Crowd-Sourced Threat Intelligence



DESCRIPTION

This talk will include an overview and demo of the Open Threat Exchange (OTX) and describe some of its information sources, including anonymous sharing from Open Source Security Information Management (OSSIM). Jaime will share some of his experiences using OTX as a security researcher. He will also provide his thoughts on how OWASP members can benefit from security research and threat intelligence to "build in" security rather than constantly reacting.


Page 1: Crowd-Sourced Threat Intelligence

Crowd-Sourced Threat Intelligence

Page 2

About me

- Director, AlienVault Labs

- Security Research
- Malware Analysis
- Incident Response

Page 3

The attacker’s advantage

• They only need to be successful once

• Determined, skilled and often funded adversaries

• Custom malware, 0days, multiple attack vectors, social engineering

• Persistent

Page 4

The defender’s disadvantage

• They can’t make a mistake
• Understaffed, jack of all trades, underfunded
• Increasingly complex IT infrastructure:
– Moving to the cloud
– Virtualization
– Bring your own device
• Prevention controls fail to block everything
• Hundreds of systems and vulnerabilities to patch

Page 5

What is Threat Intelligence?

• Information about malicious actors

• Helps you make better decisions about defense

• Examples: IP addresses, domains, URLs, file hashes, TTPs, victims’ industries, countries…

Page 6

How can I use Threat Intelligence?

• Detect what my prevention technologies fail to block

• Security planning, threat assessment

• Improves incident response and triage

• Decide which vulnerabilities I should patch first

Page 7

State of the art

• Most sharing is unstructured & human-to-human

• Closed groups

• Existing standards require knowledge, resources and time to integrate the data

Page 8

Standards & Tools

• IODEF: Incident Object Description Exchange Format

• MITRE:
– STIX: Structured Threat Information eXpression
– TAXII: Trusted Automated eXchange of Indicator Information
– MAEC, CAPEC, CybOX

• CIF: Collective Intelligence Framework

Page 9

Collective Intelligence Framework

Page 10

The Threat Intelligence Pyramid of Pain

Page 11

The Power of the “Crowd” for Threat Detection

Cyber criminals are using (and reusing) the same exploits against others (and you).

Sharing (and receiving) collaborative threat intelligence makes us all more secure.

Using this data, detect, flag and block attackers by means of indicators (threat intel).
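The deck lists the indicator kinds that make up threat intelligence (IP addresses, domains, URLs, file hashes, slide 5) and says the crowd-sourced data is used to detect what prevention missed (slide 6) and to flag attackers in your own environment (slide 11). The following is an added example of that matching step, not code from the talk, from OTX or from OSSIM: a small indicator feed and a handful of log lines, both constructed here, are run through a matcher that normalises each observable before comparison (IP canonical form, lower-cased domains with subdomain matching, normalised URLs, case-insensitive hashes). The feed format, the log formats and every address, name and hash are assumptions made for the example.

```python
"""Match a small threat-intelligence feed against sample log lines.

Added example for this deck, not code from the talk or from OTX/OSSIM.
The feed format, the log formats and every value below are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed indicator feed: one "type,value,description" record per line.
# The types are the indicator kinds the deck lists (IPs, domains, URLs, hashes).
FEED = """\
ip,203.0.113.45,constructed: command-and-control address reported by a member
domain,bad-updates.example,constructed: fake software-update domain
url,http://cdn.example.net/dl/stage2.bin,constructed: second-stage download
sha256,0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef,constructed: dropper hash
"""

# Constructed log lines: firewall, web proxy, DNS resolver and endpoint AV.
LOGS = [
    "2014-03-10T10:12:01Z fw ALLOW src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2014-03-10T10:12:05Z proxy user=alice GET http://cdn.example.net/dl/stage2.bin 200",
    "2014-03-10T10:13:40Z dns client=10.0.0.7 query=updates.bad-updates.example type=A",
    "2014-03-10T10:15:02Z av host=WS-07 file=invoice.exe "
    "sha256=0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF",
    "2014-03-10T10:16:00Z proxy user=carol GET https://www.example.org/ 200",
]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)
HASH_RE = re.compile(r"\b[0-9a-f]{32,64}\b", re.I)
HASH_KINDS = {32: "md5", 40: "sha1", 64: "sha256"}


@dataclass(frozen=True)
class Indicator:
    kind: str
    value: str
    description: str


@dataclass(frozen=True)
class Hit:
    line_no: int
    kind: str
    indicator: str
    observed: str
    description: str


def norm_domain(name: str) -> str:
    """Lower-case and drop a trailing dot so DNS names compare reliably."""
    return name.lower().rstrip(".")


def norm_url(url: str) -> str:
    """Canonical scheme://host/path?query form; host and scheme are case-insensitive."""
    p = urlparse(url)
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}{query}"


def load_feed(text: str) -> list[Indicator]:
    """Parse the constructed feed and normalise each value once, at load time."""
    feed = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        kind, value, description = (s.strip() for s in raw.split(",", 2))
        kind = kind.lower()
        if kind == "ip":
            value = str(ipaddress.ip_address(value))  # canonical textual form
        elif kind == "domain":
            value = norm_domain(value)
        elif kind == "url":
            value = norm_url(value)
        elif kind in HASH_KINDS.values():
            value = value.lower()
        else:
            raise ValueError(f"unknown indicator type {kind!r}")
        feed.append(Indicator(kind, value, description))
    return feed


def extract(line: str):
    """Yield (kind, observable) pairs found in one log line, already normalised."""
    for ip in IP_RE.findall(line):
        try:
            yield "ip", str(ipaddress.ip_address(ip))
        except ValueError:  # e.g. 999.1.1.1 looks like an IP but is not one
            pass
    for digest in HASH_RE.findall(line):
        if len(digest) in HASH_KINDS:
            yield HASH_KINDS[len(digest)], digest.lower()
    for url in URL_RE.findall(line):
        yield "url", norm_url(url)
    for name in DOMAIN_RE.findall(line):
        yield "domain", norm_domain(name)


def matches(ind: Indicator, kind: str, observed: str) -> bool:
    """Domain indicators also cover their subdomains; everything else is exact."""
    if kind != ind.kind:
        return False
    if kind == "domain":
        return observed == ind.value or observed.endswith("." + ind.value)
    return observed == ind.value


def scan(lines, feed: list[Indicator]) -> list[Hit]:
    """Return one Hit per (line, indicator) pair; a line can hit several indicators."""
    hits, seen = [], set()
    for line_no, line in enumerate(lines, 1):
        for kind, observed in extract(line):
            for ind in feed:
                key = (line_no, ind.kind, ind.value)
                if matches(ind, kind, observed) and key not in seen:
                    seen.add(key)
                    hits.append(Hit(line_no, ind.kind, ind.value, observed, ind.description))
    return hits


if __name__ == "__main__":
    for h in scan(LOGS, load_feed(FEED)):
        print(f"line {h.line_no}: {h.kind} {h.observed} matched {h.indicator} ({h.description})")
```

Run as a script it reports four hits, one per feed entry: the firewall line by IP, the proxy line by full URL, the DNS line through the subdomain rule, and the AV line through the case-insensitive hash; the clean proxy line for www.example.org produces nothing. Normalising at load time rather than at match time is what keeps this cheap enough to run over a real log volume, and it is also where a feed's quality shows: an indicator that is too broad (a shared hosting domain, a CDN address) will light up benign traffic, which is why the description column travels with every hit.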

Page 12

Disrupt the Incident response cycle

Detect

Respond

Prevent

A traditional cycle …
1. Prevents known threats.
2. Detects new threats in the environment.
3. Responds to the threats as they happen.

This isolated closed loop offers no opportunity to learn from what others have experienced … no advance notice.

Page 13

Traditional Response

[Diagram: five example organizations, First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom and Marginal Food Products]

Page 14

Traditional Response

[Diagram: the same five organizations (First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom, Marginal Food Products); stage shown: Attack]

Page 15

Traditional Response

[Diagram: the same five organizations (First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom, Marginal Food Products); stages shown: Attack, Detect]

Page 16

Traditional Response

[Diagram: the same five organizations (First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom, Marginal Food Products); stages shown: Attack, Detect, Respond]

Page 17

Traditional Response

[Diagram: same five organizations and same labels as page 16: Attack, Detect, Respond]

Page 18

OTX Enables Preventative Response

Through an automated, real-time threat exchange framework

Page 19

A Real-Time Threat Exchange Framework

[Diagram: the same five organizations (First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom, Marginal Food Products) connected through the Open Threat Exchange; stages shown: Attack, Detect]

Puts Preventative Response Measures in Place Through Shared Experience

Page 20

A Real-Time Threat Exchange Framework

[Diagram: the same five organizations (First Street Credit Union, Alpha Insurance Group, John Elway Auto Nation, Regional Pacific Telecom, Marginal Food Products) connected through the Open Threat Exchange; stages shown: Attack, Detect]

Protects Others in the Network With the Preventative Response Measures

Page 21

Benefits of Open Threat Exchange

Shifts the advantage from the attacker to the defender

Open and free to everyone

Each member benefits from the incidents of all other members

Automated sharing of threat data

Page 22

Open Source Security Information Management

OSSIM/USM

ASSET DISCOVERY
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory

VULNERABILITY ASSESSMENT
• Continuous Vulnerability Monitoring
• Authenticated / Unauthenticated Active Scanning

BEHAVIORAL MONITORING
• Log Collection
• Netflow Analysis
• Service Availability Monitoring

SECURITY INTELLIGENCE
• SIEM Event Correlation
• Incident Response

THREAT DETECTION
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring

USM Product Capabilities

Page 23

Open Threat Exchange

Page 24

Thank you!!

@jaimeblascob

http://www.alienvault.com/open-threat-exchange/blog