
Building an Open Source Threat Intelligence Program

BSides Charleston · 2014 · 54:31 · 305 views · Published 2014-11
About this talk
McCabe outlines how to build a threat intelligence program using open source tools and public sources to defend against advanced persistent threats. The talk covers practical frameworks for collecting, analyzing, and acting on threat intelligence at both technical and business levels, emphasizing actionable insights and enterprise-wide defense strategies.
Original YouTube description
Developing a Threat Intelligence Program using open source tools and public sources. Learning how to develop a resiliency program to address Advanced Persistent Threats for your business.
Transcript [en]

Yeah, so I flew in yesterday from Minnesota. I left at noon yesterday, I got in at 9:00, and woke up, because I decided it was going to be fun (good idea), around 3:30, 4:00 in the morning. So if I fall asleep up here, I do not suffer from narcolepsy, but maybe today. We're going to talk about open source threat intelligence from a programmatic aspect, and when I say programmatic I don't necessarily mean on the same level of detail that Andrew gave this morning around threat intelligence. I'm looking at it from a business perspective and being able to answer some of the questions that businesses have around why threat intelligence is important.

So a little bit about myself and who I am. I'm originally an Iowa farm boy. I had way too much time on my hands and wound up in this little information security community, which was rather interesting. I am a geek, even though I am a management consultant, which means I'll take your watch and then charge you to tell you what time it is. I am a geek. About 10 years ago I hit the apex of my technical career and I had to make that decision between going technical and staying technical, or going management consulting. I went management. I don't use an e-reader because I'm old and I like to touch books and write notes and stuff. This is a source of contention between my wife and me, because every time we move she has to pack this. I am prior military. I spent 10 years active duty in the Navy. Do we have any other veterans in the room? Ladies and gentlemen, thank you very much for your service. Now, as I'm in information security, I'm also a geek and I'm a science fiction fan. I'm the guy in the white. Can you find me now?

The one thing that I hate doing is, I hate coming to conferences... Normally when I work with folks, I work with auditors and senior executives that like to see, you know, pretty dashboards, and they like to see an alphabet behind your name. I hate going to security conferences and seeing all the certifications, because really I want to know what somebody can actually do, what have they done as a practitioner. So one evening I got bored and started working my Scrabble magic to find out what exactly my certifications actually spelled, and it looks like part of it is off the side. However, if you realign my certifications, I actually come out with "GIC it crimes", which, being in infosec, I thought was pretty cool.

So what we're going to talk about today is information security. How many of you guys have seen this before? Sexy explosions, right? This looks really cool. This is what we put up in our SOC when our executives walk in, to make us look like we're actually being productive, right? So, great, you know, ooh, ah, amazing, and they give us budget and then they go away and leave us alone so we can actually do our job. So this all started actually as a response to somebody who accused me of being a FUD peddler, and we'll get to that in a bit, but what I ended up deciding, when I started developing this and started building this as both a technical and a management program, is I had to answer some basic questions.

So from a business perspective: what if I could get out in front of malware distribution? Anybody ever have to deal with malware? A couple of hands, really? Okay, cool. You know, bulk spamming, nuisance scanners, command and control aspects. Anybody ever deal with that thing called phishing? Well, these are all great, and if we could get out in front of that, we can do some really great things to help our businesses. So quickly, today what we're going to do is go over the genesis of how I built this program and how this presentation came to be, and this is an evolving presentation that's changed a little bit since previous seminars or different conferences. But we'll cover the genesis.

FUD: anybody in here ever been accused of being a FUD? Nobody? What does that mean? Fear, uncertainty and doubt. The sky is falling. You're a narcissistic vulnerability pimp. None of these... I just have words very similar. You know, we tell our executives, we tell our management that this is bad stuff that's happening, we should be prepared. They don't understand it. We have to be able to make that link to them and be able to build that case. The statement that got me started with this was my comment around the Internet of Bad Things. That's a thing now, the Internet of Things. You know, you plug your light bulb in and now you can control it from 3,000 miles away, because that is just cool, right? Like, we have iPads. Then, building a threat intelligence program: what it actually means beyond the bits and bytes, then some of my initial development, and then the business value that this brings to an organization.

