Data-DrivenThreatIntelligence:MetricsonIndicatorDisseminationandSharing

(#ddti)

AlexPintoChiefDataScientist

MLSec Project/Niddel@alexcpsec

@MLSecProject /Niddel

• WhatisTIgoodfor?• CombineandTIQ-test• MeasuringIndicators• ThreatIntelligenceSharing• Futureresearchdirection(i.e.willworkfordata)

Agenda

HTto@RCISCwendy

WhatisTIgoodfor(1)Attribution

WhatisTIgoodforanyway?

TYto@bfist forhisworkonhttp://sony.attributed.to

WhatisTIgoodfor(2)– CyberMaps!!

TYto@hrbrmstr forhisworkonhttps://github.com/hrbrmstr/pewpew

WhatisTIgoodforanyway?• (3)Howaboutactualdefense?• Strategicvs.tacticalvs.operational:planning• Technicalindicators:DFIRandmonitoring

AffirmingtheConsequentFallacy

1. IfA,thenB.2. B.3. Therefore,A.

1. Evilmalwaretalksto8.8.8.8.2. Iseetrafficto8.8.8.8.3. ZOMG,APT!!!

Thisisadata-driventalk!Pleasecheckyouranecdotesatthedoor

CombineandTIQ-Test• Combine(https://github.com/mlsecproject/combine)• GathersTIdata(ip/host)fromInternetandlocalfiles• Normalizesthedataandenrichesit(AS/Geo/pDNS)• CanexporttoCSV,“tiq-testformat”andCRITs• h/t@kylemaxwell,@sconzo,@c0wl

• TIQ-Test(https://github.com/mlsecproject/tiq-test)• RunsstatisticalsummariesandtestsonTIfeeds• Generateschartsbasedonthetestsandsummaries• WritteninR(becauseyoushouldlearnastatlanguage)• h/t@hrbrmstr

SuddenlyDatahttps://github.com/mlsecproject/tiq-test-Summer-2015

UsingTIQ-TEST– FeedsSelected• Datasetwasseparatedinto“inbound”and“outbound”

TYto@kafeine andJohnBambenek foraccesstotheirfeeds

DataFormatforTIQ-TEST

TonsofThreat-yTests

• NOVELTY – Howoftendothefeedsupdatethemselves?• AGING – Howlongdoesanindicatorsitonafeed?• POPULATION – Howdoesthispopulationdistributioncomparetomydata?

• OVERLAP– Howdotheindicatorscomparetotheonesyougot?

• UNIQUENESS – Howmanyindicatorsarefoundonlyononefeed?

Puttingthisthreatdatatowork

TonsofThreat-yTests

• NOVELTY – Howoftendothefeedsupdatethemselves?• AGING – Howlongdoesanindicatorsitonafeed?• POPULATION – Howdoesthispopulationdistributioncomparetomydata?

• OVERLAP– Howdotheindicatorscomparetotheonesyougot?

• UNIQUENESS – Howmanyindicatorsarefoundonlyononefeed?

Puttingthisthreatdatatowork

OverlapTestMoredataisfine,butmakesure

itisdifferent

OverlapTest- Inbound

OverlapTest- Outbound

UniquenessTestHowmanyfishREALLYarethereatthesea?

Ihatequotingmyself,but…

KeyTakeaway#1

MORE!=BETTERThreatIntelligenceIndicatorFeeds

ThreatIntelligenceProgram

“TISharingisTOTALLYgoingtosolvethis”

Right,people?Right?

HerdImmunity,isit?

Source:www.vaccines.gov

ThreatIntelligenceSharingWewouldliketothankthekindcontributionofdatafromthefinefolksatFacebookThreatExchangeandThreatConnect…

…andalsothesharingcommunitiesthatchosetoremainanonymous.Youknowwhoyouare,andwe❤ youtoo.

ThreatIntelligenceSharing– Data

Fromaperiodof2015-03-01to2015-05-31:- NumberofIndicatorsShared

§ Perday§ Permember

Notsharingthisdata– privacyconcernsforthemembersandcommunities

OVERLAPSLIDE

OVERLAPSLIDE

UNIQUENESSSLIDE

TheCognitiveDissonancesofTISharing

Everybody shouldshare! TheCIRCLEOFTRUST

Whatdoyoushare?

Whatdoyouconsume?

TheTwoSidesofTrust

ActivityTestIsthereanyactualsharinggoing

on?

Updatefrequencychart

High10saverage Low100saverage

Large– 10.000smembers Small– High10smembers

DiversityTestCheckyoursharingprivilege

RecallTestButisthedataanygood?

Whatdoesgoodcurationlookslike?

KarmaandAnonymity

KeyTakeaway#1

'Howcansharingmakemebetterunderstandwhatare

attacksthat“aretargeted”andwhatare“commodity”?'

Telemetry>AnalysisNoteveryoneshouldneedtoknowhowtohunttomakeameaningfulcontribution

MoreTakeaways

• Analyzeyourdata.Extractmorevaluefromit!• IfyouABSOLUTELYHAVETObuyThreatIntelligenceordata,evaluateitfirst.

• Trythesampledata,replicatetheexperiments:• https://github.com/mlsecproject/tiq-test-Summer2015• http://rpubs.com/alexcpsec/tiq-test-Summer2015

• Sharedatawithus.I’llmakesureitgetsproperexercise!

Thanks!

• Q&A?• Feedback!

”Themeasureofintelligenceistheabilitytochange."- AlbertEinstein

AlexPinto@alexcpsec

@MLSecProject /@NiddelCorp