
How To Use Threat Intelligence

This webcast was originally published on April 16, 2018.

In this video, John discusses the intricacies and challenges of threat intelligence feeds. He examines how effective these feeds actually are and how they are often outdated or misused within security programs. The conversation also explores alternative strategies for using threat intelligence more effectively, emphasizing a structured, architectural approach rather than chasing individual threat actors.

  • Threat intelligence feeds and their reliance on outdated risk concepts can be problematic, as they may not adapt quickly enough to the evolving nature of modern cyber threats.
  • The effectiveness of threat intelligence feeds is questionable, as they often provide stale information, making them less useful for real-time threat detection and response.
  • Proper use of threat intelligence involves integrating it systematically into security architecture rather than using it for ad-hoc threat actor identification and chasing.

Transcript

John Strand

It’s now 11:00 Mountain Standard Time. Is it, in fact, 11:00? Did I change my time zone? No, it is.

Sierra Ward

It is. Hi, I’m Sierra. This is John.

John Strand

Hi.

Sierra Ward

And, we’re here for the webcast today. It’s with John about threat intelligence feeds. Maybe he changes his mind.

John Strand

No. Possible. It’s possible. It’s possible.

Sierra Ward

So if you have questions, go ahead and, type them into the question box, and I’ll be answering them. And then when he takes a breath for air, I’ll try and sneak in and ask him.

John Strand

Well, I can see them. I really like this new setup, the camera and everything. It’s great. So, as Sierra mentioned, we’re going to be talking about threat intelligence and threat intelligence feeds and things of that nature.

And have I actually changed my mind? Yes. No. Kind of. I don’t know. It’s complicated. But I do want to start out and kind of reiterate why I hate threat intelligence feeds, because out of all the positions I have in security, I think this is probably the one that’s the most confrontational.

Whenever I’m discussing my views on pen testing or security, a lot of security is motherhood and apple pie. People should patch their stuff, train their people, equip their people, have SOCs with adequate staff.

No one is going to disagree with that in security. But as soon as I start talking about threat intelligence, it’s like it was when I started talking about data loss prevention eight years ago. People get all up in arms about it, because I think that we have a lot emotionally invested in these new technologies and these new ideas.

So I want to discuss where my position is coming from. Not necessarily to say, you’re wrong. And I have a habit of saying that, give me your opinion, and I’ll be sure to tell you why you’re wrong. And that’s just facetious, and that’s kind of joking.

But I want to explain where my position is coming from so that you kind of understand where I’m at. First, a lot of threat intelligence, in my view, preys on outdated concepts of risk.

So when human beings look at risk, we tend to learn about risk from the idea of the frying pan was hot, or we learned that something was risky by eating something.

Thousands and thousands of years ago, one of the people in our tribe died and we’re like, we’re not going to eat that mushroom again. And the human psyche is completely, completely hardwired to try to identify negative things, to identify risks, and then avoid those risks, whether it’s sharks, whether it’s bears, whether it’s platypuses, and don’t get bit by a platypus because they’re venomous.

But we learn that these things are dangerous and we avoid them, and that equips us very well when we’re in nature, right? Because in nature, the idea of risks, and more importantly, the threats, they don’t change very quickly.

If you eat a fish and you die from that fish, that fish is going to continue being poisonous in the foreseeable future. And the fish that you do eat that didn’t kill anybody and made you healthy, that’s not going to kill you anytime soon.

So things don’t change dramatically in a state of nature. So as human beings, whenever we try to buy products and we think in terms of risk, the idea of blacklisting makes sense to us.

And the earlier technologies for antivirus were very much heavily based upon the blacklist approach, because it makes sense. If you’re trying to reach for a solution to a problem, you’re going to reach for the mental models that worked in the past.

So when we had viruses on computers, the idea of writing software to identify and avoid that risk makes perfect sense at a base human level. Same thing with threat intelligence feeds.

The idea that you can purchase a threat intelligence feed and then someone will tell you about risks and more importantly, threat actors, and then you’ll be able to identify and avoid those threat actors plays at a very base level.

But this is outdated by centuries. The reason why is, imagine in modern IT, if we’re trying to use an analogy, that you ate a mushroom on day one, and then someone died in your tribe, and then the next day it looks like a T-bone steak that’s just sizzling and so delicious.

You eat that steak and then that kills you. We have risks, and more importantly, we have threat actors that can generate attacks, they can generate spear phishing, that are constantly evolving in order to get around our outdated sense of blacklisting and outdated sense of risks.

So at its core, that’s why I hate threat intelligence. And the earlier days of threat intelligence, that’s exactly how it was, in fact, being marketed.

Also, when you’re looking at it, by the time you receive an alert through a threat intelligence feed, the attackers most likely have already moved. They’ve moved their IP addresses, they’ve moved their domains.

They changed the way that their executables actually work. The attacks evolve very, very, very quickly. So we need to be able to watch that closely.

And I believe we have a question, because now I can see it.

Sierra Ward

Do you have thoughts on MISP, the Malware Information Sharing Platform?

John Strand

I really don’t much care for the idea of sharing information about malware, and I’m going to talk about that right here on this slide. So let’s walk through why I think this is a problem. So let’s say that you purchase a threat intelligence feed from a managed security service provider, and they give you a hot tip on some malware that is being seen.

Well, more than likely, that hot tip is over 24 hours old, and an organization could sit down and say, we’re going to develop a YARA rule in order to detect that malware in our organization.

I know YARA can be used for a lot more complicated threat analysis and identifying atomic indicators of compromise, but let’s just stick with the malware analogy and the malware example. So we write this new signature for malware that somebody says, through one of our different feeds that we have, is out there.

So now we push that rule across our entire organization, trying to identify that malware in our organization. Why would you do this? This is absolutely insane.

And think about it. Back up for a couple of seconds. If you have a small team of four or five people and you’re purchasing threat intelligence feeds and you think that you can write a YARA rule to detect that across your organization, that is insane, because that is literally what your AV vendor should be doing.

That is literally what your anti-spam appliance should be doing. That is literally what your firewall should be doing. In short, you cannot do something consistently over time and do a better job than the vendors that have thousands of people that are writing these signatures every single day.

Although that is a mistake that you make, saying, oh, I can do better. I can fix this.

Sierra Ward

I’m above average.

