Topic: Threat Intelligence Ops In-Depth at Massive Enterprise Source: Massive Data Analytic Session of ISC2019 Author: Jeremy Li of Meituan-Dianping Inc.

1. Threat Intelligence Ops In-Depth
at Massive Enterprise
Jeremy Li – Information Security Dept. of Meituan Inc.

2. Intro
• Id: e1knot
• System Infrastructure Security Team of Meituan Inc.
• Systems of Threat Intelligence and Security Awareness Capabilities
• 4-Year+ Threat Intelligence Analytic and Operation Experience
• Speakers at ISC2017, DEFCON China, etc.

3. Agenda
• Threat Types of Systems in Massive Enterprise
• Threat Intelligence Capability Building
• Evaluate Threat Intelligence Capability
• Life-Cycle, Systems and Operation of Threat Intelligence
• Coda

4. Threat Types at Systems in Massive Enterprise
• Massive Business Data: 1B+ Page Views in Core Systems
• Large Business Scale: 1M+ Apps in Systems, 100M+ Lines in Code Repo
• Massive Assets: 1M+ Endpoints, IDC Servers, Software
• Massive Assets Types: 100K+ Types of Middle-Wares and Components
• Massive Alerts: 10K+ Alarms from Different Security Assets
• Situation of Enterprise Security: Incidents with Massive Security Cost

5. Threat Types at Systems in Massive Enterprise
Components
Vuls
Trojan,
Worm,
Botnets
Configs
Corruption
X-Day
Vuls
System Vuls
Logic Vuls
Credentials
Leaked
ACLs Invalid
POI/UGC
Spider
Employee
Compromise
Cheats
App Tamper
Infrastructure System Business System Business Data Grids

6. Threat Intelligence Capability Building
• Solutions can solve your security
problems?
• Threat Intelligence running well
on your Security Infrastructure?
• Threat Intelligence Groups
OKRs/KPIs?

7. Hurts of Threat Intelligence Operation
Fake
Intelligence
Information
Asymmetry
Useless
Intelligence
Information
Lag

8. Threat Intelligence Capability Building
Roles of Threat Intelligence in Enterprise Security?

9. Threat -> TI -> TI Capability
Ability to provide effective and reliable message type or knowledge type data for discovering
potential or emerging threats (including but not limited to business data, systems and infrastructure),
and the data can be highly automated closed-loop processing capability through secure operations For
threat intelligence capabilities, the data provided is called threat intelligence.
—— A Horizon
Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators,
implications and actionable advice, about an existing or emerging menace or hazard to assets that can
be used to inform decisions regarding the subject's response to that menace or hazard.
—— Gartner（2013）

10. Evaluate Threat Intelligence Capability
Low
Latency
High
Accuracy
Full
Operated
Closed-
Loop
• Intelligence
Synchronized asap
• Intelligence Full-
Operated &
Automation Rate
• Intelligence Data
Grids/Channels
Reliable, Confidence,
Integrity
• High Accuracy
Algorithm
• FINTELs Quality
• Providing Instructions
& Functions
• Compatible Methods
for Intelligence Ops
• TODOs & Cases Study
• Improve FINTELs
Quality
FINTEL is for Final Intelligence

11. Evaluate Threat Intelligence Capability
Data Grids Production Platforms Operators
Threat Intelligence Components

12. Threat Intelligence Architecture Building
• 1- Arch：A Threat Intelligence Architecture Compatible with Existing Security System
• 2- Platforms：Notification Platform(MT-Radar) & Management Platform(MT-Nebula)
• 3- Data Grids：Internet Assets Signatures, Vulnerabilities Database, OSINTs
• 4- Channels：HUMINT, Auto-Gathering, 3rd-Party Services, Security Response Center
Intelligence Required!

13. Threat Intelligence Operation Life-Cycle
Intelligence Proposal
•Evaluation
Methods
•Ops Strategy
•Continuity Ops
•Access
Requirements
•Output Methods
Intelligence
Gathering & Analytic
•Data Integrity
•Intelligence
Modeling
•FINTEL
Requirement
•Adjustments &
Refinements
•ML?
Intelligence Delivery
& Operation
•Closed-Loop
Method
•Ops Data
Collection
•Valid FINTELs
•Standard
•Alarms Interactive
Cases Study &
TODOs
•FINTEL Quality
•Problems
Solutions
•Security Special
Items
•DevSecOps
Refinement

14. Threat Intelligence Arch Capability Matrix
TIMC is short for Threat Intelligence Management Center.
Internal
Data
IOC
Black
Channel
Vuls Info OSINTData Grids
Internal Log Sets Threat Intelligence Processing/Aggregation/ProductionProcess
Analytic TI Production Algorithm FINTEL Refinements Adjustment Weight
Operation TI Cases Study
Delivery &
Notification
TI Open Capability Platform
Threats Demands and
Analytics
Data Grids Demands and
Analytics
Response and Closed-
Loop MethodsTI Plans
APIs
MT-Radar
Issue Tickets
TIMC
(MT-Nebula)
HUMINT
Operations
Net-
Disk/GitHub
PDNS

15. Threat Intelligence Gathering & Analytic
OSINT
(Include IOC)
NetDisk/GitHub/
Pastebin
Black Information
Sharing Channel
HUMINT/SRC
Pre-Processing
Key Information
Gathering
Intelligence
Recognition
FINTEL
Refinement
FINTEL Delivery
Pre-Processing TI Data Grids FINTEL Refinements & Optimized Operation
TI Consume
Incident Response
& Recovery
Threat Intelligence Production Model
Real-Time
Compute
Offline
Compute
NLP/OCR
ML
MQ
TI Production Rules Refinements
Datasets
Hybridization

16. Threat Intelligence Gathering & Analytic
• Threat Intelligence Data Grids Contain Network Signature/OSINT DB/Black
Trades Channels
• Fetch Intelligence Entities from Intelligence Data Grids in Using
ML/NLP/OCR
• Optimize & Refine FINTELs for Security Operation
• FINTEL Must be Checked by 3rd Teams for Making Sure of Availability &
Loop-Cycled

17. Threat Intelligence Operation & Delivery
• FINTEL Delivery Rules：
– Highly Readable Contents
– Full Elements for Assessment
– Solutions Provided
– Affections Contained!
– Instructions for Operation

18. Threat Intelligence Notifications & Responses
Threat
Intelligence
Assets
Management
Code Audit
IDS/IDP
Security
Awareness
WAF/FirewallRisks Management SOC
EDR

19. THANK YOU
2019.8.20