data-driven threat intelligence: metrics on indicator … · 2018-05-11 · transcript
Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing
(#ddti)
Alex Pinto, Chief Data Scientist
MLSec Project @alexcpsec
@MLSecProject
Alexandre Sieira, CTO Niddel
@AlexandreSieira @NiddelCorp
Agenda
• Previously on #ddti
• Challenges at TI Sharing
• Measuring TI Sharing
• The Future of Sharing
This is a data-driven webinar! Please check your anecdotes at the door.
Previously on #ddti
• Useful Methods and Measurements for Handling Indicators
• Analysis of Threat Intelligence Feeds
• Indirectly, a methodology for analyzing TI Providers
• Combine (https://github.com/mlsecproject/combine)
  • Gathers TI data (ip/host) from the Internet and local files
• TIQ-Test (https://github.com/mlsecproject/tiq-test)
  • Runs statistical summaries and tests on TI feeds
TIQ-TEST - Tons of Threat-y Tests
• NOVELTY – How often do the feeds update themselves?
• AGING – How long does an indicator sit on a feed?
• POPULATION – How does this population distribution compare to my data?
• OVERLAP – How do the indicators compare to the ones you got?
• UNIQUENESS – How many indicators are found only on one feed?
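As an added illustration of the overlap and uniqueness tests (this is not code from TIQ-Test or from the talk), the two metrics computed over constructed sample feeds plus a constructed set of indicators already seen locally; the feed names and IP values are made up for the example:

```python
# Added example (not from TIQ-Test or the talk): overlap and uniqueness
# computed over constructed indicator feeds. Names and values are made up.
from itertools import combinations

# Constructed sample data: three feeds and one "local" set of indicators
# that our own environment has already observed.
FEEDS = {
    "feed_a": {"203.0.113.5", "203.0.113.9", "198.51.100.7", "198.51.100.20"},
    "feed_b": {"203.0.113.5", "203.0.113.9", "198.51.100.7", "192.0.2.44"},
    "feed_c": {"192.0.2.44", "192.0.2.45", "192.0.2.46",
               "198.51.100.7", "203.0.113.99"},
}
LOCAL = {"203.0.113.5", "198.51.100.7", "192.0.2.99"}


def overlap(feeds):
    """Directional overlap: share of feed X's indicators also present in Y.
    Deliberately asymmetric: a small feed can sit entirely inside a large
    one while the large feed overlaps only slightly with the small one."""
    result = {}
    for x, y in combinations(feeds, 2):
        for src, dst in ((x, y), (y, x)):
            result[(src, dst)] = len(feeds[src] & feeds[dst]) / len(feeds[src])
    return result


def uniqueness(feeds):
    """Share of each feed's indicators that appear on no other feed.
    A feed near 0.0 adds nothing you could not get elsewhere."""
    result = {}
    for name, indicators in feeds.items():
        others = set().union(*(v for k, v in feeds.items() if k != name))
        result[name] = len(indicators - others) / len(indicators)
    return result


def local_overlap(feeds, local):
    """Share of each feed's indicators already seen in our own data,
    i.e. "how do the indicators compare to the ones you got?"."""
    return {name: len(ind & local) / len(ind) for name, ind in feeds.items()}


if __name__ == "__main__":
    for pair, share in sorted(overlap(FEEDS).items()):
        print("overlap %s -> %s: %.2f" % (pair[0], pair[1], share))
    print("uniqueness:", uniqueness(FEEDS))
    print("already seen locally:", local_overlap(FEEDS, LOCAL))
```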
Putting this threat intel data to work
Overlap Test: More data is fine, but make sure it is different
Overlap Test - Outbound
Uniqueness Test: Can we tell if we are close to finding *all* the threats?
I hate quoting myself, but…
Key Takeaway #1
MORE != BETTER Threat Intelligence Indicator Feeds
Threat Intelligence Program
Constructive Feedback from the Internet:
“TI Sharing is TOTALLY going to solve this”
Right, folks? Right?
TI Sharing Solution Plan:
1. The best Threat Intelligence is the one that you analyze from your own incidents (homegrown/organic intelligence)
2. There is strength in numbers – vertical herd immunity!
3. ????????
4. PROFIT!! (or at least SECURITY!!)
Or at least a rough strawman
If CONSUMING is for the 1%, what is the percentage of organizations able to PRODUCE?
Issue 1 - BYOTI
Issue 2 - Herd Immunity
Source: www.vaccines.gov
• We may be able to detect more “virus strains” together, but we are *terrible* at inoculation.
• The things we detect the most mutate too fast (Pyramid of Pain)
• Whoever didn’t get immunized still gets sick (FOMO-TI)
The Cognitive Dissonances of TI Sharing
Everybody should share! THE CIRCLE OF TRUST
Do you trust the group enough to consume?
The Two Sides of the Trust Coin
Do you trust the group enough to share?
How about measuring it? We would like to thank the kind contribution of data from the fine folks at Facebook ThreatExchange and ThreatConnect
…and also the sharing communities that chose to remain anonymous. You know who you are, and we ❤ you too.
[Overlap slides (charts)]
[Uniqueness slide (chart)]
Looks like we would get similar quality on a “good” Threat Intelligence Sharing Platform as we would on a “paid feed”
Activity Metric: Is there any actual sharing going on?
Update frequency chart
High 10s average | Low 100s average
Large – 10,000s members | Small – High 10s members
Large Community is roughly 36x bigger than Small Community
Diversity Metric: Check your sharing privilege
Roughly 10% of the organizations share data into the community
Some organizations are clearly in a better position operationally and legally to share. And that is expected due to our premises.
Feedback Metric: But is the data any good?
Feedback Metric
• Almost no support on automation-driven platforms
• Some allow you to leave “comments” or “new descriptors” for the IOCs – even counting those, a very low % in relation to new shared data
• Analyst-driven environments allow for collaboration on e-mails and forum posts to describe and refine strategies and best practices.
• How can we make this collaboration work on automation-driven platforms?
Trust Metric: Are we helping all the community or just a few orgs at a time?
Trust Metric
• The rough estimate seems to be that more than 50% of “sharing” (IOCs, messages, etc.) happens in “private groups” inside the infrastructure of the sharing platform
• All communities have them:
  • Part of the DNA of the IC/cleared community
  • Offsets the trust equation, but defeats the “herd immunity” argument
  • Usually MANDATORY on collaboration with LEA
• But then the “good” data is not helping “the community”. Is there any way we can reconcile?
The Future of Sharing: At the very least my humble opinion :)
#squadgoals: Increase the TRUST among peers
Reduce the TECHNICAL BARRIER for sharing useful information
TRUST: Anonymity + Good Curation
Some sharing communities accept anonymous submissions that they then curate and disseminate to all organizations
TECHNICAL BARRIER: “Pyramid of Sharing”
[Pyramid of Sharing diagram: tiers IOCs, Feedback, Telemetry, on an axis from LESS MATURE to MORE MATURE]
❤ and apologies to @DavidJBianco
Takeaways
• Intelligence Sharing is a very analyst-centric activity that we have been tasked with scaling out
• Data can be as good as a paid feed, but you have to be in the right circles of trust
• Does not solve the analyst shortage or making the indicators/strategies operational in your environment
Thanks!
• Q&A?
• Feedback!
“The measure of intelligence is the ability to change.” - Albert Einstein
Alex Pinto @alexcpsec
@MLSecProject
Alexandre Sieira @AlexandreSieira @NiddelCorp