Alex Pinto, profile picture
Uploaded byAlex Pinto
PDF, PPTX12,274 views

Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)

The document discusses a framework called TIQ-Test designed to measure the effectiveness of threat intelligence feeds by analyzing their capability and intent. It outlines various data testing methodologies, including novelty, overlap, and population tests, as well as presenting tools for data preparation and cleansing. The authors emphasize the importance of extracting value from threat data and encourage community engagement in suggesting new tests and sharing data.

Embed presentation

Download as PDF, PPTX
Measuring  the  IQ  of  your  Threat   Intelligence  Feeds  (#TIQtest)   Alex  Pinto   MLSec  Project     @alexcpsec   @MLSecProject! Kyle  Maxwell   Researcher   @kylemaxwell!
Alex  Pinto   •  Science  guy  at  MLSec  Project   •  ML  trainer   •  Network  security  aficionado     •  Tortured  by  SIEMs  as  a  child   •  Hacker  Spirit  Animal™:   CAFFEINATED  CAPYBARA! whoami(s)   Kyle  Maxwell   •  Researcher  at  [REDACTED]   •  Math  Smuggler   •  Recovering  Incident  Responder   •  GPL  zealot   •  Hacker  Spirit  Animal™:   AXIOMATIC  ARMADILLO! (hUps://secure.flickr.com/photos/kobashi_san/)   (hUp://www.langorigami.com/art/gallery/ gallery.php?tag=mammals&name=armadillo)  
•  Threat  Intel  102   •  Measuring  Intelligence   •  Data  Preparaaon   •  Tesang  the  Data   •  Tools:   •  COMBINE   •  TIQ-­‐TEST   •  Some  parang  ideas   Agenda   (hUp://www.savagechickens.com/2008/12/iq-­‐test.html)  
Threat  Intel  102:  Capability  and   Intent   •  What  are  they  able  to  do?   •  What  are  they  intending  to  do?!
Threat  Intel  102:  Cage  Matches   •  Signatures  vs  Indicators   •  Data  vs  Intelligence   •  Tacacal  vs  Strategic   •  Atomic  vs  Composite  
Threat  Intel  102:  Pyramid  of  Pain   “Simple”  and  “easy”  aren’t  always   (David  Bianco  –  Pyramid  of  Pain)  
What  about  IP  addresses?   •  Approximately  same  value  as  hostnames  (APT  vs  DGA)   •  Finite  resource  (unal  IPv6,  that  is)   •  Managed  /  controlled  by  orgs   •  Difficulty  /  economic  incenaves  /  implied  “cost”   •  Also,  recyclable     (hUps://xkcd.com/865/)  
Given  IP  addresses  harvested  from   TI  feeds,  can  we  measure  how   much  they  “help”  our  defense   metrics?!
Introducing  TIQ-­‐TEST   •  All  these  tests  are  available  as  R  funcaons  at     •  hUps://github.com/mlsecproject/aq-­‐test   •  Have  fun,  prove  me  wrong,  suggest  stuff   •  Tools  that  implement  those  tests   •  Sample  data  +  R  Markdown  file   •  The  excuse  to  learn  a  staasacal  language  you  were  waiang   for!  
Data  Sources  –  Types  of  data   •  Extract  the  “raw”  informaaon  from  indicator  feeds   •  Both  IP  addresses  and  hostnames  were  extracted  
Data  Sources  –  Feeds  Selected   •  Data  was  separated  into  “inbound”  and  “outbound”  
Data  PreparaLon  and  Cleansing   •  Convert  the  hostname  data  to  IP  addresses:   •  Acave  IP  addresses  for  the  respecave  date  (“A”  query)   •  Passive  DNS  from  Farsight  Security  (DNSDB)   •  We  removed  non-­‐public  IPs  from  the  dataset  (RFC1918)     •  Yeah,  we  know  it  is  a  “parking  technique”   (hUps://xkcd.com/742/)  
Data  PreparaLon  and  Cleansing   •  For  each  IP  record  (including  the  ones  from  hostnames):   •  Add  asnumber  and  asname  (from  MaxMind  ASN  DB)   •  Add  country  (from  MaxMind  GeoLite  DB)   •  Add  rhost  (again  from  DNSDB)  –  most  popular  “PTR”   •  The  experiments  will  be  around  ASNs  and  Geolocaaon  
Data  PreparaLon  and  Cleansing   •  However,  we  will  NOT  be  using  maps.  Just  let  it  go.  
Data  PreparaLon  and  Cleansing   •  Small  enriched  sample:!