John Strand

I’m above average. I’m a genius. I’m a certifiable genius, and everyone should listen to me. No, no, no. You can’t compete with the idea of crowdsourcing. You are not going to compete with McAfee’s team that’s writing signatures, or Symantec’s or Sophos’s team that’s writing signatures.

And if you think for 2 seconds that they’re not subscribing to those feeds and actively writing signatures for those indicators of compromise, you’re deluding yourself.

So really, if you have something where your security vendors do not successfully detect an attack at your organization, this is not something that your team should be doing.

That’s what you’re hiring vendors to do for you. If there is an attack and you are successful in writing a signature, because I have people that say, oh, well, I wrote my own signature this one time, and it worked.

Therefore, your entire argument is bunk. Therefore, I’m brilliant and I’m a genius. Never told you about my IQ. If that happens and you are successful, that isn’t so much a testament of your success, even though that is skillful.

And I’ll talk about how that skill can be used successfully here in just a moment. But what it actually shows is that your vendors have failed, because if you get a threat intelligence feed and you write a signature for it, and you beat your vendor, be it McAfee, Symantec, Cylance, CrowdStrike.

Many of these vendors have their own threat intelligence feeds. If you’re beating your vendor, then that really says more about the vendor than it says about the maturity of a threat intelligence program.

So we had another question come up. It says, okay, then, which is always a good way to start.

Sierra Ward

Frederick says, what about TAXII and STIX?

John Strand

TAXII and STIX, yeah.

Sierra Ward

Which isn’t a purchase option, but open source, or is that basically this presentation?

John Strand

That’s basically this presentation. Actually, it’s a previous presentation where I talked about those standards, and in fact, that open source sharing of information, I believe that there’s value to that. I’ll get to that here in a second.

But if you’re trying to take those TAXII and those STIX signatures, those YARA rules that are being generated, and you’re trying to actively identify those malware specimens in your organization, it’s time to step back, take a deep, deep, deep breath, and try to ask yourself, can I do this more effectively than my firewall vendor, my AV vendor, my vendor that’s working on the perimeter protections

Sierra Ward

of my environment? Aren’t you also supposed to be doing other things? Like, this is funner, this is fun for work, right?

John Strand

No, no, no. For technical people to sit down and say, I’m going to write a YARA rule. Now I’m coming at this, now I’m changing perspective, to a techy, geeky role: to get a new piece of malware, to reverse engineer that malware, to develop your own rule and search.

That feels awesome. Yeah. That is very, very, very, a very stable genius. That’s good. A stable genius is a fantastic genius. Unfortunately, I don’t come across many of those.

So my point on this is, if you’re spending all of your time trying to write these signatures, odds are your vendor is doing the exact same thing. And further, you can talk to your vendors and ask them, what are they ingesting?

And they should be able to tell you. So we got some more questions.

Sierra Ward

So Phillip says, okay, but your Cash Cow Tipping exercises have led me to believe that we cannot trust AV vendors. Why should we trust them for IOCs?

John Strand

I think that whenever we’re talking about the mass IOCs that are out there, like, if you’re talking about your general botnets, your general malware, I think that they have their place. So I’ve many times mentioned in the Sacred Cash Cow Tipping webcast that antivirus can, in fact, be bypassed.

That is an absolute truth. And what that’s being done to show is not that they’re worthless, and saying, what do we need to do? We need to have everyone become their own antivirus shop and write their own signatures.

That was never the lesson for us. But the lesson was when we’re looking at antivirus vendors, antivirus in and of itself is not the only security control that you need to have in your architecture.

It is just one part of your architecture as a whole.

Sierra Ward

Can’t just set it and walk away.

John Strand

Yeah, you can’t just set it and forget it. Like Ron Popeil. So Kevin’s got some questions.

Sierra Ward

Kevin says, is your concern that companies would blindly block all IOCs from a threat feed?

John Strand

Yes, I think that would be one of my concerns. But my main concern is the team spends a tremendous amount of time trying to write their own rules from threat feeds. And I’m going to talk about how to use threat intelligence feeds properly here in just a couple of minutes.

So what did Matt say?

Sierra Ward

What about using the threat intel for detection in an automated fashion for an additional layer, like comparing to network traffic?

John Strand

Whenever you’re talking about network traffic and looking for those behavioral anomalies, I believe that there is some value in that. But I still come back to: you are doing the job of what your firewall vendor should already be doing.

Now, your firewall vendor should be writing signatures. Snort signatures. Here, take just a deep breath and see how many signatures are written per day, and then ask yourself, can we actually do a better job of that than the vendors that we’re actually seeing?

Sierra Ward

David says a feed that provides IOCs can be useful for determining if you are pwned by looking at past logs, T-30 days or so. Historical log searches for IOCs.

John Strand

Yep. And I would agree with that point. What have we got from Christopher, too?

Sierra Ward

Okay, Christopher, so while I agree with you and AV and passive defense vendors should be catching most signature-based stuff, do you not see at least some element of overlap feeds that can provide from an enrichment or scoping standpoint?

John Strand

Awesome question, and that’s a great, great point. And that’s actually one of the main reasons why I started going against threat intelligence feeds. A number of years ago, Verizon took all the different threat intelligence feeds and they overlapped them to see how much overlap these different threat intelligence vendors came up with.

Now, the idea would be that if we’re all catching the real attack traffic that’s out there, there should be a lot of overlap. They came up with 5% overlap. And rather than saying, hey, we’ve got a fundamental problem in the way that we’re approaching threat intelligence feeds, the recommendation in that particular report was, you should just buy all of the threat intelligence feeds to have complete coverage.

So even by checking overlap across the different vendors, you’re not seeing a consistency across the board. Now, I’ve got a question here from Mike that I love.

Thoughts on FOR578, which is, I believe, Mike, the threat intelligence class that you’re talking about. Yes, yes. There is no place in that class.

And let me be very clear. When Rebekah is writing that class, and then also Rob M. Lee, we like to call him little Rob. There’s no place in that course where they tell you to buy a feed and simply plug it into your environment and walk away.

That is a six-day class on how to do threat intelligence feeds correctly in your organization. And at no point do they actually say, plug it in, set it, and forget it. Hit the easy button and walk away.

Otherwise it would be a very, very, very short class.