So in the beginning we had the Internet, and Al Gore said it was good. Going back over some of my notes from as far back as 2010, some of the things that started coming up, for a security practitioner who is as jaded as I am after doing this for almost 25 years... You know: "Who would attack us? We're in Ohio." Really? Is that a good defense? "Who would attack us? We make clothes." Again, these are things that business leaders, executives and management were telling me, making these statements when I said we need to start protecting our organization. A healthcare provider: "We are too small to be on anybody's radar." What does that even mean? You're on the Internet. "We have nothing that anybody would want." Now, this is an interesting one, because if you're in business and that's your defense, how are you in business? "We don't have a large footprint." This was actually from a payment processor. Anybody in here use credit cards, little plastic things? Do you think criminal organizations would like to have those? Could be.

So that got me asking one very drawn-out question, or making an actual statement: Whiskey Tango. And if anybody's in here in the military, we know what the next one's going to be, but we're going to go right back to the whiskey, because I'm going to need to drink. Then of course one day I got accused of being a FUD peddler. Now I know, as a practitioner, bad things happen on the Internet; they happen in business; they happen in real life. However, I didn't have any of the information available. So I started going back to the initial questions. Did people really believe that Internet-based attacks were not a threat, were they not of concern to them? Again, "who would attack us?" Again, the statement of "we're too small", "not having a large footprint", "why would anybody attack us?" So my perception is that everybody I was talking to was wearing rose-colored glasses, or maybe I needed to find a new career path.

So for me it became very clear what I needed to do. I was going to approach it from a very standard aspect: put Oswald out on the Internet and document what happened to him. Document and basically track what happens from the time a system goes up online till the time it gets compromised. So on a Saturday afternoon, having a little bit of spare time, I threw it up online, but the question remained: who would take the bait? I was only running two services. I was running SSH and I was running an Apache web server. They were not hardened, but they were also not left to default, so a little bit of minor modifications to actually replicate a real server. So 34 minutes after the first server came online is when I saw the first attack. But that's okay, because they're from South Korea and they're our allies, and we can trust that, right? The first web attack came in just a little over a day later, but that's okay, because they're from Texas and it could have been Jason who was trolling me.

But again I had to ask the question, you know, why, after just a very short time, was this system being attacked? Now, I come from the aspect of, you know, the system was put out there but it wasn't, you know, given to Google, it wasn't given to Yahoo, AltaVista (is that even a search engine anymore? No). It was not part of any existing domain infrastructure, so it wasn't tied to anybody that, you know, it could correlate back to. It wasn't a new server that had come online, but most importantly, I just put it up online for that sheer purpose. Plus, after reading some of the logs, I'm almost certain, and I'm not a web app pen tester by trade, but I'm kind of certain that's not normal. Anybody in here do web app pen tests? Somebody? Is that a normal GET? No.

So after about 30 days of just monitoring, and I don't know how well you can see this, the red indicates secure shell attempts and where they came in. I did a little bit of IP-ing; again, I wanted to get an idea of where these attacks were coming from, and how, after just putting the system up online, and this was just a residential IP to start off with. So we have all these things going on, but I live in Columbus, Ohio, and this all could be coincidence, because we have some very large corporations in Columbus. So it could be that, you know, APT1 mistook my residential IP for Nationwide, right? I hear that they're a little bit more skilled. Or that the Soviet crime syndicate thought that maybe I was, you know, Limited Brands, because coincidence happened. Unfortunately, I don't believe that.

But here was the other aspect, and Andrew hit on this this morning when he gave us his information around the honeypots: honeypots are very addictive. He was demonstrating the Kippo aspect. Well, I ended up coming across not only Kippo, which by the way is really fun to sit there on a Saturday night and watch some of the activity that goes on, but I also came across the Dionaea honeypot, which allows you to run pretty much every type of service that you could want to configure. Now, what was really funny is, when I originally did this, I had to make a decision whether or not I was going to tailor it and make it look like a Windows system, or whether I was going to make it look like a Unix system. I got lazy and just left everything on. What's that? They don't even notice? They didn't even notice, yes, because we run SSH services on our Windows platforms, right? Right.

