daniel mccauley - retr3at

Posted on 24-Jul-2016


What is Threat Intelligence and How Best to Leverage It

Daniel McCauley

- Sr. Cyber Security & Threat Intelligence Analyst
- Annual Cyber Exercise and Security Awareness Initiatives
- Western North Carolina
- BSides Asheville, WNC InfoSec

Definition

“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.” -Gartner

Another Description

A process or methodology that effectively reduces the risk associated with threats by identifying relevant events and raising awareness of them. It also includes facilitating remediation efforts to reduce overall impact.

Not Just…

- Attack Maps
- Threat Feeds
- Intelligence Portals
- Blinky Lights

TI Objectives

- Monitoring
- Assessment
- Communication

Actionable Intelligence!

Monitoring

- Potential Direct Risk to Your Organization
- Media Attention
- Direct Inquiries
- Neighborhood
- Internal/External Sources
- New and/or Previous Techniques or Campaigns

Monitoring - Internal Sources

- Non-Security Events
- Security Control Events
- Customer Reported

Monitoring - External Sources

- Commercial/Paid
- Private – member organizations (ISACs), mailing lists, etc.
- Government
- OSINT
  - Social Media
  - Blogs, Forums, Wikis
  - Text Sharing
  - IRC
  - Dark Web

Assessment

- Risk Factors and Levels
- Keep it Simple
- Potential vs Current Risk

Assessment - Potential Risk

Considerations:

- Attack Vectors
- Impact
- Scope

Assessment - Current Risk

Considerations:

- Effectiveness of Mitigating Controls
- Maturity/Life Cycle of Threat
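As an added example (not the speaker's scoring model or code), one way to keep a potential-vs-current assessment simple and repeatable in Python: potential risk is computed from the attack vectors the organization is exposed to, the impact and the scope; current risk discounts it by the effectiveness of the mitigating controls and the threat's life-cycle stage. The ordinal scales, weights, level thresholds and the sample ransomware threat are assumptions made for this illustration.

```python
from dataclasses import dataclass

# Small ordinal scales ("Keep it Simple"): 1 = low, 2 = medium, 3 = high.
# Scales, weights and thresholds are assumptions for this example, not a standard.
MATURITY_WEIGHT = {"emerging": 0.5, "active": 1.0, "declining": 0.3}


@dataclass
class Threat:
    name: str
    attack_vectors: dict         # vector -> True if the organization is exposed to it at all
    impact: int                  # 1..3, worst plausible business impact if the threat succeeds
    scope: int                   # 1..3, how much of the estate (users, systems, data) is in scope
    control_effectiveness: dict  # vector -> 0.0..1.0, assessed effectiveness of mitigating controls
    maturity: str                # "emerging" | "active" | "declining": where the threat is in its life cycle


def exposed_vectors(t):
    return [v for v, exposed in t.attack_vectors.items() if exposed]


def potential_risk(t):
    """Potential risk ignores our controls: could this hurt us, and how badly, if nothing stopped it?"""
    if not exposed_vectors(t):
        return 0.0
    return float(t.impact * t.scope)  # 1..9


def current_risk(t):
    """Potential risk discounted by the weakest mitigated exposed vector and by the threat's maturity.
    The weakest vector dominates because the attacker takes the path of least resistance."""
    vectors = exposed_vectors(t)
    if not vectors:
        return 0.0
    residual = max(1.0 - t.control_effectiveness.get(v, 0.0) for v in vectors)
    return potential_risk(t) * residual * MATURITY_WEIGHT[t.maturity]


def level(score):
    """Collapse a score to the few levels a non-specialist audience can act on."""
    if score == 0:
        return "None"
    if score < 3:
        return "Low"
    if score < 6:
        return "Medium"
    return "High"


def assess(t):
    p, c = potential_risk(t), current_risk(t)
    return {"threat": t.name, "potential": (round(p, 1), level(p)), "current": (round(c, 1), level(c))}


# Constructed example: ransomware arriving by phishing mail and exploit kit, assessed at an
# organization with strong mail filtering and patched browsers. All values are illustrative.
RANSOMWARE = Threat(
    name="crypto-ransomware campaign",
    attack_vectors={"phishing": True, "exploit_kit": True, "rdp_bruteforce": False},
    impact=3,
    scope=3,
    control_effectiveness={"phishing": 0.8, "exploit_kit": 0.9, "rdp_bruteforce": 0.0},
    maturity="active",
)

if __name__ == "__main__":
    print(assess(RANSOMWARE))  # potential High, current Low: a gap that reopens if a control slips
```

For the sample threat, potential risk comes out High (9.0) while current risk comes out Low (1.8): the campaign could hurt badly, but the controls over the vectors it actually uses hold. Reporting both numbers tells the audience what changes if a control fails or a new vector appears, which a single risk score hides. The unexposed RDP vector with no control does not count, because exposure gates everything.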

Communication

- Traffic Light Protocol
- Standardized Templates
  - Summary
  - Assessment
  - Actions
  - Reference
  - SLA
- Know Your Audience!

Communication - Best Practices

- Keep Media Hype in Perspective
- Become a Single Source of Authority
- Tailor Message to Your Audience
  - Define notifications based on recipient groups (people, events, etc.)
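An added example, not the speaker's code: a small Python implementation of the communication points above. It fills a standardized template (Summary, Assessment, Actions, Reference, SLA), defines which sections each recipient group is notified with, and enforces the report's Traffic Light Protocol marking before anything is sent. The sharing boundaries follow FIRST's TLP definitions for WHITE, GREEN, AMBER and RED; the recipient attributes, group names, template sections and the sample report are assumptions made for this example.

```python
from dataclasses import dataclass, field

# Sharing boundaries follow the FIRST Traffic Light Protocol markings WHITE, GREEN, AMBER and RED.
# Recipient attributes, group names, template sections and the sample report are assumptions for this example.
TLP = ("WHITE", "GREEN", "AMBER", "RED")


@dataclass
class Recipient:
    name: str
    group: str                   # notification profile: "execs", "soc", "partners" or "public"
    internal: bool               # member of our own organization
    in_community: bool           # peer in the same sharing community, e.g. the same ISAC
    need_to_know: bool = False   # client/customer who needs the information to protect themselves


@dataclass
class Report:
    summary: str
    assessment: str
    actions: list
    references: list
    sla: str                     # how quickly recipients are expected to act or respond
    tlp: str
    named_recipients: set = field(default_factory=set)  # consulted only for TLP:RED


# Which template sections each audience gets: executives want the "so what", the SOC wants what to do.
SECTIONS_BY_GROUP = {
    "execs": ("summary", "assessment", "sla"),
    "soc": ("summary", "assessment", "actions", "references", "sla"),
    "partners": ("summary", "assessment", "references"),
    "public": ("summary",),
}


def may_receive(report, r):
    """Enforce the sharing boundary implied by the report's TLP marking; refuse unknown markings."""
    if report.tlp not in TLP:
        raise ValueError("unknown TLP marking: %r" % report.tlp)
    if report.tlp == "WHITE":
        return True
    if report.tlp == "GREEN":   # own organization plus the wider community, never public channels
        return r.internal or r.in_community
    if report.tlp == "AMBER":   # own organization plus clients/customers who need to know
        return r.internal or r.need_to_know
    return r.name in report.named_recipients  # RED: the named recipients and no one else


def render(report, r):
    """Fill the standardized template with only the sections this recipient group is defined to get."""
    body = ["TLP:%s" % report.tlp]
    for section in SECTIONS_BY_GROUP[r.group]:
        value = getattr(report, section)
        if isinstance(value, list):
            value = "\n".join("  - %s" % item for item in value)
        body.append("%s:\n%s" % (section.upper(), value))
    return "\n".join(body)


def distribute(report, recipients):
    """Return {recipient name: notification text} for everyone the marking allows; others get nothing."""
    return {r.name: render(report, r) for r in recipients if may_receive(report, r)}


# Constructed sample report and recipient list.
REPORT = Report(
    summary="Phishing campaign delivering ransomware observed against sector peers.",
    assessment="Potential: High. Current: Low, since mail filtering blocks the observed lures.",
    actions=["Block the attached indicator list at the proxy",
             "Alert on macro-enabled attachments from first-seen senders"],
    references=["(placeholder for the source advisory)"],
    sla="Acknowledge within 4 hours",
    tlp="AMBER",
)
RECIPIENTS = [
    Recipient("ciso", "execs", internal=True, in_community=True),
    Recipient("soc-oncall", "soc", internal=True, in_community=True),
    Recipient("isac-peer", "partners", internal=False, in_community=True),
    Recipient("press", "public", internal=False, in_community=False),
]

if __name__ == "__main__":
    for name, text in distribute(REPORT, RECIPIENTS).items():
        print("== %s ==\n%s\n" % (name, text))
```

With TLP:AMBER the ISAC peer and the press drop out; re-marking the same report GREEN admits the peer, and RED restricts it to the names listed on the report. The SOC's copy carries the Actions and Reference sections, the CISO's does not, which is the "tailor the message" point: one assessment, several notifications, each defined by recipient group.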

Important to Know

- Assets
- Defense in Depth Capabilities and Limitations
- Available Resources

The Process

U.S. Department of Defense’s Joint Publication 2-0: Joint Intelligence

Information vs Intelligence

iSight Partners – What is Cyber Intelligence and why do I need it?

Lifecycle

Types

- Tactical
- Strategic
- Technical
- Operational

Tactical

- Long Term
- Attacker TTPs
- Audience – Network Architects and Administrators

Strategic

- Long Term
- High-Level Information on Threat Landscape
- Audience – Board, Senior Executives, Management

Technical

- Immediate Use
- IOCs Related to Specific Malware
- Audience – Security Operations Center and Incident Response

Operational

- Immediate Use
- Details of Specific Attacks and Campaigns
- Audience – Defensive Teams

Confidence

- High Quality Intelligence -> Higher Confidence Risk Assessment
- High Confidence Assessments -> Improved Response to Threats

Sharing

- Greatly Beneficial to Those Involved
- Widespread Adoption is Lacking
- Difficult to Quickly and Efficiently Distribute Large Amounts of Indicators

Sharing – Cyber Threat Alliance

The Analyst

- Analytical and Creative Problem-Solver
- Aware of Biases
- Diverse Background
  - Network Engineering, Malware Analysis, Security Architecture, Systems Administration, Social Engineering, etc.
- Strong Communication Skills
- Coding/Programming

Some Problems…

- Abundance of sources (OSINT, paid/subscription, private)
- Not all “threats” are relevant
- Various formats of data
- Storage and Maintenance

Managing the Data/Information

- Organizations are eager to ingest more and more
  - Internal, External, or Both
- Elasticsearch, Hadoop, etc.
- Data Format Agnostic
- Fusion Centers
  - Dedicated Teams
  - Analyzing Events 24/7

Data/Information Goals

- Provide Context to Threats
- Enrich Events
- Correlate
- Visualize/Present
- Parse and Efficiently Index
  - Through custom efforts within a specific context
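An added example, not the speaker's tooling and not Combine's or OSCAR-F's code: a Python sketch of the data goals above (and of the "various formats" and "distributing large amounts of indicators" problems) over three differently formatted feeds, a typed CSV, a JSON feed with its own key names, and an untyped plain-text paste. Each is normalized into one index keyed on (type, value), so the same indicator seen by several sources merges into a single record with the sources and best confidence attached, and the index is then correlated against proxy log lines to enrich events with that context. All feed contents, log lines and field names are constructed for the example (RFC 5737 test addresses and .example names; nothing is a real indicator).

```python
import csv
import io
import ipaddress
import json
import re

# Constructed sample feeds (RFC 5737 test addresses and .example names; nothing here is a real indicator).
CSV_FEED = """indicator,type,source,confidence
198.51.100.23,ip,feed-a,70
malware-c2.example,domain,feed-a,60
"""
JSON_FEED = json.dumps([
    {"value": "198.51.100[.]23", "kind": "ipv4", "provider": "feed-b", "score": 90},
    {"value": "hxxp://malware-c2.example/gate.php", "kind": "url", "provider": "feed-b", "score": 80},
])
TXT_FEED = """# pasted from a mailing list: one indicator per line, type not stated
203.0.113.9
bad-updates.example
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""
TYPE_ALIASES = {"ip": "ip", "ipv4": "ip", "ipv6": "ip", "domain": "domain", "hostname": "domain",
                "url": "url", "hash": "hash", "md5": "hash", "sha1": "hash", "sha256": "hash"}
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$", re.I)
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$", re.I)

def refang(value):
    """Feeds defang indicators (hxxp, [.]) so they are not clickable; undo that before indexing."""
    return value.strip().replace("[.]", ".").replace("hxxp", "http")

def infer_type(value):
    """Plain-text feeds carry no type column, so derive one from the indicator's shape."""
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        if HASH_RE.match(value):
            return "hash"
        if value.lower().startswith(("http://", "https://")):
            return "url"
        return "domain" if DOMAIN_RE.match(value) else "unknown"

def parse_csv(text):
    for row in csv.DictReader(io.StringIO(text)):
        yield refang(row["indicator"]), TYPE_ALIASES.get(row["type"].lower(), "unknown"), row["source"], int(row["confidence"])

def parse_json(text):
    for item in json.loads(text):  # key names are this feed's (assumed) schema
        yield refang(item["value"]), TYPE_ALIASES.get(item["kind"].lower(), "unknown"), item["provider"], int(item["score"])

def parse_txt(text, source):
    for line in (raw.strip() for raw in text.splitlines()):
        if line and not line.startswith("#"):  # assumed default confidence 50 for unscored feeds
            yield refang(line), infer_type(refang(line)), source, 50

class IndicatorIndex:
    """Format-agnostic index keyed on (type, value); the same indicator from several feeds merges into one record."""
    def __init__(self):
        self.records = {}
    def _key(self, itype, value):
        return itype, value.lower() if itype in ("domain", "url", "hash") else value
    def add(self, value, itype, source, confidence):
        rec = self.records.setdefault(self._key(itype, value),
                                      {"value": value, "type": itype, "sources": set(), "confidence": 0})
        rec["sources"].add(source)
        rec["confidence"] = max(rec["confidence"], confidence)  # assumption: keep the most confident source's score
        return rec
    def lookup(self, itype, value):
        return self.records.get(self._key(itype, value))

def build_index():
    idx = IndicatorIndex()
    for record in [*parse_csv(CSV_FEED), *parse_json(JSON_FEED), *parse_txt(TXT_FEED, "list-c")]:
        idx.add(*record)
    return idx

# Constructed proxy log lines in key=value style; the field names are an assumption for this example.
PROXY_LOGS = [
    "2016-07-24T10:01:02Z src=10.0.0.5 dst=198.51.100.23 host=malware-c2.example url=http://malware-c2.example/gate.php",
    "2016-07-24T10:01:05Z src=10.0.0.7 dst=192.0.2.44 host=www.example.com url=http://www.example.com/",
    "2016-07-24T10:02:11Z src=10.0.0.9 dst=203.0.113.77 host=bad-updates.example url=http://bad-updates.example/update.exe",
]
FIELD_TYPES = {"dst": "ip", "host": "domain", "url": "url"}

def correlate(idx, lines):
    """Enrich each event with the matching indicator record: the analyst sees source and confidence, not just a hit."""
    hits = []
    for line in lines:
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        for name, itype in FIELD_TYPES.items():
            rec = idx.lookup(itype, fields.get(name, ""))
            if rec:
                hits.append({"event": line, "field": name, "indicator": rec["value"], "type": itype,
                             "sources": sorted(rec["sources"]), "confidence": rec["confidence"]})
    return hits

if __name__ == "__main__":
    print(*correlate(build_index(), PROXY_LOGS), sep="\n")
```

Three feeds yield six records, not seven: the address reported by both feed-a and feed-b becomes one record carrying both sources and the higher confidence, which is the deduplication that makes large indicator sets tractable to distribute and search. The first log line hits on all three fields, the third only on the host, and each hit carries the indicator's sources and confidence, so the enriched event already answers "who says so, and how sure are they" before an analyst opens it. In production the dictionary would be a search index such as Elasticsearch and the parsers would be per-feed plugins, but the normalization and the (type, value) key are what make the pipeline format-agnostic.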

Innovation Engineer

- Strong Unix/Linux background
- Big Data architecture and engineering experience
- Threat Intelligence background
- Data Correlation background
- Data Visualization background
- Development experience in multiple programming languages

Tools

- ELK Container – https://hub.docker.com/r/sebp/elk/
- Combine – https://github.com/sooshie/combine
- OSCAR-F – https://github.com/V12-Operations/OSCARf-public

ELK Container

Combine

Combine - Plugins

OSCAR-F

Resources/References

- http://www.robertmlee.org/
- http://digital-forensics.sans.org/blog/2015/07/09/your-threat-feed-is-not-threat-intelligence
- http://countuponsecurity.com/
- https://www.cpni.gov.uk/Documents/Publications/2015/23-March-2015-MWR_Threat_Intelligence_whitepaper-2015.pdf
- http://researchcenter.paloaltonetworks.com/2015/10/cryptowall-3-the-cyber-threat-alliance-and-the-future-of-information-sharing/

Thank You!

daniel.mccauley@gmail.com

@vintsurf
