DATA-DRIVEN THREAT INTELLIGENCE: METRICS ON INDICATOR DISSEMINATION AND SHARING
Alexandre Sieira
Alex Pinto
Agenda
• Cyber War… Threat Intel – What is it good for?
• Combine and TIQ-test
• Measuring indicators
• Threat Intelligence Sharing
• Future research direction (i.e. will work for data)
HT to @RCISCwendy
Presentation Metrics!!
50-ish Slides
3 Key Takeaways
2 Heartfelt and genuine defenses of Threat Intelligence Providers
1 Prediction on “The Future of Threat Intelligence Sharing”
What is TI good for (1) Attribution
What is TI good for anyway?
TY to @bfist for his work on http://sony.attributed.to
What is TI good for (2) – Cyber Maps!!
TY to @hrbrmstr for his work on
https://github.com/hrbrmstr/pewpew
What is TI good for anyway?
• (3) How about actual defense?
• Strategic and tactical: planning
• Technical indicators: DFIR and monitoring
Affirming the Consequent Fallacy
1. If A, then B.
2. B.
3. Therefore, A.
1. Evil malware talks to 8.8.8.8.
2. I see traffic to 8.8.8.8.
3. ZOMG, APT!!!
But this is a Data-Driven talk!
Combine and TIQ-Test
• Combine (https://github.com/mlsecproject/combine)
• Gathers TI data (ip/host) from Internet and local files
• Normalizes the data and enriches it (AS / Geo / pDNS)
• Can export to CSV, “tiq-test format” and CRITs
• Coming Soon™: CybOX / STIX / SILK /ArcSight CEF
• TIQ-Test (https://github.com/mlsecproject/tiq-test)
• Runs statistical summaries and tests on TI feeds
• Generates charts based on the tests and summaries
• Written in R (because you should learn a stat language)
https://github.com/mlsecproject/tiq-test-Summer2015
Using TIQ-TEST – Feeds Selected
• Dataset was separated into “inbound” and “outbound”
TY to @kafeine and John Bambenek for access to their feeds
Using TIQ-TEST – Data Prep
• Extract the “raw” information from indicator feeds
• Both IP addresses and hostnames were extracted
Using TIQ-TEST – Data Prep
• Convert the hostname data to IP addresses:
• Active IP addresses for the respective date (“A” query)
• Passive DNS from Farsight Security (DNSDB)
• For each IP record (including the ones from hostnames):
• Add asnumber and asname (from MaxMind ASN DB)
• Add country (from MaxMind GeoLite DB)
• Add rhost (again from DNSDB) – most popular “PTR”
Using TIQ-TEST – Data Prep Done
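As an added illustration of the data prep steps above (not code from Combine or TIQ-test), here is a small Python version of the hostname-to-IP conversion and enrichment. The pDNS, PTR, ASN and GeoIP tables are constructed stand-ins for DNSDB and the MaxMind databases, and the non-public filter follows the talk's removal of localhost and RFC1918 space.

```python
import ipaddress

# Constructed sample feed entries as (report date, raw indicator); not real IOCs.
FEED = [
    ("2015-03-01", "malicious.example"),
    ("2015-03-01", "203.0.113.10"),   # also what the hostname resolves to that day
    ("2015-03-02", "malicious.example"),
    ("2015-03-02", "10.0.0.5"),       # RFC1918, removed by the non-public filter
]
# Constructed stand-in for passive-DNS "A" answers, keyed by (hostname, date).
PDNS_A = {
    ("malicious.example", "2015-03-01"): ["203.0.113.10", "198.51.100.7"],
    ("malicious.example", "2015-03-02"): ["198.51.100.7"],
}
# Constructed stand-in for the most popular PTR name seen in pDNS that day.
PDNS_PTR = {("203.0.113.10", "2015-03-01"): "host10.example.net"}
# Constructed ASN and GeoIP prefix tables (real runs use the MaxMind databases).
ASN_DB = [("203.0.113.0/24", 64496, "EXAMPLE-AS"), ("198.51.100.0/24", 64497, "TEST-AS")]
GEO_DB = [("203.0.113.0/24", "US"), ("198.51.100.0/24", "BR")]
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def lookup_prefix(table, ip):
    """Longest-prefix match of ip against (cidr, *values) rows; None if nothing matches."""
    best = None
    for row in table:
        net = ipaddress.ip_network(row[0])
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, row[1:])
    return best[1] if best else None

def prepare(feed):
    """Turn raw feed entries into enriched, deduplicated per-date IP records."""
    records, seen = [], set()
    for date, indicator in feed:
        try:
            ips = [ipaddress.ip_address(indicator)]
        except ValueError:  # hostname: use the A records pDNS saw on the report date
            ips = [ipaddress.ip_address(a) for a in PDNS_A.get((indicator, date), [])]
        for ip in ips:
            if any(ip in net for net in NON_PUBLIC) or (date, ip) in seen:
                continue
            seen.add((date, ip))
            asn = lookup_prefix(ASN_DB, ip) or (None, None)
            geo = lookup_prefix(GEO_DB, ip) or (None,)
            records.append({"date": date, "ip": str(ip), "asnumber": asn[0],
                            "asname": asn[1], "country": geo[0],
                            "rhost": PDNS_PTR.get((str(ip), date))})
    return records
```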
Novelty Test
Measuring added and dropped
indicators
Novelty Test - Inbound
Aging Test
Is anyone cleaning this mess up eventually?
INBOUND
OUTBOUND
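An added example (not part of the original deck or of TIQ-test) of what the novelty and aging tests measure, run over constructed daily snapshots of a single feed: per-day added and dropped indicators, and how many days each indicator stayed listed before being cleaned up.

```python
from datetime import date

# Constructed daily snapshots of one feed, date -> set of indicators (not real data).
SNAPSHOTS = {
    date(2015, 3, 1): {"203.0.113.1", "203.0.113.2", "203.0.113.3"},
    date(2015, 3, 2): {"203.0.113.1", "203.0.113.2", "203.0.113.3", "203.0.113.4"},
    date(2015, 3, 3): {"203.0.113.1", "203.0.113.4", "203.0.113.5"},
    date(2015, 3, 4): {"203.0.113.1", "203.0.113.4", "203.0.113.5"},
}

def novelty(snapshots):
    """Novelty test: for each day after the first, how many indicators were
    added since the previous snapshot and how many were dropped."""
    days = sorted(snapshots)
    out = {}
    for prev, cur in zip(days, days[1:]):
        out[cur] = {"added": len(snapshots[cur] - snapshots[prev]),
                    "dropped": len(snapshots[prev] - snapshots[cur])}
    return out

def aging(snapshots):
    """Aging test: for every indicator ever listed, the number of days it was
    present and whether it is still listed on the last day (never cleaned up)."""
    days = sorted(snapshots)
    days_listed = {}
    for d in days:
        for ind in snapshots[d]:
            days_listed[ind] = days_listed.get(ind, 0) + 1
    still_listed = snapshots[days[-1]]
    return {ind: (n, ind in still_listed) for ind, n in days_listed.items()}

def summary(snapshots):
    """Mean daily additions/drops, lifetimes of indicators that were removed, and
    the share of everything ever listed that is still present at the end."""
    nov = novelty(snapshots)
    age = aging(snapshots)
    ndays = max(len(nov), 1)
    removed = sorted(n for n, alive in age.values() if not alive)
    return {
        "mean_added": sum(v["added"] for v in nov.values()) / ndays,
        "mean_dropped": sum(v["dropped"] for v in nov.values()) / ndays,
        "removed_lifetimes": removed,
        "still_listed_share": sum(alive for _, alive in age.values()) / len(age),
    }
```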
Population Test
• Let us use the ASN and GeoIP databases that we used to enrich our data as a reference of the “true” population.
• But, but, human beings are unpredictable! We will never be able to forecast this!
Is your sampling poll as random as you think?
Can we get a better look?
• Statistical inference-based comparison models (hypothesis testing)
• Exact binomial tests (when we have the “true” pop)
• Chi-squared proportion tests (similar to independence tests)
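An added example, not the R code in TIQ-test, of the exact binomial population test in Python: each country's share of a feed is compared against its share of a constructed reference population, using the two-sided rule that R's binom.test applies. Country counts and population shares are made up for the illustration.

```python
from math import exp, lgamma, log

def binom_pmf(k, n, p):
    """P(X = k) for X ~ Binomial(n, p), in log space so feeds with hundreds
    of thousands of indicators do not overflow."""
    if p <= 0.0 or p >= 1.0:  # degenerate population share
        return float(k == (n if p >= 1.0 else 0))
    return exp(lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
               + k * log(p) + (n - k) * log(1 - p))

def exact_binomial_test(k, n, p0):
    """Two-sided exact binomial p-value, same rule as R's binom.test: sum the
    probabilities of every outcome no more likely than the observed one."""
    observed = binom_pmf(k, n, p0)
    return min(1.0, sum(pr for x in range(n + 1)
                        if (pr := binom_pmf(x, n, p0)) <= observed * (1 + 1e-7)))

def population_test(feed_counts, population_share, alpha=0.05):
    """Compare each country's share of a feed with its share of the reference
    population (the GeoIP allocation table in the talk). Returns
    {country: (feed_share, population_share, p_value, verdict)}."""
    n = sum(feed_counts.values())
    results = {}
    for country, k in feed_counts.items():
        p0 = population_share[country]
        p = exact_binomial_test(k, n, p0)
        share = k / n
        if p >= alpha:
            verdict = "consistent with a random draw"
        elif share > p0:
            verdict = "over-represented"
        else:
            verdict = "under-represented"
        results[country] = (share, p0, p, verdict)
    return results

# Constructed example: country counts for 2,000 inbound indicators and a made-up
# reference share of IPv4 space per country (real values come from the GeoIP DB).
FEED_COUNTS = {"TR": 300, "US": 700, "CN": 190, "OTHER": 810}
POPULATION_SHARE = {"TR": 0.015, "US": 0.40, "CN": 0.09, "OTHER": 0.495}
```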
Overlap Test
More data can be better, but make sure it is not the same data
Overlap Test - Inbound
Overlap Test - Outbound
Uniqueness Test
Uniqueness Test
• “Domain-based indicators are unique to one list between 96.16% and 97.37%”
• “IP-based indicators are unique to one list between 82.46% and 95.24% of the time”
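An added example (not TIQ-test's own code) that covers both the overlap and uniqueness tests over constructed feeds: the asymmetric overlap matrix, the share of indicators unique to a single list, and feed pairs that mostly duplicate each other.

```python
from collections import Counter

# Constructed feeds (not real indicators): feed name -> set of indicators.
# feedD is a strict subset of feedA, the "same data twice" case.
FEEDS = {
    "feedA": {f"203.0.113.{i}" for i in range(1, 7)},
    "feedB": {f"203.0.113.{i}" for i in range(4, 10)},
    "feedC": {"203.0.113.9", "203.0.113.10"},
    "feedD": {"203.0.113.1", "203.0.113.2"},
}

def overlap_matrix(feeds):
    """overlap[a][b] = fraction of feed a's indicators that also appear in feed b.
    Deliberately asymmetric: a small feed contained in a big one scores 1.0 in
    one direction and only a sliver in the other."""
    return {a: {b: (len(sa & sb) / len(sa) if sa else 0.0) for b, sb in feeds.items()}
            for a, sa in feeds.items()}

def uniqueness(feeds):
    """Share of all distinct indicators that appear in exactly one feed, plus the
    per-indicator feed count."""
    counts = Counter(ind for s in feeds.values() for ind in s)
    unique = sum(1 for c in counts.values() if c == 1)
    return unique / len(counts), counts

def redundant_feeds(feeds, threshold=0.9):
    """Pairs (a, b) where at least `threshold` of feed a is already covered by b:
    consuming both adds volume, not coverage."""
    m = overlap_matrix(feeds)
    return [(a, b) for a in feeds for b in feeds if a != b and m[a][b] >= threshold]
```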
I hate quoting myself, but…
Key Takeaway #1
MORE != BETTER
Threat Intelligence
Indicator Feeds
Threat Intelligence
Program
Intermission
Key Takeaway #2
"These are the problems Threat Intelligence Sharing is here to solve!”
Right?
Herd Immunity, is it?
Source:
www.vaccines.gov
Herd Immunity…
… would imply that others in your sharing community being immune to malware A meant you wouldn’t get it even if you were still vulnerable to it.
Threat Intelligence Sharing
• How many indicators are being shared?
• How many members do actually share and how many just leech?
• Can we measure that? What a super-deeee-duper idea!
Threat Intelligence Sharing
We would like to thank the kind contribution of data from the fine folks at Facebook Threat Exchange and Threat Connect…
… and also the sharing communities that chose to remain anonymous. You know who you are, and we ❤ you too.
Threat Intelligence Sharing – Data
From a period of 2015-03-01 to 2015-05-31:
- Number of Indicators Shared
  • Per day
  • Per member
Not sharing this data – privacy concerns for the members and communities
MATURITY?
“Reddit of Threat Intelligence”?
'How can sharing make me better understand what are attacks that “are targeted” and what are “commodity”?'
TELEMETRY > CONTENT
Key Takeaway #3
(Also Prediction #1)
More Takeaways (I lied)
• Analyze your data. Extract more value from it!
• If you ABSOLUTELY HAVE TO buy Threat Intelligence or data, evaluate it first.
• Try the sample data, replicate the experiments:
• https://github.com/mlsecproject/tiq-test-Summer2015
• http://rpubs.com/alexcpsec/tiq-test-Summer2015
• Share data with us. I’ll make sure it gets proper exercise!
Alex Pinto
Chief Data Scientist
MLSec Project
@alexcpsec
@MLSecProject
Alexandre Sieira
CTO
Niddel
@AlexandreSieira
@NiddelCorp
“The measure of intelligence is the ability to change.”
- Albert Einstein
THANK YOU!


Editor's Notes

  • #3 During this presentation I’ll be making a quick introduction on some important concepts and our views on what threat intelligence is and the many useful things that can and cannot be done with it. Then, Mr. Pinto will present a couple of open source tools made available at the MLSec Project GitHub repository and an analysis of the metrics we gathered from a set of publicly available and private threat intelligence feeds.
  • #5 Based on what you read in the media and on some online marketing material, attribution is one of the sexiest parts about threat intelligence. If you understand your adversaries, their intent and capabilities, there is a lot you can do within your risk management and even business decisions to better prepare yourself. However, if you want to be realistic you’ll have to admit that, as in the case demonstrated here, attribution is really hard to do. This reflects both on the cost of getting good CTI data with attribution. Also it is not reasonable to expect that any significant proportion of attacks out there will be attributed at all, given the sheer amount of smaller threat actors out there.
  • #6 This is beautifully illustrated by the Sony breach controversy. So data science to the rescue! The good humored sony.attributed.to website creates plausible attribution reports for the Sony hack. It is based on data sampled from actual attacks data in the VERIS and DBIR databases consistent with how frequently threat actors, locations and methods are actually used.
  • #7 One other really common application of threat intelligence is building a threat map. After all, how else will upper management know that your team really has what it takes to prevent pandas, bears and even maybe capybaras from infiltrating your networks? Who knows what those samba-dancing Brazilian hackers are up to, after all? Fear not, now there’s an open source threat map that you can use called Pew pew. And you don’t even need to stand up your own honeypots. Pew pew displays plausible attack patterns that are sampled randomly from public data made available by Arbor Networks. So it is exactly as useful as the real thing.
  • #8 But seriously, what about using the threat intelligence data to actually defend organizations? The high level data is awesome to help with the high level decisions, of course. However, how do you go about using the technical indicators? It’s straightforward enough to pull a list of IP addresses, domain names and URLs into SIEMs or IDS rules. As Gavin Reid mentioned in his talk yesterday, this can be a great way to reduce the time it takes to detect a novel threat and bypass the detection, rule writing and policy update cycle of your sensors. However, this has to be done with great care.
  • #9 Threat intelligence feeds are mostly providing indicators of things that malware does: for example IP addresses, domain names and URLs they communicate with. Knowing this can be invaluable for all sorts of investigation and forensics activities. But we really believe the holy grail is detection. A breach detection example of the fallacy: some malware observed talking to a destination does NOT mean that all communication towards that destination is indicative of malware. Also you need to evaluate the quality and the applicability of the indicators you are consuming (and perhaps paying for) to decide which combination of sources is optimal for your organization. Now Mr. Pinto will tell you a bit about two open source projects we develop to help you perform such an evaluation.
  • #12 2014 was not a leap year. 150k outbound + 300k inbound = 450k per day; 450k X 365 -> 164,250,000 (165 MILLION)
  • #13 28 feeds
  • #15 - For the hostname / domains feeds: - We extracted the "active" IP addresses for those hostnames on the dates they were reported (using pDNS from Farsight Security) - Passive DNS query of active "A" responses on the reported day (from 00:00 to 23:59) - For this experiment, we got rid of "non-public IPs" (localhost, RFC1918) - Then for each IP record (including the ones got above) enrich it with: - asnumber and asname (from MaxMind ASN DB) - country (from MaxMind GeoLite DB) - rhost - the more popular reverse DNS entry ("PTR") from passive DNS on that date
  • #16  - Then for each IP record (including the ones got above) enrich it with: - asnumber and asname (from MaxMind ASN DB) - country (from MaxMind GeoLite DB) - rhost - the more popular reverse DNS entry ("PTR") from passive DNS on that date - we are not playing around with this on this talk, data is too sparse
  • #18 NOVELTY: Always request a trial of the data feed (15/30 days) Measure addition and churn
  • #19 OVERLAP
  • #20 OVERLAP
  • #21 OVERLAP
  • #22 POPULATION: We will use the ASN and GEO databases as our population - They should cover all the existing IPv4 space, give or take a few anomalies With this, we can simulate a draw from this population for people that are going to be attacking us because human beings are unpredictable and will never be able to forecast where the attacks are coming from right? :troll: ----- COUNTRY / ASN (graphs of country proportions on different feeds)
  • #23 Inbound – Turkey WINS! US is highly above the population average, and CN is slightly below
  • #24 ---- HYPOTHESIS TESTING OF PROPORTIONS (explain exact binom test vs. Chi-squared)
  • #25 ---- HYPOTHESIS TESTING OF PROPORTIONS (explain exact binom test vs. Chi-squared)
  • #26 -> Explain the differences - These differences describe a higher probability of specific actors targeting you from specific locations (GEO/ASN) in relation to a completely random actor. - Was one of the 1st features I used for MLSec
  • #30 Get 100 fish in a pond, tag all. Get 100 more fish – how many were tagged? 5? -> 20x more fish
  • #35 Intermission
  • #44 LARGE is 36x bigger than SMALL
  • #49 Could we be in a sharing community and not have paid feeds?