[Dailydave] The Blue Pill of Threat Intelligence

Zack Payton zpayton at gmail.com
Wed Oct 15 23:22:31 EDT 2014


Happens all the time, we call it shiny object syndrome.
Some sexy new concept emerges claiming to be a silver bullet and the whole
industry shifts.  I hear about people wanting to get access to threat intel
w/o even being able to do basic logging/patching/firewall management.  In
reality, the majority of the work is setting up your environments to data
collectors with appropriate sources.  Most people go down the road of
trying to shoehorn in some product that's going to solve all of your
problems and I think that is the fork in the road Dave was referring to: do
they lock the threat feeds into their products and force customers into
long purchase cycles or do they merely sell or trade the feeds and allow
customers to make their own choices about what to do with that data.

If you can't tell, I'm a fan of the latter approach as I think everybody
wins (aside from the product vendors' margins).  It opens up the freedom to
use feeds from one vendor with the tech from another.  What about small
shops that don't have a software product and only sell feeds?  Will they
get locked out when Bit9 replaces AV?  Will they support 3rd party feeds?

I love the idea of TAXI exchanges though I think the STIX format is lacking
though I know they are working hard to improve it.  I've been tossing the
idea around of having collectors that pub/sub things to internal TAXI
exchanges that get fed through your event handling frameworks so that we
can constantly add different IoCs and anomaly models on the fly.
Communication models and KFF databases should ideally be built
automatically as code is promoted from load test / QA into production.
Unfortunately, most people aren't ready for that because they claim they
can't afford to have true test environments but I would imagine the reality
is that they could spend far less on security if you were to have adequate
test environments to build their baselines for much better behavioral
analysis rather than a signature based model which economics dictate will
inevitably fail.

Z

On Wed, Oct 15, 2014 at 5:45 PM, al bell <ab4250 at gmail.com> wrote:

> I wonder how many organizations go down the (expensive and time consuming)
> road of consuming external threat feeds before they have fully instrumented
> their own internal high fidelity threat feeds.
>
>
> Al
>
> On Wed, Oct 15, 2014 at 11:53 AM, Zack <zpayton at gmail.com> wrote:
>
>> Let me start with the statement that I have mad love for Dave.  While I
>> loved the article Dave and mostly agree with you, I wanted to note a few
>> things.  To be completely fair, your article was written by someone selling
>> something that competes for budget dollars with av products and this email
>> post is written by someone who consumes consumes data feeds from an array
>> of 'sensors' whether those sensors are vuln reports written by offensive
>> security teams, AV logs, or threat intelligence feeds from various groups
>> (IRC channels of actors / private TAXI exchanges).
>>
>> In your article you state that threat intel is sold on a per host basis
>> and requires an agent.  While this is true in some cases (I'm looking at
>> you carbon black / bit9), I really see them more as an agent that sources
>> indicators aggregated from private and public sources.  The point, dear
>> reader, is don't misconstrue threat intel from products.  Threat intel is a
>> data stream (though the feed itself can be a product) of information
>> valuable to your Situational Awareness.  If some vendor wants to include
>> the automata that acts on that data stream well that's another fucking
>> product.
>>
>> Ultimately, data relevant to your environment is valuable and as Dave
>> hinted at, some of the best threat intelligence comes from your own data
>> sources: DNS queries, process hashes, netflow data,
>> authentication/authorization audit logs, proxy logs.  Those are all high
>> value threat feeds because they 100% apply to you.  Threat intel coming
>> from external parties can be valuable as well but is more noisy: how many
>> of those 100,000,000 known C2 domains are you really gonna see on your
>> network?
>>
>> No data stream is gonna be complete and correlating multiple streams
>> together based on what's available and valuable to your environment is
>> key.   Personally I find that modeling your normal usage patterns and
>> alerting based on anomaly to be less noisy but I also find value in lists
>> of known bad domains / ip / whatever.
>>
>> In the end, using these feeds to ply your SA impacts judgment (automated
>> or manual) and everything else in your ecosystem is just a data stream you
>> use to augment your perception.  I advocate mastering your least noisy
>> streams first and try to see each intel feed / data stream as just another
>> input.  The value of data streams coming from AV is rapidly diminishing if
>> not already so noisy as to be useless.
>>
>> I saw a talk in Vegas about measuring the IQ of your threat feeds and
>> while the talk wasn't that groundbreaking it did leave some interesting
>> food for thought: mainly diffing various intel feeds to get a fuzzy feeling
>> of unique content.  Running through the mental exercise I realized that
>> your internal data feeds are going to have a lot more unique content that
>> is directly applicable to you meanwhile more than 99% of data from most
>> external sources were never applicable.
>>
>> Z
>>
>> > On Oct 15, 2014, at 8:59 AM, Dave Aitel <dave at immunityinc.com> wrote:
>> >
>> >
>> http://www.fierceitsecurity.com/story/threat-intelligence-problem/2014-10-13
>> >
>> > In this article I go over "Threat Intelligence". And I'm a little hard
>> > on it because I think it has to make a choice, and soon. In one hand, is
>> > a pill that takes it down the road to AV-like financial success, but
>> > strategic failure. And in the other hand, the current models are only
>> > stepping stones towards offerings that provide true strategic
>> > situational awareness to their clients, so their clients can build
>> > customized incident response programs that really work.
>> >
>> > Honestly, I think because of the way VC-funded firms work, we may end up
>> > taking the blue pill, which is unfortunately for companies, but good for
>> > those of us doing offense.
>> >
>> > -dave
>> >
>> >
>> > _______________________________________________
>> > Dailydave mailing list
>> > Dailydave at lists.immunityinc.com
>> > https://lists.immunityinc.com/mailman/listinfo/dailydave
>> _______________________________________________
>> Dailydave mailing list
>> Dailydave at lists.immunityinc.com
>> https://lists.immunityinc.com/mailman/listinfo/dailydave
>>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.immunityinc.com/pipermail/dailydave/attachments/20141015/459ab143/attachment-0001.html>


More information about the Dailydave mailing list