SlideShare une entreprise Scribd logo

Threat Intelligence 101 - Steve Lodin - Submitted

Steve Lodin
Steve Lodin
1  sur  48
Télécharger pour lire hors ligne
Threat Intelligence 101
Getting Smarter Steve Lodin Sallie Mae Bank Director, Cyber Security Operations
Threat Intelligence 101 • Learn about Threat Intelligence • What/Why/How • Technology • Be able to evaluate your organization’s maturity • Understand some of the Gotchas
Traffic Light Protocol Before we begin… https://www.us-cert.gov/tlpWeare:
Acronyms • CND – Cyber Network Defense • CISA – Cyber Information Sharing Act • CTI – Cyber Threat Intelligence • CybOX – Cyber Observable eXpression • CTIIC - Cyber Threat Intelligence Integration Center • DGA – Domain Generation Algorithm • IOA – Indicators of Attack • IOC – Indicators of Compromise • ISAC / ISAO – Information Sharing and Analysis Center / Organization • MD5 – Message Digest v5 • MRTI – Machine Readable Threat Intelligence • NCCIC - National Cybersecurity and Communications Integration Center • OSINT – Open Source Intelligence • OTX – Open Threat eXchange • SHA1/SHA2 – Secure Hash Algorithm v1 and 2 • SIEM – Security Information and Event Management • STIX – Structured Threat Information eXchange • TAP – Threat Analytics Platform • TAXII – Trusted Automated eXchange of Indicator Infomation • TLP – Traffic Light Protocol • TTP – Tactics, Techniques, and Procedures Before we begin…
Example Threat Intelligence Before we begin… What/How Who/Why/How Investigate Implement Hunt Share
What / Why / How
Gartner – May 2013 What is Threat Intelligence? Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. What / Why / How
Where are we? What / Why / How Audience Participation: Are you aware of CTI Sharing…?
Where are we? What / Why / How Audience Participation: Do you think it is valuable…?
Why should you care? • Sobering Stats • There were 38% more cyberattacks in 2015 than in 2014, along with a 56% rise in the theft of intellectual property • In the U.S., a mind-boggling 169 million personal records were compromised, across the major sectors of financial, business, education, government and healthcare • In 2015 ISACA survey, 86% of nearly 3500 organizations believed there is a shortage of skilled IT security professionals to handle these problems What / Why / How TechRepublic Article 3/15/2016
Why should you care? • Tactical Perspective • Proactively detect or defend against attacks before they happen • Diagnose infected corporate systems • Breach Discovery • Discovery of an APT • Strategic Enhancements • Track threats targeting your company or industry • Use of Analysis to Improve Risk Assessments • Change in Defenses • Community Posture • Be a good neighbor – help support your sharing community What / Why / How
How does a company use Threat Intelligence? • Attack prevention/detection • Primary use case • Forensics • Helping to investigate attacks and compromises • Hunting • Using big data to discover anomalies What / Why / How
What “data” do you see? • Compromised Devices • Systems communicating with known bad sites and C&Cs • Malware Indicators • IOAs and IOCs • IP Reputation • Geolocation • Known bad Tor/Proxy/VPN providers • Watering Holes • Command and Control Networks • Malware origination, botnet controllers • Phishing Messages • Business Email Compromise and Email Attack Campaigns What / Why / How
Soltra What/Why/How
Pain Level David Bianco What / Why / How
What does the team do? What / Why / How What’s coming at us How we respond
What does the team do? What / Why / How Threat Intelligence Sources Security Solutions Distribute Indicators of Compromise Nothing Found Investigate Forrester Research + Steve
Here is how we handle threats! What / Why / How Sometimes that can backfire!
Sharing • Threat intelligence sharing is considered the most effective in preventing attacks. • According to respondents, an average of 39% of all hacks can be thwarted because the targeted organization engaged in the sharing of threat intelligence with its peers. • Additionally, out of all technologies available, threat intelligence sharing was cited by 55% of respondents as the most likely to prevent or curtail successful attacks. • Requires an excellent IT security infrastructure • The platform also must be part of a larger, global ecosystem that enables a constant and near real time sharing of attack information that can be used immediately to apply protections to prevent other organizations in the ecosystem from falling victim to the same or similar attacks. What / Why / How Ponemon Report: Flipping the Economics of Attacks Jan 2016
Types of Sharing • OSINT • Share with the world • ISACs • Share your attacks and IOCs with your industry peers • Anonymous • Share your attacks and IOCs with peers under no attribution • Cybersecurity Information Sharing Act • Share your data with the DHS and DOJ What / Why / How
