How to Use Cyber Threat Intelligence in my Workflows?

Transcription

1 How to Use Cyber Threat Intelligence in my Workflows?

2 The Power of Global Cyber Threat Intelligence There is a great deal of power that comes along with knowing your adversary. By mapping his past activities and capabilities, understanding his current readiness and objectives, and anticipating his future ambitions, you obtain a position of dominance and can drastically reduce his chances of success. This fact is known the world over by organizations of all types. Whether it is a sports club conducting scouting on an upcoming opponent, a Fortune 500 company conducting competitive research, or a nation state monitoring capabilities of a foe, it is widely recognized that the best way to win is to know the opponent and the quickest way to lose is to walk forward in any engagement without that knowledge. Unfortunately, we ve seen the latter play out far too many times over the past decade in information security, where a lack of deep intelligence on our adversaries has resulted in countless breaches. Know Thy Enemy with Cyber Threat Intelligence Know They Enemy is the fundamental principle driving growth and adoption rates in the cyber threat intelligence (CTI) market and it is the fuel behind the intelligence-led security revolution that is taking place in the cyber security sector. As this transition occurs, and as you begin developing your own intelligence-led security practices, it is vitally important that you have the best understanding of the CTI market and a solid handle on how to integrate CTI into your workflows. We ve put together this brief to help you better understand how to integrate cyber threat intelligence into your processes. We ll touch on the best way to evaluate a partner in this space, walk through benefits your peers are enjoying, and explore how CTI can be used from the boardroom to the security operations center. In a companion brief from this series What is Cyber Threat Intelligence and Why Do I Need It? we take a deeper exploration into CTI. We ll touch on some of those concepts here but invite you to download that document by clicking here or visiting If you know your enemy and know yourself, you need not fear the result of a hundred battles. Sun Tzu The Art of War 2014 All rights reserved. isight Partners, Inc. 2

3 Evaluating a Cyber Threat Intelligence Partner Many vendors can provide raw information, but there are only a comparative few that provide true intelligence capabilities. Rob McMillan & Kelly Kavanagh Gartner Technology Overview for Security Threat Intelligence Service Providers As we explored in-depth in the first brief in this series, many definitions exist for cyber threat intelligence. Because it is an emerging and very promising space, security vendors are trying to carve out their lanes and capitalize on the buzz resulting in a lot of noise and stark differences between offerings. We won t go into the same level of depth in this brief, but we have included a summary of important points to consider in your discovery and evaluation process. Important Points to Consider Does your definition of CTI align with the definition held by the vendor? Answering this may be hard if you don t already have a definition of CTI formed in your mind. We like the Gartner definition and think it best captures what CTI should be. Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject s response to that menace or hazard. Can the vendor provide rich contextual information that includes an understanding of past, present and future tactics, techniques and procedures (TTPs) for a wide variety of adversaries? Can they provide the contextual linkage between technical indicators, the adversaries who are employing them and information about who is being targeted? Is the vendor offering raw information or processed Intelligence? When considering partners in this space, it is important to know that all CTI offerings are not created equal. In fact, many are not even intelligence offerings at all. The problem with technical intelligence is that it is essentially information without evaluation. Even though (its) role will increase and will supplement what is done by human means, it is the human factor that makes (intelligence) successful, not high-tech bells and whistles. Markus Wolf Head of East Germany s General Intelligence Administration What you will find is that most vendors are equating CTI with raw information data feeds of bad IP addresses or other unwashed threat indicators that are dumped into your environment for machine-to-machine consumption or for your security teams to sort out. These vendors are 2014 All rights reserved. isight Partners, Inc. 3

4 confusing information with intelligence. More raw information is not what your teams or your security technologies need they re already swimming in data. A data feed with a mountain of raw, unfiltered information will only exacerbate the alarm overload and false positives problem most security teams face today. Is the vendor truly in the CTI market or are they dabbling? You ve undoubtedly seen a lot of recent press announcements about vendors forming cyber threat intelligence teams. Again, the buzz is up in this space so this should come as no surprise. But are these vendors making CTI a core competency? Are they investing heavily into large, geographically dispersed teams to conduct research on a wide variety of global threat actors? Are they staffing up to create fusion centers where raw research is analyzed and turned into finished intelligence or investing deeply in the technology required to support the effort? Are they going to be around providing these solutions in the long run or are they using CTI as a check box hook to sell more products? Is the vendor more interested in your logs and information from your network than they are providing you with actionable intelligence from outside sources? Beware of the vendor that asks you for open access to your internal data with the promise of delivering back actionable intelligence. Don t get us wrong, a core part of CTI should include analysis of data you are collecting. However, this data alone doesn t provide you with full context of the risks you face from your adversaries it simply tells you what you already have happening on your network. Remember that CTI requires insight into past activities and capabilities, plus an understanding of your adversaries current readiness and objectives, and a reliable prediction of future ambitions. Be wary of vendors that tell you CTI is all about your data that is a rear view mirror look at the threat landscape. Chances are they re trying to build up their research libraries as opposed to delivering you instant value. Is the intelligence that the vendor provides actionable? Is it consumable, by your entire organization from the executive level to the security operations center (SOC)? We explored the issue of actionable-intelligence at great length in the first brief in this series. We believe that the 7 points outlined by Forrester are important criteria. Consider these factors when evaluating your potential partner. Actionable Intelligence is: Accurate Aligned with your intelligence requirements Integrated Predictive Relevant Tailored Timely Rick Holland Blog: Actionable Intelligence, Meet Terry Tate, Office Linebacker Published: 11 February All rights reserved. isight Partners, Inc. 4

