
Intel Framework


fausta

Presentation Transcript


  1. Intel Framework

  2. What is intelligence?
  • The Intel framework defines intelligence as an atomic bit of data with associated metadata
  • Things you want to know about!

  3. Motivations
  • Intelligence-based searching is incredibly common
  • Through abstraction we can expand the utilization of intelligence
  • Creating a format for importing intelligence makes Bro target-able for intelligence providers

  4. How common is it?
  • Numerous open intelligence feeds
  • Numerous security industry reports
  • Numerous private intelligence sharing communities
  • Many organizations are building their own internal intelligence teams

  5. Benefits of Abstraction?
  • Reduce
    • If multiple feeds have the same data, we don’t need to store it multiple times
  • Reuse
    • Look for IP addresses anywhere they show up instead of just in IP headers, etc.
  • Optimize
    • There will be memory and performance optimizations we’ll do under the hood

  6. Intelligence Format
  • Bro’s intelligence indicator format is incredibly terse by default but extensible
  • Data can be stored in a database or text files and updated at runtime

  7. Design Limitation
  • Asynchronous lookups
    • You can’t use “do I know about this?” in a normal if statement
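The reduce/reuse abstraction of slides 5 to 7, modelled in Python as an added example (this is not Bro's own code, which is written in Bro script): two constructed feeds in the tab-separated "#fields"/meta.* intel file layout are merged into one store keyed on (indicator, type), and a lookup delivers hits to handlers instead of returning a value, which is the asynchronous behaviour slide 7 describes. The feed contents, the IntelStore class and the "where" labels are constructed for this example.

```python
from collections import defaultdict
# Constructed feeds in the tab-separated intel file layout ("#fields" header, meta.* columns).
FEED_A = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "198.51.100.7\tIntel::ADDR\tfeed-a\tscanner\n"
    "bad.example\tIntel::DOMAIN\tfeed-a\tphishing page\n"
)
FEED_B = (
    "#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\n"
    "198.51.100.7\tIntel::ADDR\tfeed-b\tcommand and control\n"
    "evil.example\tIntel::DOMAIN\tfeed-b\tmalware download\n"
)

def parse_feed(text):
    """Yield (indicator, type, metadata) for each data row of one feed."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]             # column names follow the tag
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split("\t")))
            meta = {k[5:]: v for k, v in row.items() if k.startswith("meta.")}
            yield row["indicator"], row["indicator_type"], meta

class IntelStore:
    """Reduce: one entry per (indicator, type), keeping every feed's metadata."""
    def __init__(self):
        self.items = defaultdict(list)
        self.handlers = []                            # notified on a hit, like an Intel::match event
    def load(self, feed_text):
        for indicator, typ, meta in parse_feed(feed_text):
            self.items[(indicator, typ)].append(meta)
    def seen(self, indicator, typ, where):
        """Reuse: report a value observed anywhere (HTTP host, DNS query, ...). Nothing is
        returned; a hit reaches the handlers later, so it cannot drive a plain if statement."""
        metas = self.items.get((indicator, typ))
        if metas:
            for handler in self.handlers:
                handler({"indicator": indicator, "type": typ, "where": where}, metas)

def demo():
    # Load both feeds, report a few observed values and collect the resulting hits.
    store, hits = IntelStore(), []
    for feed in (FEED_A, FEED_B):
        store.load(feed)
    store.handlers.append(lambda s, metas: hits.append((s["where"], [m["source"] for m in metas])))
    store.seen("198.51.100.7", "Intel::ADDR", "HTTP::IN_HOST_HEADER")  # listed by both feeds
    store.seen("evil.example", "Intel::DOMAIN", "DNS::IN_REQUEST")
    store.seen("good.example", "Intel::DOMAIN", "DNS::IN_REQUEST")     # unknown: no hit
    return len(store.items), hits
```

The shared address is stored once with both feeds' metadata attached, and the unknown domain produces no handler call at all.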

  8. Currently Deployed
  • 13,469 indicators across 6 feeds
  • Running at a few sites
  • Seems to be working well
  • Data feeds have issues of lack of context and sometimes old data

  9. Questions?
  • Next we have some exercises that are linked from the agenda
