Protecting the Herd—Why Information Sharing Matters: Detect '18 Presentation Series




Good afternoon, everyone.

My name is Roberto Sanchez.

I'm here with Anomali.

I'm a pretty recent hire.

I lead what we call the Anomali threat analysis center.

So we do a lot of support for the ISACs; I think we're at 15 plus now.

So we provide a lot of tailored intelligence support and facilitation for the ISAC leadership so they can help boost the collaboration amongst their customer base, as well as provide any operational trends.

Currently it's just two people right now supporting a globally dispersed ISAC membership.

So myself and my colleague Marc Green out of Belfast.

So if you guys are part of any ISACs, if you haven't heard about us or seen our faces, just know that we're still making our rounds.

The group is still relatively new.

So about Anomali.

This was kind of our tag slide.

We're-- it's a proven capability.

That's why we try to promote ourselves out to the ISACs, and give our platform free, or relatively free, just depending on the type of service that the particular ISAC needs.

Such as, like, our Middle Eastern partners take full advantage of even our commercial integration.

So they kind of do like a group deal where oftentimes they pay for commercial fees or whatnot as a group, and try to get discounted rates.

Here on the US side, even in Europe, I don't really see a lot of group commercial feeds, everyone getting together.

But we provide our platform free of service for everyone, of course with limitations on the platform.

So if you guys are a part of ISACs, and you have seen ThreatStream, just know that that's not the full range of the capabilities of the platform or the company.

It's there more just to help facilitate the group.

Obviously we're trusted.

Once again, like I said, we're 15 ISACs right now, currently growing.

I think by the end of the year we'll be at maybe 20 plus.

And what we provide specifically to the community here at the A-TAC is monthly roundtables.

I know a lot of the mature ISACs, such as, like, FS-ISAC, already have kind of like a monthly or quarterly or even sometimes other ad hoc type of presentations.

But for the newer ISACs that are very immature, such as once again like in the Middle East or in Europe as well, we try to bring in a number of our key partners.

So we bring in, like, Flashpoint, Intel 471, Cofense, Symantec, Visa.

And then they provide their own unique perspective on the threat landscape as it pertains to the industry vertical.

And then another key thing that we like to promote too in those monthly round tables, it's no sales.

It's let the performance and the quality of your product speak to the audience, and then that will sell your product, right?

We want to give you an audience.

Since we have good partnerships, give them an audience, and let their product speak for itself.

Another thing that we're actively trying to revamp.

If you have access to ThreatStream, especially the premium version of ThreatStream, we have Anomali University.

So Anomali University provides a lot of how to guides, visual aids for how to manipulate the platform, and try to get a little bit more functionality out of the platform.

So we're currently working on a number of workflows, and trying to get those use cases.

And kind of bring them out to more of the video depiction of those manual use cases.

So those should be coming out fairly soon.

Anomali Forum, once again.

Anomali Forum, traditionally, was more designed for customer service.

More of an interactive type of forum to talk about bug fixes.

At A-TAC we're trying to incorporate a little bit more of a technical talk.

So if you're an ISAC and a sharing item doesn't really meet the criteria of an intelligence report, if there is a forum or if there's an item that you want to share, such as you found out a new [? OSINT ?] technique.

Or you discovered this new underground forum, or this new threat actor.

That really, once again, doesn't really rate an intelligence report like a threat bulletin.

Then just provide it on the forum.

People can exchange information, and then we can help also facilitate and guide that discussion as well.

And investigations and threat bulletins, combining those.

So we do a lot of tailored investigations for our ISAC partners.

Most recently, we came out with an election security report, along with our marketing team, looking at the various 50 states, five territories.

Looking at their online voting registration system, as well as their secretary of states or board of elections, depending on the makeup of that particular state, to see if they were spoofable.

So we provide one offs like that as well.

Once again, just engaging with ISAC leadership.

Seeing what is needed for that particular audience.

And we're more than happy to put together tailored reports.

So A-TAC now.

Once again, what is it composed of?

I already spoke to two of those elements.

So the Anomali University and forum, the roundtables and meet-ups.

Here's a visual of our partnerships.

Once again, we bring in different partners for different audiences.

We do have a partnership with Kaspersky on the US side.

Usually the audience doesn't want to engage with Kaspersky.

However, out in Europe and the Middle East, Kaspersky is seen as a very valuable security vendor.

