
GF - What is Cyber Threat Intelligence? - John Stoner & Ronnie Obenhaus

BSides Las Vegas · 55:48 · 366 views · Published 2019-10
About this talk
GF - What is Cyber Threat Intelligence? - John Stoner & Ronnie Obenhaus. Ground Floor, BSidesLV 2019 - Tuscany Hotel - Aug 07, 2019
Transcript [en]

good afternoon and welcome to besides Las Vegas this talk is entitled cyber threat Intel and apts 101 we'd like to thank our sponsors especially the inner circle sponsors critical snack and vanilla sorry valium ale and stellar sponsors Amazon blackberry and silence okie-dokie just a couple of other things if you could please put your phone on silent and at the end of the talk there'll be ten minutes for questions just please make an orderly line over here thank you and I'll leave it with you guys all right welcome everybody hopefully everybody can hear us so we're pretty excited to present here today I spoken at a couple other b-sides but never as officially a DOD representative

so this is pretty exciting for me so I'm John stoner I'm the chief of analytics in one of the directorates that we have at DC 3 which is dice which in the DoD parlance we put an acronym in an acronym that stands for DoD Dib collabora collaborative information sharing environment but that's not important and I am Ronnie open house I am actually his deputy so there's no one man in the shop right now we're all out here so I'm sure it's fine so this is a quick agenda today we have a couple introductory slides I'm going to go through them very fast but I had to include them into this deck and then we're gonna dive into cyber threat Intel

a little bit about some concepts related to that and this is this whole presentation is really geared for people who don't have a lot of background in cyber threat intelligence if you are an expert feel free to like nitpick and ask us really tough questions later at the end but that's really the audience is for somebody who this is probably not your your main area of expertise so again we're from the DoD cybercrime Center one of several seven federal cyber centers were probably the smallest we have about 520 people total it's an interesting organization we have about 75% contractors at the at dc-3 and we and across the whole organization there's a number of mission efforts so

there's quite a lot that's done in support of law enforcement le counterintelligence C I obviously cyber security or else it would be weird we're here document and media exploitation counterterrorism efforts and we'll talk a little bit about that but that's sort of like an overall there's a lot of very different types of missions that dc-3 contributes to so there's six directorates at dc-3 which is in Maryland which I forgot to say so we were training academy a lot of DoD military law enforcement have taken courses through cyber training academy we have TSD or technical solutions they're sort of like our DevOps people in-house they actually will post some of what they're able to on github as well

so there's some stuff out there from them that's open to anybody we have the DoD vulnerability disclosure program which came out at hacked the Pentagon that's the newest Directorate we have what we call AG which is our analytic group so they also do cyber analytics but they are mostly focused on providing support to law enforcement and counterintelligence specifically we have our forensics lab which we work with quite a bit I think our forensics lab is really good other DoD forensics labs send us their stuff which I think that probably says something about the other labs and then where the defense industrial base collaboration so our titles were actually dice but that's a little bit confusing so we work really

closely with cleared defense contractors CDC's to share cyber threat information between all of them and to and with the government as well yes so this is basically all the jargon that gives us that ability to do that I'm not going to go into all of it because it's it's just a much acronyms and a bunch of things that just give us for lack of better word the authority to actually be that entity right so there's a there's a few things I'll point out real quick without going over some of the DoD FAR's and DOD eyes so we have a voluntary program with over 650 companies and that's really the core that we've built up over the eleven

and a half years that dice has existed and you can see we published our reports we share IO sees those partners can submit you know forensics pcap malware into our lab at no cost so we think that this is a really a good partnership between the DoD and CDC's private companies that have contracts with the DoD to actually produces valuable cyber threat intelligence yes so the way it works actually is exactly how I said right so when we first formed dice formed about eleven years ago and at first it was very difficult to get the companies to actually submit anything to us so we were actually giving them government sourced indicators so we do that through

one of our products to threat information product but we recently got some analysis that said about 72% of the indicators that we provide out are ranked kind of like a seven or higher which is you know it's a scale of like seven through nine you know some proprietary scale so we actually think that we're actually sharing very good information with them but this this kind of wheel of optimism that I call a is we give them the the indicators they see them on their networks then they report that back in to us we scrub that of their information anonymize it put it back out to the rest of the partnership as john mentioned is about 650 companies

so none of them want any of the others to know that they got popped right so we have to anonymize that information and then put that the IOC s and stuff back out then we go into some longer form reports you know they'll kind of give them some thread activity that's going on so they know what's happening and then that might guide into some targeting stuff you know so we can kind of give them a longer form paper of what's actually happening who's targeting them and then maybe that leads into government scanning their networks and oh well they're targeting that we do business with them let's scan our networks and then more indicators come out of that so it gives us this kind of

