Crowd-Sourced Threat Intelligence

This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM). Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.

Published in Technology, Economy & Finance
Transcript

  • 1. Crowd-Sourced Threat Intelligence
  • 2. About me - Director, AlienVault Labs - Security Research - Malware Analysis - Incident response
  • 3. The attacker’s advantage • They only need to be successful once • Determined, skilled and often funded adversaries • Custom malware, 0days, multiple attack vectors, social engineering • Persistent
  • 4. The defender’s disadvantage • They can’t make a mistake • Understaffed, jack of all trades, underfunded • Increasingly complex IT infrastructure: – Moving to the cloud – Virtualization – Bring your own device • Prevention controls fail to block everything • Hundreds of systems and vulnerabilities to patch
  • 5. What is Threat Intelligence? • Information about malicious actors • Helps you make better decisions about defense • Examples: IP addresses, domains, URLs, file hashes, TTPs, victims’ industries, countries, …
  • 6. How can I use Threat Intelligence? • Detect what my prevention technologies fail to block • Security planning, threat assessment • Improves incident response / triage • Decide which vulnerabilities to patch first
  • 7. State of the art • Most sharing is unstructured and human-to-human • Closed groups • Existing standards require knowledge, resources and time to integrate the data
  • 8. Standards & Tools • IODEF: Incident Object Description Exchange Format • MITRE: – STIX: Structured Threat Information eXpression – TAXII: Trusted Automated eXchange of Indicator Information – MAEC, CAPEC, CybOX • CIF: Collective Intelligence Framework
  • 9. Collective Intelligence Framework
  • 10. The Threat Intelligence Pyramid of Pain
  • 11. The Power of the “Crowd” for Threat Detection • Cyber criminals are using (and reusing) the same exploits against others (and you). • Sharing (and receiving) collaborative threat intelligence makes us all more secure. • Using this data, detect, flag and block attackers using indicators (Threat Intel)
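Slides 5, 6 and 11 describe the basic defensive use of shared indicators: take the IP addresses, domains and file hashes other members have already seen, and run them against local logs to find what prevention missed. The script below is an added example written for this page, not OTX, OSSIM or AlienVault code. The feed format, the log formats and every IP, domain, hash and log line in it are constructed sample data (documentation address ranges, `.example` hostnames, a made-up hash).

```python
"""Matching shared indicators against local logs.

Added example, not OTX or AlienVault code: a tiny indicator feed in the
spirit of slide 5 (IPs, domains, file hashes) is matched against local
proxy, firewall and endpoint log lines to surface what prevention missed
(slide 6) and to flag attackers already seen by other members (slide 11).
All IPs, domains, hashes and log lines below are constructed sample data.
"""
import re
from collections import namedtuple

# Constructed indicator feed, one indicator per line: type,value,context.
THREAT_FEED = """\
ip,198.51.100.23,SSH brute-force source reported by another member
domain,update-check.example,malware C2 reported by another member
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,dropper shared by another member
"""

# Constructed log lines from three local sources (proxy, firewall, endpoint).
SAMPLE_LOGS = [
    "2013-10-10T10:01:02Z proxy src=10.0.0.15 dst=203.0.113.7 "
    "host=update-check.example url=http://update-check.example/gate.php action=allow",
    "2013-10-10T10:01:05Z firewall src=198.51.100.23 dst=10.0.0.15 dport=22 action=drop",
    "2013-10-10T10:02:11Z endpoint host=ws-042 file=invoice.exe "
    "sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF action=executed",
    "2013-10-10T10:03:00Z proxy src=10.0.0.22 dst=203.0.113.9 host=www.example.com action=allow",
]

Hit = namedtuple("Hit", "line_no ioc_type value context")

# Observable extractors. Values are lower-cased before lookup so that a
# hash logged in upper case still matches a lower-case feed entry.
_PATTERNS = [
    ("sha256", re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)),
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)),
]


def parse_feed(text):
    """Return {ioc_type: {value: context}} from the CSV-like feed text."""
    indicators = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type, value, context = line.split(",", 2)
        indicators.setdefault(ioc_type, {})[value.lower()] = context
    return indicators


def extract_observables(line):
    """Return the set of (type, value) observables found in one log line.

    A set is used so an indicator that appears twice in one line (e.g. in
    both host= and url=) is reported once.
    """
    found = set()
    for ioc_type, pattern in _PATTERNS:
        for m in pattern.finditer(line):
            found.add((ioc_type, m.group(0).lower()))
    return found


def match_logs(logs, indicators):
    """Flag every log line carrying a shared indicator, one Hit per indicator per line."""
    hits = []
    for line_no, line in enumerate(logs, start=1):
        for ioc_type, value in sorted(extract_observables(line)):
            context = indicators.get(ioc_type, {}).get(value)
            if context is not None:
                hits.append(Hit(line_no, ioc_type, value, context))
    return hits


def summarize(hits):
    """Count hits per indicator type: a quick triage view for the responder."""
    counts = {}
    for hit in hits:
        counts[hit.ioc_type] = counts.get(hit.ioc_type, 0) + 1
    return counts


if __name__ == "__main__":
    feed = parse_feed(THREAT_FEED)
    for hit in match_logs(SAMPLE_LOGS, feed):
        print(f"line {hit.line_no}: {hit.ioc_type}={hit.value} ({hit.context})")
    print(summarize(match_logs(SAMPLE_LOGS, feed)))
```

Run as-is, the script flags three of the four constructed lines: the proxy request to the shared C2 domain (allowed by the proxy, so prevention missed it), the firewall drop from the shared scanner address, and the endpoint execution of the shared dropper hash. The fourth line carries no shared indicator and stays quiet. The extractors deliberately over-collect (a filename such as `invoice.exe` is picked up as a domain candidate); that is harmless because only values present in the feed produce a hit.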
  • 12. Disrupt the incident response cycle (Prevent → Detect → Respond). A traditional cycle: 1. Prevents known threats. 2. Detects new threats in the environment. 3. Responds to the threats as they happen. This isolated closed loop offers no opportunity to learn from what others have experienced: no advance notice.
  • 13-17. Traditional Response (diagram, built up over five slides: First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom, Marginal Food Products; each organization goes through Attack, Detect and Respond on its own)
  • 18. OTX enables preventative response through an automated, real-time threat exchange framework
  • 19. A real-time threat exchange framework (diagram of the same five organizations as slides 13-17): one member is attacked and detects it; Open Threat Exchange puts preventative response measures in place through shared experience
  • 20. A real-time threat exchange framework (diagram continued): Open Threat Exchange protects the other members in the network with the preventative response measures
  • 21. Benefits of Open Threat Exchange • Shifts the advantage from the attacker to the defender • Open and free to everyone • Each member benefits from the incidents of all other members • Automated sharing of threat data
  • 22. Open Source Security Information Management (OSSIM/USM) product capabilities: Asset Discovery (active network scanning, passive network scanning, asset inventory, host-based software inventory); Vulnerability Assessment (continuous vulnerability monitoring, authenticated / unauthenticated active scanning); Behavioral Monitoring (log collection, NetFlow analysis, service availability monitoring); Security Intelligence (SIEM event correlation, incident response); Threat Detection (network IDS, host IDS, wireless IDS, file integrity monitoring)
  • 23. Open Threat Exchange
  • 24. Thank you!! @jaimeblascob http://www.alienvault.com/open-threat-exchange/blog