Threat Intelligence Use in Information Security: History, Theory and Practice
Tim Gallo, Cyber Security Field Engineering

Who am I?
• Infosec professional for 16 years
• Former roles include:
  – Penetration tester
  – Consultant
  – Engineer
  – Policy manager
  – Product manager
  – People manager
• For the past 7 years I have been focusing on the problem of integrating intelligence into security
• The availability of Big Data science and tools has changed the nature of the game…

Historical Use of Threat Intelligence
• Military/LEO
  – Used as part of the investigative process
  – Being used to prevent action and outflank attackers
• Commercial
  – Historical: Collection
  – Today: Correlation
  – Evolution: Prevention

What is Threat Intelligence?
It is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.
• It's not data
• It's not artifacts or indicators
• It's not logs or events or incidents
• It's a combination of all things you know

How do you look at Security Problems?
Three Axioms of solving a security problem
• The optimal place to solve a security problem
  – Is never where you found it.
  – Corollary: And the information for the solution is never in the right form.
• If it's happening to you today,
  – Then it happened to someone else yesterday, and will happen to someone else tomorrow
  – Corollary: And you probably don't know them
• After you figure out what has happened
  – You'll find plenty of signs that could have told you it was coming
  – Corollary: But not all of the signs are in cyberspace, nor available to cyberdefenders
Tony Sager, Chief Technologist, Council on Cyber Security

The Attack Chain
Stages: Reconnaissance, Discovery, Incursion, Exfiltration, Capture

The Kill Chain
Stages: Reconnaissance, Discovery, Incursion, Exfiltration, Capture

Easier said than done…
• We need to combine events to determine what is related first.
• For every intrusion event there is an adversary taking a step towards an intended goal by leveraging a particular capability over infrastructure against a victim to produce a result.

A Diamond Event
• Core features (the four corners around the Event): Adversary, Capability, Infrastructure, Victim
• Meta features: Timestamp, Phase, Result, Direction, Methodology, Resources

The Adversary
There exists a set of adversaries (insiders, outsiders, individuals, groups, and organizations) which seek to compromise computer systems or networks to further their intent and satisfy their needs.
• Adversary Operator
• Adversary Customer

Capability
The capability feature describes the tools or techniques of the adversary used in the event and includes all means to affect the victim, from the most manual "unsophisticated" methods (e.g., manual password guessing) to the most sophisticated automated techniques.
• Capability Capacity
• Adversary Arsenal
• Command and Control

Infrastructure
The infrastructure feature describes the physical and/or logical communication structures the adversary uses to deliver a capability, maintain control of capabilities (e.g., command-and-control/C2), and effect results from the victim (e.g., exfiltrate data).
• Type 1
• Type 2
• Service Provider

Victim
A victim is the target of the adversary, against whom vulnerabilities and exposures are exploited and capabilities are used.
• Victim Persona
• Victim Asset

Building a diamond event
• Typically you don't have all of the items above
• You need to generate these items using an analytic process
• Traditionally we would use technical indicators to identify attack and exploitation
• By correlating that information to known infrastructure leveraged by adversaries you can pivot back to the typical victim and the vulnerabilities exploited

Approach types
• Victim Centered
• Capability Centered
• Infrastructure Centered
• Adversary Centered
• Social-Political Centered
• Technology Centered

Activity Mapping

Storage of information
• Database of common intelligence terms and structures
• Use languages like STIX, TAXII, etc. to more easily share intelligence through community partnerships
• Create metadata tagging systems for your intelligence

Further Reading
• Gartner's definition of Threat Intelligence
• Anything by Tony Sager (the three laws are his…)
• Lockheed Martin paper on the Attack and Kill Chain in Cyberspace
• Harvard paper on Asymmetrical Attacks in Cyberspace

Thank you!
Tim Gallo
Tim_Gallo@symantec.com
@TimJGallo

Copyright © 2014 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice.
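As an added illustration of the "Building a diamond event" and "Storage of information" slides (example code written for this page, not from the deck or from Symantec): a minimal Diamond event record, a constructed set of prior events, and the correlate-then-pivot step from one indicator observed in your own logs to the adversary, other victims and capabilities already tied to that infrastructure, carrying the metadata tags forward. Every event, actor name, victim and indicator below is a constructed placeholder.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class DiamondEvent:
    """Four core features plus meta features; any may be None until analysis fills it in."""
    adversary: Optional[str]
    capability: Optional[str]
    infrastructure: Optional[str]
    victim: Optional[str]
    timestamp: str
    phase: str
    result: str = "unknown"
    tags: set = field(default_factory=set)  # metadata tagging for later sharing

# Constructed sample events, not real intelligence; indicators use reserved
# example ranges (RFC 5737 / RFC 2606) and adversary names are placeholders.
KNOWN_EVENTS = [
    DiamondEvent("ACTOR-A", "credential phishing", "mail.example.net", "Bank 1",
                 "2014-01-10", "Incursion", "success", {"tlp:amber", "sector:finance"}),
    DiamondEvent("ACTOR-A", "remote access trojan", "198.51.100.7", "Bank 2",
                 "2014-02-03", "Capture", "success", {"tlp:amber", "sector:finance"}),
    DiamondEvent(None, "port scanning", "203.0.113.9", "Retailer 1",
                 "2014-02-20", "Reconnaissance", "failure", {"tlp:green"}),
]

def pivot_on_infrastructure(observed, events=KNOWN_EVENTS):
    """From one indicator seen in your own logs, collect the events sharing that
    infrastructure, then widen to everything attributed to the same adversary."""
    direct = [e for e in events if e.infrastructure == observed]
    adversaries = {e.adversary for e in direct if e.adversary}
    related = [e for e in events if e in direct or e.adversary in adversaries]
    return {
        "adversaries": sorted(adversaries),
        "capabilities": sorted({e.capability for e in related if e.capability}),
        "infrastructure": sorted({e.infrastructure for e in related if e.infrastructure}),
        "victims": sorted({e.victim for e in related if e.victim}),
        "phases": sorted({e.phase for e in related}),
        "tags": sorted(set().union(*(e.tags for e in related))),
    }

def build_event(observed, my_asset, timestamp, phase, events=KNOWN_EVENTS):
    """Assemble the Diamond event for your own incident: what you saw goes in directly;
    adversary and capability come from the pivot only when known events agree on one value."""
    ctx = pivot_on_infrastructure(observed, events)
    caps = {e.capability for e in events if e.infrastructure == observed and e.capability}
    return DiamondEvent(
        ctx["adversaries"][0] if len(ctx["adversaries"]) == 1 else None,
        caps.pop() if len(caps) == 1 else None,
        observed, my_asset, timestamp, phase, tags={"source:internal"} | set(ctx["tags"]))
```

An indicator with no known infrastructure match yields an event whose adversary and capability stay None, which is the honest state the slide describes before the analytic process has run.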