Once again, one of our key partners.

So we also bring them in, and they provide their own unique insight on APTs.

Another category that we do is best practices and lessons learned.

We try to facilitate that amongst the groups.

So for instance, if it's a FS-ISAC that has some type of best practice, or they've learned something from a breach response and they shared it amongst their community.

We can take that, once again coordinating with their ISAC leadership, and cut that across the rest of the ISACs.

So that not only that particular vertical is benefiting from that information, but the rest of the security community is as well.

And like I said, investigations and industry specific reporting.

We're coming out with a number of new products as well to speak to the industries.

And we don't only just do it for like the US and Europe.

We also do-- we've got one pending right now for Germany.

We've got one pending for Latin America.

So it's pretty-- it's pretty broad scope.

And it just depends on our audience.

What they request is what drives our reporting, or our collection and reporting.

So A-TAC and ISACs in general.

So usually, what was the challenge of information sharing, and then how did you overcome it?

So traditionally, the challenge with information sharing was how do you protect privacy, right?

You don't want to spill that if you had-- if you were attacked in some phishing campaign, that your actual organization was attacked, right?

You usually try to minimize that information such as like a major financial institution versus a Bank of America.

So things like that, protecting privacy.

And also, too, if it's a phishing campaign, obviously that's a-- you have a sender and a receiver.

The sender is usually hostile.

The receiver is usually an employee.

You want to protect that employee's information, and not disclose that they were actually phished.

Other legal and organizational restrictions.

Once again, just depending on industry you're in, you may have some extreme government regulatory requirements.

So I come across this a lot with a lot of our airline membership.

There are extremely strict government regulations where, like, an FS-ISAC, say, would have different requirements.

So how do you get around that, and how do you maintain within those boundaries so you don't get penalized as a company for disclosing information you should not have.

And then the risk of disclosing anything of a sensitive nature, right?

And the information sharing community.

Once again, there is always that risk that you don't want to share because you don't want to give your competitor an advantage over your business.

And also, you know you don't want to give away intellectual property or anything like that.

So the solution that we tried to do here at Anomali, and that we try to facilitate with the A-TAC is having that one central repository.

That single pane of glass, with ThreatStream.

And then having-- we process that information versus just putting out raw information, right?

So what that really is saying is there's going to be a number of filters in there.

That information is going to have some type of matching behind it.

So kind of give a confidence level versus just throwing out a number of indicators, which can lead to a lot of false positives.

So we try to process it as best as possible, and display only the high fidelity indicators to the audience.

Trusted circles.

Once again, this helps us out with-- helps us and the community out with maintaining security and privacy.

So with the trusted circles, obviously if you have a data point or intel report you want to share out with one of your partners, however, you don't want to share it out with your entire audience, you can put it in a trusted circle, and you could just share between yourself and, let's say, one of your partners within an ISAC.

TLP, traffic light protocol.

So that's-- we use the traffic light protocol.

It's already baked in within ThreatStream, and hopefully a lot of ISACs are using that type of security classification, as well as handling procedures.

And then we'd like to emphasize that the gatekeeper is not Anomali, right?

So the ISACs, although they're using our technology to facilitate their relationships, we're not the gatekeeper.

ISAC leadership is, right?

We're facilitators.

Our technology facilitates that information sharing.

And then A-TAC also helps facilitate that collaboration amongst the group, right?

We're not-- we're not the main.

We're not the main effort if you will.

We are a supportive element for the ISACs.

I like to draw those distinctions because oftentimes when we do get requests as A-TAC, we might get a request from an ISAC member versus the ISAC leadership.

And we just have to politely tell them coordinate with your ISAC leadership.

Between A-TAC and [AUDIO OUT] leadership, we will coordinate.

If it meets a reporting criteria that we can actually handle, or should the ISAC leadership handle, and then we support them on the intel requirement.

I also want to throw out that we have on-premise options.

I know a lot of people use our SaaS.

But if you have a-- if you're starting a new information sharing group, whether it's industry-wide or whether you have a multinational corporation and you're trying to start one internally.

We can provide an on-prem option.

This is very, very popular out in the Middle East for our Middle Eastern partners since they have a lot of government regulations that require their data to stay within the confines of their country.

So they usually offer the on-prem option versus the SaaS.

And then obviously, too, the auditing functionality.