wheel of optimism and our the core focus for our operations are really on advanced persistent threats so we're gonna say apts quite a lot in this and so we're really interested in understanding what the advanced persistent threats are doing how they've evolved their tactics techniques and procedures they're TTP's so just keep that in mind that we do get cybercrime and ransomware reported in and we'll do some contextual analysis and supplemental analysis on that but the core product that we're focused on is ensuring that those partner companies have the TTP's of apts because that's the most significant threat to those companies that partner with us we offer a number of different services for our companies we have every six months a

technical conference which draws about 200 people we have analysts - analyst meetings where we can really get into the weeds about things that that company may be seeing on the network or questions they have about a particular apt or you know it may be it may not be that far in the weeds they may not really understand how they would perform analysis to understand which apts may be posing a risk so we can have that at a but as the in-depth the level conversation is they want we can also talk to their executives or senior leadership c-suite level personnel and we have a variety of threat products as well some of that's very quick turnaround our core product

is when we get an incident in we try to respond out with contextual information within 72 hours we have other product lines that can take us up to 30 days - right you know that's malware that's been submitted to the lab we get the lab malware report back and we try to ensure that that gets translated into something an analyst will understand and find useful so that's just sort of the introduction so you have some better idea of who we are and what we're focused on and we're gonna dive now into the cyber threat intelligence portion so I present this slide it's some of my other talks as well because we're really talking about a very specific field

within a fairly specific job category already so we have people on our team who may have some background in some other areas but at the end of the day everybody on our team which is about 35 analysts really is a cyber threat intelligence analysts like that's the the title that I use we're called different things there's not one you know you might be a security analyst somewhere and doing some of this kind of work well that's really what we're talking about is we're gonna go through this so we're not truly forensics people we might have some people on the team who do a little reversing but we really rely on our forensics lab to do full

malware reversing we don't have you know DevOps people on our team that's actually a whole nother to that does that for us so that just kind of gives you an idea of the makeup and where our focus is so this is where we really try to explain you know what is it that we mean with cyber threat intelligence a lot of people are going to describe cyber threat intelligence in a number of different ways so if you ask about six of us you're probably going to get ten answers so this is one way I like to kind of describe what it is that we're talking about with cyber threat intelligence so there's one aspect of

this which is mostly automated right it may be coming from some sort of whatever you have in your perimeter defense architecture you know logs heuristics your your firewall your sim alerts and that is information and data so in an intelligence background like a normal US intelligence background normally when you're talking about intelligence we won't call it intelligence until humans have synthesized and looked at that data so ml and AI or sometimes coming along to help with this but for me when I really talk about cyber threat intelligence I want humans to have looked at that ensure that it's accurate it's not there's not errors in there because it's the human that also understands the risk

it should be the human that understands is this information tied to requirements is this information that's relevant to this organization that I work for it's still hard for computers to do that human analysis aspect on the data that they're getting and really at the end of the day it's the human analyst in cyber threat intelligence that study attacker TTP's and should understand and be familiar with the current attacker TTP's and what the attacker is moving towards in the future so they can hopefully stay abreast of the changes in evolutions that's taking place with the attack of TTP's yeah I also don't want to take away from operational intelligence because there's a lot of companies out

there that they just want the indicators because they're maybe they're not big enough to have the context of it and they just want something - I just want to throw something my IDs and block it so we can't take away from operational intelligence but yeah right and a lot of organizations and companies are not going to be able to perform strategic district intelligence themselves right that's why like half of the vendors out here sell some version of cyberthreat intelligence because most of your medium to smaller organizations are not going to have human cyber intelligence personnel your security analysts are going to be consuming that from some other external provider so in my if I had to define

this this is what I came up with for the first bullet right it's that output of the analysis so when the human takes all these data points right what we're talking about is that synthesized analysis at the end of it from our perspective we're really focused on advanced persistent threats so this is coloured because of the organization like we you know when we talk about cyber intelligence we mean nation state associated actors so we're not really spending a lot of time doing cyber threat intelligence analysis on ransomware unless we think it's really tied to nation state actors and then even then we're not gonna spend a good deal of our time on that or and

somewhere as ransomware is mostly fixed with patching the the apts they represent that sophisticated threat to the clear defense contractors or where we spend most of our time so that's what I think of when I'm talking about cyber threat intelligence so one of the things that we also wanted to bring up in this and this has been discussed pretty extensively across the two days in the higher ground tracks have you been going is the type of people that work in cyber threat analysis is very we come from a lot of different backgrounds we're varied people and I just we don't need to spend a ton of time on this but we wanted to bring this up because I think

it's important to have that diversity in all of your teams that you have but it's true also in cyber threat intelligence so some of us come from an intelligence background and some of us don't and some of us are veterans and some of us aren't veterans and I think that that diversity is important to bring differing opinions when we're analyzing a problem yeah so that list that we have up there is actually because we know somebody in our shop that comes from each one of those fields right what I mean one of the best guys I know he's he's not in cyber threat Intel he's now a Penta he pivoted from being an EMT to being a