How can you succeed? 1. Understand Threat Intelligence 2. Achieve Organizational / Leadership / Board Buy-in • Requires approval for People / Process / Technology 3. Determine Necessary Skills and Staffing • Options are internal, outsourced, MSSP 4. Buy Appropriate Technology Solutions • RFI/RFP and PoC 5. Choose the Right Feeds 6. “A Cyber Hunting We Will Go” What / Why / How
Technology
Threat Intelligence Feeds • Internal (+$0-$$$, +Info, +Private) • Security logs and network data, including DNS logs, email logs, web proxy logs, etc… • OSINT and Open Source Data ($0, +Info, +Work) • Open source intelligence (OSINT) providers comb through a multitude of information sources, looking for intelligence about possible threats against your company. • OSINT feeds give you needed intelligence to prevent attacks before they happen. • ISACs (+$, ++Industry, +Info) • Information sharing and analysis centers (ISAC) provide threat intelligence to specific industries. Examples FS-ISAC, MS-ISAC, NH-ISAC and HITRUST Cyber Threat XChange • Commercial (++$$, ++Info) • Threat intelligence feeds from commercial companies contain proprietary research determined by how the company detects threats. • Some companies focus mainly on threat intelligence streams. Other companies offer threat intelligence streams as part of an integrated suite of security services. Technology Audience Participation: Who has a team using…?
automaterPacketmailPacketmail OSINT Feed Examples Technology
OSINT & Commercial Feed Example Technology
Commercial Feed Example Technology
Anonymous Data Sharing Technology
The Big Picture Technology Soltra
Platforms • These are threat intelligence aggregation, analysis, and collaboration environments. • Provides visibility across feed sources, threat classifications, network, applications, host elements and many other threat observables. Technology
Platform Functions • Ingest threat intelligence and normalize it • Rate intelligence sources (over time) • Provide an analyst workspace • Provide visualization and pivoting • Provide enrichment • Enable internal and external collaboration/sharing Technology
ThreatConnect Level 4 – Well-defined Threat Intelligence Program Operational and Strategic Operational Playbooks, C-level Alignment, Integration with Biz, IT, Sec Leading Industry and/or Technology TI Community Level 3 – Threat Intelligence Platform in Place Dedicated Personnel, Multi-tier People/Process/Tech Bi-directional Sharing, Participation in ISAC Level 2 – Expanding Threat Intelligence Capabilities Team and SOC Threat Intelligence Platform Hunt and Respond, Internal and External Level 1 – Warming up to Threat Intelligence Small Team Some Automation Internal Focus Level 0 - Unclear where to start No Team Manual, incident based efforts Internal Focus Maturity
Hunting Maturity Model Maturity David Bianco – Oct 2015
Gotchas
Overloading the team • To say that the threat landscape is overwhelming is the understatement of the year. Targeted attacks are on the rise with increasing sophistication, and our detection and response capabilities are woefully inadequate. Advanced persistent threats, espionage, spear phishing, and disrupted denial of service attacks dominate the headlines. Gotchas
Got Intelligence? Now what? • When the incoming sources start adding up, how do you manage that efficiently? • Need to scale up to a platform • Wouldn’t it be easier to have high confidence threat indicators loaded into your security systems for detection and immediately take action? • Orchestration • Easier said than done Gotchas
Things are not always as they seem • Location, Reputation, and Confidence Conflicts • Indicators can age Gotchas
Things are not always as they seem • Over compensating for every threat that may not impact your company Gotchas
There is no silver bullet • Quality matters more than quantity when choosing feeds • It's Not What You Know, It's What You Do With It • It’s not so much the collection or processing of intelligence. • It's the communication of intelligence between different areas of the organization. Red teams, security operations centers (SOCs), incident response (IR), vulnerability management… Gotchas
Closing
Threat intelligence cannot be bought Rather, the threat intelligence journey is a multistep road map 1) lays a solid foundation of essential capabilities 2) establishes buy-in 3) identifies required staffing and skill levels 4) establishes your intelligence sources 5) drives actionnable intelligence Closing
Possible Solution Providers Closing Forrester Research 2015
Research Closing https://www.mindmeister.com/de/137280416/information-security-technologies-markets
Why (or Why Not)? Closing Audience Participation: Do you feel stronger now about using TI than when we started today...? Is TI more valuable now?
Why? The power of threat intelligence is it allows somebody else's detection to be your prevention. Orchestration and bi- directional participation signals growing in maturity. Closing Median Days to Breach Detection FireEye/Mandiant
Questions? Closing
Thank you! Email: Steve.Lodin@SallieMae.com Twitter: @stevelodin LinkedIn: http://www.linkedin.com/in/stevelodin

