ACTIONABLE THREAT INTELLIGENCE
Chandra Ballabh
Threat Intelligence Defined
 What is Threat
 What is Intelligence
 What is Threat Intelligence
 Actionable outcomes
Threat Intelligence Categorization
 TI can be categorized as
 Tactical:
 Offending IP addresses
 URLs
 Registry entries
 Hashes
 Strategic:
 Business use cases
 Learning from past incidents
 Global trends
Effectiveness of Threat Intelligence
 Intelligence should strive to be timely
 Intelligence should strive to be accurate
 Intelligence should strive to be actionable
 Intelligence should strive to be relevant
Traditional Threat Intelligence Methods
 Mailers from security vendors
 Mailers from Government agencies
 Inputs from internal stakeholders
 Automated threat feed from security vendors
 Automated threat feed from open sources
Threat Intelligence Market Offerings
 Every security vendor offers some form of threat intelligence feed or other
 Next gen firewall
 Anti-APT
 Web proxy
 DLP Solution
 Email security gateway
 SIEM & SOAR
 UEBA solutions
 Threat hunting platforms
 Get a list of such services from http://thecyberthreat.com/cyber-threat-intelligence-feeds/
Indicators of Compromise (IoC)
 IoC monitoring facilitates Threat Intelligence capabilities:
 Unusual Outbound Network Traffic
 Anomalies In Privileged User Account Activity
 Mismatched Port-Application Traffic
 Suspicious Registry or System File Changes
 Web Traffic With Non-human Behavior
 Signs of DDoS Activity
Commercial Threat Intelligence – Points to Ponder
 Using TI is tricky
– knowing how to separate the grain from the chaff is the key
 TI is often probabilistic and often context-agnostic
– align it to your context
– determine the rules of when and when not to act
 TI is not information for senior executives or leaders
– only the actions and outcomes of using TI are
 Integrating TI feeds into a SIEM is fraught with traps
Actionable Threat Intelligence
 Effective use of time and effort
 No additional validation
 Minimal manual intervention
 Relevant to the operations
 Action as per the context
 High accuracy
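To make the "align it to your context" and "when and when not to act" points above concrete, and to show what the "no additional validation / minimal manual intervention" criteria look like in practice, here is an added Python example that is not from the slides: a constructed indicator feed is filtered by organisational context (an allowlist, a minimum confidence, a maximum age) before being matched against constructed proxy log lines, so the naive match fires on every line while the contextualised match fires only where action is warranted. The feed schema (confidence and last_seen fields), the thresholds and the log format are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Indicator:
    value: str        # the IoC itself (IP or domain here)
    confidence: int   # assumed vendor-supplied score, 0-100
    last_seen: date   # assumed "last observed malicious" date

TODAY = date(2024, 5, 5)
# Constructed feed (RFC 5737 documentation addresses, not real IoCs)
FEED = [
    Indicator("203.0.113.7", 90, date(2024, 5, 1)),
    Indicator("198.51.100.9", 40, date(2023, 1, 3)),  # stale and low confidence
    Indicator("bad.example", 85, date(2024, 5, 3)),
    Indicator("8.8.8.8", 95, date(2024, 5, 4)),       # shared resolver everyone talks to
]
# Organisational context: the "when and when not to act" rules (constructed)
ALLOWLIST = {"8.8.8.8"}   # known-good shared services that would only generate noise
MIN_CONFIDENCE = 70       # below this, enrich the event but do not alert
MAX_AGE_DAYS = 90         # older indicators are no longer timely
# Constructed proxy log lines: "<date> <src> <dst> <action>"
LOGS = [
    "2024-05-05 10.0.0.5 203.0.113.7 allowed",
    "2024-05-05 10.0.0.8 198.51.100.9 allowed",
    "2024-05-05 10.0.0.9 8.8.8.8 allowed",
    "2024-05-05 10.0.0.5 bad.example allowed",
]

def raw_match(logs, feed):
    """What naive feed-to-SIEM integration does: every feed value is an alert."""
    values = {i.value for i in feed}
    return [line for line in logs if line.split()[2] in values]

def contextualise(feed, today=TODAY):
    """Keep only indicators that are relevant, confident and timely."""
    return {
        i.value: i for i in feed
        if i.value not in ALLOWLIST
        and i.confidence >= MIN_CONFIDENCE
        and (today - i.last_seen).days <= MAX_AGE_DAYS
    }

def match(logs, indicators):
    """Return (src, Indicator) pairs that merit analyst action."""
    hits = []
    for line in logs:
        _, src, dst, _ = line.split()
        if dst in indicators:
            hits.append((src, indicators[dst]))
    return hits
```

Running raw_match over the four sample lines yields four alerts, of which two are noise; match over the contextualised feed yields only the two worth an analyst's time.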
Threat Intelligence – SIEM Integration
Enhance your Threat Intelligence capability
 Use TI solutions
 Follow CERT Organizations
 Subscribe to Security vendor alerts
 Integrate open source threat feeds with your security solutions
 Identify new threat patterns
 Monitor zero days
 Identify social engineering attacks (humans are the weak link)
 Adopt big data analytics
Summary
 TI is not new – We all do it
 TI can become noise – context sensitize it
 Know what you want to protect – select the relevant intelligence
 SIEM – TI integration is a staged process
 One size does not fit all – but one principle fits all
 Use what suits you
 Actionable Threat Intelligence is the key – use it wisely
Q & A