Threat Intelligence Awakens

Transcript

1. 1 Threat Intelligence Awakens #CTIAwakens Rick Holland (Kylo Rick) VP

   Strategy, Digital Shadows @rickhholland #CTISummit

2. 2 A long time ago in CTI Summits far far

   way

3. 3

4. 4 Recognizing previous work

5. 5 Episode Derp

6. 6 Sienar Fleet Systems

7. 7

8. 8 ‣  Providers ‣  Platforms ‣  Enrichment ‣  Integration Threat

   intelligence

9. 9 Many Bothan spies died to bring us this information

   (Providers)

10. 10

11. 11 ‣  Pyramid of Pain is painful for threat intel

    providers too ‣  Relevancy is hard ‣  Tactical, Operational, Strategic providers Providers

12. 12 This isn’t a one stormtrooper fits all scenario

13. 13

14. 14 ‣  Threat intelligence should surround us and bind our

    security programs together, TIPs should enable this ‣  Gross misuse of the term “platform” ‣  Answering the relevancy question is a huge opportunity for TIPs A TIP should make intel flow like The Force

15. 15 ‣  Ingestion ‣  Enrichment ‣  Analysis/Exploration ‣  Collaboration ‣ 

    Integration/Orchestration Emerging TIP functional areas

16. 16 Sharing alone does not a platform make

17. 17 Enrichment is delivered to the analyst (Force pull)

18. 18 ‣  Passive DNS (Farsight) ‣  WHOIS (DomainTools) ‣  Infrastructure

    (PassiveTotal) ‣  Malware (VirusTotal) ‣  GeoIP (MaxMind) Enrichment sources

19. 19 ‣  We need to start focusing more efforts on

    internal enrichment sources •  Identity •  Asset •  Data value •  Vulnerabilities Take a look in the mirror

20. 20 Integrating threat intelligence today is a bit like watching

    Episodes 1, 2, and 3 repeatedly

21. 21 ‣  Many APIs are weak (or non-existent) ‣  We

    perform DoS attacks against our controls ‣  TIPs and the emerging orchestration/automation players are trying to solve this Integration

22. 22

23. 23 #CTIAwakens #CTISummit THREAT INTELLIGENCE OPERATIONS

24. 24 Indicators of Exhaustion There’s too many of them!

25. 25

26. 26 ‣  Before you invest in any commercial provider, you

    must maximize your own intrusions ‣  Collect indicators & build dossiers ‣  No threat intel is more relevant than what is occurring within your own environment Rey is a scavenger

27. 27 > 35 years? And you’ve never fired a bowcaster?

    Really?

28. 28 The ship that made the Kessel Run in fourteen

    twelve parsecs

29. 29 ‣  You don’t have the best technology and most

    expensive intel sources to be effective ‣  You probably will never have a fusion center but you can make threat intelligence work ‣  The Millennium Falcon approach (DIY / Open Source tools) is perfectly acceptable She may not look like much, but she's got it where it counts

30. 30 Collaborate, find your Bros

31. 31 ‣  For most sharing is putting the cart before

    the horse ‣  Share processes & tradecraft ‣  Share cool leather jackets Collaborate, don’t just share IOCs

32. 32 Spawn camping

33. 33 ‣  Segment the network ‣  Adversaries will re-spawn, funnel

    them to make hunting scalable Camp on your adversaries

34. 34 #CTIAwakens #CTISummit ANALYSTS

35. 35 That’s all she is, yes. A scavenger from that

    inconsequential Jakku.

36. 36 Fear leads to anger. Anger leads to hate. Hate

    leads to poor analysis.

37. 37 Avoid analytical pitfalls

38. 38 Avoid analytical pitfalls Daniel Kahneman reveals “where we can

    and cannot trust our intuitions and how we can tap into the benefits of slow thinking.”

39. 39 Check out: cyintanalysis.com

40. 40 ‣  Actionable intelligence must be timely ‣  Don’t spend

    so much time performing analysis that timeliness suffers ‣  Ask yourself What Would Han Solo Do (WWHSD)? Avoid analysis paralysis

41. 41 This can take too long

42. 42 I never answer that question until after I’ve done

    it.

43. 43 Easier to track down Luke than to hire intel

    analysts?

44. 44 ‣  Many are going to have to rely upon

    intel providers and MSSPs for support ‣  Look at providers who offer analysts on demand or tailored intelligence offerings Not enough analysts to go around

45. 45 You need threat intel younglings

46. 46 ‣  Maturity doesn’t just evolve, it can devolve. ‣ 

    You must be creative with retention strategies: •  Remote workers •  Training (Individual & team) •  Career pathing •  Work with HR to create salary exceptions Retention is critical

47. 47 #CTIAwakens #CTISummit I’VE HAVE A BAD FEELING ABOUT THIS

48. 48 ‣  Buy Buy Buy! Chasing silver bullets ‣  Buy

    all the feedz! ‣  Not prepared to demonstrate the value of threat intelligence program Many intel programs are setup for failure

49. 49 ‣  Conduct after action reviews post intrusion and capture

    intelligence ‣  Measure and track - Time to detection, containment, remediation ‣  Analyze all intel sources and track sightings. Periodically reevaluate sources ‣  Produce your own strategic intelligence Do this

50. 50 Avoid this

51. 51 ‣  SANS CTI Summit 2013 – If It Bleeds

    We Can Kill It ‣  SANS CTI Summit 2014 – Threat Intelligence Buyers Guide ‣  SANS CTI Summit 2015 – State of Cyber Threat Intelligence Address ‣  RSA Conference 2015 – Threat Intelligence is Like Three Day Potty Training Previous public work

52. 52 Thank you! #CTIAwakens #CTISummit @rickhholland