But one of the things that was really unique about both Kippo and Dionaea is it allows you to collect things like malware samples, because they will shoot everything at you. You get to record all the sessions, and you'll be able to see what the attackers are attempting to do with it. Now, keeping in mind that I am a science fiction geek, one of the things that I asked myself is, what could I do with all this information that they were so lovingly giving us? Well, keep what you kill. So from a business aspect I was able to gain intelligence around, you know, where the attacks were originating from, whether they were automated or if there was an actual person behind it. And again, Kippo is great for watching an automated script run, but it's even better when you sit there and you start seeing somebody backspace, because then it's like, oh man, if I was on the terminal I could, you know, start a talk session with them: "Hey, welcome, you're going to be in a presentation soon. Do you want attribution? Can I use you?" I could also start tracking the historical progression of bad: how many times am I seeing this system, how many times is it coming up, what ports is it targeting, is it part of something bigger? But I could also see, you know, what is it that they were trying to do.

Now again, because I am lazy, I have the benefit that I work with my partner, a gentleman by the name of Jake Williams, who is a reverse engineering freak. He loves to reverse engineer stuff, and because I'm lazy I'll be like, hey, here's some code that got through that nothing else caught, let's use this in our attack and pen place so that way we don't have to come up with anything new. And he's like, no, we can't do that. I'll be like, please. But we can also start cataloging malicious software, so that when we're responding to an incident for our organizations we can actually start seeing, have we seen this somewhere else?

So on to the Internet of Bad Things. When the Internet originally started off, it started off as a little underfunded project out of California, very small, easy to control, and this is where we've come to today. Now, three, four years from now, when we get IPv6 and our washing machines and our toasters are launching DDoS attacks, this is going to be a lot bigger. But then once we had this commercial development of the Internet, it didn't take much time to see the criminalization aspect, and we started seeing things like this. You know, we can make money, woohoo! Has anybody ever seen any of these types of emails that have come in, spam email? Do you guys want to know who the game changer was in all of this? Nuni Kumbat Tambo, the Nigerian prince. Now, if you're not aware of the fact, no matter how often I see it, I still see people clicking the link and giving them money. You do not inherit the fortune. I'm totes real.

So let's talk about actually building a threat intelligence program. Now, before we get into it, let me talk a little bit about what it's not. It's not just Google, okay? It's not the Internet. It's not bits and bytes of IP addresses and domains. It's not collecting stuff and not doing anything with it. A lot of our organizations, we tend to be data hoarders, right? We have vast tons of data, but we don't do anything with it. Same thing with threat intelligence: if you're not doing anything with it, it's no good; producing content that yields nothing of value. Now, when I started this off, we saw the presentation of, you know, the Norse threat status of the Internet, the WarGames panel, right? Does that buy your organization, or does that buy you, any specific value other than keeping you amused when you might be slightly intoxicated due to an adult beverage? What's the beverage? Support for the budget? It supports the budget. It's not meant to be a replacement for boots on the ground. Our security practitioners who are out there in the trenches, they still need to be there. Threat intelligence is good. This has been meant to be a business enabler, an operational enabler as well. It is definitely not meant to be a replacement for network monitoring.

So you don't have to be a country and have billions of dollars to be able to have your own threat intelligence program. It helps. It keeps you out of trouble with the wife or the husband if you decide to do this on your own, and we'll get to how I got in trouble later. But what you do need is leadership's commitment and understanding. They need to understand that the threat to them is real, whether it's the intellectual property that is managed and maintained by the organization, whether it's consumer data that they manage. Anybody in here deal with PCI? A couple. Health records? Intellectual property? A couple. These are all things that, depending upon the threat actor, they're going to look at monetizing, because the way an attacker looks at our assets and our systems within our business is totally different than the way our business leaders look at them.

It's a seven-stage process with one very specific goal: to help leadership make an informed decision, and we do that so that we can have a strategic advantage, so that we can take some action. And this life cycle runs all the way through, and it is a life cycle, and it's in a circle for a reason, because it's ongoing. This is not a one-and-done type of program. In fact, are there any vendors in the room, if I piss somebody off? Anybody that sells boxes? Okay. So after a couple of these conferences I've had people who've actually come up and said, hey, this is really great, can I buy the box that this comes on? Threat intelligence programs have to be built specific to your organization. There is no box. In fact, if the vendor comes up to you and says we have a threat intelligence program for you, run, because your business is going to be different than somebody else's. And they'll sit there and say, well, we can sell you a feed of IP addresses and domains. That's not threat intelligence; that's a reputational database, or reputational screening.

