Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Building Effective Threat Intelligence Sharing

Scott J. Roberts
July 23, 2017
Technology
1
110

Building Effective Threat Intelligence Sharing

A SANS Webex I did... awhile ago?

Scott J. Roberts

July 23, 2017
Tweet

More Decks by Scott J. Roberts

See All by Scott J. Roberts
Tortured Responders Dept - Scott & Rebekah's Edition
sroberts
0
94
Skynet the CTI Intern: Building Effective Machine Augmented Intelligence
sroberts
0
67
DRIVING INTELLIGENCE WITH MITRE ATT&CK: LEVERAGING LIMITED RESOURCES TO BUILD AN EVOLVING THREAT REPOSITORY
sroberts
0
31
Exploring Threat Intelligence: Insights and Tools from Vertex Synapse
sroberts
0
23
Homemade Ramen & Threat Intelligence
sroberts
2
490
Introduction to Open Source Security Tools
sroberts
3
4.8k
Japanese Manufacturing, Killer Robots, & Effective Incident Handling
sroberts
0
110
Crisis Communication for Incident Response
sroberts
1
320
Hipster DFIR on OSX - BSidesCincy
sroberts
3
3.2k

Other Decks in Technology

See All in Technology
強いチームと開発生産性
onk
PRO
35
12k
Engineer Career Talk
lycorp_recruit_jp
0
190
Security-JAWS【第35回】勉強会クラウドにおけるマルウェアやコンテンツ改ざんへの対策
4su_para
0
180
20241120_JAWS_東京_ランチタイムLT#17_AWS認定全冠の先へ
tsumita
2
300
Zennのパフォーマンスモニタリングでやっていること
ryosukeigarashi
0
210
TypeScript、上達の瞬間
sadnessojisan
46
14k
SDN の Hype Cycle を 一通り経験してみて思うこと / Going through the Hype Cycle of SDN
mshindo
1
120
[CV勉強会@関東 ECCV2024 読み会] オンラインマッピング x トラッキング MapTracker: Tracking with Strided Memory Fusion for Consistent Vector HD Mapping (Chen+, ECCV24)
abemii
0
230
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
1
300
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
200
rootlessコンテナのすゝめ - 研究室サーバーでもできる安全なコンテナ管理
kitsuya0828
3
390
障害対応指揮の意思決定と情報共有における価値観 / Waroom Meetup #2
arthur1
5
490

Featured

See All Featured
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
YesSQL, Process and Tooling at Scale
rocio
169
14k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
Thoughts on Productivity
jonyablonski
67
4.3k
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
Building Your Own Lightsaber
phodgson
103
6.1k
Helping Users Find Their Own Way: Creating Modern Search Experiences
danielanewman
29
2.3k
4 Signs Your Business is Dying
shpigford
180
21k
Scaling GitHub
holman
458
140k
GitHub's CSS Performance
jonrohan
1030
460k
Gamification - CAS2011
davidbonilla
80
5k

Transcript

  1. Building Effective CTI Sharing

  2. Scott J Roberts

  3. Comments? Use #ctisharing and/or @sroberts

  4. Table Stakes

  5. Talk to Legal

  6. TLP https://www.us-cert.gov/tlp

  7. • WWWWH&W • Example: My Story • What To Do

    Next?

  8. Why?

  9. Your Security Will Improve

  10. You Will Improve Others Security

  11. Share More Get More

  12. A rising tide raises all boats

  13. When?

  14. Ingestion vs. Production

  15. When You’re Ready to Act

  16. When You’re Ready to Reciprocate

  17. When You Can Be Confident

  18. Who?

  19. Formal Groups

  20. Open Source Groups

  21. Informal Groups

  22. BONUS: Orgs With Similar Technology...

  23. BONUS: Competitors

  24. What?

  25. Indicators of Compromise

  26. Tactics, Techniques, & Procedures

  27. Reports

  28. Techniques, Methods, & Capabilities

  29. (Legally Required) Pyramid of Pain https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html

  30. Sharing Hierarchy of Value* * The Author acknowledges this is

    a rip off

  31. How?

  32. Don’t Ask to Join

  33. Be Trusting

  34. Be Trustworthy

  35. Be Action Oriented

  36. BONUS: The Best Groups Have A Written Set of Expectations

    & Procedures

  37. Where?

  38. Mailing Lists

  39. Chat

  40. Semi Structured

  41. Threat Intelligence Platform

  42. Hybrid

  43. Example: My Story

  44. This is Kyle @kylemaxwell

  45. Kyle & I started a Slack

  46. We Invited Folks We Knew Shared Tools & Techniques We

    Invited More Folks

  47. Kyle Invited Mark @markpars0ns

  48. Mark Invited Me to Another Slack

  49. Met New Folks Shared Intelligence Collaborated On Investigations Demonstrated Value

    to My Boss

  50. So I Invited My Coworker John @swannysec

  51. What To Do Next?

  52. What To Do Next • • • • • •

  53. Go Make Friends & Share Intelligence

  54. Join Me @ SANS Rocky Mountain 2017 for FOR578