TesLng  the  Data   •  Let’s  generate  some  interesang  metrics:   •  NOVELTY  –  How  oxen  do  they  update  themselves?   •  OVERLAP  –  How  do  they  compare  to  what  you  got?   •  POPULATION  –  what  is  in  them  anyway?   •  Populaaon  is  tricky:   •  Could  mean  the  enare  world  (all  IPv4  space)   •  Should  ideally  mean  YOUR  world  
But  WHAT  IS  THE  IQ?!??1?   •  We  will  withhold  judgment   •  The  best  data  composiaon  is  the  best  one  for  you   •  We  will  do  our  best  to  explain  results  so  you  can  decide.   •  Maybe  on  further  (or  more  private)  research…      
Novelty  Test  –  measuring  added   and  dropped  indicators!
Novelty  Test  (1)  
Novelty  Test  (2)  
Overlap  Test  –  More  data  is  beUer,   but  make  sure  it  is  not  the  same   data!
Overlap  Test  
Overlap  Test  
Overlap  Test  
PopulaLon  Test   •  Let  us  use  the  ASN  and   GeoIP  databases  that  we   used  to  enrich  our  data  as  a   reference  of  the  “true”   populaaon.     •  But,  but,  human  beings  are   unpredictable!  We  will   never  be  able  to  forecast   this!      
Can  we  get  a  beSer  look?   •  Don’t  like  squinang  either   •  Staasacal  inference-­‐based  comparison  models   (hypothesis  tesang)   •  Exact  binomial  tests  (when  we  have  the  “true”  pop)   •  Chi-­‐squared  proporaon  tests  (similar  to   independence  tests)    
Can  we  get  a  beSer  look?   •  We  can  beUer  esamate,  with  confidence  intervals,  our   measures  of  error.   •  Also,  p-­‐values!  (with  apologies  to  Alex  HuUon)   •  We  promise  to  be  very  conservaave  in  using  them.    
Hacker  Spirit  Animal™  Guide   •  US  –  Eagle   •  CA  –  Moose   •  FR  –  Frog   •  GB  –  Bulldog   •  AU  –  Koala   •  BR  –  Capybara  /  Toucan   •  Texas  –  Armadillo   •  Disclaimer:  we  do  not  endorse  Geolocaaon-­‐based  aUribuaon  
Trend  Comparison  
Introducing  COMBINE   •  Harvesang  feeds   takes  some  work.   •  Most  of  us  let   somebody  else  do  it   without  thinking   about  what  it   actually  takes.  
Introducing  COMBINE   hUps://github.com/mlsecproject/combine  
Introducing  COMBINE   •  Components:   1.  Reaper  gathers  the  threat  data  directly  from  feeds.   2.  Thresher  normalizes  it  into  a  simplisac  data  model.   3.  Winnower  opaonally  performs  basic  validaaon  or   enrichment.   4.  Baler  transforms  the  data  into  CybOX,  CSV,  JSON,  and   CIM.  (Only  CSV  and  JSON  work  right  now).  Could  also   write  others  fairly  easily.  (nudge  nudge,  wink  wink)  
Introducing  COMBINE   •  Always  trying  to  feed   it  more.  Lots  of   possibiliaes,   including  your  own   data  sources.   •  We  clearly  do  NOT   endorse  any  included   feeds.    
Introducing  COMBINE   •  Enrichments  -­‐  think   metadata.     •  AS,  geolocaaon   •  DNS  resoluaons   courtesy  of  Farsight   DNSDB     •  Ask  them  for  an   API  key  to  test  it,  tell   them  Alex  Pinto   sent  you  ;)    
MLSec  Project   •  Both  projects  have  been  released  as  GPLv3  by  MLSec  Project   •  Will  replace  the  internal  versions  we  have  on  the  main  code     •  Looking  for  paracipants  and  data  sharing  agreements   •  Liked  TIQ-­‐TEST?  We  can  benchmark  your  private  feeds  using   these  and  other  techniques     •  Visit  hSps://www.mlsecproject.org  ,  message  @MLSecProject   or  just  e-­‐mail  me.!
Take  Aways   •  Analyze  your  data.     •  Extract  value  from  it!   •  Try  before  you  buy!  Different  test   results  mean  different  things  to   different  orgs.   •  Use  the  tools!  Suggest  new  tests!   •  Share  data  with  us!  We  take  good   care  of  it,  make  sure  it  gets   proper  exercise.    
Thanks!   •  Q&A?   •  Feedback!   Alex  Pinto     @alexcpsec   @MLSecProject   ”The  measure  of  intelligence  is  the  ability  to  change."                  -­‐  Albert  Einstein     Kyle  Maxwell   @kylemaxwell  