Sierra Ward

Kevin asks, how do you feel about open source feeds? Because I’m cheap.

John Strand

Because you’re cheap. I think there is value in that, and I’ll talk about that value in those types of feeds and how we can use them correctly here in just a couple of seconds.

Sierra Ward

Then John said, not all intel feeds are created equal. We subscribe to an ISAC intel feed and often find indicators that our security vendors won’t have for days or weeks.

John Strand

In some situations, yes. Now, whenever you actually get into, like, FS-ISAC, very, very, very specific feeds for very specific market verticals are actually pretty effective. But the general feeds that you purchase and say, I’m an insurance company, are not really nearly as effective or focused.

So now that we’ve kind of set up my why, I think there are ways of doing it wrong. The other way that I think people do it wrong is they do it specifically because they feel like they’re involved in some type of knowledge group that you have to be elite to actually be a part of.

So, oh, we got this threat intelligence feed that we pay $100,000 for and we got this one story about this one organization that was compromised. It’s not a club. It’s not something that you purchase to actually get membership of that club.

And further, you can never purchase intelligence, ever. You’re just simply purchasing data. And how you actually handle that data is where the actual value starts to come from as well.

So what, we got 5% from the pay-for feeds? Yeah, pay-for feeds.

Sierra Ward

Yeah, open feeds. Or open feeds?

John Strand

I think they actually overlapped a whole bunch of all the different feeds, and they were only getting 5% overlap, which is terrifying. Horrible, horrible. All right, additional how to do it wrong. Now, this is different from what a lot of people are talking about.

Oh, my God. FS-ISAC, which a lot of people say is the best feed. We just had somebody that says they hate it. And that brings up another point. Every time someone says a particular feed is good, I get five people saying the feed is absolute, complete garbage as well.

Then there’s another person, a completely different person, that just said that this other threat intelligence feed is absolute crap as well. So here you got another problem. We have a ton of people that get these feeds, and they don’t actually see a lot of value in those feeds, and that’s what we’re running into.

So why would you spend hundreds of thousands of dollars trying to purchase feeds, doing something in your organization which honestly your security vendors should be doing? Going back to the comment that we just had a little bit earlier where they said, well, we’ve had feeds where our vendor didn’t detect anything for days.

That’s not talking about the value of feeds. That’s talking about the failure of your security vendor at the endpoint or at the edge of your network. So I hope that you can start seeing that as a problem.

Right. It’s not something that you should be tasked with, to generate a better blacklist. You have that little part in the back of your head as a human that’s telling you that’s the way that you handle this threat.

Don’t do that. Whenever you’re talking about dynamic threats that change over time, simply trying to quantify those threats on your own as an individual is a tremendous waste of time.

Trying to get a vendor to actually start incorporating those at a large scale has value, but it isn’t the only thing you should be doing from a security architecture perspective, so.

Oh, my God, they’re still coming back. Well, geez, they’re just crazy.

Sierra Ward

If it comes up, how do...

John Strand

...I do it wrong? We just had a lot of people light up about every single feed and how bad they suck. And I’m coming back to that because there is value, folks. How to do it wrong. Like I said, thinking that you can go online and you can go to a special place online where all of the bad actors get together on the dark web and they talk about hacking your network.

No, there is no Star Wars cantina where a bunch of attackers get together. We sit around and play Minecraft, maybe, and have conversations about what organization we’re going to attack.

Least of all. That’s not what they’re doing with organized crime. That’s not what they’re doing whenever you’re talking about nation state attacks. That’s really not. We’re talking about when organizations are basically targeted by an advanced adversary that’s coming at their organization.

It doesn’t work that way, okay? You just can’t go hang out in bad places. It’s like the joke I have here. Hey, guys, anyone know about attacks against DoD? No.

Right? And also, if they’re watching 4chan and Anonymous, 99% of what’s going on there is a bunch of boastful talking that doesn’t mean anything anyway.

Now, there are exceptions. DDoS planning. If there is an organization like an Anonymous op that’s coming up and they’re talking about targeting your financial institution, you absolutely want to learn about that ahead of time.

And those absolutely will be whipped up. Usually, by the time they start whipping up the fervor of all the idiots on 4chan, at that point, it’s probably too late. And it’s usually coupled with another attack. And the final exception: watching for leaked credentials, much like what Troy Hunt is doing right now with Have I Been Pwned.

There is a lot of value in checking for any new credentials that have been compromised from your organization on third-party websites. Once again, that’s not a secret hidden cantina.

Sierra Ward

Rich said, I don’t always threat feed, but when I do, it’s with my dark web friends.

John Strand

Yes. And don’t forget, Rich, you’ve got to do it only with blockchain.

Sierra Ward

Blockchain, on the blockchain. DDoS chatter is going to be extremely relevant to me in about two weeks.

John Strand

Why would you say that? That creates all kinds of weird things in my head. Christopher, DDoS is going to be extremely relevant in about two weeks. Like, what are you... That doesn’t give me warm fuzzies.

That statement can go all kinds of different ways.

Sierra Ward

Don’t do it. Don’t do it.

John Strand

So let’s take a deep breath, and let’s talk about how to do it right. And also, there’s another big reason why I’m not too excited about threat intelligence feeds. Of all of our customers, of all the people I talked to with IANS, I have had maybe one person come to me, and I tell this story here, and basically talk about threat intelligence feeds and how they use them in an intelligent fashion.

That was interesting to me, and I’m going to talk about that here in just a couple of seconds. So we’re going to take a deep breath. Let’s talk about how to do it right. First and foremost, huh?

Let’s do it. So, problem statement. If we’re going to take threat intelligence feeds and we actually want to test an organization, how can we do that in such a way that makes sense in our organization?

Because right now, what most people are talking about when they use threat intelligence feeds, they’re doing this whack a mole where a new threat actor shows up and they’re like, oh, take care of that threat actor. And they scramble to take care of that threat actor.

Oh, another one popped up. Oh, we’re going to take care of that one. And they start running around and they start going crazy. And there’s a better way to actually do this where you can actually come across it systematically and you can prioritize.

All right, so let’s jump in once again. I know it’s impossible for me to get through a talk anymore and not talk about this. Right here, the MITRE threat technique matrix.

