When leveraged properly cyber threat intel (CTI) can be a valuable tool in the security toolbox. And as vendors and customers continue to improve CTI there will be a continued increase in its value. But one use case for CTI which has eluded full potential is leveraging it in a crowdsourced way. This talk will go over the challenges and opportunities of crowdsourced CTI from both the security vendor and customer perspective.

1. Copyright © 2019 JASK
Collective Intelligence:
Crowdsourcing CTI Challenges and Opportunities
Rob Fry, CTO @JASK
September 17th 2019
LA Cyber Lab - Security Summit

2. Copyright © 2019 JASK
• CTI Background
• Value of Crowdsourcing CTI?
• Challenges/Opportunities to Make it Real
• Customer Interest Level
Agenda
2

3. Copyright © 2019 JASK
About Me
3
VP of Eng
Software Engineer
Co-Founder
Advisor
Mentor
Pain-in-the-Ass
Inventor
Internet Streaming
Security Engineer
Docker Containers
Orchestration
Public Cloud
Board Member
CASB
Microservices
Venture
Cloud SIEM
Public Speaker
Open Source
CTO

4. Copyright © 2019 JASK
! The facts expressed here belong to everybody, the
opinions to me. The distinction is yours to draw.
! Any similarity to actual companies or technology, living or
dead, is purely coincidental.
! Every statement in this presentation is probably true when stated,
but truth changes over time.
! Any disclaimer issued by me is subject to change without notice or
reason or anything else.
! Disclaimer does not cover misuse, accident, lightning, flood, tornado, tsunami, volcanic
eruption, earthquake, hurricanes, or other acts of God, neglect, damage from improper use,
incorrect line voltage, unauthorized use, unauthorized repair, improper installation, typos, broken antenna or
marred cabinet, missing or altered serial numbers, electromagnetic radiation from nuclear blasts, sonic boom vibrations, customer
adjustments that are not covered in this list, and incidents owing to an airplane crash, ship sinking or taking on water, motor vehicle crashing, dropping the item, falling rocks, leaky roof, broken glass, disk failure,
accidental file deletions, mud slides, forest fire, hitting of a deer, milk coming out of your nose due to laughing while drinking, or projectiles, which can include, but are not limited to, arrows, bullet shots, BBs, shrapnel, lasers, napalm, torpedoes, emissions of X-rays, Alpha, Beta and Gamma
rays, knives, stones, etc.
Disclaimer!
4

5. Copyright © 2019 JASK
Crowdsourced Cyber Threat Intelligence
5

6. Copyright © 2019 JASK
Crowdsourced Cyber Threat Intelligence
6

7. Copyright © 2019 JASK
Crowdsourced Cyber Threat Intelligence
7
Is it a New Idea?

8. Copyright © 2019 JASK
Crowdsourced Cyber Threat Intelligence
8

9. Copyright © 2019 JASK
Crowdsourced Cyber Threat Intelligence
9
What is this about?

10. Copyright © 2019 JASK
Crowdsourced Cyber Threat Intelligence
10
• Contribution - vs - Consumption
• Context - vs - Indicators
• Quality - vs - Quantity
• One to Many, Many to One

11. Copyright © 2019 JASK
CTI Background - History
11
Visualize This

12. Copyright © 2019 JASK
CTI Background - History
12
The Year is:
2010

13. Copyright © 2019 JASK
CTI Background - History
13
Operation Aurora

14. Copyright © 2019 JASK
CTI Background - History
14
Evolution of Threat Intel

15. Copyright © 2019 JASK
CTI Background - History
15
Evolution of Threat Intel
It was probably here.

16. Copyright © 2019 JASK
CTI Background - History
16
Artifacts of Love & Disdain

17. Copyright © 2019 JASK
CTI Background - History
17
Evolution of Threat Intel
Email IM Msg Boards

18. Copyright © 2019 JASK
CTI Background - History
18
Evolution of Threat Intel
Email IM Msg Boards
Sidenote:
For Many of Us, This is Still Standard Operating

19. Copyright © 2019 JASK
CTI Background - History
19
The Year is:
2012-ish

20. Copyright © 2019 JASK
CTI Background - History
20
Evolution of Threat Intel
Anubis

21. Copyright © 2019 JASK
CTI Background - History
21
Evolution of Threat Intel

22. Copyright © 2019 JASK
CTI Background - History
22
Evolution of Threat Intel
Is Bad?
Yes
No
Binary Return

23. Copyright © 2019 JASK
CTI Background - History
23
Evolution of Threat Intel
Product Market
Cost
Product/Market Fit

24. Copyright © 2019 JASK
CTI Background - History
24
Evolution of Threat Intel
Startups! Open Source
&

25. Copyright © 2019 JASK
CTI Background - History
25
Evolution of Threat Intel

26. Copyright © 2019 JASK
CTI Background - History
26
Evolution of Threat Intel

27. Copyright © 2019 JASK
CTI Background - History
27
Evolution of Threat Intel
DATA!

28. Copyright © 2019 JASK
CTI Background - History
28
Example

29. Copyright © 2019 JASK
CTI Background - History
29
Evolution of Threat Intel
Threat Score
User Score
Machine Score
Total Score
Incident Response

