Presentation is loading. Please wait.

Presentation is loading. Please wait.

Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014.

Published byAnissa Flynn Modified over 9 years ago

Similar presentations

Presentation on theme: "Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014."— Presentation transcript:

1 Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014

2 Quick Survey  How many of you have threat intelligence teams?  How many of you use threat intelligence as part of your security operation? 2 | ©2014, Palo Alto Networks. Confidential and Proprietary.

3 Agenda Who Am I Me + Unit 42 What is Threat Intelligence Role and Value How to Intelligence Cycle Building the Team 3 | ©2014, Palo Alto Networks. Confidential and Proprietary.

4 Who  Head of Unit 42 – Palo Alto Networks Threat Intelligence Team  Formerly Sr. Manager with Verisign’s iDefense Threat Intelligence service.  Specialize in Cyber Crime and Espionage  Mission: Analyze the data available to Palo Alto Networks to identify adversaries, their motivations and resources to better understand the threats our customers face. 4 | ©2014, Palo Alto Networks. Confidential and Proprietary. CSO CEO

5 What is Threat Intelligence? “Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.” - Rob McMillan - Gartner 5 | ©2014, Palo Alto Networks. Confidential and Proprietary. 212.83.131.214 is Bad On May 6, 2014, 212.83.131.214 hosted a command and control server for the NetWire RAT on TCP port 3360 in association with an attack from Nigerian cyber criminals… ✓ X

6 What can a Threat Intel do for your company? Supply Context Resources and Motivations Targeting and History Identify Risks High Priority Targets Resource Allocation Support Incident Response Tactics, Tools and Procedures Indicators 6 | ©2014, Palo Alto Networks. Confidential and Proprietary.

7 Intelligence Team Considerations ConsumersCustomer Operations Products  Customer: Who’s paying the bills?  Consumer: Who’s reading/processing the products?  Products: How do you deliver the intelligence?  Operations: How do you collect information and turn it into intelligence? 7 | ©2014, Palo Alto Networks. Confidential and Proprietary.

8 Customer and Consumers  Customer  Set’s high level priorities  Understand capabilities/limitations  Attribution, Counter Intel, Brute Squad  Consumer  Uses intel products  InfoSec/CSIRT  Legal/Finance/CorpComms  Marketing/Sales 8 | ©2014, Palo Alto Networks. Confidential and Proprietary.

9 Products  Periodicals  Summaries and trends.  Alerts  Active events requiring action  Requests for Information (RFI)  Specific needs of a consumer  Data Feeds  Actionable, including context. 9 | ©2014, Palo Alto Networks. Confidential and Proprietary.

10 The Intelligence Cycle DirectionCollectionProcessingAnalysisDissemination 10 | ©2014, Palo Alto Networks. Confidential and Proprietary. Well-established Widely use by civilian/military intelligence and law enforcement Cycle includes feedback

11 The Intelligence Cycle - Direction DirectionCollectionProcessingAnalysisDissemination Customer sets high level priorities and mission “Support CSIRT with intelligence on adversaries attacking our organization.” Refined to series of questions to pursue. Understand limitations Defines data and capabilities necessary to accomplish mission. 11 | ©2014, Palo Alto Networks. Confidential and Proprietary.

12 The Intelligence Cycle - Collection DirectionCollectionProcessingAnalysisDissemination Collect information from sources necessary to meet requirements Internal Systems SIEM, Log Management, Org Charts IPS/NGFW/Sandbox External Data Open Source Paid Intelligence Feeds Industry Groups Gap Analysis 12 | ©2014, Palo Alto Networks. Confidential and Proprietary.

13 The Intelligence Cycle - Processing 13 | ©2014, Palo Alto Networks. Confidential and Proprietary. DirectionCollectionProcessingAnalysisDissemination  Use technology to convert raw information into analyst workflow  Many sources, many formats.  Automate as much as possible.

14 The Intelligence Cycle - Analysis DirectionCollectionProcessingAnalysisDissemination Where information becomes intelligence. Clear away noise, identify what’s important, support decision makers. Have the right capabilities Network Malware Forensics Geo-political 14 | ©2014, Palo Alto Networks. Confidential and Proprietary.

15 The Intelligence Cycle - Dissemination DirectionCollectionProcessingAnalysisDissemination 15 | ©2014, Palo Alto Networks. Confidential and Proprietary. Keep consumer in mind. Clear and concise. Answer isn’t always simple, but should be comprehensible. Timely delivery Before it’s useless Consumable (Machine or Human)

16 The Intelligence Cycle – Direction (Again) DirectionCollectionProcessingAnalysisDissemination What did you learn? Did the product meet requirements? Do we need new sources/capabilities? Do we need to investigate something new? 16 | ©2014, Palo Alto Networks. Confidential and Proprietary.