red teamer so again I just wanted to kind of point this out in this briefing that even within an hour thirty five person team you know we have all of these types of people basically working with us so the other thing that I hear quite a lot is we need cyber threat intelligence well that's fantastic do you have a defensible architecture do you have you considered asset management do you patch systems because you need to start here at the bottom of this chart in architecture before you go buy a basically anything the vendors thank them for you know being here and helping make these events possible but before you go buy cyber threat intelligence you

may need to do some things prior to that to be ready to make use of cyber threat intelligence so we could give you AI OCS but if you don't have everything integrated to really make use of the I OCS and you're kind of just wasting money right so I also just recently went through sans four five seven eight and this is an this is adapted from from from some content that other people have created as well and I just want to call that out I basically changed the slide a little bit but I did not create this graphic so if you have a defensible IT infrastructure then you kind of move up to the next phase here right now we're

at passive defense now we're reacting to things that are alerting in our network operation center or sock right so now we're reactionary hey but but at least you know you're getting alerts and maybe doing something about them now this phase right and then you you move up this architecture chart right so now you may get to active defense so now we're being more proactive so this is probably the first phase where you're consuming some threats intelligent sources in order to be proactive you hopefully have also done some risk analysis as an organization to understand the types of cyber threats that it might affect you and that your organization cares about and wants to have information about

those particular threats and then after that you get to where you may actually have intelligence threat personnel on your team the other the other sort of variable here is that you may have cyber threat intelligence personnel that are mostly consuming outside cyber threat intelligence or you may also have some cyber threat intelligence personnel looking at all of the data on your network and synthesizing and analyzing that as well and that's really critical to do as well you cannot just read both sent reports and consider yourself you know fully at the Intelligence spectrum like you need to be analyzing your networks own data against the risks and possible threats as well in addition to consuming external cyber threat

information and then very few organizations private or DoD will be in that active hunting category so there are a few this is where you're really talking about red teaming but if you really want to use your cyber threat intelligence to inform the red team the term that's starting to be picked up is adversary emulation so that red team should be informed by what the adversaries are doing that we're most concerned about that we've determined we want to keep an eye on that pose a risk as opposed to the red team using whatever random hacking measures and ideas they have which may still be valid but that's two very different types of red team operations right there's one

that's informed by the adversary and what the adversary does and for instance might attack framework may be useful for this and there's also just getting a red team that tries to hack into your network which may have value as well those are two very different types of engagements right one thing that we always try to point out is if you're a company that makes rubber ducks right and there's an apt out there that only goes after wooden boats then why are you trying to protect against wooden boats you know you don't make wooden boats you make rubber ducks so you need to go and protect yourself from the apt that's after rubber ducks all right so I don't

know how many people are familiar with the don't be a one Pizza target has anybody ever heard that phrase before all right so what this actually alludes to is how fast an adversary can get into your network you know it's basically the consumption of one pizza and a moss or drink and they're in now as we slide up the scale as you start getting better in these things it's starting to take more pizzas and more energy drinks now if you'll notice at the end it's a lot of pizza and it's a lot of energy drink but I do want to stress that that is a finite amount there is no such thing as a completely protected network you are

just trying to make yourself so hard that they move to somebody else that's easier and I know that sounds very selfish but that's what we have to do right when we talk about the the advanced persistent threat tactics that are available even if you are active hunting there's no such thing as zero risk the zero risk doesn't work if you work for an organization or sizzurp the belief zero risk exists feel free to have us come talk to them and because maybe the government talking to them in that case would be useful and we can kind of talk through that threat and they can be oh well you know those guys also agree with you and you're like yeah

I know so this is the cyber kill chain so this is patented trademark whatever you call it from Lockheed Martin what most people don't know is it was developed by Lockheed Martin with analysts in dice so fun fact so we're gonna really explain in technical detail what this is all about Ray Ronnie no we are not alright so we thought it would be a little easier to consume it via is everyone familiar with the movie Ocean's eleven alright so that movie actually kind of lines up with the cyber kill chain pretty well so alright first stage is reconnaissance alright so in the movie Danny ocean he's got to find you know he's got to do recon right so he

gets the plans to the vault because that's what they're trying to get into right so just like an apt will run recon maybe they scan your server scan your network maybe they just look on the server to find email addresses things like that right they're just surfing for really easy information in this case they got the plans from I don't know city hall or something is where they got them from so that's recon right so I always explain recon to ways as well which may be helpful I will often say that there's technical and non-technical reconnaissance I'm not sure those are the best semantics to use but technical reconnaissance can someone scan your network you know do ping sweeps whatever

it is that's effective against your network run a vulnerability scan against it right that's the technical side and then there's the non-technical side like do you list all of your VP's email on the page about who we are convenient for advanced spear phishing from an apt right so there's technical and non-technical recon at this stage right and that leads us into the next phase which is weaponization right that is where they are merely trying to find that vulnerability that they that they found by scanning right and they're trying to weaponize it they're getting a payload I don't know if many of you have heard of Metasploit you know they'll go to Metasploit with that vulnerability

