Six Years of Threat Intelligence: Have We Learned Nothing?

[As presented at the SANS CTI Summit 2016]

The modern era of open threat reporting began in 2010, when Google first broke the news that it and several other large companies had been the target of an APT campaign which came to be known as “Operation Aurora.” Security companies around the world rushed to be the first to provide reports on the threat actors, their activities and their toolset. Six years later, security companies still race to publish reports on the hottest new actors or malware families.

With all this practice, the industry should be very good at communicating actionable threat intelligence, and organizations should have mature processes in place for consuming and using it. So why is this still so hard? In this presentation, we’ll take a look back at the last six years of open threat reporting. Using models like the Pyramid of Pain and the Detection Maturity Model, we’ll examine the types of intel these reports contain and how that has (or has not!) changed over time. If you are a creator of threat reports, we’ll give you some recommendations for improving your offerings to make them more useful to enterprise defenders. If you are a consumer of threat reports, we’ll cover our best tips for gathering and making use of the intel they contain. No matter your role, though, learning from our threat intel past can help us all be more successful at making life harder for the attackers.


David J. Bianco

February 03, 2016

Transcript

  1. Securely explore your data. SIX YEARS OF THREAT INTEL: Have we learned nothing?
  2. © 2016 Sqrrl | All Rights Reserved
  3. IT STARTED WITH A SIMPLE QUESTION… Are we getting better at communicating useful threat intel over time?
  4. SO I TRIED TO ANSWER THE QUESTION
     • Focused on “advanced” threats, since that’s where most of the reporting is anyway.
     • Feeds & intel sharing sites are out of scope (for now?)
     • Kiran Bandla’s APTNotes site is a great collection of these reports (https://github.com/kbandla/APTnotes)
     • I analyzed all the 2010 reports, plus a random selection of 2015 reports
  5. EXPONENTIAL INCREASE IN REPORTS [Chart: number of reports per year, 2010 through 2015, with an exponential trend line]
  6. GOOD THING LENGTH IS GOING DOWN! [Chart: report length, 2010 vs. 2015]
  7. MEASURING INDICATOR USEFULNESS http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
  8. MEASURING INDICATOR USEFULNESS
  9. COMBINED INDICATOR HIERARCHY: Goals, Strategies, TTPs, Tools, Artifacts, Domains, IP Addresses, Hash Values, Other
  10. THE AVERAGE REPORT HAS… [Chart: average number of indicators per report by type (Goals, Strategy, TTPs, Tools, Artifacts, Domains, IP Addresses, Hashes, Others), 2010 vs. 2015]
  11. WHAT IS THIS INTEL GOOD FOR?
     • Detection: If this event happens, I want to know about it.
     • Attribution: Who/what is responsible for this activity?
     • Profiling: What are the targeting parameters for this threat?
     • Prediction: Given the current state, what can I expect from this threat in the future?
     There are different types of indicators for different purposes. Most security teams need detection indicators. Most reports lag events by weeks or months. If you consume reports, assume low-level indicators are already blown unless otherwise noted. If you’re looking for detection/response intel, most reports are not for you.
  12. IF YOU PRODUCE REPORTS… Make consumption easier!
     • Keep the documents brief. No one can read all these. At least, provide a meaty-but-concise exec summary.
     • List indicators in an appendix. Group them by type, with bulleted text for high-level indicators. Include relevant context (actor, kill chain phase, etc.). Provide machine-readable (CSV, JSON, STIX, etc.) files to speed consumption and reduce transcription errors.
  13. QUESTIONS? David J. Bianco, dbianco@sqrrl.com, @DavidJBianco
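The consumer-side advice on slides 11 and 12 (count what a report actually gives you by Pyramid of Pain level, and discount hashes, IPs and domains in a report that is weeks old) can be turned into a small triage script. The following is an added example, not code from the talk or from Sqrrl; the CSV appendix is constructed with placeholder values, and the 14-day staleness threshold is an assumed stand-in for the "weeks or months" of lag the slides describe.

```python
import csv
import io
from collections import Counter
from datetime import date

# Pyramid of Pain levels, cheapest for the adversary to change first; the
# bottom three are the "low-level" indicators slide 11 says to assume are blown.
LEVELS = ("hash", "ip", "domain", "artifact", "tool", "ttp")
LOW_LEVEL = {"hash", "ip", "domain"}

# Constructed sample appendix in the shape slide 12 asks for (type, value,
# context). Every value is a placeholder, not an indicator from a real report.
SAMPLE_APPENDIX = """type,value,actor,kill_chain_phase
hash,0123456789abcdef0123456789abcdef,ExampleActor,delivery
hash,fedcba9876543210fedcba9876543210,ExampleActor,installation
ip,203.0.113.10,ExampleActor,command-and-control
domain,updates.example.invalid,ExampleActor,command-and-control
artifact,"HTTP User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)",ExampleActor,command-and-control
tool,custom downloader (example),ExampleActor,installation
ttp,spear-phishing with macro-enabled document,ExampleActor,delivery
"""

def tally_by_level(appendix_csv):
    """Count indicators per pyramid level; unknown types land in 'other'."""
    counts = Counter({level: 0 for level in LEVELS + ("other",)})
    for row in csv.DictReader(io.StringIO(appendix_csv)):
        level = row["type"].strip().lower()
        counts[level if level in LEVELS else "other"] += 1
    return dict(counts)

def assess_report(appendix_csv, published, today, stale_after_days=14):
    """Summarise what detection value a report still holds for a consumer."""
    counts = tally_by_level(appendix_csv)
    total = sum(counts.values())
    low = sum(counts[level] for level in LOW_LEVEL)
    age_days = (today - published).days
    # Assumed threshold for the "weeks or months" of lag the talk describes.
    stale = age_days > stale_after_days
    return {
        "counts": counts,
        "low_level_share": round(low / total, 2) if total else 0.0,
        "age_days": age_days,
        "assume_low_level_blown": stale and low > 0,
        # Indicators worth building detections on once blown ones are discounted.
        "durable_indicators": total - low if stale else total,
    }

def demo():
    """Assess the constructed sample as if published 2016-01-04 and read 2016-02-03."""
    return assess_report(SAMPLE_APPENDIX, date(2016, 1, 4), date(2016, 2, 3))
```

Run `demo()` to see the sample report's breakdown; for a real report, feed `assess_report` the machine-readable appendix and its publication date.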