Recommandé

Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat IntelligenceSirius
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghOWASP Delhi
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence WorkshopPriyanka Aash
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat IntelligenceNTT Innovation Institute Inc.
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat IntelligenceDeepak Kumar (D3)
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 

Recommandé

Cyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersCyber Threat Hunting: Identify and Hunt Down Intruders
Cyber Threat Hunting: Identify and Hunt Down IntrudersInfosec
 
6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat Intelligence6 Steps for Operationalizing Threat Intelligence
6 Steps for Operationalizing Threat IntelligenceSirius
 
Cyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghCyber threat Intelligence and Incident Response by:-Sandeep Singh
Cyber threat Intelligence and Incident Response by:-Sandeep SinghOWASP Delhi
 
What is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityWhat is Threat Hunting? - Panda Security
What is Threat Hunting? - Panda SecurityPanda Security
 
Threat Intelligence Workshop
Threat Intelligence WorkshopThreat Intelligence Workshop
Threat Intelligence WorkshopPriyanka Aash
 
Global Cyber Threat Intelligence
Global Cyber Threat IntelligenceGlobal Cyber Threat Intelligence
Global Cyber Threat IntelligenceNTT Innovation Institute Inc.
 
Threat Intelligence
Threat IntelligenceThreat Intelligence
Threat IntelligenceDeepak Kumar (D3)
 
Threat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonThreat hunting - Every day is hunting season
Threat hunting - Every day is hunting seasonBen Boyd
 
Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceMarlabs
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxInfosec
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxAbimbolaFisher1
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Threat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesThreat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesLearningwithRayYT
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations centerCMR WORLD TECH
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 
KAIST 전산학과 iDBLab 소개 20130319-발표용
KAIST 전산학과 iDBLab 소개 20130319-발표용KAIST 전산학과 iDBLab 소개 20130319-발표용
KAIST 전산학과 iDBLab 소개 20130319-발표용Taehun Kim, Ph.D
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingPriyanka Aash
 

Contenu connexe

Tendances

Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceDhruv Majumdar
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceMarlabs
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsIain Dickson
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat IntelligenceZaiffiEhsan
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopDigit Oktavianto
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmPriyanka Aash
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report Morane Decriem
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You AreKatie Nickels
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghOWASP Delhi
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتReZa AdineH
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for BeginnersSKMohamedKasim
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceMITRE - ATT&CKcon
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxInfosec
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxAbimbolaFisher1
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1Priyanka Aash
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)Ahmed Ayman
 
Threat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesThreat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesLearningwithRayYT
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations centerCMR WORLD TECH
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation CenterS.E. CTS CERT-GOV-MD
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)Shah Sheikh
 

Tendances (20)

Effective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat IntelligenceEffective Threat Hunting with Tactical Threat Intelligence
Effective Threat Hunting with Tactical Threat Intelligence
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feedsCyber Threat Intelligence - It's not just about the feeds
Cyber Threat Intelligence - It's not just about the feeds
 
Cyber Threat Intelligence
Cyber Threat IntelligenceCyber Threat Intelligence
Cyber Threat Intelligence
 
Cyber Threat Hunting Workshop
Cyber Threat Hunting WorkshopCyber Threat Hunting Workshop
Cyber Threat Hunting Workshop
 
From SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity ChasmFrom SIEM to SOC: Crossing the Cybersecurity Chasm
From SIEM to SOC: Crossing the Cybersecurity Chasm
 
Threat Hunting Report
Threat Hunting Report Threat Hunting Report
Threat Hunting Report
 
Putting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You ArePutting MITRE ATT&CK into Action with What You Have, Where You Are
Putting MITRE ATT&CK into Action with What You Have, Where You Are
 
Threat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep SinghThreat hunting 101 by Sandeep Singh
Threat hunting 101 by Sandeep Singh
 
Security operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیتSecurity operations center-SOC Presentation-مرکز عملیات امنیت
Security operations center-SOC Presentation-مرکز عملیات امنیت
 
