Presented at
Black Hat Asia 2019,
March 29, 2019, 11:45 a.m.
(60 minutes).
<p>Threat Intelligence is a sound proposition that has its place in a mature security operation. But like so many good concepts in our industry, its path to commercialization has involved commoditization to the point of potentially dangerous over-simplification.</p><p>Intelligence is supposed to be non-obvious, actionable value-added information that is only available through some form of processing and interpretation. In truth, however, the basic premise of most commercial products is that if an entity has been observed acting maliciously in one location, then it should also be expected at other locations and prepared for.</p><p>On this premise, Threat Intelligence feeds are sold at hundreds of thousands of dollars a year.<br><br><strong></strong>Does it work?</p><p>This talk will present an analysis of the ability of Threat Intelligence to predict malicious activity on the Internet.</p><p>Our analysis involves the investigation of over a million Internet threat indicators over a period of six months. Notably, we've used a diverse set of sensors on real-world networks with which to track a range of malicious activities on the Internet, including port scans, web application scans, DoS & DDoS and exploits.</p><p>We track the malicious IP addresses detected, looking at their behavior over time and mapping both 'horizontal' correlations - the ability of one sensor to predict activity on a different sensor, or one target to predict for another target - and 'vertical' correlations - the ability of a sensor to predict persistence or re-appearance of an IP indicator.</p><p>By examining these two set of correlations we believe we can shed some light of the value proposition of basic Threat Intelligence offerings and, in doing so, improve our understanding of their place and value in our security systems and processes.</p>
Presenters:
-
Charl van der Walt
- Founder & Chief Strategy Officer, SensePost SecureData
Charl van der Walt is the original founder of SensePost - a pen testing company in South Africa and in the UK - where he still sits on the board. He has acted in various roles there, including CEO for about five years. After they sold SensePost to SecureData, he took a diverse role with the group that includes leading its research unit, directing security strategy, and leading the "Security Intelligence Unit," which (amongst other things) runs a significant Managed SIEM and Threat Hunting (MDR) Operation. He has spoken on a variety of occasions over the duration of his career, including Black Hat, HITB, Defcon, NATA CCDCOE, BSides, and 44Con.
Links:
Similar Presentations: