
Rob Gresham - This is not your Mommas Threat Intelligence

BSides Augusta, 23:03, published 2016-09
About this talk
Video from BSidesAugusta 2016.

Sir Rob Gresham, and I asked if there's, he had a special Russian, you like me too, yeah exactly, alma mater, so he's on. Please welcome Mr. Rob Gresham. Thanks. Just a little bit about me: I've been in South Carolina since 2006, I've done 26 years of military peace, I work for faust own services, which is a subset unit inside Maxie oriental security. I also work in the South Carolina Army National Guard, and you'll see a bunch of my guys here, letter malleable shirts on, with that little over over there. And here, I'm probably one of the few people on the face of the planet that still actually has an active Yahoo account, to have not

true transition to the golden, so unfortunately that's one of those pieces. What we're going to talk about today is threat intelligence from a perspective of what you guys normally do. For credibility: what I see in the industry from being part of the services, seeing what's going on in the private sector, and from what I've learned from those understandings. We're going to cover where what's threat hellboy, where are we now, what are we doing, and then go through the pieces of why is there a parallel universe to things that we've already done, and why are you eating at all, because a lot of things that we get a whole line and all these cool things, if we get to play with it

and one of the unique things, if we don't understand it, is there's a methodology for finding bad guys. Hunting isn't new, right? Hunting has been going on since the existence of man, and the reality is that this new sexy thing that we talk about, hunting, what is intelligence, right? Well, what your intelligence is now, present day, is exactly Mrs. Doubtfire, right? It's a fraud, it's a mistake, because the reality of threat intelligence, right, it's not hunting. Hunting isn't threat intelligence. It's not the agents' analytics, it's not indicators of popping off, it's numbers engineering, it's not any of these things. It's not reactive. It's a process, right? It's sexy, sort of, maybe, maybe not, right, for the requirement and

the proactiveness. Threat intelligence is what's lead, right? And there's three distinct levels from a military perspective that all transition to commercial. Senior leadership or members want to have strategic intelligence: they want to know not what's happening right now on my network, but how does it affect my procurement two to three years out. SOC operators want to know what's operational decision making: what do I need to make a decision now, where are my controls now, where are my tactical sensors, right? We have a process for analysis, right? Analysis, when we talk about machine learning, threat intelligence is a part of machine learning because it's a process in order to derive a different spray, and those

that's why machine learning and AI are all the buzz, because it removes the human. But the reality is, when you look at the email, God, you singing, when Rob says, you know what, I've seen honey us, I don't really feel for them in Isis, because there's too much of the say back. That's a gut and experience, then the best analyst is the one between your two ears, right? I could automate all the world; the analysts that do the best have the brain and thought process to look above the problem and start to build those products for TTPs, start to look at the INTs, right: the SIGINT, the MASINT and the OSINT, open source intelligence, signals

intelligence, measurement intelligence, geo intelligence, imagery intelligence. All these things are cool in the military space, but what do they mean to me mostly right now? Open source intelligence is key, because the actors in your space, they want to advertise, they want to talk about the stuff that they got, right? That's their motivation, right? Ransomware, motivated by greed, right? I want to make you pay for something. So we've got to understand this shared operational picture, whether it's contextual in our country, in our region, or even lower, our vertical, in our business. But the threats to a financial institution and the threats to an industrial control system are completely different spaces. So for you to sit here and stare at this

one picture. So for the ladies out there, here's something for you, right? The reality is, yeah, we can't be a male chauvinist up here in this predominantly male environment, right? Sometimes. But we really have to understand that this is for everybody. This threat, as long as P, you shared situational awareness for everybody. One of the things that you'll hear me bawling would it be is: free the data, right? Because data from my vendor, from fire, from silent, from pops, right, the one thing about BTW i that makes it awesome is there green today, they're giving everybody and puts in a piece to play the game, to be able to compete at the same level, because when

we talk about, later down the road, integrated adaptive cyber defense is an option, and it's something that we need to have. So, talking about this parallel universe and creating your thoughts of your own realities: one of the things that I love about Chris, Chris's talks, and the way he is going with psychology, is a lot of people tell me that it's 12, this is my reality, this is how I see, you don't understand my drift. That's exactly true, because perception is your reality, and that's really the problem, great for the solution, because every organization runs that reality they're on. When you're looking for the needle in a needle stack, when you're talking about parallel universes between

