Threat Intelligence Awakens
Rick Holland (Kylo Rick) @rickhholland, VP Strategy
#CTISummit #CTIAwakens
A long time ago in CTI Summits far, far away
Recognizing previous work
Episode Derp
Sienar Fleet Systems
Threat intelligence: Providers, Platforms, Enrichment, Integration
Many Bothan spies died to bring us this information (Providers)
Providers
· Pyramid of Pain is painful for threat intel providers too
· Relevancy is hard
· Tactical, Operational, Strategic providers
This isn't a one-stormtrooper-fits-all scenario
A TIP should make intel flow like The Force
· Threat intelligence should surround us and bind our security programs together; TIPs should enable this
· Gross misuse of the term "platform"
· Answering the relevancy question is a huge opportunity for TIPs
Emerging TIP functional areas
· Ingestion
· Enrichment
· Analysis/Exploration
· Collaboration
· Integration/Orchestration
Sharing alone does not a platform make
Enrichment is delivered to the analyst (Force pull)
Enrichment sources
· Passive DNS (Farsight)
· WHOIS (DomainTools)
· Infrastructure (PassiveTotal)
· Malware (VirusTotal)
· GeoIP (MaxMind)
Take a look in the mirror
We need to start focusing more efforts on internal enrichment sources:
· Identity
· Asset
· Data value
· Vulnerabilities
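An added example (not from the talk) of what internal enrichment buys you: the same external indicator is scored against the asset, identity, data-value and vulnerability context of the internal host that touched it, so relevancy is answered per host rather than per feed. Every lookup below is a constructed, in-memory stand-in for the external sources named above and for internal inventories; the hostnames, scoring weights and priority thresholds are assumptions for illustration, and the IPs come from the RFC 5737 documentation range.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed stand-ins for external enrichment responses (no network calls).
PASSIVE_DNS = {"update-cdn.example": ["203.0.113.10", "203.0.113.11"]}
WHOIS = {"update-cdn.example": {"created": date(2016, 1, 20)}}
GEOIP = {"203.0.113.10": "ZZ", "203.0.113.11": "ZZ"}  # "ZZ": unknown / user-assigned

# Constructed internal enrichment sources: asset inventory, identity, vulnerability findings.
ASSETS = {
    "10.20.30.40": {"hostname": "fin-db-01", "criticality": "high", "data_value": "payment-card"},
    "10.20.31.7": {"hostname": "kiosk-lobby-2", "criticality": "low", "data_value": "none"},
}
IDENTITIES = {
    "10.20.30.40": {"user": "dba-svc", "privileged": True},
    "10.20.31.7": {"user": "guest", "privileged": False},
}
OPEN_CRITICAL_VULNS = {"10.20.30.40": 2}  # count of unpatched critical findings per host


@dataclass
class Dossier:
    indicator: str
    internal_host: str
    external: dict = field(default_factory=dict)
    internal: dict = field(default_factory=dict)
    score: int = 0
    reasons: list = field(default_factory=list)


def enrich(domain: str, internal_ip: str, today: date = date(2016, 2, 1)) -> Dossier:
    """Build a dossier for 'internal_ip contacted domain': external context first, then internal."""
    d = Dossier(indicator=domain, internal_host=internal_ip)

    # External: passive DNS resolutions, GeoIP of those resolutions, WHOIS domain age.
    ips = PASSIVE_DNS.get(domain, [])
    d.external["resolutions"] = ips
    d.external["countries"] = sorted({GEOIP.get(ip, "??") for ip in ips})
    who = WHOIS.get(domain)
    if who:
        age = (today - who["created"]).days
        d.external["domain_age_days"] = age
        if age < 30:  # assumed heuristic: freshly registered domains score up
            d.score += 2
            d.reasons.append(f"domain registered {age} days ago")

    # Internal: what the host is, who is on it, what it holds, how exposed it is.
    asset = ASSETS.get(internal_ip, {})
    ident = IDENTITIES.get(internal_ip, {})
    vulns = OPEN_CRITICAL_VULNS.get(internal_ip, 0)
    d.internal = {"asset": asset, "identity": ident, "open_critical_vulns": vulns}
    if asset.get("criticality") == "high":
        d.score += 3
        d.reasons.append("high-criticality asset")
    if asset.get("data_value") not in (None, "none"):
        d.score += 2
        d.reasons.append(f"holds {asset['data_value']} data")
    if ident.get("privileged"):
        d.score += 2
        d.reasons.append(f"privileged identity {ident['user']}")
    if vulns:
        d.score += min(vulns, 3)  # cap so the vulnerability count cannot dominate
        d.reasons.append(f"{vulns} open critical vulnerabilities")
    return d


def priority(d: Dossier) -> str:
    """Assumed thresholds: score >= 6 is high, >= 3 medium, otherwise low."""
    if d.score >= 6:
        return "high"
    if d.score >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    for host in ("10.20.30.40", "10.20.31.7"):
        d = enrich("update-cdn.example", host)
        print(host, priority(d), d.score, d.reasons)
```

The external half of the dossier is identical for both hosts; only the internal half separates the payment-card database from the lobby kiosk, which is the point of looking in the mirror before buying another feed.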
Integrating threat intelligence today is a bit like watching Episodes 1, 2, and 3 repeatedly
Integration
· Many APIs are weak (or non-existent)
· We DoS our own controls by pushing more indicators into them than they can handle
· TIPs and the emerging orchestration/automation players are trying to solve this
THREAT INTELLIGENCE OPERATIONS
There's too many of them! Indicators of Exhaustion
Rey is a scavenger
· Before you invest in any commercial provider, you must maximize your own intrusions
· Collect indicators & build dossiers
· No threat intel is more relevant than what is occurring within your own environment
> 35 years? And you've never fired a bowcaster? Really?
The ship that made the Kessel Run in fourteen twelve parsecs
She may not look like much, but she's got it where it counts
· You don't need the best technology and most expensive intel sources to be effective
· You probably will never have a fusion center, but you can make threat intelligence work
· The Millennium Falcon approach (DIY / open source tools) is perfectly acceptable
Collaborate, find your Bros
Collaborate, don't just share IOCs
· For most, sharing is putting the cart before the horse
· Share processes & tradecraft
· Share cool leather jackets
Spawn camping
Camp on your adversaries
· Segment the network
· Adversaries will re-spawn; funnel them to make hunting scalable
ANALYSTS
That's all she is, yes. A scavenger from that inconsequential Jakku.
Fear leads to anger. Anger leads to hate. Hate leads to poor analysis.
Avoid analytical pitfalls
Daniel Kahneman reveals "where we can and cannot trust our intuitions and how we can tap into the benefits of slow thinking."
Check out: cyintanalysis.com
Avoid analysis paralysis
· Actionable intelligence must be timely
· Don't spend so much time performing analysis that timeliness suffers
· Ask yourself: What Would Han Solo Do (WWHSD)?
This can take too long
I never answer that question until after I've done it.
Easier to track down Luke than to hire intel analysts?
Not enough analysts to go around
· Many are going to have to rely upon intel providers and MSSPs for support
· Look at providers who offer analysts on demand or tailored intelligence offerings
You need threat intel younglings
Retention is critical
Maturity doesn't just evolve, it can devolve. You must be creative with retention strategies:
· Remote workers
· Training (individual & team)
· Career pathing
· Work with HR to create salary exceptions
I'VE GOT A BAD FEELING ABOUT THIS
Many intel programs are set up for failure
· Buy Buy Buy! Chasing silver bullets
· Buy all the feedz!
· Not prepared to demonstrate the value of the threat intelligence program
Do this
· Conduct after action reviews post intrusion and capture intelligence
· Measure and track: time to detection, containment, remediation
· Analyze all intel sources and track sightings; periodically reevaluate sources
· Produce your own strategic intelligence
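An added example (not from the talk) of the "Do this" list in code: after-action records become time-to-detection, containment and remediation metrics, and each intel source is re-evaluated by how many of its indicators were actually sighted in your environment and how many of those no other source supplied. This also illustrates the earlier scavenger point, since the indicators collected from your own intrusions are the ones with the highest hit rate. The incident records, feed contents and sighting counts are constructed; the .example indicators, the 50% hit-rate threshold and the decision to measure containment and remediation from detection rather than from first activity are assumptions.

```python
from datetime import datetime
from statistics import median

# Constructed after-action records (ISO-8601 timestamps); not real incidents.
INCIDENTS = [
    {"id": "IR-01", "first_activity": "2016-01-04T09:00", "detected": "2016-01-06T10:30",
     "contained": "2016-01-06T14:00", "remediated": "2016-01-08T17:00"},
    {"id": "IR-02", "first_activity": "2016-01-11T00:00", "detected": "2016-01-11T06:00",
     "contained": "2016-01-11T07:00", "remediated": "2016-01-11T19:00"},
    {"id": "IR-03", "first_activity": "2016-01-18T12:00", "detected": "2016-01-25T12:00",
     "contained": "2016-01-26T00:00", "remediated": "2016-01-29T00:00"},
]

# Constructed intel sources (indicator sets) and internal sightings (indicator -> hit count).
SOURCES = {
    "feed-a": {"a1.example", "a2.example", "a3.example", "a4.example", "shared.example"},
    "feed-b": {"b1.example", "b2.example", "shared.example"},
    "own-intrusions": {"own1.example", "own2.example", "own3.example"},
}
SIGHTINGS = {"shared.example": 4, "b1.example": 1,
             "own1.example": 3, "own2.example": 2, "own3.example": 1}


def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def response_metrics(incidents):
    """Time to detection is measured from first adversary activity (dwell time);
    containment and remediation are measured from detection so the three do not overlap."""
    ttd = [_hours(i["first_activity"], i["detected"]) for i in incidents]
    ttc = [_hours(i["detected"], i["contained"]) for i in incidents]
    ttr = [_hours(i["detected"], i["remediated"]) for i in incidents]
    return {
        "incidents": len(incidents),
        "median_time_to_detection_h": median(ttd), "worst_time_to_detection_h": max(ttd),
        "median_time_to_containment_h": median(ttc), "worst_time_to_containment_h": max(ttc),
        "median_time_to_remediation_h": median(ttr), "worst_time_to_remediation_h": max(ttr),
    }


def evaluate_sources(sources, sightings, min_hit_rate=0.5):
    """Per source: hit rate (fraction of its indicators ever sighted internally) and unique
    contribution (sighted indicators no other source supplied). A source is kept if it
    contributes something unique or clears the assumed hit-rate threshold."""
    report = {}
    for name, indicators in sources.items():
        others = set().union(*(s for n, s in sources.items() if n != name))
        sighted = {i for i in indicators if i in sightings}
        hit_rate = len(sighted) / len(indicators) if indicators else 0.0
        unique = sighted - others
        report[name] = {
            "indicators": len(indicators),
            "sighted": len(sighted),
            "hit_rate": round(hit_rate, 2),
            "unique_sighted": len(unique),
            "keep": bool(unique) or hit_rate >= min_hit_rate,
        }
    return report


if __name__ == "__main__":
    for k, v in response_metrics(INCIDENTS).items():
        print(f"{k}: {v}")
    for name, row in evaluate_sources(SOURCES, SIGHTINGS).items():
        print(name, row)
```

Track the medians and the worst case side by side: a single long-dwell intrusion disappears in an average but is exactly the number an after-action review should surface. In the source report, feed-a is sighted only through an indicator feed-b also carries, which is the kind of overlap you only discover by tracking sightings rather than feed volume.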
Avoid this
Previous public work
· SANS CTI Summit 2013: If It Bleeds We Can Kill It
· SANS CTI Summit 2014: Threat Intelligence Buyers Guide
· SANS CTI Summit 2015: State of Cyber Threat Intelligence Address
· RSA Conference 2015: Threat Intelligence is Like Three Day Potty Training
Thank you!
@rickhholland