threat intelligence 101 - steve lodin - submitted
TRANSCRIPT
![Page 1: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/1.jpg)
Threat Intelligence 101
![Page 2: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/2.jpg)
Getting SmarterSteve Lodin
Sallie Mae Bank
Director, Cyber Security Operations
![Page 3: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/3.jpg)
Threat Intelligence 101
• Learn about Threat Intelligence• What/Why/How
• Technology
• Be able to evaluate your organization’s maturity
• Understand some of the Gotchas
![Page 4: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/4.jpg)
Traffic Light Protocol
Before we begin…
https://www.us-cert.gov/tlpW
e ar
e:
![Page 5: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/5.jpg)
Acronyms• CND – Cyber Network Defense
• CISA – Cyber Information Sharing Act
• CTI – Cyber Threat Intelligence
• CybOX – Cyber Observable eXpression
• CTIIC - Cyber Threat Intelligence Integration Center
• DGA – Domain Generation Algorithm
• IOA – Indicators of Attack
• IOC – Indicators of Compromise
• ISAC / ISAO – Information Sharing and Analysis Center / Organization
• MD5 – Message Digest v5
• MRTI – Machine Readable Threat Intelligence
• NCCIC - National Cybersecurity and Communications Integration Center
• OSINT – Open Source Intelligence
• OTX – Open Threat eXchange
• SHA1/SHA2 – Secure Hash Algorithm v1 and 2
• SIEM – Security Information and Event Management
• STIX – Structured Threat Information eXchange
• TAP – Threat Analytics Platform
• TAXII – Trusted Automated eXchange of Indicator Infomation
• TLP – Traffic Light Protocol
• TTP – Tactics, Techniques, and Procedures
Before we begin…
![Page 6: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/6.jpg)
Example Threat Intelligence
Before we begin…
What/How
Who/Why/How
InvestigateImplement
Hunt
Share
![Page 7: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/7.jpg)
What / Why / How
![Page 8: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/8.jpg)
Gartner – May 2013
What is Threat Intelligence?
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
What / Why / How
![Page 9: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/9.jpg)
Where are we?
What / Why / How
Audience Participation:Are you aware of CTI Sharing…?
![Page 10: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/10.jpg)
Where are we?
What / Why / How
Audience Participation:Do you think it is valuable…?
![Page 11: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/11.jpg)
Why should you care?
• Sobering Stats
• There were 38% more cyberattacks in 2015 than in 2014, along with a 56% rise in the theft of intellectual property
• In the U.S., a mind-boggling 169 million personal records were compromised, across the major sectors of financial, business, education, government and healthcare
• In 2015 ISACA survey, 86% of nearly 3500 organizations believed there is a shortage of skilled IT security professionals to handle these problems
What / Why / How
TechRepublic Article 3/15/2016
![Page 12: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/12.jpg)
Why should you care?
• Tactical Perspective• Proactively detect or defend against attacks before they happen• Diagnose infected corporate systems• Breach Discovery • Discovery of an APT
• Strategic Enhancements• Track threats targeting your company or industry• Use of Analysis to Improve Risk Assessments• Change in Defenses
• Community Posture• Be a good neighbor – help support your sharing community
What / Why / How
![Page 13: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/13.jpg)
How does a company use Threat Intelligence?
• Attack prevention/detection• Primary use case
• Forensics• Helping to investigate attacks and compromises
• Hunting• Using big data to discover anomalies
What / Why / How
![Page 14: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/14.jpg)
What “data” do you see?
• Compromised Devices• Systems communicating with known bad sites and C&Cs
• Malware Indicators• IOAs and IOCs
• IP Reputation• Geolocation• Known bad Tor/Proxy/VPN providers• Watering Holes
• Command and Control Networks• Malware origination, botnet controllers
• Phishing Messages• Business Email Compromise and Email Attack Campaigns
What / Why / How
![Page 15: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/15.jpg)
Soltra
Wh
at /
Wh
y /
Ho
w
![Page 16: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/16.jpg)
Pain Level
David Bianco
What / Why / How
![Page 17: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/17.jpg)
What does the team do?
What / Why / How
What’s coming at us
How we respond
![Page 18: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/18.jpg)
What does the team do?
What / Why / How
Threat IntelligenceSources
Security Solutions
Distribute Indicators of Compromise
NothingFound
Investigate
Forrester Research + Steve
![Page 19: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/19.jpg)
Here is how we handle threats!
What / Why / How
Sometimes that can backfire!
![Page 20: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/20.jpg)
Sharing
• Threat intelligence sharing is considered the most effective in preventing attacks.• According to respondents, an average of 39% of all hacks can be thwarted
because the targeted organization engaged in the sharing of threat intelligence with its peers.
• Additionally, out of all technologies available, threat intelligence sharing was cited by 55% of respondents as the most likely to prevent or curtail successful attacks.
• Requires an excellent IT security infrastructure• The platform also must be part of a larger, global ecosystem that enables a
constant and near real time sharing of attack information that can be used immediately to apply protections to prevent other organizations in the ecosystem from falling victim to the same or similar attacks.
What / Why / How
Ponemon Report: Flipping the Economics of Attacks Jan 2016
![Page 21: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/21.jpg)
Types of Sharing
• OSINT• Share with the world
• ISACs• Share your attacks and IOCs with your industry peers
• Anonymous• Share your attacks and IOCs with peers
under no attribution
• Cybersecurity Information Sharing Act• Share your data with the DHS and DOJ
What / Why / How
![Page 22: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/22.jpg)
How can you succeed?