So when we talk about the intelligence universe, it's comprised of multiple facets. What we're going to focus on today are those around human, Internet and automated systems. Now, automated, when I'm talking in this context, is going to be specific to the organization's infrastructure, so things that are internal and organic to your organization. So one of the things that we need to make sure of, you know, when we're planning this out, is what is it that we want to accomplish, what do we want to be able to do? Well, ideally we want to be able to make intelligent decisions. Even though sometimes it seems like folks just don't really want to make a good decision, being able to provide them the information will help them make a well-informed decision. Now, if you've ever dealt with the Internet, anybody in here deal with that interweb thing? I hear it's a fad, flash in the pan, maybe. We can get information from all over the place. The key aspect is going to be getting it and pulling it out of those little pockets and islands, and being able to turn it into something that we can consume as an organization and, excuse me, that is usable to us.

So from a collection standpoint, we want to make sure that we have access to it. Well, there are a number of places on the interweb, I'm not counting AOL, that we can pull information from, but some of the things that we have to be cognizant of are things like: is it timely? Are we confident that the information that we're pulling is actually accurate? Is it being generated by an automated feed out of an appliance somewhere, or is somebody actually analyzing it? Does it have the sufficient detail that we need to be able to make decisions on? Is it just a list of IP addresses? Well, if it is, is that enough information? If we just blindly block something, that may have significant impact. That may be beneficial for a financial institution that's regional, that has no business talking to China, but what about an academic institution that's sharing research overseas? Now you've just blocked them and you've become that security guy that just stopped me from doing business. And security, we have that reputation already of, we're the ones who are the business prohibitors, you always tell us no. We don't want to be that. And is it relevant?

So the types of sources that we can get: you can pay for them, there's public, there's free. Free as in beer. Free beer is good. Are we that tired? Free beer is good. But you also have a human aspect to it as well: information exchanges, organizations such as BSides where you're sharing and collaborating on information, the contacts that you make. You may have a network that includes your competitors in business, but being able to share and exchange some information with them: hey, listen, we're an insurance agency, we just saw this type of attack occur against us, you may want to prepare for it. And then your automated side: firewalls, honeypots, IDS, IPS, all the standard technical stuff that we've worked with previously. It's going to come in all types of formats, everything from RSS feeds to rsync to getting that phone call, hey, we just saw this. And when I say that it comes in all types, it comes in all types. I love text. Anybody in here love text? Text is a beautiful thing. So a lot of these are fairly open and able to be easily accessible, so why don't we use these to benefit us?

Do we all have all the resources we need in our security departments? Is this something that we should be concerned about? Again, it all depends. I say yes. Having a threat intelligence program allows you to make intelligent decisions, especially when you start talking specific to criminal and nation-state level threats. But I will tell you: parse it, get the information out that you need, that is applicable to you. Normalize it and get it moving. Validate the information: are you seeing this just from one source? That could be an outlier, or it could be a red herring. Assess it: make sure that it is what you think it is and not just a stray attack. Putting it into categories: is it a phishing campaign, is it a known command and control, is it something else? Being able to say exactly what it's going after, or what it's aligned to, will allow you to help your organization defend its intellectual property, or find out, if you start seeing a specific threat actor that you know is going after cardholder data, that you might want to step your defenses up. If you see a specific threat actor that's known for going after manufacturing materials and you're not in manufacturing, you may not be as concerned. Being able to categorize it will help in the aspect of getting the information out there.

