
Test


jaiderospina

June 06, 2025

Transcript

  1. Quick Bio
     • USMC Veteran – 2651 Secure Comms/Intel SysAdmin
     • +14 Years in Information Technology/Security
     • Specialties: Incident Response/Forensics, Threat Intelligence, Offensive Security
     • $dayjob = Senior Malware & Threat Intel Analyst
     • $sidejob = AdroitSec LLC – Principal/Consultant
  2. What we’ll cover..
     • What Threat Intel is / does
     • Managing Threat Intel
     • Implementing Threat Intel
     • Threat Intel & IR integration
     • Threat Intel sharing
  3. Business Intelligence
     “Business intelligence (BI) is the set of techniques and tools for the transformation of raw data into meaningful and useful information for business analysis purposes.”
  4. “Details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence’s primary purpose is to inform business decisions regarding the risks and implications associated with threats.” - Forrester
  5. “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.” - Gartner
  6. Threat Intel (TI) =
     • Strategic: Context, Motivations, Capabilities, Implications, Actionable Advice
     • Operational: Context, Mechanisms, Indicators, Tactics, Techniques, Procedures
  7. Sources of Threat Intel
     • Internal: Logs, Network, Endpoints, Malware Analysis, Phishing Emails, Past incidents
     • Industry Sharing Groups: ISACs (Ag, IT, Financial, etc.)
     • Government: US-CERT, FBI, etc.
     • Org to Org partnerships
     • Vendors (data / analysis)
     • Open Source
  8. Threat Intel Analysis
     • Analysis of: Internal Intel, External Intel, Threat Data (Feeds, IOCs, Etc.)
     • Analysts analyze
     • Automation and analytics can increase effectiveness
  9. Context (via analysis)
     • Target victim(s): Size, Victim type
     • Targeted or Spray
     • Malware: Custom or commodity
     • Other orgs
     • Target vertical
     • Tools/Tactics/Procedures
     • Intent of attack
     • Passwords/Credentials
     • Configurations
     Remove context and it is just data…
  10. Strategic: Risk Management, Vulnerability Management, Threat Modeling, Situational Awareness
      Tactical: Proactive/Reactive IR, Threat Communications, Breach Discovery, Prevention, Detection
  11. Day in the life… Analyst
      Malware Analysis, Incident Response, Course of Action, Open Source Analysis, Email Analysis, Protocol Analysis, SIEM Data Correlation, Asset Tracking, Executive Briefs, Attack Vector, Mitigating Controls, Shared Threat Intelligence, Attacker TTPs
      H/T: ThreatConnect
  12. Threat Intel Platform (TIP)
      • Organization of threat data
      • Contextualize threat data
      • Draw relationships
      • Historical Perspective
      • Automate in parallel with other tools
  13. Threat Intel Platform (TIP)
      • Open Source: CRITs, Soltra, MANTIS, Etc.
      • Commercial: ThreatConnect, ThreatStream, RecordedFuture, Etc.
  14. Component of bigger strategy
      • Parallel/Integral to other capabilities
      • Place it properly
      • Threat Intel as Component/Program
      • Threat Intel could be its own “Program”
  15. Threat Intel Program
      OSINT, Threat Research, External Intelligence Services, ISACs, Firewall, IPS/IDS, Web Gateway, Anti-Virus, HIDs/HIPs, DLP, Network, Endpoint, SIEM, Detection & Response, Governance / Resistance
  16. Implementing Threat Intel
      • Define the goals of TI for the organization.
      • Define how you will leverage TI to accomplish those goals.
      • Make it “Actionable”
      • Realize that TI is 80% internal, 20% external (relative to your business)
  17. Actionable Intelligence – Analysis
      Know:
      • How to apply threat intel (or not)
      • Where to apply (capabilities)
      • How & who to communicate to
      May not be a “technical” application
  18. Actionable Intelligence – Application (Tactical)
      • Apply to Infrastructure: SIEM/Log Management, Network Security Monitoring, Firewalls, Proxies, Mail Gateways
      • Training/Communication
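The "apply to infrastructure" step above, combined with the earlier point that an indicator without context is just data, as an added example (not code from the talk): indicators carry actor, TTP, kill-chain phase and confidence, are matched against proxy and mail-gateway log lines, and the hit is reported with that context attached. All indicators, actor names and log lines are constructed for the example.

```python
"""Match threat intel against proxy / mail-gateway logs and keep the context attached."""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    value: str        # domain, IP or sender address
    actor: str        # context: who is believed to use it
    ttp: str          # context: how it is used
    phase: str        # context: kill-chain phase it maps to
    confidence: int   # context: analyst confidence, 0-100

# Constructed indicators: documentation-range values, not real IOCs.
INDICATORS = [
    Indicator("invoice-update.example", "ACTOR-A (constructed)", "credential phishing page", "Delivery", 85),
    Indicator("203.0.113.7", "ACTOR-A (constructed)", "C2 beacon over HTTPS", "C2", 70),
    Indicator("billing@invoice-update.example", "ACTOR-A (constructed)", "phishing sender", "Delivery", 90),
]

# Constructed log lines: a squid-style proxy line and a simplified mail-gateway line.
PROXY_LOG = [
    "1717660000.123 45 10.0.0.21 TCP_MISS/200 1422 GET http://invoice-update.example/login - HIER_DIRECT/203.0.113.7 text/html",
    "1717660010.456 12 10.0.0.22 TCP_MISS/200 9000 GET http://intranet.corp.example/news - HIER_DIRECT/10.0.0.5 text/html",
]
MAIL_LOG = [
    '2025-06-06T10:00:00Z from=billing@invoice-update.example to=cfo@corp.example subject="Invoice overdue"',
    '2025-06-06T10:05:00Z from=hr@corp.example to=all@corp.example subject="Holiday schedule"',
]

# Splits on anything that is not a host/IP/address character, so "http://host/path" yields "host".
TOKEN_RE = re.compile(r"[A-Za-z0-9.@:-]+")

def match_logs(lines, indicators=INDICATORS, min_confidence=50):
    """Return one enriched alert per (line, indicator) hit at or above the confidence floor."""
    by_value = {i.value: i for i in indicators if i.confidence >= min_confidence}
    alerts = []
    for line in lines:
        tokens = sorted({t.strip(".:") for t in TOKEN_RE.findall(line)})
        for tok in tokens:
            ind = by_value.get(tok)
            if ind is None:
                continue
            alerts.append({
                "indicator": ind.value, "actor": ind.actor, "ttp": ind.ttp,
                "phase": ind.phase, "confidence": ind.confidence, "log": line,
                # The context is what turns a raw match into something an analyst can act on.
                "summary": f"{ind.phase}: {ind.actor} - {ind.ttp} ({ind.value}, confidence {ind.confidence})",
            })
    return alerts

if __name__ == "__main__":
    for alert in match_logs(PROXY_LOG) + match_logs(MAIL_LOG):
        print(alert["summary"])
```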
  19. "A shiny threat intel capability without a mature IR capability is like putting a big ole fancy spoiler on a stock 4 cyl Dodge Neon." - @mattnels
  20. Proactive vs. Reactive IR
      • Hunting for breaches / incidents / anomalies
      • Identifying avenues of attack and addressing
      • Detecting shifts of attack
  21. • Visibility • SIEM/Logs • Network • Hosts • Threat Intel • Analysis • Verification • Containment • Remediation • CSIRT • Security reviews • Identity mgmt • Security design/reqs • Vuln Mgmt • Security Operations • Policy • Risk Management • Security program design • Compliance Reporting • Audit
      Diagram labels: Resist, Detect, IR Plan, Ops IR
  22. Active Cyber Defense Model
      • Threat Intelligence Consumption
      • Asset Classification and Security Monitoring
      • Incident Response
      • Threat & Environment Manipulation
      Source: RecordedFuture.com – Robert Lee
  23. TI/IR Focal Points
      • Logs
      • Network
      • Endpoint
      • Threat Intel
  24. Kill Chain & Focal Points
      Kill chain phases: Recon, Weaponization, Delivery, Exploitation, C2, Exfiltration
      Focal points mapped onto the phases: Logs, Network, Endpoint, Threat Intel
  25. Advantages of Sharing
      • Benevolence: Greater Good
      • Self-Interested: Give some to get some
      • Scope, Relevancy, Context, Breadth, Capabilities
  26. Ways to share
      • Vertical/Industry sharing groups: ISACs (Ag, IT, Financial, Edu, etc.)
      • Government: US-CERT, FBI, Infragard, etc.
      • Org to Org partnerships
      • Vendor(s)
  27. Sharing Strategy
      • Define a sharing strategy (TLP class)
      • Sanitize
      • Targeted sharing
      • No regurgitation (unique data)
      • Ingestible, concise/clear
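The sharing-strategy points above worked through as an added example (not code from the talk): each recipient type gets a TLP ceiling, records above that ceiling are withheld, internal victim and analyst fields are stripped, only a fixed concise set of fields is emitted, and anything already sent to that recipient is skipped. The record layout, the recipient-to-TLP mapping, the rule that TLP:RED is never pushed by this tool, and all values are constructed assumptions.

```python
"""Prepare internal indicator records for sharing under the recipient's TLP ceiling."""

# Least to most restrictive TLP class. TLP:RED is never pushed automatically (assumed policy).
TLP_RANK = {"CLEAR": 0, "GREEN": 1, "AMBER": 2, "RED": 3}

# Assumed sharing strategy: the most restrictive class each recipient type may receive.
RECIPIENT_CEILING = {"public-feed": "CLEAR", "isac": "GREEN", "partner-org": "AMBER"}

# Fields that describe our own environment or people; never leave the organization.
INTERNAL_FIELDS = {"victim_host", "victim_user", "analyst", "ticket", "internal_notes"}
# What a recipient actually needs, in a fixed order, so the output stays ingestible and concise.
SHARE_FIELDS = ("type", "value", "tlp", "first_seen", "context")

# Constructed records; indicator values are documentation-range placeholders.
RECORDS = [
    {"type": "domain", "value": "invoice-update.example", "tlp": "GREEN", "first_seen": "2025-06-01",
     "context": "credential phishing landing page", "victim_host": "WS-0421", "victim_user": "jdoe",
     "analyst": "analyst01", "ticket": "IR-1187", "internal_notes": "finance team targeted"},
    {"type": "ipv4", "value": "203.0.113.7", "tlp": "AMBER", "first_seen": "2025-06-02",
     "context": "C2 over HTTPS, self-signed certificate", "victim_host": "WS-0421", "analyst": "analyst01"},
    {"type": "sha256", "value": "<constructed-hash-placeholder>", "tlp": "RED", "first_seen": "2025-06-03",
     "context": "custom loader, active investigation", "ticket": "IR-1190"},
]

def sanitize(record):
    """Keep only the shareable fields; everything in INTERNAL_FIELDS is dropped by construction."""
    return {k: record[k] for k in SHARE_FIELDS if k in record}

def build_share_set(records, recipient, already_shared):
    """Return sanitized records this recipient may receive and has not received before.

    already_shared is a set of (recipient, indicator value) pairs, updated in place so that a
    second run for the same recipient yields nothing new ("no regurgitation").
    """
    ceiling = TLP_RANK[RECIPIENT_CEILING[recipient]]
    out = []
    for rec in records:
        if rec["tlp"] == "RED" or TLP_RANK[rec["tlp"]] > ceiling:
            continue                       # too restricted for this recipient
        key = (recipient, rec["value"])
        if key in already_shared:
            continue                       # already sent: share unique data only
        already_shared.add(key)
        out.append(sanitize(rec))
    return out

if __name__ == "__main__":
    sent = set()
    for who in RECIPIENT_CEILING:
        print(who, build_share_set(RECORDS, who, sent))
```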
  28. Wrap-up
      • Define your goals
      • Collect relevant TI
      • Analysis / Context
      • Make Actionable / apply it
      • Share your Intel