THREAT INTELLIGENCE IN A NUTSHELL: FROM INTELLIGENCE TO EXPLOITATION
Abdel Sy Fane
Chicago CyberSecurity Meetup – President
Application Security Manager - Allstate
WHAT IS THREAT-INTEL (TI)?
• Collecting Information on your adversaries (Threat-Actors)
• Defining who they are and what they're capable of (Threat Modeling)
  • Hacktivists, APT Groups, Nation States, Hackers (driven by money or chaos)
• Curating the Data (there's tons of data out there!)
• Contextualize & Visualize Threat Actors
• Security Intelligence Tools (Gather & Analyze Threats)
WHAT IS THREAT MODELING & WHY IS IT IMPORTANT?
MODELING FOR INTELLIGENCE
• Know Your Organization
  • What is your organization's role in the industry?
• Know Your Infrastructure
  • What assets do you need to protect?
• Know Your Actors
  • Which bad actor is most likely to come after your assets?
• Know Your Tools
  • How are you going to gather threat data & analyze it?
WHAT IS THREAT DATA, INFORMATION & INTELLIGENCE?
• Unusual Network Traffic
• Log-In Red Flags
• Geographical Irregularities
• Web Traffic with Non-Human Behavior
• Anomalies in Privileged User Account Activity
• Other Indicators of Compromise (IOCs)
THREAT INTEL, FEEDS & PLATFORMS
• Threat Data Feeds
  • Pros:
    • Good starting point for Threat Intel (Threat Data is knowledge but not power)
    • Tons of Open Source Feeds (FREE!)
    • Department of Homeland Security's (DHS) Enhanced Cybersecurity Services (ECS)
      • Knowledge shared among organizations and govt. entities (also FREE!)
  • Cons:
    • A Data Feed alone cannot answer any vital questions regarding the threat
    • Data overload
    • Relevant intel can only be extracted by humans (time consuming)
THREAT INTEL, FEEDS & PLATFORMS (CONT.)
• Human Intelligence (HUMINT)
  • Pros:
    • Collecting Threat Intelligence from human and machine sources
    • Rich in details and located in a searchable DB
    • Contextualized data relevant to your organization
  • Cons:
    • Time:
      • Time consuming to collect data from multiple sources
      • Time consuming for humans to analyze and correlate the data
      • Time consuming for humans to connect the threat to your specific organization/industry
THREAT INTEL, FEEDS & PLATFORMS (CONT.)
• Threat Intelligence Platforms
  • Pros:
    • Help organize threat data feeds (up to thousands of feeds)
    • Centralize the feeds you're subscribed to
    • Contextualize and visualize data, correlating with and integrating into other security platforms, i.e. SIEMs
    • Prioritize what matters and set up alerts
  • Cons:
    • You must configure the threat data feeds
    • Only as good as the data coming in (feeds)
    • Can be costly
OPENSOURCE THREAT INTELLIGENCE
• Write APIs to collect data from publicly available sources
  • Security News
  • Security Blogs
  • Security Forums
  • Security Research
  • Social Media
    • Twitter – tinfoleak (Github)
• Check out Awesome-Threat-Intelligence (Github)
NOTABLE OPEN SOURCE THREAT INTELLIGENCE RESOURCES
• vFeed (Github)
• MISP - Malware Information Sharing Platform and Threat Sharing (Github)
• AlienVault - provides open access to a global community of threat researchers and security professionals
DEMO
• Goals:
  • Find a vulnerability reported by a vendor (CVE, CWE, CPE, OVAL, CAPEC, CVSS, WASC)
  • Find and correlate a vulnerability to threat data
  • Use the threat intelligence to exploit the reported vulnerability
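The first two demo goals, and the "prioritize what matters" point from the platforms slide, come down to joining a vendor vulnerability feed (CVE, CPE, CVSS) against your own asset inventory and the threat data you hold on actors. The following is an added example, not code from the talk or from vFeed/MISP: every CVE id, CPE, actor name and asset below is constructed, and the scoring weights (+3 for a CVE in actor reporting, +2 more when that actor targets your sector) are an assumption chosen to show how threat data reorders a raw CVSS ranking.

```python
# Rank vendor-reported vulnerabilities (CVE / CPE / CVSS) by threat data.
# Added example, not code from the talk; every record below is constructed.

# Vulnerability records in the shape a CVE/CPE feed such as vFeed provides.
# CVE ids are placeholders, not real advisories.
VULNS = [
    {"cve": "CVE-0000-1001", "cpe": "cpe:2.3:a:examplevendor:webapp:2.1:*:*:*:*:*:*:*", "cvss": 9.8},
    {"cve": "CVE-0000-1002", "cpe": "cpe:2.3:a:examplevendor:webapp:*:*:*:*:*:*:*:*", "cvss": 5.3},
    {"cve": "CVE-0000-1003", "cpe": "cpe:2.3:o:othervendor:routeros:7.0:*:*:*:*:*:*:*", "cvss": 8.1},
]

# Threat data: actor reporting that names CVEs and targeted sectors (what a
# MISP event or HUMINT write-up would give you). Actor names are hypothetical.
THREAT_EVENTS = [
    {"actor": "ACTOR-A (hypothetical)", "cves": {"CVE-0000-1002"}, "sectors": {"insurance", "finance"}},
    {"actor": "ACTOR-B (hypothetical)", "cves": {"CVE-0000-1003"}, "sectors": {"telecom"}},
]

# Asset inventory ("Know Your Infrastructure") and sector ("Know Your Organization").
ASSETS = {"customer-portal": "cpe:2.3:a:examplevendor:webapp:2.1:*:*:*:*:*:*:*"}
ORG_SECTOR = "insurance"


def cpe_matches(asset_cpe, vuln_cpe):
    """Field-wise CPE 2.3 match; '*' in the vulnerability CPE matches any value."""
    a, v = asset_cpe.split(":"), vuln_cpe.split(":")
    if len(a) != 13 or len(v) != 13:
        return False  # malformed CPE string: never treat it as a match
    return all(vf in ("*", af) for af, vf in zip(a, v))


def prioritize(vulns, events, assets, sector):
    """Keep CVEs that hit our assets; score = CVSS, +3 if an actor is reported
    using the CVE, +2 more if that actor targets our sector. Highest first."""
    ranked = []
    for vuln in vulns:
        hit = [name for name, cpe in assets.items() if cpe_matches(cpe, vuln["cpe"])]
        if not hit:
            continue  # not in our infrastructure: threat data without exposure
        using = [e for e in events if vuln["cve"] in e["cves"]]
        actors = [e["actor"] for e in using]
        targets_us = any(sector in e["sectors"] for e in using)
        score = vuln["cvss"] + (3.0 if actors else 0.0) + (2.0 if targets_us else 0.0)
        ranked.append({"cve": vuln["cve"], "assets": hit, "actors": actors,
                       "priority": round(score, 1)})
    return sorted(ranked, key=lambda r: r["priority"], reverse=True)


if __name__ == "__main__":
    print(prioritize(VULNS, THREAT_EVENTS, ASSETS, ORG_SECTOR))
```

With this data the CVSS 5.3 issue outranks the CVSS 9.8 one because an actor targeting our sector is reported using it, while the router CVE drops out entirely because nothing in the inventory matches its CPE.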
THANK YOU!
The Team: Abdel Sy Fane, Emily Stamm, Andrea Kim
ChicagoSecurity.Org
Meetup.com/ChicagoSecurity