Cyber Threat Intelligence, the key to the SOC of the Future
Bret Jordan CISSP
Director Office of the CTO - Symantec
Problem #1
Networks are getting breached on a daily basis using TTPs
that are months or years old
Copyright © 2018 Bret Jordan. All rights reserved.
Problem #2
Threat actors are advancing at a positive non-linear rate relative to cyber defense
Problem #3
Organizations are increasingly unable to adequately respond to
modern threats, vulnerabilities, and risks
Problem #4
Currently we run the risk of losing the cyber war globally, and everyone is
affected!
WHY is cyber defense failing?
There are always gaps and vulnerabilities
Traditional defense is inward focused
• Find all vulnerabilities
• Patch all vulnerabilities
• Magically secure
Everything is outside the perimeter
• Users, Systems, and Content
• No single network perimeter to protect
• Organizations no longer own
– All end points
– The entire network
– All servers
– The content
Attacks are big business
• Attacks and campaigns are very profitable
• More valuable data at stake than ever before
– Compromise and steal
– Hold for ransom
• Detection is measured in terms of months or years
• One organization's defense stays their defense
WHAT can we do about it?
What can we do today?
• Understand the adversary
• We need to respond more quickly
• Shift burden of cost to the adversary
• Enable herd immunity
Ask ourselves the question
How can my detection today aid your prevention tomorrow?
We need information sharing
• Broad ecosystems and trust groups
• Sharing Actionable CTI automatically
• Across verticals and public / private sectors
• Not just IPs and URLs
• Near real-time
Advantages of sharing CTI
• Gain proactive defense
• Reduce long-term risk
• Potentially lower your cyber insurance premiums
• Enable herd immunity
• Improve operational understanding of threats
• Increase the capabilities of SOC team members
HOW can STIX & TAXII help
What is STIX?
• Graph based model for documenting threats with clear semantics
– The model is described in JSON
• Includes a feature rich indicator patterning grammar
– Allows both conditional and temporal logic
• Enables organizations to:
– Learn from others
– Share what they have learned
– Understand how to defend the network
Current Status of STIX
• STIX 2.0 was finalized in July of 2017
– Many vendors and organizations are actively using it today
• The technical committee is actively working on STIX 2.1, which will add some valuable features to the core specification
– Translations and multiple languages
– Confidence
– Opinions
– Notes
– Malware and Infrastructure
• Interoperability Specifications
The problems STIX solves
• Who is responsible for the attack?
– Threat Actors
– Intrusion Sets
– Campaigns
– Identity
The problems STIX solves (cont.)
• How are they doing it, what is their modus operandi?
– Attack Pattern
– Malware / Infrastructure
– Tools
– Vulnerability
The problems STIX solves (cont.)
• How do you detect it and stop it?
– Indicator
– Observed Data
– Sighting
– Course of Action
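The three slides above name the STIX objects for attribution, modus operandi and detection, and the earlier slide describes STIX as a JSON graph model with an indicator patterning grammar. The following Python is an added example, not code from the deck or from the OASIS CTI project: it builds a small STIX 2.0 graph (an Attack Pattern, an Indicator, and the "indicates" Relationship that is the edge between them) in a Bundle, evaluates the indicator's pattern against an Observed Data object with a deliberately minimal matcher, and emits the Sighting that a SOC would share back. The IP address, the attack-pattern name and all timestamps are constructed sample values; the matcher handles only single-observation expressions with = and != (AND binding tighter than OR) and is not the full STIX patterning grammar, which also has temporal operators such as FOLLOWEDBY and WITHIN.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Constructed sample value from the RFC 5737 documentation range; not a real IoC.
SUSPECT_IP = "203.0.113.7"


def now_ts():
    # STIX 2.0 timestamps: RFC 3339 in UTC, millisecond precision, "Z" suffix.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_object(stix_type, **props):
    """Any STIX 2.0 SDO/SRO: type, a 'type--uuid' id, created and modified."""
    ts = now_ts()
    obj = {"type": stix_type, "id": f"{stix_type}--{uuid.uuid4()}", "created": ts, "modified": ts}
    obj.update(props)
    return obj


def build_bundle():
    """Three-node graph: Attack Pattern, Indicator, and the 'indicates' edge between them."""
    attack = make_object("attack-pattern", name="Command and control beacon (constructed example)")
    indicator = make_object("indicator",
                            labels=["malicious-activity"],
                            pattern=f"[ipv4-addr:value = '{SUSPECT_IP}']",
                            valid_from=now_ts())
    edge = make_object("relationship", relationship_type="indicates",
                       source_ref=indicator["id"], target_ref=attack["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "spec_version": "2.0", "objects": [attack, indicator, edge]}


# One comparison: <object-type>:<top-level property> (= | !=) '<literal>'
COMPARISON = re.compile(r"([\w-]+):([\w-]+)\s*(=|!=)\s*'([^']*)'")


def match_observation(pattern, observed_objects):
    """Evaluate one observation expression such as [a:x = '1' AND b:y = '2'] or
    [a:x = '1' OR b:y = '2'] against the 'objects' map of an Observed Data SDO.
    Simplification: top-level properties only, = and != only, AND binds tighter
    than OR, and literals must not themselves contain ' AND ' or ' OR '."""
    m = re.fullmatch(r"\s*\[(.*)\]\s*", pattern)
    if not m:
        raise ValueError("only a single [...] observation expression is supported here")
    body = m.group(1)
    if " OR " in body:
        return any(match_observation(f"[{part}]", observed_objects) for part in body.split(" OR "))
    for comp in body.split(" AND "):
        cm = COMPARISON.fullmatch(comp.strip())
        if not cm:
            raise ValueError(f"unsupported comparison: {comp!r}")
        obj_type, prop, op, literal = cm.groups()
        wanted_equal = (op == "=")
        # A missing property never satisfies a comparison, whichever operator is used.
        hit = any(o.get("type") == obj_type and prop in o
                  and (str(o[prop]) == literal) == wanted_equal
                  for o in observed_objects.values())
        if not hit:
            return False
    return True


def sightings_for(bundle, observed_data):
    """Run every Indicator pattern in the bundle over one Observed Data SDO and emit a
    Sighting SRO per match: the object a SOC shares so that today's detection becomes
    someone else's prevention tomorrow."""
    return [make_object("sighting", sighting_of_ref=obj["id"],
                        observed_data_refs=[observed_data["id"]], count=1)
            for obj in bundle["objects"]
            if obj["type"] == "indicator"
            and match_observation(obj["pattern"], observed_data["objects"])]


if __name__ == "__main__":
    bundle = build_bundle()
    seen = make_object("observed-data", first_observed=now_ts(), last_observed=now_ts(),
                       number_observed=1,
                       objects={"0": {"type": "ipv4-addr", "value": SUSPECT_IP}})
    print(json.dumps(sightings_for(bundle, seen), indent=2))
```

Every object carries its own id, so the Sighting can reference both the Indicator and the Observed Data by id alone; that is what lets the graph be shared piecemeal and reassembled on the receiving side.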
The STIX way
What is TAXII?
• A turn-key solution for devices to share threat intelligence
• Uses HTTPS and REST to transport CTI
• Supports the creation of multiple trust groups
• Currently supports Request – Response interactions
• Future support for Publish – Subscribe channels
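To make the request/response flow and the trust-group model concrete, here is an added Python example; it is not code from the deck or from any TAXII implementation. It stands in for a TAXII 2.0 server with an in-memory store behind the Discovery, Collections and Objects endpoints, and a client that walks them in order, using the TAXII and STIX 2.0 media types in the Accept header as the specification requires. The server URL, the two trust groups, the bearer tokens that identify a client's group membership (TAXII leaves the authentication scheme to the deployment; production servers normally run it over TLS) and the indicator patterns are all constructed for this example.

```python
import json
import uuid

TAXII_MEDIA = "application/vnd.oasis.taxii+json; version=2.0"
STIX_MEDIA = "application/vnd.oasis.stix+json; version=2.0"
API_ROOT = "https://cti.example.invalid/api1/"   # constructed URL, not a real server

# Constructed trust groups. Bearer tokens standing in for client identity are an
# assumption of this example; TAXII does not mandate one authentication scheme.
TOKEN_GROUPS = {"token-finance": {"finance-isac"}, "token-telco": {"telco-isac"}}


def _indicator(pattern):
    ts = "2018-01-01T00:00:00.000Z"
    return {"type": "indicator", "id": f"indicator--{uuid.uuid4()}", "created": ts,
            "modified": ts, "labels": ["malicious-activity"], "pattern": pattern,
            "valid_from": ts}


# Each Collection is readable by exactly one trust group (constructed data, documentation
# IP range and .invalid domain).
COLLECTIONS = {
    str(uuid.uuid4()): {"title": "Finance ISAC indicators", "group": "finance-isac",
                        "objects": [_indicator("[ipv4-addr:value = '203.0.113.7']")]},
    str(uuid.uuid4()): {"title": "Telco ISAC indicators", "group": "telco-isac",
                        "objects": [_indicator("[domain-name:value = 'c2.example.invalid']")]},
}


def _reply(status, ctype, body):
    return status, ctype, json.dumps(body)


def serve(method, path, headers):
    """In-memory stand-in for a TAXII 2.0 server. Returns (status, content type, JSON body)."""
    if method != "GET":
        return _reply(405, TAXII_MEDIA, {"title": "Method not allowed"})
    auth = headers.get("Authorization", "")
    groups = TOKEN_GROUPS.get(auth[7:] if auth.startswith("Bearer ") else "", set())
    accept = headers.get("Accept", "")
    if path == "/taxii/":                      # Discovery endpoint
        if accept != TAXII_MEDIA:
            return _reply(406, TAXII_MEDIA, {"title": "Accept must be the TAXII 2.0 media type"})
        return _reply(200, TAXII_MEDIA, {"title": "Example CTI server", "default": API_ROOT,
                                         "api_roots": [API_ROOT]})
    if path == "/api1/collections/":           # Collections endpoint, filtered by group
        if accept != TAXII_MEDIA:
            return _reply(406, TAXII_MEDIA, {"title": "Accept must be the TAXII 2.0 media type"})
        visible = [{"id": cid, "title": c["title"], "can_read": True, "can_write": False,
                    "media_types": [STIX_MEDIA]}
                   for cid, c in COLLECTIONS.items() if c["group"] in groups]
        return _reply(200, TAXII_MEDIA, {"collections": visible})
    parts = path.strip("/").split("/")         # Objects endpoint: /api1/collections/<id>/objects/
    if len(parts) == 4 and parts[0] == "api1" and parts[1] == "collections" and parts[3] == "objects":
        coll = COLLECTIONS.get(parts[2])
        if coll is None:
            return _reply(404, TAXII_MEDIA, {"title": "No such collection"})
        if coll["group"] not in groups:        # authorization is checked per collection
            return _reply(403, TAXII_MEDIA, {"title": "Not a member of this trust group"})
        if accept != STIX_MEDIA:
            return _reply(406, TAXII_MEDIA, {"title": "Accept must be the STIX 2.0 media type"})
        return _reply(200, STIX_MEDIA, {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                                        "spec_version": "2.0", "objects": coll["objects"]})
    return _reply(404, TAXII_MEDIA, {"title": "Unknown endpoint"})


def pull_patterns(token):
    """Client side of the request/response flow: Discovery -> Collections -> Objects.
    Returns the indicator patterns the caller's trust group is allowed to read."""
    hdr = {"Authorization": f"Bearer {token}", "Accept": TAXII_MEDIA}
    status, _, body = serve("GET", "/taxii/", hdr)
    if status != 200:
        return []
    root_path = "/" + json.loads(body)["default"].split("/", 3)[3]   # -> "/api1/"
    status, _, body = serve("GET", root_path + "collections/", hdr)
    if status != 200:
        return []
    patterns = []
    for coll in json.loads(body)["collections"]:
        if not coll["can_read"]:
            continue
        status, ctype, body = serve("GET", f"{root_path}collections/{coll['id']}/objects/",
                                    {**hdr, "Accept": STIX_MEDIA})
        if status == 200 and ctype == STIX_MEDIA:
            patterns += [o["pattern"] for o in json.loads(body)["objects"]
                         if o["type"] == "indicator"]
    return patterns


if __name__ == "__main__":
    for tok in TOKEN_GROUPS:
        print(tok, "->", pull_patterns(tok))
```

The point to notice is where the trust boundary sits: the Collections listing only shows a client the collections its group may read, and the Objects endpoint re-checks membership on every request rather than trusting the listing, so a client that guesses another group's collection id still gets a 403.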
Resources to play with
Gaining context through visualizations
Gaining context through visualizations
Conclusion: things to think about
Threat Intelligence can…
• Give you a rich source of IOCs to block
• Help you better understand emerging threats
• Provide insight into an attack to help you with incident response
• Tell you what to go look for based on what you have seen or found
• Help you understand what additional problems you may have
• Tell you how a given campaign or attack is being conducted
• Tell you what types of vulnerabilities and systems a given campaign is targeting
The future
Why is this so important for the ITU and telecoms across the globe?
The dream
This dream of herd immunity is only possible when we share CTI
in an automated, machine-to-machine, structured format
Q&A