Data-Driven Threat Intelligence: Metrics on Indicator ......Data-Driven Threat Intelligence: Metrics...

Data-DrivenThreatIntelligence:MetricsonIndicatorDisseminationandSharing

(#ddti)

AlexPintoChiefDataScientist

MLSec Project/Niddel@alexcpsec

@MLSecProject /Niddel

• WhatisTIgoodfor?• CombineandTIQ-test• MeasuringIndicators• ThreatIntelligenceSharing• Futureresearchdirection(i.e.willworkfordata)

Agenda

HTto@RCISCwendy

WhatisTIgoodfor(1)Attribution

WhatisTIgoodforanyway?

TYto@bfist forhisworkonhttp://sony.attributed.to

WhatisTIgoodfor(2)– CyberMaps!!

TYto@hrbrmstr forhisworkonhttps://github.com/hrbrmstr/pewpew

WhatisTIgoodforanyway?• (3)Howaboutactualdefense?• Strategicvs.tacticalvs.operational:planning• Technicalindicators:DFIRandmonitoring

AffirmingtheConsequentFallacy

1. IfA,thenB.2. B.3. Therefore,A.

1. Evilmalwaretalksto8.8.8.8.2. Iseetrafficto8.8.8.8.3. ZOMG,APT!!!

Thisisadata-driventalk!Pleasecheckyouranecdotesatthedoor

CombineandTIQ-Test• Combine(https://github.com/mlsecproject/combine)• GathersTIdata(ip/host)fromInternetandlocalfiles• Normalizesthedataandenrichesit(AS/Geo/pDNS)• CanexporttoCSV,“tiq-testformat”andCRITs• h/t@kylemaxwell,@sconzo,@c0wl

• TIQ-Test(https://github.com/mlsecproject/tiq-test)• RunsstatisticalsummariesandtestsonTIfeeds• Generateschartsbasedonthetestsandsummaries• WritteninR(becauseyoushouldlearnastatlanguage)• h/t@hrbrmstr

SuddenlyDatahttps://github.com/mlsecproject/tiq-test-Summer-2015

UsingTIQ-TEST– FeedsSelected• Datasetwasseparatedinto“inbound”and“outbound”

TYto@kafeine andJohnBambenek foraccesstotheirfeeds

DataFormatforTIQ-TEST

TonsofThreat-yTests

• NOVELTY – Howoftendothefeedsupdatethemselves?• AGING – Howlongdoesanindicatorsitonafeed?• POPULATION – Howdoesthispopulationdistributioncomparetomydata?

• OVERLAP– Howdotheindicatorscomparetotheonesyougot?

• UNIQUENESS – Howmanyindicatorsarefoundonlyononefeed?

Puttingthisthreatdatatowork

TonsofThreat-yTests

• NOVELTY – Howoftendothefeedsupdatethemselves?• AGING – Howlongdoesanindicatorsitonafeed?• POPULATION – Howdoesthispopulationdistributioncomparetomydata?

• OVERLAP– Howdotheindicatorscomparetotheonesyougot?

• UNIQUENESS – Howmanyindicatorsarefoundonlyononefeed?

Puttingthisthreatdatatowork

OverlapTestMoredataisfine,butmakesure

itisdifferent

OverlapTest- Inbound

OverlapTest- Outbound

UniquenessTestHowmanyfishREALLYarethereatthesea?

Ihatequotingmyself,but…

KeyTakeaway#1

MORE!=BETTERThreatIntelligenceIndicatorFeeds

ThreatIntelligenceProgram

“TISharingisTOTALLYgoingtosolvethis”

Right,people?Right?

HerdImmunity,isit?

Source:www.vaccines.gov

ThreatIntelligenceSharingWewouldliketothankthekindcontributionofdatafromthefinefolksatFacebookThreatExchangeandThreatConnect…

…andalsothesharingcommunitiesthatchosetoremainanonymous.Youknowwhoyouare,andwe❤ youtoo.

ThreatIntelligenceSharing– Data

Fromaperiodof2015-03-01to2015-05-31:- NumberofIndicatorsShared

§ Perday§ Permember

Notsharingthisdata– privacyconcernsforthemembersandcommunities

OVERLAPSLIDE

UNIQUENESSSLIDE

TheCognitiveDissonancesofTISharing

Everybody shouldshare! TheCIRCLEOFTRUST

Whatdoyoushare?

Whatdoyouconsume?

