Friday, March 22, 2013

SANS Cyber Threat Intelligence Summit 2013

     I recently attended the first SANS CTI Summit in Washington DC. While there was plenty of brain power in the room, and good discussions were to be had, overall it was just ok. There was a big focus on what CTI is and why you should be doing it, or at least consuming it. There wasn't enough discussion, aside from one talk, on how you should be doing it. It basically reinforced my belief that this is still very much a small, closed-off club of insiders, where nobody is sharing tradecraft. I love that SANS is getting involved in this space though, and it sounds like Mike Cloppert will be writing a SANS course on Threat Intelligence in the future. I would very much be interested in that, and I expect it would sell out quickly.

     Mike Cloppert opened the day by contrasting the old vulnerability-centric approach, focused on reducing attack surface, with the new threat-centric model, focused on reducing the risk from the actual threats affecting your company. The key focus of CTI is people, not computers. The problem is too complex for technology to solve and requires human analysis; computers are only tools. The goal of the summit was to educate people on the basic principles of CTI and what its components are. Based on that, I believe they achieved their objectives.

     Greg Rattray led off with his keynote: "Evolution of Cyber Threats and Cyber Threat Intelligence". He wrote Strategic Warfare in Cyberspace 12 years ago and it's still relevant today. He referenced a 1991 study that concluded it is impossible to defend a system from an advanced and motivated adversary. Even back then, they knew problems would arise. He reiterated that it's not a technology problem, but an adversary problem. Throughout history, espionage has been a constant. Pre-Internet, everything ran over the Public Switched Telephone Network (PSTN), and Signals Intelligence (SIGINT) and Counter-SIGINT was the dominant battlefield. The NSA Orange Book helped lay the foundation for secure computing. In the 1990s, there was more speculation on the national security impact of Computer Network Operations (CNO) and Information Warfare (IW). The use of IW in the 1st Gulf War set the standard other countries are trying to emulate. At the time it was predicted that in 10-12 years nation-state cyber attacks would emerge. That turned out to be fairly accurate. Journalists have also done a fantastic job of attributing the attacks, whereas the victims typically focus on cleanup. Solar Sunrise was a notable hacking event in 1998 involving a US-based, Israeli-led hacking group of teenagers infiltrating many government agencies and EDUs. Moonlight Maze was another newsworthy incident, never confirmed, but believed to be Russian in origin. With the EP-3 collision there was also new focus on patriotic non-government hacking. JTF-CND was one of the first network defense groups that started to do predictive analysis. A dark period in cyber occurred after 9/11, when there was a major shift in focus to counter-terrorism and supporting CENTCOM. Cyber took a backseat for a long time. A new area of concern was raised when a Chinese company (China Netcom) tried to buy Global Crossing, which threatened the telecommunications infrastructure and supply chain. Many of the threat assessments of the time were skewed because they focused only on the top-tier cyber personnel and not the overall programs. This led to the Intelligence Community (IC) not believing China (CN) was as advanced as it actually was. Eventually we had the rise of APT, improved attribution capability, and a new focus on ICS/SCADA. Today we are in an era of rising fear. To be clear, espionage is not an attack or cyber war. However, threats like Stuxnet, Shamoon, and Flame have caused major disruptions. The cyber neighborhood is getting rough, especially for banking and critical infrastructure. DDoS attacks, while previously written off, are becoming more agile on the attacker's side and are wasting CIRT resources. He stressed that we need to be careful how we categorize risk and be methodical. Information sharing is improving and we are on the right path. He is a strong advocate for commercial services and doesn't necessarily believe government is the solution. He advises attacking the various stages of the kill chain to disrupt the adversary, even if you can't do all of them. What's missing today is that cyber teams don't talk to the business operations teams about operational risk. We need full-spectrum geeks who are analytical, but still know the business environment and strategic impact. He suggests that we avoid the militarization of cyberspace, as this will just escalate our problems. He recommended a book called Eating Soup with a Knife. He believes that signal (RF) jamming, while mostly applied to aircraft and boats today, will be applied in cyber conflicts. He also advises leveraging a global outlook, and not clouding your judgement with US-centric viewpoints. In conclusion, he said that to stay competitive we must continue to learn and collaborate. In the follow-up Q&A, it was stated that the media is perpetuating misconceptions by calling espionage cyberwar or cyberattack. The topic of government purchase of exploits came up. Greg believes in the law of supply and demand, and that if the demand goes down, so will the supply.

     Rick Holland presented "If it Bleeds, We Can Kill It: Leveraging CTI to take the fight to the adversary". He used a Predator theme, which was awesome. He led off by stating that tools and big data are not your savior. He defined CTI as information about external threat actors and active external threats. He referenced the Order of Battle and learning what an adversary looks like. When looking at intel providers, ask them what makes their service unique. Do they have the same indicators that everyone has? In the Intelligence Cycle, it's critical to achieve dissemination and get the information to the stakeholders. Otherwise all that work is for naught. Always leverage Alternate Analysis: question your judgement and assumptions and apply a high level of rigor to your analysis. Vendors typically don't do this. He recommended the Clancy book Threat Vector. He also referenced Active Defense Harbinger Edition (ADHD), an active defense toolkit promoted by PaulDotCom. Always focus first on what assets need to be protected. Give IR teams the autonomy to make critical decisions. It takes a long time for an in-house intel team to mature, so you must get and maintain your executive buy-in. He made a great point that as you thwart the adversary, the adversary adapts. Whereas Dutch (Schwarzenegger) in Predator used mud to hide from the Predator, the next-generation Predator could detect that and the game changed. Intel sources can be internal, government (DHS, FBI, etc.), industry (partners, ISACs, vertical orgs), and providers (iSight, LookingGlass, iDefense, RSA, Seculert). He mentioned that OpenIOC is being picked up by FireEye and Palo Alto. Also a mention of MITRE CybOX and STIX. In conclusion, CTI is a marathon, not a sprint. I couldn't agree more. We need to end the shiny object syndrome in general.

     There was a panel on Best Practices in CTI including Rich Barger, Shane Huntley, Chris Sperry, Aaron Wade, and Mike Cloppert. The opening remark was that intel needs to have a customer. You need to know who you support and why. Follow the basic model: Collect -> Analyze -> Disseminate. Present data that can be used to make decisions, not screenshots of IDA Pro (analyst pr0n). Organizations are their own best source of intel. You need to extract all the intel from your own attacks, create threat profiles, and set intel priorities. However, know your limits. How usable is the intel? Consider the volume, because you have to be able to process and store it. The pivot analysis approach: move across data sets and leverage business knowledge. Capture how the adversary behaves in each stage of the campaign. Threat researchers need to understand which attacks are likely based on real intel-driven data, not some esoteric theoretical attack. Aurora forced Google to make a major move away from Windows to other platforms. Now that has come full circle and Mac threats have increased. Success is measured in blocks and thwarted attacks. You have to limit CTI efforts to the crown jewels; you can't cover everything. You always want first-order data, in order to verify analysis. My favorite quote was by Aaron Wade: "Intelligence without context is just data". You need to go back and ask for more information and not trust by default. OSINT can be good, but an internal investment in a threat intelligence team is still ideal. Any hop point monitoring should be done within the law. You should also coordinate with other organizations hitting the same hop point. There was a repeated theme of a big boys' club: develop sharing agreements with organizations that are mature. A major lesson learned is NOT to rush to attribution based on a single source. It is extremely hard to recover from bad intel reports. It's important to assign confidence ratings to analysis to maintain credibility. You should be familiar with the Intelligence Gain/Loss Equation. How risk-tolerant is your organization? Can they wait and see to derive more intel, or do they adhere to the knee-jerk approach?

     Mike Gordon presented "Building and Operating a Cyber Threat Intelligence Team". This was a very polished, well-delivered presentation and it felt like one he had given to his leadership. I think it's clear LM-CIRT is the team everyone wants to emulate. LM sees 1.75 billion sensor events/day, 30 million emails/week, and 1.2 million blocked web requests, holds 1 month of full pcap, and operates 572 facilities in 63 countries. Their team is broken into 4 units: Investigations (Forensics, eDiscovery), Intrusions (APT, Intel Fusion), CyberCrime (Insider Threat, Commodity Attacks), and Engineering (IT Support). Their model includes Corporate Culture, User Education (Awareness, Training, Security Testing, Metrics, Analysis), Defendable Networks (reduce gateways, infrastructure hardening, threat-driven program), and Tradecraft (Intel, Incident Response). They mock-phish all 120K of their users, including the CEO. The 1st fail results in training and retesting. The 2nd fail results in a call with their management. The 3rd fail results in some form of HR discipline. I thought that was incredible and indicative of the executive support they have. At some point in their history, they concluded that vendor-driven response wasn't good enough. Commercial offerings could not keep up with the pace of threats. They embraced creating their own custom tools. He coined the term "memorializing indicators": keep the indicators, along with their context and associated metadata, so you don't forget about them. Track your attacks over time and the patterns can reveal a campaign. Intrusions expose behaviors, behaviors suggest linkages, linkages reveal patterns, patterns inform actions, actions determine success. You can measure your success based on how much was stopped due to internal vs. external intel. To track workload, keep count of the number of intel reports that are processed per month. Three models presented were: Tsunami Warning (info sharing, intel consumption, group detection), Farmer's Almanac (campaign tracking, trending, forecasting), and Actual Early Warning (LE & IC have actual knowledge of a pending attack). I wish I had taken some pictures of his slides as they were chock full of good concepts and metrics. Hopefully they are shared out at some point.
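The memorializing, campaign-tracking and internal-vs-external ideas above (and the panel's point about attaching confidence ratings) map onto code fairly directly. What follows is an added example and not LM-CIRT's tooling or anything shown at the summit: a small Python indicator store that keeps each indicator with its first-seen date, originating source, kill-chain phase and analyst confidence, links intrusions that share an indicator into campaigns, and tallies blocks by whether the indicator that fired came from internal or external intel. The intrusion IDs, domains, IPs and the provider name "VendorX" are constructed sample data.

```python
"""Added example (not LM-CIRT code): memorialize indicators with context,
link intrusions that share indicators into campaigns, and score blocks by
whether internal or external intel fired."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Indicator:
    kind: str    # "domain", "ip", "md5", "sender", ...
    value: str


@dataclass
class Record:
    """Everything worth keeping about an indicator, so it is never a bare string."""
    indicator: Indicator
    first_seen: str      # ISO date of the first sighting
    first_source: str    # who told us first: "internal" or a provider name
    phase: str           # kill-chain phase it was observed in
    confidence: str      # analyst confidence rating
    sources: set = field(default_factory=set)
    intrusions: set = field(default_factory=set)


class IntelStore:
    def __init__(self):
        self.records = {}                      # Indicator -> Record
        self.intrusions = defaultdict(set)     # intrusion id -> {Indicator}

    def memorialize(self, intrusion, indicator, seen, source, phase, confidence):
        rec = self.records.get(indicator)
        if rec is None:
            rec = Record(indicator, seen, source, phase, confidence)
            self.records[indicator] = rec
        elif seen < rec.first_seen:
            # An older sighting turned up later: credit the earlier source.
            rec.first_seen, rec.first_source = seen, source
        rec.sources.add(source)
        rec.intrusions.add(intrusion)
        self.intrusions[intrusion].add(indicator)
        return rec

    def campaigns(self):
        """Group intrusions that share at least one indicator: connected
        components over the intrusion/indicator graph, via union-find."""
        parent = {i: i for i in self.intrusions}

        def find(x):
            while parent[x] != x:
                parent[x] = parent[parent[x]]
                x = parent[x]
            return x

        for rec in self.records.values():
            ids = sorted(rec.intrusions)
            for other in ids[1:]:
                ra, rb = find(ids[0]), find(other)
                if ra != rb:
                    parent[rb] = ra
        groups = defaultdict(list)
        for i in sorted(self.intrusions):
            groups[find(i)].append(i)
        return sorted(groups.values())

    def blocks_by_origin(self, blocks):
        """blocks: Indicators that tripped a block. Credit each block to the
        source that first gave us the indicator, as the internal/external metric."""
        tally = defaultdict(int)
        for ind in blocks:
            rec = self.records.get(ind)
            if rec is None:
                tally["unknown"] += 1
            elif rec.first_source == "internal":
                tally["internal"] += 1
            else:
                tally["external"] += 1
        return dict(tally)


# Constructed sample data, not real intrusions or indicators.
C2 = Indicator("domain", "update.example-c2.invalid")


def build_sample_store():
    s = IntelStore()
    s.memorialize("INT-001", Indicator("sender", "hr@careers.example-phish.invalid"),
                  "2013-01-10", "internal", "delivery", "high")
    s.memorialize("INT-001", C2, "2013-01-10", "internal", "c2", "high")
    s.memorialize("INT-002", C2, "2013-02-03", "VendorX", "c2", "medium")
    s.memorialize("INT-002", Indicator("ip", "203.0.113.7"),
                  "2013-02-03", "VendorX", "c2", "medium")
    s.memorialize("INT-003", Indicator("ip", "198.51.100.9"),
                  "2013-02-20", "internal", "exploitation", "low")
    return s


SAMPLE_BLOCKS = [C2, Indicator("ip", "203.0.113.7"),
                 Indicator("ip", "198.51.100.9"), Indicator("ip", "192.0.2.1")]

if __name__ == "__main__":
    store = build_sample_store()
    print(store.campaigns())
    print(store.blocks_by_origin(SAMPLE_BLOCKS))
```

The shared C2 domain is what ties INT-001 and INT-002 into one campaign; because the internal team saw it first, a block on that domain is credited to internal intel even though a provider later reported it too, which is the distinction Gordon's metric depends on.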

     My favorite talk of the day was, hands down, Reid Gilman's "Creating Threat Intelligence: Tools to Manage and Leverage Active Threat Intelligence". MITRE is a non-profit dedicated to federal research, and Reid works in MITRE's Cyber Threat Analysis Cell. Some of his keys to success are:
1 - CTI Program - multi-sourced, disciplined warning process, know your enemy in your sector
2 - Strong malware analysis program
3 - DevOps - a staff of solid programmers to create custom tools
4 - Incident Response baked into the defensive posture, aka Assumption of Breach
5 - Workforce culture of security awareness

CRITs (Collaborative Research Into Threats) - track adversary artifacts over time. The demo was very impressive due to its feature set. This tool looks more user-friendly than many others I have seen (it is backed by MongoDB).

ChopShop - understand how adversaries use tools. The demo included live decoding of a gh0st C2 channel. ChopShop has standard libraries for things like timestamp extraction and XOR decoding of pcaps.
He mentioned that it's important not to confuse operator actions with automated actions.
TTPs: Targeting, Tools, Infrastructure, Kill Chain
Campaign: Intrusion Attempts + TTPs over time
(github - mitre-chopshop)
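As an added example (not ChopShop's code and not from the talk), here is what a minimal gh0st decoder of the kind demoed above has to cope with: a TCP stream that arrives in arbitrary chunks, junk before the first frame, and a frame that is cut off at the end of the capture. The gh0st framing assumed here (5-byte "Gh0st" magic, little-endian total length including the 13-byte header, little-endian decompressed length, zlib-compressed body) follows public write-ups of the RAT and is an assumption of this example, not something the talk stated. The beacon payloads are constructed, and the repeating-key XOR helper stands in for the XOR decoding library mentioned above.

```python
"""Added example, not ChopShop code: reassemble gh0st C2 frames from a TCP
byte stream fed in arbitrary chunks, plus a repeating-key XOR helper. The
framing (magic, LE total length incl. header, LE plaintext length, zlib body)
is taken from public write-ups of gh0st and is an assumption of this example."""
import struct
import zlib

MAGIC = b"Gh0st"
HEADER_LEN = len(MAGIC) + 8   # magic + two little-endian uint32


def encode_frame(payload: bytes) -> bytes:
    """Build one frame; used here only to construct sample traffic."""
    body = zlib.compress(payload)
    return MAGIC + struct.pack("<II", HEADER_LEN + len(body), len(payload)) + body


class Gh0stStreamDecoder:
    """Feed TCP payload bytes in any chunking. Complete frames are decompressed
    into .frames; bytes that do not parse are skipped and counted in .errors."""

    def __init__(self):
        self.buf = bytearray()
        self.frames = []
        self.errors = 0

    def pending(self) -> int:
        """Bytes held back because they do not yet form a complete frame."""
        return len(self.buf)

    def feed(self, data: bytes) -> None:
        self.buf += data
        while len(self.buf) >= HEADER_LEN:
            if not self.buf.startswith(MAGIC):
                # Lost sync: skip ahead to the next magic. Keep a short tail in
                # case the magic itself straddles a chunk boundary.
                self.errors += 1
                idx = self.buf.find(MAGIC, 1)
                if idx < 0:
                    del self.buf[: -(len(MAGIC) - 1)]
                    return
                del self.buf[:idx]
                continue
            total_len, plain_len = struct.unpack_from("<II", self.buf, len(MAGIC))
            if total_len < HEADER_LEN:
                self.errors += 1          # length field cannot be right
                del self.buf[: len(MAGIC)]
                continue
            if len(self.buf) < total_len:
                return                    # wait for the rest of this frame
            body = bytes(self.buf[HEADER_LEN:total_len])
            del self.buf[:total_len]
            try:
                plain = zlib.decompress(body)
            except zlib.error:
                self.errors += 1
                continue
            if len(plain) != plain_len:
                self.errors += 1          # header lies about the plaintext size
                continue
            self.frames.append(plain)


def xor_decode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; decoding and encoding are the same operation."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


# Constructed sample traffic (not a real capture): 4 junk bytes, two complete
# frames, then the first 20 bytes of a third frame that is never finished.
SAMPLE_PAYLOADS = [b"\x01host=WIN-TEST os=5.1", b"\x02cmd=dir C:\\Users"]
SAMPLE_STREAM = (b"\x00\x00\x00\x00"
                 + b"".join(encode_frame(p) for p in SAMPLE_PAYLOADS)
                 + encode_frame(b"\x03unfinished")[:20])


def decode_stream(stream: bytes, chunk: int = 7):
    """Hand the stream over in chunk-byte pieces, as a reassembly engine would,
    and return (frames, errors, pending_bytes)."""
    dec = Gh0stStreamDecoder()
    for off in range(0, len(stream), chunk):
        dec.feed(stream[off:off + chunk])
    return dec.frames, dec.errors, dec.pending()


if __name__ == "__main__":
    frames, errors, pending = decode_stream(SAMPLE_STREAM)
    for f in frames:
        print(f)
    print("errors:", errors, "pending bytes:", pending)
```

The resync and truncation handling is the part that matters on real captures: a decoder that only works when every segment starts on a frame boundary will silently miss most of a session.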

     Next was the panel "Delivering Actionable CTI as a Solution" with Bejtlich, Destefano, Meyers, and Ramsey. Overall this was kind of a slow point in the day, as there wasn't as much energy or enthusiasm. Adam Meyers discussed analyzing and categorizing the human element of malware, such as coding techniques and use of language. It was mentioned that you should measure the value of sources by how much they reduce your time to detect. John Ramsey had some axioms: "keeping them out is cheaper than getting them out" and "running a cybersecurity group without threat intelligence is like running a business without an income statement". Both of those hit home with me. And Richard Bejtlich had the best joke of the summit by offering to outsource intelligence to Mercyhurst Institute (see the Jeff Carr debacle).

Most of the SANS 360 talks weren't too substantial, and how could they be in 6 minutes? My favorites were:

Attribution: Holy Grail or Waste. Billy Leonard covered critical aspects of attribution:

  • how they operate
  • who and how they target
  • what tools, order of use, how they customize
  • how they move laterally
  • when do they operate
  • how do they take your data
  • are they good?
He also brought up the timely term "badtribution".

Exercising Analytic Discipline by Patton Adams. He didn't use any slides (Patton++). He discussed 5 key imperatives:
1 - relevance to business
2 - good communication channel with leadership
3 - Confidence - Investigate, Analyze, Don't repeat
4 - Clarity - write for your audience
5 - Timeliness - good intel can't be late; create a template to be more efficient

Crowdsourcing Threat Intelligence - Adam Vincent. He did a nice walkthrough of how their business evolved.

Curating Indicators by Doug Wilson - "humans are always the limiting factor, you need to automate and empower"

Battlefield Intel - Anup Ghosh. Invincea looks promising, as it runs certain apps in a virtual container and gathers indicators. I wish this would get integrated into AV and not require a separate agent.

Detection Timeline - Julie Ryan - She was hilarious and to the point. A good way to end the agenda.

Rob Lee and Mike Cloppert closed it out after this. They did a great job putting this together, and I'm glad I was able to attend. I look forward to a future summit called APPLIED Cyber Threat Intelligence 2014.


  1. Hi Cyberg - wanted to get in touch with you to see if you'd be interested in reporting from one of our Cyber events. If you'd like to discuss, please email me directly at - thanks

  2. Thanks for the summary on this event. I wanted to attend but was not able to. Your write up certainly provided a great account of the summit and some resources to track down. Well done and thanks again!