This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM). Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.
2. About me
- Director, AlienVault Labs
- Security Research
- Malware Analysis
- Incident response
7. The attacker's advantage
• They only need to be successful once
• Determined, skilled and often funded adversaries
• Custom malware, 0days, multiple attack vectors, social engineering
• Persistent
4. The defender's disadvantage
• They can't make a mistake
• Understaffed, jack of all trades, underfunded
• Increasingly complex IT infrastructure:
– Moving to the cloud
– Virtualization
– Bring your own device
• Prevention controls fail to block everything
• Hundreds of systems and vulnerabilities to patch
5. What is Threat Intelligence?
• Information about malicious actors
• Helps you make better decisions about defense
• Examples: IP addresses, domains, URLs, file hashes, TTPs, victims' industries, countries...
6. How can I use Threat Intelligence?
• Detect what my prevention technologies fail to block
• Security planning, threat assessment
• Improves incident response / triage
• Decide which vulnerabilities I should patch first
7. State of the art
• Most sharing is unstructured & human-to-human
• Closed groups
• Current standards require knowledge, resources and time to integrate the data
8. Standards & Tools
• IODEF: Incident Object Description Exchange Format
• MITRE:
– STIX: Structured Threat Information eXpression
– TAXII: Trusted Automated eXchange of Indicator Information
– MAEC, CAPEC, CybOX
• CIF: Collective Intelligence Framework
11. The Power of the "Crowd" for Threat Detection
Cyber criminals are using (and reusing) the same exploits against others (and you).
Sharing (and receiving) collaborative threat intelligence makes us all more secure.
Using this data, detect, flag and block attackers using indicators (Threat Intel).
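The "detect, flag and block using indicators" step above, as an added example that is not part of the talk or of OTX itself: a shared indicator set (IPs/CIDRs, domains, a file hash) is matched against log lines, and every hit is collected into a list to push to prevention controls. The indicator values, the key=value log format and all hostnames are constructed assumptions, not real indicators or OSSIM output.

```python
import ipaddress
import re

# Constructed indicator set in the style of an OTX pulse (hypothetical values: RFC 5737
# documentation addresses and a made-up 64-hex hash, not real indicators).
INDICATORS = {"ipv4": ["198.51.100.7", "203.0.113.0/24"],
              "domain": ["evil-updates.example", "bad.example"],
              "sha256": ["deadbeef" * 8]}

# Constructed key=value log lines (not real OSSIM output); the last one is clean.
LOGS = [
    "2014-03-01T10:00:01Z proxy src=10.0.0.12 dst=198.51.100.7 host=evil-updates.example",
    "2014-03-01T10:00:02Z proxy src=10.0.0.15 dst=192.0.2.44 host=cdn.bad.example",
    "2014-03-01T10:00:03Z av host=ws-07 sha256=" + "DEADBEEF" * 8 + " action=quarantine",
    "2014-03-01T10:00:04Z proxy src=10.0.0.20 dst=203.0.113.99 host=www.example.org",
    "2014-03-01T10:00:05Z proxy src=10.0.0.21 dst=192.0.2.1 host=www.example.org",
]
KV = re.compile(r"(\w+)=(\S+)")

def compile_indicators(ind):
    """Parse the feed once: CIDR networks plus lower-cased domains and hashes."""
    return {"nets": [ipaddress.ip_network(v, strict=False) for v in ind["ipv4"]],
            "domains": {d.lower() for d in ind["domain"]},
            "sha256": {h.lower() for h in ind["sha256"]}}

def match_domain(host, domains):
    """Return the indicator a host matches exactly or as a parent domain, else None."""
    host = host.lower()
    return next((d for d in domains if host == d or host.endswith("." + d)), None)

def match_line(line, feed):
    """Return (field, indicator) pairs hit by one log line; an empty list means clean."""
    f, hits = dict(KV.findall(line)), []
    for key in ("src", "dst"):
        try:
            addr = ipaddress.ip_address(f[key])
        except (KeyError, ValueError):
            continue  # field absent or not an IP address
        hits += [(key, str(n)) for n in feed["nets"] if addr in n]
    d = match_domain(f.get("host", ""), feed["domains"])
    if d:
        hits.append(("host", d))
    if f.get("sha256", "").lower() in feed["sha256"]:
        hits.append(("sha256", f["sha256"].lower()))
    return hits

def scan(logs, indicators):
    """Flag matching lines and collect the indicators to push to prevention controls."""
    feed = compile_indicators(indicators)
    flagged = {i: h for i, line in enumerate(logs) if (h := match_line(line, feed))}
    block = {v for hits in flagged.values() for _, v in hits}
    return flagged, block
```

Running `scan(LOGS, INDICATORS)` flags the first four lines and leaves the fifth untouched; the returned block set is what one member's detection contributes back for every other member to prevent.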
12. Disrupt the Incident response cycle
[Diagram: a closed loop of Prevent → Detect → Respond]
A traditional cycle ...
1. Prevents known threats.
2. Detects new threats in the environment.
3. Responds to the threats as they happen.
This isolated closed loop offers no opportunity to learn from what others have experienced: no advance notice.
16. Traditional Response
[Diagram: First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products, each going through Attack → Detect → Respond on its own]
19. A Real-Time Threat Exchange framework
[Diagram: First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products; one organization's Attack → Detect feeds the Open Threat Exchange]
Puts Preventative Response Measures in Place Through Shared Experience
20. A Real-Time Threat Exchange framework
[Diagram: the same organizations; the Open Threat Exchange pushes the Attack → Detect result out to the others]
Protects Others in the Network With the Preventative Response Measures
21. Benefits of Open Threat Exchange
Shifts the advantage from the attacker to the defender
Open and free to everyone
Each member benefits from the incidents of all other members
Automated sharing of threat data