Intelligent Intelligence: Secrets to Threat Intel Success

Intelligent Intelligence: Secrets to Threat Intel Success

Those of us tasked with defending networks are lucky to live in a time when there is so much information floating around about our adversaries, their goals, techniques and tools. The sheer amount of information that’s readily available, though, can present a problem of it’s own: overload. From reports to indicator feeds to samples of malicious files, there’s just so much raw data available that it’s often not clear which pieces will have the most impact on our ability to resist our adversaries. Using them all indiscriminately leads to piles of ignored alerts, swamped analysts and undetected attacks. However, by making smart choices about which pieces of information we use, we can both reduce the burden on the defender and increase the cost of the adversary’s attacks, making it harder for them to operate against us. Join us to hear about a smarter, goal-driven approach to using threat intelligence intelligently as we discuss “Secrets to Threat Intel Success”.

49d635b47da1fee5d0972745390e0633?s=128

David J. Bianco

January 12, 2016
Tweet

Transcript

  1. Target. Hunt. Disrupt. INTELLIGENT INTELLIGENCE Secrets to Threat Intel Success

  2. © 2016 Sqrrl | All Rights Reserved ABOUT ME Security

    Technologist at Sqrrl. Research areas include threat intelligence, security analytics and the art & science of hunting. 15 years of detection & response experience in government, research, educational and corporate arenas. A founding member of a Fortune 5’s CIRT. Spent 5 years helping to build a global detection & response capability (500+ sensors, 5PB PCAP , 4TB logs/day).
  3. THREAT INTEL SECRETS Threat Intel is not about finding bad

    guys You have less intel than you think Every workflow is an intel workflow © 2016 Sqrrl | All Rights Reserved
  4. Target. Hunt. Disrupt. SECRET #1: THREAT INTEL IS NOT ABOUT

    FINDING BAD GUYS The best offense is a great defense!
  5. WACKY WALL WALKER INTEL © 2016 Sqrrl | All Rights

    Reserved Throw everything at the wall & see what sticks! “Deploy every fact we know to every detection platform we have” The most common strategy for those getting started with threat intel. Too bad it’s the WRONG strategy! • Too many alerts • Lack of context means near 100% FP rate • Any real events are guaranteed to be lost in the noise
  6. WACKY WALL WALKER INTEL © 2016 Sqrrl | All Rights

    Reserved Throw everything at the wall & see what sticks! “Deploy every fact we know to every detection platform we have” The most common strategy for those getting started with threat intel. Too bad it’s the WRONG strategy! • Too many alerts • Lack of context means near 100% FP rate • Any real events are guaranteed to be lost in the noise
  7. © 2016 Sqrrl | All Rights Reserved OBJECTIVE: BRING THE

    FIGHT TO THEM The Pyramid of Pain When you quickly detect, respond to and disrupt your adversaries’ activities, you shift the burden back to them. They have to expend more resources to accomplish their mission. Defense becomes offense. http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  8. Target. Hunt. Disrupt. SECRET #2:YOU HAVE LESS INTEL THAN YOU

    THINK “You keep using that word. I do not think it means what you think it means.”
  9. © 2016 Sqrrl | All Rights Reserved

  10. © 2016 Sqrrl | All Rights Reserved DON’T CONFUSE “DATA”

    WITH “INTEL” Intel is what data wants to be when it grows up Direct Collect Analyze Disseminate Direction What you need intel about Collection Gathering the necessary raw data Analysis Applying expert knowledge to produce a finished product Dissemination Getting intel into the right hands.
  11. © 2016 Sqrrl | All Rights Reserved DON’T CONFUSE “DATA”

    WITH “INTEL” Intel is what data wants to be when it grows up Direct Collect Analyze Disseminate Most people think this is threat intel. “Ok, we got the list of bad domains from our feed. Put it into the SIEM!”
  12. © 2016 Sqrrl | All Rights Reserved DON’T CONFUSE “DATA”

    WITH “INTEL” Intel is what data wants to be when it grows up Direct Collect Analyze Disseminate In fact, this is the really critical part! Humans are necessary to • Examine all the facts in combination • Apply expert knowledge and experience • Resolve conflicts • Distill & contextualize
  13. Target. Hunt. Disrupt. SECRET #3: EVERY WORKFLOW IS AN INTEL

    WORKFLOW Intel, like the Force, surrounds us and binds our work together.
  14. © 2016 Sqrrl | All Rights Reserved THE INTEL CYCLE

    How the data sausage is made Direct Collect Analyze Disseminate
  15. © 2016 Sqrrl | All Rights Reserved THE AUTOMATED DETECTION

    CYCLE Computers telling humans what to pay attention to Observe Compare Alert Validate
  16. © 2016 Sqrrl | All Rights Reserved THE INCIDENT RESPONSE

    CYCLE Zen and the Art of Getting Back Into Production Contain Investigate Remediate
  17. © 2016 Sqrrl | All Rights Reserved THE THREAT HUNTING

    CYCLE Incident Detection met Data Science and fell in love… Hypothesize Test Discover Automate http://blog.sqrrl.com/the-threat-hunting-reference-model-part-2-the-hunting- loop
  18. © 2016 Sqrrl | All Rights Reserved INTEL-DRIVEN OPERATIONS Direct

    Collect Analyze Disseminate Observe Compare Alert Validate Contain Investigate Remediate Hypothesize Investigate Discover Automate Incident Data Detection Improvements Intel Automated Detection Incident Response Hunting
  19. © 2016 Sqrrl | All Rights Reserved INTEL-DRIVEN OPERATIONS Direct

    Collect Analyze Disseminate Observe Compare Alert Validate Contain Investigate Remediate Hypothesize Investigate Discover Automate Incident Data Detection Improvements Intel Automated Detection Incident Response Hunting
  20. THREAT INTEL SECRETS Threat Intel is not about finding bad

    guys You have less intel than you think Every workflow is an intel workflow © 2016 Sqrrl | All Rights Reserved
  21. QUESTIONS? © 2016 Sqrrl | All Rights Reserved David J.

    Bianco dbianco@sqrrl.com @DavidJBianco