This is threat intelligence done right. Okay, so how do we actually make this so it’s useful in an organization? So instead of trying to identify every single different type of threat actor that exists and trying to detect that specific threat actor: the attackers are using the exact same techniques.

They may try variations on these techniques, but the overall techniques that they’re using are being used again and again and again in different combinations.

Okay. They’re being used in different combinations. So whenever an attacker looks at their strategy for trying to attack an organization, for initial access in a computer system, they may use standard malware as a macro, they may use a DDE script.

They may try to get someone to click a link and capture credentials through two-factor authentication for, like, Gmail or something like that. But they’ll use these same types of techniques with slight variations.

Once they get on a network, they’re going to start doing things like lateral movement using the exact same techniques: identifying SMB shares, moving laterally in your organization with those SMB shares, trying to use Kerberoasting techniques.

They’re going to use the exact same techniques again and again and again. Now, the possible combinations of all the techniques that you have in something like the MITRE ATT&CK framework is almost infinite.

And that is the key problem of trying to identify atomic indicators of compromise for specific threat actors, and why it is complete garbage to do so.

Because we’re not seeing attackers come up with brand new techniques all the way across the board that we’ve never seen before.

Sierra Ward

They don’t need to.

John Strand

They don’t need to, because the traditional techniques that they use all the time work, so why change?

Sierra Ward

So why would they put a...

John Strand

...lot of work? They may put a lot of work into changing their executable or changing their initial exploit, or maybe even a zero-day. But once they’re on that system, the lateral movement can still be detected.

It can absolutely still be detected. So that’s why, when you’re looking at trying to write specific signatures, somebody mentioned earlier, they’re like, well, what if an attack hurt?

We had a place where there was malware that we detected in an organization with a threat intelligence feed that the vendors didn’t detect for a long time. Okay, but your security architecture shouldn’t be built on just that signature-based detection for the malware.

There should be C2 detection in your organization. There should be lateral movement detection in your organization. There should be behavioral analytics in your organization. You shouldn’t be relying on just that one simple blacklist approach.

And if you start changing the way that you handle threat intelligence feeds, from identifying individual threat actors, and shift that to actually looking at it in its totality and trying to find vendors that can help you identify entire categories of what attackers generally do,

it changes your whole perception of how you use threat intelligence feeds. Instead of taking the idea of blacklisting and developing a blacklist, where we take part of this blacklist and send it to our firewall, another blacklist that goes to our SIEM, another blacklist that goes to our intrusion detection system.

Now you’re systematically catching categories of attacks and techniques. That’s how you can use threat intelligence in such a way that is effective. I thought we had a question come up, or was it already just comments?

Okay, cool.

Sierra Ward

I’ll flush them back to everybody so they can see it. You’re bringing hilarious comments.

John Strand

So now we have tools and we have a framework, finally, when we’re talking about threat intelligence, that we can start seeing these consistencies and patterns, and more importantly, we can start testing these consistencies and patterns in our organization systematically across our entire architecture instead of trying to find an individual threat actor in our organization.

And that is a key differentiator in how we can use threat intelligence in such a way that we can get value out of it. We have tools like Caldera, we have tools like Unfetter, and we also have a number of different scripts.

The Atomic Red Team from Red Canary, Uber’s Metta, and the awesome threat detection sheet. These two things, threat hunting and threat intelligence, inherently need to feed each other.

But the approach that we take across the board needs to be consistent and structural, not looking for individual threat actors in our organization, but instead trying to test our organization across the board and see what types of techniques we can actually detect.

So, getting caught, we’ve talked about this, and this is actually my favorite picture of any of the pictures that we’ve had for years. So we’ve got a couple of...

Sierra Ward

...different things. John said, yeah, I struggle with finding logs and use cases within the matrix.

John Strand

That’s great, because if you actually want that, when you’re talking about different logs, we’re actually starting to get that type of functionality tied back to the matrix.

Let me go jump off screen real quick. Yes, I’m using Edge, but I use Chrome for my day-to-day work and I use a different browser as well. So, JPCERT, there you go.

They’ve had a lot of research recently, over the past couple of months, and if you guys can go out on Twitter and give them a shout-out as well. So here’s one of the examples. Like you’re talking specifically about your SIEM.

Event alert. Event alert. So they had this amazing write-up on detecting lateral movement through tracking of specific event logs in an organization, instead of actually tracking every single event log that an organization can have, which would be terabytes of logs at the end of a week.

They say, these are the event logs that actually matter for these specific techniques. So let me open up the PDF here real quick. Here we go.

So they walk through and they say, here are the event logs you look for, and here’s how you can implement Sysmon to detect these types of attacks. And then also we’ve got seven two, how to enable an audit policy.

Do you want me to send this to you or push it out to everybody?

Sierra Ward

I am sending it out here.

John Strand

I did. OK, we got everyone out there.

Sierra Ward

Yeah.

John Strand

Cool. Now we’re talking about how we can fundamentally change our security architecture. In this example, like the question that was just asked, an event logging strategy to be able to detect a large number of different types of attacks that would exist.

So if I scroll down to the bottom, here are the different tools that they use. Command execution: PsExec, WMIC, scheduled tasks, BeginX, WinRM, WinRS, and BITS for transfer of patches.

Now when you’re looking at these techniques that are used, you’re not actually trying to develop a specific blacklist for a specific attacker, but you’re basically taking an entire category of different techniques that attackers use for lateral movement and developing a baseline of understanding for the event logs that are actually used for that type of detection in your organization.

So somebody mentioned SEC511 by Seth Misenar and Eric Conrad. Absolutely. Also Justin, I think his name is Henderson, has an event logging class

that is absolutely amazing for doing these types of detects, and he’s changing the entire game of event logging instead of log everything and let your SIEM sort it out.

How can we actually develop our event logging in such a way that we can start detecting it as well? So you’ve got all these different techniques for command execution, password and hash dump, malicious communication, remote login, pass the hash, escalating to SYSTEM, capturing domain administrator accounts, using accounts, deleting evidence.

They took all of these different techniques and then they said these are the event logs, let me scroll down. These are the event logs that you can use to identify these specific techniques.

It’s in here, but they went through the actual specific event logs, and I can’t find it, but it’s part of this, part of this. I had it up for my SANS class. So now if we take that back to the MITRE ATT&CK matrix and we go to the technique matrix, we can now cross-reference that and say, our SIEM solution:

We now have the proper event logs that we need to be able to detect that initial execution and lateral movement within our organization and even some of them associated with credential access.

