFERENCE ENGINES INTO SOMETHING PRACTICABLE (CONT'D). Kill chain reasoning output: Attacking vs. Compromised.
  • 30. BESIDES THE COMPLEXITY AND RESOURCES NEEDED, SCALABILITY IS VERY HARD: 5.0 Tb/s bandwidth; 600,000 fps traffic speed; 200 GB/h storage.
  • 31. "The important things are always simple. The simple things are always hard. The easy way is always mined." - Murphy's Laws of Enterprise Information Security. Source: http://www.murphys-laws.com/murphy/murphy-war.html
  • 32. FIND OUT THE "BIG ROCKS" OF SECURITY OPERATIONS (http://www.rogerknapp.com/inspire/rockssand.htm). Credit: Rocks and Sand — Doing the Simple Things Well Has Never Been More Important, Craig Lawson, @craiglawson, 2016
  • 33. THE LONG TAIL FROM THE SECURITY OPERATIONS ANGLE (axes: attack surface/vectors vs. number of incidents per hour)
    - Head: TOP exploitations, TOP malwares, TOP attackers, TOP targets, TOP ...
    - Tail: minor events - exploitations, malwares, attackers, login failure, abnormal behavior, ...
  • 34. NOT JUST KNOWN, EVEN OLD. Top 10 vulnerabilities exploited, as detected by IPS in 2017H1 (data source: NSFOCUS Security Labs, 2017)
    Vulnerability Exploited                                                           Percentage
    Microsoft Windows ASP.NET DoS (CVE-2009-1536)                                     12.10%
    Microsoft SQL Server 2000 Resolution Remote DoS (CVE-2002-0649)                   8.80%
    Microsoft Network Policy Server RADIUS DoS (CVE-2016-0050)(MS16-021)              8.30%
    Microsoft Internet Explorer ASLR Bypass (CVE-2015-0051)(MS15-009)                 3.80%
    OpenSSL SSLv2 Vulnerable To DROWN Attacks (CVE-2016-0800)                         3.50%
    Apache Struts Remote Execution (S2-008), 2012                                     3.40%
    Microsoft mshtml.dll GIF Process Remote DoS (MS04-025), 2004                      3.00%
    Struts2 Remote Command Execution (S2-045)(S2-046)(CVE-2017-5638)                  2.70%
    Squid Proxy DNS Remote DoS (CVE-2005-0446)                                        2.70%
    GNU Bash Env Variable Remote Execution (CVE-2014-6271)                            2.50%
  • 35. WEB ATTACKS AS WELL. Top 10 vulnerabilities exploited, as detected by WAF in 2017H1 (data source: NSFOCUS Security Labs, 2017)
    Vulnerability Name                                                                                Release Date  Percentage
    Tomcat Directory Traversal Vulnerability (CVE-2008-2938)                                          2008          21.70%
    IIS File Upload Vulnerability (CVE-2009-4445, CVE-2009-4444)                                      2009          13.90%
    Lighttpd Source Code Exposure Vulnerability (CVE-2006-0814)                                       2006          6.00%
    Nginx File Traversal Vulnerability (CVE-2009-3898)                                                2009          5.40%
    IIS CGI Program Name Parsing Error Leading to File Execution Vulnerability (CVE-2000-0886)        2000          5.40%
    IIS File Extension Name Parsing Error Leading to ASP Code Disclosure (CVE-1999-0253)              1999          2.60%
    Tomcat Directory Traversal Vulnerability (CVE-2008-5515)                                          2008          2.40%
    Apache Header Data Length Anomaly Leading to Server Resource Consumption (CVE-2011-3192)          2011          2.10%
    IIS Script File Name Parsing Vulnerability (CVE-2009-4444)                                        2009          1.80%
    IIS Unicode Character Decoding Error Leading to Remote Command Execution (CVE-2000-0884)          2000          1.50%
  • 36. REPEAT OFFENDERS - TYPICALLY UNTARGETED. Repeat Offenders:: an offender that attacked or is attacking more than one victim. (In the legal sense, a repeat offender is a person who has already been convicted for a crime, and who has been caught again for committing the crime and breaking the law for which he had been prosecuted earlier.) Credit: https://securityintelligence.com/fool-me-once-shame-on-you-fool-me-eight-times-shame-on-my-security-posture/
    - Typically untargeted
    - Reuse of known infrastructure and weapons
  • 37. REPEAT OFFENDERS IN A DIFFERENT VIEW
    - Local view of an enterprise, based on IPS logs over 15 days: repeat offenders 31.7%, non-repeat offenders 68.3%
    - Global view of a provider, based on IPS logs over 7 days covering tens of enterprises: repeat offenders 90.0%
  • 38. FOLLOW THE OFFENDERS' THINKING, AVOID BEING LOW-HANGING FRUIT. Offender economics on the slide: M = total revenue; N = size of network nodes; B = revenue per node; C = cost per node.
  • 39. NUMBERS MATTER TO BOTH SIDES. (Chart: number of routers exposed on the Internet, NSFOCUS Security Labs, blog.nsfocusglobal.com, October 21, 2016)
  • 40. INTERNET OF THINGS OR THREATS OF THINGS
    1. Smart coffee makers: https://www.cnet.com/news/why-smart-coffee-makers-are-a-dumb-but-beautiful-dream/
    2. The Botvac Connected, $700 (or £549 in the UK): https://www.cnet.com/pictures/neatos-new-robot-vacuum-adds-in-app-enabled-smarts-pictures/2/
    3. The Haiku H Series, a $1,045 smart ceiling fan: https://www.cnet.com/news/connected-ceiling-fans-in-the-cnet-smart-home/
  • 41. OVERLAY OPERATIONS WITH MULTI-PURPOSE BOTS
    - Targeted tunneling
    - Targeted data
    - Targeted smoke screen
    - ...
  • 42. WHY HEAT MATTERS TO UNDERSTAND THREAT
    - Heat:: a measure of the popularity of an ongoing attack, counting the percentage of the attack's incidents out of total incidents and the number of victims in a certain time period. TOP-Ns are a popular means to visualize "heat" threat intel.
    - Intensity:: a measure of the severity of the attacks that a victim suffered and is suffering, e.g. number of attackers, attack counts, strength of the attack method, etc. in a certain time period (cf. https://en.wikipedia.org/wiki/Mercalli_intensity_scale).
    - Later means less! (CVE-2017-0144 / MS17-010)
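Repeat-offender ratios in local versus global view (slides 36-37) and the heat and intensity metrics defined on this slide, computed over one constructed set of provider-side IPS incidents; an added example, not NSFOCUS code, and the per-attack strength weights are assumed.

```python
"""Crowd-defense metrics over provider-side IPS incidents spanning several
enterprises. Added example, not NSFOCUS code; all records are constructed."""
from collections import Counter, defaultdict

# Constructed incident records: timestamp enterprise attacker victim-host attack-label
INCIDENTS_TEXT = """\
2017-03-07T18:06 E1 198.51.100.7 10.0.0.5 S2-045
2017-03-07T20:03 E1 198.51.100.7 10.0.0.8 S2-045
2017-03-07T21:10 E1 203.0.113.40 10.0.0.5 ASP.NET-DoS
2017-03-08T02:00 E1 192.0.2.10 10.0.0.5 Bash-Env-RCE
2017-03-08T04:30 E2 198.51.100.7 10.1.0.3 S2-045
2017-03-08T05:00 E2 203.0.113.40 10.1.0.3 ASP.NET-DoS
2017-03-08T09:15 E2 192.0.2.77 10.1.0.4 S2-045
2017-03-08T21:40 E3 192.0.2.10 10.2.0.2 S2-045
2017-03-09T01:05 E3 203.0.113.40 10.2.0.9 DROWN
"""

# Assumed weights standing in for "strength of the attack method" (RCE > key recovery > DoS)
ATTACK_WEIGHT = {"S2-045": 3, "Bash-Env-RCE": 3, "DROWN": 2, "ASP.NET-DoS": 1}


def parse_incidents(text):
    out = []
    for line in text.splitlines():
        if line.strip():
            ts, ent, src, dst, attack = line.split()
            out.append({"ts": ts, "enterprise": ent, "src": src, "dst": dst, "attack": attack})
    return out


def in_window(incidents, start, end):
    """ISO-8601 timestamps compare lexicographically, so string bounds suffice."""
    return [i for i in incidents if start <= i["ts"] <= end]


def repeat_offenders(incidents, enterprise=None):
    """Offenders that hit more than one victim, a victim being an (enterprise, host)
    pair. enterprise=... gives one enterprise's local view, None the provider's
    global view. Returns (sorted offender list, share of all offenders)."""
    if enterprise is not None:
        incidents = [i for i in incidents if i["enterprise"] == enterprise]
    victims = defaultdict(set)
    for i in incidents:
        victims[i["src"]].add((i["enterprise"], i["dst"]))
    repeat = sorted(src for src, v in victims.items() if len(v) > 1)
    return repeat, (len(repeat) / len(victims) if victims else 0.0)


def heat(incidents):
    """Heat per attack: its share of all incidents and its distinct victim count."""
    total = len(incidents)
    if total == 0:
        return {}
    counts = Counter(i["attack"] for i in incidents)
    victims = defaultdict(set)
    for i in incidents:
        victims[i["attack"]].add((i["enterprise"], i["dst"]))
    return {a: {"share": counts[a] / total, "victims": len(victims[a])} for a in counts}


def top_n(heat_table, n=3):
    """TOP-N by share, then by victim count, then by name for a stable order."""
    return sorted(heat_table, key=lambda a: (-heat_table[a]["share"], -heat_table[a]["victims"], a))[:n]


def fast_growth(incidents, earlier, later):
    """Attacks ranked by growth of their heat share between two (start, end) windows."""
    before, after = heat(in_window(incidents, *earlier)), heat(in_window(incidents, *later))
    names = set(before) | set(after)
    delta = {a: after.get(a, {"share": 0.0})["share"] - before.get(a, {"share": 0.0})["share"]
             for a in names}
    return sorted(names, key=lambda a: (-delta[a], a))


def intensity(incidents, enterprise, host):
    """Intensity for one victim: attacker count, attack count and weighted strength."""
    mine = [i for i in incidents if i["enterprise"] == enterprise and i["dst"] == host]
    return {"attackers": len({i["src"] for i in mine}), "attacks": len(mine),
            "strength": sum(ATTACK_WEIGHT.get(i["attack"], 1) for i in mine)}


if __name__ == "__main__":
    inc = parse_incidents(INCIDENTS_TEXT)
    print("local E1 repeat ratio :", repeat_offenders(inc, "E1")[1])
    print("global repeat ratio   :", repeat_offenders(inc)[1])
    print("TOP-3 heat            :", top_n(heat(inc)))
    print("intensity E1/10.0.0.5 :", intensity(inc, "E1", "10.0.0.5"))
```

The same offender counts as a repeat offender in only one of the three enterprises' local views but in the provider's global view, which is the point of slide 37.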
  • 43. KNOW YOURSELF, KNOW YOUR ENEMY, ... "If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle." ― Sun Tzu, The Art of War
  • 44. CROWD DEFENSE IN CYBER SECURITY. Crowd Defense:: multiple defenders mutually share threat situational intelligence and hunting results to enhance defense. Bi-directional intelligence and MDR are also sorts of crowd defense. "We can do more to organize in the face of an attack so that all defenders are on the same page to defend effectively." Courtesy: https://reloadone.com/crowd-defense-group-defense-in-response-to-attacks/
  • 45. COMBINE CROWD/GLOBAL AND LOCAL (diagram: Crowd/Global with Partner 1, Partner 2 ... Partner N, each feeding Enterprise/Local instances)
    - Know what is happening/happened in neighbors
    - TOP-Ns matter, particularly the Fast Growth, which betrays the dynamics of the threat frontline
    - Better triage, better hunting
    - Once hunted, new threat intel turns the UNKNOWN into KNOWN, immunizing the "crowd"
  • 46. TAKEAWAYS
    - Threat hunting, UEBA and threat intel are powerful, but complicated and expensive
    - Crowd defense helps you know your enemy and your peers
    - Crowd defense leads to triage combining global and local, i.e. better usage of the scarcest resource: human experts
  • 47. Contact: www.nsfocus.com; Richard.zhao@nsfocusglobal.com; https://www.linkedin.com/company/nsfocus; https://www.linkedin.com/in/zhaol/; https://www.facebook.com/nsfocus/; https://twitter.com/NSFOCUS_Intl; https://twitter.com/zhaol