From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tidatasci)

Transcription

1 From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tidatasci) Alex Pinto Chief Data Scientist Niddel /

2 () { :; }; whoami Alex Pinto That guy that started MLSec Project Chief Data Scientist at Niddel Machine Learning Researcher focused on Security Data Network security and incident response aficionado Tortured by Log Management / SIEMs as a child A BIG FAN of Attack Maps #pewpew Does not know who hacked Sony Has nothing to do with attribution in Operation Capybara

3 Agenda Cyber War Threat Intel What is it good for? Combine and TIQ-test Using TIQ-test Novelty Test Overlap Test Population Test Aging Test Uniqueness Test Use case: Feed Comparison

4 What is TI good for anyway?

5 What is TI good for anyway? 1) Attribution

6 What is TI good for anyway?

7 What is TI good for anyway? 2) Cyber Threat Maps (

8 What is TI good for anyway? 3) How about actual defense? Use it as blacklists? As research data? Thing is RAW DATA is hard to work with

9 (Semi-)Required Reading #tiqtest slides: RPubs Page:

10 Combine and TIQ-Test Combine ( Gathers TI data (ip/host) from Internet and local files Normalizes the data and enriches it (AS / Geo / pdns) Can export to CSV, tiq-test format and CRITs Coming soon: CybOX / STIX TIQ-Test ( Runs statistical summaries and tests on TI feeds Generates charts based on the tests and summaries Written in R (because you should learn a stat language)

11 Using TIQ-TEST Available tests and statistics: NOVELTY How often do they update themselves? OVERLAP How do they compare to what you got? POPULATION How does this population distribution compare to another one? AGING How long does an indicator sit on a feed? UNIQUENESS How many indicators are found in only one feed?

12 Using TIQ-TEST New dataset!

13 Using TIQ-TEST Feeds Selected Dataset was separated into inbound and outbound

14 Using TIQ-TEST Data Prep Extract the raw information from indicator feeds Both IP addresses and hostnames were extracted

15 Using TIQ-TEST Data Prep Convert the hostname data to IP addresses: Active IP addresses for the respective date ( A query) Passive DNS from Farsight Security (DNSDB) For each IP record (including the ones from hostnames): Add asnumber and asname (from MaxMind ASN DB) Add country (from MaxMind GeoLite DB) Add rhost (again from DNSDB) most popular PTR

16 Using TIQ-TEST Data Prep Done

17 Novelty Test measuring added and dropped indicators

18 Novelty Test - Inbound

19 Overlap Test More data is better, but make sure it is not the same data

20 Overlap Test - Inbound

21 Overlap Test - Outbound

22 Population Test Let us use the ASN and GeoIP databases that we used to enrich our data as a reference of the true population. But, but, human beings are unpredictable! We will never be able to forecast this!

23

24 Is your sampling poll as random as you think?

25 Can we get a better look? Statistical inference-based comparison models (hypothesis testing) Exact binomial tests (when we have the true pop) Chi-squared proportion tests (similar to independence tests)

26

27 Aging Test Is someone cleaning this up eventually?

28 INBOUND

29 OUTBOUND

30 Uniqueness Test

31 Uniqueness Test Domain-based indicators are unique to one list between 96.16% and 97.37% IP-based indicators are unique to one list between 82.46% and 95.24% of the time

32

33 Intermission

34 OPTION 1: Cool Story, Bro! Some of you are probably like: You Data Scientists and your algorithms, how quaint. Why aren t you doing some useful research like nation-state attribution?

35 OPTION 2: How can I use this awesomeness on my data?

36 Use Case: Comparing Private Feeds How about using TIQ-TEST to evaluate a private intel feed? Trying stuff before you buy is usually a good idea. Just sayin Let s compare a new feed, private1, against our combined outbound indicators

37 Population Test

38 Population Test

39 Population Test

40 Aging Test Mostly DGA Related Churn I guess most DGAs rotate every 24 hours, right? Rotation means the private data is still fresh, from research or DGA generation procedures

41

42

43 A++ WOULD THREAT INTEL AGAIN

44 MLSec Project Both projects are available as GPLv3 by MLSec Project Doing ML research on Security? Let us know! Putting together a trust group to share experiences and develop open-source tools to help with data gathering and analysis Liked TIQ-TEST? We can help benchmark your private feeds using these and other techniques Visit or just me.

45 Don t want to do all this work? Come talk to me about Niddel! Private Beta of Magnet, the Machine Learning-powered Threat Intelligence Platform. Our models extrapolate the knowledge of existing threat intelligence feeds as experienced analysis would. Models make use of the same data analyst would have. Automatically triages and hunts on pivots of enriched information

46 Take Aways Analyze your data. Extract value from it! Try before you buy! Different test results mean different things to different orgs. Try the sample data, replicate the experiments:

47 Greets for helping with for his work on for IPEW and chart revisions for TIQ- TEST All the MLSec Project community peps!

48

49 Thanks! Q&A? Feedback! @NiddelCorp The measure of intelligence is the ability to change." - Albert Einstein