and package something together you know so in this case you know maybe it's a PDF that they want to end up connecting to an email or something or maybe it's a resume that already exists out there that they put some malicious code in you know but that that's what we mean by weaponization and in this case in the movie they are actually trying to get a briefcase into the vault right so they're trying to weaponize this briefcase with a plastic explosive actually to blow up in the bulb and in terms of apts a couple of years ago we would see zero days that used to be the big thing all the talks were about zero

days it was super cool and now the apts are like if we just reuse all of our own malware to make it publicly available that makes attribution really hard which it does so you know less 0 days a lot more spearfishing same adversary threat groups now the spearfishing is really good because they went on your who we are page did some research perhaps found a document that your organization created downloaded that PDF put some malware in it then send it back to all of your VPS or maybe some individual VPS or HR people all right so again there's a lot of different examples of weaponization but this is really about you know the the malware in

most cases that's really what we're talking about that will they believe that the adversary believes will be effective against some weakness they found on your system that leads us into the next phase which is delivery so that is actually delivering that payload to their target right in this case the briefcase is inside that car and they're trying to get it to the vault right and another means it could be you know the email with a resume attached with a malicious link inside the email anything they can do to try to fool you into clicking it or opening it but this is merely the delivery phase right now normally the delivery phase involves them clicking on on the

document or the malicious link as well right I mean there's other types of technical delivery it could be like a redirect you know according to wire calm and completely unclassified information if you're familiar with Stuxnet or that delivery mechanism I'm just clarifying that delivery mechanism is believed to have come from malware which was on the Siemens technical control right and then that went into Natanz so again delivery can be you need you need to understand your risks right because delivery can could be spear phishing but it could be something more complicated that you haven't thought of yet either that the adversary is trying to figure out you know there was actually a cartoon we saw

the other day where there is a b-52 bomber flying over and it just dropped a USB stage is very I'm gonna work that into my next briefing under cyber war so the next phase the next phase we have is exploitation so you know the technical definition of this is that's where they are executing the code on the system here in this particular instance they are exploiting the security guards job or ability to do his job right so they're distracting him he can't do his job they're literally exploiting him right so but in the in the means this is the delivery has already happened you know the document has already been opened the link has already been clicked whatever

end the and exploitation is now that code is being executed on a machine which leads us into our next phase installation so as we see here cart is being escorted right into the vault it is being installed so same thing right code executed this is where the installation of the malware happens I mean there's right there you go right right so if you're at this stage from the victim perspective you have failed in all the detection up to that for whatever reason and that attacker has installed the first you know dropper the first set of malware you know it may be making calls out to download an install additional malware at this point it may be you know installing other or

using applications on the system that already exists on the victim network but at this point it's it at this point you're breached and it's not good because you haven't detected it up to this point and that leads it to the next phase of command and control so in here we see the wire he vampire taps the network can get into the the security camera feed what command and control usually refers to once they have installed the malware is it's now going to beacon back to something that they control whether it's you know that's where it stops or you know if it's calling additional files to download or additional malware to download you know like John said maybe the installation

phase just was a dropper and now they want to pull the the real malware onto the system so that's where command and control comes into play one thing I do want to mention is we do this in a linear scale but not all of these have to happen in this order sometimes attackers you know maybe they go to showdown and see you know maybe they scan your system they go to showdown oh this is already done or you know it was reported that you already had a vulnerability and they just look and say oh well you haven't patched it yet they can skip a lot of these steps and go right to it and so we do it linear

linearly because it's easy to digest but the steps do not have to happen in this order which is why I put this scene here because this scene happens way earlier in the movie right yeah so in a lot of cases there's there's a few things I'll note about command and control as that depending on the sophistication and and how that particular threat actor operates in a lot of cases they have some general command and control TTP in and of itself so a couple years ago it would have been easier because the adversaries would keep using the same infrastructure the same c2 they've determined that was bad so now they will use a lot of VPS

or other exploited BOTS essentially to do some of the command and control but in a lot of cases that's gonna be set up and that adversary has some idea ahead of time of how they're gonna handle the command and control you know for this particular intrusion or this particular attempted intrusion and then you know a lot of that malware is gonna be come back out as Ronnie said so that may be something that's detectable you know it depends on that normally the sophistication and the means that that threat actor takes to try to hide the command and control beaconing in the first place like there are some threat actors who don't care if eventually you

find out and then there are some who go to great pains to obfuscate the fact that they're on your system so there's there's a lot of variables that can happen at this stage as well then we get to the final stage which is actions on objectives so for this one the action is on objective was exfiltration of money right that's what they wanted so and you know if you've seen the movie they succeeded spoiler alert for somebody has have seen a 17 year old movie but normally actions on objectives so it can vary on what they want right is it information they want to exfil is it just persistence that they want to establish like John says some people

