2016 issa conference threat intelligence keynote phila

Post on 18-Jan-2017

Category: Data & Analytics


TRANSCRIPT

State of the Art Threat Intelligence // philA

*Based on The Cyber Shafarat - Treadstone 71

2

We are in a confused state…

3

- Functions don’t follow standard intelligence tradecraft
- Programs support only a fraction of the intelligence needs
- Stakeholders hold unrealistic expectations

- Most programs are poorly conceived
- Follow inaccurate definitions of threat intelligence

- Focus on technology repeats the historical problems of infosec
- See, detect, and arrest paradigm

- Threat intelligence vendors are driving the market
- Communicate definitions supporting their offerings
- Propagate the fallacy that they solve numerous security problems

The State of Cyber Threat Intelligence

Source: Treadstone 71

4

Mistakes being made in threat intelligence

- Many reports aren’t written in analytic form or format
- Many don’t provide confidence levels
- Many don’t cite sources, provide reliability of sources, or provide credibility of the information

Many take these reports at face value

Source: Treadstone 71

5

Threat Intelligence

Cyber Threat Intelligence

6

What is Intelligence?

What is Risk?

Taxonomies

Definitions

7

The Intelligence Cycle is the process by which information is acquired, converted into intelligence, and made available to policymakers. 

Information is raw data from any source, data that may be fragmentary, contradictory, unreliable, ambiguous, deceptive, or wrong. 

Intelligence is information that has been collected, integrated, evaluated, analyzed, and interpreted. 

Finished intelligence is the final product of the Intelligence Cycle ready to be delivered to the policymaker.

(CIA World Fact Book, 2016) A1

Definitions

8

The three types of finished intelligence:

Basic intelligence provides the fundamental and factual reference material on a country or issue.

Current intelligence reports on new developments.

Estimative intelligence judges probable outcomes.

The three are mutually supportive: basic intelligence is the foundation on which the other two are constructed; current intelligence continually updates the inventory of knowledge; and estimative intelligence revises overall interpretations of country and issue prospects for guidance of basic and current intelligence. The World Factbook, The President's Daily Brief, and the National Intelligence Estimates are examples of the three types of finished intelligence.

(CIA World Fact Book, 2016) A1

9

What is Threat Intelligence?

Source: MWR InfoSecurity Model of Threat Intelligence

Based on consumption: strategic, operational, tactical, and technical. (InfoSecurity, 2015) B3

10

Problem… Exclusive Focus Threat Intelligence

Threat Intelligence is a subset of Intelligence

Lacks scope, depth, breadth, and is deficient in tradecraft

Basic

Foundational

Research

Competitive

Estimative

Warning

11

What is Tradecraft?

Spy Stuff…

Military Secretive

12

- Intelligence tradecraft rooted in CIA capabilities
- Honed over years of trial, error, mistakes, and triumphs

Sherman Kent
- Father of intelligence analysis
- Defined methods of intelligence analysis used today
- Analytic standards, doctrines, and practices need to be applied today within cyber threat intelligence functions. (Davis, 2007) A1

Richards J. Heuer Jr.
- 45-year CIA veteran
- Documented issues with critical thinking, cognitive bias, and structured analytic techniques used today

+ Both offer approaches directly applicable to information security efforts to create threat intelligence
+ Enable organizations to see beyond the limited view of the ‘see, detect, and arrest’ paradigm
+ Progress to data collection, analysis, and intelligence creation used to prevent and eventually predict adversary actions

Tradecraft is the underlying framework for intelligence upon which military and non-military programs should be built

Source: Treadstone 71

13

Infosec: Intelligence is a whole other discipline

14

Intelligence analysts endure rigor, structure, and focused training that specializes in the craft of intelligence analysis.

Core function of any intelligence organization: they learn how to think, write, and brief. They study analytic tools, counterintelligence issues, denial and deception, analysis, and warning skills. (Agency, 2007) A1

Source: Treadstone 71

15

Well-built intelligence programs are top-down as opposed to technically oriented from the bottom-up

Know:

16

Your adversaries are already inside your network and must be removed. Organizations need to do this for proper hygiene.

Know:

17

Recognize the latest focus on ‘hunt and detect’ is merely an enhancement to the failed attempts at event correlation in SIEMs. 

Know:

18

Log aggregation and then analysis of the content for tactics, techniques, and procedures is but an improved method of finding adversaries and malware already in your environment. This is not proactive. This is not preventive. It is necessary, but not new.

Know:

19

Intelligence is not the same as incident response or a core component of the security operations center.

Know:

20

Hire intelligence professionals and/or train those with the aptitude for intelligence skills.

Recommendation:

21

Build your intelligence program from the top-down.

Recommendation:

22

Develop goals and outcomes that you want out of your intelligence program.

Recommendation:

23

Treat each vendor report as nothing more than another source of data. Evaluate each for credibility, reliability, and relevance.

Consider using the NATO Admiralty Code, which helps organizations evaluate sources of data and the credibility of the information provided by those sources.

Evaluate each vendor report using this coding method while documenting ease of data extraction, relevance to your organizational issues, type of intelligence (strategic, operational, tactical, and technical), and value in solving your security problems.

Recommendation:
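The following is an added example, not material from the keynote or from Treadstone 71, showing one way to apply the Admiralty Code recommendation above in code. The letter scale (A–F, source reliability) and digit scale (1–6, information credibility) are the standard NATO definitions; everything else here is an assumption: the `VendorReport` fields, the point weights in `score()`, and the three sample reports, which are constructed and name no real vendor. It also records the extra criteria the slide asks for (ease of extraction, relevance, intelligence type, value) and flags the report-writing gaps from slide 4 (missing sources, missing confidence levels).

```python
"""Added example: grading vendor threat-intelligence reports with the NATO
Admiralty Code (source reliability A-F, information credibility 1-6) and
recording the other review criteria the talk recommends.  Weights, field
names and sample reports are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass

# Admiralty Code letter grades for the reliability of the source...
RELIABILITY = {
    "A": "completely reliable",
    "B": "usually reliable",
    "C": "fairly reliable",
    "D": "not usually reliable",
    "E": "unreliable",
    "F": "reliability cannot be judged",
}
# ...and digit grades for the credibility of the information itself.
CREDIBILITY = {
    "1": "confirmed by other sources",
    "2": "probably true",
    "3": "possibly true",
    "4": "doubtful",
    "5": "improbable",
    "6": "truth cannot be judged",
}
# The four consumption levels named on slide 9.
INTEL_TYPES = {"strategic", "operational", "tactical", "technical"}


def parse_rating(rating: str) -> tuple[str, str]:
    """Validate a two-character code such as 'B2' and return (letter, digit)."""
    code = rating.strip().upper()
    if len(code) != 2 or code[0] not in RELIABILITY or code[1] not in CREDIBILITY:
        raise ValueError(f"invalid Admiralty rating: {rating!r}")
    return code[0], code[1]


def describe_rating(rating: str) -> str:
    """Human-readable expansion, e.g. 'B2: usually reliable, probably true'."""
    letter, digit = parse_rating(rating)
    return f"{letter}{digit}: {RELIABILITY[letter]}, {CREDIBILITY[digit]}"


@dataclass
class VendorReport:          # hypothetical record kept per evaluated report
    vendor: str
    title: str
    rating: str              # Admiralty code your analyst assigns, e.g. "B2"
    intel_type: str          # strategic / operational / tactical / technical
    cites_sources: bool      # names its sources and grades their reliability?
    states_confidence: bool  # gives analytic confidence levels?
    extraction_ease: int     # 1 (manual copy-paste) .. 5 (machine-readable)
    relevance: int           # 1 (unrelated to our issues) .. 5 (directly relevant)
    value: int               # 1 (solved nothing) .. 5 (solved a real problem)


def tradecraft_gaps(report: VendorReport) -> list[str]:
    """Flag the report-writing mistakes listed on slide 4."""
    letter, digit = parse_rating(report.rating)
    gaps = []
    if not report.cites_sources:
        gaps.append("no cited sources or source reliability")
    if not report.states_confidence:
        gaps.append("no confidence levels")
    if letter == "F":
        gaps.append("source reliability cannot be judged (F)")
    if digit == "6":
        gaps.append("information credibility cannot be judged (6)")
    return gaps


def score(report: VendorReport) -> int:
    """Constructed weighting: the Admiralty grade dominates, demonstrated value
    counts double, and each missing tradecraft element costs three points."""
    letter, digit = parse_rating(report.rating)
    if report.intel_type not in INTEL_TYPES:
        raise ValueError(f"unknown intelligence type: {report.intel_type!r}")
    for name in ("extraction_ease", "relevance", "value"):
        if not 1 <= getattr(report, name) <= 5:
            raise ValueError(f"{name} must be between 1 and 5")
    # Map A..F to 5..0 and 1..6 to 5..0, so an unjudgeable grade adds nothing.
    reliability = 5 - "ABCDEF".index(letter)
    credibility = 5 - "123456".index(digit)
    total = 2 * (reliability + credibility)
    total += report.extraction_ease + report.relevance + 2 * report.value
    total -= 3 * (not report.cites_sources) + 3 * (not report.states_confidence)
    return total


def rank(reports: list[VendorReport]) -> list[tuple[str, int]]:
    """Vendors ordered best-first by score."""
    return sorted(((r.vendor, score(r)) for r in reports), key=lambda x: -x[1])


# Constructed sample reports: invented vendors, titles and ratings.
SAMPLE_REPORTS = [
    VendorReport("Vendor A", "Campaign report", "B2", "tactical", True, True, 4, 5, 4),
    VendorReport("Vendor B", "Annual trends", "F6", "strategic", False, False, 2, 3, 2),
    VendorReport("Vendor C", "Indicator feed", "C3", "technical", True, False, 5, 2, 3),
]

if __name__ == "__main__":
    for r in SAMPLE_REPORTS:
        print(f"{r.vendor:9} {describe_rating(r.rating):48} "
              f"score={score(r):3} gaps={tradecraft_gaps(r)}")
    print(rank(SAMPLE_REPORTS))
```

Run as-is it prints each sample report's expanded grade, score and tradecraft gaps, then the ranking (Vendor A 33, Vendor C 22, Vendor B 3). The point of the design is that an "F6" report, however polished, scores no better than an unread one until an analyst can corroborate it; the weights are the part you would tune to your own stakeholders' priorities.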

24

Find a balance between long-term analysis and short-term reporting.

Don’t get stuck in the reporting hamster wheel—gathering current data, serialized reporting, reporting rollups, and fighting daily issues.

Recommendation:

Self-Inflicted Punishment

Never have the time to analyze data based on historical collection—intelligence-type work.

25

Give intelligence functions direct access to organizational stakeholders.

Don’t bury the function in a SOC.

Recommendation:

26

Focus on the right People, the right Process, and then the right Technology.

Recommendation:

27

Know:

28

We live in a time where:
- Information is vulnerable.
- Everyone is being watched.
- Anyone can be compromised.

philA Society

Know:

29

To be forewarned is to be fore-armed

Information Sharing

- A nonprofit private sector initiative formed in 1999
- Designed/developed/owned by the financial services industry
- Mitigate cybercrime, hacktivist, and nation state activity
- Process thousands of threat indicators per month
- 2004: 68 members; 2015: 6000+ members
- Sharing information globally

Mission: Sharing Timely, Relevant, Actionable Cyber and Physical Security Information & Analysis

30

You can do this!
