data driven threat intelligence metrics on indicator
play

Data-Driven Threat Intelligence: Metrics on Indicator Dissemination - PowerPoint PPT Presentation

Apr 16, 2023 •15 likes •585 views

Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti) AlexandreSieira Alex Pinto CTO Chief Data Scientist Niddel MLSec Project @AlexandreSieira @alexcpsec @NiddelCorp @MLSecProject Agenda Cyber

  1. Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti) AlexandreSieira Alex Pinto CTO Chief Data Scientist Niddel MLSec Project @AlexandreSieira @alexcpsec @NiddelCorp @MLSecProject

  2. Agenda • Cyber War… Threat Intel – What is it good for? • Combine and TIQ-test • Measuring indicators • Threat Intelligence Sharing • Future research direction (i.e. will work for data) HT to @RCISCwendy

  3. Presentation Metrics!! 50-ish Slides 3 Key Takeaways 2 Heartfelt and genuine defenses of Threat Intelligence Providers 1 Prediction on “The Future of Threat Intelligence Sharing”

  4. What is TI good for (1) Attribution

  5. What is TI good for anyway? TY to @bfist for his work on http://sony.attributed.to

  6. What is TI good for (2) – Cyber Maps!! TY to @hrbrmstr for his work on https://github.com/hrbrmstr/pewpew

  7. What is TI good for anyway? • (3) How about actual defense? Strategic and tactical: planning • Technical indicators: DFIR and monitoring •

  8. Affirming the Consequent Fallacy 1. If A, then B. 1. Evil malware talks to 8.8.8.8. 2. B. 2. I see traffic to 8.8.8.8. 3. Therefore, A. 3. ZOMG, APT!!!

  9. But this is a Data-Driven talk!

  10. Combine and TIQ-Test • Combine (https://github.com/mlsecproject/combine) Gathers TI data (ip/host) from Internet and local files • Normalizes the data and enriches it (AS / Geo / pDNS) • Can export to CSV, “tiq-test format” and CRITs • Coming Soon™: CybOX / STIX / SILK /ArcSight CEF • • TIQ-Test (https://github.com/mlsecproject/tiq-test) Runs statistical summaries and tests on TI feeds • Generates charts based on the tests and summaries • Written in R (because you should learn a stat language) •

  11. • https://github.com/mlsecproject/tiq-test-Summer2015

  13. Using TIQ-TEST – Feeds Selected • Dataset was separated into “inbound” and “outbound” TY to @kafeine and John Bambenek for access to their feeds

  14. Using TIQ-TEST – Data Prep • Extract the “raw” information from indicator feeds • Both IP addresses and hostnames were extracted

  15. Using TIQ-TEST – Data Prep • Convert the hostname data to IP addresses: Active IP addresses for the respective date (“A” query) • Passive DNS from Farsight Security (DNSDB) • • For each IP record (including the ones from hostnames): Add asnumber and asname (from MaxMind ASN DB) • Add country (from MaxMind GeoLite DB) • Add rhost (again from DNSDB) – most popular “PTR” •

  16. Using TIQ-TEST – Data Prep Done

  17. Novelty Test Measuring added and dropped indicators

  18. Novelty Test - Inbound

  19. Aging Test Is anyone cleaning this mess up eventually?

  20. INBOUND

  21. OUTBOUND

  22. Population Test • Let us use the ASN and GeoIP databases that we used to enrich our data as a reference of the “true” population. • But, but, human beings are unpredictable! We will never be able to forecast this!

  24. Is your sampling poll as random as you think?

  25. Can we get a better look? • Statistical inference-based comparison models (hypothesis testing) Exact binomial tests (when we have the “true” pop) • Chi-squared proportion tests (similar to • independence tests)

  27. Overlap Test More data can be better, but make sure it is not the same data

  28. Overlap Test - Inbound

  29. Overlap Test - Outbound

  30. Uniqueness Test

  31. Uniqueness Test • “Domain-based indicators are unique to one list between 96.16% and 97.37%” • “IP-based indicators are unique to one list between 82.46% and 95.24% of the time”

  33. I hate quoting myself, but…

  34. Key Takeaway #1 Key Takeaway #1 MORE != BETTER Threat Intelligence Threat Intelligence Indicator Feeds Program

  35. Intermission

  37. Key Takeaway #2

  38. Key Takeaway #1 "These are the problems Threat Intelligence Sharing is here to solve!” Right?

  39. Herd Immunity, is it? Source: www.vaccines.gov

  40. Herd Immunity… … would imply that others in your sharing community being immune to malware A meant you wouldn’t get it even if you were still vulnerable to it.

