Data-Driven Threat Intelligence: Metrics on Indicator Dissemination and Sharing

Presented at Black Hat USA 2015, Aug. 5, 2015, 1:50 p.m. (50 minutes)

For the past 18 months, Niddel have been collecting threat intelligence indicator data from multiple sources in order to make sense of the ecosystem and try to find a measure of efficiency or quality in these feeds. This initiative culminated in the creation of Combine and TIQ-test, two of the open source projects from MLSec Project. These projects have been improved upon for the last year and are able to gather and compare data from multiple Threat Intelligence sources on the Internet.

We take this analysis a step further and extract insights form more than 12 months of collected threat intel data to verify the overlap and uniqueness of those sources. If we are able to find enough overlap, there could be a strategy that could put together to acquire an optimal number of feeds, but as Niddel demonstrated on the 2015 Verizon DBIR, that is not the case.

We also gathered aggregated usage information from intelligence sharing communities in order to determine if the added interest and "push" towards sharing is really being followed by the companies and if its adoption is putting us in the right track to close these gaps.

Join us in an data-driven analysis of over an year of collected Threat Intelligence indicators and their sharing communities!

Presenters:

• Alexandre Sieira - Niddel
  Alex Sieira is the CTO of Niddel and a principal at MLSec Project for the last year. He has over 12 years dedicated to information security consulting, managed security services and R&D teams. He is an MBA, CISSP, CISA, besides some other product-specific acronyms. Alex has experience with a great range of security technology and standards, and has gained many gray hairs establishing SOC and SIEM services for large enterprises. He is currently focused on building the information security product his past self would have killed for.
• Alex Pinto - Niddel
  Alex Pinto is the Chief Data Scientist of Niddel and the lead of MLSec Project. He is currently dedicating his waking hours to the development of machine learning algorithms and data science techniques to support the information security monitoring practice. So far, he has presented the results of his research at multiple conferences, such as Black Hat USA, DEFCON, BSidesLV, BayThreat and ISC2 Security Congress.He has almost 15 years dedicated to all-things information security, and 3 years in Data Science related work. If you are into certifications, Alex is currently a CISSP-ISSAP, CISA, CISM, and PMP. He was also a PCI-QSA for almost 7 years, but is almost fully recovered from that.

Links:

• https://www.blackhat.com/us-15/briefings.html#data-driven-threat-intelligence-metrics-on-indicator-dissemination-and-sharing
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - Data Driven Threat Intelligence Metrics On Indicator Dissemination And Sharing.srt (subtitles)
• https://infocon.org/cons/Black Hat/Black Hat USA/Black Hat USA 2015/video/Black Hat USA 2015 - Data Driven Threat Intelligence Metrics On Indicator Dissemination And Sharing.mp4
• https://www.youtube.com/watch?v=6JMEKnes-w0
• https://www.blackhat.com/docs/us-15/materials/us-15-Pinto-Data-Driven-Threat-Intelligence-Metrics-On-Indicator-Dissemination-And-Sharing.pdf

Similar Presentations:

• THOTCON 0x7 (2016) / Sharing is Caring: Understanding and measuring Threat Intelligence Sharing Effectiveness
• BSidesSF 2016 / Sharing is Caring: Understanding and measuring Threat Intelligence Sharing Effectiveness
• DEF CON 22 (2014) / Measuring the IQ of your Threat Intelligence feeds