Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Effective Threat Intelligence Sharing

Scott J. Roberts
July 23, 2017
Technology
1
88

Building Effective Threat Intelligence Sharing

A SANS Webex I did... awhile ago?

Scott J. Roberts

July 23, 2017
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Homemade Ramen & Threat Intelligence
sroberts
2
370
Introduction to Open Source Security Tools
sroberts
3
4.5k
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
71
Crisis Communication for Incident Response
sroberts
1
240
Hipster DFIR on OSX - BSidesCincy
sroberts
3
2.9k
Community Intelligence & Open Source Tools
sroberts
5
1k
Responding @ Scale: osquery for Mass Incident Response and Detection
sroberts
1
12k
Hipster DFIR on OSX
sroberts
2
880
Crisis Communication for Incident Response
sroberts
2
7.5k

Other Decks in Technology

See All in Technology
WINTICKET QA における Autify 活用
kj455
1
180
オンプレk8sとEKSの並行運用の実際
ch1aki
0
130
データエンジニアを助けてくれるFivetranとSnowflakeの仕様&機能のご紹介
sagara
0
420
データベースの発表には RDBMS 以外もありますよ
maroon1st
0
220
ラズパイとGASで加湿器の消し忘れをLINEでリマインド&操作
minako__ph
0
110
PHPのimmutable arrayとは
hnw
1
130
目指せCoverage100%! AutoScale環境におけるSavings Plans購入戦略 / JAWS-UG_SRE_Coverage
taishin
0
160
2022年に起きたフロントエンドの変化
sakito
28
16k
SPA・SSGでSSRのようなOGP対応!
simo123
2
140
Exploring MapStore Release 2022.02: improved 3DTiles support and more
simboss
PRO
0
160
エアドロップ for オープンソースプロジェクト
epicsdao
0
170
ERC3525 Semi-Fungible token
sbtechnight
0
330

Featured

See All Featured
Practical Orchestrator
shlominoach
178
8.9k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
13
1.1k
Bootstrapping a Software Product
garrettdimon
299
110k
Scaling GitHub
holman
453
140k
Art Directing for the Web. Five minutes with CSS Template Areas
malarkey
196
9.8k
Adopting Sorbet at Scale
ufuk
65
7.8k
Intergalactic Javascript Robots from Outer Space
tanoku
261
26k
Product Roadmaps are Hard
iamctodd
38
7.7k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
29
7.7k
Facilitating Awesome Meetings
lara
33
4.6k
Infographics Made Easy
chrislema
235
17k
WebSockets: Embracing the real-time Web
robhawkes
58
6k

Transcript

  1. Building Effective CTI Sharing

  2. Scott J Roberts

  3. Comments? Use #ctisharing and/or @sroberts

  4. Table Stakes

  5. Talk to Legal

  6. TLP https://www.us-cert.gov/tlp

  7. • WWWWH&W • Example: My Story • What To Do

    Next?

  8. Why?

  9. Your Security Will Improve

  10. You Will Improve Others Security

  11. Share More Get More

  12. A rising tide raises all boats

  13. When?

  14. Ingestion vs. Production

  15. When You’re Ready to Act

  16. When You’re Ready to Reciprocate

  17. When You Can Be Confident

  18. Who?

  19. Formal Groups

  20. Open Source Groups

  21. Informal Groups

  22. BONUS: Orgs With Similar Technology...

  23. BONUS: Competitors

  24. What?

  25. Indicators of Compromise

  26. Tactics, Techniques, & Procedures

  27. Reports

  28. Techniques, Methods, & Capabilities

  29. (Legally Required) Pyramid of Pain https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

  30. Sharing Hierarchy of Value* * The Author acknowledges this is

    a rip off

  31. How?

  32. Don’t Ask to Join

  33. Be Trusting

  34. Be Trustworthy

  35. Be Action Oriented

  36. BONUS: The Best Groups Have A Written Set of Expectations

    & Procedures

  37. Where?

  38. Mailing Lists

  39. Chat

  40. Semi Structured

  41. Threat Intelligence Platform

  42. Hybrid

  43. Example: My Story

  44. This is Kyle @kylemaxwell

  45. Kyle & I started a Slack

  46. We Invited Folks We Knew Shared Tools & Techniques We

    Invited More Folks

  47. Kyle Invited Mark @markpars0ns

  48. Mark Invited Me to Another Slack

  49. Met New Folks Shared Intelligence Collaborated On Investigations Demonstrated Value

    to My Boss

  50. So I Invited My Coworker John @swannysec

  51. What To Do Next?

  52. What To Do Next • • • • • •

  53. Go Make Friends & Share Intelligence

  54. Join Me @ SANS Rocky Mountain 2017 for FOR578