When it comes to intrusions and breaches, most security teams take a short-game view. This means that they look at events as discrete and individual and focus efforts on short-term goals. While not universally detrimental, this view does harm the overall security of an organization in the "long game”. Additionally, “active defense” has been hopelessly confused by marketing hype even though its meaning is powerful to security’s operational goals. This talk focuses on how enterprise security defenders can adjust their mindset, refocus, and beat adversaries by leveraging active defense over the long game. The basis of this talk is the extensive research done in support of the threat intelligence solution blueprint, a comprehensive guide to understanding, architecting, operationalizing and maturing a threat intelligence program.

1. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.
Losing Battles,
Winning Wars
Frustrating adversaries using threat intelligence

2. AGENDA
Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.2
• 1st – Background and perspective
• 2nd – Understanding “winning” and “losing”
• 3rd – Playing the defensive long game

3. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.3
Background
• This is knowledge based on research
• Leading practices from world-­class (and not-­so-­world-­class)
security organizations
• Drawing from industry experts, leading minds
• YMMV, this is not a silver bullet (and there are no werewolves)
• Trident Research Methodology
• 60+ enterprise adopters
• 30+ leading industry experts
• 60+ solution providers

4. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.4
UNDERSTANDING
WINNING AND LOSING

5. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.5
Are we winning yet?

6. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.6
Have you beaten an adversary today?

7. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.7
How would you know?

8. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.8
We’ve been thinking about this wrong.

9. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.9
What does it mean to “lose”?

10. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.10
Any guesses?

11. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.11
If you’ve been hacked, is that losing?

12. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.12
The bar is set unrealistically
high.

13. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.13
As defenders – 3 key questions

14. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.14
Do you control the situation?

15. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.15
If no, you’re losing.

16. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.16
Have critical assets been exfiltrated?

17. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.17
If yes, you’re losing.

18. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.18
Is the situation recoverable?

19. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.19
If no, you’ve lost.

20. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.20
For perspective –

21. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.21
Malware on your systems
Distributed Denial of Service (DDoS)
Website defacement

22. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.22
versus

23. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.23
Stolen trade secret(s).

24. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.24
Defenders must understand difference.

25. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.25
As attackers – 1 key question.

26. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.26
Have you achieved your objective?

27. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.27
If no, you haven’t won.

28. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.28

29. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.29
With this new focus we shift the game

30. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.30
From short-­game (discrete incident)

31. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.31
To long-­game (campaign à objectives)

32. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.32
PLAYING THE
DEFENSIVE LONG
GAME

33. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.33
Fundamentals – live it, love it.

34. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.34
Asset
Classification
Configuration
Change

35. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.35
Know. Your. Battlefield.

36. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.36
“Home ice advantage.”

37. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.37
Defending the unknown is unpossible.

38. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.38
Actively map your protected space.

39. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.39
Collect data, build baselines.

40. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.40
Get some threat intelligence goodness.

41. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.41

42. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.42
Intelligently incorporate externalities.

43. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.43
More data is not necessarily good.

44. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.44
10,000 bad IP addresses.

45. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.45
and?

46. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.46
Where will you put this data?

47. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.47
What will you do with this new data?

48. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.48
Much harder question.

49. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.49
Your security tools are killing you.

50. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.50
How many alerts do you receive…
per day?

51. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.51
Typically 10x your capacity to respond.

52. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.52
Average: 24-­32 alerts /8hr shift
Realistic

53. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.53
Receive à Triage à Decision

54. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.54
You will drown chasing “incidents”.

55. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.55
STOP and FOCUS

56. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.56
What threats are relevant?

57. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.57
Malware. Malware. Adversary. Malware.

58. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.58
3 types of threats.

59. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.59
Keys to differentiating threat types:
• Targeting –whether the victim is one of opportunity, or specifically
tasked (individually, by industry, or in another manner)
• Persistence –whether the intent is a long-­term embedded or
short-­term infiltration;; generally speaking to a level of stealth and
extent of infiltration
Category Targeting Persistence Example
Generic no no ransomware
Targeted yes no credential thief
Persistent yes yes embedded RAT

60. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.60
Why does this matter?

61. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.61
Vastly different responses.

62. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.62
Generic: “Kill it with fire”
Tier 1 automated response

63. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.63
Destroy or re-­image. Move on.

64. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.64
Near-­zero human time expended.

65. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.65
Targeted: Focused, tier 2 response.

66. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.66
Contain. Analyze. Destroy.

67. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.67
Minimal human time expended.

68. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.68
Persistent: Focused, tier 3 response.

69. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.69
Contain. Analyze. Remove. Recover.

70. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.70
Necessary human time expended.

71. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.71
How do you tell the difference?

72. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.72
Your threat intelligence works here.

73. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.73
Atomic indicators need c o n t e x t .

74. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.74
The goal: intelligent prioritization.

75. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.75
Opportunistic malware vs. adversary.

76. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.76
Feeding an intelligence process loop.

77. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.77
core processes
strategy
acquisition triage executiondistribution
development
collaboration
enrichment
governance
feedback
measurement
Intialize
refinement
(finishing)
secondary development

78. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.78
Start with (external) indicators.

79. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.79
core processes
strategy
acquisition triage executiondistribution
development
collaboration
enrichment
governance
feedback
measurement
Intialize
refinement
(finishing)
secondary development

80. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.80
Enrich with context (internal & external).

81. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.81
core processes
strategy
acquisition triage executiondistribution
development
collaboration
enrichment
governance
feedback
measurement
Intialize
refinement
(finishing)
secondary development

82. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.82
Distribute and execute.

83. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.83
core processes
strategy
acquisition triage executiondistribution
development
collaboration
enrichment
governance
feedback
measurement
Intialize
refinement
(finishing)
secondary development

84. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.84
Which type of response does it warrant?

85. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.85
Tier 1 à 3 response type.

86. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.86
Can you learn from the incident?
Can you improve from the incident?

87. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.87
Now let’s figure out how to win.

88. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.88
Goal 1: Raise the cost for adversary.

89. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.89
Goal 2: Frustrate the adversary.

90. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.90
Goal 3: Keep from achieving objective.

91. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.91
An adversary will be persistent.

92. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.92
Malware won’t care.

93. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.93
Tie atomic indicators à adversary

94. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.94
Disrupt efforts to achieve objective.

95. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.95
Repeat as necessary.

96. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.96
This is winning.

97. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.97
Releasing our research at RSA Conf.
Comprehensive program guidance
on threat intelligence as a program.

98. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.98
Want it?

99. Proprietary and Confidential. Do Not Distribute. © 2014 Accuvant, Inc. All Rights Reserved.
1125 17th Street, Suite 1700, Denver, CO 80202
800.574.0896
SolutionsResearch@accuvant.com
www.accuvant.com