5 When considering CTI partners, keep in mind CTI should be consumable at all levels of the organization. It is, after all, designed to help you better align your security program with the business. Does the vendor offer finished intelligence in multiple formats for example both human and machine consumable structures? Do they provide you with reporting geared towards different stakeholders in your organization? Can they map CTI to your workflows from the Boardroom to the SOC? If the vendor doesn t have multiple output options, they ll never be able to meet your requirements for multiple input options. Does the vendor provide you with access to the analysts conducing the research and analysis are they multiplying the strength of your team? When looking for a cyber threat intelligence solution you need to understand that you aren t buying technology so much as engaging with a long-term partner that extends the size of your team and strengthens your defenses or at least that should be the case. Make sure the vendors you are talking to provide open access to the analysts providing the finished intelligence because you will have questions and you will need a path for instant clarification. The time has come to invest resources into understanding and countering specific threats - a threat-centric approach will compliment the existing preoccupation with vulnerability and asset-centric security All rights reserved. isight Partners, Inc. 5

6 The Benefits of Cyber Threat Intelligence With more than 7 years at the forefront of the cyber threat intelligence market, isight Partners has a unique perspective on the benefits companies are deriving from its use. We re supporting leading organization across both government and private sectors, have seen a myriad of different use cases and received feedback on the value CTI provides from an array of stakeholders. Our clients have gravitated towards the use of cyber threat intelligence for a wide variety of reasons. Some that stand out are: Driving executive and board-level discussions about the risks their adversaries represent and appropriate risk management investments. Gaining a true understanding of varying adversarial motives and intents and prioritizing security policies and investments. Moving their organizations from event driven (reactive) to intelligence-led and risk driven (proactive) security models. Driving strategic board-level decisions by improving adversary visibility moving from a near-sighted position to one of 20/20 clarity. Extending the life and effectiveness of aging security infrastructure by feeding actionable, real-time threat intelligence into those systems. Reducing operational chaos and improving tactical response by fusing intelligence with security events All rights reserved. isight Partners, Inc. 6

7 How to Use Cyber Threat Intelligence in Your Workflows From the Boardroom to the Security Operations Center When correctly implemented in your organization, cyber threat intelligence is a game changer not only for the men and women in the security operations center trenches, but for the business as a whole. Our clients are using cyber threat intelligence to revolutionize and reinvigorate the relationship between security and the business changing their operating models from reactive to proactive and risk based. Our cyber threat intelligence helps clients prioritize better and drive rapid response to the threats that matter. It helps them get ahead of the curve on threats that are over the horizon by driving the right investments supporting risk-based security decisions that map to the needs of the business. isight Partners premium intelligence supports a range of business units within client organizations including: Chief Information Security Officer (Improved Board of Directors and Business Executive Communications): At isight, we provide intelligence in formats geared towards different stakeholders. We provide executive summaries written in layman s language with reporting on adversaries, vulnerabilities and exploitation, and security trends geared specifically towards business leaders. These intelligence reports help CISOs communicate to the rest of the business providing tools to highlight the need for action and when required even debunk hype in the industry. Our intelligence includes a daily news analysis service that our clients often share with senior leadership taking stories that appear in major news outlets and trade publications and applying our analysis. This gets CISOs out in front of the questions they are likely to receive and saves them, and their overtaxed teams, research time that can be better used for protecting the organization. To secure ourselves against defeat lies in our own hands, but the opportunity of defeating the enemy is provided by the enemy himself. Sun Tzu The Art of War Global Risk and Compliance (Patch Management Process Improvement): We help GRC teams streamline patch management processes. Using our vulnerability and exploitation data, clients are able to better prioritize which vulnerabilities to patch and on what time schedule. Many vulnerability feed vendors and even the National Vulnerability Database rank the vast majority of new vulnerabilities at high or critical. But if everything is important then nothing is. Our vulnerability rankings are derived from two key factors. First, how easy is the vulnerability to 2014 All rights reserved. isight Partners, Inc. 7

