How to Make Cyber Threat Intelligence Actionable
Ft. Gordon Cyber Security & Technology Day
Ryan O’Daniel, CISSP, Systems Engineer | FireEye Federal Team
March 10, 2016
Introductions

Who am I?
Systems Engineer supporting DoD & IC
Before working at FireEye I supported: IC customer, DIA, Army

Agenda
What is Threat Intel
Why Intelligence is Essential
What’s your Outlook
FireEye Threat Intelligence
Making Threat Intelligence Actionable I
Making Threat Intelligence Actionable II
Q & A
What Is Threat Intel?

Threat Actors
Threat Sponsors
Regional Trends
Malware Families
Botnets & E-Crime
Industry Threats
Financial Threat Actors
Tactics, Techniques, and Procedures

Organizations routinely struggle to understand and prioritize which cyber threats pose the greatest risk to them. New threats appear daily and create fire drills for security teams, who must quickly determine what they can do to protect themselves. Executives and business line owners pepper the security organization with queries on whether their organization is “covered” against these threats. At FireEye, we provide decision makers with the context they need at the technical, strategic and operational levels to make actionable assessments. We intend for threat intelligence to provide security teams with the intelligence and context necessary to deal with security incidents and to understand what threats may be coming down the pike. It is the relevant threat data and analysis, integrated with analytical tools, that helps identify, prioritize and respond to high-priority threats. This context and analysis augments the alerts customers get from their various appliances.

Threat Intelligence is:
Visibility on threat actors, malware, exploits
Tactical: TTPs, indicators, artifacts
Strategic: TTPs over time, industries targeted, data stolen, analysis of motivations and who benefits, attacker infrastructure
WHY INTELLIGENCE IS ESSENTIAL

Evolving Threat Landscape
Professional Attackers: Determined, Organized, Well Funded
Persistent Tactics: Targeted, Innovative, Customized
Sophisticated Tools: Multi-Flow Exploits, Sandbox Detection, Obfuscation

Security Posture Must Focus on Threats, Not Malware
Tactical Intelligence: Detect and Prevent
Contextual Intelligence: Inform Your Response
Strategic Intelligence: Proactively Stay Ahead of Attackers

80%: Observed malware that shows up once
68%: Observed malware that appears in only one organization

As you can see from the slide, cyber intelligence is essential. The evolving and future threat landscape is composed of professional attackers with persistent tactics and sophisticated tools. This reality won’t de-escalate anytime soon. To meet these challenges, security posture must address the actual threats, not just malware. We use the term “intelligence” to describe the analysis and evaluation of data pertaining to cyber threats, and the assessments we make based on a combination of data, people, and technology. In the context of cybersecurity, intelligence can be as granular as our assessment that a particular threat group uses a certain IP address, or as general as an assessment of why threat actors are targeting defense contractors or healthcare insurance companies. Cyber intelligence in the hands of the IT security team can help network defenders take action to protect their networks. In the boardroom and on the battlefield, cyber intelligence provides leaders with the context with which to make strategic decisions and investments.
FireEye: An Intelligent Combination

Forward looking, high fidelity, adversary focused intelligence and actionable advice
A global intelligence collection presence tracking adversaries and operating infrastructure
Intel-led capability development services
Comprehensive API to consume intelligence across security infrastructure

Adversary: iSIGHT, Forward-Look
24x7x365 visibility through 6 worldwide SOCs
45 BILLION URLs analyzed each month
340 MILLION correlation relationships defined
212 PETABYTES sensor traffic analyzed each month

FireEye DTi: Actionable Intelligence

Breach Data
100k hours incident response per year
Major headline breach response
300+ threat groups tracked
200+ consultants
Victim: Mandiant, Post-Breach

Centralized Access to FireEye Intelligence
Share learned institutional knowledge based on years of collection
Share comprehensive cyber intelligence all in one place

Perform Rigorous Attribution & Track Threat Groups
Allow FireEye to make authoritative attribution assessments (e.g., APT1)
Track group tactics based on organized and verifiable data

Provide Context to Cyber Events
Help FireEye & clients understand threat actor motivations
Identify trends within & across each industry

Enhance Corporate Knowledge and Disseminate
Share FireEye expertise internally and with trusted partners
Disseminate intelligence to business units and clients/customers
FIREEYE THREAT INTELLIGENCE

11M+ VM detonations per hour deployed worldwide, sharing threat intel back
100+ consulting engagements “close to breach”
100+ vendors in one of the largest global malware and intel exchange networks
100+ FireEye as a Service customers
External data collection
Intel Database: patented 115 million node graph-based engine, mines data with 600 terabytes of storage and 500M+ captured network streams
Malware triaging systems use proprietary sandboxing, machine learning, and genotyping tech to identify new samples of interest and to automatically extract indicators
Team of 45+ intelligence analysts and foreign policy experts from NSA, CIA, DIA, FBI and military putting intelligence into context

30+ threat groups tracked, in addition to 400+ cells of uncategorized origin
17+ zero-day exploit discoveries since 2013
20M compromised computers check in with FE each hour
41K stolen files comprised from GB of compressed data
1 landmark report which shifted the industry dialog
15+ current industry-specific threat profiles with 10 recurring monthly snapshots and quarterly threat trend reports
24x7 monitoring of attacker command and control servers
400,000 unique malware samples gathered every day

FireEye threat intelligence comes from a variety of sources, including: a global sensor grid made up of deployed FireEye appliances; over 100 consulting engagements or incident responses; open sources and external partnerships. All of this threat intelligence is aggregated into a powerful, proprietary database called Nucleus. The database is managed by FireEye’s threat intelligence analysts. The 45+ analysts produce FIC analytic content and are the same group producing so many public reports receiving media coverage and critical acclaim.

The FireEye analytical team has the background and experience necessary to provide credible assessments while following credible processes, thus ensuring clients can have high confidence in the material output of FireEye Intel, as seen in the bottom section of this slide.

--- About Nucleus ---

All of this threat intelligence is aggregated into FireEye’s proprietary intel database called “Nucleus”. Using its 115 million node, graph-based engine, FireEye analysts can model the relationships between groups’ infrastructure and the operations that they conduct, drawing on data from across FireEye’s products and services with high fidelity, and track threat activity from tools to tactics, operation, mission, and ultimately to sponsor. The observations from Nucleus help us to identify groups and their likely targeting interests. The granular tracking that we use helps create a common operating picture across industries and countries, in entire regions and around the globe. The wealth of information contained within Nucleus (nearly 600 terabytes) not only allows our analysts to track current activity, but also facilitates efforts to research and draw connections to past tools and operations. Our intelligence analysts can use the data archived in Nucleus to identify trends in targeting and changes in threat actors’ TTPs. The findings gained from Nucleus are then pushed back out to our products around the globe, where they help protect our customers and inform our partners. Observations from an incident response investigation at one client inform responders in other engagements and fuel detections in our clients’ product sensors. Every FireEye product receives intelligence updates from Nucleus on the latest malware and threat activity.

Exposing APT1
Nucleus: A Mathematical Graph Database

Unified database of linkages between virtual and physical worlds
Linked entity types: File MD5, IP, FQDN, Person, Whois, Org, Location, Phone Number
How to Make Cyber Threat Intelligence Actionable

Know your industry
Go beyond tactical intelligence
Understand why you’re being attacked
Use intelligence as a strategy to know when you must take action
Allow intelligence to guide you on how to respond to threats
Use intelligence to operate proactively and anticipate likely cyber threats
Participate in and contribute to Community Threat Intelligence
Share
Automate & Orchestrate
Wrap intelligence around your notifications. Enrich your alerts.
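As an added example (not FireEye’s code and not Nucleus data) tying the Nucleus slide to the “enrich your alerts” item above: a small graph of typed linkages using the entity types listed on the Nucleus slide, and an enrichment step that pivots through it to wrap context and attribution around a raw sensor alert. All indicator values, relationship names and function names are constructed for illustration.

```python
from collections import defaultdict, deque

# Constructed sample linkages; hypothetical values, not Nucleus data.
# Node ids are "type:value", using the entity types named on the Nucleus slide.
LINKS = [
    ("file_md5:0123456789abcdef0123456789abcdef", "fqdn:update-check.example", "beacons_to"),
    ("fqdn:update-check.example", "ip:203.0.113.10", "resolves_to"),
    ("fqdn:update-check.example", "whois:registrant@example", "registered_by"),
    ("whois:registrant@example", "person:Registrant A", "identifies"),
    ("person:Registrant A", "org:Threat Group X", "member_of"),
    ("fqdn:files.example", "whois:registrant@example", "registered_by"),
    ("fqdn:files.example", "ip:198.51.100.7", "resolves_to"),
]

def build_graph(links):
    """Undirected adjacency map, so an analyst can pivot in either direction."""
    graph = defaultdict(set)
    for src, dst, rel in links:
        graph[src].add((dst, rel))
        graph[dst].add((src, rel))
    return graph

def pivot(graph, start, max_hops=4):
    """Breadth-first walk outward from one indicator; returns {node: hops}."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for neighbour, _rel in graph.get(node, ()):
            if neighbour not in seen:
                seen[neighbour] = seen[node] + 1
                queue.append(neighbour)
    return seen

def enrich_alert(alert, graph, max_hops=4):
    """Wrap a sensor alert with graph context by entity type; hop count is kept so distant links weigh less."""
    context = defaultdict(list)
    for node, hops in pivot(graph, alert["indicator"], max_hops).items():
        if node != alert["indicator"]:
            ntype, value = node.split(":", 1)
            context[ntype].append((value, hops))
    enriched = dict(alert)
    enriched["intel"] = {k: sorted(v) for k, v in context.items()}
    enriched["attributed_orgs"] = [v for v, _ in context.get("org", [])]
    return enriched

if __name__ == "__main__":
    alert = {"sensor": "nx-01", "indicator": "ip:203.0.113.10", "event": "outbound connection"}
    print(enrich_alert(alert, build_graph(LINKS)))
```

An indicator that is not in the graph yields an alert with empty context rather than an error, which is the behaviour an enrichment stage in an automated pipeline needs.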