1、安全威胁情报体系的建设与应用,什么是安全威胁情报,当前信息安全防护体系面临困境,难以从海量的安全事件发现真正的攻击行为,IDS、SOC等传统安全产品使用效率低下,某一点确认的安全事件不能及时在组织内及时有效地进行共享,组织内部难以有效协同,不同类型、不同厂商的安全设备之间的漏洞、威胁信息不通用,不利于大型网络的维护管理,斯诺登等事件揭示的NSA对我国的攻击手段,目前的手段难以有效识别发现,亟需对现有安全体系进行升级,应用安全威胁情报技术 建设安全威胁情报平台,攻防速度之争!,速度!速度!还是速度!,Attack Begins,System Intrusion,Attacker Surveill
2、ance,Cover-up Complete,Access Probe,Leap Frog Attacks Complete,TargetAnalysis,TIME,Attack Set-up,Discovery/ Persistence,Maintain foothold,Cover-up Starts,Attack Forecast,Physical Security,Containment & Eradication,System Reaction,Damage Identification,Recovery,Defender Discovery,Monitoring & Control
3、s,Impact Analysis,Response,Threat Analysis,Attack Identified,Incident Reporting,Need to collapse free time,ATTACKER FREE TIME,TIME,Source: NERC HILF Report, June 2010 (http:/ Security Intelligence 安全,安全情报 Threat Intelligence 威胁情报 Security Threat Intelligence 安全威胁情报 Cyber Threat Information Sharing 网
4、络威胁信息共享 Intelligence Aware 情报感知 Intelligence Driven 情报驱动 Intelligence-Aware Security Control 基于情报感知的安全控制 Context Aware 情境感知 信誉库,OSINT Dell SecureWorks RSA NetWitness Live/Verisign iDefense Symantec Deepsight McAfee Threat Intelligence SANS CVEs, CWEs, OSVDB (Vulns) iSight Partners ThreatStream OpenD
5、NS MAPP,企业外部的安全威胁情报源(含开源及商业),IBM QRadar Palo Alto Wildfire Crowdstrike AlienVault OTX RecordedFuture Team Cymru ISACs / US-CERT FireEye/Mandiant Vorstack CyberUnited Norse IPViking/Darklist,企业内部的安全威胁情报源(提供安全情境),Directory user information (personal e-mail, access, user privilege, start/end date) Prox
6、y information (content) DLP & business unit risk(trade secrets / IP sensitive docs) IT Case history / ticket tracking Malware detection / AV alerts Sensitive business roles,Application usage & consumption events (in-house) Database usage / access monitoring (privileged) Entitlements / access outlier
7、s (in- house) User behavior association based on geography, frequency, uniqueness, and privilege,情报平台Threat intelligence platforms(TIPS),预计至2018,50%的一线组织和MSSPs将会使用以MRTI为基础的TIP平台(目前不到5%),安全威胁情报应用示例之RSA NetWitness Live,Live gathers the best advanced threat intelligence and content in the global securi
8、ty community,Live Manager provides configurable manager with a dashboard,Aggregates & consolidates only the most pertinent information,Transparent integration with customers live and recorded network traffic,安全威胁情报应用示例之RSA NetWitness Live,RSA Fraudaction Domains RSA Fraudaction IP NW APT Attachments
9、 NW APT IP NW APT Domains NW Suspicious IP Intel NW Criminal VPN Entry Domains NW Criminal VPN Entry IP NW Criminal VPN Exit IP NW Criminal VPN Exit Domains NW Criminal SOCKS nodes NW Criminal SOCKS User IPs NW Insider Threat Domains NW Insider Threat IP,APT Filenames Palevo Tracker IP Palevo Tracke
