Build the right Threat Intelligence Team

James Dietle, @jamesdietle, www.mindtrinket.com

Transcript of Build the right Threat Intelligence Team

Page 1: Build the right Threat Intelligence Team

Build the right Threat Intelligence team

James Dietle @jamesdietle

Page 2: Build the right Threat Intelligence Team

You need to develop people to have an understanding of how bad guys operate to protect your friends, family, and company.

Page 3: Build the right Threat Intelligence Team

Intelligence is:

Information used to make a decision.

Page 4: Build the right Threat Intelligence Team

Threat Intelligence is:

Information about adversaries which is used to make a decision.

Page 5: Build the right Threat Intelligence Team

[Figure: "Information Received" flow diagram; labels: Info, Feed, Analyst, Information, Intelligence, Decision]

Page 6: Build the right Threat Intelligence Team

[Figure: "Information Received" flow diagram; labels: Info, Feed, Analyst, Information, Intelligence, Decision]

Page 7: Build the right Threat Intelligence Team

In the past information was expensive

Page 8: Build the right Threat Intelligence Team

Now information is cheap

Page 9: Build the right Threat Intelligence Team

Where can we get it?

• Open source
• Proprietary Feeds
• Social Media sites
• Twitter
• Researcher Sites
• YouTube
• Podcasts
• Special Sites
• Deep Web

Page 10: Build the right Threat Intelligence Team

Threat Actors

• Hacktivists
• Criminals
• Insider threats
• Competitors
• Advanced Persistent Threats (APT)

Page 11: Build the right Threat Intelligence Team

Indicators/Pyramid of Pain

Page 12: Build the right Threat Intelligence Team

[Figure: "Information Received" flow diagram; labels: Info, Feed, Analyst, Information, Intelligence, Decision]

Page 13: Build the right Threat Intelligence Team

What makes intel good or bad?

• Actionable: Can we make a decision with it?
• Certainty: How likely is it to happen?
• Timeliness: Can we mitigate damage?

Page 14: Build the right Threat Intelligence Team

Good!

Bad!

Page 15: Build the right Threat Intelligence Team

Know yourself, Optimize the info

Page 16: Build the right Threat Intelligence Team

Qualitative
– The network is safe
– The sky is blue
– Bueller is a righteous dude

Quantitative
– Missing 9 2 days of class
– 28 Incidents last year
– Saved $100 of recovery for every dollar on security

Page 17: Build the right Threat Intelligence Team

LVL  Plan           Personnel                   Increased Spending  Additional Benefit
1    No Plan        IT professionals
2    No Plan        + Dedicated Security
3    Simple Plan    + experienced Security
4    Better Plan    + dedicated intel analyst
5    Amazing Plan   + dedicated intel team

Page 18: Build the right Threat Intelligence Team

Finding the right people

• Build internally
– Look for passionate employees
– First line of defense
• Hire experienced people
– Look early
• Hire Vendors
– Check their work

Page 19: Build the right Threat Intelligence Team

Train people

• Security Conferences
• Meet-ups
• Hands on experience
• Training/Certifications
• Online training
• Vendors

Page 20: Build the right Threat Intelligence Team

[Figure labels: Function, Device, No Separation, Time; Help desk, Security, Architecture, Application]

Page 21: Build the right Threat Intelligence Team

[Figure: "Information Received" flow diagram; labels: Info, Feed, Analyst, Information, Intelligence, Decision]

Page 22: Build the right Threat Intelligence Team

Distribution of your good intel

• To your peers!
• Personal Visits/Talks
• Email
• Texts
• Pamphlets
• Distribution lists
• TAXII/STIX

Page 23: Build the right Threat Intelligence Team

Which Intel to action

Page 24: Build the right Threat Intelligence Team

Incident Response

• Responders are the best people to give intelligence to and be close friends with.
• They are closest to the action and are most likely to benefit from it.
• Refine feeds

Page 25: Build the right Threat Intelligence Team

War Gaming

Page 26: Build the right Threat Intelligence Team

[Figure: "Information Received" flow diagram; labels: Info, Feed, Analyst, Information, Intelligence, Decision]

Page 27: Build the right Threat Intelligence Team

Questions?

James Dietle @jamesdietle