sharing is caring: understanding and measuring threat intelligence sharing effectiveness
TRANSCRIPT
Sharing is Caring: Understanding and Measuring Threat Intelligence Sharing Effectiveness (#ddti)
Alex Pinto
Chief Data Scientist, MLSec Project / Niddel
@alexcpsec @MLSecProject @NiddelCorp
Previously on #ddti
• Useful Methods and Measurements for Handling Indicators
• Analysis of Threat Intelligence Feeds
• Indirectly, a methodology for analyzing TI Providers
• Combine (https://github.com/mlsecproject/combine)
  • Gathers TI data (ip/host) from Internet and local files
• TIQ-Test (https://github.com/mlsecproject/tiq-test)
  • Runs statistical summaries and tests on TI feeds
TIQ-TEST - Tons of Threat-y Tests
• NOVELTY – How often do the feeds update themselves?
• AGING – How long does an indicator sit on a feed?
• POPULATION – How does this population distribution compare to my data?
• OVERLAP – How do the indicators compare to the ones you got?
• UNIQUENESS – How many indicators are found only on one feed?
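The five TIQ-Test metrics above are easy to reason about once you see them computed. The block below is an added example written for this transcript, not TIQ-Test's own code: it takes constructed daily snapshots of two hypothetical IP feeds plus a constructed set of locally observed indicators, and computes novelty, aging, population distribution, feed overlap and uniqueness. The /24-prefix grouping used for POPULATION is an assumption that stands in for the ASN/country grouping a real population comparison would use, so the example runs offline without GeoIP data.

```python
"""Added example: TIQ-Test-style feed metrics (NOVELTY, AGING, POPULATION,
OVERLAP, UNIQUENESS) computed over constructed daily feed snapshots.
Illustrative code, not TIQ-Test's own implementation."""
import ipaddress
from collections import Counter
from itertools import combinations

# Constructed sample data: feed name -> snapshot date -> IP indicators on the feed that day.
FEED_SNAPSHOTS = {
    "feed_a": {
        "2015-06-01": {"198.51.100.10", "198.51.100.11", "203.0.113.5"},
        "2015-06-02": {"198.51.100.10", "198.51.100.11", "203.0.113.5", "203.0.113.6"},
        "2015-06-03": {"198.51.100.11", "203.0.113.6", "203.0.113.7"},
    },
    "feed_b": {
        "2015-06-01": {"203.0.113.5", "192.0.2.1"},
        "2015-06-02": {"203.0.113.5", "192.0.2.1", "192.0.2.2"},
        "2015-06-03": {"203.0.113.5", "192.0.2.2", "192.0.2.3"},
    },
}

# Constructed "my data": indicators the organisation observed in its own telemetry.
LOCAL_OBSERVED = {"203.0.113.5", "192.0.2.3", "10.0.0.9"}


def all_indicators(snapshots):
    """Union of every indicator that ever appeared on one feed."""
    return set().union(*snapshots.values())


def novelty(snapshots):
    """NOVELTY: per day, how many indicators were added and removed versus the
    previous snapshot. A feed that never changes scores zero every day."""
    days = sorted(snapshots)
    return {
        cur: {"added": len(snapshots[cur] - snapshots[prev]),
              "removed": len(snapshots[prev] - snapshots[cur])}
        for prev, cur in zip(days, days[1:])
    }


def aging(snapshots):
    """AGING: for each indicator, days between its first and last appearance,
    inclusive (how long it 'sits' on the feed)."""
    days = sorted(snapshots)
    first, last = {}, {}
    for i, day in enumerate(days):
        for ind in snapshots[day]:
            first.setdefault(ind, i)
            last[ind] = i
    return {ind: last[ind] - first[ind] + 1 for ind in first}


def population_by_prefix(indicators):
    """POPULATION: share of the feed's indicators falling in each /24 network.
    Assumption: /24 prefixes stand in for the ASN/country grouping a real
    population comparison would use, so no GeoIP database is needed here."""
    counts = Counter(str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in indicators)
    total = sum(counts.values())
    return {prefix: n / total for prefix, n in counts.items()}


def local_hit_rate(indicators, local):
    """Fraction of the feed's indicators ever seen in local telemetry:
    the feed-versus-my-data comparison the POPULATION/OVERLAP tests are after."""
    return len(indicators & local) / len(indicators) if indicators else 0.0


def feed_overlap(feeds):
    """OVERLAP: pairwise Jaccard similarity between the feeds' full indicator sets."""
    totals = {name: all_indicators(snap) for name, snap in feeds.items()}
    return {
        (a, b): len(totals[a] & totals[b]) / len(totals[a] | totals[b])
        for a, b in combinations(sorted(totals), 2)
    }


def feed_uniqueness(feeds):
    """UNIQUENESS: per feed, fraction of its indicators seen on no other feed."""
    totals = {name: all_indicators(snap) for name, snap in feeds.items()}
    result = {}
    for name, inds in totals.items():
        others = set().union(*(s for n, s in totals.items() if n != name))
        result[name] = len(inds - others) / len(inds) if inds else 0.0
    return result


if __name__ == "__main__":
    for name, snap in FEED_SNAPSHOTS.items():
        print(name, "novelty:", novelty(snap))
        print(name, "aging:", aging(snap))
        print(name, "population:", population_by_prefix(all_indicators(snap)))
        print(name, "local hit rate:", local_hit_rate(all_indicators(snap), LOCAL_OBSERVED))
    print("overlap:", feed_overlap(FEED_SNAPSHOTS))
    print("uniqueness:", feed_uniqueness(FEED_SNAPSHOTS))
```

On this constructed data feed_a and feed_b share only one indicator (Jaccard 0.125) and each is mostly unique, which is the pattern the talk reports for real feeds; the local hit rate is what tells you whether that uniqueness is worth anything for your own environment.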
Putting this threat intel data to work
TI Sharing Solution Plan:
1. The best Threat Intelligence is the one that you analyze from your own incidents (homegrown / organic intelligence)
2. There is strength in numbers – vertical herd immunity!
3. ????????
4. PROFIT!! (or at least SECURITY!!)
Or at least a rough strawman
Issue 2 - Herd Immunity
Source: www.vaccines.gov
• We may be able to detect more "virus strains" together but we are *terrible* at inoculation.
• The things we detect the most mutate too fast (Pyramid of Pain)
• Who didn't get immunized, still gets sick (FOMO-TI)
Issue ? - What are we sharing
• AUTOMATION-DRIVEN (PLATFORMS)
  • Straight to the point IOC sharing
• ANALYST-DRIVEN (COMMUNITIES)
  • Strategic data, best practices, unstructured IOCs
• "Analyst-driven" has been around forever (in non-IC, at least since FS-ISAC was created)
• The same people who bash "just IOC sharing":
  • Bash STIX/TAXII for trying to encode complexity
  • Tell everyone it is IMPOSSIBLE to hire analysts
Threat Intelligence Sharing
We would like to thank the kind contribution of data from the fine folks at Facebook ThreatExchange and ThreatConnect
…and also the sharing communities that chose to remain anonymous. You know who you are, and we ❤ you too.
UNIQUENESS SLIDE
Looks like we would get similar quality on a "good" Threat Intelligence Sharing Platform as we would on a "paid feed"
Suggested Metrics for Sharing
• ACTIVITY – How many indicators/posts are being shared day by day?
• DIVERSITY – What is the percentage of the population that is actively sharing?
• FEEDBACK – Are orgs collaborating on improving the knowledge in the sharing environment?
• TRUST – How much data is shared "openly" in relation to "privately"?
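To make the four sharing metrics concrete, here is an added example (written for this transcript, not code from any sharing platform) that computes ACTIVITY, DIVERSITY, FEEDBACK and TRUST over a constructed event log from a hypothetical platform. The event schema (date, org, kind, visibility) and the membership list are assumptions; a real platform export would need to be mapped onto them.

```python
"""Added example: the four suggested sharing metrics (ACTIVITY, DIVERSITY,
FEEDBACK, TRUST) computed over a constructed event log from a hypothetical
sharing platform. Illustrative code, not any platform's own API."""
from collections import Counter

# Constructed membership list of the sharing community (the "population").
MEMBERS = ["org_a", "org_b", "org_c", "org_d", "org_e"]

# Constructed event log. kind is "indicator" or "post" (new shared data) or
# "comment" (feedback on someone else's data); visibility is "open" or "private".
EVENTS = [
    {"date": "2015-06-01", "org": "org_a", "kind": "indicator", "visibility": "private"},
    {"date": "2015-06-01", "org": "org_a", "kind": "indicator", "visibility": "private"},
    {"date": "2015-06-01", "org": "org_b", "kind": "indicator", "visibility": "open"},
    {"date": "2015-06-02", "org": "org_a", "kind": "indicator", "visibility": "private"},
    {"date": "2015-06-02", "org": "org_c", "kind": "comment", "visibility": "open"},
    {"date": "2015-06-02", "org": "org_a", "kind": "post", "visibility": "private"},
    {"date": "2015-06-03", "org": "org_b", "kind": "indicator", "visibility": "open"},
    {"date": "2015-06-03", "org": "org_a", "kind": "indicator", "visibility": "private"},
]

SHARE_KINDS = {"indicator", "post"}


def shares(events):
    """Events that contribute new data (comments are feedback, not sharing)."""
    return [e for e in events if e["kind"] in SHARE_KINDS]


def activity(events):
    """ACTIVITY: new indicators/posts shared per day."""
    return dict(Counter(e["date"] for e in shares(events)))


def diversity(events, members):
    """DIVERSITY: fraction of the member population that shared at least one item."""
    active = {e["org"] for e in shares(events)}
    return len(active & set(members)) / len(members)


def feedback_ratio(events):
    """FEEDBACK: comments per shared item, a rough proxy for orgs refining each other's data."""
    n_shares = len(shares(events))
    n_comments = sum(1 for e in events if e["kind"] == "comment")
    return n_comments / n_shares if n_shares else 0.0


def trust(events):
    """TRUST: how much sharing happens openly versus inside private groups."""
    by_vis = Counter(e["visibility"] for e in shares(events))
    total = sum(by_vis.values())
    return {"open": by_vis["open"], "private": by_vis["private"],
            "open_fraction": by_vis["open"] / total if total else 0.0}


def health_report(events, members):
    """All four metrics in one dict, the view you would track over time."""
    return {"activity": activity(events), "diversity": diversity(events, members),
            "feedback": feedback_ratio(events), "trust": trust(events)}


if __name__ == "__main__":
    from pprint import pprint
    pprint(health_report(EVENTS, MEMBERS))
```

On this constructed log only two of five members ever share, one comment answers seven shared items, and five of seven shares are private: a small-scale version of the low feedback and high private-group ratios the talk reports from real communities.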
Looking for healthy dynamics
Some organizations are clearly in a better position operationally and legally to share. And that is expected due to our premises.
Feedback Metric
• Almost no support on automation-driven platforms
• Some allow you to leave "comments" or "new descriptors" for the IOCs – even counting those, a very low % in relation to new shared data
• Analyst-driven environments allow for collaboration on e-mails and forum posts to describe and refine strategies and best practices.
How can we make this collaboration work on automation-driven platforms?
Trust Metric
• The rough estimate seems to be that more than 80% of "sharing" (IOCs, messages, etc) happens in "private groups" inside the infrastructure of the sharing platform
• All communities have them:
  • Part of the DNA of the IC/cleared community
  • Offsets the trust equation, but defeats the "herd immunity" argument
  • Usually MANDATORY on collaboration with LEA
But then the "good" data is not helping "the community"! Is there any way we can reconcile?
TRUST: Anonymity + Good Curation
Some sharing communities accept anonymous submissions that they then curate and disseminate to all organizations
TECHNICAL BARRIER: "Pyramid of Sharing"
[Figure: "Pyramid of Sharing", with tiers labelled IOCs, Feedback and Telemetry on a scale from LESS MATURE to MORE MATURE]
With ❤ and apologies to @DavidJBianco
Takeaways
• Intelligence Sharing is a very analyst-centric activity that we have been tasked with scaling out with automation. No wonder it seems so hard.
• Data can be as good as a paid feed, but you have to be in the right circles of trust
• Does not solve the analyst shortage, nor making the indicators/strategies operational in your environment