30. Copyright © 2019 JASK
CTI Background - History
30
Evolution of Threat Intel
Threat Score
User Score
Machine Score
Total Score
Incident Response Asset Score

31. Copyright © 2019 JASK
CTI Background - History
31
Evolution of Threat Intel
CTI Detectors Historical Alerted User Posture
Machine
Posture
Asset Value

32. Copyright © 2019 JASK
CTI Background - History
32
Evolution of Threat Intel
CTI Detectors Historical Alerted User Posture
Machine
Posture
Asset Value
Context For CTI

33. Copyright © 2019 JASK
CTI Background - History
33
Evolution of Threat Intel
CTI Detectors Historical Alerted User Posture
Machine
Posture
Asset ValueSilos

34. Copyright © 2019 JASK
CTI Background - History
34
Evolution of Threat Intel
CTI Detectors Historical Alerted User Posture
Machine
Posture
Asset ValueSilos
Triggers
Severity,
Correlation, Risk,
Behavior
Total Detectors
Alerted
Previous Detected
IP, Hash, URL,
Domain?
Machine or User
Alerted Before?
Title, Group,
Function, Etc.
Gather AV, Patch,
Location, Function
Information.
Storing or Access to
Sensitive Data

35. Copyright © 2019 JASK
CTI Background - History
35
Evolution of Threat Intel
CTI Detectors Historical Alerted User Posture
Machine
Posture
Asset ValueSilos
Triggers
Weights
Severity,
Correlation, Risk,
Behavior
Total Detectors
Alerted
Previous Detected
IP, Hash, URL,
Domain?
Machine or User
Alerted Before?
Title, Group,
Function, Etc.
Gather AV, Patch,
Location, Function
Information.
Storing or Access to
Sensitive Data
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight

36. Copyright © 2019 JASK
CTI Background - History
36
Evolution of Threat Intel

37. Copyright © 2019 JASK
CTI Background - History
37
Evolution of Threat Intel

38. Copyright © 2019 JASK
CTI Background - History
38
Evolution of Threat Intel
CTI Detectors Historical Alerted User Posture
Machine
Posture
Asset ValueSilos
Triggers
Weights
Severity,
Correlation, Risk,
Behavior
Total Detectors
Alerted
Previous Detected
IP, Hash, URL,
Domain?
Machine or User
Alerted Before?
Title, Group,
Function, Etc.
Gather AV, Patch,
Location, Function
Information.
Storing or Access to
Sensitive Data
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Threat Score Threat Score Threat Score Threat Score

39. Copyright © 2019 JASK
CTI Background - History
39
Evolution of Threat Intel
CTI Detectors Historical Alerted User Posture
Machine
Posture
Asset ValueSilos
Triggers
Weights
Severity,
Correlation, Risk,
Behavior
Total Detectors
Alerted
Previous Detected
IP, Hash, URL,
Domain?
Machine or User
Alerted Before?
Title, Group,
Function, Etc.
Gather AV, Patch,
Location, Function
Information.
Storing or Access to
Sensitive Data
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Threat Score Threat Score Threat Score Threat Score
Machine Score Machine Score Machine Score Machine Score

40. Copyright © 2019 JASK
CTI Background - History
40
Evolution of Threat Intel
CTI Detectors Historical Alerted User Posture
Machine
Posture
Asset ValueSilos
Triggers
Weights
Severity,
Correlation, Risk,
Behavior
Total Detectors
Alerted
Previous Detected
IP, Hash, URL,
Domain?
Machine or User
Alerted Before?
Title, Group,
Function, Etc.
Gather AV, Patch,
Location, Function
Information.
Storing or Access to
Sensitive Data
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Threat Score Threat Score Threat Score Threat Score
Machine Score Machine Score Machine Score Machine Score
User Score User Score User Score User Score

41. Copyright © 2019 JASK
CTI Background - History
41
Evolution of Threat Intel
CTI Detectors Historical Alerted User Posture
Machine
Posture
Asset ValueSilos
Triggers
Weights
Severity,
Correlation, Risk,
Behavior
Total Detectors
Alerted
Previous Detected
IP, Hash, URL,
Domain?
Machine or User
Alerted Before?
Title, Group,
Function, Etc.
Gather AV, Patch,
Location, Function
Information.
Storing or Access to
Sensitive Data
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Silo Weight
Scoring Weight
Threat Score Threat Score Threat Score Threat Score
Machine Score Machine Score Machine Score Machine Score
User Score User Score User Score User Score
Injection of Context

42. Copyright © 2019 JASK
CTI Background - History
42
Evolution of Threat Intel
Threat Score
User Score
Machine Score
Total Score
(Silo 1 * Silo Weight %) + (Silo 2 * Silo Weight %) + (Silo 3 * Silo Weight %) + (Silo 4 * Silo Weight %)
(Silo 3 * Silo Weight %) + (Silo 4 * Silo Weight %) + (Silo 5 * Silo Weight %) + (Silo 7 * Silo Weight %)
(Silo 3 * Silo Weight %) + (Silo 4 * Silo Weight %) + (Silo 6 * Silo Weight %) + (Silo 7 * Silo Weight %)

