
2020 SANS CTI Summit Notes


Unfortunately, due to some back surgery I was not able to attend the SANS CTI summit this year; however, I always try to take advantage of the great content SANS makes available. To help me out in synthesizing the information, I combined the context provided by those that were live tweeting, which is useful when reviewing the slide decks. Hope you find this useful, and well done @rickhholland, @PDXbek, and @likethecoins, another great year of great content!

Day 1

Secret Squirrels and Flashlights: Legal Risks and Threat Intelligence
@CristinGoodwin Assistant General Counsel for Customer Security and Trust, Microsoft
  • Boundaries and strategies to help analysts identify and manage legal risks while hunting, investigating, and responding
  • “Have a principled approach to sharing, so when the crisis comes you don’t have to panic.”
  • “What we call common in #threatintel sharing is what a litigation attorney calls a nightmare”
  • When engaging with law enforcement, you are a confidential informant. You & your counsel need to be aware of this. “The gov can be forced to disclose the identity of confidential sources or the contents of their comms”
  • Cristin’s getting into some of the problems that come with traffic light protocol and the law/government. Under the law information is either confidential or it isn’t.
  • Understand whose incident it is - Customer, Company, third party
  • “Incident response is information sharing under stress.”
  • Microsoft does 2 types of nation state disruption: 1) Legal (seizing & sinkholing of domains). Actors: Thallium, Strontium, Phosphorus, Barium. 2) Technical disruption: shutting down of accounts. Actor example: Zinc.
  • “Make your lawyer a member of your TI team. That way when you call them, they know how to respond.”
The Threat Intelligence EASY Button
@chriscochrcyber Intel Lead at Netflix
  • He talks about starting out and building a CTI team. He recommends starting by eliciting requirements - not coming in with what you THINK the requirements should be. Talk to people in your org
  • Spent about 60 days traveling the country talking to his Netflix stakeholders. He built relationships with them.
  • “You are going to sit down with stakeholders & they don’t know what they need.” Help them understand what they need.
  • “Assess Collection Plan” Identify your internal and external information sources; as reqs change, reassess your collection. Collection plan is like a business plan. Formulate your thoughts.
  • “Strive for impact” We don’t want to write reports that no one is going to run.
  • “Yield to feedback” You may have disagreements w stakeholders, explain your approach and LISTEN to them.
Mexico Under Siege: A Look at Threat Activity South of the Border
Matt Bromiley and Enrique Vaamonde
  • Secret Squirrel?
Threat Intelligence and the Limits of Malware Analysis
@jfslowik Intel at Dragos
  • Malware Analysis Goals: functionality and purpose, design and structure, signatures and detection
  • Where you get your malware samples is important to analysis and dictates what you will be able to do with that sample - design & structure vs. signature & detection
  • limitations of malware-focused intel. Provides little more than "shadows on the wall" wrt intent, capability and behavior
  • An explanation for why pivoting on tools alone can be misleading. It’s unlikely that an operator is spending all of their time writing a new tool and likely has a quartermaster
  • APT as bureaucracy - They have structure and teams that operationalize the tools built or bought by others. Distinguishing between tools and actors is essential
  • APTs aren't monolithic threat actors. They build, pick & choose tools as they see fit. There are development actors, planning actors, and operations actors. They aren't always the same.
  • Malware analysis represents just 1 area of analysis. We have to keep that in mind. It is an important tool, but if it is the only tool, we have to understand its limitations. Logs, artifacts, network traffic give bigger picture
  • Some great comments on using proper analytic language. Don’t tell people that you’re certain in your conclusions when you’re just going off a single malware sample.
  • Too often, it seems like ISACS exist to be IOC shops
Automation: The Wonderful Wizard of CTI (Or is It?)
@Sarah_yoder and Jackie Lasky from MITRE
  • Threat Report ATT&CK Mapping (TRAM) is a tool to aid analysts in mapping finished reports to ATT&CK
  • https://github.com/mitre-attack/tram
  • Mapping behaviors in Threat Intel reports can be time-consuming & labor-intensive.
  • The current model is running at 60% accuracy. This will hopefully improve over time with more feedback and more data. There’s still a role for humans
Hack the Reader: Writing Effective Threat Reports
@lennyzeltser SANS Instructor
  • You must present your ideas on the reader's terms
  • Use every opportunity you have to sneak your ideas into where your reader will actually look - including the table of contents!
  • How many orgs have looked to complement their traditional intel reporting with other formats? For example, a 2-3 minute video that summarizes the assessment? Some of your stakeholders might respond better to video.
  • “Be ruthless with your own writing” Cull out at least 20% of your content. You will have unnecessary words.
  • https://zeltser.com/media/docs/rating-sheet-threat-reports-info.pdf
CTI Summit Analysis Workshop
Katie Nickels & Christian Paredes
  • EC-RIA - Event, Context, Risk, Impact, Actions