on terrorism in cyberspace something to me for the gold villages in a beast for the last year's on counterinsurgency operations of those of you know where they're at or media what is it asymmetrical were there all that's litigating cyberspace now the same moment of y'all solve all of us and holiday that kitty litter climb and the pants are going around in the ceiling creamy we're really looking at access the question is how meaningful what do we learn ask if we can travel to the future their social and hopefully is right okay mom look at it agus looking straight days looking at cyber crime you can see the same pattern hopefully or overly overlord most people if they're

looking at ready touch understand that when they start seeing interested there will be in Europe and the Middle East watched it up a bit uneasy first and then it will assess and United States and grows whether you're playing resile Rollo peel on different interval an eye on this so we have a bowl of you yeah for some reason right you need to say okay or Adams only way this is going to work so we talk about a team one of the things that I brought my team that made it kind of weird is that the analyst and operators doesn't really see I got military decided they were going to sit intelligence analyst no no Mary Liz

oxymoron me through this a little bit without always admitted into the responsible all the first time you did it what a fatal was I am I need videos animation so here's a little altered home before everything right onward overunity wasn't clean epic a day because I didn't let Amos do what they were good at and that is analyze what's going on so as we've all the next few years and the things that we did I leaned up with other operators that i've been i've been an army rainier online career and in my blood is employed a hobby and being part of that team ever and then tally does everybody know this puts cause there i got

one rubber ducky thing can somebody tell me a predominant Army Ranger that little [ __ ] that's me mom did it boys alive

things that I had a lot in Special Forces and the teams because i was also and i'm a radially kind of a bigger course and i could wring wait a minute but also i was like man here but he is that when you please eat the optimizing your boy one of these a lot is an inflatable people in the same space is going to have to bolt sab SE natalia name seal and a behalf 30 years you have different ollie and interscope but that's the same name is occurring and operations teams industry average variable is me and the street opportunity to get a bit some heavy rap way they buy a glob of it you like rude

behavior mendez rapper boolean song pretty fun even if so let me how he is that for how long but i didn't even a co-writer that's the environment they go well this all day createprocess video. The reality is that it singing setup, they need the capability of force protection, they needed a different skill set. Now the cool thing about either one of these teams: they both do similar missions and they both do separate missions, and those two mission sets make them epically cool when they work together, right? When you look at how bin Laden was taken and how that process works, who was doing what; when you look at Black Hawk Down, who was pulling the security so that the

other guys go in and do what they needed to do. The key is that we were together as a team; it's how we organize those teams in that team dynamic. So one of the things that we talk about in ops fusion and dynamics is that there has to be what people need, right? There's a give-and-take in this process. There's a relationship between the analyst and the operators, the guys that are actually running the systems, who are actually trying to go out and solve a prop, the security problem that's going out there. The analysts, the detailed information is relevant to their situation right now. You just can't give them an IP, a hash and a domain and expect them to solve world

hunger. It's not going to happen. They're not going to fix you in that grown, they're not going to be predictive, they're not going to be able to draw campanian end process. Do you have their own internal reconnaissance so that they didn't see things a little bit before grade? But who drives the reconnaissance process? Is it just the IRS's driver times, or is it the analyst looking at the train and trying to figure out how that network works, right? Because one of the talks of your class, shameless plug, we do classes, threat intelligence, it teaches the intelligence preparation of the battlefield, which is basically what every guy does, and apparently in this process, when he brought arrives to the environment, he

tried to find them to be training in that deterring process. What is important, like in raw station, what's important in the ICS system? I don't want them to get to it, and then I go work from that key terrain, work and I expand my security capability until I can find or make contact. Immunity never a joke them in different place these days, and the military law will apply in security operations and should apply in defending your networks, because is anybody protecting all the things? Has anybody got a security solution that detects all the users, all the equipment? Yeah, hi, you can break. The reality is you've got to do some things; the risk of something being compromised is obey. The question

is what can you learn, right? How can you drive any tactics and procedures that are actually occurring? How can you build on the skills and abilities, and when and where, right? Who has the authority to act when they need to? So what that fundamentally leads to: who provides what, or whom, right? Patterns, associations and awareness, and prediction capabilities is something that an analyst is supposed to do. They're supposed to study the threat. The point is, when they do that process and they own the threat, then they can give you the capability to understand what's really going on. They'll build a development over time. If you talk to, like, Paul Nelson, where they know what they're doing, because they're

seeing every day, piece by piece, how that cybercrime environment is affecting them and how they're transitioning, any different tool sets they're using, different capabilities, they're coming in from different angles, they're doing different techniques, all on the earth, all in the presence of trying to make some money. Try to motivate operators are really about surprise, speed and precision. What kind of conference, what kind of feedback mechanism from their analysis feeds back the analyst process and helps them go find more bad debts, right? And then the preventive process of overwhelming and protection. So as we come into a process, and this is what I'll share with you, is the methodology from the Special Forces teams, F3EAD, it's been

