One Article Review

Home - The article:
Source AlienVault Blog
Identifier 1222817
Publication date 2019-07-25 13:00:00 (viewed: 2019-07-25 16:01:00)
Title Can you trust threat intelligence from threat sharing communities? | AT&T ThreatTraq
Text Every week the AT&T Chief Security Office produces a series called ThreatTraq with helpful information and news commentary for InfoSec practitioners and researchers. I really enjoy them; you can subscribe to the YouTube channel to stay updated. This is a transcript of a recent feature on ThreatTraq. The video features Jaime Blasco, VP and Chief Scientist, AlienVault; Stan Nurilov, Lead Member of Technical Staff, AT&T; and Joe Harten, Director, Technical Security.

Stan: Jaime, I think you have a very interesting topic today about threat intelligence.

Jaime: Yes, we want to talk about how threat intelligence is critical for threat detection and incident response, but then when this threat intelligence and the threat actors try to match those indicators and that information that is being shared, it can actually be bad for companies. So we are going to share some of the experiences we have had with managing the Open Threat Exchange (OTX) - one of the biggest threat sharing communities out there.

Stan: Jaime mentioned that they have so many threat indicators and so much threat intelligence as part of OTX, the platform.

Jaime: We know attackers monitor these platforms and are adjusting tactics and techniques and probably the infrastructure based on public reaction to cyber security companies sharing their activities in blog posts and other reporting. An example is in September 2017, we saw APT28, and it became harder to track because we were using some of the infrastructure and some of the techniques that were publicly known. And another cyber security company published content about that, and then APT28 became much more difficult to track. The other example is APT1. If you remember the APT1 report in 2013 that Mandiant published, that made the group basically disappear from the face of the earth, right? We didn't see them for a while, and then they changed the infrastructure and they changed a lot of the tools that they were using, and then they came back in 2014. So we can see that that threat actor disappeared for a while, changed and rebuilt, and then they came back. We also know that attackers can try to publish false information in this platform, so that's why it's important that not only those platforms are automated, but also there are human analysts that can verify that information.

Joe: It seems like you have to have a process of validating the intelligence, right? I think part of it is you don't want to take this intelligence at face value without having some expertise of your own that asks, is this valid? Is this a false positive? Is this planted by the adversary in order to throw off the scent? I think it's one of those things where you can't automatically trust threat intelligence. You have to do some of your own diligence to validate the intelligence, make sure it makes sense, make sure it's still fresh, it's still good. This is something we're working on internally - creating those other layers to validate and create better value of our threat intelligence.

Jaime: The other issue I wanted to bring to the table is what we call false flag operations - that's when an adversary or a threat actor studies another threat actor and tries to emulate their behavior. So when companies try to do at
Tags Malware Threat Studies Guideline
Stories APT 38 APT 28 APT 1


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repost of an earlier one.