data driven threat intelligence metrics on indicator
play

Data-Driven Threat Intelligence: Metrics on Indicator Dissemination - PowerPoint PPT Presentation

Apr 16, 2023 •15 likes •585 views

Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti) AlexandreSieira Alex Pinto CTO Chief Data Scientist Niddel MLSec Project @AlexandreSieira @alexcpsec @NiddelCorp @MLSecProject Agenda Cyber

  1. Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing (#ddti) AlexandreSieira Alex Pinto CTO Chief Data Scientist Niddel MLSec Project @AlexandreSieira @alexcpsec @NiddelCorp @MLSecProject

  2. Agenda • Cyber War… Threat Intel – What is it good for? • Combine and TIQ-test • Measuring indicators • Threat Intelligence Sharing • Future research direction (i.e. will work for data) HT to @RCISCwendy

  3. Presentation Metrics!! 50-ish Slides 3 Key Takeaways 2 Heartfelt and genuine defenses of Threat Intelligence Providers 1 Prediction on “The Future of Threat Intelligence Sharing”

  4. What is TI good for (1) Attribution

  5. What is TI good for anyway? TY to @bfist for his work on http://sony.attributed.to

  6. What is TI good for (2) – Cyber Maps!! TY to @hrbrmstr for his work on https://github.com/hrbrmstr/pewpew

  7. What is TI good for anyway? • (3) How about actual defense? Strategic and tactical: planning • Technical indicators: DFIR and monitoring •

  8. Affirming the Consequent Fallacy 1. If A, then B. 1. Evil malware talks to 8.8.8.8. 2. B. 2. I see traffic to 8.8.8.8. 3. Therefore, A. 3. ZOMG, APT!!!

  9. But this is a Data-Driven talk!

  10. Combine and TIQ-Test • Combine (https://github.com/mlsecproject/combine) Gathers TI data (ip/host) from Internet and local files • Normalizes the data and enriches it (AS / Geo / pDNS) • Can export to CSV, “tiq-test format” and CRITs • Coming Soon™: CybOX / STIX / SILK /ArcSight CEF • • TIQ-Test (https://github.com/mlsecproject/tiq-test) Runs statistical summaries and tests on TI feeds • Generates charts based on the tests and summaries • Written in R (because you should learn a stat language) •

  11. • https://github.com/mlsecproject/tiq-test-Summer2015

  13. Using TIQ-TEST – Feeds Selected • Dataset was separated into “inbound” and “outbound” TY to @kafeine and John Bambenek for access to their feeds

  14. Using TIQ-TEST – Data Prep • Extract the “raw” information from indicator feeds • Both IP addresses and hostnames were extracted

  15. Using TIQ-TEST – Data Prep • Convert the hostname data to IP addresses: Active IP addresses for the respective date (“A” query) • Passive DNS from Farsight Security (DNSDB) • • For each IP record (including the ones from hostnames): Add asnumber and asname (from MaxMind ASN DB) • Add country (from MaxMind GeoLite DB) • Add rhost (again from DNSDB) – most popular “PTR” •

  16. Using TIQ-TEST – Data Prep Done

  17. Novelty Test Measuring added and dropped indicators

  18. Novelty Test - Inbound

  19. Aging Test Is anyone cleaning this mess up eventually?

  20. INBOUND

  21. OUTBOUND

  22. Population Test • Let us use the ASN and GeoIP databases that we used to enrich our data as a reference of the “true” population. • But, but, human beings are unpredictable! We will never be able to forecast this!

  24. Is your sampling poll as random as you think?

  25. Can we get a better look? • Statistical inference-based comparison models (hypothesis testing) Exact binomial tests (when we have the “true” pop) • Chi-squared proportion tests (similar to • independence tests)

  27. Overlap Test More data can be better, but make sure it is not the same data

  28. Overlap Test - Inbound

  29. Overlap Test - Outbound

  30. Uniqueness Test

  31. Uniqueness Test • “Domain-based indicators are unique to one list between 96.16% and 97.37%” • “IP-based indicators are unique to one list between 82.46% and 95.24% of the time”

  33. I hate quoting myself, but…

  34. Key Takeaway #1 Key Takeaway #1 MORE != BETTER Threat Intelligence Threat Intelligence Indicator Feeds Program

  35. Intermission

  37. Key Takeaway #2

  38. Key Takeaway #1 "These are the problems Threat Intelligence Sharing is here to solve!” Right?

  39. Herd Immunity, is it? Source: www.vaccines.gov

  40. Herd Immunity… … would imply that others in your sharing community being immune to malware A meant you wouldn’t get it even if you were still vulnerable to it.

  41. Threat Intelligence Sharing • How many indicators are being shared? • How many members do actually share and how many just leech? • Can we measure that? What a super-deeee-duper idea!

  42. Threat Intelligence Sharing We would like to thank the kind contribution of data from the fine folks at Facebook Threat Exchange and Threat Connect… … and also the sharing communities that chose to remain anonymous. You know who you are, and we ❤ you too.

