The New ROI: Results Oriented Intel. David Amsler, Founder

Size: px

Start display at page:

Download "The New ROI: Results Oriented Intel. David Amsler, Founder"

Liliana Harmon
8 years ago
Views:

1 The New ROI: Results Oriented Intel David Amsler, Founder

2 Foreground Security Dedicated Security services firm Founded in 2000 with offices in Florida, Virginia, and Maryland Federal and commercial clients Specializing in Advanced Hunting, Security Operations, Assessment, and Response RSA Certified MSSP & Only Level 3 ASN certified partner in US

clients Specializing in Advanced Hunting, Security Operations,

3 Threat Intelligence

4 What is Threat Intelligence (TI)? Definition: Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard. Source:

indicators, implications and actionable advice, about an existing or emerging menace or hazard to

5 What is Threat Intelligence (TI)? Unless you have an explicit intelligence operations mission, threat intelligence is not a product by itself; it is an enabler Not all intel is created equal, but that isn t necessarily a bad thing

6 Threat Intelligence Market

7 Important Questions Are you interested in intelligence or indicators (one provides context, one does not) How wide of a net do you want to cast for intelligence? Are all threats equally important to you? How will you operationalize your intel?

a net do you want to cast for intelligence?

8 Operationalizing Threat Intelligence

9 Operations Metrics are key constantly re-assess value Know your tool limitations; for example, what good are full path indicators if your APIs don t support them? Know your threats; are you really interested in knowing all addresses that once may have hosted a spam domain? Managing intelligence is a full time job, but should not be independent of analysis/detection operations

Know your threats; are you really interested in knowing all addresses that once may have

10 Intelligence vs. Indicators Detailed intelligence records with full context Individual information records (e.g. domains) with no context

11 Intelligence vs. Information Individual information records (e.g. domains) with no context

12 TI Formats TI Frameworks Plain text list OpenIOC Comma separated value (CSV) list body Extensible markup language (XML) file IODEF VERIS STIX CybOX Web page Formats = Parsers

Email body Extensible markup language (XML)

13 STIX Architecture

14 Threat Intelligence Life Cycle

15 Threat Intel Life Cycle

16 Case Studies

17 Case Study Phishing From Indicators to TTPs Indicators: Valuable, but usually not for long; easy for an attacker to modify

18 Case Study Phishing From Indicators to TTPs TTPs: Executive Admin Assistant Admin Assistant Harder for attacker to change, can be derived from macro-level Command and Control analysis.* *Google Bianco s Pyramid of Pain

attacker to change, can be derived from macro-level

19 Case Study System Compromise Drive-by exploit is served to unsuspecting user

20 Case Study Investigation Malware identified and extracted Static Analysis File name File type File size File hashes Strings Dynamic Analysis API/library calls Processes created File activity Registry activity Network activity Base (1 st Degree) Indicators

Strings Dynamic Analysis API/library calls Processes created

21 Case Study Research Registrant Details ASN IP Addresses Domains Netblock Owner Header Data Pivot from base (1 st degree) indicators to identify additional current campaign or future campaign indicators

22 Case Study Research Base/Pivot Indicators Techniques, + = Tactics, & Procedures (TTPs) Campaign Identification Threat Actor Attribution

23 Case Study Management Threat Intel Sources Normalization Deduplication Tagging Ranking Weighting Threat Intel Storage

24 Case Study Application Option 1: Manual application of threat intelligence via rules/custom content Option 2: Automated application of threat intelligence through intelligent broker/live/api Security Controls

25 Automated Threat Intelligence Platform: ATIP

26 Case Study Application and Hunting Manual or automated hunting is performed Threat Intelligence is applied to controls Other Tools Historical and ongoing compromises are identified

27 Metrics

28 In Summary Questions? David Amsler, President & Founder

Threat Intelligence is Dead. Long Live Threat Intelligence!

SESSION ID: STR-R02 Threat Intelligence is Dead. Long Live Threat Intelligence! Mark Orlando Director of Cyber Operations Foreground Security Background Threat Intelligence is Dead. Long Live Threat Intelligence!