Building a Threat Intel Team Ryan Olson Director of Threat Intelligence October, 2014.

Presentation transcript:


Quick Survey
- How many of you have threat intelligence teams?
- How many of you use threat intelligence as part of your security operation?
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.

Agenda
- Who am I: me + Unit 42
- What is threat intelligence: role and value
- How to: the intelligence cycle
- Building the team

Who
- Head of Unit 42, the Palo Alto Networks threat intelligence team.
- Formerly Sr. Manager with Verisign's iDefense threat intelligence service.
- Specialize in cyber crime and espionage.
- Mission: analyze the data available to Palo Alto Networks to identify adversaries, their motivations and resources, to better understand the threats our customers face.

What is Threat Intelligence?
"Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." - Rob McMillan, Gartner
Two statements about the same host:
- X: "… is Bad"
- ✓: "On May 6, 2014, … hosted a command and control server for the NetWire RAT on TCP port 3360 in association with an attack from Nigerian cyber criminals…"
The first is a bare indicator; the second carries the context, mechanism and implications that let a consumer decide what to do, which is what makes it intelligence.

What can a threat intel team do for your company?
- Supply context: resources and motivations; targeting and history.
- Identify risks: high-priority targets; resource allocation.
- Support incident response: tactics, tools and procedures; indicators.

Intelligence Team Considerations (customer, consumers, products, operations)
- Customer: who's paying the bills?
- Consumer: who's reading/processing the products?
- Products: how do you deliver the intelligence?
- Operations: how do you collect information and turn it into intelligence?

Customer and Consumers
- Customer: sets high-level priorities; must understand the team's capabilities and limitations (expectations around attribution, counter intel and the "Brute Squad").
- Consumer: uses the intel products: InfoSec/CSIRT; Legal/Finance/Corp Comms; Marketing/Sales.

Products
- Periodicals: summaries and trends.
- Alerts: active events requiring action.
- Requests for Information (RFI): specific needs of a consumer.
- Data feeds: actionable, including context.

The Intelligence Cycle: Direction → Collection → Processing → Analysis → Dissemination
- Well established.
- Widely used by civilian/military intelligence and law enforcement.
- The cycle includes feedback: dissemination leads back into direction.

The Intelligence Cycle - Direction
- Customer sets high-level priorities and mission, e.g. "Support CSIRT with intelligence on adversaries attacking our organization."
- Refined into a series of questions to pursue.
- Understand limitations.
- Defines the data and capabilities necessary to accomplish the mission.

The Intelligence Cycle - Collection
- Collect information from the sources necessary to meet the requirements.
- Internal systems: SIEM, log management, org charts; IPS/NGFW/sandbox.
- External data: open source; paid intelligence feeds; industry groups.
- Gap analysis: which requirements cannot be answered from the sources you have?

The Intelligence Cycle - Processing
- Use technology to convert raw information into the analyst workflow.
- Many sources, many formats.
- Automate as much as possible.

The Intelligence Cycle - Analysis
- Where information becomes intelligence.
- Clear away noise, identify what's important, support decision makers.
- Have the right capabilities: network, malware, forensics, geo-political.

The Intelligence Cycle - Dissemination
- Keep the consumer in mind.
- Clear and concise: the answer isn't always simple, but it should be comprehensible.
- Timely delivery: before it's useless.
- Consumable (machine or human).
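As an added example (not from the talk and not Unit 42 code), the Processing and Dissemination slides above in working form: three constructed feed snippets in different formats are normalized into one record schema, merged so that corroboration across sources raises confidence, and then emitted both as a machine-consumable feed with an expiry (the "before it's useless" point) and as a human summary that keeps the context separating intelligence from a bare "… is Bad" indicator. Every source name, field, score, date and indicator value is invented for illustration, and the confidence weighting is an assumption rather than any standard.

```python
import csv
import io
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample inputs: three sources, three formats (none are real feeds).
FEED_CSV = """indicator,type,first_seen,confidence,tags
203.0.113.10,ipv4,2014-05-06,high,netwire;c2
198.51.100.7,ipv4,2014-04-01,low,scanner
"""
FEED_JSON = json.dumps({"objects": [
    {"value": "203.0.113.10", "kind": "ip", "seen": "2014-05-06T12:00:00Z",
     "score": 85, "context": "NetWire RAT C2 on TCP/3360"},
    {"value": "evil.example", "kind": "domain", "seen": "2014-05-07T00:00:00Z",
     "score": 60, "context": "phishing landing page"},
]})
FEED_TXT = """# internal sandbox detonations, one indicator per line
203.0.113.10
bad.example
"""
SANDBOX_RUN = datetime(2014, 5, 19, tzinfo=timezone.utc)  # when FEED_TXT was produced (assumed)
NOW = datetime(2014, 5, 20, tzinfo=timezone.utc)          # fixed clock so results are reproducible


@dataclass
class Indicator:
    """One normalized record, whatever format the source used."""
    value: str
    ioc_type: str                 # "ipv4" or "domain"
    first_seen: datetime
    confidence: int               # 0-100 after normalization
    sources: list = field(default_factory=list)
    context: list = field(default_factory=list)


CONF_WORDS = {"low": 30, "medium": 60, "high": 90}   # vendor words mapped onto one numeric scale


def parse_csv(text, source):
    out = []
    for row in csv.DictReader(io.StringIO(text)):
        seen = datetime.strptime(row["first_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
        out.append(Indicator(row["indicator"], row["type"], seen,
                             CONF_WORDS[row["confidence"]], [source], row["tags"].split(";")))
    return out


def parse_json(text, source):
    kinds = {"ip": "ipv4", "domain": "domain"}
    out = []
    for obj in json.loads(text)["objects"]:
        seen = datetime.strptime(obj["seen"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        out.append(Indicator(obj["value"], kinds[obj["kind"]], seen,
                             int(obj["score"]), [source], [obj["context"]]))
    return out


def parse_txt(text, source, observed):
    out = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ioc_type = "ipv4" if line.replace(".", "").isdigit() else "domain"
        out.append(Indicator(line, ioc_type, observed, 70, [source], ["detonated in internal sandbox"]))
    return out


def merge(indicators):
    """Collapse duplicates across sources; earliest sighting and highest score win."""
    by_key = {}
    for ind in indicators:
        cur = by_key.get((ind.ioc_type, ind.value))
        if cur is None:
            by_key[(ind.ioc_type, ind.value)] = ind
            continue
        cur.first_seen = min(cur.first_seen, ind.first_seen)
        cur.confidence = max(cur.confidence, ind.confidence)
        cur.sources += [s for s in ind.sources if s not in cur.sources]
        cur.context += [c for c in ind.context if c not in cur.context]
    for ind in by_key.values():
        # Illustrative weighting (assumption): +5 per additional independent source, capped at 100.
        ind.confidence = min(100, ind.confidence + 5 * (len(ind.sources) - 1))
    return list(by_key.values())


def machine_feed(merged, now, ttl_days=30, min_confidence=50):
    """Machine-consumable product: only fresh, confident indicators, each with an expiry."""
    feed = []
    for ind in merged:
        expires = ind.first_seen + timedelta(days=ttl_days)
        if ind.confidence < min_confidence or expires <= now:
            continue  # stale or weak indicators would only generate noise on the firewall/SIEM
        feed.append({"type": ind.ioc_type, "value": ind.value, "confidence": ind.confidence,
                     "sources": ind.sources, "context": ind.context,
                     "expires": expires.isoformat()})
    return feed


def human_summary(merged, now):
    """Human-consumable product: everything, highest confidence first, with its context."""
    lines = []
    for ind in sorted(merged, key=lambda i: -i.confidence):
        age = (now - ind.first_seen).days
        lines.append(f"{ind.value} ({ind.ioc_type}) confidence {ind.confidence}, first seen {age}d ago, "
                     f"{len(ind.sources)} source(s): " + "; ".join(ind.context))
    return "\n".join(lines)


def build_products(now=NOW):
    raw = (parse_csv(FEED_CSV, "vendor-csv") + parse_json(FEED_JSON, "vendor-json")
           + parse_txt(FEED_TXT, "sandbox", SANDBOX_RUN))
    merged = merge(raw)
    return merged, machine_feed(merged, now), human_summary(merged, now)


if __name__ == "__main__":
    merged, feed, summary = build_products()
    print(json.dumps(feed, indent=2))
    print(summary)
```

The two products differ on purpose: the feed drops the old low-confidence scanner address so an NGFW or SIEM never acts on it, while the summary still lists it so an analyst can see why it was excluded. Swapping the TTL and threshold per consumer (a blocklist wants a short TTL and high confidence; a hunting list tolerates more) is the kind of decision the Direction stage should settle with the customer.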

The Intelligence Cycle - Direction (Again)
- What did you learn?
- Did the product meet the requirements?
- Do we need new sources/capabilities?
- Do we need to investigate something new?

Before You Start
- Do you have the following under control? Incident response; patching; network visibility.
- Identify your customer and mission.
- Identify your consumers (be creative).
- Evaluate existing staff: institutional knowledge is important; you probably don't have everything you need.

Resources
- Rick Holland: "Five Steps To Build An Effective Threat Intelligence Capability"
- Martin Petersen: "What I Learned in 40 Years of Doing Intelligence Analysis for US Foreign Policymakers" (https://…studies/studies/vol.-55-no.-1/what-i-learned-in-40-years-of-doing-intelligence-analysis-for-us-foreign-policymakers.html)
- Unit 42: white papers, blog, tools.