Day 2

Achieving Effective Attribution: A Case Study on ICS Threats
@RobertMLee, Dragos Founder
  • In addition to sharpie mastery, Rob has a strong neck beard game
  • “most people are tracking developer teams.” Talking about accidentally grouping multiple groups because of a single developer.
  • Get the value of attribution without doing attribution.
  • all CTI sources can be problematic for attribution by themselves
  • Talking about why TTPs are bad for attribution due to proliferation
  • Rule 1. Everyone sucks at Intelligence requirements.
  • Collect what you need for the detections you're running.
  • Build your model first, then run your cases/intrusions. Not the reverse.
  • Pursue in order, Completeness, Accuracy, Relevance, and Timeliness

Cyber Order of Battle: Revealing the Composition, Disposition, and Strength of MuddyWater
Konrad Holter and Curtis Hansen, PWC
  • Secret Squirrel?
Every Breath You Take: A CTI Review of Stalkerware
Xena Olen aka @ch33r10
  • This is so important and one of the ways CTI/DFIR can make a real difference in individual lives beyond securing corporations and governments.
  • The @MITREattack "Mobile Matrices" can be used for the tactics and techniques of stalkerware. http://bit.ly/2NO1Fsb
  • “The Predator in Your Pocket: A Multidisciplinary Assessment of the Stalkerware Application Industry” http://bit.ly/36bEP3Z
  • Talking about how similar some of the behaviors around stalkerware can be to mobile techniques used by state actors.
  • “Some hacktivists really hate stalkerware vendors and breach them over and over again.”
  • “13.5% of your employees have been impacted by stalkerware at some point in their lives.”
  • “Operation: Safe Escape” http://bit.ly/2RcdfiS
  • Your normal IR playbook can kill people when dealing with intimate partner surveillance. “Enable 2FA right away” in the absence of other planning may trigger violence. Typical threat models don’t apply.
  • Careful threat modelling is essential; as with dissidents, war zones, other things most of us have no experience being or being in, you _may_ not be the best person to do that
Collection Overload: Understanding and Managing Collection to Support Threat Intelligence Analysis
Sherman Chu, @aperturenoise, NYC Cybercom
  • Circular reporting - when a piece of info seems to come from multiple sources, but actually comes from a single source
  • Sherman is talking about a number of potential problems that can come up in collection, from mistaking a single source for multiple sources, to collection biases, to overload from excessive collection.
  • establish a Minimum Viable Collection
  • If it doesn’t bring you joy, stop collecting it. Getting down to the right, manageable sources can be as important as acquiring them.
  • Base your collection plan on your requirements.
Strategic Takeaways: Forging Compelling Narratives with Cyber Threat Intelligence
Abdulrahman Alsuhaimi @aasuh88, Saudi Aramco
  • Relevance is the most important thing to remember when compiling a Cyber Threat Brief
  • Different models have strengths and weaknesses. Here he’s talking about how the Kill Chain can be the most effective to communicate to seniors
  • “Over” is a key word in reporting. Don’t over-report, don’t over-scare, and don’t go overboard! Some pitfalls to avoid when compiling a report!
  • Especially liked @aasuh88’s point on standardizing and defining your numbers here. It’s important for another analyst to be able to be consistent when someone leaves.

Stop Tilting at Windmills: Three Key Lessons that CTI Teams Should Learn from the Past
Andreas Sfakianakis, @asfakian
  • “We often connect better with the tactical stakeholders because we understand their needs, but we sometimes struggle to connect with other stakeholders”
  • Unless you're grounded in your customer requirements and responsive to customer feedback, your #ThreatIntel will at best be irrelevant, at worst useless.
  • Andreas has all the sources for this awesome talk on a GitHub page - https://github.com/sfakiana/SANS-CTI-Summit-2020
  • Andreas is talking about the different roles in an organization that interact with intelligence, their differing requirements, and how we’re often equipped to deal naturally just with tactical stakeholders.
  • #ThreatIntel strategy: where possible, map reporting items and sections to intelligence requirements. Helps ground reporting in customer needs, and enables metrics and success tracking.
  • @asfakian makes a good point about the necessity of constant, timely feedback in #ThreatIntel. This is work for Intel _consumers_: if you want good, relevant, actionable products, you must be engaged with your providers.
  • "If it's more than one page, they won't read it." @asfakian on executive reports.
  • “Write it or didn't happen. Happy reporting”
  • On CTI analyst training - "we focus too much on technical competencies."

The Importance of Cultural and Social Intelligence
Gerard Johansen, Cisco
  • understanding the cultural and social underpinnings of attacker behaviors can help organizations get a more complete picture of the threat environment and provide additional context to threat intelligence
  • Culture Intelligence allows us to gain a wider view of adversary or partner. China and Russia are two major players where culture comes into play.
  • Gerard is digging into one of my favorite cognitive biases, mirror imaging. It’s easy and dangerous to assume that another culture thinks like us. We need to use analysis techniques that let us overcome this bias.
  • "Cultural intelligence provides some insight into the long-term goals of an adversary."

CTI to Go: Your Takeaways and To Do List
Rick Holland @rickhholland Digital Shadows