So instead of trying to find one specific combination of these techniques, you can now start taking out entire classes of lateral movement by using the proper event logging and also coupling that with like a robust user behavioral analytics platform and using firewalls to restrict that lateral movement.

That’s what we’re talking about we’re changing security architecture. We’re not trying to find specific threat actors. So we got some questions here.

Sierra Ward

Nick says, how do you define the term threat intelligence?

John Strand

Threat intelligence is exactly what we just got done talking about. In all honesty, Nick did ask that question before we started talking about the MITRE ATT&CK matrix. But when you’re taking the threat techniques that general groups of categories are using and reusing again and again and again and again and again, and you’re systematically changing your architecture in your organization, then you’re using threat intelligence, you’re making intelligent structural decisions on your organization as a whole.

Sierra Ward

And Jorge says, how do you illustrate when you do not block? So it is read for loud, but it can be detected? List the time it takes to detect an alert.

John Strand

Yes, and I think that that’s important. And Jorge is actually another SANS instructor. Fantastic SANS instructor, by the way. And that’s an excellent question.

In fact, when we talk about getting caught, we have a series of different techniques. We can get into a lot more detail whenever we’re doing assessments and organizations. And there’s tools that automate a lot of this.

But what we actually do now is we actually give a full gap analysis when we do this type of, detection. And I think that, like, red was completely missed. Then you have purple means that there was an artifact that was created, but wasn’t actually generated, an alert.

Sorry, I’m talking to you and I’m.

Sierra Ward

Watching you watch them.

John Strand

So this is the type of gap analysis that you can now start doing once again, instead of trying to detect one specific type of threat. Actually, now we can systematically test a wide variety of different techniques using automated tools, and we can adequately identify what is being alerted on properly, what other events are being generated, but there’s no alerts being generated from those events that are coming into our SIEM.

And what types of technologies can we plug into our organization to actually close the gaps in our security architecture? That’s what we need to be looking at for threat intelligence is how can we systematically change our architectures to detect wide categories of attacks rather than trying to identify specific attackers?

So, any other questions?

Sierra Ward

Brandon says turning on logging is the first step. I think most organizations flop on getting the endpoint logs from client endpoints to the SIEM without going over your license limit. Next webcast idea: how to deploy WEF to get those logs.

John Strand

So we actually had a webcast that we did a while ago where we talked about Sysmon and event forwarding with Derek Banks. So if we can find that, if we just go to our blog, do a search on Sysmon, it should be, I think it’s the only hit on Sysmon and how we can actually get those logs and then using Windows Event Forwarding properly to capture that.

And that might be something we can get Justin on from SANS to come in and talk about that, because he talks about it quite a bit as well.

Sierra Ward

Cool.

John Strand

So I know that this is somewhat confrontational, and I also understand that I’m fighting constantly with the way that we look at risk and the way specifically we’re taking that equation of risk and trying to identify threats.

We want to identify, categorize, neutralize individual threat actors. But the problem is we’ve been doing that for so long from a blacklisting detection capability, and this ties yet again back to Sacred Cash Cow Tipping, that individual blacklist attacks do not, shall not, will never work in our organization.

And it seems like the solution around AV blacklisting not working was we had a lot of vendors that scrambled to create a much larger and much more dynamic blacklisting approach in our organizations.

Once again, talking about Rob Lee’s class, talking about Rebekah, who’s a co-author, who’s written the book on threat intelligence. They are not writing books or writing a class about purchasing a threat intelligence feed.

And then magic happens in your organization. I’ve read.

Sierra Ward

That’d be nice.

John Strand

Rebekah’s book. I recommend Rebekah’s book. It’s one of those books that she signed for me. And I’m all geeky that I have this book because nowhere in there does it actually say that. So please understand that just purchasing a feed and expecting someone to implement it across your organization and develop security, it doesn’t work that way.

It has not worked that way. It won’t move forward.

Sierra Ward

What’s the title of the book?

John Strand

Oh, I can pull up the book. I think it’s just, like threat intelligence, actually.

Sierra Ward

And what’s her name?

John Strand

Rebekah Brown. Okay, so, absolutely. She’s one of the co-authors of the threat intelligence class at SANS with Rob M. Lee. And I love Rob.

I love everything he’s done with that class. There’s a couple of small things Rob and I disagree on, but most of those are definitions and academic things, but it’s usually violent agreement. And I can’t recommend that class enough because it’s approaching these threat intelligence views in the right way, not just buying a feed.

Sierra Ward

And Christopher also points out that it’s about consuming and also creating. So, yeah, the class is about both.

John Strand

And that creation is big. And I’m going to get to that here in a second. I’m going to create. I’m going to talk about that here in just a couple of seconds.

Sierra Ward

And here’s the link to the book that I’m shooting out to you guys, though.

John Strand

Thank you so much. And give her a shout on Twitter. She’s kind of in that category of Casey Smith. Casey Smith is someone everyone should be following on Twitter for bypassing security products. And Rebekah is somebody everyone should be following on Twitter.

And then also Rob M. Lee for threat intelligence. And Rob is at Dragos, security specifically for SCADA/ICS systems. And Rebekah is at Rapid7, I believe.

So two great people. So, key takeaways we need to be moving away from. Can we be hacked to what can we detect structurally across our entire organization? And now, now we have a framework to do this.

We didn’t have a framework until MITRE came out. And I honestly believe that that techniques matrix was actually a byproduct. Because if you actually go to the MITRE ATT&CK framework and you look at it, they break down all the different threat actors, the different tools and techniques that they use.

I think that was the initial goal of the MITRE framework, and I think the techniques matrix was a byproduct. But now the techniques matrix has been the main focus for many security professionals that are out there today that are doing this and trying to develop better architectures across their environment.

And we have a large number of tools in their infancy that can actually automate this. So we find those gaps, do gap analysis and fill them. And threat intelligence is a huge part pulling information about what we’re seeing systematically across the board, what are our attackers doing, what things are repeating again and again, which things are rhyming, and what different detective controls can we put in place architecturally to stop them, and then also do detects on them as well.

All right, so doing it the right way, part two. So long story. Also in that class, they were talking about it in FOR578. They have some really, really cool things on actually writing signatures.

