The New ROI: Results Oriented Intel

David Amsler, Founder
Foreground Security
• Dedicated security services firm
• Founded in 2000 with offices in Florida, Virginia, and Maryland
• Federal and commercial clients
• Specializing in Advanced Hunting, Security Operations, Assessment, and Response
• RSA Certified MSSP & only Level 3 ASN certified partner in the US
Threat Intelligence
What is Threat Intelligence (TI)?
Definition: Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
Source: https://www.gartner.com/doc/2487216/definition-threat-intelligence
What is Threat Intelligence (TI)?
• Unless you have an explicit intelligence operations mission, threat intelligence is not a product by itself; it is an enabler
• Not all intel is created equal, but that isn't necessarily a bad thing
Threat Intelligence Market
Important Questions
• Are you interested in intelligence or indicators? (One provides context, the other does not.)
• How "wide of a net" do you want to cast for intelligence?
• Are all threats equally important to you?
• How will you operationalize your intel?
Operationalizing Threat Intelligence
Operations
• Metrics are key – constantly re-assess value
• Know your tool limitations; for example, what good are full-path indicators if your APIs don't support them?
• Know your threats; are you really interested in knowing all addresses that once may have hosted a spam domain?
• Managing intelligence is a full-time job, but it should not be independent of analysis/detection operations
Intelligence vs. Indicators
Detailed intelligence records with full context vs. individual information records (e.g. domains) with no context
Intelligence vs. Information
Individual information records (e.g. domains) with no context
TI Formats
• Plain text list
• Comma separated value (CSV) list
• Email body
• Extensible markup language (XML) file
• Web page
Formats = Parsers
TI Frameworks
• OpenIOC
• IODEF
• VERIS
• STIX
• CybOX
STIX Architecture
Threat Intelligence Life Cycle
Threat Intel Life Cycle
Case Studies
Case Study – Phishing Email
From Indicators to TTPs
Indicators: Valuable, but usually not for long; easy for an attacker to modify
Case Study – Phishing Email
From Indicators to TTPs
[Diagram: Executive, Admin Assistant, Admin Assistant, Command and Control]
TTPs: Harder for an attacker to change; can be derived from macro-level analysis.*
*Google Bianco's "Pyramid of Pain"
Case Study – System Compromise
Drive-by exploit is served to unsuspecting user
Case Study – Investigation
Malware identified and extracted
Static Analysis
• File name
• File type
• File size
• File hashes
• Strings
Dynamic Analysis
• API/library calls
• Processes created
• File activity
• Registry activity
• Network activity
Base (1st Degree) Indicators
Case Study – Research
Registrant Details
IP Addresses
Netblock Owner
ASN
Domains
Email Header Data
Pivot from base (1st degree) indicators to identify additional current campaign or future campaign indicators
Case Study – Research
Base/Pivot Indicators + Techniques, Tactics, & Procedures (TTPs)
Threat Actor Attribution = Campaign Identification
Case Study – Management
Threat Intel Sources
• Normalization
• Deduplication
• Tagging
• Ranking
• Weighting
Threat Intel Storage
Case Study – Application
Option 1: Manual application of threat intelligence via rules/custom content
Option 2: Automated application of threat intelligence through intelligent broker/Live/API
Security Controls
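The management and application steps above as a small pipeline, added here as an example and not taken from the presentation or from Foreground Security's tooling: two constructed feeds in two of the formats listed earlier (plain text and CSV) are normalized, deduplicated, tagged by source, weighted and ranked, and indicator types the downstream control cannot consume (for example full-path URLs when the API only accepts hosts and IPs) are dropped before application. The feed names, the confidence values and the per-type weights are assumptions.

```python
import csv
import io
from collections import defaultdict
# Constructed sample feeds (not real indicators): a plain-text list and a CSV.
PLAIN_FEED = """# Feed A: one indicator per line, no context
Evil.Example.
203.0.113.7
http://evil.example/path/dropper
"""
CSV_FEED = """indicator,type,source_confidence
evil.example,domain,80
203.0.113.7,ipv4,60
198.51.100.9,ipv4,40
"""
# Pyramid-of-Pain style weights (assumed values): harder-to-change types score higher.
TYPE_WEIGHT = {"ipv4": 1, "domain": 2, "url": 3}

def classify(value):
    """Infer the indicator type from its shape (simple heuristic)."""
    if value.startswith(("http://", "https://")):
        return "url"
    parts = value.split(".")
    return "ipv4" if len(parts) == 4 and all(p.isdigit() for p in parts) else "domain"

def ingest(plain_text, csv_text):
    """Normalize, deduplicate and tag records from the two feed formats."""
    records = defaultdict(lambda: {"sources": set(), "confidence": []})
    def add(value, source, confidence):
        # Normalization: case-fold and drop a trailing dot so 'Evil.Example.' merges with 'evil.example'
        rec = records[value.strip().lower().rstrip(".")]
        rec["sources"].add(source)           # tagging with the originating feed
        rec["confidence"].append(confidence)
    for line in plain_text.splitlines():
        if line and not line.startswith("#"):
            add(line, "feed_a", 50)  # feed A publishes no confidence; assume 50
    for row in csv.DictReader(io.StringIO(csv_text)):
        add(row["indicator"], "feed_b", int(row["source_confidence"]))
    return records

def rank(records, supported_types):
    """Weight each indicator and drop types the downstream control cannot consume."""
    ranked = []
    for value, rec in records.items():
        itype = classify(value)
        if itype not in supported_types:
            continue  # e.g. full-path URLs when the control's API only takes hosts/IPs
        confidence = sum(rec["confidence"]) / len(rec["confidence"])
        score = confidence * TYPE_WEIGHT[itype] * len(rec["sources"])  # corroboration bonus
        ranked.append((value, itype, sorted(rec["sources"]), round(score, 1)))
    return sorted(ranked, key=lambda r: r[3], reverse=True)
```

Indicators seen in both feeds rise to the top, and the URL with a full path is held back until a control that can consume it is in scope.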
Automated Threat Intelligence Platform: ATIP
Case Study – Application and Hunting
Manual or automated hunting is performed
Threat Intelligence is applied to controls
Other Tools
Historical and ongoing compromises are identified
Metrics
In Summary
Questions?
• David Amsler, President & Founder
• [email protected]
• www.foregroundsecurity.com