threat intelligence in a nutshell - illinois institute of ... intel in a... · threat intelligence...

Page 1

THREAT INTELLIGENCE IN A NUTSHELL: FROM INTELLIGENCE TO EXPLOITATION

Abdel Sy Fane
Chicago CyberSecurity Meetup – President
Application Security Manager - Allstate

Page 2

WHAT IS THREAT-INTEL (TI)?

• Collecting Information on your adversaries (Threat Actors)
• Defining who they are and what they're capable of (Threat Modeling)
  • Hacktivists, APT Groups, Nation States, Hackers (driven by money or chaos)
• Curating the Data (there's tons of data out there!)
• Contextualize & Visualize Threat Actors
• Security Intelligence Tools (Gather & Analyze Threats)

Page 3

WHAT IS THREAT MODELING & WHY IS IT IMPORTANT?

Page 4

MODELING FOR INTELLIGENCE

• Know Your Organization
  • What is your organization's role in the industry?
• Know Your Infrastructure
  • What assets do you need to protect?
• Know Your Actors
  • Which bad actor is most likely to come after your assets?
• Know Your Tools
  • How are you going to gather threat data & analyze it?

Page 5

WHAT IS THREAT DATA, INFORMATION & INTELLIGENCE?

• Unusual Network Traffic
• Log-In Red Flags
• Geographical Irregularities
• Web Traffic with Unhuman Behavior
• Anomalies in Privileged User Account Activity
• Other Indicators of Compromise (IOC)

Page 6

THREAT INTEL, FEEDS & PLATFORMS

• Threat Data Feeds
  • Pros:
    • Good starting point for Threat Intel (Threat Data is knowledge but not power)
    • Tons of OpenSource Feeds (FREE!)
    • Department of Homeland Security's (DHS) Enhanced Cybersecurity Services (ECS)
    • Knowledge shared among organizations and govt. entities (also FREE!)
  • Cons:
    • A data feed alone cannot answer any vital questions regarding the threat
    • Data overload
    • Relevant intel can only be extracted by a human (time consuming)

Page 7

THREAT INTEL, FEEDS & PLATFORMS (CONT.)

• Human Intelligence (HUMINT)
  • Pros:
    • Collecting Threat Intelligence from human and machine sources
    • Rich in details and located in a searchable DB
    • Contextualized data relevant to your organization
  • Cons:
    • Time:
      • Time consuming to collect data from multiple sources
      • Time consuming for a human to analyze and correlate the data
      • Time consuming for a human to connect the threat to your specific organization/industry

Page 8

THREAT INTEL, FEEDS & PLATFORMS (CONT.)

• Threat Intelligence Platforms
  • Pros:
    • Help organize threat data feeds (up to thousands of feeds)
    • Centralize the feeds you're subscribed to
    • Contextualize and visualize data and correlate/integrate it with other security platforms, e.g. SIEMs
    • Prioritize what matters and set up alerts
  • Cons:
    • Threat data feeds must be configured
    • Only as good as the data coming in (feeds)
    • Can be costly
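As an added example (not code from the deck), here is the pipeline slides 5 through 8 describe in miniature: raw login events are turned into threat data (the log-in red flags, geographical irregularities and privileged-account anomalies of slide 5), a feed supplies the context a platform would attach, and the result is ranked so alerts can be set on what matters. The feed entries, events, account names, IP addresses (documentation ranges) and scores are all constructed assumptions.

```python
from collections import defaultdict

# Constructed threat-data feed (not a real feed): indicator -> context a platform would attach.
FEED = {
    "203.0.113.7": {"actor": "ExampleGroup-A", "confidence": 90, "tag": "c2"},
    "198.51.100.22": {"actor": "mass-scanner", "confidence": 40, "tag": "scanner"},
}
# Constructed login events: (user, source_ip, country, outcome, epoch_seconds).
EVENTS = [
    ("alice", "192.0.2.10", "US", "success", 1000),
    ("alice", "203.0.113.7", "RU", "success", 1600),  # new country 10 minutes later
    ("bob", "198.51.100.22", "US", "failure", 2000),
    ("bob", "198.51.100.22", "US", "failure", 2010),
    ("bob", "198.51.100.22", "US", "failure", 2020),
    ("svc_backup", "192.0.2.77", "US", "success", 2500),
]
PRIVILEGED = {"svc_backup"}  # assumed list of privileged accounts
BASE_SCORE = {"geo_irregularity": 50, "login_red_flag": 30, "privileged_activity": 20}

def raw_observations(events):
    """Threat data: flag unusual events with no context yet (the slide 5 indicators)."""
    obs, last_seen, fails = [], {}, defaultdict(int)
    for user, ip, country, outcome, ts in events:
        if outcome == "failure":
            fails[(user, ip)] += 1
            if fails[(user, ip)] == 3:  # repeated failures from one source: log-in red flag
                obs.append(("login_red_flag", user, ip, ts))
            continue
        prev = last_seen.get(user)
        if prev and prev[0] != country and ts - prev[1] < 3600:
            obs.append(("geo_irregularity", user, ip, ts))  # two countries within an hour
        if user in PRIVILEGED:
            obs.append(("privileged_activity", user, ip, ts))  # privileged account activity
        last_seen[user] = (country, ts)
    return obs

def enrich_and_prioritize(obs, feed):
    """Threat intelligence: attach feed context to each observation and rank the result."""
    alerts = []
    for kind, user, ip, ts in obs:
        ctx = feed.get(ip)  # a platform would do this lookup across all subscribed feeds
        alerts.append({
            "kind": kind, "user": user, "ip": ip, "ts": ts,
            "actor": ctx["actor"] if ctx else None,
            "score": BASE_SCORE[kind] + (ctx["confidence"] if ctx else 0),
        })
    return sorted(alerts, key=lambda a: a["score"], reverse=True)
```

The same observation scores very differently once a feed ties its source address to a known actor, which is the difference between data and intelligence the slides draw.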

Page 9

OPENSOURCE THREAT INTELLIGENCE

• Write APIs to collect data from publicly available sources
  • Security News
  • Security Blogs
  • Security Forums
  • Security Research
  • Social Media
    • Twitter – tinfoleak (Github)
• Check out Awesome-Threat-Intelligence (Github)

Page 10

NOTABLE OPEN SOURCE THREAT INTELLIGENCE RESOURCES

• vFeed (Github)
• MISP - Malware Information Sharing Platform and Threat Sharing (Github)
• AlienVault - provides open access to a global community of threat researchers and security professionals

Page 11

DEMO

• Goals:
  • Find a vulnerability reported by vendor (CVE, CWE, CPE, OVAL, CAPEC, CVSS, WASC)
  • Find and correlate a vulnerability to threat data
  • Use the threat intelligence to exploit the reported vulnerability
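An added example (not part of the deck) for the first two demo goals, from the defender's side: a vendor-reported vulnerability (CVE, CWE, CPE, CVSS) is joined to an asset inventory by CPE name and then to a threat-data feed by CVE, so that the issues actually being used by an actor are patched before ones that merely carry a higher CVSS score. The inventory, the advisory record shape (what a vFeed/NVD-style lookup would return), the feed and the CVE ids are all constructed placeholders, and the CPE matcher is a simplified field-by-field comparison.

```python
# Constructed data only; the CVE ids are placeholders and do not refer to real advisories.
ASSETS = [  # assumed asset inventory keyed by CPE 2.3 name
    {"host": "web-01", "cpe": "cpe:2.3:a:examplevendor:webapp:2.1.0:*:*:*:*:*:*:*"},
    {"host": "db-01", "cpe": "cpe:2.3:a:examplevendor:dbserver:5.4.2:*:*:*:*:*:*:*"},
]
ADVISORIES = [  # assumed shape of a vendor/NVD-style lookup: CVE, CVSS, CWE, affected CPEs
    {"cve": "CVE-0000-0001", "cvss": 9.8, "cwe": "CWE-89",
     "cpe": ["cpe:2.3:a:examplevendor:webapp:2.1.0:*:*:*:*:*:*:*"]},
    {"cve": "CVE-0000-0002", "cvss": 5.3, "cwe": "CWE-200",
     "cpe": ["cpe:2.3:a:examplevendor:dbserver:5.4.2:*:*:*:*:*:*:*"]},
    {"cve": "CVE-0000-0003", "cvss": 7.5, "cwe": "CWE-79",
     "cpe": ["cpe:2.3:a:examplevendor:webapp:3.0.0:*:*:*:*:*:*:*"]},  # version not deployed
]
THREAT_DATA = {  # constructed feed: which CVEs have been seen in active campaigns
    "CVE-0000-0002": {"actor": "ExampleGroup-A", "exploited_in_wild": True},
}

def cpe_fields(cpe):
    """Split a CPE 2.3 formatted string into its attribute fields (drops the 'cpe:2.3' prefix)."""
    return cpe.split(":")[2:]

def cpe_matches(asset_cpe, advisory_cpe):
    """An advisory CPE matches when every field equals the asset's field or is the '*' wildcard."""
    return all(b == "*" or a == b for a, b in zip(cpe_fields(asset_cpe), cpe_fields(advisory_cpe)))

def correlate(assets, advisories, threat_data):
    """Join assets to advisories by CPE, then advisories to threat data by CVE, and rank."""
    findings = []
    for asset in assets:
        for adv in advisories:
            if not any(cpe_matches(asset["cpe"], c) for c in adv["cpe"]):
                continue
            intel = threat_data.get(adv["cve"])
            # An actively exploited CVE jumps ahead of a higher-CVSS one with no threat activity.
            priority = adv["cvss"] + (10 if intel and intel["exploited_in_wild"] else 0)
            findings.append({"host": asset["host"], "cve": adv["cve"], "cwe": adv["cwe"],
                             "cvss": adv["cvss"], "actor": intel["actor"] if intel else None,
                             "priority": priority})
    return sorted(findings, key=lambda f: f["priority"], reverse=True)
```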

Page 12

THANK YOU!

The Team: Abdel Sy Fane, Emily Stamm, Andrea Kim

ChicagoSecurity.Org Meetup.com/ChicagoSecurity