  41. Threat Intelligence Sharing • How many indicators are being shared? • How many members do actually share and how many just leech? • Can we measure that? What a super-deeee-duper idea!

  42. Threat Intelligence Sharing We would like to thank the kind contribution of data from the fine folks at Facebook Threat Exchange and Threat Connect… … and also the sharing communities that chose to remain anonymous. You know who you are, and we ❤ you too.

  43. Threat Intelligence Sharing – Data From a period of 2015-03-01 to 2015-05-31: - Number of Indicators Shared § Per day § Per member Not sharing this data – privacy concerns for the members and communities

  44. Update frequency chart

  47. OVERLAP SLIDE

  48. OVERLAP SLIDE

  49. UNIQUENESS SLIDE

  50. MATURITY?

  51. “Reddit of Threat Intelligence”?

  53. Key Takeaway #1 'How can sharing make me better understand what are attacks that “are targeted” and what are “commodity”?'

  54. Key Takeaway #3 Key Takeaway #1 (Also Prediction #1) TELEMETRY > CONTENT

  55. More Takeaways (I lied) • Analyze your data. Extract more value from it! • If you ABSOLUTELY HAVE TO buy Threat Intelligence or data, evaluate it first. • Try the sample data, replicate the experiments: • https://github.com/mlsecproject/tiq-test-Summer2015 • http://rpubs.com/alexcpsec/tiq-test-Summer2015 • Share data with us. I’ll make sure it gets proper exercise!

  57. Thanks! Alex Pinto Alexandre Sieira • Q&A? @alexcpsec @AlexandreSieira • Feedback! @MLSecProject @NiddelCorp ”The measure of intelligence is the ability to change." - Albert Einstein

Recommend

Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3

Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3

Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3 October 2018 What is Intelligence Convincing evidence Probable cause, beyond a reasonable doubt, or preponderance of

646 views • 25 slides
Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost January 12, 2016 whoami Jason Trost VP of Threat Research @ ThreatStream Previously at Sandia, DoD, Booz Allen, Endgame Inc. Background

473 views • 28 slides
THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat

THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat

THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat Intelligence (CTI) Define Cyber Intelligence (CI) Understand the importance of CTI to an organization Components of Threat Sources of

197 views • 19 slides
Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland National Cybersecurity and Communications Integration Center Security whoami Cyber Threat Analyst at Northrop Grumman Performed wide range of

550 views • 20 slides
Strategic Intelligence: Data-driven Business Growth Liz Graham, VP Sales & Service Agenda

Strategic Intelligence: Data-driven Business Growth Liz Graham, VP Sales & Service Agenda

Strategic Intelligence: Data-driven Business Growth Liz Graham, VP Sales & Service Agenda Wayfair overview Why Maine? Data-driven growth Advertising & repeat customer growth Specialized sales, targeted marketing

497 views • 28 slides
Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
Metrics-Driven Design In Gods we trust, all others bring data. by Joshua Porter Dustin Curtis

Metrics-Driven Design In Gods we trust, all others bring data. by Joshua Porter Dustin Curtis

Metrics-Driven Design In Gods we trust, all others bring data. by Joshua Porter Dustin Curtis Twitter copy test was hugely popular, showing widespread interest in testing. @bokardo Small changes in copy can have large effects.

738 views • 52 slides
DataBIN Data-Driven Secure Business Intelligence Devdatt Dubhashi David

DataBIN Data-Driven Secure Business Intelligence Devdatt Dubhashi David

DataBIN Data-Driven Secure Business Intelligence Devdatt Dubhashi David Sands Major Challenges How do we automatically extract meaningful info from unstructured text,

819 views • 19 slides
DoD in a Data-Driven Age Lieutenant General Jack Shanahan OUSDI Director for Defense Intelligence

DoD in a Data-Driven Age Lieutenant General Jack Shanahan OUSDI Director for Defense Intelligence

PROTOTYPE WARFARE: DoD in a Data-Driven Age Lieutenant General Jack Shanahan OUSDI Director for Defense Intelligence (Warfighter Support) 1 November 2017 Information Processing Techniques Office (1962) Perceptron (1958) IARPA (2006) MINOS

517 views • 30 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Artificial Intelligence meets Data Driven Astrophysics Kevin Schawinski Institute for Particle

Artificial Intelligence meets Data Driven Astrophysics Kevin Schawinski Institute for Particle

Artificial Intelligence meets Data Driven Astrophysics Kevin Schawinski Institute for Particle Physics and Astrophysics ETH Zurich ETH black hole group @kevinschawinski Grp Bgg Negar Politecnic da Zrig how can machine learning/

614 views • 39 slides
MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat

MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat

MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat Intelligence and Hunting Jamie Buening, Manager, Threat Intelligence and Hunting, MISO August 21, 2019 MRO SAC Update Technical Training and Social

