Introduction to Threat Intelligence


Page 1: Introduction to Threat Intelligence

All material confidential and proprietary

Interop 2016

COLLECTING AND USING THREAT INTELLIGENCE DATA

Page 2

INTRODUCTIONS

Page 3

WE MAKE THREAT INTELLIGENCE ACCESSIBLE

ThreatConnect unites cybersecurity people, processes and technologies behind a cohesive intelligence-driven defense. Designed for security teams at all maturity levels, ThreatConnect enables organizations to maximize the value of their security technology investments, combat the fragmentation of their security organizations, and enhance their infrastructure with relevant threat intelligence.

Page 4

ABOUT ME

Bhaskar Karambelkar, Data Science Lead

Page 5

WHAT IS GOING ON?

Page 6

VERIZON 2016 DBIR – DETECTION DEFICIT

• Attackers are getting faster and we are not catching up.

• Most compromises happen within days.

• Most compromises are discovered weeks and months out, if not years.


Source: Verizon 2016 Data Breach Investigations Report.

Page 7

VERIZON 2016 DBIR – DISCOVERY METHODS

• Internal discovery is less and less common.

• Third parties (often the victims) and law enforcement (L&E) are the ones who discover breaches.


Source: Verizon 2016 Data Breach Investigations Report.

Page 8

THREAT INTELLIGENCE

Page 9

GARTNER HYPE CYCLE

SOURCE: http://www.gartner.com/technology/research/methodologies/hype-cycle.jsp

Page 10

THREAT INTELLIGENCE (TI)

• Gartner defines TI as ‘evidence-based knowledge, including context, mechanisms, indicators, implications, and actionable advice about an existing or emerging menace or hazard to assets, that can be used to inform decisions regarding the subject’s response to that menace or hazard’.[1]

• But TI is often mistaken for just the Indicators of Compromise (IOCs) and ergo has become a marketing buzzword. LET US CHANGE THAT PERCEPTION.

• TI works best in collaboration with other security practices: Vulnerability & Patch Management (VM), Security Operations (SOC), Incident Response (IR), etc.

• It is an important piece of the data-driven approach to Threat Management.

Page 11

THE THREAT INTELLIGENCE PROCESS

Collect → Enrich → Connect → Contextualize → Analyze & Prioritize → Operationalize

Diagram labels (sources and integrations around the process):

• External Sources

• Whois / passive DNS / GeoIP

• Firewalls, IDS/IPS, Vuln Scanners, Endpoint Sec.

• SIEM

Page 12

THREAT INTELLIGENCE PROGRAM MATURITY MODEL

Maturity levels, from most to least mature:

• Well-Defined TI Program

• TI Program In Place

• Expanding

• Warming Up

• Not sure where to start

Page 13

CHARACTERISTICS OF GOOD TI

• RELEVANT

• TIMELY

• COMPREHENSIVE

• ACCURATE

• All these make it ACTIONABLE.

Page 14

FEEDS, FEEDS, FEEDS

Page 15

TI FEEDS AND DONE, RIGHT? ... WRONG!

• Subscribing to a bunch of open and/or premium external feeds and sticking them in your firewall, IDS/IPS and SIEMs will not work. WHY?

• Too many false positives, too much irrelevant data, exhausted and overworked security analysts, a false sense of security.

• If anything, this will hurt your security posture.

• So feeds are useless then? Not quite.

• External feeds are only a piece of the TI management process. They add unique value to the process but are not the be-all and end-all of TI.

• Vetted sources can help drive down the false positives.

• Contextualized/Enriched/Connected indicator sources can help Ops and IR teams make proper decisions and prioritize correctly.

Page 16

SO, WHICH FEEDS DO I NEED?

WRONG QUESTION, YOU FAIL AT JEOPARDY!

• Correct question: What are the key areas in my defense that need strengthening, based on my security risk assessment and threat modeling?

• So what do I do?

o Look for vetted feeds.

o Compare and contrast premium vendor feeds.

o Evaluate your subscribed feeds.

o Be part of an industry-specific sharing community (FS-ISAC, ONG-ISAC, etc.).

BEST INTEL COMES FROM YOUR OWN ORGANIZATION.

Page 17

THREAT INTELLIGENCE PLATFORM

Page 18

WHAT IS A TI PLATFORM (TIP) AND WHY DO I NEED ONE?

A product to manage your threat intelligence processes in one central place.

Allows you to:

• subscribe to internal/external feeds.

• enrich/connect/contextualize/prioritize your data.

• integrate your TI data with security tools (Firewalls, IDS/IPS, WAFs, VM, SIEMs).

• keep track of historic data for reference and trend analysis.

• interact with common-interest communities for sharing data.

And also allows:

• various security teams (IR, SOC, IT) to collaborate on threat data.

• your CIO/CISO and other senior execs to gain insights for strategic decision making.

Page 19

HOW DO I GET ONE?

Find a TIP vendor!

• Things to consider when looking for a vendor:

o Integration with existing tools.

o Hosting options (multi-tenant, on-prem, private cloud).

o Collaboration, community support.

o Reporting and dashboards.

o Service provider support.

Your TIP needs to be a team player in your security infrastructure and aid you in your tactical/operational/strategic threat management needs.

Page 20

ACTING ON THREAT INTELLIGENCE

Page 21

PUT THOSE IOCS RIGHT TO WORK!

• Make your TIP the central nervous system of your security infrastructure.

• There should be bi-directional communication between your TIP and your firewalls/SIEMs/IDS/IPS/endpoint security.

• Not all devices need all IOCs: segregate by device type as well as kill chain target.

• Vet good IOCs; share them as much as possible/allowed with peers.

• Mark bad IOCs (known goods or false positives) but don’t completely get rid of them, as they may provide context.
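One way to put the last three bullets into practice, together with the earlier point that vetted sources drive down false positives: the routing function below is an added example, not ThreatConnect's code. The device-type and kill-chain mappings, the indicator field names and the sample feed are all constructed assumptions.

```python
# Added example (not ThreatConnect code): route vetted IOCs to the devices that
# can use them and keep known-good / false-positive IOCs for context.
from collections import defaultdict

# Assumption: indicator types each device class can enforce or alert on.
DEVICE_TYPES = {
    "firewall": {"ip", "domain"},
    "ids_ips": {"ip", "domain", "url"},
    "endpoint": {"file_hash"},
    "siem": {"ip", "domain", "url", "file_hash"},
}

# Assumption: kill-chain phases each device class is positioned to observe.
DEVICE_PHASES = {
    "firewall": {"delivery", "command_and_control"},
    "ids_ips": {"delivery", "exploitation", "command_and_control"},
    "endpoint": {"installation", "actions_on_objectives"},
    "siem": {"reconnaissance", "delivery", "exploitation", "installation",
             "command_and_control", "actions_on_objectives"},
}

def route_indicators(indicators):
    """Return (deployments, suppressed).

    deployments maps a device class to the indicator values to push to it.
    suppressed holds known-good / false-positive IOCs, kept with their
    context instead of deleted. Unvetted IOCs go nowhere: they stay in the TIP.
    """
    deployments = defaultdict(list)
    suppressed = []
    for ioc in indicators:
        if ioc.get("known_good") or ioc.get("false_positive"):
            suppressed.append(ioc)
            continue
        if not ioc.get("vetted"):
            continue
        for device, types in DEVICE_TYPES.items():
            if ioc["type"] in types and ioc["kill_chain"] in DEVICE_PHASES[device]:
                deployments[device].append(ioc["value"])
    return dict(deployments), suppressed

# Constructed sample feed: RFC 5737 documentation addresses and a placeholder hash.
SAMPLE_FEED = [
    {"value": "198.51.100.23", "type": "ip", "kill_chain": "command_and_control", "vetted": True},
    {"value": "203.0.113.5", "type": "ip", "kill_chain": "delivery", "vetted": False},
    {"value": "example.net", "type": "domain", "kill_chain": "delivery", "vetted": True,
     "known_good": True, "note": "corporate CDN that showed up in a vendor feed"},
    {"value": "a" * 64, "type": "file_hash", "kill_chain": "installation", "vetted": True},
]
```

Running `route_indicators(SAMPLE_FEED)` pushes the vetted C2 address to the firewall, IDS/IPS and SIEM and the hash to the endpoint product and SIEM, leaves the unvetted address in the TIP, and returns the known-good domain with its note instead of deleting it.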

Page 22

THANK YOU!

• Comments/Questions

• http://www.treatconnect.com/

• https://twitter.com/bhaskar_vk

• https://www.linkedin.com/in/bhaskarvk