What is Threat Intelligence and How Best to Leverage It
Daniel McCauley
- Sr. Cyber Security & Threat Intelligence Analyst
- Annual Cyber Exercise and Security Awareness Initiatives
- Western North Carolina
- BSides Asheville, WNC InfoSec
Definition
"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." - Gartner
Another Description
A process or methodology that effectively reduces the risks associated with threats by identifying relevant events and raising awareness of them. It also includes facilitating remediation efforts to reduce overall impact.
Not Just…
- Attack Maps
- Threat Feeds
- Intelligence Portals
- Blinky Lights
TI Objectives
- Monitoring
- Assessment
- Communication
Actionable Intelligence!
Monitoring
- Potential Direct Risk to Your Organization
- Media Attention
- Direct Inquiries
- Neighborhood
- Internal/External Sources
- New and/or Previous Techniques or Campaigns
Monitoring - Internal Sources
- Non-Security Events
- Security Control Events
- Customer Reported
Monitoring - External Sources
- Commercial/Paid
- Private – member organizations (ISACs), mailing lists, etc.
- Government
- OSINT
- Social Media
- Blogs, Forums, Wikis
- Text Sharing
- IRC
- Dark Web
Assessment
- Risk Factors and Levels
- Keep it Simple
- Potential vs Current Risk
Assessment - Potential Risk
Considerations:
- Attack Vectors
- Impact
- Scope
Assessment - Current Risk
Considerations:
- Effectiveness of Mitigating Controls
- Maturity/Life Cycle of Threat
Communication
- Traffic Light Protocol
- Standardized Templates
  - Summary
  - Assessment
  - Actions
  - Reference
- SLA
- Know Your Audience!
Communication - Best Practices
- Keep Media Hype in Perspective
- Become a Single Source of Authority
- Tailor Message to Your Audience
- Define notifications based on recipient groups (people, events, etc.)
Important to Know
- Assets
- Defense in Depth Capabilities and Limitations
- Available Resources
The Process
U.S. Department of Defense’s Joint Publication 2-0: Joint Intelligence
Information vs Intelligence
iSight Partners – What is Cyber Intelligence and why do I need it?
Lifecycle
Types
- Tactical
- Strategic
- Technical
- Operational
Tactical
- Long Term
- Attacker TTPs
- Audience – Network Architects and Administrators
Strategic
- Long Term
- High-Level Information on Threat Landscape
- Audience – Board, Senior Executives, Management
Technical
- Immediate Use
- IOCs Related to Specific Malware
- Audience – Security Operations Center and Incident Response
Operational
- Immediate Use
- Details of Specific Attacks and Campaigns
- Audience – Defensive Teams
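The Communication slides (Traffic Light Protocol, standardized Summary / Assessment / Actions / Reference template, notifications defined per recipient group) and the Types slides (an audience for each intelligence type) describe one workflow: build the notification, mark it, and send it only to the people the marking and the type allow. The following is an added example of that workflow in Python; it is not code from the talk. The recipient-group names, the report field names and the sample report are constructed for the example, and the audience per type is taken from the Types slides. The TLP scopes are the TLP 1.0 definitions in use at the time of the talk (RED: named recipients only; AMBER: the recipients' own organization; GREEN: the wider community but not public channels; WHITE: unrestricted); TLP 2.0 later renamed WHITE to CLEAR.

```python
"""Added example, not from the talk: a standardized threat-intelligence
notification carrying a TLP marking, routed to the audience the talk assigns
to each intelligence type and checked against the TLP sharing scope.

Assumptions (mine): recipient-group names, which groups are internal, the
report field names and the sample report are constructed. TLP scopes follow
TLP 1.0 (RED: named recipients only; AMBER: own organization; GREEN: the
community, not public; WHITE: unrestricted). TLP 2.0 renamed WHITE to CLEAR.
"""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Set

# Audience per intelligence type, as given on the talk's Types slides.
AUDIENCE_BY_TYPE = {
    "tactical": {"network-architects", "network-admins"},
    "strategic": {"board", "senior-executives", "management"},
    "technical": {"soc", "incident-response"},
    "operational": {"defensive-teams"},
}

# Constructed recipient groups: everything above is internal to our
# organization; the ISAC is a sharing community; the blog is a public channel.
INTERNAL_GROUPS: Set[str] = set().union(*AUDIENCE_BY_TYPE.values())
COMMUNITY_GROUPS: Set[str] = {"isac-members"}
PUBLIC_GROUPS: Set[str] = {"public-blog"}


@dataclass
class Report:
    title: str
    intel_type: str          # tactical | strategic | technical | operational
    tlp: str                 # RED | AMBER | GREEN | WHITE
    summary: str
    assessment: str
    actions: List[str]
    references: List[str] = field(default_factory=list)


def allowed_groups(tlp: str, named_recipients: FrozenSet[str] = frozenset()) -> Set[str]:
    """Recipient groups a TLP marking permits (TLP 1.0 scopes, see docstring)."""
    tlp = tlp.upper()
    if tlp == "RED":
        return set(named_recipients)                 # only explicitly named recipients
    if tlp == "AMBER":
        return set(INTERNAL_GROUPS)                  # our organization only
    if tlp == "GREEN":
        return INTERNAL_GROUPS | COMMUNITY_GROUPS    # community, never public channels
    if tlp == "WHITE":
        return INTERNAL_GROUPS | COMMUNITY_GROUPS | PUBLIC_GROUPS
    raise ValueError(f"unknown TLP marking: {tlp}")


def route(report: Report, named_recipients: FrozenSet[str] = frozenset()) -> Set[str]:
    """Audience for the report's type, restricted to what its TLP allows.

    An unknown type raises rather than silently sending to nobody, so a
    mislabeled report is caught before it goes out.
    """
    if report.intel_type not in AUDIENCE_BY_TYPE:
        raise ValueError(f"unknown intelligence type: {report.intel_type}")
    return AUDIENCE_BY_TYPE[report.intel_type] & allowed_groups(report.tlp, named_recipients)


def render(report: Report) -> str:
    """Lay the report out in the talk's Summary / Assessment / Actions / Reference template."""
    lines = [
        f"TLP:{report.tlp.upper()}  [{report.intel_type}]  {report.title}",
        "",
        "Summary", f"  {report.summary}", "",
        "Assessment", f"  {report.assessment}", "",
        "Actions", *[f"  - {a}" for a in report.actions], "",
        "Reference", *[f"  - {r}" for r in report.references],
    ]
    return "\n".join(lines)


# Constructed sample report.
SAMPLE = Report(
    title="Phishing lure reusing a known campaign domain",
    intel_type="technical",
    tlp="AMBER",
    summary="An ISAC member reported a lure domain that also appears in our proxy logs.",
    assessment="Current risk: medium. Mail filtering blocks the attachment; "
               "the domain is not yet blocked at the proxy.",
    actions=["Block the domain at the proxy", "Search mail logs for the lure subject"],
    references=["ISAC bulletin (identifier withheld in this example)"],
)

if __name__ == "__main__":
    print(render(SAMPLE))
    print("recipients:", sorted(route(SAMPLE)))
```

The point of `route` is that the audience list from the Types slides is a ceiling, not a mailing list: a TLP:RED report reaches only the recipients named when it was created, and a TLP:AMBER technical report never leaks to the ISAC even though the same report marked GREEN could.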
Confidence
- High Quality Intelligence → Higher Confidence Risk Assessment
- High Confidence Assessments → Improved Response to Threats
Sharing
- Greatly Beneficial to Those Involved
- Widespread Adoption is Lacking
- Difficult to Quickly and Efficiently Distribute Large Amounts of Indicators
Sharing – Cyber Threat Alliance
The Analyst
- Analytical and Creative Problem-Solver
- Aware of Biases
- Diverse Background
  - Network Engineering, Malware Analysis, Security Architecture, Systems Administration, Social Engineering, etc.
- Strong Communication Skills
- Coding/Programming
Some Problems…
- Abundance of sources (OSINT, paid/subscription, private)
- Not all "threats" are relevant
- Various formats of data
- Storage and Maintenance
Managing the Data/Information
- Organizations are eager to ingest more and more
- Internal, External, or Both
- Elasticsearch, Hadoop, etc.
- Data Format Agnostic
- Fusion Centers
- Dedicated Teams
- Analyzing Events 24/7
Data/Information Goals
- Provide Context to Threats
- Enrich Events
- Correlate
- Visualize/Present
- Parse and Efficiently Index
- Through custom efforts within a specific context
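The Data/Information Goals slide lists parse and index, enrich, correlate and provide context as the things the data platform has to do with the indicators the Monitoring slides talk about. The following is an added Python example of that pipeline on a small scale; it is not code from the talk and does not use any of the tools on the Tools slide. The indicator feed, the proxy log lines, the field layout of both, and the source and confidence values are all constructed for the example; the IP addresses and domains are documentation ranges and reserved names.

```python
"""Added example, not from the talk: parse an indicator feed into an index,
enrich proxy-log events with matching indicators and their context, and
correlate hits across assets.

Assumptions (mine): the feed columns, the proxy-log line layout, the source
names and the confidence scale are constructed. Addresses use documentation
ranges (TEST-NET) and reserved example domains.
"""
import csv
import io
from collections import defaultdict

# Constructed indicator feed (CSV). 'context' is the free-text explanation
# an analyst attaches so a hit carries meaning, not just a match.
FEED = """indicator,type,source,confidence,tlp,context
203.0.113.45,ipv4,isac-feed,high,AMBER,Campaign Alpha command-and-control (constructed)
bad.example.net,domain,osint-blog,medium,GREEN,Phishing landing page (constructed)
198.51.100.7,ipv4,vendor-x,low,WHITE,Scanner seen on honeypot (constructed)
"""

# Constructed proxy log: timestamp, asset name, source IP, '->', destination
# IP, host=<domain or ->, status=<code>.
PROXY_LOG = """2015-10-01T10:00:01 ws-17 10.0.0.17 -> 203.0.113.45 host=- status=200
2015-10-01T10:00:05 ws-17 10.0.0.17 -> 198.51.100.22 host=bad.example.net status=302
2015-10-01T10:02:11 ws-42 10.0.0.42 -> 93.184.216.34 host=www.example.com status=200
2015-10-01T10:03:40 ws-08 10.0.0.8 -> 198.51.100.7 host=- status=403
"""

CONFIDENCE_RANK = {"low": 1, "medium": 2, "high": 3}


def build_index(feed_text: str) -> dict:
    """Parse the feed once and index it by (type, indicator) for O(1) lookup."""
    index = {}
    for row in csv.DictReader(io.StringIO(feed_text)):
        index[(row["type"], row["indicator"].strip().lower())] = row
    return index


def parse_proxy_line(line: str) -> dict:
    """Split one constructed proxy-log line into a structured event."""
    ts, asset, src, _arrow, dst, host_field, status_field = line.split()
    domain = host_field.split("=", 1)[1]
    return {
        "ts": ts, "asset": asset, "src": src, "dst": dst,
        "domain": None if domain == "-" else domain.lower(),
        "status": int(status_field.split("=", 1)[1]),
    }


def enrich(event: dict, index: dict) -> dict:
    """Attach every matching indicator and the highest confidence among them."""
    hits = []
    ip_hit = index.get(("ipv4", event["dst"]))
    if ip_hit:
        hits.append(ip_hit)
    if event["domain"]:
        domain_hit = index.get(("domain", event["domain"]))
        if domain_hit:
            hits.append(domain_hit)
    best = max(hits, key=lambda m: CONFIDENCE_RANK[m["confidence"]], default=None)
    return {**event, "matches": hits, "confidence": best["confidence"] if best else None}


def correlate(events: list) -> dict:
    """Pivot hits both ways: indicators per asset and assets per indicator.

    An asset that touched more than one indicator is worth a closer look than
    a single low-confidence hit, which is why it is called out separately.
    """
    by_asset, by_indicator = defaultdict(set), defaultdict(set)
    for e in events:
        for m in e["matches"]:
            by_asset[e["asset"]].add(m["indicator"])
            by_indicator[m["indicator"]].add(e["asset"])
    multi = {a for a, inds in by_asset.items() if len(inds) > 1}
    return {"assets": dict(by_asset), "indicators": dict(by_indicator),
            "multi_indicator_assets": multi}


def run(feed_text: str = FEED, log_text: str = PROXY_LOG):
    """Parse, index, enrich and correlate; returns (events, correlation)."""
    index = build_index(feed_text)
    events = [enrich(parse_proxy_line(l), index) for l in log_text.strip().splitlines()]
    return events, correlate(events)


if __name__ == "__main__":
    evts, corr = run()
    for e in evts:
        for m in e["matches"]:
            print(f"{e['ts']} {e['asset']} -> {m['indicator']} "
                  f"[{m['source']}, {m['confidence']}, TLP:{m['tlp']}] {m['context']}")
    print("assets with more than one indicator hit:", sorted(corr["multi_indicator_assets"]))
```

Two design points carry over to a real platform: index the feed once rather than scanning it per event, and keep source, confidence and TLP on every hit, because those fields are what turn a bare match into context an analyst can assess and a marking that says who may be told.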
Innovation Engineer
- Strong Unix/Linux background
- Big Data architecture and engineering experience
- Threat Intelligence background
- Data Correlation background
- Data Visualization background
- Development experience in multiple programming languages
Tools
- ELK Container – https://hub.docker.com/r/sebp/elk/
- Combine – https://github.com/sooshie/combine
- OSCAR-F – https://github.com/V12-Operations/OSCARf-public
ELK Container
Combine
Combine - Plugins
OSCAR-F
Resources/References
- http://www.robertmlee.org/
- http://digital-forensics.sans.org/blog/2015/07/09/your-threat-feed-is-not-threat-intelligence
- http://countuponsecurity.com/
- https://www.cpni.gov.uk/Documents/Publications/2015/23-March-2015-MWR_Threat_Intelligence_whitepaper-2015.pdf
- http://researchcenter.paloaltonetworks.com/2015/10/cryptowall-3-the-cyber-threat-alliance-and-the-future-of-information-sharing/
Thank You! daniel.mccauley@gmail.com @vintsurf