Intelligence Driven Defense: Successfully Embedding Cyber Threat Intel in Security Operations

“I thought all I had to do was show the data and people would understand. It doesn’t work. You have to tell a story” – Cliff Stoll.

Easier said than done, right? Being able to tell a compelling story that answers key questions (who is attacking us, what is their motivation, were they here before, how do they operate, what is the impact to our business, and will they come back) should be one of the ultimate goals of any effective blue team. However, being successful at embedding cyber threat intel in SecOps requires something else: maintaining a solid understanding of the environment we are defending, as well as a systematic way to identify and prioritize applicable threats and assess impact, so we can respond appropriately to these attacks.

In this talk, Ismael Valenzuela, Certified SANS Instructor and GSE #132, will share lessons learned and practical tips on how blue teams can not only consume but also produce actionable and contextual threat intelligence using tools, processes, models and taxonomies that are available to the community.

Slides:


Speaking at BlackHat USA 2018

What is better than speaking at BlackHat USA? Doing it twice! I’m excited to announce that I’ll be speaking at BH USA for the 3rd time in the last 3 years. This time, in addition to speaking on how to integrate cyber threat intelligence in Security Operations with my colleague and friend Christiaan Beek, I’ll be presenting the latest version of my rastrea2r open source project at BlackHat Arsenal.

If you’re at BH USA this year, please stop by and say hi!


BlackHat USA 2018 – https://www.blackhat.com/us-18/presenters/Ismael-Valenzuela.html

BlackHat USA 2017 – https://www.blackhat.com/us-17/sponsored-sessions/Ismael-Valenzuela.html

BlackHat USA 2016 – https://www.blackhat.com/us-16/presenters/Ismael-Valenzuela.html

Disrupting the Disruptors: How to Threat Hunt Like a Pro

Read my article on how to threat hunt like a pro on Recorded Future’s blog:

https://www.recordedfuture.com/cyber-threat-hunting/

Here’s an excerpt of this article:

As the saying goes, the best defense is a good offense. When it comes to cybersecurity, that means shifting from merely responding to intrusions and attacks to actively searching out threats and destroying them. Having the capacity and know-how to make this stance shift is a key element of a mature information security operations center (SOC), says Ismael Valenzuela, who recently gave a presentation on threat hunting at RFUN 2017.

Valenzuela has worked in cybersecurity for decades and has been a member of the Foundstone team at McAfee for six years, performing incident response in the United States, Europe, and the Middle East. He is also a SANS-certified instructor who has taught classes on continuous monitoring, forensics, and security operations for the past seven years.

During his presentation, Valenzuela talked extensively about the difference between incident response and threat hunting, focusing on the qualities that a SOC needs to effectively hunt threats and some of the challenges they face, as well as what he called the three big “knows” that every SOC should focus on: knowing your enemy, knowing your network, and knowing your tools. He concluded his talk with a look at how automation, artificial intelligence, and machine learning are impacting the field, arguing that they are ultimately just new tools that can supplement, but never replace, a team of experienced humans.