  43. Threat Intelligence Sharing – Data From a period of 2015-03-01 to 2015-05-31: - Number of Indicators Shared § Per day § Per member Not sharing this data – privacy concerns for the members and communities

  44. Update frequency chart

  47. OVERLAP SLIDE

  48. OVERLAP SLIDE

  49. UNIQUENESS SLIDE

  50. MATURITY?

  51. “Reddit of Threat Intelligence”?

  53. Key Takeaway #1 'How can sharing make me better understand what are attacks that “are targeted” and what are “commodity”?'

  54. Key Takeaway #3 Key Takeaway #1 (Also Prediction #1) TELEMETRY > CONTENT

  55. More Takeaways (I lied) • Analyze your data. Extract more value from it! • If you ABSOLUTELY HAVE TO buy Threat Intelligence or data, evaluate it first. • Try the sample data, replicate the experiments: • https://github.com/mlsecproject/tiq-test-Summer2015 • http://rpubs.com/alexcpsec/tiq-test-Summer2015 • Share data with us. I’ll make sure it gets proper exercise!

  57. Thanks! Alex Pinto Alexandre Sieira • Q&A? @alexcpsec @AlexandreSieira • Feedback! @MLSecProject @NiddelCorp ”The measure of intelligence is the ability to change." - Albert Einstein

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3

Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3

Threat Intelligence Jeremy Batterman Global Leader Threat Intelligence GREM, EnCE, GCFA, MBA 3 October 2018 What is Intelligence Convincing evidence Probable cause, beyond a reasonable doubt, or preponderance of

646 views • 25 slides
Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost

Distributed Sensor Data Contextualization at Scale for Threat Intelligence Analysis Jason Trost January 12, 2016 whoami Jason Trost VP of Threat Research @ ThreatStream Previously at Sandia, DoD, Booz Allen, Endgame Inc. Background

473 views • 28 slides
THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat

THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat

THE ANATOMY OF CYBER THREAT INTELLIGENCE (CTI) Noureen Njoroge OVERVIEW Define Cyber Threat Intelligence (CTI) Define Cyber Intelligence (CI) Understand the importance of CTI to an organization Components of Threat Sources of

197 views • 19 slides
Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland

Intelligence Driven Malware Analysis (IDMA) Malicious Profiling 14 January 2015 Homeland National Cybersecurity and Communications Integration Center Security whoami Cyber Threat Analyst at Northrop Grumman Performed wide range of

550 views • 20 slides
Strategic Intelligence: Data-driven Business Growth Liz Graham, VP Sales & Service Agenda

Strategic Intelligence: Data-driven Business Growth Liz Graham, VP Sales & Service Agenda

Strategic Intelligence: Data-driven Business Growth Liz Graham, VP Sales & Service Agenda Wayfair overview Why Maine? Data-driven growth Advertising & repeat customer growth Specialized sales, targeted marketing

497 views • 28 slides
Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger

PUBLIC Agenda What is Cyber Threat Intelligence (CTI) Sandbox Malware analysis Debugger Malware analysis Static RE with IDA pro Arme suisse EPFL 2019 2 Base daide au commandement BAC Applied Cyber Threat Intelligence

765 views • 63 slides
Metrics-Driven Design In Gods we trust, all others bring data. by Joshua Porter Dustin Curtis

Metrics-Driven Design In Gods we trust, all others bring data. by Joshua Porter Dustin Curtis

Metrics-Driven Design In Gods we trust, all others bring data. by Joshua Porter Dustin Curtis Twitter copy test was hugely popular, showing widespread interest in testing. @bokardo Small changes in copy can have large effects.

738 views • 52 slides
DataBIN Data-Driven Secure Business Intelligence Devdatt Dubhashi David

DataBIN Data-Driven Secure Business Intelligence Devdatt Dubhashi David

DataBIN Data-Driven Secure Business Intelligence Devdatt Dubhashi David Sands Major Challenges How do we automatically extract meaningful info from unstructured text,

819 views • 19 slides
DoD in a Data-Driven Age Lieutenant General Jack Shanahan OUSDI Director for Defense Intelligence

DoD in a Data-Driven Age Lieutenant General Jack Shanahan OUSDI Director for Defense Intelligence

PROTOTYPE WARFARE: DoD in a Data-Driven Age Lieutenant General Jack Shanahan OUSDI Director for Defense Intelligence (Warfighter Support) 1 November 2017 Information Processing Techniques Office (1962) Perceptron (1958) IARPA (2006) MINOS

517 views • 30 slides
Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los

Offensive Threat Modeling for Attackers turning threat modeling on its head Rafal M. Los Chief Security Evangelist HP Software Shane MacDougall Principal Tactical Intelligence Modern threat modeling is a defensive response to

783 views • 52 slides
Artificial Intelligence meets Data Driven Astrophysics Kevin Schawinski Institute for Particle

Artificial Intelligence meets Data Driven Astrophysics Kevin Schawinski Institute for Particle

Artificial Intelligence meets Data Driven Astrophysics Kevin Schawinski Institute for Particle Physics and Astrophysics ETH Zurich ETH black hole group @kevinschawinski Grp Bgg Negar Politecnic da Zrig how can machine learning/

