usmc veteran – 2651 secure comms/intel sysadmin +14 years in information technology/security...
Slide 1: Threat Intel Capability Kick Start
- Matt Nelson
Slide 2: Quick Bio
USMC Veteran – 2651 Secure Comms/Intel SysAdmin
+14 Years in Information Technology/Security
Specialties:
• Incident Response/Forensics
• Threat Intelligence
• Offensive Security
$dayjob = Senior Malware & Threat Intel Analyst
$sidejob = AdroitSec LLC – Principal/Consultant
Slide 3: What we’ll cover
• What Threat Intel is / does
• Managing Threat Intel
• Implementing Threat Intel
• Threat Intel & IR integration
• Threat Intel sharing
Slide 4: What is Threat Intel?
Slide 5: What your boss thinks Threat Intel is:
Slide 6: What your Threat Intel probably is:
Or…
Slide 7: Business Intelligence
“Business intelligence (BI) is the set of techniques and tools for the transformation of raw data into meaningful and useful information for business analysis purposes.”
Slide 8: What is Threat Intel (TI)? (depends on who you ask)
Slide 9:
“Details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats.”
- Forrester
Slide 10:
“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
- Gartner
Slide 11: Threat Intel (TI) =
Strategic:
• Context
• Motivations
• Capabilities
• Implications
• Actionable Advice
Operational:
• Context
• Mechanisms
• Indicators
• Tactics
• Techniques
• Procedures
Slide 12: Aspects of Threat Intel
• Outside
• Inside
• Inside > Out
Slide 13: Sources of Threat Intel
Internal:
• Logs
• Network
• Endpoints
• Malware Analysis
• Phishing Emails
• Past incidents
External:
• Industry Sharing Groups: ISACs (Ag, IT, Financial, etc.)
• Government: US-CERT, FBI, etc.
• Org to Org partnerships
• Vendors (data / analysis)
• Open Source
Slide 14: Threat Data or Threat Intel?
Slide 15: Threat Data
• Indicators of Compromise: IPs, Hashes, Names, etc.
• Threat Feeds
• Etc.
Slide 16: Pyramid of Pain – David Bianco
Slide 17: Threat Intel Analysis
Analysis of:
• Internal Intel
• Threat Data (feeds, IOCs, etc.)
• External Intel
Analysts analyze; automation and analytics can increase effectiveness.
Slide 18: What differentiates Threat Intel / Data?
CONTEXT
Slide 19: Context (via analysis)
• Target victim(s): size, victim type
• Target vertical
• Other orgs
• Targeted or spray
• Malware: custom or commodity
• Tools/Tactics/Procedures
• Intent of attack: passwords/credentials, configurations
Remove context and it is just data…
Slide 20: Caveat: External Analysis
• Supplemental
• Still requires analysis
• Application of context
Slide 21: What Threat Intel Does
Situational Awareness
Slide 22: Situational Awareness
Strategic:
• Risk Management
• Vulnerability Management
• Threat Modeling
Tactical:
• Proactive/Reactive IR
• Threat Communications
• Breach Discovery
• Prevention
• Detection
Slide 23: Managing Threat Intel
Slide 24: Day in the life…
Analyst activities:
• Malware Analysis
• Incident Response Course of Action
• Open Source Analysis
• Email Analysis
• Protocol Analysis
• SIEM
• Data Correlation
• Asset Tracking
• Executive Briefs
• Attack Vector
• Mitigating Controls
• Shared Threat Intelligence
• Attacker TTPs
H/T: ThreatConnect
Slide 25: Threat Intel Platform (TIP)
• Organization of threat data
• Contextualize threat data
• Draw relationships
• Historical Perspective
• Automate in parallel with other tools
Slide 26: Threat Intel Platform (TIP)
Open Source:
• CRITs
• Soltra
• MANTIS
• Etc.
Commercial:
• ThreatConnect
• ThreatStream
• RecordedFuture
• Etc.
Slide 27: Implementing Threat Intel
Slide 28: Threat Intel as Component/Program
• Component of bigger strategy
• Parallel/Integral to other capabilities
• Place it properly
• Threat Intel could be its own “Program”
Slide 29: Threat Intel Program (diagram)
Threat Intel Program: OSINT, Threat Research, External Intelligence Services, ISACs
Network: Firewall, IPS/IDS, Web Gateway
Endpoint: Anti-Virus, HIDs/HIPs, DLP
SIEM
Detection & Response
Governance / Resistance
Slide 30: Implementing Threat Intel
• Define the goals of TI for the organization.
• Define how you will leverage TI to accomplish those goals.
• Make it “Actionable”
• Realize that TI is 80% internal, 20% external (relative to your business)
Slide 31: Actionable Intelligence Analysis
Know your:
• Assets
• Infrastructure
• Personnel
• Business operations
• Weaknesses/Entry Points
Slide 32: Actionable Intelligence Analysis
Know:
• How to apply threat intel (or not)
• Where to apply (capabilities)
• How & who to communicate to
May not be a “technical” application
Slide 33: Actionable Intelligence Application (Tactical)
Apply to Infrastructure:
• SIEM/Log Management
• Network Security Monitoring
• Firewalls
• Proxies
• Mail Gateways
• Training/Communication
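The tactical application above (indicators pushed into SIEM/log management) only pays off when each hit still carries the context the earlier Context slides describe; without it a match is just threat data. The following is an added example, not code from the deck or its author: a small Python script that matches a constructed indicator feed against constructed proxy/firewall log lines, keeps the analyst context with every hit, and orders hits by Pyramid of Pain level so that context-bearing, harder-to-replace indicators surface first. The feed entries, log format, field names and level mapping are this example's own assumptions.

```python
"""Turn raw threat data into contextualized matches against sample logs.

Added example, not part of the slide deck.  All feed entries and log lines are
constructed sample data; field names and the PYRAMID_LEVEL mapping are this
example's own assumptions.
"""
import json
import re
from dataclasses import dataclass, field

# Pyramid of Pain levels (David Bianco): the higher the level, the more effort
# an adversary must spend to replace the indicator once it is blocked.
PYRAMID_LEVEL = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}


@dataclass
class Indicator:
    value: str
    kind: str                                   # hash | ip | domain | ...
    source: str                                 # internal IR, ISAC, vendor, open feed
    context: dict = field(default_factory=dict)  # campaign, target vertical, TTPs

    @property
    def pyramid_level(self):
        return PYRAMID_LEVEL[self.kind]

    @property
    def is_intel(self):
        # Without context an indicator is just threat data.
        return bool(self.context)


# Constructed feed: two entries carry analyst context, one is a bare feed IOC.
FEED = [
    Indicator("203.0.113.45", "ip", "internal IR",
              {"campaign": "phish-wave-7", "target_vertical": "finance",
               "ttp": "credential phishing -> webmail login"}),
    Indicator("evil-invoice.example", "domain", "ISAC",
              {"campaign": "phish-wave-7", "target_vertical": "finance"}),
    Indicator("d41d8cd98f00b204e9800998ecf8427e", "hash", "open feed", {}),
]

# Constructed proxy / firewall / AV log lines in a key=value style built for this example.
LOGS = [
    "2015-06-01T10:02:11Z proxy user=alice dst=evil-invoice.example action=allow",
    "2015-06-01T10:05:40Z fw src=10.0.0.8 dst=203.0.113.45 dport=443 action=allow",
    "2015-06-01T10:07:02Z fw src=10.0.0.9 dst=198.51.100.7 dport=80 action=allow",
    "2015-06-01T10:09:15Z av host=ws12 md5=d41d8cd98f00b204e9800998ecf8427e",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_log(line):
    """Split a 'timestamp source key=value ...' line into a dict."""
    ts, src, rest = line.split(" ", 2)
    fields = dict(KV_RE.findall(rest))
    fields.update({"ts": ts, "log_source": src})
    return fields


def match_logs(feed, logs):
    """Return one enriched hit per (indicator, log line) match.

    Hits that carry context and sit higher on the pyramid come first: they tell
    an analyst what the match means and what to do, not just that a string matched.
    """
    by_value = {ind.value: ind for ind in feed}
    hits = []
    for line in logs:
        rec = parse_log(line)
        for key, val in rec.items():
            ind = by_value.get(val)
            if ind is None:
                continue
            hits.append({
                "indicator": ind.value,
                "kind": ind.kind,
                "pyramid_level": ind.pyramid_level,
                "matched_field": key,
                "ts": rec["ts"],
                "log_source": rec["log_source"],
                "source": ind.source,
                "is_intel": ind.is_intel,
                "context": ind.context,
            })
    hits.sort(key=lambda h: (h["is_intel"], h["pyramid_level"]), reverse=True)
    return hits


if __name__ == "__main__":
    for hit in match_logs(FEED, LOGS):
        print(json.dumps(hit))
```

On the constructed input the domain hit from the ISAC and the IP hit from internal IR come out first, both with their campaign context attached; the bare hash from the open feed matches too, but is flagged `is_intel: False` so the analyst sees at a glance that it still needs context before it is worth acting on.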
Slide 34: Actionable Intelligence Application (Strategic)
Apply to security program:
• Org Threat Modeling
• Risk Management
• Security Planning
Slide 35: Integration: Threat Intel & Incident Response
Slide 36:
"A shiny threat intel capability without a mature IR capability is like putting a big ole fancy spoiler on a stock 4 cyl Dodge Neon."
- @mattnels
Slide 38: Proactive vs. Reactive IR
• Hunting for breaches / incidents / anomalies
• Identifying avenues of attack and addressing them
• Detecting shifts of attack
Slide 39: Resist / Detect / IR / Plan / Ops (diagram)
Detect:
• Visibility: SIEM/Logs, Network, Hosts, Threat Intel
IR:
• Analysis
• Verification
• Containment
• Remediation
• CSIRT
Ops:
• Security reviews
• Identity mgmt
• Security design/reqs
• Vuln Mgmt
• Security Operations
Plan:
• Policy
• Risk Management
• Security program design
• Compliance Reporting
• Audit
Slide 40: Active Cyber Defense Model
• Threat Intelligence Consumption
• Asset Classification and Security Monitoring
• Incident Response
• Threat & Environment Manipulation
Source: RecordedFuture.com – Robert Lee
Slide 41: TI/IR Focal Points
• Logs
• Network
• Endpoint
• Threat Intel
Slide 42: Kill Chain & Focal Points
Kill chain phases: Recon, Weaponization, Delivery, Exploitation, C2, Exfiltration
Focal points mapped across the phases: Logs, Network, Endpoint, Threat Intel (Threat Intel recurs at several phases)
Slide 43: Threat Intel Sharing
Slide 44: Advantages of Sharing
Benevolence:
• Greater Good
Self-Interested:
• Give some to get some
Scope, Relevancy, Context, Breadth, Capabilities
Slide 45: Ways to share
• Vertical/Industry sharing groups: ISACs (Ag, IT, Financial, Edu, etc.)
• Government: US-CERT, FBI InfraGard, etc.
• Org to Org partnerships
• Vendor(s)
Slide 46: Sharing Strategy
• Define a sharing strategy (TLP class)
• Sanitize
• Targeted sharing
• No regurgitation (unique data)
• Ingestible, concise/clear
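The sharing strategy above comes down to a few mechanical checks before anything leaves the organization: is the record's TLP class within what this partner may receive, has it been sanitized of anything that describes the victim rather than the threat, does it carry context (otherwise it is data, not intel), and has it already been sent (no regurgitation). The following is an added example, not code from the deck or its author, showing those checks in Python. The record layout, the set of "internal" field names, the RFC1918 ranges used to scrub internal addresses and the partner's TLP ceiling are this example's own assumptions; the TLP classes RED/AMBER/GREEN/WHITE are the standard Traffic Light Protocol ones.

```python
"""Prepare internal incident records for sharing under a TLP-based strategy.

Added example, not part of the slide deck.  Records, the partner's TLP ceiling,
the INTERNAL_FIELDS set and the RFC1918 scrub are constructed assumptions.
"""
import ipaddress
import json

# Traffic Light Protocol classes, ordered from most to least restrictive.
TLP_ORDER = {"RED": 0, "AMBER": 1, "GREEN": 2, "WHITE": 3}

# Fields that describe *us* (victim assets, people, tickets), never the threat.
INTERNAL_FIELDS = {"victim_host", "victim_user", "internal_ip", "ticket"}

# Address ranges treated as internal for the scrub (assumption: RFC1918 only).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed incident records as an analyst might export them from a TIP.
RECORDS = [
    {"indicator": "evil-invoice.example", "type": "domain", "tlp": "AMBER",
     "context": {"campaign": "phish-wave-7", "ttp": "credential phishing"},
     "victim_host": "ws12.corp.internal", "victim_user": "alice", "ticket": "IR-1042"},
    {"indicator": "203.0.113.45", "type": "ip", "tlp": "RED",
     "context": {"campaign": "phish-wave-7"}, "internal_ip": "10.0.0.8"},
    {"indicator": "198.51.100.7", "type": "ip", "tlp": "GREEN", "context": {}},
    {"indicator": "d41d8cd98f00b204e9800998ecf8427e", "type": "hash", "tlp": "GREEN",
     "context": {"malware": "commodity downloader"}, "first_seen_from": "10.0.0.9"},
]


def is_internal_ip(value):
    """True when value parses as an address inside one of INTERNAL_NETS."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def sanitize(record):
    """Drop fields naming internal assets/people and any internal address left elsewhere."""
    clean = {}
    for key, val in record.items():
        if key in INTERNAL_FIELDS:
            continue
        if isinstance(val, str) and is_internal_ip(val):
            continue
        clean[key] = val
    return clean


def build_share_package(records, partner_max_tlp, already_shared):
    """Select, sanitize and deduplicate records for one partner.

    partner_max_tlp: most restrictive TLP class the partner is cleared for ("AMBER" means
                     AMBER, GREEN and WHITE records may go, RED may not).
    already_shared:  set of indicator values previously sent to this partner; updated in place.
    Returns (package, skipped) where skipped maps indicator -> reason it was held back.
    """
    package, skipped = [], {}
    ceiling = TLP_ORDER[partner_max_tlp]
    for rec in records:
        ind = rec["indicator"]
        if TLP_ORDER[rec["tlp"]] < ceiling:
            skipped[ind] = "tlp above partner ceiling"
            continue
        if ind in already_shared:
            skipped[ind] = "already shared"
            continue
        if not rec.get("context"):
            skipped[ind] = "no context, data not intel"
            continue
        package.append(sanitize(rec))
        already_shared.add(ind)
    return package, skipped


if __name__ == "__main__":
    pkg, held = build_share_package(RECORDS, "AMBER", set())
    print(json.dumps({"package": pkg, "skipped": held}, indent=2))
```

Keeping the `tlp` field on each shared record is deliberate: the marking travels with the indicator so the receiving side can apply the same ceiling when it shares onward. The `skipped` map is worth logging too, since a record held back for "no context" is a prompt to go back and finish the analysis rather than push bare data to a partner.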
Slide 47: Wrap-up
• Define your goals
• Collect relevant TI
• Analysis / Context
• Make Actionable / apply it
• Share your Intel