More Related Content

PDF
Offensive OSINT
byChristian Martorella
 
PPTX
Detection Rules Coverage
bySunny Neo
 
PDF
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
PPTX
OpenSourceIntelligence-OSINT.pptx
byanonymousanonymous428352
 
PPTX
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
PPTX
Tools for Open Source Intelligence (OSINT)
bySudhanshu Chauhan
 
PDF
Threat Intelligence Workshop
byPriyanka Aash
 
PDF
Threat Hunting with Splunk Hands-on
bySplunk
 
Offensive OSINT
byChristian Martorella
 
Detection Rules Coverage
bySunny Neo
 
Mapping to MITRE ATT&CK: Enhancing Operations Through the Tracking of Interac...
byMITRE ATT&CK
 
OpenSourceIntelligence-OSINT.pptx
byanonymousanonymous428352
 
Effective Threat Hunting with Tactical Threat Intelligence
byDhruv Majumdar
 
Tools for Open Source Intelligence (OSINT)
bySudhanshu Chauhan
 
Threat Intelligence Workshop
byPriyanka Aash
 
Threat Hunting with Splunk Hands-on
bySplunk
 

What's hot

PDF
OSINT for Attack and Defense
byAndrew McNicol
 
PDF
Web Application Penetration Testing
byPriyanka Aash
 
PPT
Open source intelligence
bybalakumaran779
 
PPTX
Ethical hacking : Its methodologies and tools
bychrizjohn896
 
PDF
Threat Intelligence
byDeepak Kumar (D3)
 
PPTX
Understanding NMAP
byPhannarith Ou, G-CISO
 
PDF
Hacking With Nmap - Scanning Techniques
byamiable_indian
 
PPTX
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
PDF
Cyber Threat Intelligence - It's not just about the feeds
byIain Dickson
 
PDF
Threat Hunting Report
byMorane Decriem
 
PDF
Osint presentation nov 2019
byPriyanka Aash
 
PPTX
NMap
byPritesh Raka
 
PPTX
Cyber threat intelligence: maturity and metrics
byMark Arena
 
PPTX
Cyber Threat Intelligence | Information to Insight
byDeep Shankar Yadav
 
PPTX
OSINT: Open Source Intelligence gathering
byJeremiah Tillman
 
PDF
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
PDF
Global Cyber Threat Intelligence
byNTT Innovation Institute Inc.
 
PDF
Windows logging cheat sheet
byMichael Gough
 
PDF
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
PDF
Windows Threat Hunting
byGIBIN JOHN
 
OSINT for Attack and Defense
byAndrew McNicol
 
Web Application Penetration Testing
byPriyanka Aash
 
Open source intelligence
bybalakumaran779
 
Ethical hacking : Its methodologies and tools
bychrizjohn896
 
Threat Intelligence
byDeepak Kumar (D3)
 
