Overview
Learn how to evaluate threat intelligence feeds in this 56-minute conference talk from BSidesLV 2014. The speakers walk through the math behind IP-address indicators, the metrics they use, and raw data analysis, then describe inbound versus outbound experiments with IP addresses and DNS and explain why plotting indicators on maps is not a useful way to compare feeds. They examine three tests for a feed: information asymmetry, novelty, and overlap. Population testing, hypothesis testing, and confidence intervals are then used to compare different data sets, including public outbound data and a true-population baseline. The talk closes with the main takeaway and a Q&A covering commercial feeds and false positives.
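As an added illustration of the novelty and overlap tests and of the confidence interval used to compare feeds, here is a small Python script. It is not code from the talk or from BSidesLV; the feed names, dates and addresses are constructed sample data, and the Wilson score interval is a standard choice for a binomial proportion, not necessarily the interval the speakers used.

```python
"""Added example: novelty and overlap tests for threat-intel IP feeds,
with a Wilson confidence interval on the novelty rate.

Feed contents below are constructed (documentation-range addresses),
not data from any real feed.
"""
from math import sqrt
from typing import Dict, List, Set, Tuple

Snapshots = Dict[str, Set[str]]  # day -> set of indicators published that day

# Constructed daily snapshots of two hypothetical feeds.
FEED_A: Snapshots = {
    "2014-08-01": {"203.0.113.5", "203.0.113.9", "198.51.100.2", "192.0.2.7"},
    "2014-08-02": {"203.0.113.5", "203.0.113.9", "198.51.100.2", "192.0.2.8"},
    "2014-08-03": {"203.0.113.5", "198.51.100.2", "192.0.2.8", "192.0.2.9",
                   "192.0.2.10"},
}
FEED_B: Snapshots = {
    "2014-08-03": {"203.0.113.5", "198.51.100.2", "198.51.100.77",
                   "198.51.100.78"},
}


def novelty(snapshots: Snapshots) -> List[Tuple[str, int, int]]:
    """Novelty test: for each day after the first, count indicators that
    were not present in any earlier snapshot.

    Returns (day, new_count, total_count) per day. A feed that mostly
    republishes yesterday's list scores low here.
    """
    seen: Set[str] = set()
    result: List[Tuple[str, int, int]] = []
    for day in sorted(snapshots):
        today = snapshots[day]
        if seen:  # the first day is trivially all-new, so skip it
            result.append((day, len(today - seen), len(today)))
        seen |= today
    return result


def novelty_totals(snapshots: Snapshots) -> Tuple[int, int]:
    """Sum the per-day novelty counts into (new_total, published_total)."""
    rows = novelty(snapshots)
    return sum(n for _, n, _ in rows), sum(t for _, _, t in rows)


def overlap(a: Set[str], b: Set[str]) -> Tuple[int, float, float, float]:
    """Overlap test between two feeds on the same day.

    Returns (shared_count, jaccard, share_of_a_in_b, share_of_b_in_a).
    The two directional shares expose asymmetry: a small feed can be
    almost entirely contained in a large one without the reverse holding.
    """
    shared = len(a & b)
    union = len(a | b)
    jaccard = shared / union if union else 0.0
    share_a = shared / len(a) if a else 0.0
    share_b = shared / len(b) if b else 0.0
    return shared, jaccard, share_a, share_b


def wilson_interval(successes: int, n: int, z: float = 1.96) -> Tuple[float, float]:
    """Wilson score interval for a binomial proportion (95% when z=1.96).

    Used here to put error bars on a novelty rate so that two feeds with
    different daily volumes can be compared honestly.
    """
    if n == 0:
        return (0.0, 0.0)
    p = successes / n
    z2 = z * z
    denom = 1.0 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * sqrt(p * (1.0 - p) / n + z2 / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


if __name__ == "__main__":
    for day, new, total in novelty(FEED_A):
        print(f"FEED_A {day}: {new}/{total} indicators are new")
    new_total, pub_total = novelty_totals(FEED_A)
    lo, hi = wilson_interval(new_total, pub_total)
    print(f"FEED_A novelty rate {new_total}/{pub_total} "
          f"= {new_total / pub_total:.2f}, 95% CI [{lo:.2f}, {hi:.2f}]")
    shared, jac, share_a, share_b = overlap(FEED_A["2014-08-03"], FEED_B["2014-08-03"])
    print(f"2014-08-03 overlap: shared={shared} jaccard={jac:.2f} "
          f"A-in-B={share_a:.2f} B-in-A={share_b:.2f}")
```

With only a few days of data the interval is wide; that is the point of reporting it rather than a bare percentage, since a feed with a 33% novelty rate over nine indicators cannot be distinguished from one at 15% or 60%.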
Syllabus
Intro
Who are we
What is threat intelligence
The math talk
IP addresses
Metrics
Raw data
Inbound vs Outbound
Experiments with IP Addresses
Experiments with DNS
Don't do maps
Three tests
Information asymmetry
Novelty tests
Daily or hourly
Overlap test
Outbound test
Population test
True population
Public outbound
Hypothesis testing
Confidence intervals
Comparing different populations
Google
GPL
Combine
Main Takeaway
Q&A
Commercial feeds
False positives
Taught by
BSidesLV