That helps out in one of two ways. The way we look at it for the auditing is the traditional auditing, right?

Who's violating the terms of the agreement.

But then the other thing too, more at the A-TAC level, we look at some of the auditing functionality to see who's actually sharing.

Who's freeloading.

Who's actually been a good contributor.

Who's being a good ISAC member.

Oftentimes, we will find the organization that is sharing the most, and then try to engage with them directly and say, why is it, do you think, that your community is not sharing?

How can we better help out?

Do you guys actually have-- we have one ISAC member that is actually now a healthcare ISAC or H-ISAC.

They just changed their name.

They're kind of like very bullish, and they were providing a lot of information.

And I got with their head of threat intel.

And he actually told me that the reason his organization shares a lot is more from a supervisory management incentive level where he actually baked in performance objectives of his employees to start sharing, right?

So as soon as he did that, incentivized the employees to find items to share, in order to obviously meet their objectives.

Yes sure.

So protecting the herd, right?

Why is information sharing-- why does it really matter?

So I try to break it down into four components.

So amongst the group it creates a shared situational awareness.

So obviously if you are a big corporation-- I always like to use Chevron, ExxonMobil, right?

Working in the oil and gas industry, energy companies.

If Chevron gets attacked by an APT, or they're doing some type of oil exploration in some type of country that somebody might not be aware of.

Maybe at Chevron, although they might compete at the business level, if they get attacked by a cyber espionage actor, really at the network level they should not be competing.

They should actually be extremely cooperative in order to mitigate any type of risk that one company would-- one company has over the other.

So it goes with the tag line from-- what we took from the Center for Internet Security.

It's like one organization's detection becomes another's prevention, right?

If you worked in the AV industry before, or have knowledge of the AV industry, that works really well with ISACs, right?

That tagline, because a lot of stuff is heuristic-based.

So if it's heuristic-based, that means someone got attacked in order for them to have that malware to reverse engineer in order to create a signature.

Same exact concept with the ISACs.

Someone gets attacked, don't let the entire community get attacked.

So a heightened state-- heightened understanding of cyber threats.

This goes hand-in-hand with shared situational awareness.

However, what I often like to promote is kind of getting out of that IOC state of mind where you're just focusing on IP, domains, URLs.

What type of behaviors are actually hitting your environment?

So you could go ahead and try to get left of the boom.

So if you share that you're getting hit with a lot of botnet activity.

Let's say one organization has already conducted an analysis, and says that botnet activity is actually associated with bulletproof hosting providers.

If you have that information, go ahead and share it out with everyone so that they can block those domains and IPs from actually hitting their infrastructure.

Shared intelligence costs.

This is one that I actually see in the Middle East a little bit more, where oftentimes some organizations might struggle for talent.

So they might do some type of chargeback.

So let's say one organization has a pretty stellar [? malware ?] reverse engineer, but let's say he's not getting employed very often.

So they'll get together at an ISAC and actually share malware amongst each other, send it out to that one employee that can actually reverse engineer it.

They will put together a report and then share it amongst the group.

And then with this shared intelligence cost is actually the account chargeback.

It's that if that employee is, let's say, salaried across three or four different organizations, they'll actually share a percentage of the cost of that individual's salary so that the entire group benefits.

So what type of information should be-- should the group start sharing?

Observables, I think that's usually like a given.

So like the domains, IPs, URLs, file hashes, even mutex objects.

The thing often that I do not see, which I actually highlighted in the red, is attributing factors, right?

So if you get attacked by a botnet, if you get-- your infrastructure gets compromised.

Maybe someone got a phishing email, and they actually clicked on a hyperlink.

Sometimes the group members will share that information like, oh phishing campaign.

So let's say for instance a TrickBot malspam campaign was using SWIFT-themed subject lines.

Usually that information gets passed amongst a group, right?

But what does not get passed is if you-- if one of your employees actually clicked on that hyperlink.

Or actually downloaded a macro-enabled Word document, right?

That information isn't shared, right?

So what actually contributed for your network to be compromised?

And then what measures did you take in order to remediate that threat?

That information oftentimes is not shared.

Trying to promote that you can still maintain the sensitivity of the data, and sanitize the report to contribute to the community as best as possible.

So go through the entire thing, not just the threat.

Actually give the capabilities that were employed.

