Threat intelligence at the cloud
3. ©2015 AKAMAI | FASTER FORWARD™
Hide and Seek
• The Playground? Akamai Cloud
• Who is Hiding? Threat Actors
• Who is Seeking? Akamai Threat Research Team
• The Goal of the Game? Find malicious activity and create actionable threat intelligence
5.
Seek: Akamai Threat Research Team
Akamai’s State of The Internet Report
Research Publication
Thought Leadership
6.
Playground: Akamai’s Content Delivery Network (CDN)
The Platform
• 167,000+ Servers
• 750+ Cities
• 92 Countries
The Data
• 2 trillion hits per day
• 260+ terabytes of compressed daily logs
(Diagram labels: Data Centers, End User)
7.
The Goal: Threat Intelligence
Highlights of threat intelligence:
• New insights
• Forecast future threats
• Digested output
• Actionable
According to Gartner:
“Threat intelligence is evidence-based knowledge, including context,
mechanisms, indicators, implications and actionable advice, about an existing or
emerging menace or hazard”
8.
Why Threat Intelligence At the Cloud?
Volume, Velocity and Variety
Leading to better:
• Visibility into the threat landscape
• Insights
• Forecasting of future threats
• Security level
9.
Case Study – Slow & Low
Customer: “Some of the Web site accounts had been taken over; I suspect that it was a brute force attack”
10.
Web Brute Force
Also known as: Password guessing attack
User: Ezra
Password: 123456
Brute Forcer
Web Application
11.
Brute Force – Common vs. Advanced
Common
• Attack method – Brute force flood
• Attacking resources – single/few
• Detection technique – Noisy logs
• Protection – Rate control
Advanced
• Attack method – Brute force slow and low
• Attacking resources – multiple/Botnet
• Detection technique – ?
• Protection – ?
12.
Slow & Low – On Site Threat Intelligence
Step 1 (on-site): Analyzing each IP address’s activity per Web application
• Per resource (IP address): 5 ~ 12 login attempts per hour
Step 2 (on-site): Analyzing aggregated Web application login attempts per hour
• Per application: ~50 login attempts per hour
13.
Slow and Low – At Cloud
Step 3 (cloud)
Tracking the brute forcer across the cloud!
Monitoring all IP addresses’ activity on all targeted Web applications
1. Each Botnet member targets 100 ~ 300 Web applications
2. The Botnet executes ~10,000 login attempts per hour over the Cloud network
3. The Botnet is running over the same virtual hosting service provider
4. The Botnet was active for at least a few months before being detected
BINGO
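The three steps above, as an added example that is not part of the slides: a small Python detector over constructed login-attempt records (not Akamai data). On-site, each application only sees a handful of attempts per IP per hour; the cross-target view counts how many distinct applications each IP touches across the whole platform. The thresholds (`rate_limit=50`, `min_targets=20`) and the /24 prefix used as a stand-in for "same hosting provider" are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network
def build_sample():
    """Constructed login-attempt records (hour, source_ip, web_app); toy data, not Akamai logs."""
    records = []
    # Three constructed botnet members: 6 attempts per hour against each of 30 apps, for 2 hours.
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12"):
        for hour in (0, 1):
            for app in range(30):
                records += [(hour, ip, f"app{app}.example")] * 6
    # A noisy single-source brute forcer: 400 attempts in one hour against one app.
    records += [(0, "192.0.2.9", "app0.example")] * 400
    records += [(0, "198.51.100.7", "app0.example")] * 3  # legitimate user, a few typos
    return records

def on_site_view(records, app):
    """Steps 1-2: what a single Web application sees on its own: attempts per IP per hour."""
    counts = defaultdict(int)
    for hour, ip, target in records:
        if target == app:
            counts[(ip, hour)] += 1
    return dict(counts)

def cross_target_correlation(records, rate_limit=50, min_targets=20):
    """Step 3: correlate each IP across every targeted app. Under the per-app rate limit
    everywhere but touching many apps => slow-and-low; over it on any one app => flood."""
    per_app_hour, targets, peak = defaultdict(int), defaultdict(set), defaultdict(int)
    for hour, ip, app in records:
        per_app_hour[(ip, app, hour)] += 1
        targets[ip].add(app)
    for (ip, _app, _hour), n in per_app_hour.items():
        peak[ip] = max(peak[ip], n)  # busiest (app, hour) bucket for this IP
    verdict = {}
    for ip, apps in targets.items():
        if peak[ip] >= rate_limit:
            verdict[ip] = "flood"
        elif len(apps) >= min_targets:
            verdict[ip] = "slow-and-low"
        else:
            verdict[ip] = "benign"
    return verdict

def group_by_prefix(verdict, label="slow-and-low", prefix_len=24):
    """Cluster flagged IPs by network prefix; an assumed stand-in for 'same hosting provider'."""
    groups = defaultdict(list)
    for ip, v in verdict.items():
        if v == label:
            groups[str(ip_network(f"{ip}/{prefix_len}", strict=False))].append(ip)
    return dict(groups)
```

Running `on_site_view(build_sample(), "app0.example")` shows the botnet members at 6 attempts per hour, which no per-application rate control would flag, while `cross_target_correlation` classifies the same IPs as slow-and-low because each touches 30 applications.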
17.
Actionable Insight
• Tactical controls – Block any login attempts initiated from the detected Botnet
• Strategic controls – Adjust the brute force rate-mitigation security controls
• GEO intelligence – Restrict logins by GEO
• Present threat Intel. – Detection based on cross-target correlation
• Future threat Intel. – Forecasting based on industry intelligence
18.
Summary
• A cloud platform can yield unique actionable threat intelligence
• Cloud threat intelligence introduces the ability to use cross-target and cross-industry correlation, and to detect evasive techniques, in order to produce unique threat intelligence
• Using gaming techniques while at work is fun!
• When you are 195cm tall it is hard to find good hiding places
19.
Ezra Caltum - @aCaltum
Or Katz - @or_katz