TheTwoSidesofTrust

ActivityTestIsthereanyactualsharinggoing

Updatefrequencychart

High10saverage Low100saverage

Large– 10.000smembers Small– High10smembers

DiversityTestCheckyoursharingprivilege

RecallTestButisthedataanygood?

Whatdoesgoodcurationlookslike?

KarmaandAnonymity

KeyTakeaway#1

'Howcansharingmakemebetterunderstandwhatare

attacksthat“aretargeted”andwhatare“commodity”?'

Telemetry>AnalysisNoteveryoneshouldneedtoknowhowtohunttomakeameaningfulcontribution

MoreTakeaways

• Analyzeyourdata.Extractmorevaluefromit!• IfyouABSOLUTELYHAVETObuyThreatIntelligenceordata,evaluateitfirst.

• Trythesampledata,replicatetheexperiments:• https://github.com/mlsecproject/tiq-test-Summer2015• http://rpubs.com/alexcpsec/tiq-test-Summer2015

• Sharedatawithus.I’llmakesureitgetsproperexercise!

Thanks!

• Q&A?• Feedback!

”Themeasureofintelligenceistheabilitytochange."- AlbertEinstein

AlexPinto@alexcpsec

@MLSecProject /@NiddelCorp

Data-Driven Threat Intelligence: Metrics on Indicator ......Data-Driven Threat Intelligence: Metrics...

Documents

DOE Safety Metrics Indicator Program (SMIP) Fiscal Year

Performance Metrics Central User Guide - · PDF fileOperational Indicator Metrics List ... Your Performance Metrics Central User Guide provides detailed information about how to use

1 OS II: Dependability & Trust Threat Modeling & Security Metrics Dependable Embedded Systems & SW Group Prof. Neeraj

An Insider Threat Indicator Ontology

Webroot Perspective · 2018-09-27 · 4 Webroot Perspective The statistics in this report are based on threat intelligence metrics automatically captured, analyzed, and contextualized

WwwTASK.to © Toronto Area Security Klatch 2007 Threat Modeling With STRIDE and DREAD Chuck Ben-Tzur Security Consultant Sentry Metrics March 27, 2007

Introduction to Altmetric for Institutions Training Nov 15 Schulich.pdfalt + metrics Complementary to traditional citation metrics Score is an indicator and the underlying, qualitative

Learning Metrics Task Force - Brookings Institution Metrics Task Force ... The matrix includes a set of seven core thematic ... The outcomes indicator are based on the three core dimensions

Patient Safety Indicator 04 (PSI 04) Death Rate among ... › Downloads › ... · pneumonia, sepsis, shock/cardiac arrest, or gastrointestinal hemorrhage/acute ulcer). Includes metrics

Citizenship Likely an Unreliable Indicator of Terrorist ... › irp › eprint › dhs-7countries.pdfCilizclIship Likely an Unreliable ו,ndicator ofl'errorj!lt Threat r() t וfe United

Software Metrics - ida.liu.seTDDC88/theory/12Metrics-before.pdf · Software metrics • Usage-based metrics • Verification & Validation metrics • Volume metrics • Structural

Standardized Threat Indicators Indicator Export Adversary Analysis (Pivoting) Private and Community Incident Correlation ThreatConnect Intelligence Research

Module 2 Developing Metrics and Indicators · Developing Metrics and Indicators . End of Module Objective ... Key performance indicator (KPI) is a business metric used to evaluate

chemistry.ucsd.educhemistry.ucsd.edu/.../aerotekopenings9-5-17.docx · Web view$17-30/hr DOE. From the hiring ... summarize and report key performance indicator data and metrics

deSherbinin et al 2013 IndicatorsInPractice finalDefinition of Environmental Indicator and Environmental Index We use “ environmental indicator ” to mean metrics derived from observation

Data$DrivenThreatIntelligence:Metrics … · 2018-05-11 · Data$DrivenThreatIntelligence:Metrics onIndicatorDisseminationandSharing* (#ddti) Alex%Pinto Chief%Data%Scientist%

Good Practice Performance Indicators Engineering Practices Working Group Performance Indicator Sub-Group Engineering Performance Metrics D. C. Lowe October

EEI Leading Indicator Study - Esafetyline s/eeiFall2013... · Although Leading Indicators drive both lagging indicator metrics, some correlate differently Metric Most Frequent Leading

@MarSChauvin metrics to show how threat intel works How to ... · How to Get Promoted: Developing metrics to show how threat intel works Toni Gidwani Director of Research @t_gidwani

Cyber threat intelligence: maturity and metrics