So I got into a conversation with a student of mine in, I want to say Toronto, the IANS Forum in Toronto. And he came over and he started talking about how they use threat intelligence techniques in their organization.

And I thought it was brilliant. The way that they use threat intelligence is this organization was targeted by very high profile nation state and organized crime appetite adversaries that were writing brand new attacks at their organization, and they weren’t showing up on threat intelligence feeds.

So what they were doing is once they detected that attack, because they didn’t just do straight signature based detection, unlike one of these techniques, they actually were able to do signature based detection across the entire category.

Like if they would have a firewall hit for lateral movement, they would identify the executable that tried to access the system with a firewall that was enabled. They would analyze that executable. And he said there was a lot of situations where the signature for that executable did not exist.

No one anywhere had seen that executable at all. But the important takeaway was their architecture was built in such a way that they were still able to detect it.

They weren’t trying to write blacklists for absolutely everything. So what they then did is they looked at the overall techniques that that attacker was using that methodology. And instead of basically saying this one signature that was being thrown into our organization, we now can look at how did this email come in?

Where did this email come in from? What were some strings in the email? And they were able to develop their own customized threat intelligence against their organization. This may seem like a distinction without a difference, but it’s huge.

The difference between using threat intelligence correctly and incorrectly is trying to purchase it en masse from a third party that is already out of date, that used against other organizations, which I vehemently disagree with.

To actually detecting attacks in your organization and then taking that threat intelligence and being able to write your own signatures because your vendors have never seen it before.

So that would be a gap. So by the time you submit an executable, the vendors are going to have some time to actually generate that signature. Firewall vendors are going to take some time to write a signature for it. This is a way that they were actually protecting themselves in that gap of detecting the attack that no one had seen before, because it was just for their one organization and the time it took to actually implement architectural, changes in their organization to detect it, this was awesome.

And this makes sense to me. When you’re building your own YARA rules, you’re creating your own threat intelligence against your own organization. That’s magic. And for large scale organizations like DoD level organizations, you can reuse that YARA rule across the multiple different market verticals or the multiple different business units across your organization as a whole.

The other reason that I think is also important is there are situations, and this gets a bit weird, especially with DoD, where you will want to detect an adversary without sending the information to a security vendor to write a signature.

So, to give you an example, if you have an adversary that is attacking you and they’re a very targeted adversary, as soon as you submit your signatures, as soon as you submit your behavioral profiles to a threat intelligence vendor or an AV vendor or any security vendors, they’re going to write signatures to detect that.

As soon as that happens, then the adversary knows that that particular technique has been burnt and they’re going to morph and change what they’re doing in their techniques, in their malware that they’re actually creating in order to bypass.

So there are examples where we’ve worked with customers, where they use their internal threat intelligence to write rules to detect and stop attacks without actually sharing with outside vendors.

Because they want to keep that adversary reusing that exact same technique for as long as humanly possible. Once they share it out, they know it’s burned.

Sierra Ward

We’re good.

John Strand

Wow.

Sierra Ward

I’m just. Don’t you get distracted?

John Strand

Don’t worry about that. I see that you’re actually answering.

Sierra Ward

I am. I am.

John Strand

Sierra. Be a whole pen tester here in just a little bit.

Sierra Ward

Not really. I am learning a lot, though.

John Strand

Doing it right. Part three. There are going to be times where you’re going to have anomalies at your organization. You’re going to have executables that no one has seen before. You’re going to have situations where you’re going to have command and control, going to weird parts of the Internet.

And there are amazing research locations online where you can pull down information about IP addresses, ASNs, different network blocks associated with ASNs, and you can actually identify good neighborhoods, bad neighborhoods.

Are there any historical changes to this particular setup? So let me give you an example. Let’s say an adversary is using multiple domains to try to launch multiple different types of attacks, but they always go back to the exact same range of IP addresses.

While the domains are shifting, the signatures are based on domain. The IP address may be static, or it may be a somewhat fixed set associated with an ASN as part of BGP.

So you can do threat intelligence by looking up the traffic that you’re seeing to a large number of different websites to identify different patterns, for that traffic and looking for potential anomalies.

So there’s great threat intelligence that you can pull down open source and you can utilize their information. I think VirusTotal is probably one of the biggest examples of threat intelligence feeds that we kind of take for granted.

You can submit hashes to VirusTotal and VirusTotal can see if any of the antivirus vendors that are out there have seen a signature for that particular executable in the past. That is in fact open source threat intelligence.

And integrating with that is actually a very good thing as well. So, core questions to close. As I said, this is going to be a short one, and I fully expect we’re going to have a lot of questions.

So key those questions up when you look at threat intelligence. The key questions, two questions that you need to ask yourself, and I’ve repeated this a multitude of times in this webcast: does your threat intelligence help improve, change your architecture?

If you’re using threat intelligence to improve your architecture, by systematically implementing firewall restrictions in your organizations from host to host to host, by implementing VLANs, by implementing user behavioral analytics, by taking JPCERT’s research and tuning your SIEM to actually detect the event logs that are generally used with the different attack techniques and tools that adversaries are using, you’re doing it right.

Congratulations. However, if you’re going through and you’re using threat intelligence to identify individual adversaries and then chasing those adversaries across your organization, you are doing it wrong.

And to take that to another step, if you actually start hunting adversaries in your organizations and you are successful in finding them, that is not a referendum on the value of threat intelligence.

That is basically a referendum against your security vendor, whatever security vendor that you’re using. That means that specific detective control is currently failing in your organization.

And this goes back, I hate to say this, to Six Sigma. When you’re looking at CMMI, when you’re looking at Six Sigma, we’re looking at maturity of processes in an organization.

If your organization requires the herculean efforts of an individual or handful of individuals, you’re at level one. That is not repeatable, that is not reproducible, and more importantly, it is not sustainable.

Moving forward into the future, if you start developing an architecture that gives you more opportunities to actually detect these adversaries and what they’re actually using in their different techniques structurally, then you’re using it correctly and you’re moving up the maturity model once again.

I can’t believe I actually used that, but that analogy actually works because I have far too many security professionals who are brilliant at what they do saying, yeah, well, I received a feed, I created a YARA rule, and we caught it in my environment.

