Crowd-Sourced Threat Intelligence

This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM). Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.


Crowd-Sourced Threat Intelligence

  1. Crowd-Sourced Threat Intelligence
  2. About me
     - Director, AlienVault Labs
     - Security Research
     - Malware Analysis
     - Incident response
  3. The attacker's advantage
     • They only need to be successful once
     • Determined, skilled and often funded adversaries
     • Custom malware, 0days, multiple attack vectors, social engineering
     • Persistent
  4. The defender's disadvantage
     • They can't make a mistake
     • Understaffed, jack of all trades, underfunded
     • Increasingly complex IT infrastructure:
       – Moving to the cloud
       – Virtualization
       – Bring your own device
     • Prevention controls fail to block everything
     • Hundreds of systems and vulnerabilities to patch
  5. What is Threat Intelligence?
     • Information about malicious actors
     • Helps you make better decisions about defense
     • Examples: IP addresses, domains, URLs, file hashes, TTPs, victims' industries, countries...
  6. How can I use Threat Intelligence?
     • Detect what my prevention technologies fail to block
     • Security planning, threat assessment
     • Improves incident response / triage
     • Decide which vulnerabilities to patch first
  7. State of the art
     • Most sharing is unstructured and human-to-human
     • Closed groups
     • Current standards require knowledge, resources and time to integrate the data
  8. Standards & Tools
     • IODEF: Incident Object Description Exchange Format
     • MITRE:
       – STIX: Structured Threat Information eXpression
       – TAXII: Trusted Automated eXchange of Indicator Information
       – MAEC, CAPEC, CybOX
     • CIF: Collective Intelligence Framework
  9. Collective Intelligence Framework
  10. The Threat Intelligence Pyramid of Pain
  11. The Power of the "Crowd" for Threat Detection
     • Cyber criminals are using (and reusing) the same exploits against others (and you).
     • Sharing (and receiving) collaborative threat intelligence makes us all more secure.
     • Using this data, detect, flag and block attackers using indicators (threat intel).
  12. Disrupt the incident response cycle
     A traditional cycle (Prevent → Detect → Respond):
     1. Prevents known threats.
     2. Detects new threats in the environment.
     3. Responds to the threats as they happen.
     This isolated closed loop offers no opportunity to learn from what others have experienced: no advance notice.
  13. Traditional Response (diagram built up over slides 13 to 17): example organizations (First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom, Marginal Food Products) each go through Attack → Detect → Respond on their own.
  18. OTX Enables Preventative Response
     Through an automated, real-time, threat exchange framework
  19. A Real-Time Threat Exchange Framework (diagram over slides 19 and 20): the same organizations; an attack on one member is detected and fed into the Open Threat Exchange, which puts preventative response measures in place through shared experience and protects the others in the network with those measures.
  21. Benefits of Open Threat Exchange
     • Shifts the advantage from the attacker to the defender
     • Open and free to everyone
     • Each member benefits from the incidents of all other members
     • Automated sharing of threat data
  22. Open Source Security Information Management (OSSIM/USM): USM product capabilities
     • Asset Discovery: Active Network Scanning, Passive Network Scanning, Asset Inventory, Host-based Software Inventory
     • Vulnerability Assessment: Continuous Vulnerability Monitoring, Authenticated / Unauthenticated Active Scanning
     • Behavioral Monitoring: Log Collection, Netflow Analysis, Service Availability Monitoring
     • Security Intelligence: SIEM Event Correlation, Incident Response
     • Threat Detection: Network IDS, Host IDS, Wireless IDS, File Integrity Monitoring
  23. Open Threat Exchange
  24. Thank you!! @jaimeblascob http://www.alienvault.com/open-threat-exchange/blog
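Slides 5, 6, 10 and 11 describe what indicators are, how to use them to detect what prevention controls let through, the Pyramid of Pain, and sharing sightings with the crowd. The Python below is an added example written for this page, not code from the talk, from OTX or from OSSIM. It loads a constructed indicator list, matches it against constructed firewall, DNS and file-integrity log lines, ranks hits using David Bianco's Pyramid of Pain ordering (hashes at the bottom, TTPs at the top), separates the hits that prevention allowed through, and strips victim-side fields before a sighting is shared, in the spirit of the anonymous sharing mentioned in the abstract. The feed values, log format and field names are all assumptions.

```python
"""Crowd-sourced indicator matching over local logs.

Added example for this page; not code from the talk, OTX or OSSIM.
The feed, the log lines, the log format and the field names are constructed.
"""
import re
from dataclasses import dataclass

# David Bianco's Pyramid of Pain, lowest level (cheapest for the attacker
# to change) to highest. Slide 10 names the pyramid; the ordering is Bianco's.
PAIN = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}

# Constructed feed entries, in the shape a JSON indicator list would take.
FEED = [
    {"type": "ip", "value": "203.0.113.45", "desc": "C2 server (constructed)"},
    {"type": "domain", "value": "update-check.example", "desc": "C2 domain (constructed)"},
    {"type": "hash", "value": "deadbeef" * 8, "desc": "dropper sha256 (constructed)"},
    {"type": "artifact", "value": "/tmp/.x11-unix-cache", "desc": "dropper path (constructed)"},
]

# Constructed log lines: "<timestamp> <sensor> key=value ...".
LOGS = [
    "2013-09-17T10:01:02 fw src=10.0.0.23 dst=203.0.113.45 dport=443 action=allow",
    "2013-09-17T10:01:05 dns client=10.0.0.23 query=update-check.example type=A",
    "2013-09-17T10:02:10 fim host=ws-23 path=/tmp/.x11-unix-cache sha256=" + "deadbeef" * 8 + " event=created",
    "2013-09-17T10:03:00 fw src=10.0.0.42 dst=198.51.100.7 dport=80 action=allow",
    "2013-09-17T10:03:30 dns client=10.0.0.42 query=www.example.org type=A",
    "2013-09-17T10:04:12 fw src=10.0.0.9 dst=203.0.113.45 dport=443 action=deny",
]

KV = re.compile(r"(\w+)=(\S+)")
# Which log fields each indicator type is compared against (assumed names).
FIELDS_BY_TYPE = {"ip": ("src", "dst", "client"), "domain": ("query",),
                  "hash": ("sha256",), "artifact": ("path",)}
# Victim-side fields that must not leave the organisation when sharing.
VICTIM_FIELDS = ("src", "client", "host")


@dataclass
class Match:
    ts: str
    sensor: str
    matched_field: str
    indicator: dict
    fields: dict

    @property
    def pain(self) -> int:
        return PAIN[self.indicator["type"]]


def parse(line: str):
    """Split a log line into timestamp, sensor name and key=value fields."""
    ts, sensor, rest = line.split(" ", 2)
    return ts, sensor, dict(KV.findall(rest))


def indicator_hit(fields: dict, ind: dict):
    """Return the name of the log field that matches the indicator, or None."""
    for name in FIELDS_BY_TYPE.get(ind["type"], ()):
        value = fields.get(name)
        if value is None:
            continue
        if ind["type"] == "domain":
            # Exact match, or a subdomain of the listed domain.
            if value == ind["value"] or value.endswith("." + ind["value"]):
                return name
        elif ind["type"] == "hash":
            if value.lower() == ind["value"].lower():
                return name
        elif value == ind["value"]:
            return name
    return None


def scan(lines, feed):
    """Match every indicator against every line; highest-pain hits first."""
    hits = []
    for line in lines:
        ts, sensor, fields = parse(line)
        for ind in feed:
            name = indicator_hit(fields, ind)
            if name:
                hits.append(Match(ts, sensor, name, ind, fields))
    return sorted(hits, key=lambda m: -m.pain)  # stable sort keeps log order within a level


def missed_by_prevention(hits):
    """Slide 6: hits that prevention controls let through (no explicit deny)."""
    return [m for m in hits if m.fields.get("action") != "deny"]


def shareable(m: Match) -> dict:
    """Anonymised sighting: the attacker-side indicator and context only."""
    return {"type": m.indicator["type"], "value": m.indicator["value"],
            "seen": m.ts[:10], "sensor": m.sensor,
            "context": {k: v for k, v in m.fields.items() if k not in VICTIM_FIELDS}}


if __name__ == "__main__":
    for m in missed_by_prevention(scan(LOGS, FEED)):
        print(f"pain={m.pain} {m.ts} {m.sensor} {m.matched_field}={m.indicator['value']}")
```

The ranking matters for triage: a hit on a file path or on a domain survives the attacker rotating an IP or recompiling a sample, so those go to the top of the queue, while a hash hit is useful but short-lived. The `shareable` function keeps only what another member needs to detect the same attacker and drops the internal host and client addresses, which is the property an anonymous exchange depends on.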
