Jaime Blasco of AlienVault with Kyle Smith, OWASP Austin Chapter President
Jaime spoke at the Austin OWASP chapter meeting on 5/27. He is a security researcher with broad experience in network security and malware analysis. The last OWASP meeting Jaime presented at was in Barcelona sixyears ago, when he was doing penetration testing.
The slide deck Jaime presented is here.
Jaime mentioned some open source tools. They are here. He also mentioned and demo'd a specific crowd-sourced threat intelligence system, Open Threat Exchange (OTX) - you can learn more or join it here
Some interesting points that came up:
- The main difference between an attacker and a defender is that the attacker only has to be successful once, whereas the defender can't make mistakes. Attackers are also quite willing to be persistent until they hit a vulnerability.
- Threat intelligence is defined as information about malicious actors. Examples are IP addresses, domain names, URLs, file hashes of malware, technology/tools/procedures of attackers (TTP), victim industry and countries. It's hard to distinguish between attackers and sys admins because they use a lot of the same tools
- Threat intelligence is useful for: detecting when prevention technology fails, performing red team activiites, improving incident response and triage, and deciding which vulnerabilities you should fix first.
- Most real threat intelligence sharing now is unstructured and human-human. There are some closed industry groups, like finance, that have more structured threat sharing.
- There are some standards emerging. Collective Intelligence Framework is a significant one, combining public and private feed. including OTX.
- It is possible to "trick" threat intelligence systems by reporting false malicious activity. It's important to not only have detection algorithms to prevent this, but to also have human analysts reviewing the threat intelligence on a regular basis. AlienVault does this with OTX.