Understanding NMAP
byPhannarith Ou, G-CISO
 
Hacking With Nmap - Scanning Techniques
byamiable_indian
 
Cyber Threat Intelligence.pptx
byAbimbolaFisher1
 
Cyber Threat Intelligence - It's not just about the feeds
byIain Dickson
 
Threat Hunting Report
byMorane Decriem
 
Osint presentation nov 2019
byPriyanka Aash
 
NMap
byPritesh Raka
 
Cyber threat intelligence: maturity and metrics
byMark Arena
 
Cyber Threat Intelligence | Information to Insight
byDeep Shankar Yadav
 
OSINT: Open Source Intelligence gathering
byJeremiah Tillman
 
Threat hunting 101 by Sandeep Singh
byOWASP Delhi
 
Global Cyber Threat Intelligence
byNTT Innovation Institute Inc.
 
Windows logging cheat sheet
byMichael Gough
 
Hunting Lateral Movement in Windows Infrastructure
bySergey Soldatov
 
Windows Threat Hunting
byGIBIN JOHN
 

Viewers also liked

PDF
Cyber Threat Intelligence
bymohamed nasri
 
PDF
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...
byAlex Pinto
 
PDF
Ducky USB - Indicators of Compromise (IOCs)
byBrent Muir
 
PDF
Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing
byAlex Pinto
 
PDF
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
byAlex Pinto
 
PPTX
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
byAlex Pinto
 
PDF
BSidesLV 2013 - Using Machine Learning to Support Information Security
byAlex Pinto
 
PDF
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
byLiang Chen
 
PDF
Finite elements for 2‐d problems
byTarun Gehlot
 
PDF
Beyond Matching: Applying Data Science Techniques to IOC-based Detection
byAlex Pinto
 
PDF
11 x1 t16 05 volumes (2013)
byNigel Simmons
 
PDF
11 x1 t16 02 definite integral (2013)
byNigel Simmons
 
PPTX
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
byNorth Texas Chapter of the ISSA
 
PPTX
Graphing inverse functions
byTarun Gehlot
 
PDF
Finite elements : basis functions
byTarun Gehlot
 
PPT
The beauty of mathematics
byTarun Gehlot
 
PDF
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
byAlex Pinto
 
PPTX
Tarea seminario 3
bycarsuro25
 
PDF
Cyber Threat Intelligence: Who is Targeting your Information?
byControl Risks
 
PDF
11 x1 t01 03 factorising (2014)
byNigel Simmons
 
Cyber Threat Intelligence
bymohamed nasri
 
From Threat Intelligence to Defense Cleverness: A Data Science Approach (#tid...
byAlex Pinto
 
Ducky USB - Indicators of Compromise (IOCs)
byBrent Muir
 
Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing
byAlex Pinto
 
Secure Because Math: A Deep-Dive on Machine Learning-Based Monitoring (#Secur...
byAlex Pinto
 
Data-Driven Threat Intelligence: Useful Methods and Measurements for Handling...
byAlex Pinto
 
BSidesLV 2013 - Using Machine Learning to Support Information Security
byAlex Pinto
 
Poc2015 os x_kernel_is_as_strong_as_its_weakest_part_liang_shuaitian
byLiang Chen
 
Finite elements for 2‐d problems
byTarun Gehlot
 
Beyond Matching: Applying Data Science Techniques to IOC-based Detection
byAlex Pinto
 
11 x1 t16 05 volumes (2013)
byNigel Simmons
 
11 x1 t16 02 definite integral (2013)
byNigel Simmons
 
NTXISSACSC2 - The Role of Threat Intelligence and Layered Security for Intrus...
byNorth Texas Chapter of the ISSA
 
Graphing inverse functions
byTarun Gehlot
 
Finite elements : basis functions
byTarun Gehlot
 
The beauty of mathematics
byTarun Gehlot
 
Applying Machine Learning to Network Security Monitoring - BayThreat 2013
byAlex Pinto
 
Tarea seminario 3
bycarsuro25
 
Cyber Threat Intelligence: Who is Targeting your Information?
byControl Risks
 
11 x1 t01 03 factorising (2014)
byNigel Simmons
 

Similar to Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)

