Incorporating Cyber Threat Intelligence into Security Assessment Programs

Size: px

Start display at page:

Download "Incorporating Cyber Threat Intelligence into Security Assessment Programs"

Madison Joy McDowell
10 years ago
Views:

1 Incorporating Cyber Threat Intelligence into Security Assessment Programs

2 Security Assessment Team SATBLUE Identifying Vulnerabilities SATRed Simulating Threats Identifying what works and what needs working on with respect to preventing, detecting, and responding to cyber threats

3 Tumble, Twiddle, Spin & Roll the Black Hat Tumble Terminology: what s in a word? Twiddle Threats: vulnerable, moi? Spin CTI: how to use your intelligence? Roll Reports: show em the light! Doggy Bag - Um, I ll take those thoughts to go, please.

4 Tumble the Black Hat

5 Tumbling the Black Hat I don t think that word means what you think it means. The Buzzwords? RED: Simulating Threats Red Teaming, Pentesting Black Box, Grey Box, White Box, Purple Box, Pink Box Florescent Box (80s) Tie-dye Box (70s) Tandem Pentest Blind Pentest, Double-Blind Crystal Box Pentesting Ethical Hacking BLUE: Finding Vulnerabilities Blue Teaming Security Assessment Vulnerability Assessment Security Scan Security Testing What works. What needs working on.

(80s) Tie-dye Box (70s) Tandem Pentest Blind Pentest, Double-Blind Crystal Box Pentesting Ethical Hacking BLUE:

6 Tumbling the Black Hat I don t think that word means what you think it means. Builders Vs Breakers Beyond the Security Auditor s Perspective System boundaries - well-defined, political, arbitrary Threats just look for vulnerabilities and exploit them Identify failures scripted, criteria open to interpretation Threats just look for vulnerabilities and exploit them Technical generalists they scan, heavily restricted Threats are diverse and they just look for vulnerabilities and exploit them Fancy graphs, bucket lists, detailed matrices about your state of risk Threats found vulnerabilities and exploited them

vulnerabilities and exploit them Identify failures scripted, criteria open to interpretation Threats just look for vulnerabilities and exploit them

7 Twiddle the Black Hat

8 Twiddling the Black Hat Vulnerable, moi? Cyber Threat Intelligence Get to know the bad guys and gals Who are the threats? What are their motivations? What are their objectives? What tools & techniques do they use?

9 Twiddling the Black Hat Vulnerable, moi? Use your CTI collection Kung Fu to Get to know yourself 1 The big picture Business risks: financial, regulator, market Hacking at the speed of light 2 Technology & mission What is on your networks? A vulnerability, isn t a vulnerability, isn t a vulnerability

Business risks: financial, regulator, market Hacking at the speed of light

10 Spin the Black Hat

11 Spin the Black Hat Using your cyber threat intelligence Approaching Blue/Red Team Security Assessments From a threats perspective Priorities/Objectives Scope Duration Frequency Driven by what matters, Effective use of resources Driven by the threat perspective Not politics, personalities, or auditors Take the time it takes to do good work No scans, one day pentest Continuous blue/red assessments Once a year is not good enough

of resources Driven by the threat perspective Not politics, personalities, or auditors Take the time it

12 Spin the Black Hat Using your cyber threat intelligence Approaching Blue/Red Team Security Assessments From a threats perspective Test Points Information Rules of Engagement People Blue Everything / Red - Threats Use your access, be comprehensive Blue Everything / Red - Everything No politics, personalities, or p p auditors Realistic, use creativity Not too constraining to be useful Teams of security professionals Security professionals are not one size fits all

access, be comprehensive Blue Everything / Red - Everything No politics, personalities, or p p auditors Realistic,

13 Roll the Black Hat

14 Roll the Black Hat Show em the light! A Few Ideas The REPORT is EVERYTHING Don t just hack around for the fun of it. It s irresponsible. Blue Team Reports Real world examples Language your customers understand Provide context impact to mission Red Team Reports It is not about you! Details - what did not work? Why? Identify real problems, provide real solutions Don t forget DETECTION and INCIDENT RESPONSE

Blue Team Reports Real world examples Language your customers understand Provide context impact to

15 Roll the Black Hat Show em the light! A Few Ideas The Many Ways to Disseminate Information Use your intelligence, use your results, and use your creativity Road show Tailored presentations techies, security, management Demo TTPs hacker series

your intelligence, use your results, and use your creativity

16 The Doggy Bag

17 The Doggy Bag Some thoughts to take home 1. Assess from a threat perspective - Builders vs. Breakers 2. Continuously discover what works, does not work, and what needs working on 3. Assess prevention, detection, and response all three! 4. Understand the threats, understand your business, and provide real solutions to real problems 5. Influence vs. dictate change 6. Free your people let them be creative

Assess prevention, detection, and response all three! 4.

18 The End

VULNERABILITY MANAGEMENT AND RESEARCH PENETRATION TESTING OVERVIEW

VULNERABILITY MANAGEMENT AND RESEARCH PENETRATION TESTING OVERVIEW Len Kleinman Director ATO Trusted Access Australian Taxation Office Session ID: DAS-W01 Session Classification: General Interest What