Threat hunting for Beginners
Threat hunting for BeginnersThreat hunting for Beginners
Threat hunting for Beginners
 
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat IntelligenceATTACKers Think in Graphs: Building Graphs for Threat Intelligence
ATTACKers Think in Graphs: Building Graphs for Threat Intelligence
 
Threat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptxThreat hunting foundations: People, process and technology.pptx
Threat hunting foundations: People, process and technology.pptx
 
Cyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptxCyber Threat Intelligence.pptx
Cyber Threat Intelligence.pptx
 
SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1SOC Architecture Workshop - Part 1
SOC Architecture Workshop - Part 1
 
Security operation center (SOC)
Security operation center (SOC)Security operation center (SOC)
Security operation center (SOC)
 
Threat Intelligence & Threat research Sources
Threat Intelligence & Threat research SourcesThreat Intelligence & Threat research Sources
Threat Intelligence & Threat research Sources
 
Strategy considerations for building a security operations center
Strategy considerations for building a security operations centerStrategy considerations for building a security operations center
Strategy considerations for building a security operations center
 
Building Security Operation Center
Building Security Operation CenterBuilding Security Operation Center
Building Security Operation Center
 
DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)DTS Solution - Building a SOC (Security Operations Center)
DTS Solution - Building a SOC (Security Operations Center)
 

En vedette

KAIST 전산학과 iDBLab 소개 20130319-발표용
KAIST 전산학과 iDBLab 소개 20130319-발표용KAIST 전산학과 iDBLab 소개 20130319-발표용
KAIST 전산학과 iDBLab 소개 20130319-발표용Taehun Kim, Ph.D
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingPriyanka Aash
 
Honeycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsHoneycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsF _
 
Michael W. Meissner - Cyber Security Engineering Biography
Michael W. Meissner - Cyber Security Engineering BiographyMichael W. Meissner - Cyber Security Engineering Biography
Michael W. Meissner - Cyber Security Engineering BiographyMichael W. Meissner, RCDD
 
Graph visualization options and latest developments
Graph visualization options and latest developmentsGraph visualization options and latest developments
Graph visualization options and latest developmentsLinkurious
 
Visualize Big Graph Data
Visualize Big Graph DataVisualize Big Graph Data
Visualize Big Graph DataMathieu Bastian
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsMark Arena
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextDavid Sweigert
 

En vedette (8)

KAIST 전산학과 iDBLab 소개 20130319-발표용
KAIST 전산학과 iDBLab 소개 20130319-발표용KAIST 전산학과 iDBLab 소개 20130319-발표용
KAIST 전산학과 iDBLab 소개 20130319-발표용
 
Threat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty TrainingThreat Intelligence Is Like Three Day Potty Training
Threat Intelligence Is Like Three Day Potty Training
 
Honeycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feedsHoneycon2014: Mining IoCs from Honeypot data feeds
Honeycon2014: Mining IoCs from Honeypot data feeds
 
Michael W. Meissner - Cyber Security Engineering Biography
Michael W. Meissner - Cyber Security Engineering BiographyMichael W. Meissner - Cyber Security Engineering Biography
Michael W. Meissner - Cyber Security Engineering Biography
 
Graph visualization options and latest developments
Graph visualization options and latest developmentsGraph visualization options and latest developments
Graph visualization options and latest developments
 
Visualize Big Graph Data
Visualize Big Graph DataVisualize Big Graph Data
Visualize Big Graph Data
 
Cyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metricsCyber threat intelligence: maturity and metrics
Cyber threat intelligence: maturity and metrics
 
SABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 contextSABSA vs. TOGAF in a RMF NIST 800-30 context
SABSA vs. TOGAF in a RMF NIST 800-30 context
 

Similaire à Threat Intelligence 101 - Steve Lodin - Submitted

Threat Intelligence Making your Bespoke Security Operations Centre Work for Y...
Threat Intelligence Making your Bespoke Security Operations Centre Work for Y...Threat Intelligence Making your Bespoke Security Operations Centre Work for Y...
Threat Intelligence Making your Bespoke Security Operations Centre Work for Y...maximumnetworks
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceSurfWatch Labs
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planCameron Forbes Over
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planCameron Forbes Over
 
Threat intelligence life cycle steps by steps
Threat intelligence life cycle steps by stepsThreat intelligence life cycle steps by steps
Threat intelligence life cycle steps by stepsJayeshGadhave1
 