43. Copyright © 2019 JASK
CTI Background - History
43
Evolution of Threat Intel
Probably got to here.

44. Copyright © 2019 JASK
CTI Background - History
44
Evolution of Threat Intel
Somedays it felt here. Security is hard.

45. Copyright © 2019 JASK
ourced CTI
45
The Year is:
2013

46. Copyright © 2019 JASK
You
Value of Crowdsourced CTI
46
Crowdsourced Data
One-way
Vendor or Community Aggregated
Good Start But Little Context

47. Copyright © 2019 JASK
You
Value of Crowdsourced CTI
47
Crowdsourced Data
One-way
Upload

48. Copyright © 2019 JASK
Value of Crowdsourced CTI
48
Company “A”
Company “B”

49. Copyright © 2019 JASK
Value of Crowdsourced CTI
49
Company “A”
Company “B”Exchange
Channel
Community

50. Copyright © 2019 JASK
Value of Crowdsourced CTI
50
Mind Blown!

51. Copyright © 2019 JASK
Value of Crowdsourced CTI
51
Herd Methodology

52. Copyright © 2019 JASK
Value of Crowdsourced CTI
52
Wait a minute…

53. Copyright © 2019 JASK
Value : Challenge
53
• How Much Data?
• How Many Customers?
• What Business Verticals?

54. Copyright © 2019 JASK
Value : Challenge
54
+ Volume
+ Velocity
+ Relevance

55. Copyright © 2019 JASK
Value : Challenge
55
+ Volume
+ Velocity
+ Relevance

56. Copyright © 2019 JASK
Challenges/Opportunities to Make it Real
56
?What Would it Take?

57. Copyright © 2019 JASK
57
Challenge & Opportunity - Customer
?

58. Copyright © 2019 JASK
58
What is Your Team’s Posture?
Challenge & Opportunity - Customer

59. Copyright © 2019 JASK
Challenge & Opportunity - Customer
59
Efficacy
Measure
History
Curation

60. Copyright © 2019 JASK
Challenge & Opportunity - Customer
60
Context
CTI Pipeline

61. Copyright © 2019 JASK
Challenge - Product
61
What Specific Customer Problem Are You Solving?

62. Copyright © 2019 JASK
Challenge - Product
62
What Specific Customer Problem Are You Solving?
People Data Expertise

63. Copyright © 2019 JASK
Challenge - Product
63
Curation
Update Look Back History Tombstone

64. Copyright © 2019 JASK
Challenge - Product
64
The “Presentation” Problem

65. Copyright © 2019 JASK
Challenge - Product
65
• Automatic Aggregate
• New Methodologies
• Easier Potential for Sharing
• Private Channels
• Ownership Dilema
The “Cloud” Challenge

66. Copyright © 2019 JASK
Challenge - Product
66
The “Data” Challenge
• Data Protection
• Anonymization
• Secure Point-to-Point
• Business Risk
• Authorization/Legal (Opt-in)
• T&Cs With Product Vendor

67. Copyright © 2019 JASK
Challenge & Opportunity - Product
67
The Waze Analogy
Courtesy of Google

68. Copyright © 2019 JASK
Challenge & Opportunity - Product
68

69. Copyright © 2019 JASK
Challenge & Opportunity - Product
69
Crowdsourced Herd Methodology

70. Copyright © 2019 JASK
Challenge & Opportunity - Product
70
User Validated Indicators

71. Copyright © 2019 JASK
Challenge & Opportunity - Product
71
Business Vertical
Business Vertical
Business Vertical Relevance

72. Copyright © 2019 JASK
Challenge & Opportunity - Product
72
Crowdsourced Herd Methodology
?

73. Copyright © 2019 JASK
Challenge & Opportunity - Product
73
Crowdsourced Herd Methodology
?
True Positive True Negative False Positive False Negative

74. Copyright © 2019 JASK
74
User Validated Indicators
Challenge & Opportunity - Product

75. Copyright © 2019 JASK
75
Feedback Loop
Challenge & Opportunity - Product

76. Copyright © 2019 JASK
76
Individual Individual
User Validating User
Verdict?
Community
Challenge & Opportunity - Product

77. Copyright © 2019 JASK
77
Individual
Company
Business Vertical
Community
• Measure for Efficacy
• Understand Layers
• Changes in Data
• Integrity of the Data
Challenge & Opportunity - Product

78. Copyright © 2019 JASK
• 10:1 - Velocity
• Which Products Are Most Suited to Support?
• What Product(s) or Organizations Have Been Successful?
• What Have We Learned From Previous Shortcomings?
• “Brass Tacks” - What Would Customers Rather Have?
Customer Interest Level
78

79. Copyright © 2019 JASK
• How Do We Make it Easier?
• Ownership on Both Sides
• New Technologies Provide Opportunity?
• Importance of Measuring Efficacy
• Data, et al.
Wrap-up
79

80. Copyright © 2019 JASK
Questions?
Thank You!
80
rob@jask.com
@_robfry on Twitter