Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

SANS CTI Summit 2016 - Data-Driven Threat Intelligence: Sharing

3,291 views

Published on

For the last 18 months, MLSec Project and Niddel collected threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. These projects have been improved upon for the last year, and are able to gather and compare data from multiple Threat Intelligence sources on the Internet. This research culminated on a talk on SANS CTI Summit 2015 and a contribution to the Verizon DBIR on the same year.

On this talk, we have gathered aggregated usage information from intelligence sharing communities in order to determine if the added interest and "push" towards sharing is really being followed by the companies and if its adoption is putting us in the right track to close these gaps. We propose a new set of metrics on the same vein as TIQ-test to help you understand what does a "healthy" threat intelligence sharing community looks like.

To better illustrate the points and metrics, we will be conducting part of this analysis using usage data from some high-profile threat intelligence platforms and sharing communities, that have been kind enough to contribute with usage data for this research.

Join us in an data-driven analysis of threat intelligence sharing communities and their impact on operational usage of indicators!

Published in: Data & Analytics
  • There is a useful site for you that will help you to write a perfect and valuable essay and so on. Check out, please ⇒ www.HelpWriting.net ⇐
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • To get professional research papers you must go for experts like ⇒ www.WritePaper.info ⇐
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THE BOOK INTO AVAILABLE FORMAT (New Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://urlzs.com/UABbn } ......................................................................................................................... Download Full EPUB Ebook here { https://urlzs.com/UABbn } ......................................................................................................................... Download Full doc Ebook here { https://urlzs.com/UABbn } ......................................................................................................................... Download PDF EBOOK here { https://urlzs.com/UABbn } ......................................................................................................................... Download EPUB Ebook here { https://urlzs.com/UABbn } ......................................................................................................................... Download doc Ebook here { https://urlzs.com/UABbn } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book THE can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer THE is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBOOK .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, CookBOOK, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, EBOOK, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story THE Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money THE the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths THE Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here
  • DOWNLOAD THE BOOK INTO AVAILABLE FORMAT (New Update) ......................................................................................................................... ......................................................................................................................... Download Full PDF EBOOK here { https://urlzs.com/UABbn } ......................................................................................................................... Download Full EPUB Ebook here { https://urlzs.com/UABbn } ......................................................................................................................... Download Full doc Ebook here { https://urlzs.com/UABbn } ......................................................................................................................... Download PDF EBOOK here { https://urlzs.com/UABbn } ......................................................................................................................... Download EPUB Ebook here { https://urlzs.com/UABbn } ......................................................................................................................... Download doc Ebook here { https://urlzs.com/UABbn } ......................................................................................................................... ......................................................................................................................... ................................................................................................................................... eBook is an electronic version of a traditional print book THE can be read by using a personal computer or by using an eBook reader. (An eBook reader can be a software application for use on a computer such as Microsoft's free Reader application, or a book-sized computer THE is used solely as a reading device such as Nuvomedia's Rocket eBook.) Users can purchase an eBook on diskette or CD, but the most popular method of getting an eBook is to purchase a downloadable file of the eBook (or other reading material) from a Web site (such as Barnes and Noble) to be read from the user's computer or reading device. Generally, an eBook can be downloaded in five minutes or less ......................................................................................................................... .............. Browse by Genre Available eBOOK .............................................................................................................................. Art, Biography, Business, Chick Lit, Children's, Christian, Classics, Comics, Contemporary, CookBOOK, Manga, Memoir, Music, Mystery, Non Fiction, Paranormal, Philosophy, Poetry, Psychology, Religion, Romance, Science, Science Fiction, Self Help, Suspense, Spirituality, Sports, Thriller, Travel, Young Adult, Crime, EBOOK, Fantasy, Fiction, Graphic Novels, Historical Fiction, History, Horror, Humor And Comedy, ......................................................................................................................... ......................................................................................................................... .....BEST SELLER FOR EBOOK RECOMMEND............................................................. ......................................................................................................................... Blowout: Corrupted Democracy, Rogue State Russia, and the Richest, Most Destructive Industry on Earth,-- The Ride of a Lifetime: Lessons Learned from 15 Years as CEO of the Walt Disney Company,-- Call Sign Chaos: Learning to Lead,-- StrengthsFinder 2.0,-- Stillness Is the Key,-- She Said: Breaking the Sexual Harassment Story THE Helped Ignite a Movement,-- Atomic Habits: An Easy & Proven Way to Build Good Habits & Break Bad Ones,-- Everything Is Figureoutable,-- What It Takes: Lessons in the Pursuit of Excellence,-- Rich Dad Poor Dad: What the Rich Teach Their Kids About Money THE the Poor and Middle Class Do Not!,-- The Total Money Makeover: Classic Edition: A Proven Plan for Financial Fitness,-- Shut Up and Listen!: Hard Business Truths THE Will Help You Succeed, ......................................................................................................................... .........................................................................................................................
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