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015Andreas Sfakianakis
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeAaron White
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Karl Kispert
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceResilient Systems
 
2015 Cyber Security
2015 Cyber Security2015 Cyber Security
2015 Cyber SecurityAllen Zhang
 
CYB205-1 Evolving Threat Landscapes_01.pdf
CYB205-1 Evolving Threat Landscapes_01.pdfCYB205-1 Evolving Threat Landscapes_01.pdf
CYB205-1 Evolving Threat Landscapes_01.pdfssuser4db968
 
CYB205-1 Evolving Threat Landscapes_01.pptx
CYB205-1 Evolving Threat Landscapes_01.pptxCYB205-1 Evolving Threat Landscapes_01.pptx
CYB205-1 Evolving Threat Landscapes_01.pptxssuser4db968
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessSirius
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence pptKumar Gaurav
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with aiBurhan Ahmed
 
Managed Security Operations Centre Alternative - Managed Security Service
Managed Security Operations Centre Alternative - Managed Security Service Managed Security Operations Centre Alternative - Managed Security Service
Managed Security Operations Centre Alternative - Managed Security Service Netpluz Asia Pte Ltd
 

Similaire à Threat Intelligence 101 - Steve Lodin - Submitted (20)

Threat Intelligence Making your Bespoke Security Operations Centre Work for Y...
Threat Intelligence Making your Bespoke Security Operations Centre Work for Y...Threat Intelligence Making your Bespoke Security Operations Centre Work for Y...
Threat Intelligence Making your Bespoke Security Operations Centre Work for Y...
 
How to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital PresenceHow to Mitigate Risk From Your Expanding Digital Presence
How to Mitigate Risk From Your Expanding Digital Presence
 
Threat intelligence minority report
Threat intelligence minority reportThreat intelligence minority report
Threat intelligence minority report
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
Final presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit planFinal presentation january iia cybersecurity securing your 2016 audit plan
Final presentation january iia cybersecurity securing your 2016 audit plan
 
Threat intelligence life cycle steps by steps
Threat intelligence life cycle steps by stepsThreat intelligence life cycle steps by steps
Threat intelligence life cycle steps by steps
 
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon MurphyNTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
NTXISSACSC2 - Top Ten Trends in TRM by Jon Murphy
 
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
Threat Intelligence: State-of-the-art and Trends - Secure South West 2015
 
13734729.ppt
13734729.ppt13734729.ppt
13734729.ppt
 
Cyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat LandscapeCyber-Espionage: Understanding the Advanced Threat Landscape
Cyber-Espionage: Understanding the Advanced Threat Landscape
 
Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016Aujas incident management webinar deck 08162016
Aujas incident management webinar deck 08162016
 
How To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat IntelligenceHow To Turbo-Charge Incident Response With Threat Intelligence
How To Turbo-Charge Incident Response With Threat Intelligence
 
2015 Cyber Security
2015 Cyber Security2015 Cyber Security
2015 Cyber Security
 
CYB205-1 Evolving Threat Landscapes_01.pdf
CYB205-1 Evolving Threat Landscapes_01.pdfCYB205-1 Evolving Threat Landscapes_01.pdf
CYB205-1 Evolving Threat Landscapes_01.pdf
 
CYB205-1 Evolving Threat Landscapes_01.pptx
CYB205-1 Evolving Threat Landscapes_01.pptxCYB205-1 Evolving Threat Landscapes_01.pptx
CYB205-1 Evolving Threat Landscapes_01.pptx
 
Optimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to SuccessOptimizing Security Operations: 5 Keys to Success
Optimizing Security Operations: 5 Keys to Success
 
Cyber threat intelligence ppt
Cyber threat intelligence pptCyber threat intelligence ppt
Cyber threat intelligence ppt
 
Cyber security with ai
Cyber security with aiCyber security with ai
Cyber security with ai
 
Ctia course outline
Ctia course outlineCtia course outline
Ctia course outline
 
Managed Security Operations Centre Alternative - Managed Security Service
Managed Security Operations Centre Alternative - Managed Security Service Managed Security Operations Centre Alternative - Managed Security Service
Managed Security Operations Centre Alternative - Managed Security Service
 

