Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti)

Transcription

1 Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti) Alex Pinto Chief Data Scientist MLSec Project / Niddel

2 Agenda What is TI good for? Combine and TIQ-test Measuring Indicators Threat Intelligence Sharing Future research direction (i.e. will work for data) HT

3 What is TI good for (1) Attribution

4 What is TI good for anyway? TY for his work on

5 What is TI good for (2) Cyber Maps!! TY for his work on

6 What is TI good for anyway? (3) How about actual defense? Strategic vs. tactical vs. operational: planning Technical indicators: DFIR and monitoring

7 Affirming the Consequent Fallacy 1. If A, then B. 2. B. 3. Therefore, A. 1. Evil malware talks to I see traffic to ZOMG, APT!!!

8 This is a data-driven talk! Please check your anecdotes at the door

9 Combine and TIQ-Test Combine ( Gathers TI data (ip/host) from Internet and local files Normalizes the data and enriches it (AS / Geo / pdns) Can export to CSV, tiq-test format and @c0wl TIQ-Test ( Runs statistical summaries and tests on TI feeds Generates charts based on the tests and summaries Written in R (because you should learn a stat language)

10 Suddenly Data

11

12 Using TIQ-TEST Feeds Selected Dataset was separated into inbound and outbound TY and John Bambenek for access to their feeds

13 Data Format for TIQ-TEST

14 Tons of Threat-y Tests Putting this threat data to work NOVELTY How often do the feeds update themselves? AGING How long does an indicator sit on a feed? POPULATION How does this population distribution compare to my data? OVERLAP How do the indicators compare to the ones you got? UNIQUENESS How many indicators are found only on one feed?

15 Tons of Threat-y Tests Putting this threat data to work NOVELTY How often do the feeds update themselves? AGING How long does an indicator sit on a feed? POPULATION How does this population distribution compare to my data? OVERLAP How do the indicators compare to the ones you got? UNIQUENESS How many indicators are found only on one feed?

16 Overlap Test More data is fine, but make sure it is different

17 Overlap Test - Inbound

18 Overlap Test - Outbound

19 Uniqueness Test How many fish REALLY are there at the sea?

20

21

22 I hate quoting myself, but

23 Key Takeaway #1 MORE!= BETTER Threat Intelligence Indicator Feeds Threat Intelligence Program

24

25 TI Sharing is TOTALLY going to solve this Right, people? Right?

26 Herd Immunity, is it? Source:

27

28

29 Threat Intelligence Sharing We would like to thank the kind contribution of data from the fine folks at Facebook Threat Exchange and Threat Connect and also the sharing communities that chose to remain anonymous. You know who you are, and we you too.

30 Threat Intelligence Sharing Data From a period of to : - Number of Indicators Shared Per day Per member Not sharing this data privacy concerns for the members and communities

31 OVERLAP SLIDE

32 OVERLAP SLIDE

33 UNIQUENESS SLIDE

34 The Cognitive Dissonances of TI Sharing Everybody should share! The CIRCLE OF TRUST

35 The Two Sides of Trust What do you share? What do you consume?

36 Activity Test Is there any actual sharing going on?

37 Large s members Small High 10s members Update frequency chart High 10s average Low 100s average

38 Diversity Test Check your sharing privilege

39

40

41 Recall Test But is the data any good?

42

43 What does good curation looks like?

44 Karma and Anonymity

45

46 Key Takeaway #1 'How can sharing make me better understand what are attacks that are targeted and what are commodity?'

47 Telemetry > Analysis Not everyone should need to know how to hunt to make a meaningful contribution

48 More Takeaways Analyze your data. Extract more value from it! If you ABSOLUTELY HAVE TO buy Threat Intelligence or data, evaluate it first. Try the sample data, replicate the experiments: Share data with us. I ll make sure it gets proper exercise!

49

50 Thanks! Q&A? Feedback! The measure of intelligence is the ability to change." - Albert Einstein