There is no doubt that indicators of compromise (IOCs) are here to stay. However, at the moment, even the most mature incident response (IR) teams are mainly focused on matching known indicators to their captured traffic or logs. The real eureka moments of using threat intelligence mostly come from the intuition of analysts. You know, the ones that are almost impossible to hire.
Alex Pinto demonstrates how to apply descriptive statistics, graph theory, and nonlinear scoring techniques to the relationships between known network IOCs and log data, and how those techniques let IR teams encode analyst intuition into repeatable data processing that simplifies the triage stage and yields actionable information with minimal human interaction. Alex also showcases open source tools that can easily be extended to paid or private sources an organization has access to.
With these results, you can make IR teams more productive as early as the initial triage stage by providing them with data products that give a sixth sense for which events are worth an analyst's time. They also make painfully evident which IOC feeds help the detection process and which do not.
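As an added illustration of the kind of IOC-to-log scoring the abstract describes (my own sketch, not code from the talk or the MLSec Project): the indicator/feed/host relationships are held as a small bipartite graph, each matched indicator gets a nonlinear score that rises with the number of distinct hosts that touched it and falls when many feeds republish it, and feeds and hosts are ranked from those scores. The feed contents and log lines are constructed sample data, and the scoring formula is an assumption chosen for illustration.

```python
import math
from collections import defaultdict

# Constructed sample data: three IOC feeds (sets of destination IPs) and a few
# firewall log lines reduced to (source_host, destination_ip) pairs.
FEEDS = {
    "feed_a": {"203.0.113.5", "203.0.113.9", "198.51.100.7"},
    "feed_b": {"203.0.113.5", "192.0.2.44"},
    "feed_c": {"203.0.113.5", "198.51.100.7", "192.0.2.44", "192.0.2.45"},
}
LOGS = [
    ("host1", "203.0.113.5"), ("host1", "203.0.113.5"), ("host2", "203.0.113.5"),
    ("host2", "198.51.100.7"), ("host3", "192.0.2.44"), ("host4", "10.0.0.8"),
]

def build_graph(feeds, logs):
    """Two adjacency maps: indicator -> feeds listing it, indicator -> hosts that contacted it."""
    feeds_of = defaultdict(set)
    for feed, indicators in feeds.items():
        for ioc in indicators:
            feeds_of[ioc].add(feed)
    hosts_of = defaultdict(set)
    for host, dst in logs:
        if dst in feeds_of:          # only log events that match some indicator join the graph
            hosts_of[dst].add(host)
    return feeds_of, hosts_of

def score_indicator(ioc, feeds_of, hosts_of, n_feeds):
    """Assumed nonlinear score: log-scaled in distinct hosts seen, discounted by how many
    feeds carry the indicator (widely republished indicators tend to be stale or noisy)."""
    hosts = len(hosts_of.get(ioc, ()))
    if hosts == 0:
        return 0.0
    rarity = 1.0 - (len(feeds_of[ioc]) - 1) / n_feeds
    return math.log1p(hosts) * rarity

def rank_feeds(feeds, logs):
    """Descriptive statistics per feed: fraction of its indicators that matched, mean indicator score."""
    feeds_of, hosts_of = build_graph(feeds, logs)
    n = len(feeds)
    out = {}
    for feed, indicators in feeds.items():
        scores = [score_indicator(i, feeds_of, hosts_of, n) for i in indicators]
        out[feed] = {"hit_rate": sum(s > 0 for s in scores) / len(indicators),
                     "mean_score": sum(scores) / len(scores)}
    return out

def rank_hosts(feeds, logs):
    """Triage order: hosts sorted by the summed score of the indicators they touched."""
    feeds_of, hosts_of = build_graph(feeds, logs)
    total = defaultdict(float)
    for ioc, hosts in hosts_of.items():
        for h in hosts:
            total[h] += score_indicator(ioc, feeds_of, hosts_of, len(feeds))
    return sorted(total.items(), key=lambda kv: kv[1], reverse=True)
```

Running it on the sample data ranks host2 first (it touched two rarer indicators) and shows feed_a scoring lowest despite a decent hit rate, because one of its matches is the indicator every feed carries.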
Alex Pinto is the chief data scientist of Niddel and the lead for the MLSec Project. Alex is currently dedicating his waking hours to the development of machine learning algorithms and data science techniques to automate threat hunting (I know) and making threat intelligence “actionable” (I know, I know). If you care about certifications at all, Alex is currently a CISSP-ISSAP, CISA, CISM, and PMP. He was also a PCI-QSA for almost seven years but is a mostly ok person in spite of that.
©2016, O’Reilly UK Ltd