8 exploit? Second, do adversaries have or are they developing tools to actively exploit the vulnerability. From a GRC perspective we help organizations patch critical vulnerabilities when they are truly critical and otherwise prioritize and patch according to a non-emergency schedule. Network Operations (Improving Effectiveness of Attack Surface Protection Systems): Cyber threat intelligence plays a key role in making existing security tools better. Many legacy security protection tools are blind to today s threats. Further, even when tools can be configured to automatically block based off of data in raw threat feeds, network operations often does not turn this feature on for fear that they will block the wrong things and adversely impact the business. We enable tools like firewalls and malware gateways to automatically block based on our highly validated technical indicators. Since we take care in validating our threat intelligence instead of just sending out raw lists of bad IP addresses or bad domains we don t generate additional false positive events. We enable organizations that are otherwise reticent to turn on automatic blocking, to block with confidence. The result is fewer incidents and an extension of the useful life of existing security protection tools. Security Operations Centers (Enhanced Situational Awareness and Event Prioritization): We enable SOC teams to prioritize which events are most important by delivering more power to security information and event management (SIEM) systems. The various security protection systems (firewalls, gateways, host protection, etc.) generate thousands of events each day that are typically integrated into a SIEM tool. But organizations typically only have the incident response resources to investigate a few handfuls of events. So which ones should they look at? Our SIEM integration enables organizations to apply cyber threat intelligence to significantly improve event prioritization. With our intelligence integrated into a SIEM system, the SOC analyst sees context around the alarm (our threat intelligence can show the who, what, why, targets, etc. behind the attack). Further, the SIEM tool can apply rules to automate the prioritization process for example raising the priority of an event that was created by malware used by an adversary that is targeting the client s market segment, or geography. Security Incident Response Team (Enhanced Incident Response and Executive Communication): We help incident responders understand who is targeting their organization and enable improved communications across the business. By linking the indicator that exposed the incident in the first place with an adversary or campaign, the SIRT team is able to search for other indications of a breach. Adversaries often leverage multiple methods to attack a target and isight Partners historical database links technical indicators with adversaries and campaigns. The SIRT team can use this database to hunt for additional breaches. We also help SIRT teams understand actor motivation so that they can communicate incidents in ways the business will understand. With traditional security and data analytics tools, it is impossible for an incident response analyst to understand the who, what, why, how of an attack/incident All rights reserved. isight Partners, Inc. 8

9 Using our intelligence, the incident response analyst can understand and communicate these important details to the management team. We help change the discussion from we were hit with malware variant x to An actor group from Eastern Europe is targeting us, and others in our sector, and actively trying to steal personally identifiable information (PII). They can use this PII to take out credit cards in our customer s names. Forensics Teams (Find Everything and Improve Communications): We help clients determine incident attribution and make sure they find and fix everything. Figuring out who is attacking you is impossible without adversary focused intelligence. Further, if you don t know who attacked you or what else they may have used against you in the past, you or your third-party forensic team many not find and fix everything. Clients leverage isight s cyber threat intelligence in their forensic investigations and fuse our intelligence with their forensics investigation tools. They understand who the attacker was, better communicate impact with executives, and use our historic databases to see if there are other indicators that the actor typically employs present in the network All rights reserved. isight Partners, Inc. 9

10 The isight Partners Difference Like cloud computing or big data, cyber threat intelligence risks becoming a watered-down phrase employed by vendors in an attempt to sell more stuff, just as its purpose and value becomes most clear. That is why we ve put together this series of primers on cyber threat intelligence to help you set the bar for what to expect from a partner in this space and get a better handle on how to use CTI in your environment. As we ve explored, there is a significant difference between cyber threat information and cyber threat intelligence. As Gartner highlights, there is a scarcity of vendors offering true Intelligence. When looking to vendors in this space, consider the Gartner definition carefully and evaluate potential partners against it. Also keep in mind the need for actionable intelligence highlighted by Forrester Research. If you keep these requirements in mind, you ll find that isight Partners is unique in the market. Having delivered intelligence globally for more than seven years to clients across government and the private sector we pride ourselves on delivering against the criteria we ve discussed in this paper. At isight, we ve invested heavily in building and refining our threat intelligence capability over nearly a decade. We have unmatched experience and reach over 200 experts around the globe with deep historical perspectives in cyber intelligence gathering, analysis and dissemination. We have combined this experience with a well-oiled process and technology platform based on a formal intelligence lifecycle. The result is that we help our clients see the big picture as it relates to the threats they face and we provide the depth and context that drives better decisions. We fuse technology and human intelligence. We are leading the way in cyber threat intelligence providing a bridge between security and the business and supporting some of the most sophisticated government and private organizations in the world. We are also helping others who are starting their journey towards building intelligence-led security programs. Turning Information into Intelligence requires deep technological capabilities and human expertise the type that only isight has developed throughout these years. For more information contact us at isightpartners.com info@isightpartners.com All rights reserved. isight Partners, Inc. 10