
Detecting Emerging Threats in OCI

Threat Intelligence Service & Threat Detector

Christa Scura
Daniel Hirschberg
Oracle, Inc.
April 14th, 2022
Speakers

Christa Scura, Manager of Product Management
Daniel Hirschberg, Sr. Principal Product Manager

2 Copyright © 2022, Oracle and/or its affiliates


Agenda

1. OCI Security Services
2. Threat Intelligence Service intro and demo
3. Cloud Guard Threat Detector intro and demo
4. Q&A


Integrated and Automated Security – Defense in Depth

Oracle Cloud Platform native security services, by layer:

Internet & Edge
• DDoS Protection
• SD-WAN
• Enhanced WAF Protection

Networking
• Virtual Cloud Network
• Interface Segmentation
• Private Networks
• OCI FastConnect
• Secure VPN
• P2P, NAT, and DRG Gateways
• Bastion

Compute
• Hardware Root-Of-Trust
• Signed Firmware
• Off-box Networking
• Hardened Images
• Autonomous Linux
• HSMs

Identity
• OCI Identity & Access Management
  - Identity Federation
  - Role-based Policy

Data
• Data Safe
• Oracle Vault
  - Managed Vault
  - Managed Keys
  - Custom Keys
  - Cross-Region Replication
• Certificates

Monitoring & Prevention
• Oracle Cloud Guard
  - CG Threat Detector
• Threat Intelligence Service
• Security Zones
• Vulnerability Scanning
• Audit & Flow Logs
• Compliance
• Threat Detection


Two Pillars of Threat Detection

Indicators (e.g. what infrastructure or tools are adversaries known to use?):
• example.exe
• Emdsif32ffd34…
• malware.example
• 12.13.14.15
• User@co.com

Techniques/Tactics (e.g. what patterns of behavior could signal a compromise?):
• Password spraying
• SSH hijacking
• Network sniffing
• Privilege escalation
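As an added example (not from the slides and not Oracle's product code), here are the two pillars side by side over a handful of constructed login events: an indicator match against a threat-intel entry, and a behavioral check for password spraying. The event field names, the threat-intel structure and the thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed threat-intel entry using the slide's example IP; not a real indicator.
THREAT_INTEL = {"12.13.14.15": {"threat_type": "scanner", "confidence": 80}}

def _event(minute, user, src_ip, outcome):
    # Simplified login event; field names are assumptions, not the OCI Audit schema.
    return {"time": f"2022-04-14T10:{minute:02d}:00", "user": user,
            "src_ip": src_ip, "outcome": outcome}

# Constructed sample: six users failing from one IP within five minutes, two spread-out
# failures from another IP, and one legitimate success.
EVENTS = ([_event(m, f"user{m}@co.com", "12.13.14.15", "FAILURE") for m in range(6)]
          + [_event(20, "bob@co.com", "203.0.113.7", "FAILURE"),
             _event(45, "bob@co.com", "203.0.113.7", "FAILURE"),
             _event(30, "alice@co.com", "198.51.100.2", "SUCCESS")])

def indicator_sightings(events, intel):
    """Pillar 1 (indicators): flag events whose source IP is known adversary infrastructure."""
    return [{"technique": "known-bad infrastructure", "src_ip": e["src_ip"], "user": e["user"],
             "confidence": intel[e["src_ip"]]["confidence"]}
            for e in events if e["src_ip"] in intel]

def password_spray_sightings(events, window=timedelta(minutes=10), min_users=5):
    """Pillar 2 (techniques): one source IP failing logins against many distinct users
    inside a sliding time window (MITRE ATT&CK T1110.003, Credential Access)."""
    failures = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAILURE":
            failures[e["src_ip"]].append((datetime.fromisoformat(e["time"]), e["user"]))
    sightings = []
    for ip, fails in failures.items():
        fails.sort()
        best, start = set(), 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) > len(best):
                best = users  # widest set of distinct users seen in any one window
        if len(best) >= min_users:
            sightings.append({"technique": "T1110.003 Password Spraying",
                              "tactic": "Credential Access", "src_ip": ip,
                              "users": sorted(best), "confidence": min(100, 40 + 10 * len(best))})
    return sightings

if __name__ == "__main__":
    for s in indicator_sightings(EVENTS, THREAT_INTEL) + password_spray_sightings(EVENTS):
        print(s)
```

The indicator check fires on every event from the listed IP regardless of outcome, while the spraying check needs no prior knowledge of the IP and only reacts to the pattern across users.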
What is threat intelligence/threat intelligence data?

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.” — Gartner

Threat intelligence data often refers to pieces of digital forensics, or indicators, such as IP addresses, domains, URLs, file hashes, and usernames that have been observed in association with malicious cyber activity.


Monitoring and prevention
Threat intelligence can help detect threats, prioritize alerts, and protect assets in near real-time

How do I detect threats?
• Threat intelligence-based detection
• Machine learning
• Correlated event detection

What is it?
• False positive
• Crypto miner
• Ransomware
• IP theft
• Hacktivists
• Espionage

How do I prioritize this?
• Understand scope of investigation

How can I fix it?
• Isolate/terminate resource or user
• Asset recovery
• Rotate credentials

How can I prevent it from happening again?
• Understand threat landscape
• Block unwanted or malicious access attempts
• Follow cloud security best practices
• Monitor configuration changes
• Monitor and remediate vulnerabilities
Threat Intelligence Service
Benefits:
• Out of the box integration with Cloud Guard to reduce complexity
• Oracle-curated and managed for higher coverage across feeds and fewer false positives
• No additional cost

Sources feeding Threat Intelligence Service, which in turn feeds Cloud Guard:
• Oracle threat intelligence
• Open-source feeds (Tor, abuse.ch, etc.)
• Honeypot network
• Crowdstrike partner intelligence


What does Threat Intelligence Service provide?

• High level summary provides key basic information like recency, geolocation, and aggregate confidence score.
• Aggregate confidence score: an indication of potential ”maliciousness” of the indicator based on quality of sources, observed behavior, and recency.
• History provides a summary of the sources that have reported this indicator to Threat Intelligence Service so security teams have full context. Note: it does not reflect activity in the customer’s tenancy.


What data comes out of the box with Oracle Threat Intelligence Service?

• Oracle security insights: threat intelligence from Oracle’s insights and security experts
• Partner threat intelligence: third party data from partner commercial feeds like Crowdstrike
• Managed open-source threat intelligence: trusted open-source feeds like abuse.ch and Tor exit relays


Differentiators

• Out of the box integration with Cloud Guard means simple, integrated TI is built into Cloud Guard detections, reducing configuration complexity and redundancy
• Prescriptive overall confidence assessments based on source, frequency, quality of sightings and recency help analysts prioritize alerts
• There are a lot of threats in the world, and customers need warnings. Transparency into the threat intelligence backing detections helps customers trust the warnings they get from Oracle
• Access to Oracle intelligence from observed telemetry and our threat research teams provides unique threat intelligence from our unique POV


Demo



Threat Detector



Cloud Guard
Quick Introduction

Example problems: Rogue User, Compute Instance is Public, Suspicious IP, Bucket is Public
Example responders: Stop Instance, Suspend User, Make Bucket Private

Targets set the scope of resources to be examined. For OCI, compartments and their descendent structures are used.

Detectors are Cloud Guard components that identify issues with resources or user actions and alert when an issue is found.

Problems are notifications that a configuration or user activity is a potential security issue.

Responders provide notifications and corrective actions for problems.


Threat detection first impulse

SIEMs are traditionally the one-stop shop for threat detection and threat hunting, but…

On average, SIEM solution rules cover only 16% of techniques listed in the MITRE ATT&CK framework! [SC Magazine]


MITRE ATT&CK Enterprise matrix for cloud IaaS: https://attack.mitre.org/matrices/enterprise/cloud/iaas/
Cybersecurity state of affairs

1. Defense teams are exhausted – large number of alerts go unattended
2. Attacker dwell times are abysmal, and likely to get worse (Source: CrowdStrike Services Cyber Front Lines Report 2021)
3. Incidents are very expensive – and climbing


So we are building Cloud Guard Threat Detector

A new Cloud Guard detector recipe type that can be attached to diverse CG targets:
• Modern, ML-based data platform
• Runs targeted threat models
• Aligned with the MITRE ATT&CK® framework
• Looks for malicious behavior, not just anomalies
• Assesses severity and confidence of sightings
• Assigns global risk scores based on attack progression
• Creates problems to trigger responder automation
• Tracks feedback for continuous improvement

…by combining…
• World-class engineering
• Leading-edge data science and machine learning
• Top-shelf security research

…into… a consumption side (customers’ responsibility: SaaS, PaaS and IaaS workloads monitored through Cloud Guard) and a delivery side (Oracle’s responsibility: the ML threat detection engine and Oracle Detection and Response)

…to catch the bad guys quickly!
Anomaly Detection and Intent

Generic Anomaly Detection: “New face. Different voice. Strange attire. Out of the ordinary purchases on your credit card some time back (makeup)… you must be here to rob the bank!”

Targeted Threat Models: “Running out of the bank. Carrying big bags of money. Around the time when new bills are delivered. And I see you made some uncommon purchases a few weeks ago (gun)!”
Conceptually

Cloud Guard Threat Detector pipeline:

Sources
• OCI Audit Logs
• Threat Intel Feeds
• OCI Config

ML Platform
• Data → Features → Sightings
• Rule-/Statistical-/ML-based Technique Models aligned with the MITRE ATT&CK® framework
• Each sighting carries: sighting type, technique, tactic, severity, confidence, region, duration, resources, …

Scoring and Correlation
• Regional Partitioning → Regional Sightings → Global Sightings → Active Techniques → Active Tactics → Risk Score
• Output: a Problem with a Score and Evidence, organised by tactic (e.g. Initial Access, Persistence, Impact)


Threat detection

• Prioritized: critical events are surfaced as problems for immediate response
• Actionable: full understanding of compromised resources
• Proactive: monitor budding incidents as they develop
• Evidence based: comprehensive view of the chain of events that drive scoring


Cloud Guard Threat Detector Advantage

Global visibility
A large base of tenancies for model training, with global inference and tenant-level feedback, gives us the ability to better detect attacks like password spraying, which can span multiple tenancies and regions.

Targeted behavioral models
Models tuned to detect malicious activities across long periods of time, which report back details like severity and confidence levels, impacted resources and IP addresses, help create a clear picture.

Intent-based correlation and scoring
Alerts that combine sightings of different behaviors, scored according to attack progression, surface the right information without distractions.
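An added illustration of the scoring and correlation stage sketched on the “Conceptually” slide and in “Intent-based correlation and scoring” above; it is not Oracle’s algorithm or product code. The kill-chain ordering, the scoring formula, the problem threshold and the sightings themselves are assumptions constructed for the example.

```python
from collections import defaultdict
from statistics import mean

# Assumed kill-chain order used for attack-progression scoring (illustration, not Oracle's model).
TACTIC_ORDER = ["Initial Access", "Persistence", "Privilege Escalation",
                "Credential Access", "Discovery", "Lateral Movement", "Impact"]
PROBLEM_THRESHOLD = 50  # assumed cut-off for turning a global score into a problem

def sighting(stype, technique, tactic, confidence, region, resource):
    # Constructed sighting carrying the attributes the slide lists.
    return {"type": stype, "technique": technique, "tactic": tactic,
            "confidence": confidence, "region": region, "resources": [resource]}

# Constructed sightings for one tenancy across two regions (ATT&CK IDs are real, values are made up).
SIGHTINGS = [
    sighting("bad_ip_login", "T1078 Valid Accounts", "Initial Access", 0.7, "us-ashburn-1", "user:alice"),
    sighting("password_spray", "T1110.003 Password Spraying", "Credential Access", 0.8, "us-ashburn-1", "ip:12.13.14.15"),
    sighting("api_key_added", "T1098.001 Additional Cloud Credentials", "Persistence", 0.6, "eu-frankfurt-1", "user:alice"),
    sighting("mass_delete", "T1485 Data Destruction", "Impact", 0.9, "eu-frankfurt-1", "bucket:backups"),
]

def partition_by_region(sightings):
    regions = defaultdict(list)
    for s in sightings:
        regions[s["region"]].append(s)
    return dict(regions)

def risk_score(sightings):
    """0-100 from how far along the chain the activity got (stage), how many stages were seen (coverage) and mean confidence."""
    if not sightings:
        return 0
    tactics = {s["tactic"] for s in sightings}
    stage = max(TACTIC_ORDER.index(t) for t in tactics) + 1
    coverage = len(tactics)
    conf = mean(s["confidence"] for s in sightings)
    return round(100 * conf * (stage + coverage) / (2 * len(TACTIC_ORDER)))

def correlate(sightings):
    """Per-region scores, one global score over all sightings, and a problem with evidence when the global score crosses the threshold."""
    regional = {r: risk_score(ss) for r, ss in partition_by_region(sightings).items()}
    score = risk_score(sightings)
    problem = None
    if score >= PROBLEM_THRESHOLD:
        problem = {"score": score,
                   "active_tactics": sorted({s["tactic"] for s in sightings}, key=TACTIC_ORDER.index),
                   "active_techniques": sorted(s["technique"] for s in sightings),
                   "evidence": sightings}
    return regional, score, problem
```

Neither region on its own reaches the threshold, but the global view sees the full progression from Initial Access to Impact and raises the problem, which is the point of correlating regional sightings globally.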


Demo



Resources

Documentation
• Cloud Guard Threat Detector Documentation: https://docs.oracle.com/en-us/iaas/cloud-guard/using/threats.htm
• Threat Intelligence Service Documentation: https://docs.oracle.com/en-us/iaas/Content/threat-intel/home.htm

Launch Blogs
• Cloud Guard Threat Detector Blog: https://blogs.oracle.com/cloudsecurity/post/cloud-guard-threat-detector-available
• Threat Intelligence Service Blog: https://blogs.oracle.com/cloudsecurity/post/threat-intelligence-available-in-oci


Q&A



Thank you

We hope you enjoyed this session!

• Have you enabled Cloud Guard? Cloud Guard is free for paid tenancies, so you should not be afraid to use it!
• Turn on Threat Detector. Don’t forget to attach the threat detector recipe to your Cloud Guard root target.
• Access Threat Intelligence Service data. Threat Intelligence is already baked into Cloud Guard; just make sure your users have permissions to view the data.
