Threat Intel Capability Kick Start - Matt Nelson
Dec 16, 2015
Quick Bio
USMC Veteran – 2651 Secure Comms/Intel SysAdmin
14+ Years in Information Technology/Security
Specialties:
• Incident Response/Forensics
• Threat Intelligence
• Offensive Security
$dayjob = Senior Malware & Threat Intel Analyst
$sidejob = AdroitSec LLC – Principal/Consultant
What we’ll cover…
• What Threat Intel is / does
• Managing Threat Intel
• Implementing Threat Intel
• Threat Intel & IR integration
• Threat Intel sharing
What is Threat Intel?
What your boss thinks Threat Intel is:
What your Threat Intel probably is:
Or…
Business Intelligence
“Business intelligence (BI) is the set of techniques and tools for the transformation of raw data into meaningful and useful information for business analysis purposes.”
What is Threat Intel (TI)? (depends on who you ask)
“Details of the motivations, intent, and capabilities of internal and external threat actors. Threat intelligence includes specifics on the tactics, techniques, and procedures of these adversaries. Threat intelligence's primary purpose is to inform business decisions regarding the risks and implications associated with threats.”
- Forrester
“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.”
-Gartner
Threat Intel (TI) =
Strategic:
• Context
• Motivations
• Capabilities
• Implications
• Actionable Advice
Operational:
• Context
• Mechanisms
• Indicators
• Tactics
• Techniques
• Procedures
Aspects of Threat Intel
Aspects:
• Outside
• Inside
• Inside > Out
Sources of Threat Intel
Internal:
• Logs
• Network
• Endpoints
• Malware Analysis
• Phishing Emails
• Past incidents
External:
• Industry Sharing Groups – ISACs (Ag, IT, Financial, etc.)
• Government – US-CERT, FBI, etc.
• Org to Org partnerships
• Vendors (data / analysis)
• Open Source
Threat Data or Threat Intel?
Threat Data:
• Indicators of Compromise – IPs, Hashes, Names, etc.
• Threat Feeds
• Etc.
Feeds, IOCs, etc. = Threat Data (not yet Threat Intel)
Pyramid of Pain – David Bianco
Threat Intel Analysis
Analysis of:
• Internal Intel
• Threat Data
• External Intel
Analysts analyze; automation and analytics can increase effectiveness
Feeds, IOCs, etc. → Analysis
What differentiates Threat Intel / Data?
CONTEXT
Context (via analysis):
• Target victim(s) – size, victim type
• Targeted or spray
• Malware – custom or commodity
• Other orgs
• Target vertical
• Tools/Tactics/Procedures
• Intent of attack – passwords/credentials, configurations
Remove context and it is just data…
Caveat: External Analysis
• Supplemental
• Still requires analysis
• Application of context
What Threat Intel Does
Strategic:
• Situational Awareness
• Risk Management
• Vulnerability Management
• Threat Modeling
Tactical:
• Situational Awareness
• Proactive/Reactive IR
• Threat Communications
• Breach Discovery
• Prevention
• Detection
Managing Threat Intel
Day in the life…
Analyst activities (H/T: ThreatConnect):
• Malware Analysis
• Incident Response Course of Action
• Open Source Analysis
• Email Analysis
• Protocol Analysis
• SIEM
• Data Correlation
• Asset Tracking
• Executive Briefs
• Attack Vector
• Mitigating Controls
• Shared Threat Intelligence
• Attacker TTPs
Threat Intel Platform (TIP)
• Organization of threat data
• Contextualize threat data
• Draw relationships
• Historical Perspective
• Automate in parallel with other tools
Threat Intel Platform (TIP)
Open Source:
• CRITs
• Soltra
• MANTIS
• Etc.
Commercial:
• ThreatConnect
• ThreatStream
• RecordedFuture
• Etc.
Implementing Threat Intel
• Component of bigger strategy
• Parallel/Integral to other capabilities
• Place it properly
Threat Intel as Component/Program
Threat Intel could be its own “Program”
Threat Intel Program:
• OSINT
• Threat Research
• External Intelligence Services
• ISACs
Detection & Response:
• Network – Firewall, IPS/IDS, Web Gateway
• Endpoint – Anti-Virus, HIDS/HIPS, DLP
• SIEM
Governance / Resistance
Implementing Threat Intel
• Define the goals of TI for the organization.
• Define how you will leverage TI to accomplish those goals.
• Make it “Actionable”
• Realize that TI is 80% internal / 20% external (relative to your business)
Actionable Intelligence Analysis
Know your:
• Assets
• Infrastructure
• Personnel
• Business operations
• Weaknesses/Entry Points
Actionable Intelligence Analysis
Know:
• How to apply threat intel (or not)
• Where to apply (capabilities)
• How & who to communicate to
May not be a “technical” application
Actionable Intelligence Application (Tactical)
Apply to Infrastructure:
• SIEM/Log Management
• Network Security Monitoring
• Firewalls
• Proxies
• Mail Gateways
• Training/Communication
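The tactical application above (pushing indicators into SIEM/log management and network monitoring), together with the earlier point that an indicator without context is just threat data, as an added Python example that is not part of the slides. The indicator fields, the scoring weights, the proxy log format and every sample value are assumptions constructed for illustration (RFC 5737 documentation addresses and .example domains).

```python
# Added example, not from the slides: the same indicators handled as bare
# threat data (a match list) and as threat intel (matches triaged by the
# context that analysis attached to them), run over constructed proxy logs.
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    """One observable plus the context that turns it from data into intel.
    All field names are assumptions for this example."""
    value: str            # the observable (IPv4 address or domain)
    kind: str             # "ip" or "domain"
    targeted: bool        # seen in targeted activity rather than a spray campaign
    custom_malware: bool  # custom tooling rather than commodity malware
    target_vertical: str  # vertical the activity has been observed against
    ttp: str              # what the adversary uses the observable for


# Constructed sample intel (RFC 5737 documentation address, .example domain).
INDICATORS = [
    Indicator("203.0.113.45", "ip", True, True, "financial", "C2 beacon over HTTPS"),
    Indicator("malicious.example", "domain", False, False, "any", "commodity phishing landing page"),
]

# Constructed proxy log lines; the internal 10.0.5.0/24 source addresses are made up.
PROXY_LOGS = [
    "2015-12-16T10:01:02Z src=10.0.5.17 dst=203.0.113.45 host=- action=ALLOW bytes=4821",
    "2015-12-16T10:02:11Z src=10.0.5.22 dst=198.51.100.9 host=malicious.example action=ALLOW bytes=1204",
    "2015-12-16T10:03:45Z src=10.0.5.30 dst=198.51.100.10 host=intranet.example action=ALLOW bytes=77",
]

LOG_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) host=(?P<host>\S+)")


def parse_log(line):
    """Return the src/dst/host fields of one proxy line, or None if it does not parse."""
    m = LOG_RE.search(line)
    return m.groupdict() if m else None


def _matches(ind, fields):
    # IP indicators are compared against the destination, domains against the Host header.
    return fields["dst"] == ind.value if ind.kind == "ip" else fields["host"] == ind.value


def bare_hits(logs, indicators):
    """Threat *data* view: which indicator values were seen. Nothing here says
    what a hit means or which one to look at first."""
    seen = set()
    for line in logs:
        fields = parse_log(line)
        if fields is None:
            continue
        seen.update(ind.value for ind in indicators if _matches(ind, fields))
    return seen


def priority(ind, our_vertical):
    """Threat *intel* view: the context fields decide how urgent a hit is.
    The weights are an assumption chosen for this example."""
    score = 1
    if ind.targeted:
        score += 2
    if ind.custom_malware:
        score += 1
    if ind.target_vertical == our_vertical:
        score += 1
    if score >= 4:
        return "high"
    return "medium" if score >= 2 else "low"


def contextual_hits(logs, indicators, our_vertical):
    """Alerts carrying the context an analyst needs: which internal host talked
    to the indicator, what the adversary does with it, and how urgently to act."""
    alerts = []
    for line in logs:
        fields = parse_log(line)
        if fields is None:
            continue
        for ind in indicators:
            if _matches(ind, fields):
                alerts.append({
                    "src": fields["src"],
                    "indicator": ind.value,
                    "ttp": ind.ttp,
                    "priority": priority(ind, our_vertical),
                })
    return alerts


if __name__ == "__main__":
    print("data:", sorted(bare_hits(PROXY_LOGS, INDICATORS)))
    for alert in contextual_hits(PROXY_LOGS, INDICATORS, "financial"):
        print("intel:", alert)
```

Both functions see the same two hits; only the second one tells the analyst that the finance workstation's beacon to a targeted C2 address matters more than a commodity phishing domain, which is the difference the slides draw between threat data and threat intel.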
Actionable Intelligence Application (Strategic)
Apply to security program:
• Org Threat Modeling
• Risk Management
• Security Planning
Integration: Threat Intel & Incident Response
“A shiny threat intel capability without a mature IR capability is like putting a big ole fancy spoiler on a stock 4 cyl Dodge Neon.”
- @mattnels
Proactive vs. Reactive IR
• Hunting for breaches / incidents / anomalies
• Identifying avenues of attack and addressing them
• Detecting shifts of attack
Detect:
• Visibility
• SIEM/Logs
• Network
• Hosts
• Threat Intel
IR:
• Analysis
• Verification
• Containment
• Remediation
• CSIRT
Resist:
• Security reviews
• Identity mgmt
• Security design/reqs
• Vuln Mgmt
• Security Operations
Plan:
• Policy
• Risk Management
• Security program design
• Compliance Reporting
• Audit
Model labels: Resist, Detect, IR, Plan, Ops
Active Cyber Defense Model
• Threat Intelligence Consumption
• Asset Classification and Security Monitoring
• Incident Response
• Threat & Environment Manipulation
Source: RecordedFuture.com – Robert Lee
TI/IR Focal Points
Focal points:
• Logs
• Network
• Endpoint
• Threat Intel
Kill Chain & Focal Points
Kill chain phases: Recon → Weaponization → Delivery → Exploitation → C2 → Exfiltration
Focal points mapped across the phases: Logs, Network, Endpoint, Threat Intel
Threat Intel Sharing
Advantages of Sharing
Benevolence:
• Greater Good
Self-Interested:
• Give some to get some
Scope, Relevancy, Context, Breadth, Capabilities
Ways to share
• Vertical/Industry sharing groups – ISACs (Ag, IT, Financial, Edu, etc.)
• Government – US-CERT, FBI InfraGard, etc.
• Org to Org partnerships
• Vendor(s)
Sharing Strategy
• Define a sharing strategy (TLP class)
• Sanitize
• Targeted sharing
• No regurgitation (unique data)
• Ingestible, concise/clear
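The sharing strategy above, carried through in code as an added Python example that is not part of the slides: internal incident records are stripped down to a TLP-labelled, sanitized package containing only indicators the partner does not already have, emitted in a form a TIP can ingest. The record layout, the field names, the internal address ranges treated as sensitive, the “already public” set and all sample values are assumptions constructed for this example.

```python
# Added example, not from the slides: turning internal incident records into
# a sharing package (TLP class, sanitized, unique data only, concise and
# ingestible). Record layout, field names and sample values are constructed.
import ipaddress
import json
import re

TLP_LEVELS = ("WHITE", "GREEN", "AMBER", "RED")  # TLP classes in use in 2015

# Fields that describe the victim environment or the case, not the adversary.
INTERNAL_FIELDS = {"victim_host", "victim_user", "internal_ip", "analyst", "ticket"}

# The few fields a partner can ingest without asking questions.
SHARED_FIELDS = ("indicator", "type", "ttp", "first_seen", "description")

# Address ranges we treat as "ours" when scrubbing free text (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed: indicators a public feed already carries; re-sharing them is regurgitation.
ALREADY_PUBLIC = {"malicious.example"}

# Constructed internal records as a TIP or case system might hold them.
RECORDS = [
    {"indicator": "203.0.113.45", "type": "ip", "ttp": "C2 beacon over HTTPS",
     "first_seen": "2015-12-01",
     "description": "HTTPS beacon observed from 10.0.5.17 every 300s",
     "victim_host": "ws-finance-07", "victim_user": "jdoe", "internal_ip": "10.0.5.17",
     "analyst": "analyst-a", "ticket": "IR-1234"},
    {"indicator": "malicious.example", "type": "domain", "ttp": "phishing landing page",
     "first_seen": "2015-12-03", "description": "Commodity credential phish",
     "victim_host": "ws-hr-02", "victim_user": "asmith", "internal_ip": "10.0.5.22",
     "analyst": "analyst-a", "ticket": "IR-1235"},
    {"indicator": "203.0.113.45", "type": "ip", "ttp": "C2 beacon over HTTPS",
     "first_seen": "2015-12-04",
     "description": "Same C2, second host 10.0.5.30",
     "victim_host": "ws-finance-11", "victim_user": "bkim", "internal_ip": "10.0.5.30",
     "analyst": "analyst-b", "ticket": "IR-1240"},
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def scrub_private_ips(text):
    """Replace addresses inside INTERNAL_NETS in free text with a marker,
    leaving the adversary's infrastructure addresses intact."""
    def repl(m):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:
            return m.group(0)  # not a real IPv4 address, leave it alone
        return "[internal-ip]" if any(addr in net for net in INTERNAL_NETS) else m.group(0)
    return IPV4_RE.sub(repl, text)


def sanitize(record, tlp):
    """Keep only the shareable fields, scrub free text, and stamp the TLP class."""
    if tlp not in TLP_LEVELS:
        raise ValueError(f"unknown TLP class: {tlp}")
    shared = {k: record[k] for k in SHARED_FIELDS if k in record}
    shared["description"] = scrub_private_ips(shared.get("description", ""))
    shared["tlp"] = tlp
    return shared


def build_share_package(records, tlp, already_public=ALREADY_PUBLIC):
    """Sanitize every record, drop indicators the partner already has from public
    feeds, and collapse repeats so each indicator is shared once."""
    package, seen = [], set()
    for rec in records:
        ind = rec["indicator"]
        if ind in already_public or ind in seen:
            continue
        seen.add(ind)
        package.append(sanitize(rec, tlp))
    return package


def to_jsonl(package):
    """One JSON object per line: trivially ingestible by a TIP or a script."""
    return "\n".join(json.dumps(rec, sort_keys=True) for rec in package)


if __name__ == "__main__":
    print(to_jsonl(build_share_package(RECORDS, "AMBER")))
```

Of the three constructed records only one leaves: the phishing domain is already public, the repeated C2 address is collapsed to a single entry, and the surviving record carries no victim host, user, analyst or ticket and has its internal source address replaced in the description.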
Wrap-up
• Define your goals
• Collect relevant TI
• Analysis / Context
• Make Actionable / apply it
• Share your Intel