Building Effective Threat Intelligence Sharing

Transcript

1. Building Effective CTI Sharing

2. Scott J Roberts

3. Comments? Use #ctisharing and/or @sroberts

4. Table Stakes

5. Talk to Legal

6. TLP https://www.us-cert.gov/tlp

7. • WWWWH&W • Example: My Story • What To Do

   Next?

8. Why?

9. Your Security Will Improve

10. You Will Improve Others Security

11. Share More Get More

12. A rising tide raises all boats

13. When?

14. Ingestion vs. Production

15. When You’re Ready to Act

16. When You’re Ready to Reciprocate

17. When You Can Be Confident

18. Who?

19. Formal Groups

20. Open Source Groups

21. Informal Groups

22. BONUS: Orgs With Similar Technology...

23. BONUS: Competitors

24. What?

25. Indicators of Compromise

26. Tactics, Techniques, & Procedures

27. Reports

28. Techniques, Methods, & Capabilities

29. (Legally Required) Pyramid of Pain https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

30. Sharing Hierarchy of Value* * The Author acknowledges this is

    a rip off

31. How?

32. Don’t Ask to Join

33. Be Trusting

34. Be Trustworthy

35. Be Action Oriented

36. BONUS: The Best Groups Have A Written Set of Expectations

    & Procedures

37. Where?

38. Mailing Lists

39. Chat

40. Semi Structured

41. Threat Intelligence Platform

42. Hybrid

43. Example: My Story

44. This is Kyle @kylemaxwell

45. Kyle & I started a Slack

46. We Invited Folks We Knew Shared Tools & Techniques We

    Invited More Folks

47. Kyle Invited Mark @markpars0ns

48. Mark Invited Me to Another Slack

49. Met New Folks Shared Intelligence Collaborated On Investigations Demonstrated Value

    to My Boss

50. So I Invited My Coworker John @swannysec

51. What To Do Next?

52. What To Do Next • • • • • •

53. Go Make Friends & Share Intelligence

54. Join Me @ SANS Rocky Mountain 2017 for FOR578