Crowd-Sourced Threat Intelligence
About me
- Director, AlienVault Labs
- Security Research
- Malware Analysis
- Incident Response
The attacker’s advantage
• They only need to be successful once
• Determined, skilled and often funded adversaries
• Custom malware, 0days, multiple attack vectors, social engineering
• Persistent
The defender’s disadvantage
• They can’t afford to make a mistake
• Understaffed, jack of all trades, underfunded
• Increasingly complex IT infrastructure:
– Moving to the cloud
– Virtualization
– Bring your own device
• Prevention controls fail to block everything
• Hundreds of systems and vulnerabilities to patch
What is Threat Intelligence?
• Information about malicious actors
• Helps you make better decisions about defense
• Examples: IP addresses, domains, URLs, file hashes, TTPs, victims’ industries, countries, ...
How can I use Threat Intelligence?
• Detect what my prevention technologies fail to block
• Security planning, threat assessment
• Improves incident response / Triage
• Decide which vulnerabilities I should patch first
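The first use above, detecting what prevention failed to block, comes down to matching an indicator set against the logs you already collect. The following is an added example, not code from the slides or from AlienVault: a small matcher that normalises indicator values, extracts candidate IPs, hostnames and SHA-256 hashes from constructed proxy and endpoint log lines, and ranks the hits prevention did not stop by the Pyramid of Pain ordering the deck covers later (hash < IP < domain). Indicator values, log lines and the regular expressions are assumptions made for the illustration.

```python
"""Indicator matching over log lines: an added example, not code from the
slides or from AlienVault. The indicator values and the log lines below are
constructed for illustration (reserved RFC 5737 addresses, example.* names)."""
import ipaddress
import re
from dataclasses import dataclass

# Constructed indicator set, keyed by type. Values are stored normalised
# (lower-case) so a match is an exact set lookup.
INDICATORS = {
    "ipv4": {"203.0.113.45", "198.51.100.7"},
    "domain": {"c2.example.net", "update-check.example.org"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

# Pyramid of Pain ordering (Bianco): the higher the level, the more it costs
# the adversary to change, so the more a match is worth acting on.
PAIN_LEVEL = {"sha256": 1, "ipv4": 2, "domain": 3}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")

# Constructed proxy / endpoint log lines. 'block' marks traffic a prevention
# control already stopped; 'allow' and 'exec' lines got through.
LOGS = [
    "2014-03-02T10:15:01Z proxy allow user=alice dst=203.0.113.45 host=cdn.example.com path=/x.js",
    "2014-03-02T10:15:09Z proxy allow user=bob dst=192.0.2.10 host=c2.example.net path=/gate.php",
    "2014-03-02T10:16:44Z edr exec user=bob file=invoice.exe sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2014-03-02T10:17:00Z proxy block user=carol dst=198.51.100.7 host=update-check.example.org path=/",
]


@dataclass(frozen=True)
class Hit:
    line_no: int
    ioc_type: str
    value: str
    pain: int
    prevented: bool  # True if the same line shows a control blocked it


def extract(line):
    """Yield (ioc_type, normalised value) candidates found in one log line."""
    for h in SHA256_RE.findall(line):
        yield "sha256", h.lower()
    for ip in IP_RE.findall(line):
        try:
            ipaddress.IPv4Address(ip)  # drops junk such as 999.1.1.1
        except ValueError:
            continue
        yield "ipv4", ip
    for host in HOST_RE.findall(line):
        yield "domain", host.lower()


def scan(lines=LOGS, indicators=INDICATORS):
    """Return every indicator match, in log order."""
    hits = []
    for n, line in enumerate(lines, start=1):
        prevented = " block " in line
        for ioc_type, value in extract(line):
            if value in indicators.get(ioc_type, ()):
                hits.append(Hit(n, ioc_type, value, PAIN_LEVEL[ioc_type], prevented))
    return hits


def missed(hits):
    """Hits that prevention did not stop, highest Pyramid-of-Pain level first:
    these are the detections the intelligence bought you."""
    return sorted((h for h in hits if not h.prevented), key=lambda h: -h.pain)


if __name__ == "__main__":
    for h in missed(scan()):
        print(f"line {h.line_no}: {h.ioc_type} {h.value} (pain level {h.pain})")
```

Two details matter in practice: normalise both sides before comparing (the EDR line logs the hash in upper case, the feed in lower case), and keep the blocked hits too, since a high sighting count on a blocked indicator is itself useful intelligence to share.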
State of the art
• Most sharing is unstructured and human-to-human
• Closed groups
• Existing standards require knowledge, resources and time to integrate the data
Standards & Tools
• IODEF: Incident Object Description Exchange Format
• MITRE:
– STIX: Structured Threat Information eXpression
– TAXII: Trusted Automated eXchange of Indicator Information
– MAEC, CAPEC, CybOX
• CIF: Collective Intelligence Framework
Collective Intelligence Framework
The Threat Intelligence Pyramid of Pain
The Power of the “Crowd” for Threat Detection
Cyber criminals use (and reuse) the same exploits against others (and against you).
Sharing (and receiving) collaborative threat intelligence makes us all more secure.
With this data you can detect, flag and block attackers by their indicators (threat intel).
Disrupt the incident response cycle
Prevent → Detect → Respond
A traditional cycle:
1. Prevents known threats.
2. Detects new threats in the environment.
3. Responds to the threats as they happen.
This isolated closed loop offers no opportunity to learn from what others have experienced: no advance notice.
Traditional Response
(Figure, built up over five slides: First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products, each facing the attacker on its own.)
Attack → Detect → Respond, repeated independently at each organisation; what one of them learns never reaches the others.
OTX Enables Preventative Response
Through an automated, real-time threat exchange framework
A Real-Time Threat Exchange framework
(Figure, two slides: the same organisations, First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products, now connected through the Open Threat Exchange.)
Attack → Detect at one member.
Open Threat Exchange puts preventative response measures in place through shared experience, and protects the other members in the network with those preventative response measures.
Benefits of Open Threat Exchange
Shifts the advantage from the attacker to the defender
Open and free to everyone
Each member benefits from the incidents of all other members
Automated sharing of threat data
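The loop the last few slides describe, one member detects and every other member is protected in advance, is short enough to model end to end. What follows is an added example, not the slides' content and not AlienVault's OTX implementation: a toy in-memory exchange that collects sightings from members, publishes a feed, and lets each member pull that feed into its blocklist. The member names, the `min_sources` threshold, the allowlist and the 30-day expiry are assumptions made to show the caveats a practitioner wants on any automated sharing: a single mis-flag must not block a legitimate service for everyone, and indicators have to age out.

```python
"""A toy in-memory threat exchange: an added example, not the slides' content
and not AlienVault's OTX implementation. The member names, the sighting
threshold, the allowlist and the 30-day expiry are assumptions chosen to
show the 'one member detects, every member is protected' loop."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone


class Exchange:
    """Collects sightings from members and publishes a feed of indicators."""

    def __init__(self, min_sources=1, allowlist=(), ttl_days=30):
        self.sightings = defaultdict(dict)   # ioc -> {member: first_reported}
        self.min_sources = min_sources       # independent reporters required
        self.allowlist = set(allowlist)      # never propagate these (known-good infra)
        self.ttl = timedelta(days=ttl_days)  # sightings older than this age out

    def report(self, member, ioc, seen_at):
        """Record a member's sighting; refuse allowlisted values so one
        mis-flag cannot make every member block a legitimate service."""
        if ioc in self.allowlist:
            return False
        self.sightings[ioc].setdefault(member, seen_at)
        return True

    def feed(self, now):
        """Indicators with enough fresh, independent sightings -> reporter count."""
        published = {}
        for ioc, by_member in self.sightings.items():
            fresh = [t for t in by_member.values() if now - t <= self.ttl]
            if len(fresh) >= self.min_sources:
                published[ioc] = len(fresh)
        return published


class Member:
    """One organisation: its own detections plus whatever the exchange publishes."""

    def __init__(self, name, exchange):
        self.name = name
        self.exchange = exchange
        self.local = set()    # indicators this member detected itself
        self.shared = set()   # indicators received from the exchange

    def detect(self, ioc, now):
        """Local detect/respond: block here, then share so others can prevent."""
        self.local.add(ioc)
        self.exchange.report(self.name, ioc, now)

    def sync(self, now):
        """Pull the current feed; expired or withdrawn indicators drop out."""
        self.shared = set(self.exchange.feed(now))

    def allowed(self, ioc):
        return ioc not in self.local and ioc not in self.shared


def run_scenario():
    """The slides' storyline with constructed data: the credit union is hit
    first; the insurer is protected before the same infrastructure reaches it."""
    t0 = datetime(2014, 3, 2, tzinfo=timezone.utc)
    exchange = Exchange(min_sources=1, allowlist={"8.8.8.8"})
    credit_union = Member("credit-union", exchange)
    insurer = Member("insurer", exchange)
    telecom = Member("telecom", exchange)
    c2 = "203.0.113.45"  # constructed attacker address (RFC 5737 range)

    before = insurer.allowed(c2)              # True: nobody has seen it yet
    credit_union.detect(c2, t0)               # attack lands, is detected, is shared
    insurer.sync(t0 + timedelta(hours=1))
    after = insurer.allowed(c2)               # False: blocked before the attack arrives

    credit_union.detect("8.8.8.8", t0)        # a mis-flag of a public resolver
    telecom.sync(t0 + timedelta(hours=2))
    resolver_ok = telecom.allowed("8.8.8.8")  # True: allowlist stopped propagation

    telecom.sync(t0 + timedelta(days=45))
    aged_out = telecom.allowed(c2)            # True: the single sighting expired

    return {"before": before, "after": after,
            "resolver_ok": resolver_ok, "aged_out": aged_out,
            "reporters": exchange.feed(t0 + timedelta(hours=2)).get(c2)}


if __name__ == "__main__":
    print(run_scenario())
```

With `min_sources=1` a single member's detection protects everyone, which is the deck's point; raising it trades speed for resistance to a poisoned or mistaken report, and the allowlist covers the cases where no number of sightings should ever turn into a block.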
Open Source Security Information Management
OSSIM/USM
USM Product Capabilities
ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning
BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response
THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Open Threat Exchange
Thank you!!
@jaimeblascob
http://www.alienvault.com/open-threat-exchange/blog