RSA 2017: Ad Hoc Threat Intelligence with ExtraHop and Octoblu

In his RSA Conference session, Ad Hoc Threat Intelligence, ExtraHop Solutions Architect John Smith describes the tools you need to engage in close-quarters combat with malware.

This is ground-zero for a Cryptowall infection: An employee downloads malicious Flash content.

How quickly can your incident response team react?

Octoblu makes it easy to orchestrate automation based on events detected by ExtraHop.

With today's toolset, IT organizations are not equipped to deal with threats that bypass their perimeter and endpoint defenses. The data tells us that attackers are finding ways around organizations' hardened defenses, much like the walking dead worming their way beneath your perimeter walls.

Today's malware authors have tools to run checks against antivirus software and can churn out new variants with the push of a button. We're now the human survivors trying to stay alive in the zombie apocalypse! According to the latest Verizon Data Breach Investigations Report, 93% of compromises occur within minutes. Current toolsets don't have the shutter speed to consistently catch these threats.

If security teams want to get quick enough to fight hand-to-hand against the undead hordes, they're going to have to get creative. That's the gist of the "Ad hoc Threat Intelligence: Two unlikely partners combine to enhance Intel" session that Citrix's Chris Matthieu and I are presenting today at RSA Conference.

Stick and Move! Today's InfoSec Is Hand-to-Hand Combat

In our session, I will demonstrate how security teams can respond within seconds to critical events such as when a user unwittingly downloads malicious Flash content. This is an eye-catching example, but here are the key points and next steps I'm hoping to convey:

  • Even the best, most accurate threat intelligence is ineffective unless combined with your local real-time intelligence (what's happening right now in your environment).
  • You can gather meaningful local intelligence from multiple places that may not be part of your security practice now, such as application performance monitoring tools that write to a database or PCAPs from a SPAN aggregator. Look at your organization's current assets and see which of the information they collect can be accessed through open architectures.
  • Your teams need to embrace the DevOps/SecOps mindset and learn Python and/or JavaScript. APIs are your friend because they thread together disparate but complementary data and allow you to take advantage of open-source threat intelligence. And, as in my example, they enable you to evaluate your transactions on-premises instead of sending data to the cloud.
  • The people with the skills you need are likely in your organization already. You should evaluate your team's skills matrix and build up development skills or "deputize" developers on other teams to help out.

Ad Hoc Threat Intelligence Example

You may not be at RSA to attend the session, but you can still watch the basic demo where I show how to run ad hoc threat intelligence in the video below.

Things that happen within seconds:

  • ExtraHop: Observes a URI from an external source with a .swf extension and triggers a JSON message to Octoblu containing the URI and the IP addresses of both server and client. ExtraHop also captures a precision PCAP (only the packets comprising the suspect flow) for digital evidence.
  • Octoblu: Receives the JSON message from ExtraHop and sends the suspect IP to the VirusTotal API for analysis. Octoblu consolidates the data from ExtraHop and VirusTotal into a message sent to the incident response team. Octoblu can also trigger automated firewall and network access control actions to block malicious IPs and/or quarantine an infected client.
  • VirusTotal API: Provides a "rap sheet" on malicious IPs, including associated domains, URLs, and files.
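The orchestration step described above (receive the JSON message, look up the server IP, consolidate an alert for the incident response team), sketched in Python as an added example; it is not ExtraHop's, Octoblu's or the presenters' code. The event field names, the rap-sheet shape, the action names and the `lookup` callable standing in for the VirusTotal request are all assumptions.

```python
import ipaddress
import json

# RFC 1918 ranges: addresses here are local and are never sent to an outside service.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample event; field names are assumptions, not ExtraHop's schema.
SAMPLE_EVENT = json.dumps({"uri": "cdn.example.net/media/player.swf?v=2",
                           "client_ip": "10.20.30.40", "server_ip": "203.0.113.25"})

def sample_lookup(ip):
    """Stand-in for the reputation API call; returns a constructed rap sheet."""
    if ip == "203.0.113.25":
        return {"domains": ["cdn.example.net"], "urls": ["http://cdn.example.net/a.swf"], "files": []}
    return {"domains": [], "urls": [], "files": []}

def is_internal(ip):
    return any(ip in net for net in INTERNAL)

def build_alert(raw_event, lookup):
    """Validate the sensor event, enrich the server IP, and return the IR message."""
    event = json.loads(raw_event)
    missing = {"uri", "client_ip", "server_ip"} - set(event)
    if missing:
        raise ValueError("event missing fields: " + ", ".join(sorted(missing)))
    client = ipaddress.ip_address(event["client_ip"])  # raises ValueError if malformed
    server = ipaddress.ip_address(event["server_ip"])
    alert = {"uri": event["uri"], "client_ip": str(client), "server_ip": str(server),
             "rap_sheet": None, "actions": ["notify_ir"]}
    # Re-check the trigger condition on the path only, ignoring any query string.
    if not event["uri"].split("?", 1)[0].lower().endswith(".swf"):
        alert["verdict"], alert["actions"] = "ignored: not a .swf request", []
        return alert
    if is_internal(server):
        alert["verdict"] = "not looked up: server is internal"
        return alert
    try:
        sheet = lookup(str(server))
    except Exception as exc:  # a lookup outage must not drop the alert
        alert["verdict"] = "lookup failed: %s" % exc
        return alert
    alert["rap_sheet"] = sheet
    if sheet["urls"] or sheet["files"]:
        # Hypothetical action names for the firewall / NAC steps the page mentions.
        alert["actions"] += ["block_server_ip", "quarantine_client"]
        alert["verdict"] = "malicious"
    else:
        alert["verdict"] = "no known detections"
    return alert
```

The alert is still delivered to the incident response team when the lookup fails or is skipped, so the automated block and quarantine actions depend on enrichment but the notification does not.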

If you'd like to talk to me about this solution or ExtraHop in general, I'll be at our booth (N4813) in the North Expo Hall.
