Threat Intelligence?
Gavin Reid
VP Threat Intelligence
Lancope
© 2015 Lancope, Inc. All rights reserved.
About the Presenter
• Gavin Reid is Vice President of Threat Intelligence at Lancope. With over 25 years of experience in threat intelligence, Reid was a driving force behind the development of big data analytics and threat identification.
• While serving at Cisco Systems as director of threat research for Security Intelligence Operations, he led a team that developed new data analytics technologies to detect and remediate advanced cybersecurity threats.
• Reid also created and led Cisco’s Computer Security Incident Response Team (CSIRT), a global organization of information security professionals responsible for monitoring, investigating and responding to cybersecurity incidents.
• In addition to his time at Cisco, Reid also served as the vice president of threat intelligence at Fidelity Investments and oversaw IT security at NASA’s Johnson Space Center.
Where are we with security in 2015?
The state of the industry…
The state of the industry…
The state of the industry…
What we need to do differently…
What is threat?
What is intelligence?
What can threat intelligence help you with?
• Are we part of X new hack?
• If the hackers reuse infra, will we notice and be able to take advantage of that?
• Is this file malicious?
• What has this IP done in the past?
• How did we get infected?
• Are we compromised?
• How do we know if we are completely clean of compromise?
Indicators of Compromise…
(diagram: Site A, Site B, Site C, Data Center, Cloud, Internet)
• Observables
• Measurable events
• Stateful properties
“An IOC is an observable artifact of an intrusion on a host or network. Analysts can use it to trace the steps of an attack and identify what was affected, how long it was active or if there are any persisting elements of the intrusion.”
What is an indicator?
* Full list at http://openioc.org/terms/Current.iocterms
IP with no (or invalid) context…
8.8.8.8
IP with context…
Attachment MD5s:
b4fe7224da594703e78d62d9cb85c5f4c3
a00c36ea51040c3a10c557154bc7b15b9
acbcd65555398a7e3fd0f0a389cf9582b7
5b4f8855dbe555bff080c57808aBe699ba
4855340adf5c9d7092e9df08b
Payload URLs:
hxxp://internetz1[.]com/03/39.exe
hxxp://gggrp[.]com/03/59.exe
hxxp://fefg[.]com/03/39.exe
hxxp://woofe[.]com/03/39.exe
hxxp://contestswin[.]net/03/39.exe
Payload MD5:
5e91af2e44c17de55134ff935c0f30f1
C2:
130.0.133[.]35
Malware: Dridex
Attachment File Name: RZZA3440.doc
Feeds…
Sources…
• Industry Orgs
• Secret Groups
• Vendor Threat Intel
• First Party Data
• Government Orgs
• Peer Groups
• Open Source
• CIRTs
• ISACs
What IS context?
• Start time?
• End time?
• Impact?
• Data restriction?
• Who found it? (contact)
• How was it found?
• Related activity?
• Description?
• Confidence?
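As an added example (not code from the deck or from Lancope), the Python below ingests the values printed on the "IP with context" slide into records that carry the context fields listed above. The indicator values are the slide's; everything else in each record (first/last seen, TLP marking, contact, how found, confidence, impact, the 30-day expiry schedule) is a constructed assumption. It also shows why validation belongs at ingest: only the payload MD5, the C2 address and the URLs are well-formed, while the attachment hash strings as printed are not 32 hex characters, so they are handed back for follow-up rather than loaded as indicators that could never match.

```python
"""Indicator records with the context fields the deck asks for.

Added example, not code from the deck or from Lancope. Indicator values are
those printed on the "IP with context" slide; the context values (dates, TLP,
contact, confidence, impact, expiry) are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, urlunsplit

IP_RE = re.compile(r"(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)")
MD5_RE = re.compile(r"[0-9a-fA-F]{32}")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)


def refang(raw: str) -> str:
    """Undo the defanging used on the slide (hxxp://, [.]) so values can be
    compared with real log data. Other defang styles are not handled."""
    v = re.sub(r"^hxxp(s?)://", r"http\1://", raw.strip(), flags=re.I)
    return v.replace("[.]", ".")


def classify(value: str) -> str:
    """Return the indicator kind (ip, md5, url, domain) or raise ValueError.
    Only exactly 32 hex characters count as an MD5: several hash strings on the
    slide are 25 to 34 characters long and would never match anything."""
    if IP_RE.fullmatch(value):
        return "ip"
    if MD5_RE.fullmatch(value):
        return "md5"
    if re.match(r"https?://", value, re.I):
        return "url"
    if DOMAIN_RE.fullmatch(value):
        return "domain"
    raise ValueError(f"unrecognised or malformed indicator: {value!r}")


def normalize(raw: str) -> tuple:
    """Refang, classify and canonicalise: lower-case hashes, hosts and IPs;
    for a URL lower-case only scheme and host (paths are case-sensitive)."""
    v = refang(raw)
    kind = classify(v)
    if kind == "url":
        p = urlsplit(v)
        v = urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))
    else:
        v = v.lower()
    return kind, v


@dataclass
class Indicator:
    """One IOC plus the context the 'What IS context?' slide asks for."""
    value: str
    kind: str
    description: str
    source: str            # who found it (contact)
    how_found: str         # how was it found
    first_seen: datetime   # start time
    last_seen: datetime    # end time / last activity
    confidence: int        # 0-100
    restriction: str       # data restriction, e.g. TLP:AMBER
    impact: str
    related: list = field(default_factory=list)   # related activity
    ttl_days: int = 30     # expiry schedule, counted from last_seen

    def expired(self, now: datetime) -> bool:
        return now > self.last_seen + timedelta(days=self.ttl_days)


# Raw values exactly as printed on the slide: attachment MD5s, payload URLs, payload MD5, C2.
SLIDE_VALUES = [
    "b4fe7224da594703e78d62d9cb85c5f4c3", "a00c36ea51040c3a10c557154bc7b15b9",
    "acbcd65555398a7e3fd0f0a389cf9582b7", "5b4f8855dbe555bff080c57808aBe699ba",
    "4855340adf5c9d7092e9df08b",
    "hxxp://internetz1[.]com/03/39.exe", "hxxp://gggrp[.]com/03/59.exe",
    "hxxp://fefg[.]com/03/39.exe", "hxxp://woofe[.]com/03/39.exe",
    "hxxp://contestswin[.]net/03/39.exe",
    "5e91af2e44c17de55134ff935c0f30f1", "130.0.133[.]35",
]

# Constructed context; a real record would carry the values from the report.
CONTEXT = dict(
    description="Dridex, attachment RZZA3440.doc",
    source="peer CIRT (constructed contact)",
    how_found="sandbox detonation of spearphish attachment",
    first_seen=datetime(2015, 3, 1, tzinfo=timezone.utc),
    last_seen=datetime(2015, 3, 9, tzinfo=timezone.utc),
    confidence=80, restriction="TLP:AMBER", impact="credential theft",
)


def ingest(raw_values: list, context: dict) -> tuple:
    """Build Indicator records; malformed values are returned separately
    rather than dropped silently, so the analyst can chase the source."""
    accepted, rejected = [], []
    for raw in raw_values:
        try:
            kind, value = normalize(raw)
        except ValueError:
            rejected.append(raw)
            continue
        accepted.append(Indicator(value=value, kind=kind, **context))
    return accepted, rejected


def expired_values(indicators: list, now_iso: str) -> list:
    """Values whose expiry schedule has passed as of now_iso (YYYY-MM-DD, UTC)."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    return [i.value for i in indicators if i.expired(now)]


if __name__ == "__main__":
    ok, bad = ingest(SLIDE_VALUES, CONTEXT)
    for i in ok:
        print(f"{i.kind:6} {i.value}  conf={i.confidence} {i.restriction}")
    print("rejected as malformed:", bad)
```

The expiry schedule is relative to `last_seen`, not to the ingest date, so an indicator that was already a month old when it arrived drops out of comparison immediately unless the source refreshes its last-seen time; that is the behaviour the "expiring the indicators on predefined schedules" note describes.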
Data Enrichment…
• Whois
• GeoLocation
• Reputation
• History
• Hash
• PDNS
• VirusTotal
• Sandboxing
• Confidence
Types of ingestion…
• Machine: STIX, TAXII, CSV, JSON
• Manual: Email lists, PDF alerts, Phone call from other IRT
Operationalizing…
Data Source → Feed Manager → Comparison Engine (fed by Internal Data)
Operationalizing…
Data Source → Feed Manager → Comparison Engine → Decision: Is there a match?
• Internal Data: IDS/IPS, HIDS, NetFlow, …
• Subscribed Feeds: Internet Identity, iSight Partners, ZeusTracker, CriticalStack
• Feed Manager: Soltra, ThreatConnect, CRITs
• Comparison Engine: Splice/Splunk, SIM, Logger
Data Jockey…
Getting data ready vs. Working on data
Can you protect what you can’t see?
Concerns…
• False Positives
• No or Poor context
• Time
• Inability to Operationalize
• Only gives a 48hr head start
• Issue with Sharing
IOC Lifecycle…
Create IOCs → Deploy IOCs → Identify Affected Systems → Collect Data → Analyze Data → (back to Create IOCs)
Make sure you have deliverables…
• Beyond needle and haystack
• Prove the negative
• Deliver daily, weekly, monthly
• Lead the organization’s perspective on threat
Bringing it Together
• Investigator finds new malware in a Word doc used in a spearphish
  – hashes the file: 7c47ff87c0frca93e135c9acffee48d3f
  – sandboxes it and finds the C2
• Queries the TI database (Intel 471) and finds that the same file/C2 has been used before by a specific hacker group X
• Group X uses various hacker forums, IRC, samples, URLs and C2s
• Checks NetFlow for IRC connections to the server. Runs the new IOCs through the comparison engine and finds other infections, helping the organization completely understand and fix the problem
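The comparison engine from the Operationalizing slides, carried through the walk-through above, as an added Python example that is not code from the deck or from Lancope. The C2 address, payload URL and payload MD5 reuse the values from the "IP with context" slide; the feed metadata, expiry dates, internal addresses, flow records, proxy lines and file inventory are constructed. The engine indexes only indicators still inside their expiry schedule, streams NetFlow-style records, proxy entries and endpoint hashes past that index, tags flows to a matched address on IRC ports (the "check NetFlow for IRC connections" step), and on a re-run reports only what it has not reported before, which is the "compare all to all, then anything new" approach the speaker note for slide #12 describes.

```python
"""Comparison engine: run active IOCs against internal data and report matches.

Added example for the Operationalizing and Bringing it Together slides; not
code from the deck or from Lancope. Slide values: the C2 address, payload URL
and payload MD5. Everything else (feed metadata, hosts, flows, proxy lines,
file inventory) is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

IRC_PORTS = {6667, 6697}  # conventional IRC and IRC-over-TLS ports


@dataclass(frozen=True)
class Ioc:
    kind: str        # ip | url | md5 | domain
    value: str       # already refanged and normalised
    source: str
    confidence: int
    expires: date    # end of the indicator's expiry schedule


@dataclass(frozen=True)
class Match:
    host: str
    ioc: Ioc
    evidence: str
    tags: tuple = ()


# Constructed feed; the last entry is past its expiry date and must be ignored.
FEED = [
    Ioc("ip", "130.0.133.35", "peer CIRT", 80, date(2015, 4, 8)),
    Ioc("url", "http://internetz1.com/03/39.exe", "peer CIRT", 80, date(2015, 4, 8)),
    Ioc("md5", "5e91af2e44c17de55134ff935c0f30f1", "peer CIRT", 80, date(2015, 4, 8)),
    Ioc("ip", "198.51.100.7", "open feed", 30, date(2015, 1, 1)),
]

# Constructed internal data: NetFlow-style records, proxy entries, endpoint hash inventory.
NETFLOW = [  # (timestamp, src, dst, dst_port, bytes)
    ("2015-03-10T09:01:00Z", "10.20.1.15", "130.0.133.35", 443, 18234),
    ("2015-03-10T09:03:00Z", "10.20.1.15", "130.0.133.35", 6667, 902),
    ("2015-03-10T09:05:00Z", "10.20.1.42", "198.51.100.7", 80, 512),
    ("2015-03-10T09:06:00Z", "10.20.1.15", "93.184.216.34", 443, 4000),
]
PROXY = [  # (timestamp, client, url)
    ("2015-03-10T08:58:00Z", "10.20.1.15", "http://internetz1.com/03/39.exe"),
    ("2015-03-10T08:59:00Z", "10.20.1.42", "http://example.com/index.html"),
]
HOST_HASHES = [  # (host, path, md5) -- inventory tools often report upper-case hex
    ("10.20.1.15", "C:\\Users\\a\\AppData\\Local\\Temp\\39.exe", "5E91AF2E44C17DE55134FF935C0F30F1"),
    ("10.20.1.42", "C:\\Windows\\notepad.exe", "d41d8cd98f00b204e9800998ecf8427e"),
]


class ComparisonEngine:
    """Index the IOCs that are still active, then stream internal records past them."""

    def __init__(self, feed, today):
        self.index = defaultdict(dict)   # kind -> value -> Ioc
        self.skipped_expired = 0
        for ioc in feed:
            if ioc.expires < today:
                self.skipped_expired += 1
                continue
            self.index[ioc.kind][ioc.value] = ioc
        self.seen = set()                # evidence already reported by an earlier run

    def _hit(self, host, ioc, evidence, tags=()):
        # First run compares all to all; later runs only report what is new.
        if evidence in self.seen:
            return None
        self.seen.add(evidence)
        return Match(host, ioc, evidence, tuple(tags))

    def run(self, netflow, proxy, host_hashes):
        hits = []
        for ts, src, dst, port, nbytes in netflow:
            ioc = self.index["ip"].get(dst)
            if ioc:
                tags = ("irc-port",) if port in IRC_PORTS else ()
                hits.append(self._hit(src, ioc, f"flow {ts} {src}->{dst}:{port} {nbytes}B", tags))
        for ts, client, url in proxy:
            ioc = self.index["url"].get(url)
            if ioc:
                hits.append(self._hit(client, ioc, f"proxy {ts} {client} GET {url}"))
        for host, path, md5 in host_hashes:
            ioc = self.index["md5"].get(md5.lower())
            if ioc:
                hits.append(self._hit(host, ioc, f"file {host} {path} md5={md5.lower()}"))
        return [h for h in hits if h is not None]


def affected_hosts(matches):
    """Decision view per host: IOC kinds matched, best confidence, IRC-port traffic seen."""
    out = {}
    for m in matches:
        e = out.setdefault(m.host, {"kinds": set(), "irc": False, "max_confidence": 0})
        e["kinds"].add(m.ioc.kind)
        e["irc"] = e["irc"] or ("irc-port" in m.tags)
        e["max_confidence"] = max(e["max_confidence"], m.ioc.confidence)
    return out


def demo():
    engine = ComparisonEngine(FEED, today=date(2015, 3, 10))
    first = engine.run(NETFLOW, PROXY, HOST_HASHES)
    second = engine.run(NETFLOW, PROXY, HOST_HASHES)   # nothing new on a re-run
    return engine, first, second


if __name__ == "__main__":
    engine, first, second = demo()
    print(f"expired IOCs skipped: {engine.skipped_expired}; new matches on re-run: {len(second)}")
    for host, info in affected_hosts(first).items():
        print(host, sorted(info["kinds"]), "irc" if info["irc"] else "", info["max_confidence"])
```

A host that matches on all three kinds (the flow to the C2, the payload download through the proxy, and the payload hash on disk) is the "other infection" the walk-through wants to find; the expired open-feed address is skipped even though a flow to it exists, which is the trade-off expiry schedules make between false positives and coverage.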
Thanks!

So You Want a Threat Intelligence Function (But Were Afraid to Ask)


Editor's Notes

  • #4 We are not possibly where we want to be. Even though we have had FIRST conferences, IDS & SIMs, 2015 is shaping up to be the worst ever for cybercrime (and no sight of the summit yet); we are all at risk from adversaries both criminal and state controlled, both foreign and domestic, in ways that were unthinkable before the Information Age. 2014: Target, Home Depot & Sony (synonymous with consumer sales). 2015: Anthem BlueCross, IRS and Office of Personnel Management.
  • #5, #6 We have a bunch of orgs who are part of the problem: with an ostrich-like approach to security they do only what is mandated and have not invested appropriately to protect their organizations. It's really not hard: find out what you MUST protect, protect the living daylights out of that, don't make it easy to access, make it hard, and log the living daylights out of all access. This ISN'T new. Here is an Irish tower from the Middle Ages. They spent a fair bit of the community's resources (and years) in building it, they put the cool shit up in the top and pulled the ladders up when not in use. OK, I am overstating this: we have got really, really good at scaling current security solutions over huge enterprises (right?)
  • #8 So what do we need to do differently? Protect what needs protection, and really protect it, no ½ asses. Log the living daylights out of access to the above. Resource this appropriately. People, people, people.
  • #9 Threat intelligence, like Cyber, has come to mean everything and nothing; what is it really? Hackers are lazy like most people: they will reuse techniques and infrastructure if they can. Originally the purview of the military and .govs, orgs are now starting to implement it, starting to understand that it's only due diligence to check for TTP and infra reuse. Savvy companies are paying attention to what the threat actors are doing / how they are doing it / what infra they are using, to use reuse of TTPs/IOCs as a detection method. Even smarter orgs are basing their security architecture on actual, not theoretical, attacks: an amazing way to prioritize resources. Attribution: the right level; the difference between advanced and scripted.
  • #12 You could give most organizations the goose that lays the golden threat intelligence egg; it wouldn't help them. You have to be instrumented to be able to quickly and completely take advantage of indicators, and most orgs are not. If you can't use the data you get with a lifecycle-managed approach, it won't do you much good. The big problem organizations have with threat intelligence today is how to easily manage the huge amounts of data they have internally to compare with the intelligence they receive: first comparing all to all, then anything new, then expiring the indicators on predefined schedules.
  • #13 How is it done? As well as mailing lists and community organizational sharing (like FIRST), it often takes the form of feeds: open, private, and all over the map in efficacy. When talking to your feed vendors, ask 3 questions: How much of your feed is new? How much is expired? How much is uniquely created content? Then it's up to you to track that yourself; super important.
  • #14 How much time do you want to spend on getting the data available/ready for comparisons vs. actually working on the data? No perfect solutions: dependency hell with CIF, CRITs getting better, and a very smooth Solera/Splice/Splunk combo. Mostly it will be 90/10 or 70/30, or maybe if you're really lucky 50/50; work on moving the needle to 10% data jockey and 90% analysis. It won't start that way.
  • #15 Often good TI only gives you a 48 HR head start. Inherent issue with sharing: public/private feeds are not meant for your org; they are meant for all customers. So what do you do to fix this??? Create your own 1st-party research (pulling malware samples, searching the internet for bad sites, ways you can get exposure to unique attacks).
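The three feed-vendor questions in note #13 (how much is new, how much is expired, how much is unique) are easy to answer yourself once you keep daily snapshots of each feed. The following Python is an added example of doing exactly that, not code from the deck or from Lancope; the feed names and snapshot contents (documentation-range addresses) are constructed.

```python
"""Feed quality tracking: how much of a feed is new, expired and unique.

Added example for the three questions in speaker note #13; not code from the
deck or from Lancope. Feed names and snapshots are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class FeedTracker:
    """Tracks one feed across snapshots and answers: how much is new, expired, unique?"""
    name: str
    current: set = field(default_factory=set)
    first_seen: dict = field(default_factory=dict)   # value -> day it first appeared
    history: list = field(default_factory=list)      # per-snapshot churn numbers

    def update(self, day: str, snapshot: set) -> dict:
        """Record a new snapshot and return the churn numbers for that day."""
        new = snapshot - self.current          # indicators the vendor added
        expired = self.current - snapshot      # indicators the vendor dropped
        for value in new:
            self.first_seen.setdefault(value, day)
        self.current = set(snapshot)
        stats = {
            "day": day, "size": len(snapshot), "new": len(new), "expired": len(expired),
            "new_pct": round(100 * len(new) / len(snapshot), 1) if snapshot else 0.0,
        }
        self.history.append(stats)
        return stats

    def unique_share(self, other_feeds: dict) -> float:
        """Fraction of the current snapshot that no other subscribed feed also carries."""
        if not self.current:
            return 0.0
        others = set().union(*other_feeds.values()) if other_feeds else set()
        return len(self.current - others) / len(self.current)

    def overlap_by_feed(self, other_feeds: dict) -> dict:
        """Per other feed, the fraction of our current snapshot it duplicates."""
        if not self.current:
            return {}
        return {name: len(self.current & vals) / len(self.current)
                for name, vals in other_feeds.items()}


# Constructed snapshots of a paid vendor feed on two consecutive days.
VENDOR_DAY1 = {"203.0.113.10", "203.0.113.11", "203.0.113.12", "198.51.100.5"}
VENDOR_DAY2 = {"203.0.113.11", "203.0.113.12", "198.51.100.5", "192.0.2.77", "192.0.2.78"}
# Constructed snapshots of two free feeds on day 2, used for the uniqueness question.
OTHER_FEEDS = {
    "open-list-a": {"203.0.113.11", "203.0.113.12", "192.0.2.200"},
    "open-list-b": {"203.0.113.12", "198.51.100.250"},
}


def demo():
    tracker = FeedTracker("vendor-x")
    tracker.update("2015-03-09", VENDOR_DAY1)
    day2 = tracker.update("2015-03-10", VENDOR_DAY2)
    return tracker, day2


if __name__ == "__main__":
    tracker, day2 = demo()
    print(day2)
    print("unique share:", tracker.unique_share(OTHER_FEEDS))
    print("overlap:", tracker.overlap_by_feed(OTHER_FEEDS))
```

Run this against every feed you subscribe to and the numbers make the vendor conversation concrete: a feed whose `new` count is near zero for weeks, or whose `unique_share` is small because the free lists already carry the same values, is costing you time in the comparison engine without buying detection.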