Presentation on theme: "Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1."— Presentation transcript:
Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1
Who am I? Infosec Professional for 16 years Former roles include: – Penetration tester – Consultant – Engineer – Policy manager – Product manager – People manager For the past 7 years I have been focusing on the problem of integrating intelligence into security The availability of Big Data science and tools has changed the nature of the game…
Historical Use of Threat intelligence Military/LEO – Used as part of the investigative process – Being used to prevent action and outflank attackers Commercial – Historical: Collection – Today: Correlation – Evolution: Prevention
What is Threat Intelligence? It’s not data It’s not artifacts or indicators It’s not logs or events or incidents … It’s a combination of all the things you know It is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
Three Axioms of solving a security problem The optimal place to solve a security problem – Is never where you found it. – Corollary: And the information for the solution is never in the right form. If it’s happening to you today, – Then it happened to someone else yesterday, and will happen to someone else tomorrow – Corollary: And you probably don’t know them After you figure out what has happened – You’ll find plenty of signs that could have told you it was coming – Corollary: But not all of the signs are in cyberspace, nor available to cyberdefenders 5 Tony Sager, Chief technologist Council on Cyber Security How do you look at Security Problems
Easier said than done… We need to combine events to determine what is related first. For every intrusion event there is an adversary taking a step towards an intended goal by leveraging a particular capability over infrastructure against a victim to produce a result.
A Diamond Event Event AdversaryCapabilityVictimInfrastructure Meta Features Timestamp Phase Result Direction Methodology Resources
The Adversary Adversary Operator Adversary Customer There exists a set of adversaries (insiders, outsiders, individuals, groups, and organizations) which seek to compromise computer systems or networks to further their intent and satisfy their needs.
Capability Capability Capacity Adversary Arsenal Command and Control The capability feature describes the tools or techniques of the adversary used in the event and includes all means to affect the victim from the most manual “unsophisticated” methods (e.g., manual password guessing) to the most sophisticated automated techniques.
Infrastructure Type 1 Type 2 Service Provider The infrastructure feature describes the physical and/or logical communication structures the adversary uses to deliver a capability, maintain control of capabilities (e.g., command-and-control/C2), and effect results from the victim (e.g., exfiltrate data)..
Victim Victim Persona Victim Asset A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used.
Building a diamond event Typically you don’t have all of the items above You need to generate these items using analytic process. Traditionally we would use technical indicators to identify attack and exploitation By correlating that information to known infrastructure leveraged by adversaries you can pivot back to the typical victim and vulnerabilities exploited
Storage of information Database of common intelligence terms and structures Use languages like STIX, TAXII, etc. to more easily share intelligence through community partnerships Create meta data tagging systems for your intelligence
Further Reading Gartner’s definition on Threat Intelligence Anything by Tony Sager (The three laws are his….) Lockheed Martin Paper on the Attack and Kill Chain in Cyberspace Harvard paper on Asymmetrical Attacks in Cyberspace