614 views • 39 slides
MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat

MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat

MRO Security Advisory Council (SAC) Webinar One Companys Path to Establishing Threat Intelligence and Hunting Jamie Buening, Manager, Threat Intelligence and Hunting, MISO August 21, 2019 MRO SAC Update Technical Training and Social

478 views • 45 slides
Measuring Intangible Assets (IP & Data) for the Knowledge-based and Data-driven Economy Jim

Measuring Intangible Assets (IP & Data) for the Knowledge-based and Data-driven Economy Jim

Measuring Intangible Assets (IP & Data) for the Knowledge-based and Data-driven Economy Jim Balsillie Chair and Co-founder of CIGI IMF Statistical Forum November 20, 2018 Big Data, Artificial Intelligence and Machine-learning Challenges

342 views • 13 slides
Embracing the Age of Intelligence Data-driven decision making in an agile organisation April 2018

Embracing the Age of Intelligence Data-driven decision making in an agile organisation April 2018

Embracing the Age of Intelligence Data-driven decision making in an agile organisation April 2018 Andrew Sales - CA Technologies Borja Soler - Fourth CA Technologies (Formerly Rally) CA Technologies offers software and services solutions that

1.21k views • 29 slides
The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response

The New Security Frontier: Threat Hunting, Augmented Intelligence, and Automated Response Michael Melore, CISSP IBM Cyber Security Advisor @MichaelMelore June 2018 May 2018 May 2018 Threat Hunting Workflow Cognitive Advanced Analytics

443 views • 15 slides
Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430)

Introduction Threat Models CS 5431 February 10, 2017 Threat Models Threats (CS 5430) Inquisitive people, unintentional blunders Hackers driven by technical challenges Disgruntled employees or

357 views • 23 slides
Khartoum, Nov 2012 Leo Vegoda Overview 2012 Customer Survey Results Updating IANA Special

Khartoum, Nov 2012 Leo Vegoda Overview 2012 Customer Survey Results Updating IANA Special

IANA Update @ AFRINIC 17 Khartoum, Nov 2012 Leo Vegoda Overview 2012 Customer Survey Results Updating IANA Special IPv4 & IPv6 Registries New Global Policy Implementation Key Signing Ceremonies AS Number Management 2

536 views • 15 slides
APNIC Update Anton Strydom Friday, 4 December 2015 AFRINIC 23 (Pointe Noire, Congo) Issue Date:

APNIC Update Anton Strydom Friday, 4 December 2015 AFRINIC 23 (Pointe Noire, Congo) Issue Date:

APNIC Update Anton Strydom Friday, 4 December 2015 AFRINIC 23 (Pointe Noire, Congo) Issue Date: 10 November 2015 Revision: [01] APNICs Vision A global, open, stable, and secure Internet that serves the entire Asia Pacific community 2

649 views • 29 slides
Unit testing and mocking with cmocka Unit testing and mocking with cmocka SambaXP 2018 SambaXP

Unit testing and mocking with cmocka Unit testing and mocking with cmocka SambaXP 2018 SambaXP

Unit testing and mocking with cmocka Unit testing and mocking with cmocka SambaXP 2018 SambaXP 2018 Andreas Schneider Red Hat Samba Maintainer About me About me Free and Open Source Software Developer: cmocka - a unit testing framework for

1.27k views • 40 slides
Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007,

Netflow, Flow-tools tutorial Gaurab Raj Upadhaya SANOG X Workshop : 29 September -7 August 2007, New Delhi Agenda Agenda bashing Do you want to see the labs, or want to discuss issues Netflow What it is and how it works

1.1k views • 91 slides
Group-A Q1 current best prac2ce Star2ng from some

Group-A Q1 current best prac2ce Star2ng from some

Group-A Q1 current best prac2ce Star2ng from some common molecular representa2on with bond orders, configura2on on chiral centers (e.g. ChemDraw, SMILES)

302 views • 15 slides
Native or External? Lessons learned implementing cryptography for VisualWorks Martin Kobetic

Native or External? Lessons learned implementing cryptography for VisualWorks Martin Kobetic

Native or External? Lessons learned implementing cryptography for VisualWorks Martin Kobetic Cincom Smalltalk Engineering ESUG 2011 Let's implement SSL! DES, MD5, SHA, RSA, DSA, RC4, X.509, ASN.1, DER, ... * SSL 3.0, RSA, DES, RC4, basic

369 views • 17 slides
ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org

ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org

ARTEMIS: Neutralizing BGP Hijacking within a Minute Alberto Dainotti alberto@caida.org Center for Applied Internet Data Analysis University of California, San Diego Joint work with: Pavlos Sermpezis, Vasileios Kotronis, Petros

375 views • 23 slides
Security Measures in OpenSSH Damien Miller djm@openbsd.org Introduction Describe the

Security Measures in OpenSSH Damien Miller djm@openbsd.org Introduction Describe the

Security Measures in OpenSSH Damien Miller djm@openbsd.org Introduction Describe the security measures in OpenSSH What they are How we implemented them How well they work Why? OpenSSH is an

359 views • 32 slides

More recommend