Building a Threat Intel Team
Ryan Olson
Director of Threat Intelligence
October, 2014

Quick Survey
• How many of you have threat intelligence teams?
• How many of you use threat intelligence as part of your security operation?
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Agenda
• Who Am I: Me + Unit 42
• What is Threat Intelligence: Role and Value
• How To: Intelligence Cycle; Building the Team

Who
• Head of Unit 42 – Palo Alto Networks Threat Intelligence Team
• Formerly Sr. Manager with Verisign’s iDefense Threat Intelligence service. Specialize in Cyber Crime and Espionage.
• Mission: Analyze the data available to Palo Alto Networks to identify adversaries, their motivations and resources, to better understand the threats our customers face.
[Org chart: CEO, CSO]

What is Threat Intelligence?
“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.”
– Rob McMillan, Gartner

What can a Threat Intel team do for your company?
• “212.83.131.214 is Bad” ✗ (indicator without context)
• “On May 6, 2014, 212.83.131.214 hosted a command and control server for the NetWire RAT on TCP port 3360 in association with an attack from Nigerian cyber criminals…” ✓ (indicator with context)
• Supply Context: Resources and Motivations; Targeting and History
• Identify Risks: High Priority Targets; Resource Allocation
• Support Incident Response: Tactics, Tools and Procedures; Indicators

Intelligence Team Considerations
• Customer: Who’s paying the bills?
• Consumer: Who’s reading/processing the products?
• Products: How do you deliver the intelligence?
• Operations: How do you collect information and turn it into intelligence?

Customer and Consumers
Customer
• Sets high level priorities
• Understand capabilities/limitations
• Attribution, Counter Intel, Brute Squad
Consumer
• Uses intel products
• InfoSec/CSIRT
• Legal/Finance/CorpComms
• Marketing/Sales

Products
• Periodicals: Summaries and trends.
• Alerts: Active events requiring action.
• Requests for Information (RFI): Specific needs of a consumer.
• Data Feeds: Actionable, including context.

The Intelligence Cycle
• Well-established
• Widely used by civilian/military intelligence and law enforcement
• Cycle includes feedback
[Cycle diagram: Direction → Collection → Processing → Analysis → Dissemination → Direction]

The Intelligence Cycle – Direction
• Customer sets high level priorities and mission
  • “Support CSIRT with intelligence on adversaries attacking our organization.”
• Refined to a series of questions to pursue.
• Understand limitations
  • Defines data and capabilities necessary to accomplish mission.

The Intelligence Cycle – Collection
• Collect information from sources necessary to meet requirements
• Internal Systems
  • SIEM, Log Management, Org Charts
  • IPS/NGFW/Sandbox
• External Data
  • Open Source
  • Paid Intelligence Feeds
  • Industry Groups
• Gap Analysis

The Intelligence Cycle – Processing
• Use technology to convert raw information into analyst workflow
• Many sources, many formats.
• Automate as much as possible.
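As an added illustration of the Processing step (not code from the presentation or from Unit 42): three constructed inputs in different formats, a CSV-style paid feed, a JSON open-source feed and NGFW log lines, are normalized into one record per indicator whose context accumulates across sources. The 212.83.131.214 entry and its NetWire RAT / TCP 3360 context come from the slide; the field names, the feed layouts, the log format and the other addresses (198.51.100.7, 203.0.113.20, 10.0.0.x) are assumptions made up for this example. The same record then renders as both products the later slides call for: a human-readable sentence with context, and a machine-readable data feed.

```python
"""Normalize indicators from several feed formats into context-bearing
records (the Processing step), then emit human and machine products.
All input below is constructed sample data for this example."""
import csv
import io
import json
import re
from dataclasses import dataclass, field, asdict
from typing import Dict, List


@dataclass
class Indicator:
    """One normalized indicator. The context dict is what separates
    '212.83.131.214 is bad' from something a consumer can act on."""
    value: str
    ioc_type: str
    first_seen: str                      # ISO date, earliest across sources
    sources: List[str] = field(default_factory=list)
    context: Dict[str, str] = field(default_factory=dict)


# Constructed sample feeds; the layouts deliberately differ from each other.
CSV_FEED = (
    "indicator,type,date,malware,port,actor\n"
    "212.83.131.214,ipv4,2014-05-06,NetWire RAT,3360,Nigerian cyber criminals\n"
)
JSON_FEED = json.dumps({"items": [
    {"ip": "212.83.131.214", "seen": "2014-05-07", "family": "NetWire RAT", "role": "c2"},
    {"ip": "198.51.100.7", "seen": "2014-05-10", "family": "", "role": "scanner"},
]})
FW_LOG = (  # constructed NGFW log lines (hypothetical format)
    "2014-05-06T10:12:33Z fw01 deny src=10.0.0.5 dst=212.83.131.214 dport=3360 proto=tcp\n"
    "2014-05-06T11:02:08Z fw01 deny src=10.0.0.9 dst=212.83.131.214 dport=3360 proto=tcp\n"
    "2014-05-08T09:30:00Z fw01 allow src=10.0.0.5 dst=203.0.113.20 dport=443 proto=tcp\n"
)


def parse_csv_feed(text: str, source: str) -> List[Indicator]:
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        ctx = {k: v for k, v in row.items() if k not in ("indicator", "type", "date") and v}
        out.append(Indicator(row["indicator"], row["type"], row["date"], [source], ctx))
    return out


def parse_json_feed(text: str, source: str) -> List[Indicator]:
    out = []
    for item in json.loads(text)["items"]:
        ctx = {k: v for k, v in (("malware", item.get("family")), ("role", item.get("role"))) if v}
        out.append(Indicator(item["ip"], "ipv4", item["seen"], [source], ctx))
    return out


LOG_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<action>\w+) src=\S+ dst=(?P<dst>\S+) dport=(?P<port>\d+)")


def parse_firewall_log(text: str, source: str) -> List[Indicator]:
    """Internal sightings: every destination the firewall saw, with a hit count."""
    seen: Dict[str, Indicator] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole feed
        dst = m.group("dst")
        if dst not in seen:
            seen[dst] = Indicator(dst, "ipv4", m.group("ts")[:10], [source],
                                  {"port": m.group("port"), "sightings": "0"})
        seen[dst].context["sightings"] = str(int(seen[dst].context["sightings"]) + 1)
    return list(seen.values())


def merge(indicators: List[Indicator]) -> Dict[str, Indicator]:
    """Merge records for the same indicator: earliest date wins, sources are
    unioned, and the first value seen for a context key is kept on conflict."""
    merged: Dict[str, Indicator] = {}
    for ind in indicators:
        key = f"{ind.ioc_type}:{ind.value}"
        if key not in merged:
            merged[key] = Indicator(ind.value, ind.ioc_type, ind.first_seen,
                                    list(ind.sources), dict(ind.context))
            continue
        cur = merged[key]
        cur.first_seen = min(cur.first_seen, ind.first_seen)
        cur.sources.extend(s for s in ind.sources if s not in cur.sources)
        for k, v in ind.context.items():
            cur.context.setdefault(k, v)
    return merged


def to_sentence(ind: Indicator) -> str:
    """Human-consumable product: the indicator with its context."""
    c = ind.context
    s = f"Since {ind.first_seen}, {ind.value}"
    if c.get("malware"):
        role = {"c2": "command and control"}.get(c.get("role"), c.get("role", "malicious"))
        s += f" hosted a {role} server for {c['malware']}"
    else:
        s += " was observed"
    if c.get("port"):
        s += f" on TCP port {c['port']}"
    if c.get("actor"):
        s += f" in association with {c['actor']}"
    if c.get("sightings"):
        s += f" ({c['sightings']} internal sightings)"
    return s + f". Sources: {', '.join(ind.sources)}."


def to_feed(merged: Dict[str, Indicator]) -> str:
    """Machine-consumable product: JSON lines, one record per indicator."""
    return "\n".join(json.dumps(asdict(i), sort_keys=True) for i in merged.values())


def build() -> Dict[str, Indicator]:
    records = (parse_csv_feed(CSV_FEED, "paid-feed")
               + parse_json_feed(JSON_FEED, "open-source")
               + parse_firewall_log(FW_LOG, "ngfw"))
    return merge(records)


if __name__ == "__main__":
    merged = build()
    for ind in merged.values():
        print(to_sentence(ind))
    print(to_feed(merged))
```

Each parser is small because the normalization work is done once, in the shared record and the merge; adding a fourth source means writing one more parser, not touching the products. Keeping the internal firewall sightings as context on the same record is what lets the analysis step later rank an external indicator by whether it has actually been seen on the network.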
The Intelligence Cycle – Analysis
• Where information becomes intelligence.
• Clear away noise, identify what’s important, support decision makers.
• Have the right capabilities
  • Network
  • Malware
  • Forensics
  • Geo-political Analysis

The Intelligence Cycle – Dissemination
• Keep consumer in mind.
• Clear and concise.
• Answer isn’t always simple, but should be comprehensible.
• Timely delivery
  • Before it’s useless
  • Consumable (Machine or Human)

The Intelligence Cycle – Direction (Again)
• What did you learn?
• Did the product meet requirements?
• Do we need new sources/capabilities?
• Do we need to investigate something new?

Before You Start
• Do you have the following under control?
  • Incident Response
  • Patching
  • Network Visibility
• Identify your customer and mission.
• Identify your consumers (be creative)
• Evaluate existing staff
  • Institutional knowledge is important
  • You probably don’t have everything you need.

Resources
• Rick Holland: “Five Steps To Build An Effective Threat Intelligence Capability”
  http://www.coresecurity.com/system/files/attachments/2013/04/RickHollandFiveStepstoBuild.pdf
• Martin Petersen: “What I Learned in 40 Years of Doing Intelligence Analysis for US Foreign Policymakers”
  https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csistudies/studies/vol.-55-no.-1/what-i-learned-in-40-years-of-doing-intelligence-analysis-for-usforeign-policymakers.html
• Unit 42 – White papers, blog, tools.
  https://paloaltonetworks.com/threat-research.html