Actually give the mitigation steps that were taken.

And then the preventative measures that were employed after the attacks, such as like investing in a new Next Gen firewall.

Things of that nature.

So here in this slide I kind of want to give a breakdown of one of our Middle Eastern ISACs.

So A-TAC, so myself primarily, Marc was actually engaged in this project.

So the Middle Eastern ISAC, the UBS.

So it's the UBF, the United Banking Federation, out in Dubai.

So they wanted to start sharing amongst each other.

I think initially it was only like five-- five or so ish members.

And then within about six months of primarily Marc providing a lot of the roundtables, a lot of, like, tailored information or intelligence reports to this audience, they actually skyrocketed up, like over 300%, in participation, right?

So like we started seeing a lot of groups sharing information of like phishing campaigns, right?

In this example up here is one of the groups actually sharing.

Right here is their Next Gen firewall.

So Palo Alto's WildFire, and using our platform to conduct an investigation.

And then sharing the results of that investigation amongst the group.

And then there were actually like, I think it was like three or four partner organizations that were like, oh wow we started seeing this activity in our environment as well.

And then they were able to block it within a very short time frame, which obviously caused a massive amount of cooperation as a follow-on to the event.

Because, especially within that cultural society, they-- they're very, very close knit, right?

So once they start seeing someone else sharing, the floodgates just open up.

So we're kind of trying to take that type of approach here on the U.S. and Europe side, and hopefully we could replicate the same success.

So just briefly, how can A-TAC help?

So once again for the ISAC leadership, and if you're an ISAC member, I recommend pushing your ISAC leadership to coordinate with the A-TAC.

So how can we help provide trend analysis?

But once again, like I mentioned before, the gatekeeper is the ISAC leadership.

So we coordinate with ISAC leadership, but if we're not provided access to a trusted circle within your ISAC, then obviously we can't provide trend analysis, right?

Because we're not-- we don't have access to the data.

But what we can provide if not given access to that data is industry-specific reporting.

But once again, it's not going to be as tailored as it could be.

If we were provided access to that trusted circle to kind of see that information, and consolidate it for the group, and give our assessment on what's actually happening.

Once again, tailored intelligence.

So we could provide that usually through-- we like to provide it through a form of marketing.

But not, not the traditional marketing that you will see, at least what I think it is anyways.

So that tailored intelligence can be, obviously of a let's say of an actor.

Some type of threat actor, or some type of new capability that's out there that we can actually write an assessment on.

Or oftentimes, if you were lacking the cooperation that you would like to see within your ISAC, we can come up with a tailored intelligence report based on a certain topic of interests, and then share it out as kind of like a marketing document.

A joint marketing document between Anomali and the ISAC in order to kind of give use cases, give workflows and give kind of like the type of things that you can actually explore if you actually start participating within that group.

And then the services like I mentioned before.

We do a lot of monthly roundtables.

Marc primarily leads this up.

Brings in a number of different partners.

One partner per session.

And once again, it's not salesish.

It's to speak to the threats that are seen amongst that industry vertical.

We run ISAC workshops and site visits.

We did one recently up to Albany prior to us releasing our election security report.

That's another thing too that I probably failed to mention is, if we do produce a report that's going to hit one of the verticals, or it can be seen as sensitive to that community.

We always-- we kind of do the-- what I do-- what I used to do at NSA is give that subject matter section the first right of refusal.

So if we create the report, coordinate with the ISAC and say, can you guys review this.

Give us your feedback, some comments on there.

And if possible, provide a quote once we-- once we submit it out to a marketing document.

Now obviously, there have been times we put out a report, or, like, that's a little sensitive.

We don't really want to put that out there.

Roger that.

We're here to facilitate you guys.

We're not here to step on you guys.

If you guys aren't comfortable with that report, we don't put it out.

Or we might just cannibalize it.

By cannibalizing, we're just taking out the context, and just keeping the observables.

So we provide services like that as well.

Once again, we're a facilitator.

We're not the main show.

We're an enabler of growth.

And then outreach support.

This is one of the things that we do as well.

If you need training, we're more than happy to go out there and provide training.

Any other outreach, say, that you need, like to increase cooperation amongst your group.

We're more than happy to do that.

We travel pretty significantly.

So yes, thank you for your time.

My email is down at the bottom.

I'd like to open up for any questions at this time.