don't care if you knew they were there they just wanted information it's a smash and grab and they're out some people will off to skate that's a hard word they will hide and yes so this is really the one so ransomware right action zone objective would be just the encryption of all of your files so it really depends on what their goal is depends on what their actions on object right and the cyber kill chain comes from the military community because it was just a kill chain before it was the cyber kill chain so when we describe actions on objective I mean it's basically anything the adversary wants to do deny disrupt degrade destroy delay you know all sort

of standard military terminology so in some cases you know with a very advanced adversary whose goal is to maintain you know the ability to get into that network later then their action on objective is to remain undetected that may be the only action on objective right if it's ransomware its you know we want you to pay the ransom if it's a disgruntled former IT guy I might just want to burn your system down because I hate you people right so again at this point that attacker whoever it is can do pretty much whatever they want on your system so the other important thing about the cyber kill chain is I like this because it's simple right so

for for an organization or people that are sort of new to cyber threat intelligence I don't necessarily recommend starting with mitre attack because it's very complicated in death and it might not be where you want individual your organization to try to start understanding cyber threat intelligence I love it for the level of in-depth detailed analysis it can do but that might not be the best place to necessarily start a cyber threat Intel team or sort of you know individually begin to understand so as you go through as a network defender as well the earlier your detect the activity the better right so if I can detect recon attempts that's better than if I'm detecting installation right if I'm

detecting insulation there's you have been breached right that is now an incident and you probably need to go through incident response so that's just another note I want to point out when we talk about the adversary actions in terms of the kill chain as well from a defender view point so this is another big one as well so you got all these Intel people we hired them we got them sitting somewhere there reading firing reports and working with the DoD right they don't know what to do no one has given them any direction so I'm gonna analyze some apts I find to be interesting then right so this is another really critical piece it doesn't

get talked about so if you have defensible architecture and now you have a sock and you've got cyber threat Intel people they need to work with your risk personnel to understand what threats are we looking for are you getting the right kinds of data from our network to allow you to also do cyber threat intelligence analysis on our network artifacts on our sis logs are you are we detecting heuristic or anomalous on our network that looks like a potential adversary or insider threat right so they your Intel team your cyber threat Intel team has to have some requirements and it can't be 50 right because you can't work against 50 requirements normally each individual CTI analyst can work somewhere between

three to five requirements at most that's generally a realistic amount of requirements for you know a mid-level cyber threat Intel person depending you know on what other duties you have them assigned or doing as well yeah and this goes back to that rubber duck wooden boat analogy right you know why waste time on a priority that's not a priority right you know I think 10-15 years ago the military was all about stop everything and now they're finally waking up to okay we don't have to stop everything we just have to stop the ones that are actively trying to get in right and you really need to understand you know what that organization or entity you work with or the company you know

are you an aerospace company or are you an energy company, are you in finance, right? As those generally have some different types of cyber threat actors, right? Well, everybody faces ransomware, but again ransomware isn't necessarily a cyber threat intel problem, because you probably should just patch stuff and back it up; that's an IT requirement, right? So again, moving beyond ransomware, you know, if there are certain APTs in the financial sector that are, you know, doing certain TTPs that are highly effective in advance, then you should probably be focusing on that APT and what the newest attacks are, so that you can ensure you have visibility to cover the risk that your organization faces. So that's really what we're trying to

stress here a lot: you can go buy all the cool stuff out there and go hire a bunch of people, but you also need to have some policy direction and some requirements as well. All right, Bianco's pyramid of pain, how many people are familiar? Okay, so we have a couple out in the audience. All right, so this really, I want you to see, you know, we have hash values, IP addresses, domain names, yeah, I'm not going to read the other three. Then on the right side we have trivial, easy, simple, annoying, challenging and tough. So what that is actually saying is, as we go up, that's what we are doing for the adversary, right? So, you know, hash values, you know,

how many, how many of you are familiar with what a hash is? Okay, so, all right, so when you plug hashes into your system and you're blocking it, well, that's trivial, right? It's trivial for the adversary, too, but we don't want to not do it, you know, just because we are talking about APT, but there's a ton of people trying to get into your network at all times and they're not as sophisticated, so they are using this name. So let me jump in and throw you completely off to do it. All right, so also when we talk about advanced persistent threats there's like a playing field of how good they are; I like to use the Olympic analogy:

everybody at the Olympics is really good, but not everyone is actually in gold medal contention, right? So there is like a small percentage of like really bad, scary APTs, and then there's some other ones that are bad, and then there's some other ones, and then I guess we'll call those APTs too because they're associated with nation states, right? But they're not really gold medal APTs; there really is a sliding scale in terms of sophistication for certain APTs. So yes, you should still block hash values, because that may still, even for an APT, be more difficult for them to figure out that you've done that and change, right? So as we move from hash values we get to

