Slide 1: How to Make Cyber Threat Intelligence Actionable
Ft. Gordon Cyber Security & Technology Day
Ryan O’Daniel, CISSP, Systems Engineer | FireEye Federal Team
March 10, 2016
Copyright © 2015, FireEye, Inc. All rights reserved. CONFIDENTIAL

Slide 2: Introductions
Who am I?
- Systems Engineer
- Support DoD & IC
- Before working at FireEye I supported: IC customer, DIA, Army
Agenda
- What is Threat Intel
- Why Intelligence is Essential
- What’s your Outlook
- FireEye Threat Intelligence
- Making Threat Intelligence Actionable I
- Making Threat Intelligence Actionable II
- Q&A

Slide 3: What Is Threat Intel?
- Threat Actors
- Threat Sponsors
- Regional Trends
- Malware Families
- Botnets & E-Crime
- Industry Threats
- Financial Threat Actors
- Tactics, Techniques, and Procedures

Slide 4: Why Intelligence Is Essential
Evolving threat landscape
- Professional attackers: determined, organized, well funded
- Persistent tactics: targeted, innovative, customized
- Sophisticated tools: multi-flow exploits, sandbox detection, obfuscation
Security posture must focus on threats, not malware
- Tactical intelligence: detect and prevent
- Contextual intelligence: inform your response
- Strategic intelligence: proactively stay ahead of attackers
- 80%: observed malware that shows up once
- 68%: observed malware that appears in only one organization

Slide 5: FireEye: An Intelligent Combination
(Diagram: Adversary -> Breach -> Victim, with Actionable Intelligence fed back across the chain)
iSIGHT (forward-look data)
- Forward looking, high fidelity, adversary focused intelligence and actionable advice
- A global intelligence collection presence tracking adversaries and operating infrastructure
- Intel-led capability development services
- Comprehensive API to consume intelligence across security infrastructure
FireEye DTi
- 24x7x365 visibility through 6 worldwide SOCs
- 45 billion URLs analyzed each month
- 340 million correlation relationships defined
- 212 petabytes of sensor traffic analyzed each month
Mandiant (post-breach)
- 100k hours of incident response per year
- Major headline breach response
- 300+ threat groups tracked
- 200+ consultants

Slide 6: FireEye Threat Intelligence
- 11M+ VM detonations per hour deployed worldwide, sharing threat intel back
- 100+ consulting engagements “close to breach”
- Intel database: patented 115 million node graph-based engine, mines data with 600 terabytes of storage and 500M+ captured network streams
- 30+ threat groups tracked in addition to 400+ cells of uncategorized origin
- 100+ vendors in one of the largest global malware and intel exchange networks
- 100+ FireEye as a Service customers
- Malware triaging systems use proprietary sandboxing, machine learning, and genotyping technology to identify new samples of interest and to automatically extract indicators
- 17+ compromised computers check in with FireEye each hour
- 15+ current industry-specific threat profiles, with 10 recurring monthly snapshots and quarterly threat trend reports
- 24x7 monitoring of attacker command and control servers
- 400,000 unique malware samples gathered every day
- Team of 45+ intelligence analysts and foreign policy experts from NSA, CIA, DIA, FBI and the military putting intelligence into context
- 20M zero-day exploit discoveries since 2013
- External data collection
- 41K stolen files comprised from GB of compressed data
- Landmark report which shifted the industry dialog: Exposing APT1

Slide 8: How to Make Cyber Threat Intelligence Actionable (I)
- Know your industry
- Go beyond tactical intelligence
- Understand why you’re being attacked
- Use intelligence as a strategy to know when you must take action
- Allow intelligence to guide you on how to respond to threats
- Use intelligence to operate proactively and anticipate likely cyber threats

Slide 9: How to Make Cyber Threat Intelligence Actionable (II)
- Participate in and contribute to community threat intelligence
- Share
- Automate & orchestrate
- Wrap intelligence around your notifications
- Enrich your alerts
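The two "actionable" slides above describe the practice in bullets only. The following is an added example, not code from the deck or from FireEye, of what "enrich your alerts" and "know your industry" look like in a pipeline: each raw alert is matched against a small intel set (indicator, attributed actor, TTP, confidence, targeted sectors) and given a priority that rises when the intel is high confidence and the actor is known to target the organisation's own industry. Every indicator, actor name, alert, field name and the `MY_SECTOR` value is constructed for the demo; a real deployment would load `INTEL` from a feed or vendor API.

```python
"""Added example (not from the FireEye deck): enrich raw alerts with
threat-intelligence context so the analyst sees actor, TTP and relevance
to the organisation's industry, and can decide when to act.

Every indicator, actor name, alert and field name below is constructed
for this demo; a real deployment would load INTEL from a feed or API.
"""
import ipaddress
from typing import Optional

MY_SECTOR = "defense"  # assumption: the organisation's own industry

# Constructed intel records. "targets" lists sectors the actor is known to
# pursue; "confidence" is the analyst's 0-100 confidence in the indicator.
INTEL = [
    {"indicator": "198.51.100.23", "kind": "ip", "actor": "DEMO-GROUP-1",
     "confidence": 90, "ttp": "credential phishing landing page",
     "targets": ["defense", "government"]},
    {"indicator": "evil-updates.example", "kind": "domain", "actor": "DEMO-GROUP-2",
     "confidence": 60, "ttp": "malware C2 over HTTPS",
     "targets": ["finance", "defense"]},
    {"indicator": "203.0.113.0/24", "kind": "cidr", "actor": "DEMO-GROUP-3",
     "confidence": 50, "ttp": "scanning infrastructure", "targets": ["energy"]},
]


def indicator_matches(record: dict, value: str) -> bool:
    """Match one observed value against one intel record by indicator kind."""
    kind, ind = record["kind"], record["indicator"].lower()
    value = value.lower().rstrip(".")
    if kind == "ip":
        return value == ind
    if kind == "cidr":
        try:
            return ipaddress.ip_address(value) in ipaddress.ip_network(ind, strict=False)
        except ValueError:  # observed value is not an IP address at all
            return False
    if kind == "domain":
        # exact domain or any subdomain of it
        return value == ind or value.endswith("." + ind)
    return False


def lookup(alert: dict) -> Optional[dict]:
    """Return the highest-confidence intel record matching any observable in the alert."""
    matches = []
    for fld in ("dst_ip", "domain"):
        value = alert.get(fld)
        if value:
            matches.extend(r for r in INTEL if indicator_matches(r, value))
    return max(matches, key=lambda r: r["confidence"]) if matches else None


def priority(confidence: int, targets_our_sector: bool) -> str:
    """Constructed triage rule: high confidence plus relevance to our industry first."""
    if confidence >= 80 and targets_our_sector:
        return "P1"
    if confidence >= 80 or targets_our_sector:
        return "P2"
    if confidence >= 40:
        return "P3"
    return "P4"


def enrich(alert: dict) -> dict:
    """Return a copy of the alert carrying an 'intel' block and a 'priority'."""
    out = dict(alert)
    rec = lookup(alert)
    if rec is None:
        out["intel"] = None       # no context: stays in the default queue
        out["priority"] = "P4"
        return out
    relevant = MY_SECTOR in rec["targets"]
    out["intel"] = {
        "matched": rec["indicator"], "actor": rec["actor"], "ttp": rec["ttp"],
        "confidence": rec["confidence"], "targets_our_sector": relevant,
    }
    out["priority"] = priority(rec["confidence"], relevant)
    return out


def triage(alerts: list) -> list:
    """Enrich every alert and order the queue with P1 first."""
    return sorted((enrich(a) for a in alerts), key=lambda a: a["priority"])


# Constructed alerts, shaped like what a detection pipeline might emit
ALERTS = [
    {"id": "A-1", "src_ip": "10.0.0.5", "dst_ip": "198.51.100.23", "rule": "outbound to new host"},
    {"id": "A-2", "src_ip": "10.0.0.9", "domain": "cdn.evil-updates.example", "rule": "dns query"},
    {"id": "A-3", "src_ip": "10.0.0.7", "dst_ip": "203.0.113.77", "rule": "outbound to new host"},
    {"id": "A-4", "src_ip": "10.0.0.3", "dst_ip": "192.0.2.10", "rule": "outbound to new host"},
]

if __name__ == "__main__":
    for a in triage(ALERTS):
        print(a["priority"], a["id"], a["intel"])
```

The matching deliberately goes beyond exact string equality (CIDR ranges, subdomains of a listed domain) because that is where a naive indicator lookup silently misses; the priority rule is the place where "know your industry" becomes a concrete input rather than a slogan.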