When we produce threat intelligence, one of the key aspects that we have to make sure of is that we can act on it. Who's ever received a vulnerability assessment report that's like 2,500 pages long? Can we do anything with that? I would disagree; we can do something with that. We can check a box, we can make a nice little bonfire, we can make a brooch, we can make a hat. But it has to be actionable. We have to be able to do something. We should also consider the entire enterprise. If you have one office in one location, you may have some challenges here, but if you have an enterprise that spans multiple regions or multiple continents, what you see in one you can easily leverage to protect others within your organization, within the infrastructure. It's got to be flexible to the business needs. Why? Because geopolitical and locational politics change on a rapid basis. Company directions will change. Within something like a pharmaceutical company, they may be very hot about protecting their intellectual property up until when that product releases, right? Because once it goes public, people are going to be able to get it, and then they'll start reverse engineering it and building their own. So you must be able to remain flexible.

Now, when it comes to disseminating threat intelligence information within the organization, really there are only two types of consumers. Uh-oh, I just got the battery low, so pardon me. We have two types of consumers of threat intelligence. You have the actual business, which I'll delve into later on in the presentation, and then the technical side, which is where a lot of us feel more comfortable, right? We like dealing with bits and bytes and not so much with people. Now I feel really bad, because I'm sitting here trying to get my power cord into a Mac. I've been in management too long. There we go.

So from the technical side, what can we do? Well, we can effect changes within our ACLs, make changes to firewalls, update signatures, manipulate our local DNS so that, for information going out, we can actually control whether or not it goes out to a known command and control. We can apply email filters, prevent those spam campaigns from impacting our users. Anybody ever work on a help desk where you get that phone call of, hey, I got this email and I clicked the link, is that bad? Is that a fun call to ever want to get? Because that usually means that your weekend is shot at that point. So threat intelligence allows us to take some preparatory actions; that way we can get out in front of some of these threats. We can preemptively mitigate. Okay, so, great, we have a compromised host in the environment, but now we're able to implement a black hole that prevents them from communicating out, so now we can focus there. We can do enhanced monitoring: if we see an uptick and spikes in different areas, we can address it, or we can start looking for very specific patterns and looking for very specific things. Is that a good thing? If you see the train's light coming at you when you're on the train tracks, is that a good thing? Because it tells us that we're able to get off the train tracks, right? Also, it allows for a very focused response. Now, when we start talking about incident response and forensics, why is that important, having a focused response capability? Anybody? Fuller? Fuller? From a business aspect, if we're able to provide a precision, pinpoint response to something, what have we just done? Saving money. Saving money, thank you. Not Saving Private Ryan; saving money.

So when I started all of this, coming up with the definitions, or the actual program, from the technical side, one of the things I started looking at was, you know, how am I going to do this? I don't want to do this without a budget, or because I told my wife, honey, I'm not going to spend any money this time. As you can tell by the rack at the very beginning, that lasted all of a week. So I started looking out there, and of course, you know, your Linux and BSD distributions. Are we familiar with Linux? Okay, I have to make sure, because normally when I talk to auditors they're like, there's something other than Windows? Robust platform support: I love this, because people ask me, well, what the hell does that actually mean? It means it'll run on old hardware, which I like, because old hardware is cheap. Not only is it cheap, but from a business perspective, how many organizations have closets or old offices that they use to stage the hardware before they get rid of it, if they get rid of it? Again, we like to hoard things. Also, Unix has a lot of these easy-to-use native tools like, you know, awk, sed, Perl, Python, all easy, right? Very easy to automate. There is no shortage of tools that you can throw onto a *nix distribution; it's very highly customizable.

So what I ended up doing with the Dionaea honeypot and the Kippo honeypot when I built this out is I ended up making little VMs, or putting them on very small appliances, and shipping them out or having people download them. So I started reaching out to my network throughout and ended up getting about 15 different systems out. Now, the one you see in Iowa is actually my grandmother, and I had her download this, which, after 20 years of telling her not to click a link, having to tell her to go click the link, I got 15 minutes' worth of my grandmother's "you've been telling me not to click the link for the last..." "I'm your grandson." And her next question, I love this one: "How do I know that?" Wow, I need to go home more. But I had this distributed network where I had 15 different honeypots, geographically dispersed, which caused a new problem. So I had to get all the information back to one central location, which I called the Hive. Anybody know where this is from? Resident Evil. Okay, good, you can all keep your geek card. So when I was dealing with this geographically dispersed area, I needed to come up with some, you know, common naming conventions, give them unique identifiers, create a point where I could actually collect all the information and start massaging it locally, so that I could actually turn it into something actionable. I also used it as a way to manage my honeypots.