SANS CTI Summit 2016 - Data-Driven Threat Intelligence: Sharing

  1. 1. Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti) Alex Pinto Chief Data Scientist MLSec Project / Niddel @alexcpsec @MLSecProject @NiddelCorp
  2. 2. • Previously on #ddti • Challenges at TI Sharing • Measuring TI Sharing • The Future of Sharing Agenda
  3. 3. This is a data-driven talk! Please check your anecdotes at the door
  4. 4. Previously on #ddti • Useful Methods and Measurements for Handling Indicators • Analysis of Threat Intelligence Feeds • Indirectly, a methodology for analyzing TI Providers • Combine (https://github.com/mlsecproject/combine) • Gathers TI data (ip/host) from Internet and local files • TIQ-Test (https://github.com/mlsecproject/tiq-test) • Runs statistical summaries and tests on TI feeds
  5. 5. TIQ-TEST - Tons of Threat-y Tests • NOVELTY – How often do the feeds update themselves? • AGING – How long does an indicator sit on a feed? • POPULATION – How does this population distribution compare to my data? • OVERLAP – How do the indicators compare to the ones you got? • UNIQUENESS – How many indicators are found only on one feed? Putting this threat intel data to work
  6. 6. Overlap Test More data is fine, but make sure it is different
  7. 7. Overlap Test - Outbound
  8. 8. Uniqueness Test Can we tell if we are close to finding *all* the threats?
  9. 9. I hate quoting myself, but…
  10. 10. Key Takeaway #1 MORE != BETTERThreat Intelligence Indicator Feeds Threat Intelligence Program
  11. 11. Constructive Feedback from the Internet: “TI Sharing is TOTALLY going to solve this” Right, folks? Right?
  12. 12. TI Sharing Solution Plan: 1. The best Threat Intelligence is the one that you analyze from your own incidents (homegrown / organic intelligence) 2. There is strength in numbers – vertical herd immunity! 3. ???????? 4. PROFIT!! (or at least SECURITY!!) Or at least a rough straw man
  13. 13. If CONSUMING is for the 1%, what is the percentage of organizations able to PRODUCE? Issue 1 - BYOTI
  14. 14. Issue 2 - Herd Immunity Source: www.vaccines.gov • We may be able to detect more ”virus strains” together but we are *terrible* at inoculation. • The things we detect the most mutate too fast (Pyramid of Pain) • Who didn’t get immunized, still gets sick (FOMO-TI)
  15. 15. Issue ? - What are we sharing • AUTOMATION-DRIVEN (PLATFORMS) • Straight to the point IOC sharing • ANALYST-DRIVEN (COMMUNITIES) • Strategic data, best practices, unstructured IOCs • ”Analyst-driven” has been around forever (in non-IC, at least since FS-ISAC was created) • The same people who bash ”just IOC sharing”: • Bash STIX/TAXII for trying to encode complexity • Tells everyone it is IMPOSSIBLE to hire analysts
  16. 16. The Cognitive Dissonances of TI Sharing Everybody should share! The CIRCLE OF TRUST
  17. 17. Do you trust the group enough to consume? The Two Sides of the Trust Coin Do you trust the group enough to share?
  18. 18. Okay, I’ll bite Can we measure our current sharing platforms communities?
  19. 19. Threat Intelligence Sharing We would like to thank the kind contribution of data from the fine folks at Facebook ThreatExchange and ThreatConnect … and also the sharing communities that chose to remain anonymous. You know who you are, and we ❤ you too.
  20. 20. Sharing Communities ARE Social Networks Social Network Selfie Sharing Community Selfie
