Scaling Threat Intelligence Practices with Automation (presented at FIRST 2014)

by Douglas Wilson

Summary: Although "threat intelligence" is one of the latest industry buzzwords, a properly executed threat intelligence program is a key tool in empowering network defenders and leveling the playing field against modern threat actors.
Most organizations are currently focused on building the individual puzzle pieces of an intelligence program, but without a clear view of how to put them together once built. Taking into account how the pieces will fit and interact with each other as you build them, rather than after the fact, allows for a smoother assembly and ultimately yields a whole that is greater than the sum of its parts.
Building on last year's FIRST presentation, where Mr. Wilson focused specifically on threat intelligence sharing, Mr. Wilson will discuss the challenges that Mandiant has faced with scaling a threat intelligence practice as a whole. Using standard methods of recording and communicating threat indicators (such as the open source OpenIOC standard) is but one piece of the puzzle -- automation needs to be spread across all viable tasks in the intelligence life cycle. To deal with the volume of data produced by modern malware and the resources available to modern threat actors, an enterprise needs to learn not only threat intelligence but also how to scale it.
This presentation will walk through what an organization needs to do to adopt a generic intelligence life cycle, and will then talk about how Mandiant has implemented specific customizations in process and automation to fill needs as the volume of intelligence sources has exploded. These may not be the same for all enterprises, but lessons learned from these examples could be used to customize an intelligence life cycle for your enterprise's specific needs.
This presentation will also explore the all-important idea of context, and how to preserve it in your intelligence life cycle. Detection can occur at various points in the attacker life cycle. In most cases, once detection happens, network defenders are left to ask "now what do we do?" A mature threat intelligence system not only gives the context of the detection, but then links to other intelligence documents that suggest further investigation and courses of action, allowing the knowledge of subject matter experts to empower defenders throughout an enterprise, and even defenders in partner organizations with which threat intelligence is shared.
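The two threads above (automating indicator evaluation with a standard format such as OpenIOC, and preserving context so a hit comes back with its description and related documents) can be shown in a small evaluator. The following is an added example, not code from the talk or from Mandiant: it assumes the OpenIOC 1.0 element layout (ioc, description, links, definition, nested Indicator/IndicatorItem with a Context search path and a Content value), uses a constructed IOC with placeholder values, and simplifies a host to a flat dictionary of observed values keyed by search path.

```python
import xml.etree.ElementTree as ET

# Constructed OpenIOC 1.0 document; hash, names and URL are placeholders, not real indicators.
SAMPLE_IOC = """<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="ioc-example-0001" last-modified="2014-06-01T00:00:00">
  <short_description>Example dropper (constructed)</short_description>
  <description>Hypothetical dropper family; the linked report carries the triage steps.</description>
  <links><link rel="report">https://intel.example.invalid/reports/EXAMPLE-0001</link></links>
  <definition>
    <Indicator operator="OR" id="top">
      <IndicatorItem id="i1" condition="is"><Context document="FileItem" search="FileItem/Md5sum" type="mir"/><Content type="md5">00000000000000000000000000000001</Content></IndicatorItem>
      <Indicator operator="AND" id="sub">
        <IndicatorItem id="i2" condition="is"><Context document="ProcessItem" search="ProcessItem/name" type="mir"/><Content type="string">svchost.exe</Content></IndicatorItem>
        <IndicatorItem id="i3" condition="contains"><Context document="ProcessItem" search="ProcessItem/path" type="mir"/><Content type="string">\\Users\\</Content></IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

NS = {"ioc": "http://schemas.mandiant.com/2010/ioc"}


def _item_matches(item, obs):
    """Evaluate one IndicatorItem against a flat observation dict keyed by Context search path."""
    search = item.find("ioc:Context", NS).get("search")
    value = item.find("ioc:Content", NS).text or ""
    seen = obs.get(search, "")
    ops = {"is": seen == value, "contains": value in seen}
    return ops[item.get("condition")]  # KeyError flags a condition this evaluator does not support


def _indicator_matches(node, obs):
    """Recursively evaluate an Indicator's AND/OR tree of items and sub-indicators."""
    results = []
    for child in node:
        tag = child.tag.split("}")[-1]  # strip the namespace from the element name
        if tag == "IndicatorItem":
            results.append(_item_matches(child, obs))
        elif tag == "Indicator":
            results.append(_indicator_matches(child, obs))
    return all(results) if node.get("operator") == "AND" else any(results)


def evaluate_ioc(ioc_xml, obs):
    """Return None on no match; otherwise the hit together with its preserved context."""
    root = ET.fromstring(ioc_xml)
    top = root.find("ioc:definition/ioc:Indicator", NS)
    if not _indicator_matches(top, obs):
        return None
    return {
        "ioc_id": root.get("id"),
        "short_description": root.findtext("ioc:short_description", namespaces=NS),
        "description": root.findtext("ioc:description", namespaces=NS),
        "links": [(l.get("rel"), l.text) for l in root.findall("ioc:links/ioc:link", NS)],
    }
```

The point of returning the description and links alongside the hit is that an analyst receiving the alert is handed the "now what?" material at the same time as the detection.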
Attendees should leave with an overview of what is required to establish a viable threat intelligence life cycle, some of the challenges in scaling threat intelligence to the volume of information available in the modern threat environment, and paths to solutions that have worked for an industry-leading incident response company.