USMC Veteran – 2651 Secure Comms/Intel SysAdmin +14 Years in Information Technology/Security Specialties: Incident Response/Forensics Threat Intelligence.

Threat Intel CapabilityKick Start

- Matt Nelson

Quick Bio

USMC Veteran – 2651 Secure Comms/Intel SysAdmin+14 Years in Information Technology/Security

Specialties:• Incident Response/Forensics• Threat Intelligence• Offensive Security

$dayjob = Senior Malware & Threat Intel Analyst$sidejob = AdroitSec LLC – Principal/Consultant

What we’ll cover..

What Threat Intel is / does Managing Threat Intel Implementing Threat Intel Threat Intel & IR integration Threat Intel sharing

What is Threat Intel?

What your boss thinks Threat Intel is:

What your Threat Intel probably is:

Or…

Business Intelligence

“Business intelligence (BI) is the set of techniques and tools for the transformation of raw data into meaningful and useful information for business analysis purposes.”

What is Threat Intel (TI)?(depends on who you ask)

“Details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats.”

- Forrester

“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”

-Gartner

Threat Intel (TI) = Strategic:

Context Motivations Capabilities Implications Actionable Advice

Operational: Context Mechanisms Indicators Tactics Techniques Procedures

Aspects of Threat Intel

Aspects: Outside Inside Inside > Out

Sources of Threat Intel

Internal:• Logs• Network• Endpoints • Malware Analysis• Phishing Emails• Past incidents

Industry Sharing Groups• ISACs (Ag, IT, Financial,

etc.) Government

• US-CERT, FBI, etc. Org to Org partnerships Vendors (data /

analysis) Open Source

Threat Data or Threat Intel?

Indicators of Compromise• IPs• Hashes• Names• Etc..

Threat Feeds Etc. .

Etc.

Feeds

IOCs

Threat Data

Pyramid of Pain – David Bianco

Threat Intel Analysis

Analysis of: • Internal Intel• Threat Data

• External Intel Analysts analyze Automation and analytics can increase effectiveness

Analysis

Etc.

Feeds

IOCs

What differentiates Threat Intel / Data?

CONTEXT

Context (via analysis)

Target victim(s)• Size• Victim type

Targeted or Spray Malware• Custom or commodity

Remove context and it is just data…

Other orgs Target vertical Tools/Tactics/

Procedures Intent of attack• Passwords/Credentials

• Configurations

Caveat: External Analysis

Supplemental Still requires analysis Application of context

What Threat Intel Does

Situational Awareness

Strategic: Risk Management Vulnerability

Management Threat Modeling

Situational Awareness

Tactical: Proactive/Reactive IR Threat

Communications Breach Discovery

Prevention

Detection

Managing Threat Intel

Day in the life…

Analyst

Malware Analysis

Incident Response Course of Action

Open Source

Analysis

Email Analysis

Protocol Analysis

SIEM

Data Correlation

Asset Tracking

Executive Briefs

Attack Vector

Mitigating Controls

Shared Threat

Intelligence

AttackerTTPs

H/T: ThreatConnect

Threat Intel Platform (TIP)

Organization of threat data Contextualize threat data Draw relationships Historical Perspective Automate in parallel with other tools

Threat Intel Platform (TIP)

Open Source:• CRITs• Soltra• MANTIS• Etc.

Commercial:• ThreatConnect• ThreatStream• RecordedFuture• Etc.

Implementing Threat Intel

Component of bigger strategy Parallel/Integral to other capabilities

Place it properly

Threat Intel as Component/Program

Threat Intel could be it’s own “Program”

Threat Intel

Program

OSINT

Threat Research

External Intelligence Services

ISACs

Firewall

IPS/IDS

Web Gateway

Anti-Virus

HIDs/HIPs

DLP

Network

Endpoint

SIEM

Detection &

Response

Governance /

Resistance

Implementing Threat Intel

Define the goals of TI for the organization.

Define how you will leverage TI to accomplish those goals.

Make it “Actionable”

Realize that threat TI is 80% internal 20% external

(relative to your business)

Actionable Intelligence Analysis

Know your: Assets Infrastructure Personnel Business operations Weaknesses/Entry Points

Actionable Intelligence Analysis

Know: How to apply threat intel (or not) Where to apply (capabilities) How & who to communicate to

May not be a “technical” application

Actionable Intelligence Application(Tactical)

Apply to Infrastructure: SIEM/Log Management Network Security Monitoring Firewalls Proxies Mail Gateways Training/Communication

Actionable Intelligence Application(Strategic)

Apply to security program:

Org Threat Modeling Risk Management Security Planning

Integration:Threat Intel & Incident Response

"A shiny threat intel capability without a mature IR capability is like putting a big ole fancy spoiler on a stock 4 cyl Dodge Neon.“

- @mattnels

Proactive vs. Reactive IR

Hunting for breaches / incidents / anomalies Identifying avenues of attack and addressing Detecting shifts of attack

•Visibility• SIEM/Logs•Network•Hosts•Threat Intel

•Analysis•Verification•Containment•Remediation•CSIRT

• Security reviews• Identity mgmt• Security design/reqs•Vuln Mgmt• Security Operations

•Policy•Risk Management• Security program design•Compliance Reporting•Audit

Resist

DetectIR

Plan

Ops

IR

Active Cyber Defense Model

Threat Intelligence

Consumption

Asset Classification and

Security Monitoring

Incident Response

Threat & Environment Manipulation

Source: RecordedFuture.com – Robert Lee

TI/IR Focal Points

• Logs• Network• Endpoint • Threat Intel

Focal points:Logs

Network

Threat Intel

Endpoint

Kill Chain & Focal Points

Logs

Network

Endpoint

Threat Intel

Threat Intel

Threat Intel

ReconWeaponizati

on DeliveryExploitatio

nC2 Exfiltration

Threat Intel Sharing

Advantages of Sharing

Benevolence:• Greater Good

Self-Interested:• Give some to get some

Scope, Relevancy, Context, Breadth, Capabilities

Ways to share

Vertical/Industry sharing groups• ISACs (Ag, IT, Financial, Edu, etc.)

Government• US-CERT, FBI Infragard, etc.

Org to Org partnerships Vendor(s)

Sharing Strategy

Define a sharing strategy (TLP class)

Sanitize Targeted sharing No regurgitation (unique data)

Ingestible, concise/clear

Wrap-up

Define your goals Collect relevant TI Analysis / Context Make Actionable/apply it

Share your Intel

Questions?

Contact info:

Email: [email protected]

Twitter: @mattnels