PPTX
Threat hunting for Beginners
bySKMohamedKasim
 
PDF
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
byElasticsearch
 
PPTX
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
bylior mazor
 
PDF
Wm4
byUmang Patel
 
PDF
OSMC 2023 | Know your data: The stats behind your alerts by Dave McAllister
byNETWAYS
 
PDF
Know Your Data: The stats behind your alerts
byAll Things Open
 
PPT
Data Mining
byshrapb
 
PDF
Ethical hacking
byKhairi Aiman
 
PDF
Intro to Python for Data Science
byTJ Stalcup
 
PDF
Cyber Threat Ranking using READ
byZachary S. Brown
 
PDF
Just the basics_strata_2013
byKen Mwai
 
PDF
ethical Hack
byViggi Unbeaten
 
PDF
Wm4
byUmang Patel
 
PPTX
Eating the elephant
byRamece Cave
 
PDF
BSides Lisbon - Data science, machine learning and cybersecurity
byTiago Henriques
 
PPT
Lecture1
bysumit621
 
PPTX
Musings of kaggler
byKai Xin Thia
 
PPTX
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
byDefCamp
 
PDF
Securerank ping-opendns
byPing Yan
 
PDF
Implementation of Secured Network Based Intrusion Detection System Using SVM ...
byIRJET Journal
 
Threat hunting for Beginners
bySKMohamedKasim
 
Threat Hunting with Elastic at SpectorOps: Welcome to HELK
byElasticsearch
 
The Hacking Game - Think Like a Hacker Meetup 12072023.pptx
bylior mazor
 
Wm4
byUmang Patel
 
OSMC 2023 | Know your data: The stats behind your alerts by Dave McAllister
byNETWAYS
 
Know Your Data: The stats behind your alerts
byAll Things Open
 
Data Mining
byshrapb
 
Ethical hacking
byKhairi Aiman
 
Intro to Python for Data Science
byTJ Stalcup
 
Cyber Threat Ranking using READ
byZachary S. Brown
 
Just the basics_strata_2013
byKen Mwai
 
ethical Hack
byViggi Unbeaten
 
Wm4
byUmang Patel
 
Eating the elephant
byRamece Cave
 
BSides Lisbon - Data science, machine learning and cybersecurity
byTiago Henriques
 
Lecture1
bysumit621
 
Musings of kaggler
byKai Xin Thia
 
Needles, Haystacks and Algorithms: Using Machine Learning to detect complex t...
byDefCamp
 
Securerank ping-opendns
byPing Yan
 
Implementation of Secured Network Based Intrusion Detection System Using SVM ...
byIRJET Journal
 

Recently uploaded

PDF
Sky High Insights: AWS Data Mesh That Unified 100 Databases for Airline Excel...
byBojan Sovilj
 
PPTX
PPT on Introduction to Data Science.pptx
bygohadcompsci
 
PPTX
Agentic AI Presentation | PowerPoint Presentation | Generative AI | Artificia...
bySiddharth Ghosh
 
PPTX
Q3-RESEARCH II -1.pptxWWWWWWWWWWWWWWWWWWW
byJoewelsonMherLimos
 
PPTX
Computer Fundamentals-1_9facced54627132ad872ee2f20e2bd86.pptx
bysagewrites13
 
PDF
Yellow and Black Futuristic Cloud Computing Presentation.pdf
byrenuanas786
 
PDF
Yellow and Black Futuristic Cloud Computing Presentation.pdf
byrenuanas786
 
PPTX
aaaaaaaaaaaaaaaaaaaaaCloud Computing.pptx
byYashAggarwal233278
 
PDF
3-5-Measures-of-Variability-Ungrouped.pd
bysheineencarnacion
 
PDF
Introduction to Get Google Voice Accounts.pdf
byhttps://topsellerit.com/product/buy-verified-paypal-accounts/
 
PPTX
Smart-PLS_Notes_28_12_2021 in a Nutshell
byKN36 Slideshare - Khuyennong36.Com
 
