Threat Intelligence Use in Information Security: History, Theory and Practice. Tim Gallo, Cyber Security Field Engineering

Presentation transcript:

1 Threat Intelligence Use in Information Security: History, Theory and Practice
Tim Gallo, Cyber Security Field Engineering

2 Who am I?
Infosec professional for 16 years
Former roles include:
– Penetration tester
– Consultant
– Engineer
– Policy manager
– Product manager
– People manager
For the past 7 years I have been focusing on the problem of integrating intelligence into security.
The availability of Big Data science and tools has changed the nature of the game…

3 Historical Use of Threat Intelligence
Military/LEO
– Used as part of the investigative process
– Being used to prevent action and outflank attackers
Commercial
– Historical: collection
– Today: correlation
– Evolution: prevention

4 What is Threat Intelligence?
It's not data.
It's not artifacts or indicators.
It's not logs or events or incidents…
It's a combination of all the things you know.
Gartner's definition: "Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard."

5 Three Axioms of Solving a Security Problem (Tony Sager, Chief Technologist, Council on Cyber Security)
How do you look at security problems?
1. The optimal place to solve a security problem is never where you found it.
– Corollary: and the information for the solution is never in the right form.
2. If it's happening to you today, then it happened to someone else yesterday and will happen to someone else tomorrow.
– Corollary: and you probably don't know them.
3. After you figure out what has happened, you'll find plenty of signs that could have told you it was coming.
– Corollary: but not all of the signs are in cyberspace, nor available to cyber defenders.

6 The Attack Chain

7 The Kill Chain

8 Easier said than done…
Before any of this works we need to combine individual events and determine which of them are related. The model used here for doing that is the Diamond Model of Intrusion Analysis (Caltagirone, Pendergast and Betz, 2013), whose first axiom is: for every intrusion event there is an adversary taking a step towards an intended goal by leveraging a particular capability over infrastructure against a victim to produce a result.

9 A Diamond Event
Core features (the four vertices of the diamond): Adversary, Capability, Victim, Infrastructure
Meta-features of the event: Timestamp, Phase, Result, Direction, Methodology, Resources

10 The Adversary
– Adversary Operator: the actor actually carrying out the intrusion
– Adversary Customer: the party that benefits from the activity (may be the same as the operator)
There exists a set of adversaries (insiders, outsiders, individuals, groups, and organizations) which seek to compromise computer systems or networks to further their intent and satisfy their needs.

11 Capability
– Capability Capacity: the set of vulnerabilities and exposures a given capability can exploit
– Adversary Arsenal: the complete set of capabilities an adversary has available
– Command and Control: how the adversary directs the capability once deployed
The capability feature describes the tools or techniques of the adversary used in the event and includes all means to affect the victim, from the most manual "unsophisticated" methods (e.g., manual password guessing) to the most sophisticated automated techniques.

12 Infrastructure
– Type 1: infrastructure fully owned or controlled by the adversary
– Type 2: infrastructure controlled by an intermediary, often unwittingly (e.g., compromised hosts used as hop points), that appears to the victim to be the adversary
– Service Providers: organizations that, knowingly or not, provide the services the infrastructure depends on (e.g., hosting, DNS, registrars)
The infrastructure feature describes the physical and/or logical communication structures the adversary uses to deliver a capability, maintain control of capabilities (e.g., command-and-control/C2), and effect results from the victim (e.g., exfiltrate data).

13 Victim
– Victim Persona: the people and organizations being targeted
– Victim Asset: the systems, networks, accounts and data actually attacked
A victim is the target of the adversary and against whom vulnerabilities and exposures are exploited and capabilities used.

14 Building a Diamond Event
Typically you don't have all four core features for an event when it is first observed.
You need to generate the missing ones through an analytic process.
Traditionally we would use technical indicators to identify attack and exploitation activity.
By correlating that information with infrastructure already known to be used by particular adversaries, you can pivot back to the adversary, the victims they typically target and the vulnerabilities they exploit, and fill in the remaining vertices. A feature filled in by pivoting is an inference, not direct evidence, and should be recorded as such.
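The event structure and the infrastructure-centred pivot described on this slide, as an added example that is not part of the presentation. The events, host names, the actor label "actor-A" and the IP addresses (taken from the RFC 5737 documentation ranges) are all constructed for illustration; the slide describes the pivot only in prose, so the exact fields and the inference rule are this example's own choices.

```python
"""Diamond-model events and an infrastructure-centred pivot.

Added example, not code from the presentation. Every event below is
constructed: the host names, the actor label "actor-A" and the IP
addresses (RFC 5737 documentation ranges) are made up.
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

CORE_FEATURES = ("adversary", "capability", "infrastructure", "victim")


@dataclass(frozen=True)
class DiamondEvent:
    # Core features: the four vertices of the diamond. None = not yet known.
    adversary: Optional[str]
    capability: Optional[str]
    infrastructure: Optional[str]
    victim: Optional[str]
    # Meta-features
    timestamp: str          # ISO 8601 UTC, so lexical order equals time order
    phase: str              # kill-chain phase the event belongs to
    result: str             # "success", "failure" or "unknown"
    direction: str          # e.g. "adversary-to-victim", "victim-to-infrastructure"
    methodology: str = ""   # analyst's description of the general technique
    resources: Tuple[str, ...] = ()  # what the event required (tools, knowledge, ...)

    def missing_features(self) -> Tuple[str, ...]:
        """Core features the analyst still has to fill in."""
        return tuple(f for f in CORE_FEATURES if getattr(self, f) is None)


# Constructed sample events: two intrusions sharing one C2 address, plus one
# unrelated scan against a third host.
EVENTS: List[DiamondEvent] = [
    DiamondEvent(None, "macro-dropper", "203.0.113.10", "finance-ws-07",
                 "2014-03-01T09:12:00Z", "delivery", "success", "adversary-to-victim"),
    DiamondEvent(None, "rat-beacon", "203.0.113.10", "finance-ws-07",
                 "2014-03-01T09:15:00Z", "c2", "success", "victim-to-infrastructure"),
    DiamondEvent("actor-A", "rat-beacon", "203.0.113.10", "hr-ws-02",
                 "2014-02-20T14:02:00Z", "c2", "success", "victim-to-infrastructure"),
    DiamondEvent(None, "cred-dump", None, "hr-ws-02",
                 "2014-02-20T14:30:00Z", "actions-on-objectives", "success", "adversary-to-victim"),
    DiamondEvent(None, "port-scan", "198.51.100.7", "dmz-web-01",
                 "2014-03-02T01:00:00Z", "reconnaissance", "unknown", "adversary-to-victim"),
]


def pivot_infrastructure(events, indicator: str) -> Dict[str, List[str]]:
    """Infrastructure-centred pivot: start from one known piece of adversary
    infrastructure and collect every other feature observed together with it."""
    related = [e for e in events if e.infrastructure == indicator]
    return {
        "victims": sorted({e.victim for e in related if e.victim}),
        "capabilities": sorted({e.capability for e in related if e.capability}),
        "adversaries": sorted({e.adversary for e in related if e.adversary}),
        "phases": sorted({e.phase for e in related}),
    }


def infer_adversary(events) -> Tuple[List[DiamondEvent], int]:
    """Fill the adversary vertex on events whose infrastructure is already
    attributed elsewhere. This is an analytic inference, not evidence, so the
    event's methodology records how the attribution was reached."""
    attributed = {e.infrastructure: e.adversary
                  for e in events if e.adversary and e.infrastructure}
    out, inferred = [], 0
    for e in events:
        if e.adversary is None and e.infrastructure in attributed:
            note = "adversary inferred from shared infrastructure"
            e = replace(e, adversary=attributed[e.infrastructure],
                        methodology="; ".join(filter(None, (e.methodology, note))))
            inferred += 1
        out.append(e)
    return out, inferred


def activity_threads(events) -> Dict[str, List[str]]:
    """Activity mapping: order each victim's events in time to see which
    kill-chain phases the adversary has completed against it."""
    threads: Dict[str, List[DiamondEvent]] = {}
    for e in events:
        if e.victim:
            threads.setdefault(e.victim, []).append(e)
    return {v: [e.phase for e in sorted(es, key=lambda e: e.timestamp)]
            for v, es in threads.items()}


if __name__ == "__main__":
    print(pivot_infrastructure(EVENTS, "203.0.113.10"))
    enriched, n = infer_adversary(EVENTS)
    print(n, "events attributed by pivot")
    print(activity_threads(enriched))
```

Pivoting on the shared C2 address attributes the finance-workstation events to the same actor already tied to the HR workstation, but the credential-dump event stays unattributed because it carries no infrastructure to pivot on; that gap is exactly the kind of missing feature the analyst has to go and generate.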

15 Approach Types
– Victim-centered
– Capability-centered
– Infrastructure-centered
– Adversary-centered
– Social-political-centered
– Technology-centered

16 Activity Mapping

17 Storage of Information
– Database of common intelligence terms and structures
– Use STIX (a structured language for expressing threat intelligence) together with TAXII (the transport protocol for exchanging it) to share intelligence more easily through community partnerships
– Create a metadata tagging system for your intelligence
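How the stored pivot result from the Diamond slides can be expressed for sharing, as an added example that is not part of the presentation and does not use the OASIS stix2 library (standard library only). The actor name "actor-A", the C2 address 203.0.113.10 (RFC 5737 documentation range) and the "diamond:..." / "phase:..." tag vocabulary are constructed; the required-field lists cover only the four STIX 2.1 object types used here, and the validator is a structural check, not a full STIX validator.

```python
"""Hand-built STIX 2.1 objects for sharing the result of a Diamond pivot.

Added example, not code from the presentation or from the OASIS stix2
library. The actor name "actor-A", the C2 address 203.0.113.10 and the
"diamond:..." / "phase:..." tag vocabulary are constructed for illustration.
"""
import json
import re
import uuid
from datetime import datetime, timezone

STIX_ID = re.compile(r"^[a-z][a-z0-9-]*--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
COMMON_REQUIRED = ("type", "spec_version", "id", "created", "modified")
# Required type-specific properties for the object types used in this example.
TYPE_REQUIRED = {
    "indicator": ("pattern", "pattern_type", "valid_from"),
    "infrastructure": ("name",),
    "threat-actor": ("name",),
    "relationship": ("relationship_type", "source_ref", "target_ref"),
}


def stix_timestamp() -> str:
    """RFC 3339 UTC with millisecond precision, as STIX timestamps require."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def new_object(obj_type: str, tags=(), **props) -> dict:
    """Create an SDO/SRO with the common properties filled in. Free-form tags
    go into the optional common 'labels' property, which lets a lightweight
    metadata tagging scheme ride along with the object (sharing restrictions
    such as TLP belong in marking-definition objects, not in labels)."""
    ts = stix_timestamp()
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    if tags:
        obj["labels"] = sorted(set(tags))
    obj.update(props)
    return obj


def ip_indicator(ip: str, tags=()) -> dict:
    """Indicator whose STIX pattern matches a single IPv4 address."""
    return new_object("indicator", tags, pattern=f"[ipv4-addr:value = '{ip}']",
                      pattern_type="stix", valid_from=stix_timestamp(),
                      indicator_types=["malicious-activity"])


def relationship(src: dict, rel_type: str, dst: dict) -> dict:
    return new_object("relationship", relationship_type=rel_type,
                      source_ref=src["id"], target_ref=dst["id"])


def validate(obj: dict) -> list:
    """Return the problems found; an empty list means the required 2.1 fields
    are present and the id is well formed. Structural check only."""
    problems = [f"missing {p}" for p in COMMON_REQUIRED if p not in obj]
    for p in TYPE_REQUIRED.get(obj.get("type", ""), ()):
        if p not in obj:
            problems.append(f"missing {p}")
    oid = obj.get("id", "")
    if oid and not STIX_ID.match(oid):
        problems.append("bad id")
    elif oid and not oid.startswith(obj.get("type", "") + "--"):
        problems.append("id/type mismatch")
    if obj.get("type") == "indicator" and not str(obj.get("pattern", "")).startswith("["):
        problems.append("pattern must be a bracketed STIX pattern")
    return problems


def bundle(objects: list) -> dict:
    """Wrap validated objects in a bundle; refuse to ship anything malformed."""
    bad = {i: validate(o) for i, o in enumerate(objects) if validate(o)}
    if bad:
        raise ValueError(f"invalid objects: {bad}")
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def to_json(obj: dict) -> str:
    return json.dumps(obj, indent=2, sort_keys=True)


def build_pivot_bundle() -> dict:
    """The shareable outcome of an infrastructure pivot: the C2 node, the actor
    that uses it and the indicator that detects it, each tagged with the
    Diamond vertex it fills and the kill-chain phase it belongs to."""
    actor = new_object("threat-actor", ("diamond:adversary",), name="actor-A")
    c2 = new_object("infrastructure", ("diamond:infrastructure", "phase:c2"),
                    name="actor-A C2 node", infrastructure_types=["command-and-control"])
    ind = ip_indicator("203.0.113.10", ("diamond:infrastructure", "phase:c2"))
    return bundle([actor, c2, ind,
                   relationship(actor, "uses", c2),
                   relationship(ind, "indicates", c2)])


if __name__ == "__main__":
    print(to_json(build_pivot_bundle()))
```

The bundle is what a TAXII server would hand out to partners; the point of validating before bundling is that a consumer's parser is the wrong place to discover a missing `valid_from` or an id that does not match its object type.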

18 Further Reading
– Gartner's definition of threat intelligence
– Anything by Tony Sager (the three axioms are his)
– Lockheed Martin paper on the attack and kill chain in cyberspace
– Harvard paper on asymmetrical attacks in cyberspace

19 Thank you!
Tim Gallo, @TimJGallo
Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
