Operationalizing Threat Intelligence
How to Craft a Program and Operationalize Outcomes
Bryan Lee, Palo Alto Networks
BRYAN LEE | THREAT RESEARCHER
Expertise in nation state sponsored activity and security operations
Wide range of experiences within NASA ranging from real time monitoring to operational architecture
THE MISSION
Life, the universe, everything: protect the Internet and make the world a safer place
HUNTERS: Experts in hunting and collection of unknown threats
REVERSERS: Experts in complete reverse engineering of malware using code analysis
TOOLS: Responsible for development of tools and mechanisms in support of the team
Know yourself, know your enemy, and you shall win a hundred battles without loss
-Sun Tzu, The Art of War
What is threat intelligence?
Collection, processing, and storing of adversary and organizational data
Provide context to threat indicator data to produce assessments relevant to the organization
Understand the adversary
Understand our own environment
Better assess and mitigate risk
ARCHITECTURE, PASSIVE DEFENSE, ACTIVE DEFENSE, THREAT INTELLIGENCE, OFFENSE
Source: Robert M. Lee, The Sliding Scale of Security
ACTIVE DEFENSE
Countering active threats via monitoring and response
Consumer of threat intelligence
Application of data to threats relevant to the organization
THREAT INTELLIGENCE
Generate data to fill knowledge gaps for threats
Producer of threat intelligence
Assessment of data to produce new information relevant to the organization and adversaries
Data: Establish comprehensive internal and external data streams
Automation: Automate collection, processing, and storing of data streams
Humans: Provide access to human analysts for assessment
Stage One: Ad-hoc analysis, basic data collection, no automation
Stage Two: Basic framework, mapped data sources, some automation
Stage Three: Documented framework, mapped and vetted sources, full automation, human interdiction available
Threat intelligence is not a silver bullet
Case study: Sofacy
Russian based, espionage motivated, multi-year operation
Also known as Fancy Bear, APT28, Pawn Storm, STRONTIUM, Sednit
Associated tools: XTunnel, Azzy, Komplex, Sofacy, Carberp, XAgent, XSQWER, DealersChoice
DealersChoice
Used phishing attacks targeting multiple industry verticals
Phishing emails contained legitimate looking Microsoft Word documents
Two versions discovered, both using Flash exploits to install malware
Used a specific registry key native to Microsoft Office to maintain persistence
Assess target priorities: Are we amongst the targeted industries?
Understand technological risk: Do we have Flash in our environment? What is our patch level?
Evaluate defensive measures: Are we able to neutralize at multiple stages of the attack life cycle?
The Sofacy group, also known as Fancy Bear, APT28, Pawn Storm, STRONTIUM, and Sednit, has recently been discovered using a tool called DealersChoice to target multiple industry verticals via phishing attacks.
DealersChoice appears to be delivered via Microsoft Word documents containing embedded malicious Adobe Flash files. Three users have received these emails.
Our organization currently has 1,250 installations of Adobe Flash, with a 33% patch rate to the current version. Two of the three targeted victims were not patched.
Network perimeter as well as endpoint protections have been deployed.
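The three assessment questions above reduce to joining an intelligence record against the organization's own asset inventory. This added example (not code from the deck or from Palo Alto Networks) does that join on a constructed inventory; the industries, version numbers and host names are placeholders.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Host:
    name: str
    owner: str
    flash_version: Optional[str]  # None means Flash is not installed

def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))

# Constructed intel record summarising the DealersChoice reporting on the slides.
# Targeted industries and the patched version are placeholders, not deck values.
INTEL = {
    "actor": "Sofacy",
    "tool": "DealersChoice",
    "targeted_industries": {"government", "defense", "media"},
    "software": "Adobe Flash",
    "patched_version": "1.2.3",
}

def assess(intel: dict, inventory: list, org_industry: str, phish_recipients: set) -> dict:
    """Answer the three slide questions: are we a targeted sector, how exposed is
    the exploited software, and which phished users sit on an unpatched host."""
    targeted_sector = org_industry in intel["targeted_industries"]
    flash_hosts = [h for h in inventory if h.flash_version]
    current = version_tuple(intel["patched_version"])
    unpatched = [h for h in flash_hosts if version_tuple(h.flash_version) < current]
    patch_rate = 1 - len(unpatched) / len(flash_hosts) if flash_hosts else 1.0
    # Phished users whose host still runs a vulnerable Flash are the immediate priority
    at_risk = sorted(h.name for h in unpatched if h.owner in phish_recipients)
    return {
        "targeted_sector": targeted_sector,
        "flash_installs": len(flash_hosts),
        "patch_rate": round(patch_rate, 2),
        "phished_users": len(phish_recipients),
        "phished_unpatched_hosts": at_risk,
    }

# Constructed inventory: six hosts, three users received the phishing email.
INVENTORY = [
    Host("ws01", "alice", "1.2.3"), Host("ws02", "bob", "1.1.0"),
    Host("ws03", "carol", "1.0.9"), Host("ws04", "dave", None),
    Host("ws05", "erin", "1.2.3"), Host("ws06", "frank", "1.0.9"),
]
PHISHED = {"alice", "bob", "carol"}

if __name__ == "__main__":
    print(assess(INTEL, INVENTORY, "government", PHISHED))
```

The output mirrors the slide's scenario: the sector is targeted, the patch rate is low, and two of the three phished users are on unpatched hosts, which is where response effort goes first.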
If there is no struggle, there is no progress
-Frederick Douglass
Understand the difference: Threat data is not threat intelligence
Get the best talent: Automation alone is not the answer
Some is better than none: Threat intelligence is not all or nothing
Rethink security: The case for intelligence driven operations