SESSION ID: AIR-W01
Intelligent Threat Intel 'LEAD' Framework
Filip Stojkovski, Threat Intel Manager, Adobe
#RSAC

Threat Intel - 'LEAD' Framework - 101
- CTI (Cyber Threat Intelligence) pain points
- Efficiently and effectively solving the CTI problems
- LEADing a Threat Intelligence program

- Threat Intel pain points
- LEAD CTI Framework
- Threat Intel values

Threat Intel Pain Points - Requirements
No clear CTI requirements = time bomb
Source ref: https://www.sans.org/reading-room/whitepapers/threats/paper/38790

Threat Intel Pain Points - Data
Satisfaction with CTI: share of respondents "Not Satisfied", listed in the order shown on the slide
  Analytics                                                                     34.3%
  Cleanliness and quality of data                                               37.4%
  Context                                                                       35.4%
  Comprehensiveness of coverage                                                 37.4%
  Automation and integration of CTI information with detection and response     39.4%
  Location-based visibility                                                     42.5%
  Identification and removal of expired indicators of compromise (IoCs) and
  other old data                                                                47.6%
  Machine learning                                                              55.9%
List of the biggest pain points for CTI
Source ref: https://www.sans.org/reading-room/whitepapers/threats/paper/38790

The Threat Intel Problems

The Non-Essential Problem
Labels shown on the slide, in order: MUST HAVE, MUST HAVE, MUST HAVE, NICE TO HAVE, MUST HAVE
(applied to the categories of the Sliding Scale of Cyber Security)
Ref: https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240

The Threat Intel Data

Solving the CTI Problem

How To Solve The TI Problem
- RELEVANT
- EFFICIENT
- ANALYST DRIVEN
- DELIVERABLE

'LEAD' Framework Structure
- RELEVANT: Threat Profile + TI Program Requirements
- EFFICIENT: TI Scoring + TI Categorization
- ANALYST DRIVEN: Feedback Loop + Machine Learning
- DELIVERABLE: Standardized TI Data + Metrics

RELEVANT - Creating a Threat Profile

RELEVANT - TI Program Requirements

RELEVANT - Non-IR TI Consumers
- E-commerce (fraudulent payments)
- Code repositories (0-day exploits)
- Customer content moderation
- Piracy

EFFICIENT - TI Scoring & Categorization
Scoring >>> <<< Categorization

ANALYST DRIVEN - Feedback loop
- Automation
- Orchestration
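The EFFICIENT (scoring and categorization) and ANALYST DRIVEN (feedback loop) slides above name the mechanism but do not show it. The following is an added illustration written for this page, not the LEAD framework's own scoring logic or any Adobe code: an assumed scheme in which each indicator's feed confidence is weighted by source reliability, decayed by age with a per-type half-life (so expired IoCs, one of the survey pain points above, drop out automatically), and adjusted by analyst verdicts, then mapped to an assumed set of handling tiers and emitted as one standardized record. The half-lives, thresholds, tier names, record shape and the sample feed are all constructed for the example.

```python
"""Illustrative TI scoring, categorization and IoC expiry with an analyst feedback loop.

Assumed scheme written for this page, not the LEAD framework's own logic.
Per-indicator inputs (all assumed): a per-feed reliability in [0, 1], the feed's
confidence in [0, 100], a last-seen timestamp and a list of analyst verdicts
(True = confirmed malicious, False = false positive).
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumed decay half-lives in days: network infrastructure is re-used or
# cleaned up quickly, file hashes stay valid far longer.
HALF_LIFE_DAYS = {"ipv4": 7.0, "domain": 30.0, "url": 14.0, "sha256": 365.0}
EXPIRY_THRESHOLD = 20.0   # assumed: below this score an indicator is retired


@dataclass
class Indicator:
    value: str
    ioc_type: str
    source: str
    source_reliability: float          # 0.0-1.0 per-feed weighting (assumed)
    confidence: int                    # 0-100 as reported by the feed
    last_seen: datetime
    verdicts: list = field(default_factory=list)


def feedback_factor(verdicts):
    """Analyst feedback loop: confirmed hits raise the score, false positives
    cut it harder. An unreviewed indicator keeps a neutral factor of 1.0."""
    tp = sum(1 for v in verdicts if v)
    fp = len(verdicts) - tp
    return max(0.1, min(2.0, 1.0 + 0.25 * tp - 0.5 * fp))


def age_decay(ind, now):
    """Exponential decay by indicator type, so stale IoCs age out instead of
    lingering in blocklists forever."""
    age_days = max(0.0, (now - ind.last_seen).total_seconds() / 86400.0)
    return 0.5 ** (age_days / HALF_LIFE_DAYS[ind.ioc_type])


def score(ind, now):
    """0-100 score: feed confidence weighted by source reliability, decayed by
    age, then adjusted by analyst feedback (capped at 100)."""
    raw = ind.confidence * ind.source_reliability
    return round(min(100.0, raw * age_decay(ind, now) * feedback_factor(ind.verdicts)), 1)


def categorize(ind, now):
    """Assumed handling tiers: block (auto-enforce), alert (detect only),
    hunt (context only), expired (remove from detection systems)."""
    s = score(ind, now)
    if s < EXPIRY_THRESHOLD:
        return "expired"
    if s >= 70.0:
        return "block"
    if s >= 40.0:
        return "alert"
    return "hunt"


def to_record(ind, now):
    """One standardized, JSON-serializable record per indicator (assumed shape)."""
    return {
        "value": ind.value,
        "type": ind.ioc_type,
        "source": ind.source,
        "score": score(ind, now),
        "category": categorize(ind, now),
        "last_seen": ind.last_seen.isoformat(),
        "verdicts": len(ind.verdicts),
    }


def triage(indicators, now):
    """Split a feed into records to push downstream and values to retire."""
    active, retired = [], []
    for ind in indicators:
        rec = to_record(ind, now)
        (retired if rec["category"] == "expired" else active).append(rec)
    return active, [r["value"] for r in retired]


# Constructed sample feed; addresses come from RFC 5737 documentation ranges.
NOW = datetime(2019, 3, 6, tzinfo=timezone.utc)
SAMPLE_FEED = [
    Indicator("198.51.100.23", "ipv4", "feed-a", 0.9, 90, NOW - timedelta(days=1), [True, True]),
    Indicator("login-update.example.net", "domain", "feed-b", 0.6, 70, NOW - timedelta(days=20)),
    Indicator("192.0.2.10", "ipv4", "feed-a", 0.8, 85, NOW - timedelta(days=30), [False, False, True]),
    Indicator("a" * 64, "sha256", "feed-c", 0.7, 80, NOW - timedelta(days=100), [True]),
]

if __name__ == "__main__":
    active, retired = triage(SAMPLE_FEED, NOW)
    for rec in active:
        print(f'{rec["category"]:8} {rec["score"]:5} {rec["type"]:7} {rec["value"]}')
    print("retire:", retired)
```

Running it on the constructed feed shows the three effects the slides ask for: the fresh, twice-confirmed IP is pushed to block; the month-old IP with two false-positive verdicts falls below the expiry threshold and is returned in the retire list for removal from detection systems; the unreviewed domain lands in hunt with a neutral feedback factor. Feeding the verdicts back from the SOC is what makes the scoring analyst driven rather than a static feed confidence.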
ANALYST DRIVEN - Feedback loop & Machine Learning

ANALYST DRIVEN - Machine Learning use-cases
- Dynamic TI: apply ML to the feedback loop for automated scoring and categorization
- Data mining: predict adversary TTPs and infrastructure

DELIVERABLE - Standardized Threat Intel Format

DELIVERABLE - Metrics
- Actor driven: actor-driven metrics will betray you in the long run.
- How and where: start with how and where threat intelligence is actually used.
- Audience: tactical / operational / strategic

LEAD CTI Framework - Key Takeaways