IP addresses, right? So the same thing, you know, it's easy for them to change because they're burning their infrastructure like crazy, you know, they're using virtual private servers versus prime networks, you know, whatever. Same thing with domain names: they'll just sit there and just create domains like crazy, but you don't want to not block them, you know, if you find malicious stuff, just because you don't want to be the guy that, that didn't block bad.com, right? So a good example. Then we get into network and host artifacts, right? So is everyone familiar with what network and host artifacts are? So okay, so for those of you who are not familiar, that's stuff

that's like left behind, right? So if an actor has gone into your network, so if they're in the network, stuff they leave behind, you know, maybe code that they used, that's going to be a network artifact. Host artifacts are going to be stuff like registry keys that were created or maybe files that were created after they ran something. So if you start detecting that stuff, that's going to make it annoying for them, because now they have to go change some of the stuff that they use, because you're detecting it and you're not allowing those registry values to be created, not allowing those files to be created, you know. And then we move up into tools, because they're all

just using tools, you know. So when you start actually seeing the tools that they're using and can detect those tools, now they have to go change the tools; well, that's challenging. Because, so we have, we have our differing opinions on sophistication versus non-sophistication: there are some APTs that are very sophisticated, that I would consider very sophisticated, but they're not writing their own stuff, they're just using it in a very sophisticated way, right? So they're just reusing other developed tools, or that core APT team may be sharing a dev setup, malware guy, across multiple nation-state actors. Yeah, so if you start seeing that, now they have to go and either pay somebody to write a new tool

or write their own tools again, you know. So now you're making it challenging. Now the top level, TTPs, their tactics, their techniques and their procedures: when you know what they are doing to get into your network or get into your computers and you start blocking that stuff, well, now they have to change everything about themselves, or, with the one pizza a target thing, they just move to somebody else who hasn't gone on to that, and that's really what we're trying to get to. So that's, that's where that pyramid of pain is. Doing it sounds funny because it's a pyramid of pain, and as it goes up it's harder for us to do, because, you know, you have to track TTPs, you

have to track their tools and ask where you get cyber threat intel from. But it's also making it annoying, challenging and tough for the adversary as well, and that's, that's really what that pyramid of pain is trying to tell you: as you move up the scale, it's beneficial for you to move up the scale. And when you're, when we're really talking about the more sophisticated adversaries and their TTPs, there's a ton of information that is available that is of generally pretty good quality. So again, MITRE ATT&CK was the briefing before, I was like two hours ago, but the MITRE ATT&CK, where they have, you know, very technical level mapped against certain nation-state actors or APTs, is a

good resource, and there's a lot of other commercial cyber threat intel that's really good as well, and, you know, you may be eligible to join certain federal or USG programs to get some of the TTPs as well. So again, if you don't have a cyber threat intel team, I mean, that's where the focus is, so a part of this is make sure you're ready to have and include cyber threat intel as well, right? So not every organization is at the level where they probably should be making that investment, but even if you're not, your security people can still have a better understanding of APTs from those, from those same sources as well. So we have a couple examples here.

We could, like, go over every, you know, hundreds of APTs that have ever existed and/or may possibly exist; we just highlighted a couple today. Again, this is for people that are not cyber threat intel people, so these are two I like to highlight. So there's a number of different names, open-source intelligence, OSINT, names that tend to get associated with each other, so there is some interesting debate on whether that's good or not to do that, because when you start associating activity clusters over a really long time period, some, some people will start to argue we shouldn't associate that, because that may not really be the same adversary anymore, and it really depends on what your

definition of attribution is, so just keep that in mind. If you really want to have that discussion later and buy me alcohol, that's fine. So APT28 often goes by the names Sofacy and Fancy Bear. That group has probably been active since about 2007; they're Russian. Just for example, one clue that helped us, you know, helped the community determine this is probably Russian affiliated is the malware compile times line up nicely with UTC+4, which is the time zone in Moscow, St. Petersburg, right? So there's, there's a lot of other things that go into that, but I, I found that to be particularly interesting, because even the most sophisticated adversary, it's still someone behind a computer who

hadn't thought, "Man, I better compile this in the North Korea time zone to throw them off," right? I mean, it just didn't occur to these people to do that yet; now it will, because it's on the Internet. So this group also used to use, probably used, a number of zero-day vulnerabilities, but actually they've just gone back to spear phishing, because, God, we haven't figured out how to stop that yet. And they're really good at spear phishing too, right, because it's not the "congratulations, you've won an Amazon gift card," and, you know, even Gmail can figure out that spam, right? It's really sophisticated, really targeted spear phishing, right? So APT29 is sort of like their, their brother, their sister

group, if you will. They're also known by CosmicDuke or Cozy Bear, if you believe that it's all the same activity historically. So I would say that this is one of the most sophisticated ones; that these guys are both sort of like gold medal contenders, if you will, but I would say this guy's probably like the Michael Phelps of, of APTs. So they patch their malware. I can't even get network defenders to patch their servers, and this APT will literally patch their malware. Awesome. So that's what we're up against with some of these guys. They're also really good at obfuscation, they make heavy use of encryption as well, they make detection, once, once you are a victim, they make