coined in different pieces in commercial; Optiv is using it, a couple of other companies are using it, offensive biggest one. But when I know what, starting an open source research and the people that are actually talking about F3EAD, which is find, fix, finish, analyze, slowly sunny. What I long is that Hannah Singh and operated one in it and above all honey operator and one of them true that how they are experiences promise, right? You talk about the Air Force's model, the OODA loop, and was observe, orient, decide, right? This is a software or psychologist of inversions and inside that liver SS in the pit like usual process [ __ ] major some online contact with buffer for things think I

want you to see as far as out at once why am I starting outside right oh my gosh I night within my salary and I'm back in bed nah I know how to hold up this is inhuman a certain right okay there's a vertical change there's a minor pack huh there's mean Zack cycles there's fine model home every time all those in still and I'm still the same step easy process okay so I'm just go here you know together with a fly and fly out about the world's oldest so I will give a lock pick for the best costume all right the reality of the situation really matters how you perceive it so when you look at

and you're trying to find the bad guys, you've got to understand the context of that environment to find it, right? You've got to go after those high value and identifications, and then focus your sensors and locate the enemy where you want to find them, right? And then fixate on them. Once you go through the fixation process, you're going to try and maintain a track on them, right? Whether you're doing it in open source and you're tracking a campaign from multiple vendors and multiple capabilities, or you're working with Proofpoint or some other product vendor that is providing you extended or enhanced threat intelligence capabilities, you want to be able to track the programs, because really attackers are really on for

motivation, sirens, and that's really the key, right? The first one, nation states: you want to keep slow, low and slow. They want to be able for you not to see them until they're ready for you to see them, right? Cybercrime is all about the money: I got to make money, right? Activists, they want to demand that you do something that forwards their cause. Script kiddies want notoriety. When you look at the motivation, and you can reduce your risk to motivation, then you can move to a finish, right? And you can contain and eradicate that capability or reduce your risk, right? And then you can refocus your sensors to go even smaller. But you have to be able to look

at it from that perspective, and that's when you start to deliver a security model, a security capability that gets you there. And then exploit: use what you've learned and share that picture, target their actions, look at exploitation, share that with other people, so that when you disseminate it, everybody learns on the same process. Dissemination can happen internally and externally. Start small and grow big. You get to a point where you can manage all of the things, but if you don't care about what's important, when we talk about pointing a gun at the composer's, in preparation of the battlefield you have to focus on the key terrain. You have to focus on the things that are

important, that make that mission run. So look at your business and what makes your business run. A prime example: a lot of people want to protect the web servers, they want it, and I'm going to beat on David a little bit, but you want to protect the web server, right? That's great, that's awesome, but where's the data? Where's the stuff that the actor wants? It's not on the web server, it's in the database. So maybe you point at the database and you do those controls there. So as we're moving forward, we want to enhance, integrate and orchestrate. We want to enhance the information that we're looking at, we want to integrate all our information across our systems

and then orchestrate our response mechanisms, right? You want to use those honeypots and those sandboxes to forward the information, the indicators that they find, to other security devices. This is the essence of integrated adaptive cyber defense. Johns Hopkins did include with the several tool sets that are in industry right now that you can do this best of free, and that's great. You can do it with a single, with a few single vendors; it just depends on how you want to go about the process. But if you can't orchestrate these processes you're not going to get efficient. IT is spending more time and energy on the systems that they're keeping available than they're doing to prevent the

systems. It's half the team running to security than there is to keep it running on a day to day basis. So my challenge to you is only the strong will survive. If you, you know, wax on, wax off, right? You've got to rinse, lather, repeat, and some of the best security operators I know take it out of the shower on a regular basis because they keep doing the basics, right? They rinse, lather, keep doing it over and over. You know how tall you have to be to ride this ride. It is a maturity process, right? Start small, work, get good at what you're doing, focus on automating the response mechanisms. Ransomware is a particular

type of threat: learn how to mitigate it in your environment, shrink the availability to it, and respond, right? This is more of a people, process and technology and buying processes; those processes, when used with technology, make them, maybe, more people effective. With technology is where we're going; that's why machine learning is there. So my last thing, and the last thing I want to carry with you before I do a mic drop, pretty much because I think I'm out of time: hunt what matters and automate everything else. If you can take that away, here's my Twitter handle. Follow me if you choose; if not, you can heckle it, happen me, like my crew back here, to see

them around. Okay, I've been lucky so far. Thank you, and appreciate it.