data-driven threat intelligence: metrics on indicator … · 2018-05-11 · data-driven threat...
TRANSCRIPT
Page 1
Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti)
Alex Pinto, Chief Data Scientist, MLSec Project (@alexcpsec, @MLSecProject)
Alexandre Sieira, CTO, Niddel (@AlexandreSieira, @NiddelCorp)
Page 2
Agenda
• Previously on #ddti
• Challenges at TI Sharing
• Measuring TI Sharing
• The Future of Sharing
Page 3
This is a data-driven webinar! Please check your anecdotes at the door.
Page 4
Previously on #ddti
• Useful Methods and Measurements for Handling Indicators
• Analysis of Threat Intelligence Feeds
• Indirectly, a methodology for analyzing TI Providers
• Combine (https://github.com/mlsecproject/combine)
  • Gathers TI data (ip/host) from the Internet and local files
• TIQ-Test (https://github.com/mlsecproject/tiq-test)
  • Runs statistical summaries and tests on TI feeds
Page 5
TIQ-TEST - Tons of Threat-y Tests
• NOVELTY – How often do the feeds update themselves?
• AGING – How long does an indicator sit on a feed?
• POPULATION – How does this population distribution compare to my data?
• OVERLAP – How do the indicators compare to the ones you got?
• UNIQUENESS – How many indicators are found only on one feed?
Putting this threat intel data to work
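An added illustration of the novelty, aging, overlap and uniqueness tests from the slide above, computed over three constructed daily feed snapshots. TIQ-Test itself is an R project; this Python code is not part of it, and the feed names, dates and TEST-NET addresses are made up for the example.

```python
from datetime import date

# Constructed daily snapshots of three hypothetical feeds (TEST-NET addresses):
# feed name -> {snapshot date: set of indicators listed that day}.
D1, D2, D3 = date(2015, 6, 1), date(2015, 6, 2), date(2015, 6, 3)
SNAPSHOTS = {
    "feed_a": {D1: {"198.51.100.1", "198.51.100.2", "203.0.113.5"},
               D2: {"198.51.100.1", "198.51.100.2", "203.0.113.5", "203.0.113.9"},
               D3: {"198.51.100.2", "203.0.113.5", "203.0.113.9", "192.0.2.7"}},
    "feed_b": {D1: {"198.51.100.1", "192.0.2.7"},
               D2: {"198.51.100.1", "192.0.2.7"},
               D3: {"198.51.100.1", "192.0.2.7", "192.0.2.8"}},
    "feed_c": {D1: {"203.0.113.5"}, D2: {"203.0.113.5"},
               D3: {"203.0.113.5", "198.51.100.2"}},
}

def novelty(feed):
    """NOVELTY: mean share of each day's indicators that were not listed the day before."""
    days = sorted(feed)
    rates = [len(feed[cur] - feed[prev]) / len(feed[cur])
             for prev, cur in zip(days, days[1:])]
    return sum(rates) / len(rates)

def aging(feed):
    """AGING: mean number of snapshot days an indicator stays listed on the feed."""
    days_listed = {}
    for iocs in feed.values():
        for ioc in iocs:
            days_listed[ioc] = days_listed.get(ioc, 0) + 1
    return sum(days_listed.values()) / len(days_listed)

def overlap(feeds, day):
    """OVERLAP: matrix[x][y] = share of feed x's indicators on `day` that feed y also lists."""
    return {x: {y: len(feeds[x][day] & feeds[y][day]) / len(feeds[x][day])
                for y in feeds if y != x} for x in feeds}

def uniqueness(feeds, day):
    """UNIQUENESS: share of each feed's indicators on `day` listed by no other feed."""
    result = {}
    for x in feeds:
        others = set().union(*(feeds[y][day] for y in feeds if y != x))
        result[x] = len(feeds[x][day] - others) / len(feeds[x][day])
    return result

if __name__ == "__main__":
    for name, feed in SNAPSHOTS.items():
        print(f"{name}: novelty={novelty(feed):.2f} aging={aging(feed):.2f} days")
    print("overlap on D3:", overlap(SNAPSHOTS, D3))
    print("uniqueness on D3:", uniqueness(SNAPSHOTS, D3))
```

In this sample feed_c is fully contained in feed_a on the last day (overlap 1.0, uniqueness 0.0), which is the "more data is fine, but make sure it is different" point of the overlap test.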
Page 6
Overlap Test: More data is fine, but make sure it is different
Page 7
Overlap Test - Outbound
Page 8
Uniqueness Test: Can we tell if we are close to finding *all* the threats?
Page 9
(chart only; no text extracted)
Page 10
I hate quoting myself, but…
Page 11
Key Takeaway #1: MORE != BETTER
Threat Intelligence Indicator Feeds
Threat Intelligence Program
Page 12
Constructive Feedback from the Internet:
“TI Sharing is TOTALLY going to solve this”
Right, folks? Right?
Page 13
TI Sharing Solution Plan:
1. The best Threat Intelligence is the one that you analyze from your own incidents (homegrown / organic intelligence)
2. There is strength in numbers – vertical herd immunity!
3. ????????
4. PROFIT!! (or at least SECURITY!!)
Or at least a rough strawman
Page 14
Issue 1 - BYOTI
If CONSUMING is for the 1%, what is the percentage of organizations able to PRODUCE?
Page 15
Issue 2 - Herd Immunity
Source: www.vaccines.gov
• We may be able to detect more ”virus strains” together, but we are *terrible* at inoculation.
• The things we detect the most mutate too fast (Pyramid of Pain)
• Who didn’t get immunized still gets sick (FOMO-TI)
Page 16
The Cognitive Dissonances of TI Sharing
Everybody should share! / THE CIRCLE OF TRUST
Page 17
The Two Sides of the Trust Coin
Do you trust the group enough to consume?
Do you trust the group enough to share?
Page 18
How about measuring it?
We would like to thank the kind contribution of data from the fine folks at Facebook ThreatExchange and ThreatConnect
…and also the sharing communities that chose to remain anonymous. You know who you are, and we ❤ you too.
Page 19
OVERLAP SLIDE
Page 20
OVERLAP SLIDE
Page 21
UNIQUENESS SLIDE
Looks like we would get similar quality on a ”good” Threat Intelligence Sharing Platform as we would on a ”paid feed"
Page 22
Activity Metric: Is there any actual sharing going on?
Page 23
Update frequency chart
Large community – 10,000s of members – high 10s average
Small community – high 10s of members – low 100s average
Large Community is roughly 36x bigger than Small Community
Page 24
Diversity Metric: Check your sharing privilege
Page 25
Roughly 10% of the organizations share data into the community
Page 26
Some organizations are clearly in a better position operationally and legally to share. And that is expected due to our premises.
Page 27
Feedback Metric: But is the data any good?
Page 28
(chart only; no text extracted)
Page 29
Feedback Metric
• Almost no support on automation-driven platforms
• Some allow you to leave ”comments” or ”new descriptors” for the IOCs – even counting those, a very low % in relation to new shared data
• Analyst-driven environments allow for collaboration on e-mails and forum posts to describe and refine strategies and best practices.
• How can we make this collaboration work on automation-driven platforms?
Page 30
Trust Metric: Are we helping all the community or just a few orgs at a time?
Page 31
(chart only; no text extracted)
Page 32
Trust Metric
• The rough estimate seems to be that more than 50% of ”sharing” (IOCs, messages, etc.) happens in ”private groups” inside the infrastructure of the sharing platform
• All communities have them:
  • Part of the DNA of the IC / cleared community
  • Offsets the trust equation, but defeats the ”herd immunity” argument
  • Usually MANDATORY on collaboration with LEA
• But then the ”good” data is not helping ”the community”. Is there any way we can reconcile?
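An added example, not from the talk or its authors, that computes the activity, diversity and trust metrics described on the preceding slides from constructed submission records of a hypothetical 20-member community. Activity is also normalized per member, which is what makes a community of 10,000s of members comparable with one of high 10s; the org names, dates and the public/private flag are assumptions.

```python
from collections import Counter
from datetime import date

# Constructed sample: a 20-member sharing community in which only two organizations
# ever contribute, and most of what they contribute goes to private groups.
MEMBERS = [f"org{i:02d}" for i in range(1, 21)]
OBSERVATION_DAYS = 3
SUBMISSIONS = [  # (contributing org, date shared, visibility) -- constructed records
    ("org01", date(2015, 6, 1), "public"),
    ("org01", date(2015, 6, 1), "private"),
    ("org01", date(2015, 6, 2), "private"),
    ("org02", date(2015, 6, 2), "public"),
    ("org01", date(2015, 6, 3), "private"),
    ("org02", date(2015, 6, 3), "private"),
]

def community_metrics(subs, members, days):
    """Return the activity, diversity and trust metrics for one community."""
    per_org = Counter(org for org, _, _ in subs)
    private = sum(1 for _, _, vis in subs if vis == "private")
    total = len(subs)
    return {
        # ACTIVITY: shared items per day, and per member per day so that
        # communities of very different sizes can be compared
        "items_per_day": total / days,
        "items_per_member_per_day": total / days / len(members),
        # DIVERSITY: share of members that contributed at least once, and how
        # concentrated the contributions are in the single most active org
        "contributing_share": len(per_org) / len(members),
        "top_contributor_share": max(per_org.values()) / total if total else 0.0,
        # TRUST: share of items that only went to private groups
        "private_share": private / total if total else 0.0,
    }

if __name__ == "__main__":
    for key, value in community_metrics(SUBMISSIONS, MEMBERS, OBSERVATION_DAYS).items():
        print(f"{key}: {value:.3f}")
```

With this sample, 10% of members contribute and two thirds of the items are private, the two findings the slides report for real communities.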
Page 33
The Future of Sharing: At the very least my humble opinion :)
Page 34
#squadgoals
Increase the TRUST among peers
Reduce the TECHNICAL BARRIER for sharing useful information
Page 35
TRUST: Anonymity + Good Curation
Some sharing communities accept anonymous submissions that they then curate and disseminate to all organizations
Page 36
TECHNICAL BARRIER: ”Pyramid of Sharing”
Telemetry (MORE MATURE)
Feedback
IOCs (LESS MATURE)
❤ and apologies to @DavidJBianco
Page 37
Takeaways
• Intelligence Sharing is a very analyst-centric activity that we have been tasked with scaling out
• Data can be as good as a paid feed, but you have to be in the right circles of trust
• Does not solve the analyst shortage, nor making the indicators / strategies operational in your environment
Page 38
Thanks!
• Q&A?
• Feedback!
”The measure of intelligence is the ability to change." - Albert Einstein
Alex Pinto (@alexcpsec, @MLSecProject)
Alexandre Sieira (@AlexandreSieira, @NiddelCorp)