Threat Intelligence 101 - Steve Lodin - Submitted

  • 2. Getting Smarter Steve Lodin Sallie Mae Bank Director, Cyber Security Operations
  • 3. Threat Intelligence 101 • Learn about Threat Intelligence • What/Why/How • Technology • Be able to evaluate your organization’s maturity • Understand some of the Gotchas
  • 4. Traffic Light Protocol Before we begin… https://www.us-cert.gov/tlpWeare:
  • 5. Acronyms • CND – Cyber Network Defense • CISA – Cyber Information Sharing Act • CTI – Cyber Threat Intelligence • CybOX – Cyber Observable eXpression • CTIIC - Cyber Threat Intelligence Integration Center • DGA – Domain Generation Algorithm • IOA – Indicators of Attack • IOC – Indicators of Compromise • ISAC / ISAO – Information Sharing and Analysis Center / Organization • MD5 – Message Digest v5 • MRTI – Machine Readable Threat Intelligence • NCCIC - National Cybersecurity and Communications Integration Center • OSINT – Open Source Intelligence • OTX – Open Threat eXchange • SHA1/SHA2 – Secure Hash Algorithm v1 and 2 • SIEM – Security Information and Event Management • STIX – Structured Threat Information eXchange • TAP – Threat Analytics Platform • TAXII – Trusted Automated eXchange of Indicator Infomation • TLP – Traffic Light Protocol • TTP – Tactics, Techniques, and Procedures Before we begin…
  • 6. Example Threat Intelligence Before we begin… What/How Who/Why/How Investigate Implement Hunt Share
  • 7. What / Why / How
  • 8. Gartner – May 2013 What is Threat Intelligence? Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. What / Why / How
  • 9. Where are we? What / Why / How Audience Participation: Are you aware of CTI Sharing…?
  • 10. Where are we? What / Why / How Audience Participation: Do you think it is valuable…?
  • 11. Why should you care? • Sobering Stats • There were 38% more cyberattacks in 2015 than in 2014, along with a 56% rise in the theft of intellectual property • In the U.S., a mind-boggling 169 million personal records were compromised, across the major sectors of financial, business, education, government and healthcare • In 2015 ISACA survey, 86% of nearly 3500 organizations believed there is a shortage of skilled IT security professionals to handle these problems What / Why / How TechRepublic Article 3/15/2016
  • 12. Why should you care? • Tactical Perspective • Proactively detect or defend against attacks before they happen • Diagnose infected corporate systems • Breach Discovery • Discovery of an APT • Strategic Enhancements • Track threats targeting your company or industry • Use of Analysis to Improve Risk Assessments • Change in Defenses • Community Posture • Be a good neighbor – help support your sharing community What / Why / How
  • 13. How does a company use Threat Intelligence? • Attack prevention/detection • Primary use case • Forensics • Helping to investigate attacks and compromises • Hunting • Using big data to discover anomalies What / Why / How
  • 14. What “data” do you see? • Compromised Devices • Systems communicating with known bad sites and C&Cs • Malware Indicators • IOAs and IOCs • IP Reputation • Geolocation • Known bad Tor/Proxy/VPN providers • Watering Holes • Command and Control Networks • Malware origination, botnet controllers • Phishing Messages • Business Email Compromise and Email Attack Campaigns What / Why / How
  • 17. What does the team do? What / Why / How What’s coming at us How we respond
  • 18. What does the team do? What / Why / How Threat Intelligence Sources Security Solutions Distribute Indicators of Compromise Nothing Found Investigate Forrester Research + Steve
  • 19. Here is how we handle threats! What / Why / How Sometimes that can backfire!
  • 20. Sharing • Threat intelligence sharing is considered the most effective in preventing attacks. • According to respondents, an average of 39% of all hacks can be thwarted because the targeted organization engaged in the sharing of threat intelligence with its peers. • Additionally, out of all technologies available, threat intelligence sharing was cited by 55% of respondents as the most likely to prevent or curtail successful attacks. • Requires an excellent IT security infrastructure • The platform also must be part of a larger, global ecosystem that enables a constant and near real time sharing of attack information that can be used immediately to apply protections to prevent other organizations in the ecosystem from falling victim to the same or similar attacks. What / Why / How Ponemon Report: Flipping the Economics of Attacks Jan 2016
  • 21. Types of Sharing • OSINT • Share with the world • ISACs • Share your attacks and IOCs with your industry peers • Anonymous • Share your attacks and IOCs with peers under no attribution • Cybersecurity Information Sharing Act • Share your data with the DHS and DOJ What / Why / How