478 views • 45 slides
Measuring Intangible Assets (IP & Data) for the Knowledge-based and Data-driven Economy Jim

Measuring Intangible Assets (IP & Data) for the Knowledge-based and Data-driven Economy Jim

Measuring Intangible Assets (IP & Data) for the Knowledge-based and Data-driven Economy Jim Balsillie Chair and Co-founder of CIGI IMF Statistical Forum November 20, 2018 Big Data, Artificial Intelligence and Machine-learning Challenges

342 views • 13 slides
Embracing the Age of Intelligence Data-driven decision making in an agile organisation April 2018

Embracing the Age of Intelligence Data-driven decision making in an agile organisation April 2018

Embracing the Age of Intelligence Data-driven decision making in an agile organisation April 2018 Andrew Sales - CA Technologies Borja Soler - Fourth CA Technologies (Formerly Rally) CA Technologies offers software and services solutions that

1.21k views • 29 slides
The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response Michael Melore, CISSP IBM Cyber Security Advisor @MichaelMelore June 2018 May 2018 May 2018 Threat Hunting Workflow Cognitive Advanced Analytics

443 views • 15 slides
Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Introduction Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430) Inquisitive people, unintentional blunders Hackers driven by technical challenges Disgruntled employees or

357 views • 23 slides
1 Data-dr Data-driven philosophy n philosophy Data-dr Data-driven: push n: push 7 8

1 Data-dr Data-driven philosophy n philosophy Data-dr Data-driven: push n: push 7 8

What What is is a a senso sensor network? network? 2 Tiny, untethered nodes with severe resource constraints Sensors, e.g., light, moisture, Tiny CPU and memory Da Data ta-Driven Pr -Driven Proc ocessing essing

177 views • 7 slides
Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling

Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling

Implementing Consequence-Driven Cybersecurity with Continuous ICS Monitoring & Threat Modeling Phil Neray, VP of Industrial Cybersecurity Agenda NotPetya: How a Single Piece of Code Crashed the World (Wired) VPNFilter Update

610 views • 24 slides
Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies,

Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies,

Bridging Security In Intelligence: Hacking, g, Threat Hunting, g, AI, I, Behavioral Anomalies, and In Incident Response Dangerous Toys USB Device Impersonators USB Killers Man in the Middle Faceplates Wireless Pineapples Payload Phone

727 views • 30 slides
Categories of indicators Methodology Data Indicator Compound indicator Available Available

Categories of indicators Methodology Data Indicator Compound indicator Available Available

Categories of indicators Methodology Data Indicator Compound indicator Available Available Category Category I : Indicators for which a methodology exists, or has been proposed, Y Y 1 and for which data are already widely available in a

319 views • 8 slides
BD assessment proposal for data/assessment visualization tool Georg Martin & Kaire Torn

BD assessment proposal for data/assessment visualization tool Georg Martin & Kaire Torn

BD assessment proposal for data/assessment visualization tool Georg Martin & Kaire Torn Estonian Marine Institute, University of Tartu Schematic presentation of BD assessment workspace Indicator data: Indicator data: Indicator data:

469 views • 22 slides
Th The ABC BCs of of ICS Th Threat Act ctiv ivit ity y Grou oups Au August st 2 26, 2

Th The ABC BCs of of ICS Th Threat Act ctiv ivit ity y Grou oups Au August st 2 26, 2

Th The ABC BCs of of ICS Th Threat Act ctiv ivit ity y Grou oups Au August st 2 26, 2 2020 Sergio Caltagirone Dave Bittner VP Threat Intelligence Producer & Host Dragos The CyberWire Podcast Before we get started - The

874 views • 17 slides
Delivering Intelligence from space Crop Forecasting Pipeline Monitoring Market Intelligence

Delivering Intelligence from space Crop Forecasting Pipeline Monitoring Market Intelligence

Delivering Intelligence from space Crop Forecasting Pipeline Monitoring Market Intelligence Gathering Plane & Ship Tracking 3 Distributed Data Engineering - Lessons 4 Distributed Data Engineering - Lessons 1. Metrics 5 Distributed

553 views • 53 slides
The Metrics Design Pattern Metrics Driven Development Stephanie Kaiser & Horia Dragomir

The Metrics Design Pattern Metrics Driven Development Stephanie Kaiser & Horia Dragomir

The Metrics Design Pattern Metrics Driven Development Stephanie Kaiser & Horia Dragomir Stephanie Kaiser & Horia Dragomir wooga wooga The Metrics Design Pattern A story about a game Monster World DAU 1.200.000 1.000.000 800.000

827 views • 64 slides

More recommend