5. Threat Intelligence derived alerts showing the nature of various connections
Traditional public sources / external “TI”
• Externally available threat data source lists
– Botnets, C&C systems, known malware sites, compromised URLs, DLP risks
• Regular updates / scheduled retrieval
• Different sources/feeds used for different purposes
• Detection of:
– Communication with suspicious/risky hosts/domains
– Data exfiltration risks
– Etc.
6. Traditional public sources / external “TI”
• Emerging Threats – Raw IP list
– C&C servers (Shadowserver)
– Spam nets (Spamhaus)
– Top Attackers (Dshield)
– Compromised IP addresses
• Abuse.ch
– SSLBL IP Blacklist
– ZeuS Tracker
– Palevo Tracker
– SpyEye Tracker
• Malc0de – IP blacklist
• URLBlacklist.com
• Malware domains
• Threat Expert
• Norse
Plus various commercial sources
7. Geo-location is useful – both external (risky locations) and internal (sensitive sites)
Geo-location Visualisation
• Display or reference to GeoIP information
• Risk locations/attack sources used in security decisions
• Additionally, WHOIS and DNS information is useful
Getting to this information quickly in the decision-making process is key
8. Defence sector – Real example
• Defence customers are major users of Threat Intelligence
• Intelligence agencies provide threat information to Defence network administrators
• Reference data used to raise real-time alerts of suspicious network traffic
• Information from alerts subsequently adds to their internal threat intelligence reference data
– i.e. Observed incidents create “new” TI that automatically adds to the reference data set
9. Internal Security Intelligence
• Creation of bespoke/local Threat Intelligence
– Manual or Automated
• Particular value in MSSPs
– Leverage threat observations across customers
• Better decision making in context of “real”, observed threats
10. Government sector use case
• Suspicious network/IP addresses received from intelligence agency
• Post-analyse logs for traffic to/from those addresses
1. Suspicious hosts data set (high risk destinations)
2. Predefined reports use data for analysis
Threat intelligence MATCHED WITH Observed activity and traffic
• Minimal operational workload
• Data automatically updated in the background
• Scheduled, automated, pre-defined processes
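The matching step described in slides 8 and 10 (intelligence-agency indicators matched against observed traffic, with each hit feeding back into a local reference set), as an added example that is not from the original deck. The feed entries, log lines and exfiltration threshold are all constructed for illustration, not real indicators.

```python
import ipaddress
from collections import Counter

# Constructed (not real) feed data: indicator (IP, CIDR or domain) -> (feed, meaning).
FEEDS = {
    "198.51.100.23": ("cnc-feed", "communication with C&C server"),
    "203.0.113.0/24": ("attacker-feed", "traffic from known attacker range"),
    "malware.example": ("domain-feed", "contact with known malware site"),
}
# Constructed log lines: timestamp src_ip dst_ip dst_host bytes_out
LOGS = [
    "2024-05-01T10:00:01 10.0.0.5 198.51.100.23 - 120",
    "2024-05-01T10:00:02 203.0.113.77 10.0.0.8 - 40",
    "2024-05-01T10:00:03 10.0.0.5 192.0.2.9 malware.example 98000",
    "2024-05-01T10:00:04 10.0.0.9 192.0.2.10 update.example 300",
]
EXFIL_BYTES = 50_000  # constructed threshold for a large outbound transfer

def load_feeds(feeds):
    """Split indicators into IP networks (containment checks) and domains."""
    nets, domains = [], {}
    for ind, meta in feeds.items():
        try:
            nets.append((ipaddress.ip_network(ind, strict=False), meta))
        except ValueError:
            domains[ind.lower()] = meta
    return nets, domains

def lookup(ip, host, nets, domains):
    # Return (feed, meaning) if the IP or host hits any indicator, else None.
    addr, h = ipaddress.ip_address(ip), host.lower()
    hit = next((m for net, m in nets if addr in net), None)
    return hit or next((m for d, m in domains.items() if h == d or h.endswith("." + d)), None)

def match_logs(lines, feeds):
    """Raise one alert per TI hit; count sightings as local (internal) TI."""
    nets, domains = load_feeds(feeds)
    alerts, sightings = [], Counter()
    for line in lines:
        ts, src, dst, host, out = line.split()
        direction, meta = "outbound", lookup(dst, host, nets, domains)
        if meta is None:  # no hit on the destination: check the source
            direction, meta = "inbound", lookup(src, "-", nets, domains)
        if meta is None:
            continue
        feed, reason = meta
        if direction == "outbound" and int(out) >= EXFIL_BYTES:
            reason += "; possible data exfiltration"
        alerts.append((ts, direction, src, dst, feed, reason))
        # The external IP seen in the hit (e.g. what a listed domain resolved to)
        # becomes a locally observed indicator in the internal reference set.
        sightings[dst if direction == "outbound" else src] += 1
    return alerts, sightings
```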
11. Detection and Resolution
Apply Security Intelligence during resolution
• When an attack occurs, specific information relating to the threat is vital
• More than just log/event/activity data
– System configurations/registry
– Changes to affected systems files
– Network traffic/connections
– Other behaviour
• Malware - Specific example
– Network sessions/connection patterns
– Known effects of specific malware activity within file system and registry
13. Applying Security Intelligence
• Meaningful threat intelligence involves all available security data – internal and external – to give context
• Automatic identification of known attacks and threats needs to happen in real-time
• Intelligence is vital for both detection AND during the diagnosis and investigation of cyber attacks
• Dealing with false positives efficiently means having processes and tools that rapidly provide understanding of threats and confident resolution
Speed and Accuracy are key to Cyber Resilience