Overview
Explore the effectiveness of threat intelligence feeds in this BSidesLV 2014 conference talk. Dive into the concept of measuring the IQ of threat intelligence feeds, covering topics such as the pyramid of pain, mathematical approaches, and various measurement techniques. Learn about experiments with IP addresses and DNS, data set analysis, novelty tests, and information asymmetry. Examine outbound data, population tests, hypothesis testing, and confidence intervals. Gain insights into comparing different populations, GPL, and combining data sources. Conclude with main takeaways and a Q&A session addressing false positives and other critical aspects of threat intelligence evaluation.
Syllabus
Intro
Who are we
Let's go
The basics
The pyramid of pain
Math talk
Can we measure this
IP addresses
Can we measure
What are we measuring
Separate inbound and outbound
Experiment with IP addresses
Experiment with DNS
Don't do maps
Data set
Novelty test
Information asymmetry
Novelty tests
Overlap test
Outbound data
Population test
True population
Hypothesis testing
Confidence intervals
Animal names
Comparing different populations
GPL
Combine
Conclusion
Main takeaway
Q&A
False positives