detecting them very difficult when they're on the network. So the other example we have up here is a probable Chinese-associated one, and again a number of OSINT names that most likely refer to the same activity group: Deep Panda, APT19, Shell Crew or Pink Panther. So they've been active for many years. If you believe press articles and a lot of other OSINT out there, they were probably behind the Anthem hack, they were probably behind the OPM hack as well, and they target healthcare, aerospace and energy the most; the three areas that this particular APT has been associated with attacking. And their core focus is cyber espionage, right? So again, they're exfiltrating sensitive data, like the OPM hack, which

we were part of, not that we hacked it, but, like, victims, just, just to be clear, victims of that. I've pretty much been a victim of Anthem, OPM, Home Depot, pretty much everybody, so I assume they have a very large dossier on me. So that leads us to: what is the future and what does it look like? So if it was the military, it would look like that guy on the left, right? So, you know, they think if we can just throw money and guns at it, you know, that's gonna do it, but they're slowly coming around to the guy on the right, you know, that we need this intelligence-driven analysis, we need to

know their TTPs. And then even then you still have two camps that we find frustrating: you have the camp that's all about counterintelligence and then you have the camp that's all about network defense, and those are competing ideologies. You know, counterintelligence just wants to watch all of it so they know what's happening; network defense is like, "No, just stop it, you know, we don't want it to happen." I didn't know we were gonna have this discussion, but just while we're on the topic, let me just explain a little bit more about this concept. So there's obviously a lot of US government or DoD entities, so you have FBI, all the MDCOs, so like Army

Counterintelligence, AFOSI, NCIS, the real people, not the TV show, but they have a very broad mission, and cyber is a part of their counterintelligence and law enforcement missions. So again, you get into situations where if an advanced persistent threat actor, you know, has compromised the victim, you know, they can open up a law enforcement or counterintelligence investigation, basically, and that doesn't necessarily lend itself to sharing information with network defenders to block the adversary, right? Those are competing requirements in most cases. So there's a lot of effort across DoD and USG, but even so, sometimes it's hard to synergize efforts, because those core missions are not really in alignment with each other in a lot of cases, right?

They may want to make sure we understand the adversary, and as you guys have seen, you know, within the last, you know, couple months, the amount of indictments that come out from the Department of Justice has probably increased a little bit, and there's some debate as to the effectiveness of indicting people who probably never set foot in a country where we can extradite them. But, I mean, I certainly would not want to see, you know, an adversary nation indict me, so, like, I think perhaps there's some, there's some right there to indict particular hackers or threat actors. But back to the intelligence-driven network defense portion, right? That's, you know, even if you get to this point, there's still not

zero risk, right? And that's, so you can even have very sophisticated cyber threat intelligence operations with priorities, you know, analyzing data proactively, you know, informing the occasional red team adversary emulation, and you still won't have no risk. So this is just a quick overview of everything that we covered today. So we are happy to take questions for a few minutes, and, you know, if we don't know the answer, we'll make something up. So what I do then, if you ask a really tough question, that will require alcohol.

Where do you see network traffic behavior analysis type products in your pain points diagram? Probably in, probably like in that host artifact slash tools level. So how your organization is dealing with that, either heuristic analysis detection, it may also be tied into whether or not you have like an insider team, an insider threat team, right? Every entity and organization is gonna be structured a little bit differently, but your cyber threat intel team should, you know, be tied into the SOC and NOC, and be tied in, like, if you have insider threat teams, they should be tied into that as well, because there are not very clear delineations here in some of the information and, and

who may detect what, so you would want those teams to have really good relationships with each other as well. But I would say, like, heuristic or anomalous activity, if I've understood the question right, I mean, if you're, if you're at that level that you're detecting that, you're pretty high up on that Bianco's pyramid of pain. Can you talk about your no-touch policy about the... What about a no-touch policy? No-touch policy, limitations on interacting with APT infrastructure. So talk about our policy with it, like DoD? So okay, so at DC3 we are not part of the US intelligence community, so we are cybersecurity, that is the entirety of our mission, so you're really asking me about

other DoD entities a little bit, and I think some of the missions that you're referring to are really being highlighted by other agencies, including Cyber Command. I think individual DoD policies would say, like, if I have some other random, you know, like, like the VA, their network defenders should not be more proactive, I think. Is that kind of what you're asking about?

