Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing
(#ddti)
Alex Pinto, Chief Data Scientist, MLSec Project
@alexcpsec
@MLSecProject
Alexandre Sieira, CTO, Niddel
@AlexandreSieira
@NiddelCorp
Agenda
• Cyber War… Threat Intel – What is it good for?
• Combine and TIQ-test
• Measuring indicators
• Threat Intelligence Sharing
• Future research direction (i.e. will work for data)
HT to @RCISCwendy
Presentation Metrics!!
50-ish Slides
3 Key Takeaways
2 Heartfelt and genuine defenses of Threat Intelligence Providers
1 Prediction on “The Future of Threat Intelligence Sharing”
What is TI good for (1) Attribution
What is TI good for anyway?
TY to @bfist for his work on http://sony.attributed.to
What is TI good for (2) – Cyber Maps!!
TY to @hrbrmstr for his work on https://github.com/hrbrmstr/pewpew
What is TI good for anyway?
• (3) How about actual defense?
  • Strategic and tactical: planning
  • Technical indicators: DFIR and monitoring
Affirming the Consequent Fallacy
1. If A, then B.
2. B.
3. Therefore, A.

1. Evil malware talks to 8.8.8.8.
2. I see traffic to 8.8.8.8.
3. ZOMG, APT!!!
But this is a Data-Driven talk!
Combine and TIQ-Test
• Combine (https://github.com/mlsecproject/combine)
  • Gathers TI data (ip/host) from Internet and local files
  • Normalizes the data and enriches it (AS / Geo / pDNS)
  • Can export to CSV, “tiq-test format” and CRITs
  • Coming Soon™: CybOX / STIX / SILK / ArcSight CEF
• TIQ-Test (https://github.com/mlsecproject/tiq-test)
  • Runs statistical summaries and tests on TI feeds
  • Generates charts based on the tests and summaries
  • Written in R (because you should learn a stat language)
• https://github.com/mlsecproject/tiq-test-Summer2015
Using TIQ-TEST – Feeds Selected
• Dataset was separated into “inbound” and “outbound”
TY to @kafeine and John Bambenek for access to their feeds
Using TIQ-TEST – Data Prep
• Extract the “raw” information from indicator feeds
• Both IP addresses and hostnames were extracted
Using TIQ-TEST – Data Prep
• Convert the hostname data to IP addresses:
  • Active IP addresses for the respective date (“A” query)
  • Passive DNS from Farsight Security (DNSDB)
• For each IP record (including the ones from hostnames):
  • Add asnumber and asname (from MaxMind ASN DB)
  • Add country (from MaxMind GeoLite DB)
  • Add rhost (again from DNSDB) – most popular “PTR”
Using TIQ-TEST – Data Prep Done
Novelty Test
Measuring added and dropped indicators
Novelty Test - Inbound
Aging Test
Is anyone cleaning this mess up eventually?
INBOUND
OUTBOUND
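The Novelty and Aging tests above, worked through on daily snapshots of a single feed. This is an added example, not code from tiq-test or the talk; the snapshot data is constructed, and the exact ratio definitions (added relative to today's list, dropped relative to yesterday's, age counted from first to last sighting) are assumptions made for illustration.

```python
from datetime import date

# Constructed daily snapshots of one feed: date -> set of indicators.
# Addresses are taken from the RFC 5737 documentation ranges.
SNAPSHOTS = {
    date(2015, 6, 1): {"192.0.2.1", "192.0.2.2", "198.51.100.7"},
    date(2015, 6, 2): {"192.0.2.1", "192.0.2.2", "198.51.100.7", "203.0.113.9"},
    date(2015, 6, 3): {"192.0.2.1", "203.0.113.9", "203.0.113.10"},
    date(2015, 6, 4): {"192.0.2.1", "203.0.113.10"},
}

def novelty(snapshots):
    """Per day: (share of today's indicators that are new,
    share of yesterday's indicators that were dropped)."""
    days = sorted(snapshots)
    result = {}
    for prev, cur in zip(days, days[1:]):
        old, new = snapshots[prev], snapshots[cur]
        added = len(new - old) / len(new) if new else 0.0
        dropped = len(old - new) / len(old) if old else 0.0
        result[cur] = (round(added, 3), round(dropped, 3))
    return result

def ages(snapshots):
    """Days each indicator stayed listed, first to last sighting inclusive."""
    first, last = {}, {}
    for day in sorted(snapshots):
        for indicator in snapshots[day]:
            first.setdefault(indicator, day)
            last[indicator] = day
    return {ind: (last[ind] - first[ind]).days + 1 for ind in first}

def stale(snapshots, max_age):
    """Indicators still in the latest snapshot that are older than max_age days,
    i.e. entries the feed has not cleaned up."""
    latest = snapshots[max(snapshots)]
    age = ages(snapshots)
    return sorted(ind for ind in latest if age[ind] > max_age)

if __name__ == "__main__":
    for day, (added, dropped) in novelty(SNAPSHOTS).items():
        print(day, "added=%.3f dropped=%.3f" % (added, dropped))
    print("stale after 3 days:", stale(SNAPSHOTS, 3))
```

A feed whose added and dropped ratios stay near zero while its indicator ages keep growing is accumulating entries rather than curating them.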
Population Test
• Let us use the ASN and GeoIP databases that we used to enrich our data as a reference of the “true” population.
• But, but, human beings are unpredictable! We will never be able to forecast this!
Is your sampling poll as random as you think?
Can we get a better look?
• Statistical inference-based comparison models (hypothesis testing)
  • Exact binomial tests (when we have the “true” pop)
  • Chi-squared proportion tests (similar to independence tests)
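The exact binomial variant of the Population Test, as an added example (not code from tiq-test): each country's count in a feed is compared with the share that a GeoIP-derived reference population would predict. The reference shares, feed counts and the 0.05 significance level are constructed assumptions.

```python
from math import exp, lgamma, log

def binom_pmf(k, n, p):
    """P(X = k) for X ~ Binomial(n, p), computed in log space to avoid overflow."""
    if p <= 0.0:
        return 1.0 if k == 0 else 0.0
    if p >= 1.0:
        return 1.0 if k == n else 0.0
    log_coef = lgamma(n + 1) - lgamma(k + 1) - lgamma(n - k + 1)
    return exp(log_coef + k * log(p) + (n - k) * log(1.0 - p))

def binom_test(k, n, p):
    """Two-sided exact binomial p-value: total probability of every outcome
    that is no more likely than the observed count k."""
    cutoff = binom_pmf(k, n, p) * (1.0 + 1e-7)  # tolerance for floating-point ties
    total = sum(q for q in (binom_pmf(i, n, p) for i in range(n + 1)) if q <= cutoff)
    return min(1.0, total)

# Constructed reference population: share of address space per country, as it
# would be derived from a GeoIP database. Values are illustrative only.
REFERENCE_SHARE = {"US": 0.40, "CN": 0.10, "BR": 0.05, "other": 0.45}
# Constructed feed: number of indicator IPs geolocated to each country.
FEED_COUNTS = {"US": 50, "CN": 60, "BR": 10, "other": 80}

def population_test(counts, reference, alpha=0.05):
    """Return {country: (observed_share, expected_share, p_value, verdict)}."""
    n = sum(counts.values())
    report = {}
    for country, expected in reference.items():
        k = counts.get(country, 0)
        p_value = binom_test(k, n, expected)
        if p_value >= alpha:
            verdict = "as expected"
        else:
            verdict = "over" if k / n > expected else "under"
        report[country] = (k / n, expected, p_value, verdict)
    return report

if __name__ == "__main__":
    for country, row in population_test(FEED_COUNTS, REFERENCE_SHARE).items():
        print(country, "obs=%.3f exp=%.3f p=%.3g %s" % row)
```

A country flagged "over" is one the feed lists far more often than its share of the reference population explains; whether that reflects real attacker concentration or a bias in how the feed is collected is what the test prompts you to investigate.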
Overlap Test
More data can be better, but make sure it is not the same data
Overlap Test - Inbound
Overlap Test - Outbound
Uniqueness Test
Uniqueness Test
• “Domain-based indicators are unique to one list between 96.16% and 97.37%”
• “IP-based indicators are unique to one list between 82.46% and 95.24% of the time”
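The Overlap and Uniqueness tests above, computed over several feeds at once. This is an added example, not code from tiq-test; the feed names and contents are constructed, and the normalization step is an assumption about how indicators are made comparable before counting.

```python
import ipaddress
from collections import Counter

# Constructed feeds: name -> raw indicators as a provider might publish them.
FEEDS_RAW = {
    "feed_a": ["192.0.2.1", "192.0.2.2", "bad.example.com.", "198.51.100.1"],
    "feed_b": ["192.0.2.1", "198.51.100.2", "198.51.100.3"],
    "feed_c": ["192.0.2.1", "192.0.2.2", "BAD.example.com"],
    "feed_d": ["203.0.113.77"],
}

def normalize(indicator):
    """Canonical form so the same indicator from two feeds compares equal."""
    text = indicator.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return text  # not an IP address: treat as a hostname

def load(feeds_raw):
    """Turn each raw feed into a set of normalized indicators."""
    return {name: {normalize(i) for i in items} for name, items in feeds_raw.items()}

def overlap_matrix(feeds):
    """matrix[a][b] = share of feed a's indicators that also appear in feed b.
    The matrix is not symmetric: a small feed can be fully contained in a big one."""
    return {
        a: {b: round(len(ia & ib) / len(ia), 3) if ia else 0.0
            for b, ib in feeds.items() if b != a}
        for a, ia in feeds.items()
    }

def uniqueness(feeds):
    """Overall share of distinct indicators listed by exactly one feed, plus
    each feed's share of indicators that no other feed lists."""
    seen = Counter(ind for inds in feeds.values() for ind in inds)
    exclusive = {ind for ind, count in seen.items() if count == 1}
    overall = round(len(exclusive) / len(seen), 3)
    per_feed = {name: round(len(inds & exclusive) / len(inds), 3) if inds else 0.0
                for name, inds in feeds.items()}
    return overall, per_feed

if __name__ == "__main__":
    feeds = load(FEEDS_RAW)
    for name, row in overlap_matrix(feeds).items():
        print(name, row)
    print(uniqueness(feeds))
```

In the constructed data every indicator in feed_c also appears in feed_a, so adding feed_c to a subscription that already includes feed_a contributes no new coverage.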
I hate quoting myself, but…
Key Takeaway #1
MORE != BETTER
Threat Intelligence Indicator Feeds
Threat Intelligence Program
Intermission
Key Takeaway #2
Key Takeaway #1
“These are the problems Threat Intelligence Sharing is here to solve!”
Right?
Herd Immunity, is it?
Source: www.vaccines.gov
Herd Immunity…
…would imply that others in your sharing community being immune to malware A meant you wouldn’t get it even if you were still vulnerable to it.
Threat Intelligence Sharing
• How many indicators are being shared?
• How many members do actually share and how many just leech?
• Can we measure that? What a super-deeee-duper idea!
Threat Intelligence Sharing
We would like to thank the kind contribution of data from the fine folks at Facebook ThreatExchange and ThreatConnect…
…and also the sharing communities that chose to remain anonymous. You know who you are, and we ❤ you too.
Threat Intelligence Sharing – Data
From a period of 2015-03-01 to 2015-05-31:
- Number of Indicators Shared
  § Per day
  § Per member
Not sharing this data – privacy concerns for the members and communities
Update frequency chart
OVERLAP SLIDE
OVERLAP SLIDE
UNIQUENESS SLIDE
MATURITY?
“Reddit of Threat Intelligence”?
Key Takeaway #1
'How can sharing make me better understand what are attacks that “are targeted” and what are “commodity”?'
Key Takeaway #1
TELEMETRY > CONTENT
Key Takeaway #3 (Also Prediction #1)
More Takeaways (I lied)
• Analyze your data. Extract more value from it!
• If you ABSOLUTELY HAVE TO buy Threat Intelligence or data, evaluate it first.
• Try the sample data, replicate the experiments:
  • https://github.com/mlsecproject/tiq-test-Summer2015
  • http://rpubs.com/alexcpsec/tiq-test-Summer2015
• Share data with us. I’ll make sure it gets proper exercise!
Thanks!
• Q&A?
• Feedback!
“The measure of intelligence is the ability to change.” - Albert Einstein
Alex Pinto
@alexcpsec
@MLSecProject
Alexandre Sieira
@AlexandreSieira
@NiddelCorp