cyber threat intelligence
TRANSCRIPT
CYBER THREAT INTELLIGENCE
Mohamed NASRI
Cyber Intelligence Analyst
Securiday 2015 Big Data Security
1
BIG DATA SECURITY
2
CYBER THREAT INTELLIGENCE
3
CYBER THREAT INTELLIGENCE
4
5
CYBER THREAT INTELLIGENCE
6
2010
7
8
Guardian of Peace
2014
Securiday 2015 Big Data Security 9
08-09 April 2015
From 22h to 1h
THREAT-BASED
DEFENSE STRATEGY
10
# If you know your enemy and know yourself you need not fear the result of 100 battles Sun Tzu “The art of war”
Cyber-attack life cycle
Model « Kill Chain » Lockheed Martin’s 2010.
11
Courses of action Matrix
12
13
THREAT INTELLIGENCE
STANDARD AND TOOLS
Securiday 2015 Big Data Security 14
Structured Threat Information eXpression
• Language to represent structured cyber threat indicators
With What is Cyber Threat Intelligence? Consider these questions:
What activity are we seeing?
What threats should I look for on my networks
and systems and why?
Where has this threat been seen?
What does it do?
What weaknesses does this threat exploit?
Why does it do this?
Who is responsible for this threat?
What can I do about it?
Architecture
Use Cases
19
SHARE
20
# My detection becomes your prevention
21
Trusted Automated eXchange of Indicator Information
• Standardizes exchange of cyber threat information
SIEM
• « SIEM is Dead! » John Linkous 2012
• « Don’t Stretch SIEM Beyond its Capabilities for
Contextual Security Analytics »
Jody Ma Kissling 2015
26
Securiday 2015 Big Data Security 27
Vendor specific
intel
SIEM
Preventive Detective Fusion
Host Controls
IDS AV IPS
Network Controls
Web
Content
Gateway
IPS IDS
Automated defense threat intelligence to augment Security
Securiday 2015 Big Data Security 28
OS-Intelligence
Threat
Collector
Preventive Detective Fusion Contextuel
Host Controls
IDS AV IPS
Network Controls
Web
Content
Gateway
IPS IDS
SIEM
Contextuel Information
Vulnerability Scanner
Sandbox
Cyber Threat Analyst
Securiday 2015 Big Data Security 29
OS-Intelligence
Threat
Collector
Preventive Detective Fusion Contextuel Actuator
Host Controls
IDS AV IPS
Network Controls
Web
Content
Gateway
IPS IDS
SIEM
Contextuel Information
Vulnerability Scanner
Sandbox
Cyber Threat Analyst
Actuator
Network isolation
script
Ticketing System
Workflow
Polyglot Persistence Martin Fowler 2011
RDBMS
Horizontal scalability Data consistency
30
31
Public sources
Private sources
Collaborators
ETL
SOC/CERT
SIEM
Merci de votre attention
32