  21. 21. Let’s look at the indicators first Using TIQ-TEST Overlap and Uniqueness tests
  22. 22. OVERLAP SLIDE
  23. 23. OVERLAP SLIDE
  24. 24. UNIQUENESS SLIDE Looks like we would get similar quality on a ”good” Threat Intelligence Sharing Platform as we would on a ”paid feed"
  25. 25. Suggested Metrics for Sharing • ACTIVITY – How many indicators / posts are being shared day by day? • DIVERSITY – What is the percentage of the population that is actively sharing? • FEEDBACK – Are orgs collaborating on improving the knowledge in the sharing environment? • TRUST – How much data is shared ”openly” in relation to ”privately”? Looking for healthy dynamics
  26. 26. Activity Metric Is there any actual sharing going on?
  27. 27. Less data / Delays More data / Timely Large Group is roughly 40x bigger than Small Group
  28. 28. Organizations are less likely to share if they perceive they ”lost control” of who can consume.
  29. 29. Diversity Metric Check your sharing privilege
  30. 30. Roughly 10% of the organizations share data into the community
  31. 31. Some organizations are clearly in a better position operationally and legally to share. And that is expected due to our premises.
  32. 32. Feedback Metric But is the data any good?
  33. 33. 🙀 I’m sure we can do better than this 🙀
  34. 34. Feedback Metric • Almost no support on automation-driven platforms • Some allow you to leave ”comments” or ”new descriptors” for the IOCs – even by counting those very low % in relation to new shared data • Analyst-driven environments allow for collaboration on e- mails and forum posts to describe and refine strategies and best practices. How can we make this collaboration work on automation-driven platforms?
  35. 35. Trust Metric Are we helping all the community or just a few orgs at a time?
  36. 36. 76%. Again, sounds about right
  37. 37. Overall ”quality” of data goes up too!
  38. 38. Trust Metric • The rough estimate seems to be that more than 60% of ”sharing” (IOCs, messages, etc) happens in ”private groups” inside the infrastructure of the sharing platform • All communities have them: • Part of the DNA of the IC / cleared community • Offsets the trust equation, but defeats the ”herd immunity” argument • Usually MANDATORY on collaboration with LEA But then the ”good” data is not helping ”the community”! Is there any way we can reconcile?
  39. 39. The Future of Sharing 🔮 At the very least my humble opinion
  40. 40. #squadgoals Increase the TRUST among peers Reduce the TECHNICAL BARRIER for sharing useful information
  41. 41. TRUST: Reputation and Anonymity
  42. 42. AlienVault OTX clearly got the memo
  43. 43. TRUST: Anonymity + Good Curation Some sharing communities accept anonymous submissions that they then curate and disseminate to all organizations
  44. 44. IOCs Feedback Telemetry LESS MATURE MORE MATURE With ❤ and apologies to @DavidJBianco TECHNICAL BARRIER: ”Pyramid of Sharing”
  45. 45. Takeaways • Intelligence Sharing is a very analyst-centric activity that we have been tasked with scaling out with automation. No wonder it seems so hard. • Data can be as good as a paid feed, but you have to be in the right circles of trust • Does not solve analyst shortage and making the indicators / strategies operational into your environment
  46. 46. Thanks! • Q&A? • Feedback! ”The measure of intelligence is the ability to change." - Albert Einstein Alex Pinto @alexcpsec @MLSecProject / @NiddelCorp

×