To what extent do you utilize [INAUDIBLE] platforms to present the information?

Or do you simply provide the information within your own platform and expect ISAC for [INAUDIBLE] to utilize [INAUDIBLE]?

Yes, so I'll just make sure I understand your question correctly.

So other information sharing platforms, so such like AlienVault, crowdsourcing or-- I'm thinking within the context of federal government [INAUDIBLE] sharing environment or cybersecurity sharing platforms [INAUDIBLE].

OK, so yes.

So if our flagship product ThreatStream is resident at that ISAC, then we like to share through our ISAC or through our technology.

And then we promote the members to share their information through there as well.

I know there's a number of ISACs that we have competitive solutions also ingrained within that ISAC community.

But once again, we promote sharing it through our flagship product.

Because usually, in those situations, our flagship product is the main product.

And everything else is kind of underneath the hood to help out with like analytic workflow, or sometimes-- I actually came across a couple of ISAC members that were pretty adamant about their tools, right?

I'm an analyst and researcher, and I love my tools.

So I can empathize with that.

However, because of the agreements, that information has to be shared through ThreatStream.

[INAUDIBLE] Between us and the ISAC.

Between you and the ISAC?


Are there APIs such as we're discussing [INAUDIBLE] that are available to import the data from ThreatStream [INAUDIBLE] more used [INAUDIBLE]?

Yes, so definitely correct me if I'm wrong, Alex, but for the most part, our ThreatStream product has a number of integrations, right?

Like you guys heard in the meetings today.

However, for the ISACs, it's a little bit neutered, right?

And it's neutered for a reason.

I'd like to give kind of a preview of our product, the free product, right?

So some of the APIs may not be active.

Once again, it all depends on the ISACs, on the original agreement.

As well as, the free ISACs more than likely may not have all that functionality.

But if an ISAC actually pays for premium services, then that commercial version of ThreatStream is at a price that is shared amongst the group.

So they would benefit from those different integrations.

I know MS-ISAC and [AUDIO OUT] ISAC have created a number of, I want to say, harvesters.

You guys have harvesters or APIs.

So they created some third-party APIs that can take that information and ingest it into their IDS or whatever other security technologies they have.

Is that accurate, Alex?


I'll just add one lighter point.

We [INAUDIBLE] to [INAUDIBLE] support TAXII, STIX/TAXII product for an exchange.

So all of our ISAC platforms support STIX.

[INAUDIBLE] as long as your SharePoint or whatever thing you want [INAUDIBLE] right away, and read it, [INAUDIBLE] part of the information via STIX [? TAXII ?] to answer your question [INAUDIBLE].

The [INAUDIBLE] would be designed to do that.

But be a little aware that [INAUDIBLE] would take huge data from [INAUDIBLE] had something [INAUDIBLE] out to a SharePoint platform where instead of it being the nuts and bolts, it's big picture stuff that gets shared [INAUDIBLE]

Absolutely.

Have any other question?


What kind of analysis do you provide [INAUDIBLE]

So our analysis is typical threat intelligence.

So we operate at the tactical/technical, operational, and strategic levels.

So it really all depends on the requirement.

So let's say for instance at the strategic level, kind of taking an overview of that industry vertical, and the attackers that are targeting various organizations.

The behaviors that those attackers exhibit, and kind of like our strategic outlook on what we think 6, is going to look like targeting that industry.

I just basically [INAUDIBLE]

So the way we break it down is what we call IOCs are observables.

So we contextualize that information, right?

So our threat intelligence report is not IPs, domains, URLs, right?

That can be incorporated into a threat intelligence report, but-- so for instance, we did a report for a bank out in, was it Dubai or Abu Dhabi?

So we took literally an IP address and contextualized that IP address.

And we were able to actually enumerate that IP address to hosted credential harvesting sites.

Not only targeting that organization, but also a number of other organizations.

Grab snapshots of those credential harvesting sites.

Grabbed HTML code, grab-- What else did we do?

Do like the passive DNS and all of that investigative work, into a nice, clear, concise product.

I think it was about like one to two pages, and then with our recommended actions.

Tailored, recommended actions.

Not anything general like block this IP or something like that.

No, we go a little bit more in depth.

So those are the type of reports that we could provide.

So, well, this concludes my brief.

Thank you everyone for your attention, and hope you guys have a good day.