# From the field

###### Cyber Threat Landscape

Cyber Threat Intelligence

Anca Holban

-----

### What is Mandiant Consulting… one of FireEye's souls

**Prevent, detect, & respond to advanced cyber-security events and protect your organization's critical assets.**

- Trusted by organizations worldwide – Over 40% of Fortune 100 companies[1]
- 14+ years responding to and remediating sophisticated headline breaches
- Mandiant DNA – Pioneers in incident response
- Portfolio of services to assess, enhance and transform security posture and upskill internal security staff
- Cutting-edge threat …
- Cyber security services
- Global workforce of over …

-----

### M-Trends: Tracking our investigative experience

- Informing the cyber security community since 2010
- Annual publication sought after by security professionals and market analysts
- Data based on 12 months of forensic investigative findings (10/01/16 – 09/30/17)

-----

# What would you do if you had 101 days of time?

-----

### Zoom in to EMEA

-----

### EMEA organizations investigated in 2017, by industry

[Pie chart. Slices legible in the extracted text: Healthcare 2%, High Tech 7%, Entertainment & Media 4%, Retail & Hospitality 5%. The remaining slices (Financial, Energy, Business & Professional Services, Other) carry the values 24%, 22%, 18%, 12% and 7%, which the extraction does not pair with their labels.]

-----

### Median Dwell Time Trending

**Median Dwell Time, By Year**

| Year | Median dwell time (days) |
|------|--------------------------|
| 2011 | 416 |
| 2012 | 243 |
| 2013 | 229 |
| 2014 | 205 |
| 2015 | 146 |
| 2016 | 99 |
| 2017 | 101 |

-----

### Notification by Source

-----

# Cyber Security Skills Gap – The Invisible Risk

-----

### The Gap, according to Mandiant CDC Engagements

**Lack of expertise**
- Cyber defenders
- Investigators
- Threat analysts

**Lack of processes**
- Actionable threat intel
- Telemetry prioritization
- Orchestration

**Lack of people**
- Numeric (9/12 per CDC)
- 24/7 availability

-----

### Enduring Trends in Security Fundamentals

- Security Risk Management
- Identity and Access Mgmt
- Data Protection
- Network, Cloud
- Incident
- Host and Endpoint

-----

[World map: Main Offices; Intel Personnel; FireEye as a Service Security Operations Center]

-----

### Newly Named APT Groups

- TEMP / EVIL tracking × 1000s
- Attributes behind a name: Sponsoring Nation, Target Profile, Attack Motivation, TTP
- ATTRIBUTION – relate activity to a specific sponsoring nation
- Identify TTPs
- Targeting specific VERTICAL or GEO

-----

### APT32

**APT 32** – March 20, 2017

- Known as OceanLotus Group
- Vietnamese threat group
- Primary targets:
  - Journalists
  - Dissidents
  - Foreign corporations
- Leveraged social engineering emails with Microsoft ActiveMime file attachments to deliver malicious macros

-----

### APT33

**APT 33** – August 21, 2017

- Iranian threat group
- Targets:
  - Defense
  - Aerospace
  - Petrochemical
  - Western companies who support Saudi Arabia's military
- Uses public and non-public tools:
  - DROPSHOT -> TURNEDUP
  - DROPSHOT -> SHAPESHIFT?

-----

### APT34

**APT 34** – November 14, 2017

- Iranian threat group
- Targets, Middle Eastern:
  - Financial
  - Government
  - Energy
  - Chemical
  - Telco
- Public and non-public tools

-----

### APT35

**APT 35** – December 15, 2017

- Also known as Newscaster Team
- Iranian
- Targets:
  - U.S. and Middle Eastern government personnel
  - Military
  - Diplomatic
  - Media
  - Energy and engineering
  - Business services and telecommunications
- Complex social engineering campaigns

-----

### APT36 (Lapis)

- Pakistani espionage group
- Supports Pakistani military and diplomatic interests
- Targets: Indian military and government
- Operations also seen in US, Europe, Central Asia
- Social engineering emails, multiple open-source and custom malware tools

-----

### APT37 (Reaper)

**APT 37**

- North Korean espionage group
- In 2012 targeted South Korea
- In 2017 expanded to Japan, Vietnam, Middle East
- Intelligence gathering for government
- Toolset includes access to zero-day vulnerabilities and wiper malware

-----

### APT38

**APT 38** – October 2018

- North Korean threat group
- Financially motivated, backed by the North Korean regime
- Since 2014 compromised more than 16 organizations in at least 13 different countries
- Very well planned, sophisticated attacks against banks

-----

### APT Groups

- APT0–27, 30/31 = China (APT0 was a very short-lived one)
- APT28/29 = Russia
- APT32 = Vietnam
- APT33/34/35 = Iran
- APT36 = Pakistan
- APT37 = North Korea
- APT38 = North Korea

-----

##### Most people confuse

| Information | Intelligence |
|-------------|--------------|
| Raw, unfiltered data | Processed, sorted, and distilled information |
| Unevaluated when delivered | Evaluated and interpreted by trained expert analysts |
| Aggregated from virtually every source | Aggregated from reliable sources and cross-correlated for accuracy |
| May be true, false, misleading, incomplete, relevant, or irrelevant | Accurate, timely, complete (as possible), assessed for relevancy |

Or as the FBI put it: "simply defined, intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions – specifically, decisions about potential threats to our national security."

-----

###### Purpose of Intelligence

- To reduce the degree of uncertainty about an adversary, or potential adversary, situation or threat which may be experienced by decision makers.
- To convey the truth to decision makers and provide managers with accurate information so they can make informed, reasoned, and timely decisions.
-----

### The Pyramid of Pain

-----

# How To Think about Threat Intelligence

-----

### How NOT To Think About Threat Intelligence

"A cyber attack is coming on Tue at 2pm"

-----

### How To Think About Threat Intelligence

**Strategic** (Executives, Intel Analysts)
- _Future oriented_ – Use emerging trends and patterns to make long-term decisions
- Helping business decision makers to reduce risk

**Operational** (Incident Response, Security Operations)
- _Prioritize resources for "real" versus "perceived" threats_ – Consider historical capabilities, affiliations, and motivations of actors
- Factor business outcomes of threats into detection, mitigation strategies and priorities

**Tactical** (Infrastructure Operations, Vulnerability Management)
- _Interactive analysis and intelligence flow between internal and partner technology tools and threat environment_
- Prioritize mitigation and triage resources leveraging intel in real time
- Factor business outcomes of the threats/vulns into mitigation actions

-----

### Not all Intel is created equal: From Indicators to Expertise

- **Indicators** – "This IP Address is bad"
- **Context** – "This IP Address is used by APT29"
- **Insight** – "APT29 is a Russian threat group that targets these industries"
- **Expertise** – "To protect yourself against APT29 you need to do these things"

-----

###### What Happens if You Are Breached and Do Not Utilize Threat Intelligence?

Time-to-Respond Can Be Months, Not Days

| Region / notification source | Days |
|------------------------------|------|
| Global – internal discovery | 58 |
| Global – external notification | 186 |
| Americas | 76 |
| EMEA | 175 |
| APJ | 498 |

-----

# Thank you!

###### anca.holban@fireeye.com

-----
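The indicators-to-expertise ladder above, together with the information-versus-intelligence distinction from the earlier slides, as a worked Python example added here; it is not code from the deck, FireEye or Mandiant. It assumes a constructed set of indicator feeds with a reliability score per source, constructed proxy log lines using RFC 5737 documentation addresses, and constructed actor profiles: the sponsoring nations follow the deck's APT summary and APT33's target sectors follow its slide, but APT29's target industries, the feed names, reliability values and the 0.8 threshold are assumptions. It first corroborates raw indicators across distinct sources before treating them as intelligence (the "evaluated, cross-correlated" column), then attaches actor context to each log hit and sets the priority by whether that actor is known to target the organisation's own industry (the tactical "factor business outcomes into mitigation actions" point).

```python
# Added example, not code from the deck, FireEye or Mandiant. Every feed entry,
# address (RFC 5737 documentation ranges), reliability score, threshold and log
# line below is constructed; APT29's target industries are assumed.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Raw "information": (source, source reliability 0..1, indicator, actor or None).
RAW_FEED = [
    ("vendor_feed",   0.9, "192.0.2.10",   "APT29"),
    ("partner_isac",  0.8, "192.0.2.10",   "APT29"),
    ("pastebin_dump", 0.2, "198.51.100.7", None),     # one low-reliability source
    ("vendor_feed",   0.9, "203.0.113.5",  "APT33"),
    ("pastebin_dump", 0.2, "203.0.113.5",  "APT33"),
    ("vendor_feed",   0.9, "192.0.2.77",   None),     # reliable but unattributed
]

# Insight layer. Nations follow the deck's APT summary and APT33's sectors its
# slide; APT29's sectors are ASSUMED for illustration.
ACTOR_PROFILES = {
    "APT29": {"nation": "Russia", "targets": {"government", "think-tanks"}},
    "APT33": {"nation": "Iran", "targets": {"defense", "aerospace", "petrochemical"}},
}

# Constructed proxy log lines.
SAMPLE_LOG = """\
2017-05-03T10:22:41Z proxy src=10.0.0.12 dst=192.0.2.10 action=ALLOW
2017-05-03T10:23:02Z proxy src=10.0.0.31 dst=198.51.100.7 action=ALLOW
2017-05-03T10:25:17Z proxy src=10.0.0.12 dst=203.0.113.5 action=ALLOW
2017-05-03T10:25:40Z proxy src=10.0.0.31 dst=192.0.2.77 action=ALLOW
2017-05-03T10:26:00Z proxy src=10.0.0.44 dst=192.0.2.99 action=ALLOW
"""

@dataclass
class Indicator:
    value: str
    confidence: float         # noisy-OR over the distinct reporting sources
    sources: Tuple[str, ...]
    actor: Optional[str]      # None when unattributed or when sources disagree
    actionable: bool          # corroboration cleared the threshold

def evaluate_feed(entries, threshold: float = 0.8) -> Dict[str, Indicator]:
    """Information -> intelligence: one vote per distinct source, weighted by its
    reliability; an actor label survives only if every reporting source agrees."""
    grouped: Dict[str, dict] = {}
    for source, reliability, value, actor in entries:
        rec = grouped.setdefault(value, {"sources": {}, "actors": set()})
        rec["sources"][source] = reliability
        if actor:
            rec["actors"].add(actor)
    intel: Dict[str, Indicator] = {}
    for value, rec in grouped.items():
        miss = 1.0                                   # P(every source is wrong)
        for r in rec["sources"].values():
            miss *= 1.0 - r
        confidence = round(1.0 - miss, 3)
        actor = next(iter(rec["actors"])) if len(rec["actors"]) == 1 else None
        intel[value] = Indicator(value, confidence, tuple(sorted(rec["sources"])),
                                 actor, confidence >= threshold)
    return intel

DST_RE = re.compile(r"\bdst=(\d{1,3}(?:\.\d{1,3}){3})\b")

def parse_dst(line: str) -> Optional[str]:
    m = DST_RE.search(line)                          # destination of one log line
    return m.group(1) if m else None

@dataclass
class Alert:
    indicator: str
    actor: Optional[str]
    priority: str             # high / medium / low / info
    action: str
    line: str

PRIORITY_ORDER = {"high": 0, "medium": 1, "low": 2, "info": 3}

def triage(log_text: str, intel: Dict[str, Indicator], org_industry: str,
           profiles=ACTOR_PROFILES) -> List[Alert]:
    """Per hit: indicator -> actor context -> actor insight -> prioritized action."""
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        dst = parse_dst(line)
        if dst is None or dst not in intel:
            continue                                 # not an indicator at all
        ind = intel[dst]
        profile = profiles.get(ind.actor) if ind.actor else None
        if not ind.actionable:
            prio, action = "info", f"uncorroborated ({ind.confidence}); record only"
        elif profile is None:
            prio, action = "low", f"corroborated ({ind.confidence}), no actor context; block at proxy"
        elif org_industry in profile["targets"]:
            prio, action = "high", f"{ind.actor} ({profile['nation']}) targets {org_industry}; isolate host, hunt for its TTPs"
        else:
            prio, action = "medium", f"{ind.actor} ({profile['nation']}) not known to target {org_industry}; block and monitor"
        alerts.append(Alert(dst, ind.actor, prio, action, line))
    alerts.sort(key=lambda a: PRIORITY_ORDER[a.priority])   # stable within a tier
    return alerts

if __name__ == "__main__":
    for a in triage(SAMPLE_LOG, evaluate_feed(RAW_FEED), org_industry="defense"):
        print(f"[{a.priority:6}] {a.indicator:13} {a.action}")
```

Running it for a "defense" organisation puts the APT33 hit at the top of the queue and the APT29 hit below it; running it for a "government" organisation reverses the two, which is the point the deck makes about business context: the same indicator match is not the same risk for every organisation. The hit on the single low-reliability source never becomes more than an informational record, and the reliable but unattributed indicator is blocked without any actor-driven hunt.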