That’s amazing. That’s technically something that you should be very proud of, but you shouldn’t be doing that every day as part of your job. You’re doing security wrong.

And like I said, amazing skills. And you can leverage those skills whenever you have the really advanced, elite stuff that no one has ever seen before come into your organization, use those skills.

But if you’re receiving your threat intelligence feeds and you pick out of 500 different techniques, one or two to search for, and you’re catching it, that’s a referendum against your architecture and what you have implemented. It has nothing to do with you or your skills because that is not sustainable moving forward.

So I hope that doesn’t offend too many people because like I said, mad respect for the skills to be able to do that, but I hope you understand that that’s not something that’s repeatable across your entire organization.

All right, so, okay.

Sierra Ward

Scott says, I’m a newbie and wanting to start working with doing this stuff, but I need a 101 version for this topic.

John Strand

For this topic, I’d recommend Rebekah’s book, a fantastic book for getting started. We shared that link out. And if you want to get started actually doing this and you can get some training, 610 at SANS.

And also the threat intelligence class at SANS is probably the absolute best way to get started because they’ll teach you how to do it right without just trying to be a raw consumer and hunting for adversaries in your network.

Sierra Ward

Okay, Frederick said on the previous slide, what did CBL stand for?

John Strand

Oh, that stands for Composite Blocking List. That’s actually a website. These are all websites. So you have IPVoid, Composite Blocking List, AlienVault, Barracuda. There’s a bunch of different vendors.

I just went and grabbed screenshots, but these are public repositories where you can plug in an IP address or a domain, and you can get threat intelligence about that IP address or that domain and what they’ve actually seen before.

Sierra Ward

Eddie says, who should own or drive threat intelligence? Operations, architecture, engineering, management.

John Strand

Personally, management is always going to be involved, right? Like, if you do not have high level buy in support from management, but ultimately, threat intelligence should be driving your architecture. It should not be driving your day to day operations unless something hideous happens in your organization, but it should be driven by architecture.

Once again, we’re not trying to find individual adversaries. We’re trying to find ways that we can modify our total architecture in our organization.

Sierra Ward

And Ian says, when your data set is too large to rely on any vendor on the market and your tool set is restricted almost exclusively to open source tools and frameworks, are we forced to throw all of your recommendations regarding vendors out the window?

John Strand

No, no, no, because remember, good security is about architecture. Let me actually, I have a slide on this, but I’m going to recreate it here real quick on the fly because I think that that’s an important question.

It’s PowerPoint Engineering 101. So let’s say that we have an asset in our organization. Let’s just do an endpoint. So I’m going to take this and I’m going to go endpoint.

I’m going to change it to white. There we go. So I have an endpoint. So if you are stuck with open source tools and you’re stuck with open source techniques, what are all the different ways, architecturally that we can protect our endpoint to be able to detect these style of attacks in our organization and block these types of attacks in organization?

Well, what we can do is we can fundamentally change the way we look at defense in depth and we can start taking things like, what are the different detective mechanisms that exist for the specific endpoint?

So I’m going to kill the fill, no fill. And then I’m going to generate a new line and I’m going to go line. And I want it to be a white line. There we go. So I’m going to say endpoint protection.

We’re going to choose our avoidance. All right. Oops. Those people are like, I can’t believe he’s doing this with PowerPoint.

Sierra Ward

Look, I think in PowerPoint, PowerPoint is his favorite. I noticed you’re not using Google Slides.

John Strand

No, I’m not using it. No. Actually the original slide deck that I pulled was a shared presentation that I did with IANS and BHIS. So this is the deck I’m using. All right, so now we have AV as an endpoint detection.

I don’t care how poor your organization is, you need to have antivirus in your organization. Right. But that’s not the only detective control that you need to have, for detecting something at the endpoint.

So with your endpoint, you can also use, I’m creating a Venn diagram here. You can also use NetFlow analysis.

And with NetFlow you could put into this entire category. You can use Bro, for an example.

And that’s free, right? And almost all of your firewalls support that. And you can use Security Onion. I’m not going to put the whole Security Onion because that’s a lot to type. Then for your endpoint, you can take all of those different event IDs that JPCERT created.

And you can create a really, really nice, sort of, I’ll just do this, pull these out like that. You can create really, really nice SIEM collection rules using something like SOF-ELK, and you can use your Elasticsearch stack, which is free.

And you can actually develop better SIEM alerts as well.

Sierra Ward

Oh good, Skype has been updated.

John Strand

That’s great. That’s just what I was looking for. And you can take this overlap and this isn’t something that you have to buy products for. I would even go so far as you could say, let’s throw in another one.

Let’s throw in the SIEM. Over here we got NetFlow and then I can grab another circle and I’m going to throw in endpoint firewalling. So over here now I’ve got endpoint firewalls, and that doesn’t cost you any money either.

You can enable your endpoint firewall so workstations cannot talk to each other. So we got endpoints.

Okay, like that, we’ll put that over here and then I could do additional circles around it. Let’s say that you had a SIEM and you’re going to do network segmentation in addition to the firewalls.

So over here you’re going to take networks and you’re going to segment the networks as well, looking for lateral movement. Or you could do, let’s do UBA with JPCERT’s.

Can’t remember what it’s called, but they just released a tool a while ago that allows you to identify user behavioral analytics. So what you’re developing very quickly here, whether or not you’re purchasing a product or not, is you’re developing structural techniques to develop capabilities to detect the actual attacks that you’re seeing threat actors actually work through in your organization.

So you’re not detecting a single threat actor, but you’re developing an architecture in your organization to be able to detect and react to specific attacks, specific categories of attacks, not specific threat actors.

That was a really long answer and I went into full PowerPoint engineering. Did that answer your question?

Sierra Ward

Well, we’ll see. But Earl has another thought. How can I tell management to slow down? We have a threat team now and don’t know a list of our assets for hardware and software. How can we keep our stuff safe if we don’t know where everything exists?

Collecting all the logs, is it a baseline with Windows security application logs, Linux audit logs? A good starting place.

John Strand

All right. 20 Critical Controls, like, we’ve talked about this many times. So in AuditScripts, if you go here, and I’ve talked about this in a number of different webcasts in the past.

In AuditScripts, the first, not even in AuditScripts, the 20 Critical Controls. First two controls are, one, inventory your hardware. Number two, inventory your software. If you don’t know what you have, you cannot protect it.

