$30 off During Our Annual Pro Sale. View Details »

Quality over Quantity: Determining Your CTI Detection Efficacy

David J. Bianco
January 21, 2019
Technology
0
260

Quality over Quantity: Determining Your CTI Detection Efficacy

[As presented at the SANS CTI Summit 2019]

You’ve collected a lot of IOCs, but is your Cyber Threat Intelligence (CTI) process serving you well? Quantity alone doesn’t tell the whole story. What kinds of intel are you collecting and how useful is it for identifying incidents? What are your strongest areas and where are your gaps? Do you know enough about your priority threats to feel confident in your detection stance against them? These are hard questions to answer, and there’s little existing guidance for answering them.

Taking a case study approach, this session will teach attendees how to use models such as the MITRE ATT&CK framework and the Pyramid of Pain to analyze and visualize the quality of their collected CTI information, not just it’s quantity.

David J. Bianco

January 21, 2019
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
11
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
150
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
25
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
200
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
120
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
37
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
920
Quality Over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
1
350
Introduction to Data Analysis with Security Onion (and Other Open Source Tools)
davidjbianco
0
1.2k

Other Decks in Technology

See All in Technology
開発生産性大幅アップ!Postman VS Code拡張機能
nagix
0
150
SmartHRのマルチプロダクト戦略実行の苦悩と挑戦
h1kita
5
3.3k
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
6
5.2k
朝起こしてくれるメイドさんが欲しい (LT) - NIFTY Tech Day 2023
niftycorp
1
110
VRの世界でLTしていく (LT) - NIFTY Tech Day 2023
niftycorp
0
110
⾃律的な開発チームを⽀えるためのSLO運⽤
sansantech
PRO
5
880
開発生産性向上へのコミットについて理解してもらうためのスライドテンプレートを作った話
ouchi2501
0
260
極力楽してKubernetes環境を構築したいwith AWS, terraform, EKS, Argo-CD
bigwheel
0
170
CI/CDプロセスの拡充からはじめる技術的負債の解消/Eliminate technical debt, starting with expanding CI/CD processes
onecareer_tech
0
620
NIKKEI COMPASSの Stripe決済フローと決済高速化の方法/20231205-compass
nikkei_engineer_recruiting
1
200
visionOSについてGlobeeが取り組んでいること
toshi0383
0
240
AutoGenで作るLLM Agen
peisuke
1
330

Featured

See All Featured
In The Pink: A Labor of Love
frogandcode
135
21k
The Brand Is Dead. Long Live the Brand.
mthomps
48
7.3k
The Art of Programming - Codeland 2020
erikaheidi
39
12k
BBQ
matthewcrist
76
8.5k
Rebuilding a faster, lazier Slack
samanthasiow
71
7.9k
Infographics Made Easy
chrislema
236
17k
Why You Should Never Use an ORM
jnunemaker
PRO
49
8.3k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
271
12k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
26
5.7k
Optimising Largest Contentful Paint
csswizardry
6
2k
Designing for Performance
lara
601
66k
Reflections from 52 weeks, 52 projects
jeffersonlam
342
19k

Transcript

  1. View Slide



  2. I’d like you to review and identify gaps in
    what we know about our high priority threat
    actors going into peak [retail season].

    View Slide





  3. View Slide

  4. Clean
    Merge
    Dump Extract
    Visualize
    IOCs TTPs

    View Slide






  5. View Slide

  6. Assigning the IOCs and TTPs to phases in MITRE’s ATT&CK™
    lifecycle model allows us to see “where” in the lifecycle we know
    the most.
    Source: attack.mitre.org

    View Slide

  7. Most of our CTI
    centers around
    the attacker’s
    process for gaining
    a foothold in the
    environment.
    We know little
    about what
    happens before or
    after.

    View Slide

  8. Assigning IOCs to the
    appropriate Pyramid
    level helps describe their
    potential volatility and
    replaceability.
    Put another way, we want to maximize our ability to increase
    the adversary’s cost of action against us.
    Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

    View Slide

  9. We’re doing pretty
    well covering most
    of the Pyramid.
    Looks like we need
    more info about
    their toolset,
    though.

    View Slide

  10. Good
    Good
    Best
    Plotting the
    lifecycle phase vs.
    Pyramid level can
    reveal not only
    current strengths,
    but also
    opportunities for
    improvement.

    View Slide

  11. Box plot of IOC
    age reveals your
    balance between
    currency and
    history.
    ”Banding” on the
    left reveals
    patterns of
    collection.
    Oldest
    Median
    Newest

    View Slide

  12. Breaking down the
    ages by lifecycle
    phase gives more
    info about how
    current we are for
    each.

    View Slide

  13. Analyzing it by
    Pyramid level is
    also useful in
    comparing IOC
    ages to volatility.
    The lower the
    level, the fresher
    your IOCs need to
    be.

    View Slide

  14. Mapping the known
    TTPs to the ATT&CK
    Enterprise Matrix
    quickly shows strengths
    and weaknesses.
    White doesn’t imply a
    gap. Maybe the actor
    doesn’t do that thing.
    I’d like to find
    something better.

    View Slide

  15. Challenge What we did
    CTI data in multiple repositories
    • Developed custom extraction for each and
    merging/deduplication logic
    • Manual review of priority actor wiki pages
    Data tracked by different repos is
    inconsistent, sometimes even when it
    looks the same (e.g., timestamps mean
    different things)
    • Analyzed using estimates and approximations
    when necessary
    • Custom merging/deduplication logic
    Converting a one-time analysis into a
    repeatable, automatable process
    • Captured code, documentation and graphs
    in a Jupyter Notebook
    • Work is still ongoing…

    View Slide







  16. View Slide



  17. View Slide