Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing
(#ddti)
Alex Pinto, Chief Data Scientist
MLSec Project / Niddel, @alexcpsec
@MLSecProject / Niddel
Agenda
• What is TI good for?
• Combine and TIQ-test
• Measuring Indicators
• Threat Intelligence Sharing
• Future research direction (i.e. will work for data)
HT to @RCISCwendy
What is TI good for (1): Attribution
What is TI good for anyway?
TY to @bfist for his work on http://sony.attributed.to
What is TI good for (2) – Cyber Maps!!
TY to @hrbrmstr for his work on https://github.com/hrbrmstr/pewpew
What is TI good for anyway?
• (3) How about actual defense?
• Strategic vs. tactical vs. operational: planning
• Technical indicators: DFIR and monitoring
Affirming the Consequent Fallacy
1. If A, then B.
2. B.
3. Therefore, A.
1. Evil malware talks to 8.8.8.8.
2. I see traffic to 8.8.8.8.
3. ZOMG, APT!!!
This is a data-driven talk! Please check your anecdotes at the door
Combine and TIQ-Test
• Combine (https://github.com/mlsecproject/combine)
• Gathers TI data (ip/host) from Internet and local files
• Normalizes the data and enriches it (AS/Geo/pDNS)
• Can export to CSV, “tiq-test format” and CRITs
• h/t @kylemaxwell, @sconzo, @c0wl
• TIQ-Test (https://github.com/mlsecproject/tiq-test)
• Runs statistical summaries and tests on TI feeds
• Generates charts based on the tests and summaries
• Written in R (because you should learn a stat language)
• h/t @hrbrmstr
Suddenly Data
https://github.com/mlsecproject/tiq-test-Summer-2015
Using TIQ-TEST – Feeds Selected
• Dataset was separated into “inbound” and “outbound”
TY to @kafeine and John Bambenek for access to their feeds
Data Format for TIQ-TEST
Tons of Threat-y Tests
• NOVELTY – How often do the feeds update themselves?
• AGING – How long does an indicator sit on a feed?
• POPULATION – How does this population distribution compare to my data?
• OVERLAP – How do the indicators compare to the ones you got?
• UNIQUENESS – How many indicators are found only on one feed?
Putting this threat data to work
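The four feed-level tests named above (novelty, aging, overlap, uniqueness) are simple set and date arithmetic over the per-day indicator lists a feed publishes. The block below is an added example that is not part of the talk and not the tiq-test project's own R code: it implements those four tests in Python over a constructed sample of three feeds, using an assumed record layout of (indicator, source feed, date seen). The 203.0.113.0/24 addresses are documentation space, not real indicators.

```python
"""Feed-quality tests in the spirit of tiq-test's NOVELTY, AGING, OVERLAP and
UNIQUENESS tests.  Added example (Python, not the project's R code); the
record layout (indicator, source feed, date seen) and the rows below are
constructed for illustration."""
from collections import defaultdict
from datetime import date
from itertools import combinations

# Constructed sample: one row per (indicator, feed, day the feed listed it).
# 203.0.113.0/24 is documentation space, so nothing here is a real IoC.
SAMPLE = [
    ("203.0.113.10", "feedA", date(2015, 3, 1)),
    ("203.0.113.10", "feedA", date(2015, 3, 2)),
    ("203.0.113.10", "feedA", date(2015, 3, 3)),
    ("203.0.113.11", "feedA", date(2015, 3, 2)),
    ("203.0.113.12", "feedA", date(2015, 3, 3)),
    ("203.0.113.10", "feedB", date(2015, 3, 1)),
    ("203.0.113.20", "feedB", date(2015, 3, 1)),
    ("203.0.113.20", "feedB", date(2015, 3, 2)),
    ("203.0.113.21", "feedB", date(2015, 3, 3)),
    ("203.0.113.10", "feedC", date(2015, 3, 3)),
    ("203.0.113.20", "feedC", date(2015, 3, 3)),
]


def by_source(rows):
    """Indicator set per feed, all days merged."""
    sets = defaultdict(set)
    for ind, src, _ in rows:
        sets[src].add(ind)
    return sets


def overlap(rows):
    """OVERLAP: pairwise Jaccard similarity |A & B| / |A | B| between feeds."""
    sets = by_source(rows)
    result = {}
    for a, b in combinations(sorted(sets), 2):
        union = len(sets[a] | sets[b])
        result[(a, b)] = len(sets[a] & sets[b]) / union if union else 0.0
    return result


def uniqueness(rows):
    """UNIQUENESS: fraction of each feed's indicators found on no other feed."""
    sets = by_source(rows)
    result = {}
    for src, own in sets.items():
        others = set().union(*(s for k, s in sets.items() if k != src))
        result[src] = len(own - others) / len(own) if own else 0.0
    return result


def novelty(rows):
    """NOVELTY: per feed and day, the fraction of that day's indicators the
    feed had never listed before (1.0 = an entirely fresh day)."""
    per_day = defaultdict(lambda: defaultdict(set))
    for ind, src, day in rows:
        per_day[src][day].add(ind)
    result = {}
    for src, days in per_day.items():
        seen, result[src] = set(), {}
        for day in sorted(days):
            today = days[day]
            result[src][day] = len(today - seen) / len(today)
            seen |= today
    return result


def aging(rows):
    """AGING: mean number of days (first to last sighting, inclusive) an
    indicator stays listed on each feed."""
    first, last = {}, {}
    for ind, src, day in rows:
        key = (src, ind)
        first[key] = min(first.get(key, day), day)
        last[key] = max(last.get(key, day), day)
    spans = defaultdict(list)
    for key, start in first.items():
        spans[key[0]].append((last[key] - start).days + 1)
    return {src: sum(v) / len(v) for src, v in spans.items()}


if __name__ == "__main__":
    for name, fn in (("overlap", overlap), ("uniqueness", uniqueness),
                     ("novelty", novelty), ("aging", aging)):
        print(name, fn(SAMPLE))
```

On the constructed sample, feedC scores 0.0 on uniqueness (everything it lists is already on feedA or feedB) while its overlap with feedB is 2/3, which is exactly the "more data is not automatically different data" point the overlap and uniqueness slides make. Running the same functions over a real feed export, one row per indicator per day, gives the per-feed numbers you would compare before paying for another source.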
Overlap Test
More data is fine, but make sure it is different
Overlap Test - Inbound
Overlap Test - Outbound
Uniqueness Test
How many fish REALLY are there at the sea?
I hate quoting myself, but…
Key Takeaway #1
MORE != BETTER Threat Intelligence Indicator Feeds
Threat Intelligence Program
“TI Sharing is TOTALLY going to solve this”
Right, people? Right?
Herd Immunity, is it?
Source: www.vaccines.gov
Threat Intelligence Sharing
We would like to thank the kind contribution of data from the fine folks at Facebook ThreatExchange and ThreatConnect…
…and also the sharing communities that chose to remain anonymous. You know who you are, and we ❤ you too.
Threat Intelligence Sharing – Data
From a period of 2015-03-01 to 2015-05-31:
- Number of Indicators Shared
  § Per day
  § Per member
Not sharing this data – privacy concerns for the members and communities
OVERLAP SLIDE
OVERLAP SLIDE
UNIQUENESS SLIDE
The Cognitive Dissonances of TI Sharing
Everybody should share! The CIRCLE OF TRUST
What do you share?
What do you consume?
The Two Sides of Trust
Activity Test
Is there any actual sharing going on?
Update frequency chart
High 10s average / Low 100s average
Large – 10.000s members / Small – High 10s members
Diversity Test
Check your sharing privilege
Recall Test
But is the data any good?
What does good curation look like?
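The activity, diversity and recall tests above ask three questions of a sharing community: is anyone actually contributing, is the contribution spread across members or carried by a few, and does what gets shared cover the bad things you already know about. The block below is an added example, not code from the talk or from tiq-test: it computes one concrete reading of each test over a constructed community of five members and three days, using an assumed record layout of (member, day, indicator). The Gini coefficient for diversity and the reference-set definition of recall are this example's own choices, since the slides do not spell out the formulas.

```python
"""Sharing-community tests in the spirit of the talk's ACTIVITY, DIVERSITY and
RECALL tests.  Added example, not code from the talk or from tiq-test; the
record layout (member, day, indicator), the sample rows and the concrete
definitions of each metric are this example's own assumptions."""
from collections import Counter

# Constructed sample: one row per indicator a member shared into the community.
SHARES = [
    ("m1", 1, "ind-01"), ("m1", 1, "ind-02"), ("m1", 2, "ind-03"),
    ("m1", 3, "ind-04"), ("m1", 3, "ind-05"),
    ("m2", 1, "ind-06"), ("m2", 3, "ind-07"),
    ("m3", 2, "ind-08"),
]
MEMBERS = ["m1", "m2", "m3", "m4", "m5"]   # m4 and m5 never shared
DAYS = [1, 2, 3]                           # observation window


def activity(shares, members, days):
    """ACTIVITY: indicators per day and per member, plus the fraction of
    members that contributed anything at all in the window."""
    per_day = Counter(day for _, day, _ in shares)
    per_member = Counter(member for member, _, _ in shares)
    active = sum(1 for m in members if per_member[m] > 0)
    return {
        "per_day_avg": len(shares) / len(days),
        "per_member_avg": len(shares) / len(members),
        "active_fraction": active / len(members),
        "per_day": {d: per_day[d] for d in days},
        "per_member": {m: per_member[m] for m in members},
    }


def diversity(shares, members):
    """DIVERSITY (assumed definition): Gini coefficient of contribution counts
    across members; 0.0 means everyone shares equally, values near 1.0 mean a
    handful of members carry the community."""
    counts = sorted(Counter(m for m, _, _ in shares)[m] for m in members)
    n, total = len(counts), sum(counts)
    if total == 0:
        return 0.0
    weighted = sum((i + 1) * c for i, c in enumerate(counts))
    return (2 * weighted) / (n * total) - (n + 1) / n


def recall(shares, reference):
    """RECALL (assumed definition): fraction of a reference set of indicators
    you already know to be bad (e.g. from your own incidents) that the
    community's shared data would have covered."""
    shared = {ind for _, _, ind in shares}
    if not reference:
        return 0.0
    return len(shared & set(reference)) / len(reference)


if __name__ == "__main__":
    print(activity(SHARES, MEMBERS, DAYS))
    print("gini", diversity(SHARES, MEMBERS))
    print("recall", recall(SHARES, ["ind-01", "ind-03", "ind-42", "ind-99"]))
```

In the constructed sample only three of five members ever share and one member posts five of the eight indicators, so the Gini value lands at 0.6; a community whose per-member averages look healthy can still be a single producer with many consumers, which is what the "check your sharing privilege" slide is pointing at. Recall is measured against a reference list of indicators you supply, and it only means something if that list comes from incidents you actually investigated rather than from another feed.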
Karma and Anonymity
Key Takeaway #1
'How can sharing make me better understand what are attacks that “are targeted” and what are “commodity”?'
Telemetry > Analysis
Not everyone should need to know how to hunt to make a meaningful contribution
More Takeaways
• Analyze your data. Extract more value from it!
• If you ABSOLUTELY HAVE TO buy Threat Intelligence or data, evaluate it first.
• Try the sample data, replicate the experiments:
  • https://github.com/mlsecproject/tiq-test-Summer2015
  • http://rpubs.com/alexcpsec/tiq-test-Summer2015
• Share data with us. I’ll make sure it gets proper exercise!
Thanks!
• Q&A?
• Feedback!
“The measure of intelligence is the ability to change.” - Albert Einstein
Alex Pinto, @alexcpsec
@MLSecProject / @NiddelCorp