10、r Domains QakBot C2 Domains Critical Intelligence Domains - SCADA Critical Intelligence IPs - SCADA Dynamic DNS Domains TOR Exit Nodes TOR Nodes eFax sites (data leakage) iDefense Threat Indicators ISEC Exposure Blacklist Domains,安全威胁情报应用示例之RSA NetWitness Live,安全威胁情报应用示例之IBM Qradar SIP,Bridges silos
11、 Highly scalable Flexible & adaptable,Easy deployment Rapid time to value Operational efficiency,Proactive threat management Identifies critical anomalies Rapid, extensive impact analysis,安全威胁情报应用示例之IBM QRadar SIP,Context and Correlation Drive Deepest Insight,Extensive Data Sources,Deep Intelligence
12、,Exceptionally Accurate and Actionable Insight,+,=,Suspected Incidents,Database Activity,Servers & Mainframes,Users & Identities,Vulnerability Info,Configuration Info,Security Devices,Network & Virtual Activity,Application Activity,安全威胁情报应用示例之IBM QRadar SIP,Fully Integrated Security Intelligence,安全威
13、胁情报应用示例之McAfee Threat Intelligence,安全威胁情报体系的建设,STIX - Structured Threat Information eXpression TAXII - Trusted Automated eXchange of Indicator Information CybOX - Cyber Observable eXpression MAEC - Malware Attribute Enumeration and Characterization OpenIOC - Open sourced schema from Mandiant IODEF -
14、 Incident Object Description Exchange Format CIF - Collective Intelligence Framework IDXWG - Incident Data eXchange Working Group,标准是最好的建设参考,主要协议和标准比较,STIX标准要点浅析,STIX标准要点浅析,TAXII标准要点浅析,TAXII标准要点浅析,TAXII标准要点浅析,美国联邦政府标准NIST 800-150 Draft要点浅析,美国联邦政府标准NIST 800-150 Draft浅析,美国联邦政府标准NIST 800-150 Draft浅析,美国
15、联邦政府标准NIST 800-150 Draft浅析,IP addresses and domain names URLs involved with attacks Simple Mail Transport Protocol (SMTP) headers, email addresses, subject lines, and contents of emails used in phishing attacks Malware samples and artifacts Adversary Tactics, Techniques, and Procedures (and effectiv
16、eness) Response and mitigation strategies,Exploit code Intrusion signatures or patterns Packet captures of attack traffic NetFlow data Malware analysis reports Campaign/actor analyses Disk and memory images,典型共享信息内容:,美国联邦政府标准NIST 800-150 Draft浅析,共享过程中需要注意隐私问题 URL、域名、IP、文件名等信息不能暴露被攻击者 捕获的报文不能包含登陆凭据、财
17、务信息、健康信息、案件信息及web表单提交数据等 钓鱼文件样本不能包括任何与事件响应人员无关的敏感信息 Web/代理日志中不能包含如登陆凭据、URL参数中的ID数字等个人或业务行为 网络流量/NetFlow信息不能暴露员工行为或企业中与调查无关的内容(如访问了医疗情况相关的网站) 恶意代码样本,内容里面不能包括用户业务或个人相关信息 信息的敏感性也至关重要,需要遵从谅解备忘录MOUs、保密协议NDAs或其他协议框架,同时也需要遵从PII、SOX、PCI DSS、HIPPA、FISMA、GLBA等法律法规。 同时也必须对交换的信息进行标识,约定其使用范围。,我的TIPS理想架构,智能威胁信息交换
18、平台,防火墙,IDS/ IPS,Anti-APT,防病毒网关,客户端防病毒,SDN&DPI,检测、网关类设备,SIEM,网管,分析平台,上级智能威胁信息交换平台,外部智能威胁信息交换源,待分析威胁数据,威胁数据feed,APT分析,事件管理,日志关联分析,查询搜索,验证,威胁情报管理,威胁情报 上报,威胁情报 获取,威胁情报 获取,威胁情报 获取,威胁情报 上报,威胁情报 共享,响应管理,安全威胁情报体系的应用,NG的NG?,情境/情报感知?,以SECaaS模式为核心的网络安全情报中心,安全威胁情报的发展方向,人读,机读,简单,丰富,非实时,实时,孤立,共享,应用结构化的 indicators of compromise(IOC ) 参考STIX定义安全威胁情报元模型,并对关键指标进行标准化 内部、外部可共享的IOCs 情报数据尽量多样化,不应仅是信誉库 应用威胁情报开展情境分析 SOC等分析型优先,逐步推动防护设备支持 自动化共享和分析处置,对于企业应用实践的建议,讨论!,NUKE同学的手抄报,也可以关注网站 www.sec-un.org/author/nuke,
