Data-DrivenThreatIntelligence:MetricsonIndicatorDisseminationandSharing

(#ddti)

AlexPintoChiefDataScientist

MLSec Project@alexcpsec

@MLSecProject

AlexandreSieiraCTONiddel

@AlexandreSieira@NiddelCorp

• Previouslyon#ddti• ChallengesatTISharing• MeasuringTISharing• TheFutureofSharing

Agenda

Thisisadata-drivenwebinar!Pleasecheckyouranecdotesatthedoor

Previouslyon#ddti• UsefulMethodsandMeasurementsforHandlingIndicators• AnalysisofThreatIntelligenceFeeds• Indirectly,amethodologyforanalyzingTIProviders

• Combine(https://github.com/mlsecproject/combine)• GathersTIdata(ip/host)fromInternetandlocalfiles

• TIQ-Test(https://github.com/mlsecproject/tiq-test)• RunsstatisticalsummariesandtestsonTIfeeds

TIQ-TEST- TonsofThreat-yTests

• NOVELTY – Howoftendothefeedsupdatethemselves?• AGING – Howlongdoesanindicatorsitonafeed?• POPULATION – Howdoesthispopulationdistributioncomparetomydata?

• OVERLAP– Howdotheindicatorscomparetotheonesyougot?

• UNIQUENESS – Howmanyindicatorsarefoundonlyononefeed?

Puttingthisthreatinteldatatowork

OverlapTestMoredataisfine,butmakesure

itisdifferent

OverlapTest- Outbound

UniquenessTestCanwetellifweareclosetofinding*all*thethreats?

Ihatequotingmyself,but…

KeyTakeaway#1

MORE!=BETTERThreatIntelligenceIndicatorFeeds

ThreatIntelligenceProgram

ConstructiveFeedbackfromtheInternet:

“TISharingisTOTALLYgoingtosolvethis”

Right,folks?Right?

TISharingSolutionPlan:

1. ThebestThreatIntelligenceistheonethatyouanalyzefromyourownincidents(homegrown/organicintelligence)

2. Thereisstrengthinnumbers– verticalherdimmunity!

3. ????????

4. PROFIT!!(oratleastSECURITY!!)

Oratleastaroughstrawman

IfCONSUMINGisforthe1%,whatisthepercentageoforganizationsabletoPRODUCE?

Issue1- BYOTI

Issue2- HerdImmunity

Source:www.vaccines.gov

• Wemaybeabletodetectmore”virusstrains”togetherbutweare*terrible*atinoculation.

• Thethingswedetectthemostmutatetoofast(PyramidofPain)

• Whodidn’tgetimmunized,stillgetssick(FOMO-TI)

TheCognitiveDissonancesofTISharing

Everybody shouldshare! TheCIRCLEOFTRUST

Doyoutrustthegroupenoughtoconsume?

TheTwoSidesoftheTrustCoin

Doyoutrustthegroupenoughtoshare?

Howaboutmeasuringit?WewouldliketothankthekindcontributionofdatafromthefinefolksatFacebookThreatExchange andThreatConnect

…andalsothesharingcommunitiesthatchosetoremainanonymous.Youknowwhoyouare,andwe❤ youtoo.

OVERLAPSLIDE

OVERLAPSLIDE

UNIQUENESSSLIDE

Lookslikewewouldgetsimilarqualityona”good”ThreatIntelligenceSharingPlatformaswewouldon

a”paidfeed"

ActivityMetricIsthereanyactualsharinggoing

on?

Updatefrequencychart

High10saverage Low100saverage

Large– 10.000smembers Small– High10smembers

LargeCommunityisroughly36x

biggerthanSmallCommunity

DiversityMetricCheckyoursharingprivilege

Roughly10%oftheorganizationsshare

dataintothecommunity

Someorganizationsareclearlyinabetterpositionoperationallyandlegallytoshare.Andthatis

expectedduetoourpremises.

FeedbackMetricButisthedataanygood?

FeedbackMetric• Almostnosupportonautomation-drivenplatforms• Someallowyoutoleave”comments”or”newdescriptors”fortheIOCs– evenbycountingthoseverylow%inrelationtonewshareddata

• Analyst-drivenenvironmentsallowforcollaborationone-mailsandforumpoststodescribeandrefinestrategiesandbestpractices.

• Howcanwemakethiscollaborationworkonautomation-drivenplatforms?

TrustMetricArewehelpingallthecommunity

orjustafeworgsatatime?

TrustMetric• Theroughestimateseemstobethatmorethan50%of”sharing”(IOCs,messages,etc)happensin”privategroups”insidetheinfrastructureofthesharingplatform

• Allcommunitieshavethem:• PartoftheDNAoftheIC/clearedcommunity• Offsetsthetrustequation,butdefeatsthe”herdimmunity”argument• UsuallyMANDATORYoncollaborationwithLEA

• Butthenthe”good”dataisnothelping”thecommunity”isthereanywaywecanreconcile?

TheFutureofSharingAttheveryleastmyhumble

opinionJ

#squadgoalsIncreasetheTRUST

amongpeers

ReducetheTECHNICALBARRIERforsharinguseful

information

TRUST:Anonymity+GoodCuration

Somesharingcommunitiesacceptanonymoussubmissionsthattheythencurateanddisseminate

toallorganizations

IOCs

Feedback

TelemetryLESSMATURE

MOREMATURE

❤ andapologiesto@DavidJBianco

TECHNICALBARRIER:”PyramidofSharing”

Takeaways

• IntelligenceSharingisaveryanalyst-centricactivitythatwehavebeentaskedwithscalingout

• Datacanbeasgoodasapaidfeed,butyouhavetobeintherightcirclesoftrust

• Doesnotsolveanalystshortageandmakingtheindicators/strategiesoperationalintoyourenvironment

Thanks!

• Q&A?• Feedback!

”Themeasureofintelligenceistheabilitytochange."- AlbertEinstein

AlexPinto@alexcpsec

@MLSecProject

Alexandre Sieira@AlexandreSieira@NiddelCorp