Intelligent Intelligence: Secrets to Threat Intel Success

Transcript

1. Target. Hunt. Disrupt. INTELLIGENT INTELLIGENCE Secrets to Threat Intel Success

2. © 2016 Sqrrl | All Rights Reserved ABOUT ME Security

   Technologist at Sqrrl. Research areas include threat intelligence, security analytics and the art & science of hunting. 15 years of detection & response experience in government, research, educational and corporate arenas. A founding member of a Fortune 5’s CIRT. Spent 5 years helping to build a global detection & response capability (500+ sensors, 5PB PCAP , 4TB logs/day).

3. THREAT INTEL SECRETS Threat Intel is not about finding bad

   guys You have less intel than you think Every workflow is an intel workflow © 2016 Sqrrl | All Rights Reserved

4. Target. Hunt. Disrupt. SECRET #1: THREAT INTEL IS NOT ABOUT

   FINDING BAD GUYS The best offense is a great defense!

5. WACKY WALL WALKER INTEL © 2016 Sqrrl | All Rights

   Reserved Throw everything at the wall & see what sticks! “Deploy every fact we know to every detection platform we have” The most common strategy for those getting started with threat intel. Too bad it’s the WRONG strategy! • Too many alerts • Lack of context means near 100% FP rate • Any real events are guaranteed to be lost in the noise

6. WACKY WALL WALKER INTEL © 2016 Sqrrl | All Rights

   Reserved Throw everything at the wall & see what sticks! “Deploy every fact we know to every detection platform we have” The most common strategy for those getting started with threat intel. Too bad it’s the WRONG strategy! • Too many alerts • Lack of context means near 100% FP rate • Any real events are guaranteed to be lost in the noise

7. © 2016 Sqrrl | All Rights Reserved OBJECTIVE: BRING THE

   FIGHT TO THEM The Pyramid of Pain When you quickly detect, respond to and disrupt your adversaries’ activities, you shift the burden back to them. They have to expend more resources to accomplish their mission. Defense becomes offense. http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

8. Target. Hunt. Disrupt. SECRET #2:YOU HAVE LESS INTEL THAN YOU

   THINK “You keep using that word. I do not think it means what you think it means.”

9. © 2016 Sqrrl | All Rights Reserved

10. © 2016 Sqrrl | All Rights Reserved DON’T CONFUSE “DATA”

    WITH “INTEL” Intel is what data wants to be when it grows up Direct Collect Analyze Disseminate Direction What you need intel about Collection Gathering the necessary raw data Analysis Applying expert knowledge to produce a finished product Dissemination Getting intel into the right hands.

11. © 2016 Sqrrl | All Rights Reserved DON’T CONFUSE “DATA”

    WITH “INTEL” Intel is what data wants to be when it grows up Direct Collect Analyze Disseminate Most people think this is threat intel. “Ok, we got the list of bad domains from our feed. Put it into the SIEM!”

12. © 2016 Sqrrl | All Rights Reserved DON’T CONFUSE “DATA”

    WITH “INTEL” Intel is what data wants to be when it grows up Direct Collect Analyze Disseminate In fact, this is the really critical part! Humans are necessary to • Examine all the facts in combination • Apply expert knowledge and experience • Resolve conflicts • Distill & contextualize

13. Target. Hunt. Disrupt. SECRET #3: EVERY WORKFLOW IS AN INTEL

    WORKFLOW Intel, like the Force, surrounds us and binds our work together.

14. © 2016 Sqrrl | All Rights Reserved THE INTEL CYCLE

    How the data sausage is made Direct Collect Analyze Disseminate

15. © 2016 Sqrrl | All Rights Reserved THE AUTOMATED DETECTION

    CYCLE Computers telling humans what to pay attention to Observe Compare Alert Validate

16. © 2016 Sqrrl | All Rights Reserved THE INCIDENT RESPONSE

    CYCLE Zen and the Art of Getting Back Into Production Contain Investigate Remediate

17. © 2016 Sqrrl | All Rights Reserved THE THREAT HUNTING

    CYCLE Incident Detection met Data Science and fell in love… Hypothesize Test Discover Automate http://blog.sqrrl.com/the-threat-hunting-reference-model-part-2-the-hunting- loop

18. © 2016 Sqrrl | All Rights Reserved INTEL-DRIVEN OPERATIONS Direct

    Collect Analyze Disseminate Observe Compare Alert Validate Contain Investigate Remediate Hypothesize Investigate Discover Automate Incident Data Detection Improvements Intel Automated Detection Incident Response Hunting

19. © 2016 Sqrrl | All Rights Reserved INTEL-DRIVEN OPERATIONS Direct

    Collect Analyze Disseminate Observe Compare Alert Validate Contain Investigate Remediate Hypothesize Investigate Discover Automate Incident Data Detection Improvements Intel Automated Detection Incident Response Hunting

20. THREAT INTEL SECRETS Threat Intel is not about finding bad

    guys You have less intel than you think Every workflow is an intel workflow © 2016 Sqrrl | All Rights Reserved

21. QUESTIONS? © 2016 Sqrrl | All Rights Reserved David J.

    Bianco [email protected] @DavidJBianco