Managing Threat Intelligence
About Me
▪ MSIM – W.P. Carey @ ASU
▪ Network Infrastructure
– Firewalls, Proxy servers, Content filtering
– Routing/switching
▪ Server & Storage Infrastructure
– Blade architectures
– Virtualization
▪ Cyber Security Threat Mgmt
– Cyber Security Operations
– Incident Response
The Challenge
▪ “Threat Intelligence” can—and will—arrive from various sources and exist in many forms
My Goal
▪ Review various avenues of Threat Intelligence
▪ Generate discussion and ideas of how to better prepare yourself and/or your organization to handle ingesting and responding to Threat Intelligence
Format
▪ Present a possible source of Threat Intel
▪ Discuss challenges it creates
▪ Discuss opportunities it presents
▪ Rinse and repeat
Common Sources for Threat Intelligence
Internal Tools & Logs
▪ Firewalls
▪ IDS/IPS
▪ Anti-Virus
▪ DLP
▪ System logs (e.g. authentication, file changes, etc.)
Tools & Logs - Challenges
▪ Are you logging enough information?
▪ How much should you keep?
▪ Do you have access to the logs?
▪ How many different systems are there?
▪ How many people are dedicated to reviewing logs?
▪ False positives!
Tools & Logs - Opportunities
▪ Centralized Logging / SIEM
▪ Automated alerting
▪ Metrics
▪ Beware of getting bogged down in historical data
▪ Running and archiving reports is a way to keep
Vendors
▪ Product alerts, blogs and bulletins
▪ Symantec Internet Security Threat Report
– http://www.symantec.com/security_response/publications/threatreport.jsp
▪ Verizon Data Breach Investigation Report
– http://www.verizonenterprise.com/DBIR/
▪ McAfee Labs Threat Report
Vendors - Challenges
▪ Keeping up with dozens (if not hundreds) of different vendor product alerts is daunting
▪ Some vendors may not disclose information in a timely manner
▪ Quarterly/Annual reports aren’t helpful for day-to-day operations
Vendors - Opportunities
▪ Train support groups on how to spot and escalate vendor alerts.
▪ Form cyber security workgroups to discuss and report on alerts.
▪ Leverage vulnerability alerting tools
▪ Incorporate vendor cyber security as a measure when evaluating new purchases
▪ Use Quarterly/Annual reports as a way to engage and inform executives and management.
General News
(aka Mainstream Media)
▪ CNN
▪ Reuters
▪ ABC/NBC/Fox
▪ TMZ
General News - Challenges
▪ Just kidding about TMZ
▪ May not be timely
▪ May not be accurate
▪ May overhype (or underhype) the importance
▪ Creates many new emails for you!
▪ “Hey, did you hear about Heartbleed?? I saw it on TMZ last night!”
General News – Opportunities
▪ Acknowledge and inform – Don’t mislead
▪ Provide specific context that the news can’t
▪ Redirect people to appropriate sources
Organizations
▪ ACTRA
– Arizona Cyber Threat Response Alliance
– “Collaborative cyber information sharing in a neutral environment of trust”
▪ AZ Infragard
– Information sharing in partnership with the FBI
– FBI Liaison Alert System (FLASH)
– Private Industry Notifications (PIN)
– http://azinfragard.org/
Organizations (cont’d)
▪ NCFTA
– National Cyber-Forensics & Training Alliance
– “Companies, Government, and Academia working together to neutralize cyber crime.”
– http://www.ncfta.net/
▪ US-CERT
– Computer Emergency Readiness Team
– “US-CERT is the 24-hour operational arm of the Department of Homeland Security's National Cybersecurity and Communications Integration Center (NCCIC).”
– https://www.us-cert.gov
Organizations (cont’d) - ISACs
▪ Information Sharing and Analysis Centers
▪ Created as a result of Presidential Decision Directive 63 (PDD-63) in 1998
▪ Focus on Critical Infrastructure
▪ 17 different ISACs
– Energy Sector (ES-ISAC)
– Financial Sector (FS-ISAC)
– Multi-state ISAC (MS-ISAC)
– Supply Chain (SC-ISAC)
– Water (WaterISAC)
Organizations - Challenges
▪ Time, and possibly $, investment
▪ Threat information may not always be relevant to your organization
Organizations - Opportunities
▪ Chance to interface with industry peers in similar roles
▪ Industry specific intelligence
▪ Potential for greater levels of trust and information sharing
▪ Possibility of obtaining threat intelligence not available in other channels
Social Media
▪ Facebook
▪ Twitter
– @USCERT_gov
Social Media – Challenges
▪ Unstructured
▪ Effectiveness
Social Media – Opportunities
▪ New ways to communicate with your organization
– Awareness
– Training
– Incident Response (with care)
▪ Many organizations are dedicating resources to social media management (delegate!)
The rest of the Internet
▪ National Vulnerability Database
– http://nvd.nist.gov/
▪ Internet Storm Center
– https://isc.sans.edu/
Summary
▪ “Threat Intelligence” can—and will—arrive from various sources and exist in many forms
Questions
▪ What would you like to talk about?