That’s why we created this framework the way that it was. And I think that telling people to back up and stop playing whack-a-mole, stop trying to chase individual adversaries throughout your network, show them the MITRE ATT&CK matrix and ask them how many possible combinations there are.

And then start having conversations about how you can change your architecture in such a way to systematically start detecting large numbers of different techniques. Dude, it’s a tough sell, right?

Because a vendor shows up and they’re basically trying to sell to that very itchy base, chrome, magnum man idea of threats. And it’s very hard to try to evolve beyond that and start looking at things structurally.

So it’s a tough sell. But yeah, show them the 20 Critical Controls. If you can’t identify what you have, you cannot protect it. And start with a model like this. So start with the assets that you have.

Can we identify our assets? Can we segment our assets? Can we look at attacks against our assets? And so on.

Sierra Ward

Yeah, Rich says every organization I’ve worked for or with can’t seem to get one, two and three done well, but they want the higher ones.

John Strand

Yeah, because they want to go out and buy a product.

Sierra Ward

Because inventorying things is boring and hard to do.

John Strand

And I think we could have a webcast on that topic. Like, how do you do inventory? You can do inventory with Bro. Bro will identify, via user agent strings, IP address and software that’s running on the inside of your environment.

You can inventory with Nessus. Nessus actually does a good job pulling information about the assets that it discovers, as far as the operating system and vendor. You can do inventory with SCCM across your entire environment for software management.

So there’s a lot of ways that you can use existing technologies that you have. You can implement GRR across your entire organization. You can also do logon scripts. So as soon as something joins and logs into Active Directory, you can have it dump the entire software inventory on that system and send it to a centralized server.

There’s so many ways to do this that don’t require you buying a really expensive software package to do it. But, yeah, it’s not sexy. It’s not like. It’s kind of like, we’re telling you, well, in order to keep your room clean, you got to keep it clean every single day.

But kids will dream about a magic robot that cleans their room for them. Now, it’s fictional. It’s never going to happen. But, Dan, they keep dreaming about that, and that’s what management does with security as well.

Sierra Ward

There is a lot of feedback that a webcast on that would be amazing. So we’ll keep it in our hopper. Christopher says Rebekah’s book touches on this, but your best and first source for threat intel should be your tickets, created by the SOC and IR team.

If you can make sure data quality there is spot on, you’ll be leagues ahead of the game.

John Strand

I couldn’t say it any better, Christopher. So, yes, agreed.

Sierra Ward

Jeffrey Wright says I’m going to design the magic robot and rule the world.

John Strand

Yeah, well,

Sierra Ward

What was the name of that? Sorry, we got kind of bombed here. What was the name of the.

John Strand

UBA tool, user behavioral. I got to go to JPCERT and look at it. It’s got kind of a weird name.

Sierra Ward

Do it.

John Strand

Okay, here we go. Just give me a second. Give me a second. Let me go back. I’ve got to go to their research. Let’s go to JPCERT. All right, so they have a specific tool for it.

Sierra Ward

John says we have three tools for asset inventory, but no one wants to use them.

John Strand

It’s because they’re not sexy. LogonTracer. That’s the name of the tool. So LogonTracer ingests your domain controller EVTX files, and it looks for specific event logs that happen in your organization.

And then it does a stacked analysis, and it automatically ranks what systems and which accounts are logged on to the most other systems and accounts to detect that lateral movement. So this is basically doing for free what your SIEM/UBA platform is doing for, like, $85 an endpoint.

Now, mind you, it’s not real time. You go to ingest your event logs to actually look at it, but it generates pretty reports, and it automatically does the ranking. You can click on any of those accounts, and you can see that lateral movement, and it costs you nothing.

Sierra Ward

Also, Frederick says Splunk has a UBA.

John Strand

They do? Yep. Splunk. Actually, every single SIEM on the market today has a UEBA, user and entity behavioral analytics platform, for looking for behavioral patterns that can be indicative of an attack.

Sierra Ward

And then Ian has another question. He’s curious about your thoughts on AV in production.

John Strand

Always, always use AV in production. Always. Like I said, you can bypass a cure. This is important. So when you’re looking at, like, an endpoint, any one of these components can be bypassed.

Any one of these components will be bypassed. So let’s say that somebody says, yes, but we found a piece of malware that none of our AV vendors were able to detect. Therefore, we need threat intelligence feed analysis.

You’re wrong. What you actually need is architecture. Because if the AV detect does not work, then you have overlapping fields of view for your endpoint, for your user behavioral analytics, your NetFlow analysis, your SIEM, and your endpoint firewalls blocking that segmentation of traffic between your endpoints that should never be talking to each other.

So any one of these can be bypassed, and we need to come to grips with that. But if we develop an architecture appropriately, we’ll develop a series of techniques in our organization to detect multiple categories within threat intelligence from somebody like MITRE to be able to detect those attacks.

So, great question.

Sierra Ward

So I think, despite John saying this is really short, we actually went long because you had awesome feedback and awesome questions. So thank you for all of your participation. We do want to announce the t-shirt winner.

So, the winner is Bob. And I think it’s. Did we spell it right?

John Strand

I think that. I think it’s Bob Cabello.

Sierra Ward

I think so, yeah.

John Strand

And we know who Bob is.

Sierra Ward

Yeah. So, Bob, Bob who? That’s you, Bob. Okay. Email me your size and the best address to send it to you.

John Strand

Sierras co. And, Bob, we can find you.

Sierra Ward

Yeah, so. And then our second winner is Brian Chang. Brian Chang, are you on? Dun dun dun. If you’re not on, we’re going to the next one.

John Strand

On to the next one.

Sierra Ward

All right. Can you buy t-shirts? No, you can’t buy t-shirts.

John Strand

We could set up a store. Just have her t-shirts.

Sierra Ward

Oh, my gosh. Are you kidding me?

John Strand

We don’t have to do it here. Someplace else will build it and ship it to them.

Sierra Ward

Well, maybe that’s something we should look into.

John Strand

Press Tony Mirando with that. I need to go. Everybody. Thank you so much. I got another call to jump on. Let’s get out of here. Take care, everybody.

Sierra Ward

Compliance is sexy.

John Strand

Only compliance.

Sierra Ward

Goodbye.