So then I got this idea, and this was great, because I don't know how well you can see that, not very well. Threat intel people must like Neo, because didn't Andrew have the same issue this morning? Yeah. So this was great until I had a colleague of mine who leaned over one day and he goes, Ed, this is great. He goes, I know you like text and you're fine at a command line. Most of us are pretty good at a command line; we're not afraid of it. Have you ever tried to sit an executive down behind a dark, shiny, blinky thing? No, it doesn't work. So he's like, okay, so how are you going to fix that? Cool, we'll come up with the dashboard of bad things, because management, we understand this, right? Pie charts, line graphs, and that's bad stuff. So I was able to also pull this in and I was able to segment it. Now, what's important is I was pulling information from various sources, but I was keeping it in the context of the honeypots that I had, so I knew which ones were emulating a Windows platform, which ones were supposed to be emulating a Unix-only platform. So I was able to actually contextualize and contour the information specific to me. So I can take this information and I can sit there and say, okay, this is very specific to this system. And so I've taken the sexy explosions that the Norse gods have given us from the land of ice and snow, and I've actually turned it into something that is relevant to me and my organization.

So ultimately, what the framework consists of: when I started this proof of concept that cost me no money, that required me to go to Jared, after several months of doing this it started being able to produce some very interesting things. So, you know, of course, bad IP addresses and bad URLs, whoa, great, reputational. But I could also start looking at threat actor attribution, and now when I'm saying attribution I don't mean to a specific organization. I'm not talking Ching or APT1. I can sit there and say this is a nation-state level attack, this is a criminal attack. This is very specific, because they would do different things on the system; they'd leave different artifacts behind. Again, one of the benefits of working with my partner is, because he's able to get to that level of detail, we could identify specific things to see what was going on behind the scenes. We could also identify common threat actors. In fact, and I don't have it in this presentation, but we were able to actually identify eight very specific targets that were hitting all of the honeypots at one time, which was the outlier. Out of the several thousand that had been hitting on a regular basis, these eight had been hitting just those honeypots instead of just, you know, hitting one at a time. So now I was able to take action on bad things.

So now this is why I had to go to Jared, because I'm on the sixth generation of this no-cost project of mine, and I really had to go to Jared because I was pulling in about 7 to 920 megs per hour, which, anybody in here watch Netflix? My wife loves Netflix because she can watch, you know, Orange is the New Black and she can catch up on all the other things. Yeah, so I had to explain this to her on more than one occasion, at which point I ended up having to get a second IP, or a second drop, at the house. So now I was able to look at this and say, okay, great, we have two aspects, two dimensions that I can work within. I can work within the strategic aspect, you know, see who was interested in little old me, start developing attack profiles, identify different types of badness, whether they were opportunity scanners, malware, somebody who was just sitting there banging on a keyboard and found my IP address, plan mitigation efforts. But I was also able to take the information gathered from those honeypots, pull that back in, and start doing some things that I could actually take action on. Great, I see it, now I can do something with it. Of course I have to draw maps and dashboards.

So I ran this total from 90 systems. Now, the 90 systems here are comprised of a lot of virtual systems as well as some of my home systems, as well as, as I found out, some of my children's systems. I've got four children, ranging in age from four years old to the soon-to-be 20, who won't get out of my house yet because she's still in college, and I promised her as long as she was in college I would take care of room and board. So over a three-month period I was able to pull all this information together, because one of the things I do is, I'm a logging fiend, and logging everything is good. Well, what I discovered when I started going through was that 28 bad domains had been identified through various sources, independent of my honeypots, independent of the direct systems that I had control over. When I found out, some of them were based upon the fact that they were short URLs, which I had built a rule to say, if it's a short URL, flag it, because I wanted to have the ability to go back in and do some analysis around it. However, when all was said and done, three required additional looking into, and they were rather unique because they were drive-bys and embedded iframes that would take you multiple levels deep into other domains. When it came to IP addresses, I found 446 calls out to something that was questionable, and when I traced it down, my lovely soon-to-be 20-year-old daughter had some really interesting web visiting habits, which then spawned a discussion around the expectation of privacy in the McCabe household and a little bit of education around the fact that packets don't lie and daddy monitors everything.