17 Before You Start  Do you have the following under control?  Incident Response  Patching  Network Visibility  Identify your customer and mission.  Identify your consumers (be creative)  Evaluate existing staff  Institutional knowledge is important  You probably don’t have everything you need. 17 | ©2014, Palo Alto Networks. Confidential and Proprietary.

18 Resources  Rick Holland: “Five Steps To Build An Effective Threat Intelligence Capability”  Martin Petersen: “What I Learned in 40 Years of Doing Intelligence Analysis for US Foreign Policymakers”  Unit 42 – White papers, blog, tools. 18 | ©2014, Palo Alto Networks. Confidential and Proprietary. http://www.coresecurity.com/system/files/attachments/2013/04/RickHollandFiveStepstoBuild.pdf https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi- studies/studies/vol.-55-no.-1/what-i-learned-in-40-years-of-doing-intelligence-analysis-for-us- foreign-policymakers.htmlhttps://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi- studies/studies/vol.-55-no.-1/what-i-learned-in-40-years-of-doing-intelligence-analysis-for-us- foreign-policymakers.html https://paloaltonetworks.com/threat-research.html

19 19 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Download ppt "Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014."

Similar presentations

ETHICAL HACKING A LICENCE TO HACK

ETHICAL HACKING A LICENCE TO HACK
Chapter 7: Influencing decision-makers. Important notes These slides are not a replacement for the text Please use these slides as a starting point for.

Chapter 7: Influencing decision-makers. Important notes These slides are not a replacement for the text Please use these slides as a starting point for.
The Basics of Information Systems

The Basics of Information Systems
1. 2  Collecting information on border control database  Information from border interception cases (incident report)  Intelligence from foreign Intel.

1. 2  Collecting information on border control database  Information from border interception cases (incident report)  Intelligence from foreign Intel.
S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,

S3-1 © 2001 Carnegie Mellon University OCTAVE SM Process 3 Identify Staff Knowledge Software Engineering Institute Carnegie Mellon University Pittsburgh,
Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.

Threat Intelligence Use in Information Security: History, Theory and Practice Tim Gallo Cyber Security Field Engineering 1.
Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident.

Malware\Host Analysis for Level 1 Analysts “Decrease exposure time from detection to eradication” Garrett Schubert – EMC Corporation Critical Incident.
The Cyber Threat Intelligence Experts

The Cyber Threat Intelligence Experts
USMC Veteran – 2651 Secure Comms/Intel SysAdmin +14 Years in Information Technology/Security Specialties: Incident Response/Forensics Threat Intelligence.

USMC Veteran – 2651 Secure Comms/Intel SysAdmin +14 Years in Information Technology/Security Specialties: Incident Response/Forensics Threat Intelligence.
Dark Reading Threat Intelligence Survey Research Findings © 2014 Property of UBM Tech; All Rights Reserved.

Dark Reading Threat Intelligence Survey Research Findings © 2014 Property of UBM Tech; All Rights Reserved.
©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.

©2014 Bit9. All Rights Reserved Building a Continuous Response Architecture.
Analyzing the Business Case

Analyzing the Business Case
National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,

National Institute of Standards and Technology Computer Security Division Information Technology Laboratory Threat Information Sharing; Perspectives, Strategies,
© 2014 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential. Polycom event Security Briefing 12/03/14 Level 3 Managed Security.

© 2014 Level 3 Communications, LLC. All Rights Reserved. Proprietary and Confidential. Polycom event Security Briefing 12/03/14 Level 3 Managed Security.
Www.encase.com Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,

Mel Pless, Sr. Director, Solutions Consulting Guidance Software, Inc. Let’s Get Right To The Endpoint Leveraging Endpoint Data to Expose,
Criminal Justice Administration and Affiliated Programs Dr. William Sondervan Executive Director.

Criminal Justice Administration and Affiliated Programs Dr. William Sondervan Executive Director.
Privileged and Confidential Strategic Approach to Asset Management Presented to October 2004 2004 Urban Water Council Regional Seminar.

Privileged and Confidential Strategic Approach to Asset Management Presented to October Urban Water Council Regional Seminar.
Correlations, Alarms and Policies

Correlations, Alarms and Policies
Technician Module 2 Unit 8 Slide 1 MODULE 2 UNIT 8 Prevention, Intelligence & Deterrence.

Technician Module 2 Unit 8 Slide 1 MODULE 2 UNIT 8 Prevention, Intelligence & Deterrence.
11 Canal Center Plaza, Alexandria, VA 22314 T 800.663.7138 F 703.684.5189 www.robbinsgioia.com Enterprise Computing Conference (ECC) Workshop Alma R. Cole,

11 Canal Center Plaza, Alexandria, VA T F Enterprise Computing Conference (ECC) Workshop Alma R. Cole,

Similar presentations

Ads by Google