Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Quality Over Quantity: Determining Your CTI Det...

David J. Bianco
March 20, 2019
Technology
1
390

Quality Over Quantity: Determining Your CTI Detection Efficacy

You’ve collected a lot of IOCs, but is your Cyber Threat Intelligence (CTI) process serving you well? Quantity alone doesn’t tell the whole story. What kinds of intel are you collecting and how useful is it for identifying incidents? What are your strongest areas and where are your gaps? Do you know enough about your priority threats to feel confident in your detection stance against them? These are hard questions to answer, and there’s little existing guidance for answering them.

Taking a case study approach, this session will teach attendees how to use models such as the MITRE ATT&CK framework and the Pyramid of Pain to analyze and visualize the quality of their collected CTI information, not just it’s quantity.

Attendees will learn:
1) How to load, normalize, and merge IOC data from disparate sources in your environment to make it ready for analysis
2) How to enrich the data with information from the Pyramid of Pain and the ATT&CK framework
3) How to visualize your collected threat intel to validate your collection strategy, to identify CTI strengths, and to prioritize closing collection gaps
4) Why you should do these things on a regular basis

David J. Bianco

March 20, 2019
Tweet

More Decks by David J. Bianco

See All by David J. Bianco
Generative AI in Cybersecurity: Rise of the Machines?
davidjbianco
0
39
Trust Unearned? Evaluating CA Trustworthiness Across 5 Billion Certificates
davidjbianco
0
190
Five Lies & a Truth: Attacking the Defender's Dilemma
davidjbianco
0
63
Five Lies and a Truth: Attacking the Defender's Dilemma
davidjbianco
0
290
Developers: What Your Security Team Wishes You Knew (And It's Not Secure Coding!)
davidjbianco
0
130
Raising the Tide: Driving Improvement in Security by Being a Good Human
davidjbianco
0
41
Evolving the Hunt: A Case Study in Improving a Mature Hunt Program
davidjbianco
0
970
Quality over Quantity: Determining Your CTI Detection Efficacy
davidjbianco
0
270
Introduction to Data Analysis with Security Onion (and Other Open Source Tools)
davidjbianco
0
1.2k

Other Decks in Technology

See All in Technology
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
250
Lambdaと地方とコミュニティ
miu_crescent
2
370
【Startup CTO of the Year 2024 / Audience Award】アセンド取締役CTO 丹羽健
niwatakeru
0
980
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
強いチームと開発生産性
onk
PRO
34
11k
データプロダクトの定義からはじめる、データコントラクト駆動なデータ基盤
chanyou0311
2
300
Oracle Cloud Infrastructure データベース・クラウド:各バージョンのサポート期間
oracle4engineer
PRO
28
12k
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
120
AWS Lambdaと歩んだ“サーバーレス”と今後 #lambda_10years
yoshidashingo
1
170
個人でもIAM Identity Centerを使おう!(アクセス管理編)
ryder472
3
200
Taming you application's environments
salaboy
0
180
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
7
760

Featured

See All Featured
Creating an realtime collaboration tool: Agile Flush - .NET Oxford
marcduiker
25
1.8k
Automating Front-end Workflow
addyosmani
1366
200k
Practical Orchestrator
shlominoach
186
10k
CSS Pre-Processors: Stylus, Less & Sass
bermonpainter
356
29k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
A Philosophy of Restraint
colly
203
16k
Product Roadmaps are Hard
iamctodd
PRO
49
11k
Happy Clients
brianwarren
98
6.7k
Navigating Team Friction
lara
183
14k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
A designer walks into a library…
pauljervisheath
203
24k

Transcript

  1. None

  2. “ ” I’d like you to review and identify gaps

    in what we know about our high priority threat actors going into peak [retail season].

  3. • • • •

  4. Clean Merge Dump Extract Visualize IOCs TTPs

  5. • • • • •

  6. Assigning the IOCs and TTPs to phases in MITRE’s ATT&CK™

    lifecycle model allows us to see “where” in the lifecycle we know the most. Source: attack.mitre.org

  7. Most of our CTI centers around the attacker’s process for

    gaining a foothold in the environment. We know little about what happens before or after.

  8. Assigning IOCs to the appropriate Pyramid level helps describe their

    potential volatility and replaceability. Put another way, we want to maximize our ability to increase the adversary’s cost of action against us. Source: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

  9. We’re doing pretty well covering most of the Pyramid. Looks

    like we need more info about their toolset, though.

  10. Good Good Best Plotting the lifecycle phase vs. Pyramid level

    can reveal not only current strengths, but also opportunities for improvement.

  11. Box plot of IOC age reveals your balance between currency

    and history. ”Banding” on the left reveals patterns of collection. Oldest Median Newest

  12. Breaking down the ages by lifecycle phase gives more info

    about how current we are for each.

  13. Analyzing it by Pyramid level is also useful in comparing

    IOC ages to volatility. The lower the level, the fresher your IOCs need to be.

  14. Mapping the known TTPs to the ATT&CK Enterprise Matrix quickly

    shows strengths and weaknesses. White doesn’t imply a gap. Maybe the actor doesn’t do that thing. I’d like to find something better.

  15. Challenge What we did CTI data in multiple repositories •

    Developed custom extraction for each and merging/deduplication logic • Manual review of priority actor wiki pages Data tracked by different repos is inconsistent, sometimes even when it looks the same (e.g., timestamps mean different things) • Analyzed using estimates and approximations when necessary • Custom merging/deduplication logic Converting a one-time analysis into a repeatable, automatable process • Captured code, documentation and graphs in a Jupyter Notebook • Work is still ongoing…

  16. • • • • • •

  17. “ ”