
Threat Intelligence Awakens

Rick Holland
February 04, 2016


SANS Cyber Threat Intelligence Summit, Rick Holland, Digital Shadows


Transcript

  1. Threat Intelligence Awakens #CTIAwakens
     Rick Holland (Kylo Rick), VP Strategy, Digital Shadows, @rickhholland #CTISummit

  2. A long time ago in CTI Summits far, far away

  3. (no text on slide)

  4. Recognizing previous work

  5. Episode Derp

  6. Sienar Fleet Systems

  7. (no text on slide)

  8. Threat intelligence
     ‣ Providers
     ‣ Platforms
     ‣ Enrichment
     ‣ Integration

  9. Many Bothan spies died to bring us this information (Providers)

  10. (no text on slide)

  11. Providers
     ‣ Pyramid of Pain is painful for threat intel providers too
     ‣ Relevancy is hard
     ‣ Tactical, Operational, Strategic providers

  12. This isn’t a one-stormtrooper-fits-all scenario

  13. (no text on slide)

  14. A TIP should make intel flow like The Force
     ‣ Threat intelligence should surround us and bind our security programs together; TIPs should enable this
     ‣ Gross misuse of the term “platform”
     ‣ Answering the relevancy question is a huge opportunity for TIPs

  15. Emerging TIP functional areas
     ‣ Ingestion
     ‣ Enrichment
     ‣ Analysis/Exploration
     ‣ Collaboration
     ‣ Integration/Orchestration

  16. Sharing alone does not a platform make

  17. Enrichment is delivered to the analyst (Force pull)

  18. Enrichment sources
     ‣ Passive DNS (Farsight)
     ‣ WHOIS (DomainTools)
     ‣ Infrastructure (PassiveTotal)
     ‣ Malware (VirusTotal)
     ‣ GeoIP (MaxMind)

  19. Take a look in the mirror
     ‣ We need to start focusing more efforts on internal enrichment sources
       • Identity
       • Asset
       • Data value
       • Vulnerabilities

  20. Integrating threat intelligence today is a bit like watching Episodes 1, 2, and 3 repeatedly

  21. Integration
     ‣ Many APIs are weak (or non-existent)
     ‣ We perform DoS attacks against our own controls
     ‣ TIPs and the emerging orchestration/automation players are trying to solve this

  22. (no text on slide)
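Slides 18 through 21 describe the enrichment and integration problem: external context (passive DNS, WHOIS, malware, GeoIP) is pulled to the analyst, but relevancy stays hard until internal sources such as identity, asset, data value and vulnerabilities are joined in, and pushing every feed indicator into controls without that join is what the deck calls a DoS against our own controls. The Python below is an added example, not code from the talk or from Digital Shadows: it joins a constructed provider feed against constructed egress log lines and a constructed asset inventory, then scores each indicator by provider severity, internal asset context and number of sightings. The feed items, asset records, log lines, tag severities and weights are all assumptions made for the example.

```python
"""Added example (not from the talk): enrich external indicators with the
internal context from slide 19 and rank them by relevancy.

Every feed item, asset record and log line below is constructed sample data."""

# External indicators as a provider might deliver them (constructed).
FEED = [
    {"indicator": "203.0.113.10", "source": "provider-a", "tags": ["c2"]},
    {"indicator": "bad-login.example", "source": "provider-b", "tags": ["phishing"]},
    {"indicator": "198.51.100.7", "source": "provider-a", "tags": ["scanner"]},
    {"indicator": "unseen.example", "source": "provider-b", "tags": ["c2"]},
]

# Internal enrichment: asset inventory keyed by IP, carrying identity (owner),
# data value and open vulnerabilities. Vulnerability ids are placeholders.
ASSETS = {
    "10.0.0.5": {"name": "hr-fileserver", "owner": "hr-admin",
                 "data_value": "high", "vulns": ["CVE-PLACEHOLDER-1"]},
    "10.0.0.9": {"name": "guest-laptop", "owner": "contractor",
                 "data_value": "low", "vulns": []},
}

# Constructed egress log lines: "<timestamp> <internal src> <external dst>".
LOG_LINES = [
    "2016-02-01T10:00:00Z 10.0.0.5 203.0.113.10",
    "2016-02-01T10:05:00Z 10.0.0.9 198.51.100.7",
    "2016-02-01T11:00:00Z 10.0.0.5 bad-login.example",
    "2016-02-01T11:30:00Z 10.0.0.5 203.0.113.10",
]

# Assumed scales: severity per provider tag, multiplier per internal data value.
TAG_SEVERITY = {"c2": 3, "phishing": 2, "scanner": 1}
DATA_VALUE_WEIGHT = {"high": 2.0, "medium": 1.5, "low": 1.0}


def parse_sightings(lines):
    """Map each external destination to the internal hosts that contacted it."""
    sightings = {}
    for line in lines:
        _ts, src, dst = line.split()
        sightings.setdefault(dst, []).append(src)
    return sightings


def asset_weight(asset):
    """Internal context: data value, plus a bump if the host has open vulnerabilities."""
    weight = DATA_VALUE_WEIGHT.get(asset.get("data_value", "low"), 1.0)
    if asset.get("vulns"):
        weight += 0.5
    return weight


def enrich(item, sightings, assets):
    """Attach sightings and affected assets to one feed item and score it.

    score = severity(tags) * max(asset weight) * number of sightings, so an
    indicator never seen inside the environment scores 0 whatever its tag."""
    hosts = sightings.get(item["indicator"], [])
    severity = max(TAG_SEVERITY.get(t, 1) for t in item["tags"])
    affected = [assets.get(h, {"name": h, "owner": "unknown"}) for h in hosts]
    weight = max((asset_weight(a) for a in affected), default=0.0)
    return {
        "indicator": item["indicator"],
        "source": item["source"],
        "sightings": len(hosts),
        "assets": sorted({a["name"] for a in affected}),
        "owners": sorted({a.get("owner", "unknown") for a in affected}),
        "score": severity * weight * len(hosts),
    }


def rank(feed=FEED, lines=LOG_LINES, assets=ASSETS):
    """Return enriched feed items, most relevant first."""
    sightings = parse_sightings(lines)
    return sorted((enrich(i, sightings, assets) for i in feed),
                  key=lambda e: e["score"], reverse=True)


if __name__ == "__main__":
    for e in rank():
        print(f'{e["score"]:5.1f}  {e["indicator"]:20s} sightings={e["sightings"]} '
              f'assets={e["assets"]} owners={e["owners"]}')
```

Only the top of the ranked list, the indicators actually sighted against valuable or vulnerable assets with a known owner, is worth pushing to controls or handing to an analyst; the zero-score tail is the part of the feed that would otherwise just add load.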

  23. THREAT INTELLIGENCE OPERATIONS (#CTIAwakens #CTISummit)

  24. Indicators of Exhaustion: There’s too many of them!

  25. (no text on slide)

  26. Rey is a scavenger
     ‣ Before you invest in any commercial provider, you must maximize your own intrusions
     ‣ Collect indicators & build dossiers
     ‣ No threat intel is more relevant than what is occurring within your own environment

  27. > 35 years? And you’ve never fired a bowcaster? Really?

  28. The ship that made the Kessel Run in fourteen twelve parsecs

  29. She may not look like much, but she's got it where it counts
     ‣ You don’t need the best technology and most expensive intel sources to be effective
     ‣ You probably will never have a fusion center, but you can make threat intelligence work
     ‣ The Millennium Falcon approach (DIY / open source tools) is perfectly acceptable

  30. Collaborate, find your Bros

  31. Collaborate, don’t just share IOCs
     ‣ For most, sharing is putting the cart before the horse
     ‣ Share processes & tradecraft
     ‣ Share cool leather jackets

  32. Spawn camping

  33. Camp on your adversaries
     ‣ Segment the network
     ‣ Adversaries will re-spawn; funnel them to make hunting scalable

  34. ANALYSTS (#CTIAwakens #CTISummit)

  35. That’s all she is, yes. A scavenger from that inconsequential Jakku.

  36. Fear leads to anger. Anger leads to hate. Hate leads to poor analysis.

  37. Avoid analytical pitfalls

  38. Avoid analytical pitfalls
     Daniel Kahneman reveals “where we can and cannot trust our intuitions and how we can tap into the benefits of slow thinking.”

  39. Check out: cyintanalysis.com

  40. Avoid analysis paralysis
     ‣ Actionable intelligence must be timely
     ‣ Don’t spend so much time performing analysis that timeliness suffers
     ‣ Ask yourself: What Would Han Solo Do (WWHSD)?

  41. This can take too long

  42. I never answer that question until after I’ve done it.

  43. Easier to track down Luke than to hire intel analysts?

  44. Not enough analysts to go around
     ‣ Many are going to have to rely upon intel providers and MSSPs for support
     ‣ Look at providers who offer analysts on demand or tailored intelligence offerings

  45. You need threat intel younglings

  46. Retention is critical
     ‣ Maturity doesn’t just evolve, it can devolve.
     ‣ You must be creative with retention strategies:
       • Remote workers
       • Training (individual & team)
       • Career pathing
       • Work with HR to create salary exceptions

  47. I HAVE A BAD FEELING ABOUT THIS (#CTIAwakens #CTISummit)

  48. Many intel programs are set up for failure
     ‣ Buy, buy, buy! Chasing silver bullets
     ‣ Buy all the feedz!
     ‣ Not prepared to demonstrate the value of the threat intelligence program

  49. Do this
     ‣ Conduct after-action reviews post-intrusion and capture intelligence
     ‣ Measure and track: time to detection, containment, remediation
     ‣ Analyze all intel sources and track sightings; periodically reevaluate sources
     ‣ Produce your own strategic intelligence
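Slides 26 and 49 together describe the measurement loop that lets a program demonstrate its value: build dossiers from your own intrusions, capture them in after-action reviews, track time to detection, containment and remediation, and count sightings per intel source so that sources can be reevaluated on evidence. The Python below is an added example, not code from the talk or from Digital Shadows, that computes those numbers from constructed incident records and constructed source contents. The record fields, the timestamp format, the choice of median, the TTD/TTC/TTR definitions and the notion of a "unique sighted" indicator are all assumptions made for the example.

```python
"""Added example (not from the talk): after-action metrics and an intel source
scorecard built from the organisation's own intrusions.

Incident records and source contents below are constructed sample data."""
from datetime import datetime
from statistics import median

TS_FMT = "%Y-%m-%dT%H:%M"  # assumed timestamp format for the records

# One record per intrusion, as captured in the after-action review (constructed).
INCIDENTS = [
    {"id": "IR-1", "first_activity": "2016-01-02T08:00", "detected": "2016-01-04T09:30",
     "contained": "2016-01-04T15:00", "remediated": "2016-01-06T12:00",
     "indicators": ["203.0.113.10", "evil.example"]},
    {"id": "IR-2", "first_activity": "2016-01-10T12:00", "detected": "2016-01-10T14:00",
     "contained": "2016-01-10T16:00", "remediated": "2016-01-11T14:00",
     "indicators": ["a.example"]},
    {"id": "IR-3", "first_activity": "2016-01-20T00:00", "detected": "2016-01-21T00:00",
     "contained": "2016-01-21T03:00", "remediated": "2016-01-22T00:00",
     "indicators": ["evil.example"]},
]

# Indicators each source delivered during the period; "internal" is the dossier
# built from our own intrusions, the Rey-the-scavenger source (constructed).
SOURCES = {
    "provider-a": {"203.0.113.10", "198.51.100.7", "a.example"},
    "provider-b": {"b.example", "c.example"},
    "internal": {"203.0.113.10", "evil.example"},
}


def _hours(start, end):
    """Elapsed hours between two timestamps in TS_FMT."""
    delta = datetime.strptime(end, TS_FMT) - datetime.strptime(start, TS_FMT)
    return delta.total_seconds() / 3600


def incident_durations(inc):
    """Time to detection, containment and remediation for one incident, in hours.

    TTD runs from first adversary activity to detection; TTC and TTR both run
    from detection, so they measure the response rather than the dwell time."""
    return {
        "ttd": _hours(inc["first_activity"], inc["detected"]),
        "ttc": _hours(inc["detected"], inc["contained"]),
        "ttr": _hours(inc["detected"], inc["remediated"]),
    }


def program_metrics(incidents=INCIDENTS):
    """Median TTD/TTC/TTR across incidents; the median is not dragged by one
    long-dwell intrusion the way a mean would be."""
    per_incident = [incident_durations(i) for i in incidents]
    return {k: median(d[k] for d in per_incident) for k in ("ttd", "ttc", "ttr")}


def source_scorecard(incidents=INCIDENTS, sources=SOURCES):
    """Per source: indicators delivered, how many were sighted in real intrusions,
    the resulting hit rate, and how many sighted indicators no other source had."""
    observed = set()
    for inc in incidents:
        observed.update(inc["indicators"])
    card = {}
    for name, delivered in sources.items():
        sighted = delivered & observed
        others = set().union(*(s for n, s in sources.items() if n != name))
        card[name] = {
            "delivered": len(delivered),
            "sighted": len(sighted),
            "hit_rate": len(sighted) / len(delivered) if delivered else 0.0,
            "unique_sighted": len(sighted - others),
        }
    return card


if __name__ == "__main__":
    print("program medians (hours):", program_metrics())
    for name, row in source_scorecard().items():
        print(f"{name:12s} delivered={row['delivered']} sighted={row['sighted']} "
              f"hit_rate={row['hit_rate']:.2f} unique={row['unique_sighted']}")
```

Run over a quarter's worth of real after-action records, the scorecard is what the periodic source reevaluation on slide 49 needs: a paid source that delivers many indicators, is sighted in none, and contributes nothing the internal dossier did not already hold is the "buy all the feedz" failure mode made measurable.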
  50. 50 Avoid this

  51. 51 ‣  SANS CTI Summit 2013 – If It Bleeds

    We Can Kill It ‣  SANS CTI Summit 2014 – Threat Intelligence Buyers Guide ‣  SANS CTI Summit 2015 – State of Cyber Threat Intelligence Address ‣  RSA Conference 2015 – Threat Intelligence is Like Three Day Potty Training Previous public work
  52. 52 Thank you! #CTIAwakens #CTISummit @rickhholland