Finding the Best Threat Intelligence Provider for a specific purpose - #trials and #tribulations

Transcript

1. FINDING THE BEST THREAT INTELLIGENCE PROVIDER Trials & Tribulations Alicia

   Hickey & Dror-John Roecher

2. about us @lonelypeanut @droecher htttps://blog.dcso.de

3. Incident Response Threat Intelligence Network Security Monitoring

4. THREAT ACTORS OF INTEREST

5. NETWORK SECURITY MONITORING Customer A Network Sensor Network Sensor Network

   Sensor Our Backend Rule Engine
 (Yara, Suricata, Indicators) Analyst Workbench Customer B Network Sensor Network Sensor Network Sensor

6. Who is the best Threat Intelligence provider to detect APTs?

7. SOME BACKGROUND Alex Pinto, Kyle Maxwell Pawel Pawlinski, Andrew Kompanek

8. Who is the best Threat Intelligence provider to detect APTs?

9. None

10. THE CHALLENGES

11. ‘Best’?! Labelling an IoC as ‘APT’ Setting up a controlled

    experiment Standardising the data Timestamps *sigh*

12. ‘Best’ means that it fits our purpose

13. ‘BEST’ FOR US Low False-Positive rate High quality context (targets,

    kill chain…) Quick to publish Expiry dates Machine readable … labelled data!

14. ‘BEST’ FOR US Low False-Positive rate High quality context (targets,

    kill chain…) Quick to publish Expiry dates Machine readable … labelled data!

15. CHALLENGE: WHAT MAKES AN IOC ‘APT’? Data: I need labels

    Security: It is not about the labels Data: I need labels

16. Assumption: An IoC is considered ‘APT’ if there is a

    direct mention to an APT actor in its metadata.

17. DATA FORMATS

18. DATA FORMATS {…, type: [threat- actor]} {…, actors: [FANCYBEAR]}

19. DATA FORMATS {…, info: ‘Charming Kitten 2017’} {…, info: ‘Charming

    Kittens’} {…, info: ‘Report XXX XXX’} {…, type: [threat- actor]} {…, actors: [FANCYBEAR]}

20. DATA FORMATS timestamp != timestamp

21. FIRST SEEN ? time Infrastructure used by Threat Actor A

    Activities discovered
 by researcher B Indicators available
 to customers C

22. DATA FORMATS {…, ‘date’: XXX, …} {…,{ {‘created_on’: XXX, 'last_valid_on':

    XXX, 'last_updated': XXX, ‘published_date': XXX, ‘created_date': XXX, 'last_valid_date': XXX, …}}

23. Assumption: Earliest timestamp associated with an IoC is the time

    when the IoC was first discovered.

24. TEMPORAL ALIGNMENT time providers

25. TEMPORAL ALIGNMENT time providers

26. TEMPORAL ALIGNMENT time providers

27. None

28. TEMPORAL ALIGNMENT time providers

29. THE RESULTS

30. FROM 10…

31. …DOWN TO 4

32. What was best again?

33. RESULTS: FALSE POSITIVES 1 2 3 URLs Domains IPs

34. RESULTS: GEOGRAPHIC FOCUS China Iran North Korea Russia Other Unknown

    Network Files Network Files China Iran North Korea Russia Other Unknown Vendor 2 Vendor 1 China Iran North Korea Russia Other Unknown Network Files Network Files

35. Q&A

36. CONCLUSION Purpose matters Definitions matter Formats matter … and failure

    is part of the process

37. Who benefits from the status quo? @lonelypeanut @droecher

38. CREDITS Photo by Asa Rodger on Unsplash Photo by Jamie

    Haughton on Unsplash Photo by Paolo Nicolello on Unsplash http://clipart-library.com/clipart/51476.htm http://clipart-library.com/clipart/310528.htm http://clipart-library.com/clipart/8TznLgpRc.htm http://clipart-library.com/clipart/99389.htm