1. Understand Threat Intelligence
2. Achieve Organizational / Leadership / Board Buy-in• Requires approval for People / Process / Technology
3. Determine Necessary Skills and Staffing• Options are internal, outsourced, MSSP
4. Buy Appropriate Technology Solutions• RFI/RFP and PoC
5. Choose the Right Feeds
6. “A Cyber Hunting We Will Go”
What / Why / How
![Page 23: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/23.jpg)
Technology
![Page 24: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/24.jpg)
Threat Intelligence Feeds
• Internal (+$0-$$$, +Info, +Private)• Security logs and network data, including DNS logs, email logs, web proxy logs, etc…
• OSINT and Open Source Data ($0, +Info, +Work)• Open source intelligence (OSINT) providers comb through a multitude of information
sources, looking for intelligence about possible threats against your company.• OSINT feeds give you needed intelligence to prevent attacks before they happen.
• ISACs (+$, ++Industry, +Info)• Information sharing and analysis centers (ISAC) provide threat intelligence to specific
industries. Examples FS-ISAC, MS-ISAC, NH-ISAC and HITRUST Cyber Threat XChange
• Commercial (++$$, ++Info)• Threat intelligence feeds from commercial companies contain proprietary research
determined by how the company detects threats.• Some companies focus mainly on threat intelligence streams. Other companies offer
threat intelligence streams as part of an integrated suite of security services.
Technology
Audience Participation:Who has a team using…?
![Page 25: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/25.jpg)
automaterPacketmailPacketmail
OSINT Feed Examples
Technology
![Page 26: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/26.jpg)
OSINT & Commercial Feed Example
Technology
![Page 27: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/27.jpg)
Commercial Feed Example
Technology
![Page 28: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/28.jpg)
Anonymous Data Sharing
Technology
![Page 29: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/29.jpg)
The Big Picture
Technology
Soltra
![Page 30: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/30.jpg)
Platforms
• These are threat intelligence aggregation, analysis, and collaboration environments.
• Provides visibility across feed sources, threat classifications, network, applications, host elements and many other threat observables.
Technology
![Page 31: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/31.jpg)
Platform Functions
• Ingest threat intelligence and normalize it
• Rate intelligence sources (over time)
• Provide an analyst workspace
• Provide visualization and pivoting
• Provide enrichment
• Enable internal and external collaboration/sharing
Technology
![Page 32: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/32.jpg)
![Page 33: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/33.jpg)
ThreatConnect
Level 4 – Well-defined Threat Intelligence Program
Operational and StrategicOperational Playbooks, C-level Alignment,
Integration with Biz, IT, SecLeading Industry and/or Technology TI
Community
Level 3 – Threat Intelligence Platform in Place
Dedicated Personnel, Multi-tier People/Process/Tech Bi-directional Sharing, Participation in ISAC
Level 2 – Expanding Threat Intelligence Capabilities
Team and SOC Threat Intelligence Platform Hunt and Respond, Internal and External
Level 1 – Warming up to Threat Intelligence
Small Team Some Automation Internal Focus
Level 0 - Unclear where to start
No Team Manual, incident based efforts Internal Focus
Mat
uri
ty
![Page 34: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/34.jpg)
Hunting Maturity Model
Maturity
David Bianco – Oct 2015
![Page 35: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/35.jpg)
Gotchas
![Page 36: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/36.jpg)
Overloading the team
• To say that the threat landscape is overwhelming is the understatement of the year. Targeted attacks are on the rise with increasing sophistication, and our detection and response capabilities are woefully inadequate. Advanced persistent threats, espionage, spear phishing, and disrupted denial of service attacks dominate the headlines.
Gotchas
![Page 37: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/37.jpg)
Got Intelligence? Now what?
• When the incoming sources start adding up, how do you manage that efficiently?• Need to scale up to a platform
• Wouldn’t it be easier to have high confidence threat indicators loaded into your security systems for detection and immediately take action?• Orchestration
• Easier said than done
Gotchas
![Page 38: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/38.jpg)
Things are not always as they seem
• Location, Reputation, and Confidence Conflicts
• Indicators can age
Gotchas
![Page 39: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/39.jpg)
Things are not always as they seem
• Over compensating for every threat that may not impact your company
Gotchas
![Page 40: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/40.jpg)
There is no silver bullet
• Quality matters more than quantity when choosing feeds
• It's Not What You Know, It's What You Do With It• It’s not so much the collection or processing of intelligence.
• It's the communication of intelligence between different areas of the organization. Red teams, security operations centers (SOCs), incident response (IR), vulnerability management…
Gotchas
![Page 41: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/41.jpg)
Closing
![Page 42: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/42.jpg)
Threat intelligence cannot be bought
Rather, the threat intelligence journey is a multistep road map
1) lays a solid foundation of essential capabilities
2) establishes buy-in
3) identifies required staffing and skill levels
4) establishes your intelligence sources
5) drives actionnable intelligence
Closing
![Page 43: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/43.jpg)
Possible Solution Providers
Closing
Forrester Research 2015
![Page 44: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/44.jpg)
Research
Closing
https://www.mindmeister.com/de/137280416/information-security-technologies-markets
![Page 45: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/45.jpg)
Why (or Why Not)?
Closing
Audience Participation:
Do you feel stronger now about using TI than when we started today...?
Is TI more valuable now?
![Page 46: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/46.jpg)
Why?
The power of threat intelligence is it allows
somebody else's detection to be your prevention.
Orchestration and bi-directional participation
signals growing in maturity.
Closing
Median Days to Breach DetectionFireEye/Mandiant
![Page 47: Threat Intelligence 101 - Steve Lodin - Submitted](https://reader033.vdocument.in/reader033/viewer/2022042907/587efc711a28ab35528b63dd/html5/thumbnails/47.jpg)
Questions?
Closing