PPTX
Software Installation manual stata .pptx
byMerajAhmad38409
 
PPTX
Asset Tokenization in Blockchain123.pptx
byrevathi148366
 
PPTX
DM Session 2 Websites_Lecture-1A-Intro-to-websites.pptx
byphdmb1006824
 
PPTX
mangai ppt test 4.pptx PROJECT PHD PRESENTATION FOR DOCTRATE.....
byvetrivendan7177
 
PPTX
acute pancreatitis.pptxnmnmnklnkmm,,mm,d
byPB2013DhanashreeNaik
 
PPTX
RAJAGOPALAN ppt of ai and research in architecture of the clg
byVinod Deenathayalan
 
PDF
How Fashion & Apparel Brands Use Web Scraping for Trend Forecasting.pdf
by3i Data Scraping
 
PPTX
Social_Work_DIASS_Presentation.pptx owner
byalcontinjuvy82
 
PPTX
GROUP20720-20SCIENCE20THE20GALAXY203-2.pptx
bycasinoruxlloydjude
 
Sky High Insights: AWS Data Mesh That Unified 100 Databases for Airline Excel...
byBojan Sovilj
 
PPT on Introduction to Data Science.pptx
bygohadcompsci
 
Agentic AI Presentation | PowerPoint Presentation | Generative AI | Artificia...
bySiddharth Ghosh
 
Q3-RESEARCH II -1.pptxWWWWWWWWWWWWWWWWWWW
byJoewelsonMherLimos
 
Computer Fundamentals-1_9facced54627132ad872ee2f20e2bd86.pptx
bysagewrites13
 
Yellow and Black Futuristic Cloud Computing Presentation.pdf
byrenuanas786
 
Yellow and Black Futuristic Cloud Computing Presentation.pdf
byrenuanas786
 
aaaaaaaaaaaaaaaaaaaaaCloud Computing.pptx
byYashAggarwal233278
 
3-5-Measures-of-Variability-Ungrouped.pd
bysheineencarnacion
 
Introduction to Get Google Voice Accounts.pdf
byhttps://topsellerit.com/product/buy-verified-paypal-accounts/
 
Smart-PLS_Notes_28_12_2021 in a Nutshell
byKN36 Slideshare - Khuyennong36.Com
 
Software Installation manual stata .pptx
byMerajAhmad38409
 
Asset Tokenization in Blockchain123.pptx
byrevathi148366
 
DM Session 2 Websites_Lecture-1A-Intro-to-websites.pptx
byphdmb1006824
 
mangai ppt test 4.pptx PROJECT PHD PRESENTATION FOR DOCTRATE.....
byvetrivendan7177
 
acute pancreatitis.pptxnmnmnklnkmm,,mm,d
byPB2013DhanashreeNaik
 
RAJAGOPALAN ppt of ai and research in architecture of the clg
byVinod Deenathayalan
 
How Fashion & Apparel Brands Use Web Scraping for Trend Forecasting.pdf
by3i Data Scraping
 
Social_Work_DIASS_Presentation.pptx owner
byalcontinjuvy82
 
GROUP20720-20SCIENCE20THE20GALAXY203-2.pptx
bycasinoruxlloydjude
 

Measuring the IQ of your Threat Intelligence Feeds (#tiqtest)

