Building a Threat Intel Team
Ryan Olson
Director of Threat Intelligence
October, 2014
Quick Survey
How many of you have threat intelligence teams?
How many of you use threat intelligence as part of your security operation?
2 | ©2014, Palo Alto Networks. Confidential and Proprietary.
Agenda
• Who Am I: Me + Unit 42
• What is Threat Intelligence: Role and Value
• How to: Intelligence Cycle, Building the Team
Who
• Head of Unit 42 – Palo Alto Networks Threat Intelligence Team
• Formerly Sr. Manager with Verisign’s iDefense Threat Intelligence service.
• Specialize in Cyber Crime and Espionage
• Mission: Analyze the data available to Palo Alto Networks to identify adversaries, their motivations and resources to better understand the threats our customers face.
(Diagram: CEO, CSO)
What is Threat Intelligence?
“Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard.”
- Rob McMillan, Gartner
What can a Threat Intel team do for your company?
X  “212.83.131.214 is Bad”
✓  “On May 6, 2014, 212.83.131.214 hosted a command and control server for the NetWire RAT on TCP port 3360 in association with an attack from Nigerian cyber criminals…”
Supply Context
• Resources and Motivations
• Targeting and History
Identify Risks
• High Priority Targets
• Resource Allocation
Support Incident Response
• Tactics, Tools and Procedures
• Indicators
Intelligence Team Considerations
• Customer: Who’s paying the bills?
• Consumer: Who’s reading/processing the products?
• Products: How do you deliver the intelligence?
• Operations: How do you collect information and turn it into intelligence?
Customer and Consumers
Customer
• Sets high level priorities
• Understand capabilities/limitations
• Attribution, Counter Intel, Brute Squad
Consumer
• Uses intel products
• InfoSec/CSIRT
• Legal/Finance/CorpComms
• Marketing/Sales
Products
• Periodicals: Summaries and trends.
• Alerts: Active events requiring action.
• Requests for Information (RFI): Specific needs of a consumer.
• Data Feeds: Actionable, including context.
The Intelligence Cycle
• Well-established
• Widely used by civilian/military intelligence and law enforcement
• Cycle includes feedback
(Diagram: Direction, Collection, Processing, Analysis, Dissemination, and back to Direction)
The Intelligence Cycle - Direction
• Customer sets high level priorities and mission
  • “Support CSIRT with intelligence on adversaries attacking our organization.”
• Refined to series of questions to pursue.
• Understand limitations
  • Defines data and capabilities necessary to accomplish mission.
The Intelligence Cycle - Collection
• Collect information from sources necessary to meet requirements
• Internal Systems
  • SIEM, Log Management, Org Charts
  • IPS/NGFW/Sandbox
• External Data
  • Open Source
  • Paid Intelligence Feeds
  • Industry Groups
  • Gap Analysis
The Intelligence Cycle - Processing
• Use technology to convert raw information into analyst workflow
• Many sources, many formats.
• Automate as much as possible.
The Intelligence Cycle - Analysis
• Where information becomes intelligence.
• Clear away noise, identify what’s important, support decision makers.
• Have the right capabilities
  • Network
  • Malware
  • Forensics
  • Geo-political
The Intelligence Cycle - Dissemination
• Keep consumer in mind.
• Clear and concise.
• Answer isn’t always simple, but should be comprehensible.
• Timely delivery
  • Before it’s useless
  • Consumable (Machine or Human)
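Added example, not from the deck: the Processing step ("many sources, many formats, automate"), the "actionable, including context" data feed from the Products slide, and the timeliness point from Dissemination, in Python. It normalizes two constructed feeds with different schemas into one record shape, matches them against constructed firewall log lines on destination IP and port, drops indicators older than an assumed 90-day threshold, and carries the context of the slide's 212.83.131.214 example into the alert instead of a bare "this IP is bad". All feed values, log lines, field names and the `max_age_days` threshold are assumptions made for illustration.

```python
import csv
import json
from collections import namedtuple
from datetime import date

Indicator = namedtuple("Indicator", "ip port first_seen malware actor source")  # one shape for all sources

# Constructed sample feeds (not real intel): a paid CSV feed carrying the slide's
# own example, and an open-source JSON feed that uses a different schema.
PAID_FEED_CSV = ("ip,port,first_seen,malware,actor\n"
                 "212.83.131.214,3360,2014-05-06,NetWire RAT,Nigerian cyber criminals\n")
OSINT_FEED_JSON = ('[{"indicator": "198.51.100.7", "port": 443, "seen": "2014-09-20", '
                   '"family": "generic downloader", "group": "unknown"}]')

def load_indicators():
    """Processing step: many sources, many formats -> one list of Indicator."""
    out = []
    for r in csv.DictReader(PAID_FEED_CSV.splitlines()):
        out.append(Indicator(r["ip"], int(r["port"]), date.fromisoformat(r["first_seen"]),
                             r["malware"], r["actor"], "paid feed"))
    for r in json.loads(OSINT_FEED_JSON):
        out.append(Indicator(r["indicator"], int(r["port"]), date.fromisoformat(r["seen"]),
                             r["family"], r["group"], "open source"))
    return out

# Constructed firewall log lines, as a SIEM might hand them to the analyst workflow.
FIREWALL_LOGS = [
    "2014-05-07T10:02:11Z allow src=10.1.4.22 dst=212.83.131.214 dport=3360",
    "2014-05-07T10:02:15Z allow src=10.1.4.23 dst=212.83.131.214 dport=80",
    "2014-05-07T10:03:00Z allow src=10.1.4.24 dst=203.0.113.9 dport=443",
]

def match_logs(logs, indicators, today, max_age_days=90):
    """Alert only when dst IP *and* port match a still-fresh indicator, and carry context.
    A bare 'this IP is bad' list would also flag the port-80 line above."""
    by_key = {(i.ip, i.port): i for i in indicators}
    alerts = []
    for line in logs:
        f = dict(kv.split("=", 1) for kv in line.split()[2:])
        ind = by_key.get((f["dst"], int(f["dport"])))
        if ind is None or (today - ind.first_seen).days > max_age_days:
            continue  # no match, or stale: "timely delivery, before it's useless"
        alerts.append({"src": f["src"], "dst": ind.ip, "port": ind.port, "malware": ind.malware,
                       "actor": ind.actor, "source": ind.source,
                       "age_days": (today - ind.first_seen).days})
    return alerts

def demo(today_iso="2014-05-07"):
    """Run the pipeline for a given 'today' (ISO date), e.g. from a scheduled job."""
    return match_logs(FIREWALL_LOGS, load_indicators(), date.fromisoformat(today_iso))
```

Run `demo()` to see the single contextual alert; run `demo("2014-09-01")` to see the same indicator suppressed once it is older than the threshold.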
The Intelligence Cycle – Direction (Again)
• What did you learn?
• Did the product meet requirements?
• Do we need new sources/capabilities?
• Do we need to investigate something new?
Before You Start
• Do you have the following under control?
  • Incident Response
  • Patching
  • Network Visibility
• Identify your customer and mission.
• Identify your consumers (be creative).
• Evaluate existing staff
  • Institutional knowledge is important
  • You probably don’t have everything you need.
Resources
• Rick Holland: “Five Steps To Build An Effective Threat Intelligence Capability”
  http://www.coresecurity.com/system/files/attachments/2013/04/RickHollandFiveStepstoBuild.pdf
• Martin Petersen: “What I Learned in 40 Years of Doing Intelligence Analysis for US Foreign Policymakers”
  https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/csistudies/studies/vol.-55-no.-1/what-i-learned-in-40-years-of-doing-intelligence-analysis-for-usforeign-policymakers.html
• Unit 42 – White papers, blog, tools.
  https://paloaltonetworks.com/threat-research.html