Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Quality over Quantity: Determining Your CTI Det...

David J. Bianco
January 21, 2019
Technology
0
270

Quality over Quantity: Determining Your CTI Detection Efficacy

[As presented at the SANS CTI Summit 2019]

You’ve collected a lot of IOCs, but is your Cyber Threat Intelligence (CTI) process serving you well? Quantity alone doesn’t tell the whole story. What kinds of intel are you collecting and how useful is it for identifying incidents? What are your strongest areas and where are your gaps? Do you know enough about your priority threats to feel confident in your detection stance against them? These are hard questions to answer, and there’s little existing guidance for answering them.

Taking a case study approach, this session will teach attendees how to use models such as the MITRE ATT&CK framework and the Pyramid of Pain to analyze and visualize the quality of their collected CTI information, not just it’s quantity.

David J. Bianco

January 21, 2019
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
39
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
190
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
63
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
290
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
130
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
41
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
970
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
390
Introduction to Data Analysis with Security Onion (and Other Open Source Tools)
davidjbianco
0
1.2k

Other Decks in Technology

See All in Technology
OCI Security サービス 概要
oracle4engineer
PRO
0
6.5k
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
470
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
12k
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
180
Can We Measure Developer Productivity?
ewolff
1
150
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
190
Lambda10周年!Lambdaは何をもたらしたか
smt7174
2
110
CysharpのOSS群から見るModern C#の現在地
neuecc
2
3.1k
ISUCONに強くなるかもしれない日々の過ごしかた/Findy ISUCON 2024-11-14
fujiwara3
8
870
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
280
ExaDB-D dbaascli で出来ること
oracle4engineer
PRO
0
3.8k
B2B SaaS × AI機能開発 〜テナント分離のパターン解説〜 / B2B SaaS x AI function development - Explanation of tenant separation pattern
oztick139
2
220

Featured

See All Featured
Practical Orchestrator
shlominoach
186
10k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Visualization
eitanlees
145
15k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Raft: Consensus for Rubyists
vanstee
136
6.6k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
What's in a price? How to price your products and services
michaelherold
243
12k
Fashionably flexible responsive web design (full day workshop)
malarkey
405
65k
Thoughts on Productivity
jonyablonski
67
4.3k
The Psychology of Web Performance [Beyond Tellerrand 2023]
tammyeverts
44
2.2k

Transcript

  1. None

  2. “ ” I’d like you to review and identify gaps

    in what we know about our high priority threat actors going into peak [retail season].

  3. • • • •

  4. Clean Merge Dump Extract Visualize IOCs TTPs

  5. • • • • •

  6. Assigning the IOCs and TTPs to phases in MITRE’s ATT&CK™

    lifecycle model allows us to see “where” in the lifecycle we know the most. Source: attack.mitre.org

  7. Most of our CTI centers around the attacker’s process for

    gaining a foothold in the environment. We know little about what happens before or after.

  8. Assigning IOCs to the appropriate Pyramid level helps describe their

    potential volatility and replaceability. Put another way, we want to maximize our ability to increase the adversary’s cost of action against us. Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

  9. We’re doing pretty well covering most of the Pyramid. Looks

    like we need more info about their toolset, though.

  10. Good Good Best Plotting the lifecycle phase vs. Pyramid level

    can reveal not only current strengths, but also opportunities for improvement.

  11. Box plot of IOC age reveals your balance between currency

    and history. ”Banding” on the left reveals patterns of collection. Oldest Median Newest

  12. Breaking down the ages by lifecycle phase gives more info

    about how current we are for each.

  13. Analyzing it by Pyramid level is also useful in comparing

    IOC ages to volatility. The lower the level, the fresher your IOCs need to be.

  14. Mapping the known TTPs to the ATT&CK Enterprise Matrix quickly

    shows strengths and weaknesses. White doesn’t imply a gap. Maybe the actor doesn’t do that thing. I’d like to find something better.

  15. Challenge What we did CTI data in multiple repositories •

    Developed custom extraction for each and merging/deduplication logic • Manual review of priority actor wiki pages Data tracked by different repos is inconsistent, sometimes even when it looks the same (e.g., timestamps mean different things) • Analyzed using estimates and approximations when necessary • Custom merging/deduplication logic Converting a one-time analysis into a repeatable, automatable process • Captured code, documentation and graphs in a Jupyter Notebook • Work is still ongoing…

  16. • • • • • •

  17. “ ”