Quality Over Quantity: Determining Your CTI Detection Efficacy, presented at the FIRST Cyber Threat Intelligence Symposium 2019

by David J. Bianco

Summary: You've collected a lot of IOCs, but is your Cyber Threat Intelligence (CTI) process serving you well? Quantity alone doesn't tell the whole story. What kinds of intel are you collecting, and how useful is it for identifying incidents? What are your strongest areas, and where are your gaps? Do you know enough about your priority threats to feel confident in your detection stance against them? These are hard questions to answer, and there is little existing guidance for answering them.

Taking a case study approach, this session will teach attendees how to use models such as the MITRE ATT&CK framework and the Pyramid of Pain to analyze and visualize the quality of their collected CTI information, not just its quantity.

Attendees will learn:
- How to load, normalize, and merge IOC data from disparate sources in your environment to make it ready for analysis
- How to enrich the data with information from the Pyramid of Pain and the ATT&CK framework
- How to visualize your collected threat intel to validate your collection strategy, to identify CTI strengths, and to prioritize closing collection gaps
- Why you should do these things on a regular basis
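The load/normalize/merge/enrich/visualize pipeline outlined above, as an added example that is not the talk's own code: two constructed feeds in different formats are merged, each indicator is tagged with its Pyramid of Pain tier (hash, IP, domain, artifact, tool, TTP, from easiest to hardest for an adversary to change), and a per-tier count shows whether the collection is bottom-heavy. The feed formats, the type labels in TYPE_TO_TIER and the sample indicators are hypothetical.

```python
import csv
import io
import json
from collections import Counter

# Pyramid of Pain tiers, bottom (trivial for an adversary to change) to apex (hardest).
PYRAMID = ["hash", "ip", "domain", "artifact", "tool", "ttp"]
# Hypothetical feed type labels mapped onto Pyramid tiers; extend for your own sources.
TYPE_TO_TIER = {
    "md5": "hash", "sha1": "hash", "sha256": "hash", "ipv4": "ip", "ipv4-addr": "ip",
    "fqdn": "domain", "domain-name": "domain", "mutex": "artifact", "user-agent": "artifact",
    "registry-key": "artifact", "tool": "tool", "malware-family": "tool", "attack-pattern": "ttp",
}

def normalize(value):
    """Lowercase, trim and refang so the same indicator from two feeds collapses."""
    return value.strip().lower().replace("[.]", ".").replace("hxxp", "http")

def load_csv(text):
    return [(r["type"], r["value"]) for r in csv.DictReader(io.StringIO(text))]
def load_json(text):
    return [(o["type"], o["value"]) for o in json.loads(text)]

def merge(*feeds):
    """Deduplicated {(tier, value)} plus a Counter of type labels that got no tier."""
    iocs, unmapped = set(), Counter()
    for feed in feeds:
        for ioc_type, value in feed:
            tier = TYPE_TO_TIER.get(ioc_type.lower())
            if tier is None:
                unmapped[ioc_type] += 1  # surface feed types the mapping does not cover
            else:
                iocs.add((tier, normalize(value)))
    return iocs, unmapped

def tier_counts(iocs):
    """Count per tier in pyramid order; explicit zeros expose collection gaps."""
    c = Counter(tier for tier, _ in iocs)
    return {tier: c.get(tier, 0) for tier in PYRAMID}

def pyramid_chart(counts):
    """Text bars, apex first, so a bottom-heavy (hash/IP-only) collection is obvious."""
    return [f"{tier:>8} | {'#' * n} {n}" for tier, n in reversed(list(counts.items()))]

# Constructed sample feeds: two formats, overlapping indicators, one unmapped type.
CSV_FEED = ("type,value\nsha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855\n"
            "ipv4,203.0.113.10\nfqdn,evil[.]example\ntool,example-rat\n")
JSON_FEED = json.dumps([
    {"type": "md5", "value": "d41d8cd98f00b204e9800998ecf8427e"}, {"type": "ipv4-addr", "value": "203.0.113.10"},
    {"type": "domain-name", "value": "EVIL.example"}, {"type": "mutex", "value": "Global\\constructed-mutex"},
    {"type": "attack-pattern", "value": "T1003"}, {"type": "yara", "value": "constructed_rule"},
])
```

Run `merge(load_csv(CSV_FEED), load_json(JSON_FEED))` and pass the result to `tier_counts` and `pyramid_chart`; the duplicate IP and the differently defanged domain collapse to one entry each, and the unmapped "yara" label is reported so the tier mapping can be extended.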