But back to the original questions. So the who, when and why. Who would attack us? We're in Ohio. Well, what I was able to discover was that if you're on the Internet, you're a target, and now I have quantifiable information that I can sit there and go, yeah, okay, so where's the guy who accused me of FUD? Okay, here's a pointy stick: stab, stab, stab. Not big enough to be on anybody's radar, not a large footprint: there is no such thing. There is no such thing. If you have an IP address with a service listening, or even if it's not listening, it is subject to being probed, scanned, violated and other things. Why would anybody attack us? Again, this goes back to a concept of criminal currency: that the way we view our assets, the way our executive leadership and our managers view them, is totally different than the way that a criminal organization will look at them. They're going to look at it as

far as not what information they may necessarily be able to take off but what information they can sell off or how they can use it to make money whether that's through Bitcoin turning your systems into to slaves to bitcoin to setting up a a web server and hosting uh malicious software spam relays you name it they're going to find a way to make money off of you so ultimately coming back into the the fact of what did I what I accomplished again being able to go through and quantify bad things on the internet that's a that's a shocker to everybody in here and right if you're on the internet you are a Target and the ability that you can

leverage public sources to increase your security posture now from the business side of the house and I I will get all serious here in a second threat intelligence can be leveraged in a business aspect because now you can start a assessing some very specific things who is coming after me why are they coming after me where are they coming from now anybody ever been overseas specifically like to to China okay where's Jason at back what do they have in the airports in the executive lounges that are free for use wi free Wi-Fi as well as what not I heard you kind of do social no they they have free photocopiers so I I tell people you know

when when you're traveling overseas you know if it's free and it sounds too good to be free don't don't use it and I I've briefed a number of Executives on this and one morning I get a phone call from from one of my clients and they're like Ed you were right okay about what oh they had free free copers in the airport lounge what did you copy oh I didn't copy anything what did you copy really serious I didn't what did you copy well it wasn't anything critical it was only our forecast for for next quarter um everything that can collect information is going to be used and leveraged it may not be something that

they act on immediately but they will gather it being able to answer how and uh how they're coming after me and how to be able to protect yourself these are other areas that you can actually look at so we get into the aspect of why why now why is it now that we're only hearing about threat intelligence and why is it the the new buzzword of the industry and I'm waiting for the next gen threat inel anti-ap thing to come out across because I know it's coming well the reason is is because we're we're starting to see more and more sophisticated attacks and they are going after the purpose of making money um or in some cases cases of nation states

they are actually going after gaining a Competitive Edge um we need to be able to learn how to protect ourselves one of the ways we can do that is see the oncoming train these threats are nothing new criminals have been stealing since the dawn of time Nation states have been spying and conducting Espionage since the the beginning of time this is nothing new they will require that we change the way that we operate oh I am running

behind the loss of our brand image that was my timer how much time do I have 5 minutes I should be able to do 10 slides in 5 minutes so the the impact of our our brand image and the loss of Competitive Edge can actually be the cost or cost a lot more than the actual incident itself incidents take time to recover more so the the brain image of the incident do you think Target and Home Depot are having really good time right now Goodwill JP Morgan Chase you know that's going to take a lot of time also the the Hol Hol Hollywood romanticized hacker doesn't exist anymore in that this isn't who's breaking into our

systems and pilfering our data and when I was talking earlier about the criminal currency if have you guys seen this before Brian Krebs put this out he let me use this th this is the value of a hacked PC to a criminal and we see multiple Dimensions across the board on why a criminal would want to have your asset you may be you may think that your assets are worthless to anybody except for your organization because you're unique a criminal is going to look at it and try and figure out a way to make money off of it so they may turn around and turn it into a kitty porn website how would you like to come in on a