Normally, normally with the DoD that requires very specific, very specified authorizations to do that, right, because really at that point that very easily crosses into what most policies and directives will consider offensive. So that is not true for, like, private cyber threat intelligence companies, which is why sometimes they have really excellent information in, in an OSINT format. Certainly there would be DoD organizations that do perform that type of, that type of pulldown and information. I don't, I don't know if I have a better way to answer your question; you've asked a tough one, you definitely owe me alcohol. Any other easier questions? No? Good. How does a CTI program extend to third party environments, to your

company's third party providers? Yeah, yeah, I mean, I think that's really going to depend on, on your policies and the way you want to have it set up. So, I mean, for most private companies you don't have to worry about, like, a classification issue; it does depend if you're getting some DoD information, perhaps, but for the most part, if you're really working off of commercial cyber threat intel and what's available open source, it's completely unclassified. Then I think you would just want to ensure that the third party is getting information that's relevant to them, right? So your organization may have a broader risk picture than that third party supplier; for instance, like, they may not face all

of the same risks that you do, so you may not want to pass them all of your cyber threat intelligence. You'll want to do some analysis first, because, you know, if you make airplanes and your third party provider is just making the tires for them, they, they're probably not going to face every single threat necessarily. You need to do some analysis proactively to see. Now, in some cases the adversary is well aware of who you work with, so they may face more sophisticated threats than they, than they think they face, but that's why you have to do that sort of proactive analysis based on, you know, the vertical you're in, you know, are you in healthcare, are you in aerospace, are you in, you

know, space. So that would kind of also depend, I think it also may depend on the size of that third party, that, how sophisticated they are, right? So a lot of the third party companies may not be at a defensible architecture yet, right, so you might pass them cyber threat information and that goes into a special inbox that they call trash, because "what am I doing with this IOC?" right? So again, I think you should be proactive with that, but you want to make sure that you're at least, you know, at a defensible level that that third party has, and it's going to depend a lot on, like, what your organization, like what

kind of risk. So you're probably gonna involve, like, C-suite and lawyers, maybe, to help decide some of that. And if that company is part of your supply chain, that's a whole other brief that's going to take us another hour, right, which we're not allowed to have. We have a few more minutes if anybody has any other questions.

Would it be too early to speculate on the Baltimore ransomware attack, is that something... So the Baltimore ransomware attack was, was probably, they probably used EternalBlue, which is, I mean, anybody can get that, but also it's patchable, so there's a patch for EternalBlue. So, I mean, again, a lot of this stuff is: do you have a defensible architecture? And the answer is no. So the answer to Baltimore is no, the answer to every hospital that will get hacked is no, so they don't have policies, they're not patching systems. I mean, some of the APTs that are, like, you know, bronze-level APTs are still using exploits that we've had patches for for years; people just aren't patching their

systems, and then it's like, "Oh my God, these APTs are so sophisticated." No, no, some of them, yes. The one that hit, you know, like, what I need you to do is patch Apache Struts, or just not use it and figure out something else, right? I mean, that's, that's what I need you to do. All right, so it, and it's that: have you done some of the core cybersecurity basics on your system and, and actually have patch policies? So, so anyway, Baltimore, there was a sophisticated, sophisticated tool, EternalBlue, who, it sounds awesome; yeah, there's a patch for that. Another question: how do you, I know this isn't your area, patch management and all

that, fine. What are your thoughts on the Windows patches that come out and how bad they are and how many problems they cause when you install immediately versus waiting a little bit for them to fix their own problems and then patch, and what are your thoughts on balancing that? I think if everyone switched to a UNIX or Linux flavor system for six months, the adversaries would have no idea what's happened, so that's my, that's my best solution. My mom has an Alienware computer that runs Zorin, so she's good; she doesn't really understand it, but she knows it works better than Windows. So I think, first of all, really to answer your question, is: do you have legitimate, real

asset management of what is publicly facing on the Internet, right? That's the first question, because those are the things that you need to patch first, right? If the adversary can touch something, then that's the thing that's most important that you patch, whether it's Windows or whatever, you know, software you have on those externally available systems. So that's really the first answer to your question, because if the adversary's already in the network, then you, you're already fighting a losing battle regardless of what you're patching or what version of Windows you're on. All right, to be completely honest, if you're worried about patching everyone's computers and I'm in a ten thousand person organization, when the adversary is

already in your system, like, that's your concern. So we can't always keep them out, so yes, patching is important, but patch that externally facing stuff first and look at all the policies you have for how people remote into your network, right? That would be my core focus first: let's make sure that the defense perimeter is defensible and that we, we are following our policies and patching the things that, that a threat actor can easily touch, and then yes, you should patch as soon as you can, but I understand you don't want to break things, right? So I don't have the magic bullet for that, but that would be, you know, the best answer I have. The biggest

thing is what's going to cost you more, right, and that's a risk analysis that you're running. I agree with John: patch your outside stuff first to give them the hardest way to get in, and then you can worry about everything inside the network later, and you may have a strategy, right, you might not simultaneously patch everything concurrently. But, I mean, that would be what I would focus on first, and maybe, depending on the size of your organization or how it's set up, you do some first to see, oh, that we, right, but patch whatever is externally facing first would be my core advice there. We've got a few more minutes if there's any other questions at this

point. We're busy, anything cybersecurity related is game, I think. All right, thank you guys for coming and sticking around. [Applause]
