The New ROI: Results Oriented Intel
David Amsler, Founder, Foreground Security

Foreground Security
• Dedicated security services firm
• Founded in 2000 with offices in Florida, Virginia, and Maryland
• Federal and commercial clients
• Specializing in advanced hunting, security operations, assessment, and response
• RSA Certified MSSP and the only Level 3 ASN certified partner in the US

What is Threat Intelligence (TI)?
Definition: Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
Source: https://www.gartner.com/doc/2487216/definition-threat-intelligence

What is Threat Intelligence (TI)?
• Unless you have an explicit intelligence operations mission, threat intelligence is not a product by itself; it is an enabler
• Not all intel is created equal, but that isn't necessarily a bad thing

Threat Intelligence Market

Important Questions
• Are you interested in intelligence or indicators? (One provides context; the other does not.)
• How wide a net do you want to cast for intelligence?
• Are all threats equally important to you?
• How will you operationalize your intel?

Operationalizing Threat Intelligence Operations
• Metrics are key: constantly re-assess value
• Know your tool limitations; for example, what good are full-path indicators if your APIs don't support them?
• Know your threats; are you really interested in knowing every address that once may have hosted a spam domain?
• Managing intelligence is a full-time job, but it should not be independent of analysis/detection operations

Intelligence vs. Indicators (Intelligence vs. Information)
• Intelligence: detailed intelligence records with full context
• Indicators/information: individual information records (e.g. domains) with no context

TI Formats
• Plain text list
• Comma separated value (CSV) list
• Email body
• Extensible markup language (XML) file
• Web page

TI Frameworks
• OpenIOC
• IODEF
• VERIS
• STIX
• CybOX

Formats = Parsers

STIX Architecture

Threat Intelligence Life Cycle

Case Studies

Case Study – Phishing Email: From Indicators to TTPs
• Indicators: valuable, but usually not for long; easy for an attacker to modify
• TTPs: harder for an attacker to change; can be derived from macro-level analysis*
(Diagram labels: Executive, Admin Assistant, Admin Assistant, Command and Control)
*Google Bianco's "Pyramid of Pain"

Case Study – System Compromise
Drive-by exploit is served to an unsuspecting user

Case Study – Investigation
Malware identified and extracted
Static Analysis
• File name
• File type
• File size
• File hashes
• Strings
Dynamic Analysis
• API/library calls
• Processes created
• File activity
• Registry activity
• Network activity
Together these yield the base (1st degree) indicators

Case Study – Research
Pivot from base (1st degree) indicators to identify additional current-campaign or future-campaign indicators:
• Registrant details
• IP addresses
• Netblock owner
• ASN
• Domains
• Email header data

Case Study – Research
Base/pivot indicators + Techniques, Tactics, & Procedures (TTPs) + Threat actor attribution = Campaign identification

Case Study – Management
Threat intel sources are processed through:
• Normalization
• Deduplication
• Tagging
• Ranking
• Weighting
and then placed into threat intel storage

Case Study – Application
• Option 1: Manual application of threat intelligence via rules/custom content
• Option 2: Automated application of threat intelligence through an intelligent broker/Live/API
Security controls; Automated Threat Intelligence Platform (ATIP)

Case Study – Application and Hunting
• Manual or automated hunting is performed
• Threat intelligence is applied to controls
• Other tools
• Historical and ongoing compromises are identified
• Metrics

In Summary

Questions?
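The static-analysis step of the Investigation case study (file name, type, size, hashes, strings) and the base indicators it produces, worked through in Python as an added example that is not part of the presentation. The byte blob, the magic-number table and the regular expressions are this example's own assumptions; the blob is a constructed stand-in, not a real sample.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed stand-in for an extracted sample: a fake MZ header followed by
# a few embedded strings. Not real malware; just bytes to exercise the steps.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 16
    + b"This program cannot be run in DOS mode.\x00" + b"\x00" * 8
    + b"http://update-check.example/load.php\x00" + b"\x00" * 4
    + b"198.51.100.23\x00"
    + b"C:\\Users\\dev\\proj\\Release\\loader.pdb\x00"
    + b"ab\x00"  # too short to count as a string
)

# Minimal magic-number table (assumed; a real triage would use libmagic).
MAGIC = [(b"MZ", "PE (MZ header)"), (b"\x7fELF", "ELF"),
         (b"%PDF", "PDF"), (b"PK\x03\x04", "ZIP container")]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
PDB_RE = re.compile(r"[A-Za-z]:\\[^\s:*?\"<>|]+\.pdb", re.IGNORECASE)


def file_type(data):
    """Identify the container by its leading magic bytes."""
    for magic, name in MAGIC:
        if data.startswith(magic):
            return name
    return "unknown"


def extract_strings(data, min_len=4):
    """Equivalent of `strings`: runs of printable ASCII at least min_len long."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group(0).decode("ascii") for m in pattern.finditer(data)]


def base_indicators(name, data):
    """Build the 1st-degree indicator record for one extracted file."""
    strings = extract_strings(data)
    text = "\n".join(strings)
    urls = sorted(set(URL_RE.findall(text)))
    # Hostnames pulled out of URLs are what most controls can actually block.
    hosts = sorted({urlparse(u).hostname for u in urls if urlparse(u).hostname})
    return {
        "file_name": name,
        "file_type": file_type(data),
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "strings": strings,
        "urls": urls,
        "hosts": hosts,
        "ipv4": sorted(set(IPV4_RE.findall(text))),
        # Build paths are a pivot point for later research, not a blockable IOC.
        "pdb_paths": sorted(set(PDB_RE.findall(text))),
    }


if __name__ == "__main__":
    report = base_indicators("sample.bin", SAMPLE)
    for key, value in report.items():
        print(f"{key:10} {value}")
```

The hashes and the file name are the indicators at the bottom of the Pyramid of Pain; the URL, host and IP move up one level, and the PDB path is kept separately because it feeds the research pivot rather than a control.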
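The Management case study (normalization, deduplication, tagging, ranking, weighting) together with the "Formats = Parsers" slide and the tool-limitations point from the operationalizing slide, as one added example in Python that is not part of the presentation. Both feeds are constructed, the source weights are assumed values, and the scoring rule is one illustrative choice rather than anything the deck prescribes.

```python
import csv
import io
import re

# Constructed sample feeds (not real intelligence). Feed A is a plain text
# list, feed B a CSV export: two of the formats from the TI Formats slide.
FEED_A_TXT = """\
# constructed feed A: one indicator per line, defanged
evil-updates[.]example
198.51.100.23
hxxp://evil-updates[.]example/load.php
EVIL-UPDATES[.]example
"""

FEED_B_CSV = """\
indicator,type,confidence
evil-updates.example,domain,80
203.0.113.7,ipv4,40
http://evil-updates.example/load.php,url,70
"""

# Assumed per-source weights (0-1). In practice these come from your own
# metrics on how often each feed produced a true positive.
SOURCE_WEIGHTS = {"feed_a": 0.4, "feed_b": 0.9}

IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")


def normalize(raw):
    """Normalization: trim, lowercase, refang '[.]' and 'hxxp'."""
    value = raw.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if value.startswith("hxxp"):
        value = "http" + value[4:]
    return value


def classify(value):
    """Re-derive the type rather than trusting a feed column, so dedupe keys agree across sources."""
    if value.startswith(("http://", "https://")):
        return "url"
    if IPV4_RE.match(value):
        return "ipv4"
    return "domain"


def parse_text_feed(text, source):
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        value = normalize(line)
        yield {"value": value, "type": classify(value), "source": source, "confidence": None}


def parse_csv_feed(text, source):
    for row in csv.DictReader(io.StringIO(text)):
        value = normalize(row["indicator"])
        yield {"value": value, "type": classify(value), "source": source,
               "confidence": int(row["confidence"])}


def merge(records):
    """Deduplication by (type, value); tagging with source and type."""
    merged = {}
    for rec in records:
        key = (rec["type"], rec["value"])
        entry = merged.setdefault(key, {"value": rec["value"], "type": rec["type"],
                                        "tags": set(), "confidences": []})
        entry["tags"].add("source:" + rec["source"])
        entry["tags"].add("type:" + rec["type"])
        if rec["confidence"] is not None:
            entry["confidences"].append(rec["confidence"])
    return list(merged.values())


def score(entry):
    """Weighting: sum of source weights, scaled by the mean stated confidence when one exists."""
    sources = [t.split(":", 1)[1] for t in entry["tags"] if t.startswith("source:")]
    weight = sum(SOURCE_WEIGHTS.get(s, 0.1) for s in sources)
    if entry["confidences"]:
        weight *= sum(entry["confidences"]) / len(entry["confidences"]) / 100
    return round(weight, 3)


def build_ranked_list(feeds, supported_types):
    """Parse, normalize, dedupe, tag, weight, rank; then drop types the target control cannot consume."""
    records = []
    for name, fmt, text in feeds:
        parser = parse_text_feed if fmt == "txt" else parse_csv_feed
        records.extend(parser(text, name))
    entries = merge(records)
    for e in entries:
        e["score"] = score(e)
        e["tags"] = sorted(e["tags"])
    entries = [e for e in entries if e["type"] in supported_types]
    return sorted(entries, key=lambda e: e["score"], reverse=True)


FEEDS = [("feed_a", "txt", FEED_A_TXT), ("feed_b", "csv", FEED_B_CSV)]

if __name__ == "__main__":
    # A control whose API only accepts domains and IPs: full-path URLs are filtered out.
    for e in build_ranked_list(FEEDS, {"domain", "ipv4"}):
        print(f'{e["score"]:5.2f} {e["type"]:6} {e["value"]:25} {e["tags"]}')
```

The four raw lines that refer to the same domain collapse into one record carrying both source tags, which is what lifts it to the top of the ranking; the URL survives the merge but is dropped at the last step because the assumed control cannot use a full-path indicator, matching the tool-limitation question on the operationalizing slide.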
• David Amsler, President & Founder
• dave@foregroundsecurity.com
• www.foregroundsecurity.com
© Copyright 2024