Monday morning and find out that the Secret Service is they're hauling off components of your data center because the IP address is in your DC might be a bad day right stealing Corporate email information that would never happen right our good friends at Adobe made sure that that wasn't going to be a problem anybody got hit with crypto Locker so ransomware can we make money off of that can a criminal organization make money off of that I can guarantee you they have Financial theft breaking into an ATM who brought the ATM this morning to to hack into that I've got to get I love that bring an ATM in you brought it in no oh okay I

think is he still out there with it break into an ATM how often do you get to do something like that that is cool sorry I get giddy on the technical side you know turning systems into to coin miners you know these are things that or that criminal syndicates are looking at doing nation state and threat actors of the the aspect of of reputational hijacking and taking over in organizations of brand who who remembers the the tweet that went out that said two explosions at the White House Obama injured do you know what happened immediately after that with the Dow Jones how many billions of dollars were lost just from a tweet this has gone from being cyber to being

no kidding real world impacting in the in the real world credentials botn Nets got to love them again criminals will find a way to make money off of your assets and it probably isn't going to be the way you think quick overview of of a standard uh attack cycle from the definition of a Target to researching of the Target that is outside of our organization's control the remaining eight areas we actually have control over we can either change or continue to play the victim I love hearing every time we hear a new breach what's the first thing that the the organization says AP right it was an AP attack Home Depot was actually kind of unique cuz

they they've gone through the trifecta first it was an AP attack which I I was like really okay then it was a third party vendor does anybody know what their latest clame of why they were breached Microsoft Windows I was like really serious that's okay so with threat intelligence we're able to to disrupt the attack chain we can get out there and start looking to to see if information if people are actually starting to look from us from known Scanners from opportunistic scanners we might be able to to do that from a delivery aspect we can correlate whether or not we're receiving emails from known fishing campaigns known syndicates has something malicious showed up on our Network that we can doc

that we have documented or that somebody else has seen maybe do you think if the financial institutions had been sharing information around Zeus that it wouldn't have been as impact as they were maybe are we beaconing out to somebody else now when we build this for the business first thing we've got to do is be able to Define that value we've got to gain the executive Buy in and have them understand a lot of times when we go to to management and our leadership and say we need budget we need to spend this we don't often justify or quantify for them the necessity 80% of my time is is normally tied up and associated with

educating leadership and management on why this is important to them this is what they can lose are they okay with that are they okay going back to their board of directors and saying we decided not to protect it because it's not PCI Data or it's not protected data or it's not regulated data again becoming a business enabler how am I doing on time am I over one minute okay seven slides in one minute three of those are going to be informational only becoming the business enabler taking the information we have to help the organization be able to make decisions being able to dis disrupt the adversary protecting our business now we do that by enhancing

those operations that we're already doing increasing situational awareness of the organization who's coming after us why are they coming after us what is it that we have can we protect that a little bit better ultimately this all comes down to and B boils down to when we start looking at maximizing defensive capabilities focused response prioritizing limited resources where's the Big Value ad for the business on all of

this can anybody tell me it's already been said once before Bottom Dollar Bottom Dollar you're going to be like my a student so again providing all of this in in a context that the organization can understand as well as being able to understand that context J King now when I say that what I'm talking about is you have to know your environment how many of you maintain asset inventories a couple can you protect what you don't know about kind

of fair fair enough I I'll give you that normally we want to know what we have on our environment because that's what we can protect if we don't know about it we can't protect it it's going to be that old NT system that's sitting out there still on the internet running IIs that's going to be the the attack vector and we have no visibility into that threat intelligence also plays into your vulnerability and your configuration management aspects if you can Harden systems to protect against specific attack threat actors then you can reduce your threat surface and your threat profile also knowing your your customers and and folks who were actually rely on your network real quick common challenges to

threat intelligence programs the number one being capitalism we're Our Own Worst Enemy and of course our funfilled friends in general and legal counsil right because they're always saying yes let's share all this information we also don't want to be perceived as being weak you know oh okay we got attacked Well everybody's getting attacked um the the criminal underground the criminal syndicates are sharing information with each other and we're having a very difficult time sharing information with our fellow professionals again lack of support of the infrastructure we have to be able to have something so you might need a little bit of a budget um but you don't need multi-billion dollars and you don't need to build a data center out in Utah um to

Do It ultimately it's going to come down to having the support and commitment of the leadership and with that here's my contact information should you have any

questions besides Charleston thank you very much [Applause] than [Applause]