Beyond Matching: Applying Data Science Techniques to IOC-Based Detection – CTI SUMMIT 2017



There is no doubt that indicators of compromise (IOCs) are here to stay. However, even the most mature incident response (IR) teams currently focus mainly on matching known indicators against their captured traffic or logs. The real "eureka" moments of using threat intelligence mostly come from analyst intuition, the kind that is almost impossible to hire.

In this session, we show how to apply descriptive statistics, graph theory, and non-linear scoring techniques to the relationships between known network IOCs and log data. Learn how to use these techniques to help IR teams encode analyst intuition into repeatable data techniques that simplify the triage stage and produce actionable information with minimal human interaction. With these results, IR teams become more productive as early as the initial triage stage, because they receive data products that provide a "sixth sense" for which events are worth analyst time. The same results also make painfully evident which of the IOC feeds an organization consumes are helping its detection process and which are not.

The presentation showcases open-source tools that demonstrate the concepts from the talk on freely available IOC feeds and enrichment sources, and that can easily be extended to paid or private sources an organization might have access to.
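The abstract names three ingredients (descriptive statistics, graph theory, non-linear scoring) without showing how they combine. The following is an added illustration written for this page; it is not the open-source tooling the talk showcases and does not claim to reproduce it. It assumes a few constructed log records of the form (source host, destination) and three hypothetical feeds, and it contrasts plain match counting with a score that discounts destinations everyone talks to, rewards corroboration across feeds, and combines hits with a saturating (noisy-OR) rule. It also reports per feed how many listed indicators were ever seen and how rare those hits were, which is the "which feeds are helping" question, and projects the host-destination graph onto host pairs that share a rare listed destination.

```python
"""Added illustration for this abstract (not the talk's own tooling):
rank hosts by their relationships to IOC-listed destinations rather than by
raw indicator matches, and measure which feeds are pulling their weight."""
from collections import defaultdict
from itertools import combinations

# Constructed sample log records (source host, destination); not real traffic.
LOGS = [
    ("ws01", "cdn.example-update.test"), ("ws02", "cdn.example-update.test"),
    ("ws03", "cdn.example-update.test"), ("ws04", "cdn.example-update.test"),
    ("ws05", "cdn.example-update.test"),
    ("ws01", "203.0.113.7"), ("ws01", "203.0.113.7"), ("ws03", "203.0.113.7"),
    ("ws02", "mail.example.test"), ("ws04", "mail.example.test"),
    ("ws05", "198.51.100.23"), ("ws05", "bad-dropper.test"),
]

# Constructed feeds; feed names and indicators are hypothetical.
FEEDS = {
    "feed_a": {"cdn.example-update.test", "203.0.113.7"},
    "feed_b": {"203.0.113.7", "bad-dropper.test", "192.0.2.99"},
    "feed_c": {"198.51.100.23", "192.0.2.1"},
}


def build_graph(logs):
    """Bipartite graph: host -> {destination: contact count}, destination -> set(hosts)."""
    host_to_dst = defaultdict(lambda: defaultdict(int))
    dst_to_hosts = defaultdict(set)
    for host, dst in logs:
        host_to_dst[host][dst] += 1
        dst_to_hosts[dst].add(host)
    return host_to_dst, dst_to_hosts


def index_feeds(feeds):
    """Invert the feeds: indicator -> set of feed names that list it."""
    idx = defaultdict(set)
    for name, indicators in feeds.items():
        for ind in indicators:
            idx[ind].add(name)
    return idx


def rarity(dst, dst_to_hosts, n_hosts):
    """Descriptive statistic: 1 - fraction of hosts that contacted dst.
    A listed destination that every host talks to carries no signal."""
    return 1.0 - len(dst_to_hosts.get(dst, ())) / n_hosts


def indicator_weight(dst, dst_to_hosts, ioc_index, n_hosts):
    """Corroboration across feeds (1 feed -> 0.5, 2 feeds -> 0.75, ...)
    discounted by how common the destination is in our own logs."""
    corroboration = 1.0 - 0.5 ** len(ioc_index[dst])
    return corroboration * rarity(dst, dst_to_hosts, n_hosts)


def raw_matches_all(logs, feeds):
    """What plain matching gives you: log lines per host touching any listed indicator."""
    host_to_dst, _ = build_graph(logs)
    ioc_index = index_feeds(feeds)
    return {h: sum(n for d, n in dsts.items() if d in ioc_index)
            for h, dsts in host_to_dst.items()}


def score_host(host, host_to_dst, dst_to_hosts, ioc_index, n_hosts):
    """Noisy-OR combination, 1 - prod(1 - w_i): it saturates at 1, so one strong
    indicator outranks many weak ones instead of weak hits adding up linearly."""
    p_clean = 1.0
    for dst in host_to_dst[host]:
        if dst in ioc_index:
            p_clean *= 1.0 - indicator_weight(dst, dst_to_hosts, ioc_index, n_hosts)
    return 1.0 - p_clean


def score_all(logs, feeds):
    host_to_dst, dst_to_hosts = build_graph(logs)
    ioc_index = index_feeds(feeds)
    n_hosts = len(host_to_dst)
    return {h: round(score_host(h, host_to_dst, dst_to_hosts, ioc_index, n_hosts), 4)
            for h in host_to_dst}


def evaluate_feeds(logs, feeds):
    """Per feed: how many listed indicators ever appear in the logs, and the mean
    rarity of those hits. Many hits with low rarity means the feed adds noise."""
    host_to_dst, dst_to_hosts = build_graph(logs)
    n_hosts = len(host_to_dst)
    report = {}
    for name, indicators in feeds.items():
        seen = [i for i in indicators if i in dst_to_hosts]
        mean_r = sum(rarity(i, dst_to_hosts, n_hosts) for i in seen) / len(seen) if seen else 0.0
        report[name] = {"listed": len(indicators), "seen": len(seen), "mean_rarity": round(mean_r, 3)}
    return report


def shared_ioc_links(logs, feeds, min_rarity=0.5):
    """Graph projection: two hosts are linked when they share a rare listed
    destination. Such clusters are a campaign-style signal per-host matching misses."""
    host_to_dst, dst_to_hosts = build_graph(logs)
    ioc_index = index_feeds(feeds)
    n_hosts = len(host_to_dst)
    links = defaultdict(set)
    for dst, hosts in dst_to_hosts.items():
        if dst in ioc_index and len(hosts) > 1 and rarity(dst, dst_to_hosts, n_hosts) >= min_rarity:
            for a, b in combinations(sorted(hosts), 2):
                links[(a, b)].add(dst)
    return dict(links)


if __name__ == "__main__":
    print("raw matches:", raw_matches_all(LOGS, FEEDS))
    print("scores:", sorted(score_all(LOGS, FEEDS).items(), key=lambda kv: -kv[1]))
    print("feeds:", evaluate_feeds(LOGS, FEEDS))
    print("shared rare IOCs:", shared_ioc_links(LOGS, FEEDS))
```

On the constructed data, plain matching flags all five hosts and ties ws01 with ws05 at three hits each, because feed_a lists a domain every workstation contacts. The scored view drops that domain to zero weight, ranks ws05 first (two rare, listed destinations), puts ws01 and ws03 next (one destination corroborated by two feeds), and leaves ws02 and ws04 at zero; the feed report shows feed_a's hits averaging low rarity, and the projection links ws01 and ws03 through the shared rare destination. The weights and the 0.5-per-feed corroboration rule are assumptions chosen for illustration, not values from the talk.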

Alex Pinto (@alexcpsec), Chief Data Scientist, Niddel

Alex Pinto is the Chief Data Scientist of Niddel and the lead of MLSec Project. He is currently dedicating his waking hours to the development of machine learning algorithms and data science techniques to automate threat hunting (I know) and to make threat intelligence "actionable" (I know, I know). If you care about certifications at all, Alex currently holds the CISSP-ISSAP, CISA, CISM, and PMP.
