RVAs3c: David Bianco: Pyramid of Pain: Intel-Driven Detection/Response to Increase Adversary's Cost

There's more to good threat intelligence than lists of domains or IPs, and it's useful for more than just finding bad actors in your environment. What if I told you that you could use threat intelligence not only to get better at detecting and responding to incidents, but also to make your attackers' lives significantly more difficult, to drive up the costs of their operations and to potentially make it so expensive to operate against you that they give up? Sound too good to be true?
In this talk, I'll cover a practical, proven framework for applying threat intel to incident detection and response. The framework's centerpiece is the Pyramid of Pain. The result of nearly 5 years' experience directing the global detection program for a Fortune 5 company, the Pyramid is a blueprint for turning your incident response capability into an offensive weapon to cause pain for your attackers.
************
Presented at RVAsec 2014: rvasec.com/
00:05:00 - The speaker discusses his approach to enterprise security monitoring, which involves filtering all data through a layer of threat intelligence collected and analyzed by an intelligence group.
00:10:00 - The speaker describes the process of detection and response in a large organization, highlighting the importance of intelligence flowing in both directions to continually refine the process.
00:15:00 - The speaker discusses the process of analyzing data and determining which pieces are important for detection. Indicators are pieces of data that point to a conclusion, but they do not validate or vet the conclusion.
00:20:00 - Bianco emphasizes the importance of effective detection and response capabilities and gives an example of how a Fortune 5 company enforced a policy that any detected incidents must be contained within one hour.
00:25:00 - The Pyramid of Pain measures the usefulness of different types of intelligence based on how much pain they bring to the adversary when detected and responded to quickly.
00:30:00 - The speaker discusses how IP addresses and domains can be easily changed, making it challenging to capture them all. He highlights the importance of being aware of the various ways domains can be expressed.
00:35:00 - The artifacts layer of intel-driven detection and response includes network, host-based, and log-based artifacts, which reveal distinctive patterns that identify malware samples and the nature of the attack.
00:40:00 - Intel-driven detection and response can identify an adversary's toolset and tailor the detection layers to detect and respond to those tools. The Pyramid of Pain framework can increase an adversary's cost of operations.
00:45:00 - Disrupting TTPs can increase an adversary's cost and make them question their commitment to operating in a specific environment. Bianco explains the differences between TTPs and tactics and techniques and encourages attendees to use the Pyramid of Pain when gathering intelligence to inform their decisions.
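The summary above describes matching intelligence at different pyramid levels (IPs and domains that change easily, network artifacts such as User-Agent strings, and TTPs) and the need to recognise the several ways one domain can be written. The following Python is an added example, not code from the talk or from the RVAsec page: it normalises domains before matching, checks constructed indicators against constructed proxy-log lines, adds one behaviour-based (TTP-level) check for regular beaconing, and ranks every hit by its pyramid level. The log layout, the indicator values (RFC 5737 documentation IPs, the `ConstructedBot` User-Agent, the `evil-example.com` domains) and the `PAIN` scale are all assumptions made for the example.

```python
"""Pyramid-of-Pain ranked indicator matching over constructed proxy logs.

Added example (not from the talk). All indicators and log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, NamedTuple

# Pyramid levels, least to most painful for the adversary to change (assumed scale).
PAIN = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}


class Hit(NamedTuple):
    level: str       # pyramid level of the indicator that fired
    indicator: str   # what matched
    line_no: int     # 1-based log line where it (first) matched


def normalize_domain(name: str) -> str:
    """Canonical form so one domain written several ways matches once:
    trim whitespace and the trailing dot, lowercase, IDNA-encode non-ASCII labels."""
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:  # malformed label: keep the lowercase form rather than drop it
        return name


def parse_line(line: str) -> Dict[str, object]:
    """Constructed log layout: '<iso timestamp> <src ip> <dst ip> <domain> <user agent>'."""
    ts, src, dst, domain, ua = line.split(" ", 4)
    return {"ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "domain": normalize_domain(domain), "ua": ua}


# Constructed indicators; the domain entries are deliberately written in messy forms.
INDICATORS = {
    "ip": {"203.0.113.45"},                                   # RFC 5737 test range
    "domain": {"EVIL-Example.COM.", "exämple-evil.com"},      # mixed case, trailing dot, IDN
    "artifact": [re.compile(r"ConstructedBot/\d+\.\d+")],     # User-Agent pattern
}


def match_indicators(lines: List[str]) -> List[Hit]:
    """String-level matching for the ip, domain and artifact levels."""
    wanted_domains = {normalize_domain(d) for d in INDICATORS["domain"]}
    hits: List[Hit] = []
    for n, raw in enumerate(lines, 1):
        rec = parse_line(raw)
        if rec["dst"] in INDICATORS["ip"]:
            hits.append(Hit("ip", rec["dst"], n))
        if rec["domain"] in wanted_domains:
            hits.append(Hit("domain", rec["domain"], n))
        for pat in INDICATORS["artifact"]:
            m = pat.search(rec["ua"])
            if m:
                hits.append(Hit("artifact", m.group(0), n))
    return hits


def detect_beaconing(lines: List[str], min_count: int = 4, jitter_s: float = 5.0) -> List[Hit]:
    """TTP-level check: one host contacting one destination at a near-constant interval.
    It does not depend on which domain or User-Agent the implant presents."""
    by_pair = defaultdict(list)
    for n, raw in enumerate(lines, 1):
        rec = parse_line(raw)
        by_pair[(rec["src"], rec["dst"])].append((rec["ts"], n))
    hits: List[Hit] = []
    for (src, dst), events in by_pair.items():
        if len(events) < min_count:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        if max(gaps) - min(gaps) <= jitter_s:
            period = round(sum(gaps) / len(gaps))
            hits.append(Hit("ttp", f"beacon {src}->{dst} every ~{period}s", events[0][1]))
    return hits


def triage(lines: List[str]) -> List[Hit]:
    """All hits, most painful pyramid level first, then by log order."""
    hits = match_indicators(lines) + detect_beaconing(lines)
    return sorted(hits, key=lambda h: (-PAIN[h.level], h.line_no))


# Constructed sample log: four beacons from 10.0.0.5, two benign lines from 10.0.0.7.
LOG = [
    "2014-06-05T10:00:00 10.0.0.5 203.0.113.45 EVIL-EXAMPLE.COM. Mozilla/5.0 (compatible; ConstructedBot/1.0)",
    "2014-06-05T10:01:00 10.0.0.5 203.0.113.45 evil-example.com Mozilla/5.0 (compatible; ConstructedBot/1.0)",
    "2014-06-05T10:02:01 10.0.0.5 203.0.113.45 exämple-evil.com Mozilla/5.0 (compatible; ConstructedBot/1.1)",
    "2014-06-05T10:03:00 10.0.0.5 203.0.113.45 evil-example.com Mozilla/5.0 (Windows NT 6.1)",
    "2014-06-05T10:00:30 10.0.0.7 198.51.100.9 example.org Mozilla/5.0 (Windows NT 6.1)",
    "2014-06-05T10:47:10 10.0.0.7 198.51.100.9 example.org Mozilla/5.0 (Windows NT 6.1)",
]

if __name__ == "__main__":
    for hit in triage(LOG):
        print(f"pain={PAIN[hit.level]} {hit.level:<8} line {hit.line_no}: {hit.indicator}")
```

Line 4 of the sample shows why the higher levels matter: the User-Agent artifact is gone and the domain could be rotated as easily, but the beaconing rule still fires because the implant's behaviour has not changed, which is the kind of detection that forces the adversary to rework their tooling rather than swap an indicator.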

Comments: 2

  • @FaRaH_xi · 3 years ago

    Great!

  • @NassimDhaher · 2 years ago

    Here is a more recent HTTP User-Agent from Mozilla Mozilla/5.0 (compatible; MSIE 9.0; Windows Phone OS 7.5; Trident/5.0; IEMobile/9.0)