  • 22. How can you succeed? 1. Understand Threat Intelligence 2. Achieve Organizational / Leadership / Board Buy-in • Requires approval for People / Process / Technology 3. Determine Necessary Skills and Staffing • Options are internal, outsourced, MSSP 4. Buy Appropriate Technology Solutions • RFI/RFP and PoC 5. Choose the Right Feeds 6. “A Cyber Hunting We Will Go” What / Why / How
  • 24. Threat Intelligence Feeds • Internal (+$0-$$$, +Info, +Private) • Security logs and network data, including DNS logs, email logs, web proxy logs, etc… • OSINT and Open Source Data ($0, +Info, +Work) • Open source intelligence (OSINT) providers comb through a multitude of information sources, looking for intelligence about possible threats against your company. • OSINT feeds give you needed intelligence to prevent attacks before they happen. • ISACs (+$, ++Industry, +Info) • Information sharing and analysis centers (ISAC) provide threat intelligence to specific industries. Examples FS-ISAC, MS-ISAC, NH-ISAC and HITRUST Cyber Threat XChange • Commercial (++$$, ++Info) • Threat intelligence feeds from commercial companies contain proprietary research determined by how the company detects threats. • Some companies focus mainly on threat intelligence streams. Other companies offer threat intelligence streams as part of an integrated suite of security services. Technology Audience Participation: Who has a team using…?
  • 26. OSINT & Commercial Feed Example Technology
  • 30. Platforms • These are threat intelligence aggregation, analysis, and collaboration environments. • Provides visibility across feed sources, threat classifications, network, applications, host elements and many other threat observables. Technology
  • 31. Platform Functions • Ingest threat intelligence and normalize it • Rate intelligence sources (over time) • Provide an analyst workspace • Provide visualization and pivoting • Provide enrichment • Enable internal and external collaboration/sharing Technology
  • 32.
  • 33. ThreatConnect Level 4 – Well-defined Threat Intelligence Program Operational and Strategic Operational Playbooks, C-level Alignment, Integration with Biz, IT, Sec Leading Industry and/or Technology TI Community Level 3 – Threat Intelligence Platform in Place Dedicated Personnel, Multi-tier People/Process/Tech Bi-directional Sharing, Participation in ISAC Level 2 – Expanding Threat Intelligence Capabilities Team and SOC Threat Intelligence Platform Hunt and Respond, Internal and External Level 1 – Warming up to Threat Intelligence Small Team Some Automation Internal Focus Level 0 - Unclear where to start No Team Manual, incident based efforts Internal Focus Maturity
  • 36. Overloading the team • To say that the threat landscape is overwhelming is the understatement of the year. Targeted attacks are on the rise with increasing sophistication, and our detection and response capabilities are woefully inadequate. Advanced persistent threats, espionage, spear phishing, and disrupted denial of service attacks dominate the headlines. Gotchas
  • 37. Got Intelligence? Now what? • When the incoming sources start adding up, how do you manage that efficiently? • Need to scale up to a platform • Wouldn’t it be easier to have high confidence threat indicators loaded into your security systems for detection and immediately take action? • Orchestration • Easier said than done Gotchas
  • 38. Things are not always as they seem • Location, Reputation, and Confidence Conflicts • Indicators can age Gotchas
  • 39. Things are not always as they seem • Over compensating for every threat that may not impact your company Gotchas
  • 40. There is no silver bullet • Quality matters more than quantity when choosing feeds • It's Not What You Know, It's What You Do With It • It’s not so much the collection or processing of intelligence. • It's the communication of intelligence between different areas of the organization. Red teams, security operations centers (SOCs), incident response (IR), vulnerability management… Gotchas
  • 42. Threat intelligence cannot be bought Rather, the threat intelligence journey is a multistep road map 1) lays a solid foundation of essential capabilities 2) establishes buy-in 3) identifies required staffing and skill levels 4) establishes your intelligence sources 5) drives actionnable intelligence Closing
  • 45. Why (or Why Not)? Closing Audience Participation: Do you feel stronger now about using TI than when we started today...? Is TI more valuable now?
  • 46. Why? The power of threat intelligence is it allows somebody else's detection to be your prevention. Orchestration and bi- directional participation signals growing in maturity. Closing Median Days to Breach Detection FireEye/Mandiant
  • 48. Thank you! Email: Steve.Lodin@SallieMae.com Twitter: @stevelodin LinkedIn: http://www.linkedin.com/in/stevelodin