  • 1.
    Measuring  the  IQ  of  your  Threat   Intelligence  Feeds  (#TIQtest)   Alex  Pinto   MLSec  Project     @alexcpsec   @MLSecProject! Kyle  Maxwell   Researcher   @kylemaxwell!
  • 2.
    Alex  Pinto   • Science  guy  at  MLSec  Project   •  ML  trainer   •  Network  security  aficionado     •  Tortured  by  SIEMs  as  a  child   •  Hacker  Spirit  Animal™:   CAFFEINATED  CAPYBARA! whoami(s)   Kyle  Maxwell   •  Researcher  at  [REDACTED]   •  Math  Smuggler   •  Recovering  Incident  Responder   •  GPL  zealot   •  Hacker  Spirit  Animal™:   AXIOMATIC  ARMADILLO! (hUps://secure.flickr.com/photos/kobashi_san/)   (hUp://www.langorigami.com/art/gallery/ gallery.php?tag=mammals&name=armadillo)  
  • 3.
    •  Threat  Intel  102   •  Measuring  Intelligence   •  Data  Preparaaon   •  Tesang  the  Data   •  Tools:   •  COMBINE   •  TIQ-­‐TEST   •  Some  parang  ideas   Agenda   (hUp://www.savagechickens.com/2008/12/iq-­‐test.html)  
  • 4.
    Threat  Intel  102:  Capability  and   Intent   •  What  are  they  able  to  do?   •  What  are  they  intending  to  do?!
  • 5.
    Threat  Intel  102:  Cage  Matches   •  Signatures  vs  Indicators   •  Data  vs  Intelligence   •  Tacacal  vs  Strategic   •  Atomic  vs  Composite  
  • 6.
    Threat  Intel  102:  Pyramid  of  Pain   “Simple”  and  “easy”  aren’t  always   (David  Bianco  –  Pyramid  of  Pain)  
  • 7.
    What  about  IP  addresses?   •  Approximately  same  value  as  hostnames  (APT  vs  DGA)   •  Finite  resource  (unal  IPv6,  that  is)   •  Managed  /  controlled  by  orgs   •  Difficulty  /  economic  incenaves  /  implied  “cost”   •  Also,  recyclable     (hUps://xkcd.com/865/)  
  • 8.
    Given  IP  addresses  harvested  from   TI  feeds,  can  we  measure  how   much  they  “help”  our  defense   metrics?!
  • 9.
    Introducing  TIQ-­‐TEST   • All  these  tests  are  available  as  R  funcaons  at     •  hUps://github.com/mlsecproject/aq-­‐test   •  Have  fun,  prove  me  wrong,  suggest  stuff   •  Tools  that  implement  those  tests   •  Sample  data  +  R  Markdown  file   •  The  excuse  to  learn  a  staasacal  language  you  were  waiang   for!  
  • 10.
    Data  Sources  –  Types  of  data   •  Extract  the  “raw”  informaaon  from  indicator  feeds   •  Both  IP  addresses  and  hostnames  were  extracted  
  • 11.
    Data  Sources  –  Feeds  Selected   •  Data  was  separated  into  “inbound”  and  “outbound”  
  • 12.
    Data  PreparaLon  and  Cleansing   •  Convert  the  hostname  data  to  IP  addresses:   •  Acave  IP  addresses  for  the  respecave  date  (“A”  query)   •  Passive  DNS  from  Farsight  Security  (DNSDB)   •  We  removed  non-­‐public  IPs  from  the  dataset  (RFC1918)     •  Yeah,  we  know  it  is  a  “parking  technique”   (hUps://xkcd.com/742/)  
  • 13.
    Data  PreparaLon  and  Cleansing   •  For  each  IP  record  (including  the  ones  from  hostnames):   •  Add  asnumber  and  asname  (from  MaxMind  ASN  DB)   •  Add  country  (from  MaxMind  GeoLite  DB)   •  Add  rhost  (again  from  DNSDB)  –  most  popular  “PTR”   •  The  experiments  will  be  around  ASNs  and  Geolocaaon  
  • 14.
    Data  PreparaLon  and  Cleansing   •  However,  we  will  NOT  be  using  maps.  Just  let  it  go.  
  • 15.
    Data  PreparaLon  and  Cleansing   •  Small  enriched  sample:!
  • 16.
    TesLng  the  Data   •  Let’s  generate  some  interesang  metrics:   •  NOVELTY  –  How  oxen  do  they  update  themselves?   •  OVERLAP  –  How  do  they  compare  to  what  you  got?   •  POPULATION  –  what  is  in  them  anyway?   •  Populaaon  is  tricky:   •  Could  mean  the  enare  world  (all  IPv4  space)   •  Should  ideally  mean  YOUR  world  
