Threat Intelligence for Incident Response

Transcript

1. Threat Intelligence for Incident Response BSides Puerto Rico 2014 Kyle

   Maxwell @kylemaxwell

2. Yada Yada Yada Opinions are my own and not necessarily

   anybody else’s. I don’t represent anybody but myself here. I am not a lawyer and this is not legal advice. Wait 30 minutes after this presentation before swimming. Snape kills Dumbledore and Vader is Luke’s father. Your mileage may vary. Standard terms and exclusions apply.

3. Example: Pissed-off Penguin Rick Kobylinski

4. Strategic Operational Tactical Taxonomy

5. Taxonomy: Open vs Closed Source Breanna Agnor

6. Taxonomy: Pyramid of Pain David J. Bianco

7. Intelligence Cycle

8. Direction What will the program achieve? Who will act on

   the intelligence? What do they need?

9. What do you already have? What do you need? What

   can you get (easily?) How will you store it? Collection

10. Processing: Automation Hed Kodin

11. Processing: Scalability Alexander Boden

12. Analysis analyst(caffeine, data) -> knowledge

13. Actor - who did it? Action - what did they

    do? Asset - what did they do it to? Attribute - how was it affected? Documentation, classification examples, enumerations: http://veriscommunity.net VERIS Framework

14. Analysis Analyst’s Cookbook (Pillar & Vallone)

15. Analysis Data Knowledge Understanding

16. Dissemination: Information Sharing MITRE FireEye

17. Feedback: Improvement NASA

18. Now what? @kylemaxwell [email protected]