
[inaudible] you can read this at your own leisure; it's a slightly different description of threat intelligence. Okay, this is one that focuses on threats and attacks, but there's also... everyone thinks of things like indicators of compromise, but there's really a whole lot more to it than just indicators of compromise. Now, that seems to be some of the more actionable and more tactical type of threat intelligence, so a lot of people have high ratings for that, but there are other disciplines within threat intel that are focused. So the indicators of compromise we did in this technical round down here; when you get a little bit higher in the triangle there, the pyramid of pain, you have your tools, tactics and procedures as well. But if you have the luxury of having insight into your attackers and have knowledge that there's an imminent threat, that kind of falls more on the operational side of threat intelligence. And of course one of the more important areas is also the strategic: if you have the ability to influence upper management on where security needs to be moving, it's probably more important in some sense than passing indicators down to your controls. So you've got to be able to speak upstream, but you also have to be able to speak downstream when it comes to threat intel.

Now, this is just a couple of stats from
the Symantec ISTR, and as Ryan was just talking about in the previous one, everyone is a target. I mean, no matter how small or how big you are, regardless of what you think, security is critical and everybody is a target. Yeah, yeah, sure, an increase in targeted attacks from last year? Yeah, the Symantec ISTR is an annual report, and this is based on their 2014 compared to the previous year. So I mean, just last year alone, you know, based on that information, there's a lot more people trying to customize their attacks instead of them being broad, widespread campaigns that are easier to detect and generate a lot more noise. The attackers are getting more specialized, especially with all the information that's getting stolen; it makes it easier to create a dossier and target your attack.

Now, we're also dealing with a significant increase in the frequency. You can't even see the years on the bottom of that, can you? Yeah, I think that was... I think this is based on nine years of activity, and I mean you can see a significant increase in what would be 2013, 2014 over here. And this is part of what's led to a lot of the hype associated with threat intelligence; you know, everybody, it's the buzzword and all that sort of stuff, and it's for good reason. I mean, all of security in a sense is getting a lot of buzz and a lot of attention, and these are really the reasons why.

The cost of the breach is interestingly kind of stable. You would think after so many years of breaches that we'd be getting better at responding and these costs of the breaches would be getting lower, but they've actually kind of stabilized for the most part. But that's not necessarily a good thing, because, you know, you might still be spending somewhere around $200 per record in terms of your breaches, but you're dealing with a much higher frequency, much bigger breaches, so your actual cost is going to be more when you add all that up. But per record it's surprisingly kind of stable. Is that where you were going? Yeah, exactly. So I mean you would hope that the price would go down, but so far it doesn't appear to be moving in that direction. That's a good point, absolutely.

All right, this is another factor that's affecting the importance and push towards security and threat intel and things like that: it's getting a whole lot easier. You used to have to have a lot more skill and knowledge to be able to pull off some of these attacks, but with the mature underground market, I mean, if you're a bad guy and you're only good at one thing, you can easily go out and find other people to supplement the skills that you're not good at. You might be great at denial of service, but you need somebody composing your phishing attacks or developing your malware or things like that. So the underground economy has made it a lot easier for unskilled attackers to generate their own campaigns.
Now, this is just a, you know, generalized kind of evolution of TI, and in a sense this is kind of the evolution of a whole security program. In the beginning you might only be dealing with prevention; you know, you're just trying to survive, you're blocking as much as you can, but you don't have enough time to get much further than just [inaudible]. So as you evolve, you'll get to the point where you can do a little bit more response in terms of flexibility; you'll have a lot more visibility into the things that are going on, which is going to improve all of your agility and your security program. And eventually you get to the point, of course, where you can actually dive in and see the attacks happening, and you can kind of make decisions on whether you want to let that attack continue and you want to watch and see what the attackers are doing and lead them towards a honeypot. So, you know, the sophistication will of course increase with time, but it does take an investment to get there.

In terms of detection, it's very similar to the previous one in terms of the evolution. At the very beginning, antivirus, you know, is really more of a preventive sort of thing, but with the volume of attacks, antivirus signatures, they're not dead, but they're not nearly as useful as they used to be. So you have to evolve into other detection mechanisms, and this is kind of an indication of how that evolution might occur. It's really just volume now. I think the APT is still just an APT, sorry to use the term, but they were neither advanced nor really that persistent; it was just volume, [inaudible]. I think you're pointing out pretty clearly that's the other side of the coin, right? Yeah, I believe so. I mean, there's certainly a big difference between your run-of-the-mill attackers and your APT teams. I mean, you don't have to be sophisticated to have a successful campaign, but there are certainly very successful and sophisticated attackers out there. I mean, let's see, what was the group that Kaspersky... the
Equation Group, one of the attacks that they were... but I mean incredibly sophisticated sort of stuff. Yep, exactly, Duqu 2.

One of the most important elements of threat intelligence is you have to understand your environment internally, what's going on, especially, you know, in terms of your assets, because this is what the attackers are going after. So, you know, you definitely have to know what's going on in terms of your threats externally, but you can't make that stuff relevant if you don't know what's going on internally. So I mean sometimes you have the luxury of coming in and your organization already tells you what's a priority to them: here are your intel requirements, this is what you need to go after. But in other cases you might come in and the business just says, "I want you to do threat intelligence," you know, they don't necessarily give you any direction. So you have to spend the time understanding your environment, figuring out what's important to your company, so that you can tailor your threat intelligence towards the threat profile of your business. And the threat profiling is similar to what we have here: depending on the size of your organization and the type of business you might be in, if you're a large bank you're probably dealing with all of these problems all of the time, concurrently really, but if you're a small shop, maybe not dealing in a whole lot of transactions or something like that, you might have maybe only the left-hand side of that profile chart.
Now, this was a presentation that was done by Ryan Stillings, and I think he did a really good job, and there's a couple more slides in here from his presentation, but this was a real good explanation of how the context of these attacks gets broken down and reconstructed. There's a cycle here: you've clearly got all this information that comes into your platform, you're going to push this information down to your tools, but these tools are going to generate events that your response team and forensics team might have to get involved in. They're going to learn some new things based on their investigation, maybe some other indicators of compromise, maybe they figure out what kind of tools were being used, what techniques the attackers had, and they can feed that information back into your platform. Now, this platform itself has its own cycle of information going on, and we'll look at that on the next slide, but externally it's its own cycle. So you've got a lot of different things going on: you've got a lot of curation of the data here, you've got these events happening here that's feeding more data in, so it's a very active cycle.

The threat intel part of it: there's a variety of different ways that people have tried to describe the process, and they're slightly different, but there's enough similarities to where you can almost just pick any one of them and follow that to understand how the data is a continuous cycle. But you've got to collect as much of this information as you can, identifying the stuff that's relevant to you, making assessments on that stuff, pushing the information out to your audience, getting feedback from them on whether that's valuable or not, and it feeds right back into collecting more data and starting all over again.
This is from that Ryan Stillings presentation again, and I mean it just kind of... I thought it was really useful here, because a lot of people think that it's just a matter of going and getting a feed of some kind that has a bunch of IPs and hashes and things like that, and you push it straight down to your security controls and you're done. There's clearly a whole lot more to it than that, the first little block over there, and in his talk he goes into each of these different phases and each of these steps, so I'd recommend looking at that full presentation if this slide interests you. But as you can see, I mean, you've got to get all the right data; I mean, you want to profile your company so that you're getting the data that's most relevant to the attackers. Obviously you have to be able to deploy this information with so many different security controls: you might not be able to push STIX down to an IDS machine, you might have to push regular expressions, you might have to push XML or JSON depending on the format that they take. So it's not a matter of just taking the information and then pushing it out; once you bring the information in, you might have to format it and massage it in a way that it can even be used in the first place. And then of course you can't just keep taking on information without cleaning it and getting rid of the stuff that's not relevant anymore. The incident response team might come back and tell you that this other data was useful, this data is not, so you can't keep it all. So there's going to be a point where you've got stuff that, say, to you is more valuable than others, and that will evolve through a lot of experience and trial and error. But clearly it's not an easy job of bringing in all this raw data about threats and just, you know, expecting to be able to improve your security controls without a lot of effort.
There's a lot of variety in the platforms that are available, and I think this leads to confusion a lot as well. I mean, like for your cloud-based collaborative threat exchanges, you've got the Microsoft Interflows and you've got your ThreatConnects and you've got all these wonderful sharing platforms; everybody's inviting you to come out there and share all your indicators, and that's great for collaboration. But in those platforms you have no choice on what kind of data gets pulled in; it's only what the community collaborates on and adds. In some cases they might be pulling stuff from your Emerging Threats and stuff like that, but there might be a source that's important to you that they're not willing to include in that platform. So it's great for collaboration, but it doesn't have the data that you want in that platform, so it fails on the collection side of it. The second one, or it might not be a good platform for analysis. So it tends to be very difficult to find a single platform that's good at collecting, good at collaborating, good at making an analysis, enrichment. It tends to be kind of a collection; to do it right at this point requires a collection of tools to pull all this stuff off. There is no one tool that can do it all. The FS-ISAC has its own, in a sense its own platform that all the FIs are contributing to. You've also got, you know, some of the private information sharing communities; they have their own platforms where you can go out and pull information. So there's a lot of sources, a lot of variety in what their capabilities are.

Now, in terms of the providers, this is obviously a problem as well, leading to a lot of the FUD. These sales teams want to tell everybody that their company has threat intel, but after asking a few questions it really might be nothing more than just a raw feed of indicators. So you have to be really careful listening, of course, to the salespeople, you know, any time, but especially when it comes to threat intel. If you're seeking out specialized reports, specialized intel that's really relevant and meaningful to you, it's probably not going to be cheap, and you're going to have to have an intimate relationship with your vendor. Really all the vendors, I mean not just in TI but in security in general, in my opinion, you know, all they can provide is almost a one-size-fits-all, in a sense, type of security. It takes threat intel or your own security team to supplement those controls that are more specific to your organization, and that's one of the special things about threat intelligence: you can pull all this information together and supplement your existing controls beyond what your vendors are capable of doing.
They of course come in all shapes and sizes and all different types of cost, and of course with very, very little overlap. Excuse me, that's a very interesting one, and I think I've got the talk in the sources at the end of the slides here, but it was Ryan Trost who did a presentation at Black Hat last year where he did an analysis of a lot of the different feeds and sources. He looked at all this information and tried to do a comparison, and the interesting result was that of all these big, well-named, well-known companies, there was very, very little overlap in the information, in the bad IPs and bad domains that they had. And that's a challenge from a business perspective, because now you kind of feel like you have to buy a bunch of sources, you have to pay for sources everywhere, to be able to get the big picture, because a lot of the vendors are only seeing a small subset of the problem and they all seem to have a little bit of a unique perspective. Of course, going forward, the emphasis is that the data that's coming from our vendors has got to have more context. It can't just be a bad IP or a bad hash; you need to know where it came from, or maybe what it was affiliated with, what type of attack, or, you know, even languages and things like that. Any kind of data that can be added to the threat information can be very valuable in making decisions.
This is a set of intelligence objectives that we put together at my day job, and it's what we call our neighborhood approach. If people are trying to break into your house, or your company, you know, obviously that's going to be your number one priority, so you need to spend a majority of your time concerned about things that are directly affecting your company. Now, if people are breaking into your neighbor's house, you know, you might want to know how they're getting in: are they breaking the windows, are they sneaking in through the garage? So having the information about what's going on in your neighborhood, or your industry, can be very valuable as well. If you can get to the point where you're partnering with other banks that are even the same size, or different organizations that are the same size as yours, that's even more valuable information than someone that's in your industry but way bigger than you or way smaller than you. So the more you're able to partner, especially within your industry, that's another great way of being able to supplement your controls with meaningful intel. Of course lastly, the big bucket: pretty much anything that's happening on the Internet. If it's new or unique or special in any sort of way, you're going to want to know what's going on with that campaign and try and get as much information as you can; it might just be a matter of making a few different changes in your organization to be able to defend against this new attack. Any questions on this one? Yeah, I guess this one is kind of a second wall of text, isn't it?

All right, so there's certainly no shortage of challenges when it comes to threat intel, and data is the biggest problem at this point. There is an abundance of information. Just a few years ago, if you were in threat intel you were trying to get as much data as you could, because there wasn't a lot out there; you know, three, four years ago or so, I mean, you'd be going to blogs, just reading a blog trying to find bad IPs in some cases. I mean, it's completely flip-flopped now: there is too much data. You've got to find a way to ingest the data that's most meaningful to you. So the volume of data is a huge problem; you can't take it all in, so you've got to decide what's the best source, and that's not easy. They won't necessarily tell you, you know, where they're getting the data from or what it's related to; they'll just tell you, "We've got, you know, five million IP addresses a day," or, you know, whatever. It's more about volume and quantity rather than quality. There will be people that buy it. Yes, if you can create just a list of a whole bunch of bad information and start dumping it out, there will be people that want to buy it; they'll think it's threat intel. It is. [Laughter]
[Applause] [Laughter] The lack of industry maturity is the problem as well, but that's, you know, that's going to come with time. As I mentioned in terms of the different platforms, you've got to piecemeal things together. I mean, a threat intel program is not going to be one or two pieces of technology; it's going to be a variety of technology to make that work. Now, in the future they might be able to consolidate some of these features and capabilities into a bigger solution, but right now it's bits and pieces. In terms of the standards, everyone has an opinion on that; there's a variety of different indicator and threat information sharing proposed standards. You know, we'll get to a point where we either agree to accept these two or three, or, if we're lucky, maybe get down to just one, but there's just not really a good way to communicate threat information from one organization to the next, and that's going to be key in being able to share. Of course the previous slides we looked at, the increase in sophistication and frequency and all that, is obviously a problem, and then the others are relatively obvious.

In terms of some recommendations I could make: limiting your sources is big, obviously, with the amount of data that we've been talking about. You're going to have to think outside the box; I mean, this stuff's not going to be clear. I mean, they're not going to give you a list of all the things that you need to do; they're going to give you some ideas of things that you need to do, and you're going to do your homework, find out if it's something that you really need to do. Don't be dependent on your vendors. As I mentioned, the vendors are providing a one-size-fits-all in a sense; it's good, it's important, but it's not tailored for your organization. Your vendor doesn't know exactly what you do and what's most important to you and what your key assets are, and, you know, maybe even what are the most [inaudible] types of threats and types of attacks that you're going to be exposed to. That takes a little more focus, and being able to use the skills and employees that you already have to make those sorts of decisions, improve your security posture. Threat intel: don't expect threat intel to come in and fix all your problems. I mean, it's not a silver bullet, it's not a miracle; it's an enhancement to the controls that you already have. It's unfortunately not... it'll be a miracle once we figure out how to do it right, that'll be the miracle. There are a lot of FUD providers out there; there are people that are able to sell feeds with nothing more than indicators in them, and they're calling it threat intel. That's not going to last long; people are going to figure this stuff out, they're going to understand what threat intel is, and those companies that are getting by with that, it's not going to last much longer. So your window of opportunity, Marcus, is closing quickly.
[Music]
It is, it is a challenge. I mean, data comes in a variety of forms and from a variety of different locations, and, you know, the challenge now is definitely trying to figure out where the most valuable data can be collected from, and being a distraction from the things that are important. Absolutely. Now, another interesting way of being able to improve your return on investment when it comes to threat intel is to expand your audience. I mean, this isn't just about your security controls, improving them, although that is important; it's not just about senior management. I mean, you could be providing intel to your sales team, your corporate communications teams, the people that watch for inclement weather, you know, in case you've got to close down. There's a lot... threat intel, depending on the types of tools that you're using to collect this information, can collect other information for other parts of your business that might be of value. Now, bad weather or, you know, earthquakes and hurricanes might seem like it's outside of threat intel, but it's still a threat to your business. So in some cases you might be lucky enough to be using a product that's more than just seeking out indicators; it might be more event-based, so you'll be informed when there are events that are a threat to your organization and not just indicators. And of course machine-to-machine sharing, I mean information sharing: there's all kinds of legislation and pushes to implement something more effective, rapid I guess, and that's really the next big movement when it comes to threat intel.

And that is it for my talk. There are several of the references that I used on here: the Vigilant one; the third one there is the Ryan Stillings, where he goes through a discussion of all the different data and where to get it, the process; the Ryan Trost was the Black Hat one I mentioned; and the other ones, the first one, if you haven't read any white papers on threat intel, that MWR white paper up there at the top is probably one of the best when it comes
to describing what threat intel is. And that's it. If you need to reach out to me, my contact information is there; I've got a little bit of my bio information in the description as well. Any questions?

Do you personally deal with a lot of different feeds, and have you actually seen what the content is like for a lot of these providers? Yes. Okay, so based on that, say I were not interested in IOCs but I'm really interested in things like TTPs; what sort of vendors or feeds have you seen that are actually pretty good about that? Oh, that's definitely a more challenging area. A lot of the TTPs I've seen, most of it is being generated from other organizations sharing threats more so than vendors sharing threat information. So the FS-ISAC platform, Soltra, that's one of them, because it's STIX; they're getting to the point where they can allow a lot more context. So part of it has to do with the standard in terms of being able to express a threat. Right now we express threats through emails and through blogs, and it's unstructured, so STIX and CybOX and some of these other things are enabling that to be a more structured data set that's more easily packaged and shipped. So right now not many of them can do it; the lack of ability to communicate in a standard way. Thanks. So a lot of, yeah, the TTPs right now come through email? Yeah, I mean, we're getting most of them through our ISACs or just partners we have one-on-one sharing with, and our own ones that we've developed in-house. Absolutely, you're right on. Anyone else?

A lot of those cycles, like right here, I always talk about the scientific method, just using that as a good template, because it at least allows you to assess what's actually making a positive benefit from your threat intel program or whatever program, because you can kind of observe, like, okay cool, this is exactly what works, test it, and, you know, form a hypothesis and all that stuff, observations, and then feed it back into the funnel. I think some of these things are saying that. I think it should be a general thing that we do, to try to bring more science to information security, because if all these vendors are just creating crap and it's not helping anybody out, it can't be science. No, absolutely, and the... where's the one that had already... yeah, I mean, a lot of this one is a very scientific approach to the data, especially once you get down here, and he'll go into a little more of that in his presentation. But yes, the more time you can spend on looking at what indicators came in, which of these indicators had a positive match on something happening inside your environment, all of a sudden that source got a few, you know, notches in the value. Blindly, right? Absolutely, you've got to identify those sources that are the most relevant to your organization, and the ones that aren't relevant, stop ingesting it. Focus. Thank you much. [Applause]
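Added example, not part of the talk above and not code from the speaker, Ryan Trost, Ryan Stillings or any vendor: the talk describes three chores a threat intel team ends up doing by hand, comparing feeds for overlap (the Black Hat feed analysis), scoring each source by how many of its indicators actually matched something inside the environment (the closing Q&A point about sources earning "notches in the value"), and massaging indicators into whatever shape a control can ingest when STIX is not an option (regexes, rules, JSON). The Python below does all three over constructed, hypothetical data: the three feeds, the JSON log lines and the Snort-style rule template are made up for this page, and the indicators use documentation IP ranges and `.example` names so nothing here points at a real host.

```python
import ipaddress
import json
import re
from itertools import combinations

# Constructed sample feeds (hypothetical indicators in documentation ranges; not vendor data).
FEEDS = {
    "vendorA": {"198.51.100.7", "203.0.113.25", "198.51.100.9", "evil.example"},
    "vendorB": {"198.51.100.7", "203.0.113.77", "bad.example"},
    "community": {"203.0.113.25", "203.0.113.77", "evil.example", "phish.example"},
}

# Constructed sample egress events (one JSON object per line), standing in for proxy/firewall logs.
LOG_LINES = [
    '{"ts": "2015-05-01T10:00:01Z", "src": "10.0.0.4", "dst": "198.51.100.7", "host": null}',
    '{"ts": "2015-05-01T10:00:05Z", "src": "10.0.0.8", "dst": "203.0.113.25", "host": "evil.example"}',
    '{"ts": "2015-05-01T10:01:00Z", "src": "10.0.0.4", "dst": "93.184.216.34", "host": "example.com"}',
    '{"ts": "2015-05-01T10:02:00Z", "src": "10.0.0.9", "dst": "203.0.113.77", "host": null}',
]


def jaccard(a, b):
    """Overlap of two indicator sets: |a & b| / |a | b| (0.0 when both are empty)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def feed_overlap(feeds):
    """Pairwise Jaccard overlap for every pair of feeds, keyed by (name1, name2) in sorted order."""
    return {(x, y): jaccard(feeds[x], feeds[y]) for x, y in combinations(sorted(feeds), 2)}


def observed_indicators(log_lines):
    """Destination IPs and hostnames actually seen in the internal logs."""
    seen = set()
    for line in log_lines:
        event = json.loads(line)
        for key in ("dst", "host"):
            if event.get(key):
                seen.add(event[key])
    return seen


def score_feeds(feeds, log_lines):
    """Rank feeds by how many of their indicators matched internal traffic.

    'hits' is the number of feed indicators seen in the logs; 'hit_rate' divides by
    the feed's size, so a huge feed that never matches anything scores low.
    """
    seen = observed_indicators(log_lines)
    scores = {}
    for name, indicators in feeds.items():
        hits = indicators & seen
        scores[name] = {"size": len(indicators), "hits": len(hits),
                        "hit_rate": len(hits) / len(indicators)}
    return dict(sorted(scores.items(), key=lambda kv: kv[1]["hit_rate"], reverse=True))


def is_ip(value):
    """True for an IPv4/IPv6 literal, False for anything else (treated as a hostname)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def render_for_control(indicators, fmt, sid_start=1000000):
    """Massage one indicator set into the form a given control can ingest.

    "snort": Snort/Suricata-style rules (IPs as ip rules, hostnames as http_header content matches);
    "regex": one case-insensitive regex matching any of the hostnames, for grepping logs;
    "json":  a plain JSON document for an API-driven control.
    The rule template is a hypothetical one written for this example.
    """
    ips = sorted(i for i in indicators if is_ip(i))
    domains = sorted(i for i in indicators if not is_ip(i))
    if fmt == "snort":
        rules, sid = [], sid_start
        for ip in ips:
            rules.append(f'alert ip $HOME_NET any -> {ip} any (msg:"TI indicator {ip}"; sid:{sid}; rev:1;)')
            sid += 1
        for d in domains:
            rules.append(f'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS '
                         f'(msg:"TI indicator {d}"; content:"{d}"; http_header; nocase; sid:{sid}; rev:1;)')
            sid += 1
        return "\n".join(rules)
    if fmt == "regex":
        return r"(?i)\b(?:" + "|".join(re.escape(d) for d in domains) + r")\b" if domains else ""
    if fmt == "json":
        return json.dumps({"ips": ips, "domains": domains}, sort_keys=True)
    raise ValueError(f"unknown format {fmt!r}")


if __name__ == "__main__":
    for (x, y), j in feed_overlap(FEEDS).items():
        print(f"{x:>9} vs {y:<9} jaccard={j:.2f}")
    for name, s in score_feeds(FEEDS, LOG_LINES).items():
        print(f"{name:>9}: size={s['size']} hits={s['hits']} hit_rate={s['hit_rate']:.2f}")
    print(render_for_control(FEEDS["vendorA"], "snort"))
```

On the constructed data the pairwise overlap is low (one sixth between the two "vendors"), which is the shape of result the talk attributes to the Black Hat analysis, while the hit-rate ranking puts the vendor whose indicators never show up in your own traffic at the bottom; that ranking, not feed size, is what should decide which source keeps being ingested.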