  • 17.
    But  WHAT  IS  THE  IQ?!??1?   •  We  will  withhold  judgment   •  The  best  data  composiaon  is  the  best  one  for  you   •  We  will  do  our  best  to  explain  results  so  you  can  decide.   •  Maybe  on  further  (or  more  private)  research…      
  • 18.
    Novelty  Test  –  measuring  added   and  dropped  indicators!
  • 19.
  • 20.
  • 21.
    Overlap  Test  –  More  data  is  beUer,   but  make  sure  it  is  not  the  same   data!
  • 22.
  • 23.
  • 24.
  • 25.
    PopulaLon  Test   • Let  us  use  the  ASN  and   GeoIP  databases  that  we   used  to  enrich  our  data  as  a   reference  of  the  “true”   populaaon.     •  But,  but,  human  beings  are   unpredictable!  We  will   never  be  able  to  forecast   this!      
  • 28.
    Can  we  get  a  beSer  look?   •  Don’t  like  squinang  either   •  Staasacal  inference-­‐based  comparison  models   (hypothesis  tesang)   •  Exact  binomial  tests  (when  we  have  the  “true”  pop)   •  Chi-­‐squared  proporaon  tests  (similar  to   independence  tests)    
  • 29.
    Can  we  get  a  beSer  look?   •  We  can  beUer  esamate,  with  confidence  intervals,  our   measures  of  error.   •  Also,  p-­‐values!  (with  apologies  to  Alex  HuUon)   •  We  promise  to  be  very  conservaave  in  using  them.    
  • 31.
    Hacker  Spirit  Animal™  Guide   •  US  –  Eagle   •  CA  –  Moose   •  FR  –  Frog   •  GB  –  Bulldog   •  AU  –  Koala   •  BR  –  Capybara  /  Toucan   •  Texas  –  Armadillo   •  Disclaimer:  we  do  not  endorse  Geolocaaon-­‐based  aUribuaon  
  • 32.
  • 35.
    Introducing  COMBINE   • Harvesang  feeds   takes  some  work.   •  Most  of  us  let   somebody  else  do  it   without  thinking   about  what  it   actually  takes.  
  • 36.
  • 37.
    Introducing  COMBINE   • Components:   1.  Reaper  gathers  the  threat  data  directly  from  feeds.   2.  Thresher  normalizes  it  into  a  simplisac  data  model.   3.  Winnower  opaonally  performs  basic  validaaon  or   enrichment.   4.  Baler  transforms  the  data  into  CybOX,  CSV,  JSON,  and   CIM.  (Only  CSV  and  JSON  work  right  now).  Could  also   write  others  fairly  easily.  (nudge  nudge,  wink  wink)  
  • 38.
    Introducing  COMBINE   • Always  trying  to  feed   it  more.  Lots  of   possibiliaes,   including  your  own   data  sources.   •  We  clearly  do  NOT   endorse  any  included   feeds.    
  • 39.
    Introducing  COMBINE   • Enrichments  -­‐  think   metadata.     •  AS,  geolocaaon   •  DNS  resoluaons   courtesy  of  Farsight   DNSDB     •  Ask  them  for  an   API  key  to  test  it,  tell   them  Alex  Pinto   sent  you  ;)    
  • 40.
    MLSec  Project   • Both  projects  have  been  released  as  GPLv3  by  MLSec  Project   •  Will  replace  the  internal  versions  we  have  on  the  main  code     •  Looking  for  paracipants  and  data  sharing  agreements   •  Liked  TIQ-­‐TEST?  We  can  benchmark  your  private  feeds  using   these  and  other  techniques     •  Visit  hSps://www.mlsecproject.org  ,  message  @MLSecProject   or  just  e-­‐mail  me.!
  • 41.
    Take  Aways   • Analyze  your  data.     •  Extract  value  from  it!   •  Try  before  you  buy!  Different  test   results  mean  different  things  to   different  orgs.   •  Use  the  tools!  Suggest  new  tests!   •  Share  data  with  us!  We  take  good   care  of  it,  make  sure  it  gets   proper  exercise.    
  • 42.
    Thanks!   •  Q&A?   •  Feedback!   Alex  Pinto     @alexcpsec   @MLSecProject   ”The  measure  of  intelligence  is  the  ability  to  change."                  -­‐  Albert  Einstein     Kyle  Maxwell   @kylemaxwell