TRANSCRIPT
Building a Threat Intel Team
Ryan Olson
Director of Threat Intelligence
October, 2014
Quick Survey
How many of you have threat intelligence teams?
How many of you use threat intelligence as part of your security operation?
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Agenda
Who Am I: Me + Unit 42
What is Threat Intelligence: Role and Value
How To: The Intelligence Cycle
Building the Team
Who
Head of Unit 42, Palo Alto Networks Threat Intelligence Team
Formerly Sr. Manager with Verisign's iDefense Threat Intelligence service
Specialize in Cyber Crime and Espionage
Mission: Analyze the data available to Palo Alto Networks to identify adversaries, their motivations and resources to better understand the threats our customers face.
[Slide graphic: org chart showing CEO and CSO]
What is Threat Intelligence?
“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.”
- Rob McMillan, Gartner
X  "212.83.131.214 is Bad"
✓  "On May 6, 2014, 212.83.131.214 hosted a command and control server for the NetWire RAT on TCP port 3360 in association with an attack from Nigerian cyber criminals…"
What can a Threat Intel team do for your company?
Supply Context
• Resources and Motivations
• Targeting and History
Identify Risks
• High Priority Targets
• Resource Allocation
Support Incident Response
• Tactics, Tools and Procedures
• Indicators
Intelligence Team Considerations
• Customer: Who's paying the bills?
• Consumer: Who's reading/processing the products?
• Products: How do you deliver the intelligence?
• Operations: How do you collect information and turn it into intelligence?
Customer and Consumers
Customer
• Sets high-level priorities
• Understand capabilities/limitations
• Attribution, Counter Intel, Brute Squad
Consumer
• Uses intel products
• InfoSec/CSIRT
• Legal/Finance/CorpComms
• Marketing/Sales
Products
• Periodicals: summaries and trends.
• Alerts: active events requiring action.
• Requests for Information (RFI): specific needs of a consumer.
• Data Feeds: actionable, including context.
The Intelligence Cycle
[Diagram: Direction → Collection → Processing → Analysis → Dissemination, with feedback back to Direction]
• Well-established
• Widely used by civilian/military intelligence and law enforcement
• Cycle includes feedback
The Intelligence Cycle - Direction
• Customer sets high level priorities and mission
• “Support CSIRT with intelligence on adversaries attacking our organization.”
• Refined into a series of questions to pursue.
• Understand limitations
• Defines data and capabilities necessary to accomplish mission.
The Intelligence Cycle - Collection
• Collect information from the sources necessary to meet requirements
• Internal systems
  • SIEM, log management, org charts
  • IPS/NGFW/sandbox
• External data
  • Open source
  • Paid intelligence feeds
  • Industry groups
• Gap analysis
The Intelligence Cycle - Processing
• Use technology to convert raw information into an analyst workflow.
• Many sources, many formats.
• Automate as much as possible.
The Intelligence Cycle - Analysis
• Where information becomes intelligence.
• Clear away noise, identify what’s important, support decision makers.
• Have the right capabilities
  • Network
  • Malware
  • Forensics
  • Geo-political
The Intelligence Cycle - Dissemination
• Keep consumer in mind.
• Clear and concise.
• Answer isn’t always simple, but should be comprehensible.
• Timely delivery
  • Before it's useless
• Consumable (Machine or Human)
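The Processing and Dissemination slides describe the mechanics without showing them: many sources in many formats, automated into one analyst workflow, then delivered in a form a machine or a human can consume. The block below is an added example written for this transcript, not code from the talk or from Unit 42. It takes three constructed feeds (a CSV feed, a JSON feed and a bare text list; the feed names `feed_a`/`feed_b`/`feed_c`, the field layouts and the second address 198.51.100.7 are invented), normalises them into one record shape, merges sightings of the same indicator so context from one source enriches a bare entry from another, and emits a machine-readable product and a human summary. The NetWire/212.83.131.214 details are the ones from the "is Bad" slide; note how the indicator that arrives with no context is flagged for analyst review instead of being passed on as "Bad".

```python
"""Added example (not from the talk): normalise indicators from several feed
formats, merge context across sources, emit machine- and human-readable products.
All feeds below are constructed sample data."""
import csv
import io
import json
from dataclasses import dataclass, field, asdict
from typing import Optional

# Constructed feed A: CSV with full context (facts match the slide example).
FEED_A_CSV = """indicator,type,first_seen,port,malware,actor,source
212.83.131.214,ipv4,2014-05-06,3360,NetWire RAT,Nigerian cyber criminals,feed_a
"""

# Constructed feed B: JSON with partial context; 198.51.100.7 is invented.
FEED_B_JSON = json.dumps([
    {"value": "212.83.131.214", "kind": "ip", "seen": "2014-05-06",
     "context": {"port": 3360, "family": "NetWire"}, "provider": "feed_b"},
    {"value": "198.51.100.7", "kind": "ip", "seen": "2014-05-08",
     "context": {}, "provider": "feed_b"},
])

# Constructed feed C: bare text list, one address per line, no context at all.
FEED_C_TEXT = """# blocklist export, no context
212.83.131.214
198.51.100.7
"""

TYPE_MAP = {"ip": "ipv4", "ipv4": "ipv4", "domain": "domain"}  # hypothetical feed vocab


@dataclass
class Indicator:
    value: str
    ioc_type: str
    first_seen: Optional[str] = None
    port: Optional[int] = None
    malware: Optional[str] = None
    actor: Optional[str] = None
    sources: list = field(default_factory=list)

    def has_context(self) -> bool:
        """An indicator is only intelligence if something explains why it matters."""
        return any(v is not None for v in (self.port, self.malware, self.actor))

    def merge(self, other: "Indicator") -> None:
        """Fold another sighting of the same value in: keep the earliest first_seen,
        fill context fields we lack, and record every source that reported it."""
        if other.first_seen and (self.first_seen is None or other.first_seen < self.first_seen):
            self.first_seen = other.first_seen
        for name in ("port", "malware", "actor"):
            if getattr(self, name) is None and getattr(other, name) is not None:
                setattr(self, name, getattr(other, name))
        for src in other.sources:
            if src not in self.sources:
                self.sources.append(src)


def parse_csv_feed(text: str) -> list:
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        out.append(Indicator(row["indicator"], TYPE_MAP[row["type"]],
                             row["first_seen"] or None,
                             int(row["port"]) if row["port"] else None,
                             row["malware"] or None, row["actor"] or None,
                             [row["source"]]))
    return out


def parse_json_feed(text: str) -> list:
    out = []
    for rec in json.loads(text):
        ctx = rec.get("context", {})
        out.append(Indicator(rec["value"], TYPE_MAP[rec["kind"]], rec.get("seen"),
                             ctx.get("port"), ctx.get("family"), None, [rec["provider"]]))
    return out


def parse_text_feed(text: str, source: str) -> list:
    return [Indicator(line.strip(), "ipv4", sources=[source])
            for line in text.splitlines()
            if line.strip() and not line.startswith("#")]


def normalise(*feeds) -> dict:
    """Index every parsed feed by indicator value, merging duplicate sightings."""
    index = {}
    for feed in feeds:
        for ind in feed:
            if ind.value in index:
                index[ind.value].merge(ind)
            else:
                index[ind.value] = ind
    return index


def machine_product(index: dict) -> str:
    """Data feed product: one JSON record per indicator, context included."""
    return json.dumps([asdict(i) for i in sorted(index.values(), key=lambda i: i.value)], indent=1)


def human_product(index: dict) -> str:
    """Alert-style summary: say what is known, and say plainly when nothing is."""
    lines = []
    for ind in sorted(index.values(), key=lambda i: i.value):
        if ind.has_context():
            lines.append(f"{ind.value}: {ind.malware or 'unknown malware'} C2 on TCP {ind.port}, "
                         f"first seen {ind.first_seen}, attributed to {ind.actor or 'unknown actor'} "
                         f"(sources: {', '.join(ind.sources)})")
        else:
            lines.append(f"{ind.value}: reported by {', '.join(ind.sources)} with no context; "
                         "needs analyst review before it is blocked or shared")
    return "\n".join(lines)


if __name__ == "__main__":
    idx = normalise(parse_csv_feed(FEED_A_CSV), parse_json_feed(FEED_B_JSON),
                    parse_text_feed(FEED_C_TEXT, "feed_c"))
    print(human_product(idx))
    print(machine_product(idx))
```

The merge step is where processing earns its keep: the bare entry for 212.83.131.214 from feed C ends up carrying the port, malware family and actor that only feed A supplied, while 198.51.100.7 stays explicitly uncontextualised so an analyst, not an automated block rule, decides what to do with it.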
The Intelligence Cycle – Direction (Again)
• What did you learn?
• Did the product meet requirements?
• Do we need new sources/capabilities?
• Do we need to investigate something new?
Before You Start
Do you have the following under control?
• Incident Response
• Patching
• Network Visibility
Identify your customer and mission.
Identify your consumers (be creative)
Evaluate existing staff
• Institutional knowledge is important
• You probably don't have everything you need
Resources
• Rick Holland, "Five Steps To Build An Effective Threat Intelligence Capability": http://www.coresecurity.com/system/files/attachments/2013/04/RickHollandFiveStepstoBuild.pdf
• Martin Petersen, "What I Learned in 40 Years of Doing Intelligence Analysis for US Foreign Policymakers": https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csi-studies/studies/vol.-55-no.-1/what-i-learned-in-40-years-of-doing-intelligence-analysis-for-us-foreign-policymakers.html
• Unit 42 white papers, blog and tools: https://paloaltonetworks.com/threat-research.html