A Primer on Cyber Threat Intelligence
Presentation transcript (ISSA)
…AS ADVERTISED
BUZZWORD BINGO!
TODAY’S CYBER SECURITY CHALLENGES
• CISOs finding it difficult to define security ROI to executives
  • Short shelf life for CISOs
• Vastly expanding attack surface area
  • Mobile, cloud, virtualization, global business operations
• Large protection investments and no good prioritization filter
  • Who, why, when, how
• Operational chaos
  • Too many alarms, not enough people, poor prioritization
• “Brain dead” security tools that rely on past events/signatures
  • Versus extremely agile adversaries
• Severe breaches continue…
GLOBAL CYBER THREAT LANDSCAPE
• Active & Global
  • Transcends geographies and sectors
• Multiple Motivations
  • Cyber crime, espionage, hacktivism, destruction, etc.
• Low Entry Barriers
  • Actors use what works; not necessarily sophisticated methods
  • Open marketplace providing capabilities
• Structured & Vibrant
  • Ecosystem providing better tools, infrastructure, sharing ideas and methods, pooling resources
MY INTELLIGENCE PHILOSOPHY
• Good intelligence allows decision makers to act more boldly
• The decision maker’s time is valuable. Match his priorities – command his attention
• Only deliver actionable information, no history lessons, no news reports
• The quality of the analysis is directly proportional to the quality of the question asked
• Good analysts are respected but not always popular
• No software can replace the analyst
• Intelligence is an art, not a science
• Less is more
• Everyone & everything is a potential information source
• Disperse the team, embed the resources, build a network across the silos
• Any system that does not sustain itself is not a system
• New does not mean better; Old does not mean better
• Intelligence can be Cheap-Fast-Accurate. Pick any two
• The buck stops with me; the team gets the credit
FORMAL RESEARCH PROCESS YIELDS RICH, CONTEXTUAL THREAT INTELLIGENCE
(A cycle: Requirements → Collection → Processing → Analysis → Dissemination → Feedback & Clarification, which feeds the next round of requirements)
• Requirements
  • Intelligence requirements requested from client
  • Intelligence requirements created based on clients, sectors and adversaries
  • Requirements prioritized by analysts, matched to current holdings, then passed to research teams
• Collection
  • Collection planning and tasking of global teams
  • Requirements collected by unique global teams and returned to the fusion center
• Processing
  • Processing and exploitation to standardize multiple information sources, ready for analysis
• Analysis
  • Analysis of information and production of reporting for clients
• Dissemination
  • Fully fused, corroborated, cross-referenced and edited multi-source intelligence reporting disseminated to clients
• Feedback & Clarification
  • Client feedback, refinement of intelligence product
“ACTIONABLE INTELLIGENCE” OBJECTIVES
• Strategic (audience: Executives) – Provide understanding of identified and credible threats, correlated to business impact
• Operational (audience: Managers & Analysts) – Enable formulation of approaches to dealing with threats and prioritization of team activity
• Tactical (audience: Security Operators) – Provide understanding of how to mitigate threats and enable tools to do the heavy lifting
CYBER TACTICAL INTELLIGENCE
Threat Data Feed:
• Bad IP Address
• Ranking
• Last Hop Geo Location
Cyber Threat Intelligence:
• Bad IP Address
• Actor Group
• Motivation
• Primary Targets
• Ability to Execute
• Additional IPs, Domains
• Malware Used
• Lures
• Vulnerabilities Targeted
• Historic Campaigns
• Successful Compromises
WHAT ARE INTELLIGENCE REQUIREMENTS?
Strategic questions
• What keeps the C-suite up at night?
• What news stories or business events seem to be their hot buttons?
• Will the Qassam Cyber Fighters (QCF) target us?
Operational questions
• What does a targeted DDOS attack look like?
• How do we shape our defenses and responses?
• What are the technical capabilities of the QCF?
• What are the Tactics, Techniques and Procedures (Campaign) of the QCF?
Tactical questions
• Which one of these 100 events should I examine first?
• What are attributable IOCs of the QCF?
• What is the pattern of who is attacked by QCF?
• How does a QCF campaign unfold, step by step?
These questions are divided into answerable parts
• = Priority Intelligence Requirements (PIR) and Other Intelligence Requirements (OIR)
• Drives the collection management plan
• Identifies intelligence gaps
• Create the needs statement & business case for new security services or products
EXAMPLE INTELLIGENCE DELIVERABLES
• Media Counterpoint - daily
• Threat Intelligence Briefing - daily or weekly
• Threat Intelligence Report - monthly
• Threat Intelligence Warning - as required
• Threat Intelligence Alert - as required
• Threat Scenarios - quarterly
• Sensor Enrichment - as required
• Threat Metrics - weekly
• Intelligence Support (Digital Brand Protection, Incident Response, Fraud, Attack Surface Management, Physical Security) - as required
THREAT MATRIX
Vertical axis – Threat Actor Focus (narrowest to broadest): Company X, Business sector, Industry, Enterprise, General
Horizontal axis – Threat Actor Capability: Novice, Apprentice, Competent, Skilled, Expert
Example threats plotted on the matrix: Hacktivist campaign; IP theft
ACTIONABLE THREAT INTELLIGENCE: FUNCTIONAL & TECHNICAL INTEGRATION
Security functions fed by intelligence:
• Surface Protections
• SIEM
• Incident Response / Security Analytics
• Forensics / Investigations
• Governance, Risk, Compliance
• Patch Management
Activity:
• Ingress/Egress Blocking
• Event Prioritization
• Analyze Incidents (Who, Why) & Hunt for Issues
• Remediation & Attribution
• Prioritize Most Critical Patches
• Improve Decisions, Brief Executives
Value:
• Block with Confidence
• Shrink the Problem
• Who/Why Attack – Did We Find Everything?
• Enhance Protection
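The slides above contrast a threat data feed (address, ranking, geo) with tactical intelligence (actor, motivation, primary targets, ability to execute), and list event prioritization and "block with confidence" as the SIEM and surface-protection payoffs. The following is an added example, not code from the presentation or from iSIGHT Partners, showing how those two kinds of holdings answer the tactical question "which of these 100 events should I examine first?" in practice. Every feed record, intelligence record, SIEM line, weight and the CVE placeholder is constructed for illustration; the scoring rules and the rule that a block decision requires contextual intelligence rather than a feed hit alone are this example's assumptions.

```python
"""Added example: enriching SIEM events with a threat data feed and with
tactical intelligence, then ranking them for an analyst queue.
All records, events and weights are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class FeedRecord:
    """What a plain threat data feed offers: an address, a score, a location."""
    ip: str
    ranking: int        # 0-100 reputation score (assumed feed convention)
    last_hop_geo: str   # country code of the last hop


@dataclass(frozen=True)
class IntelRecord:
    """What tactical intelligence adds: who, why, whom, and how capable."""
    ip: str
    actor_group: str
    motivation: str
    primary_targets: tuple[str, ...]   # sectors the actor is known to target
    ability_to_execute: int            # 1 novice .. 5 expert (the slides' capability scale)
    malware_used: tuple[str, ...] = ()
    vulnerabilities_targeted: tuple[str, ...] = ()
    additional_indicators: tuple[str, ...] = ()


@dataclass(frozen=True)
class Event:
    event_id: str
    src_ip: str
    dst_asset: str
    asset_criticality: int   # 1 low .. 5 high, assumed to come from the asset inventory


# Constructed holdings: one address known only to the feed, one covered by both,
# one known only to intelligence.
FEED = {
    "203.0.113.10": FeedRecord("203.0.113.10", 95, "NL"),
    "198.51.100.7": FeedRecord("198.51.100.7", 40, "BR"),
}
INTEL = {
    "203.0.113.10": IntelRecord("203.0.113.10", "Group-A (constructed)", "hacktivism",
                                ("finance", "energy"), 3, ("ddos-toolkit",), (),
                                ("203.0.113.11", "cmd.example.net")),
    "192.0.2.55": IntelRecord("192.0.2.55", "Group-B (constructed)", "espionage",
                              ("defense",), 5, ("loader-x",), ("CVE-XXXX-PLACEHOLDER",)),
}

# Constructed SIEM export, one key=value event per line.
SAMPLE_EVENTS = """\
id=1001 src=203.0.113.10 dst=web-01 crit=2
id=1002 src=198.51.100.7 dst=mail-02 crit=4
id=1003 src=192.0.2.55 dst=hr-db-01 crit=5
id=1004 src=10.0.0.8 dst=print-01 crit=1
"""


def parse_events(text: str) -> list[Event]:
    """Parse key=value SIEM lines into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append(Event(kv["id"], kv["src"], kv["dst"], int(kv["crit"])))
    return events


def score_event(event: Event, our_sector: str, pir_actors: set[str]) -> dict:
    """Score one event and decide an action; weights are assumptions."""
    feed = FEED.get(event.src_ip)
    intel = INTEL.get(event.src_ip)
    score = event.asset_criticality
    reasons = [f"asset criticality {event.asset_criticality}"]
    if feed:                                   # feed hit: small, context-free bump
        score += feed.ranking // 20
        reasons.append(f"feed ranking {feed.ranking}, last hop {feed.last_hop_geo}")
    if intel:                                  # intelligence hit: who, why, how capable
        score += intel.ability_to_execute
        reasons.append(f"{intel.actor_group} ({intel.motivation}), capability {intel.ability_to_execute}")
        if our_sector in intel.primary_targets:
            score += 3
            reasons.append(f"actor targets our sector ({our_sector})")
        if intel.actor_group in pir_actors:
            score += 4
            reasons.append("actor named in a priority intelligence requirement")
    # Only corroborated, contextual intelligence earns a block; a bare feed hit
    # is monitored or investigated, never blocked on its own.
    if intel and (our_sector in intel.primary_targets or intel.actor_group in pir_actors):
        action = "block"
    elif intel or (feed and feed.ranking >= 80):
        action = "investigate"
    elif feed:
        action = "monitor"
    else:
        action = "none"
    return {"event_id": event.event_id, "score": score, "action": action, "reasons": reasons}


def prioritize(text: str, our_sector: str, pir_actors: set[str]) -> list[dict]:
    """Return all events scored, highest priority first."""
    scored = [score_event(e, our_sector, pir_actors) for e in parse_events(text)]
    return sorted(scored, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in prioritize(SAMPLE_EVENTS, "finance", {"Group-A (constructed)"}):
        print(row["event_id"], row["score"], row["action"], "; ".join(row["reasons"]))
```

Run as a script it prints the analyst queue for a finance-sector defender whose PIRs name Group-A: the event from the address covered by both feed and intelligence ranks first and is blockable, the expert-capability espionage source ranks second for investigation even though it is absent from the feed, and the feed-only address is merely monitored. The design point is that the feed column of the slide (address, ranking, geo) can only raise or lower a number, while the intelligence column (targets, motivation, PIR membership) is what justifies a confident action.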
END TO END INTELLIGENCE PROCESS
W. Michael Susong, +1 214 886 7714
iSIGHT Partners: 200+ experts, 16 Countries, 24 Languages, 1 Mission