A Primer on Cyber Threat Intelligence
AS ADVERTISED

BUZZWORD BINGO!
TODAY'S CYBER SECURITY CHALLENGES
- CISOs finding it difficult to define security ROI to executives
- Short shelf life for CISOs
- Vastly expanding attack surface area: mobile, cloud, virtualization, global business operations
- Large protection investments and no good prioritization filter (who, why, when, how)
- Operational chaos: too many alarms, not enough people, poor prioritization
- Brain-dead security tools that rely on past events/signatures, versus extremely agile adversaries
- Severe breaches continue
GLOBAL CYBER THREAT LANDSCAPE
- Active and global: transcends geographies and sectors
- Multiple motivations: cyber crime, espionage, hacktivism, destruction, etc.
- Low entry barriers: actors use what works, not necessarily sophisticated methods; an open marketplace provides capabilities
- Structured and vibrant ecosystem: provides better tools and infrastructure, shares ideas and methods, pools resources
MY INTELLIGENCE PHILOSOPHY
- Good intelligence allows decision makers to act more boldly
- The decision maker's time is valuable: match his priorities, command his attention
- Only deliver actionable information: no history lessons, no news reports
- The quality of the analysis is directly proportional to the quality of the question asked
- Good analysts are respected but not always popular
- No software can replace the analyst
- Intelligence is an art, not a science
- Less is more
- Everyone and everything is a potential information source
- Disperse the team, embed the resources, build a network across the silos
- Any system that does not sustain itself is not a system
- New does not mean better; old does not mean better
- Intelligence can be cheap, fast, accurate: pick any two
- The buck stops with me; the team gets the credit
FORMAL RESEARCH PROCESS YIELDS RICH, CONTEXTUAL THREAT INTELLIGENCE
Cycle: Intelligence Requirements -> Collection -> Analysis -> Dissemination -> Feedback & Clarification
1. Intelligence requirements requested from the client; further requirements created based on clients, sectors and adversaries
2. Requirements prioritized by analysts, matched to current holdings, then passed to research teams
3. Collection planning and tasking of global teams
4. Requirements collected by unique global teams and returned to the Fusion Center
5. Processing and exploitation to standardize multiple information sources, ready for analysis
6. Analysis of information and production of reporting for clients
7. Fully fused, corroborated, cross-referenced and edited multi-source intelligence reporting disseminated to clients
8. Client feedback and refinement of the intelligence product
ACTIONABLE INTELLIGENCE OBJECTIVES
- Executives (Strategic): provide understanding of identified and credible threats, correlated to business impact
- Managers & Analysts (Operational): enable formulation of approaches to dealing with threats and prioritization of team activity
- Security Operators (Tactical): provide understanding of how to mitigate threats and enable tools to do the heavy lifting
CYBER TACTICAL INTELLIGENCE
Threat Data Feed: bad IP address, ranking, last hop, geo location
Cyber Threat Intelligence: the same bad IP address, plus actor group, motivation, primary targets, ability to execute, additional IPs and domains, malware used, lures, vulnerabilities targeted, historic campaigns, successful compromises
WHAT ARE INTELLIGENCE REQUIREMENTS?
Strategic questions
- What keeps the C-suite up at night? What news stories or business events seem to be their hot buttons?
- Will the Qassam Cyber Fighters (QCF) target us?
Operational questions
- What does a targeted DDoS attack look like? How do we shape our defenses and responses?
- What are the technical capabilities of the QCF?
- What are the Tactics, Techniques and Procedures (campaign) of the QCF?
Tactical questions
- Which one of these 100 events should I examine first?
- What are attributable IOCs of the QCF?
These questions are divided into answerable parts, e.g. "What is the pattern of who is attacked by QCF?" and "How does a QCF campaign unfold, step by step?" The result is a set of Priority Intelligence Requirements (PIR) and Other Intelligence Requirements (OIR), which:
- drive the collection management plan
- identify intelligence gaps
- create the needs statement and business case for new security services or products
EXAMPLE INTELLIGENCE DELIVERABLES
- Media Counterpoint: daily
- Threat Intelligence Briefing: daily or weekly
- Threat Intelligence Report: monthly
- Threat Intelligence Warning: as required
- Threat Intelligence Alert: as required
- Threat Scenarios: quarterly
- Sensor Enrichment: as required
- Threat Metrics: weekly
- Intelligence Support (Digital Brand Protection, Incident Response, Fraud, Attack Surface Management, Physical Security): as required
THREAT MATRIX
Vertical axis, Threat Actor Focus: Enterprise General -> Business sector / Industry -> Company X
Horizontal axis, Threat Actor Capability: Novice -> Apprentice -> Competent -> Skilled -> Expert
Example threats plotted on the matrix: a hacktivist campaign and IP theft
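The tactical slides above contrast a bare threat data feed (bad IP, ranking, geo) with intelligence that adds actor, motivation, capability and focus, and ask "which one of these 100 events should I examine first?" The added Python below (example code written for this page, not the deck's or iSIGHT's) answers that by scoring feed events against the threat matrix axes; the actor names, IP indicators and feed ranks are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Threat-matrix axes from the deck; list position is the rank (higher = worse).
CAPABILITY = ["Novice", "Apprentice", "Competent", "Skilled", "Expert"]
FOCUS = ["Enterprise General", "Business sector / Industry", "Company X"]

# Constructed intelligence holdings (hypothetical actors, documentation-range IPs).
# This is the context a threat data feed cannot supply: who, why, how capable, how focused.
HOLDINGS = {
    "203.0.113.7": {"actor": "HYPOTHETICAL-HACKTIVIST", "motivation": "Hacktivism",
                    "capability": "Competent", "focus": "Business sector / Industry"},
    "198.51.100.23": {"actor": "HYPOTHETICAL-ESPIONAGE", "motivation": "IP theft",
                      "capability": "Expert", "focus": "Company X"},
}

@dataclass(frozen=True)
class FeedEvent:
    """What a threat data feed delivers: a bad IP, its ranking and its last hop / geo."""
    ip: str
    feed_rank: int   # 0-100 reputation score assigned by the feed
    geo: str

def priority(event: FeedEvent) -> float:
    """Matrix score = capability rank x focus rank (1..15) when holdings know the
    indicator; otherwise the feed's own rank scaled to 0..1, so an unattributed
    'high-ranked' IP never outranks an indicator tied to a known actor."""
    ctx = HOLDINGS.get(event.ip)
    if ctx is None:
        return event.feed_rank / 100
    return (CAPABILITY.index(ctx["capability"]) + 1) * (FOCUS.index(ctx["focus"]) + 1)

def actor_for(event: FeedEvent) -> Optional[str]:
    ctx = HOLDINGS.get(event.ip)
    return ctx["actor"] if ctx else None

def triage(events):
    """Return (ip, score, actor-or-None) tuples, highest priority first."""
    ranked = sorted(events, key=priority, reverse=True)
    return [(e.ip, priority(e), actor_for(e)) for e in ranked]

# Constructed sample: the highest feed_rank has no actor context and should drop to last.
SAMPLE_EVENTS = [
    FeedEvent("192.0.2.44", 97, "last hop: unknown"),
    FeedEvent("203.0.113.7", 60, "last hop: EU"),
    FeedEvent("198.51.100.23", 35, "last hop: APAC"),
]

if __name__ == "__main__":
    for ip, s, actor in triage(SAMPLE_EVENTS):
        print(f"{ip:16} score={s:<5} actor={actor}")
```

The matched Expert / Company X indicator lands first despite the lowest feed rank, which is the deck's point about intelligence over raw feeds.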
ACTIONABLE THREAT INTELLIGENCE: FUNCTIONAL & TECHNICAL INTEGRATION
- Intelligence / Governance, Risk, Compliance. Activity: patch management. Value: prioritize the most critical patches
- Surface Protections. Activity: ingress/egress blocking. Value: enhance protection, block with confidence
- SIEM. Activity: event prioritization. Value: shrink the problem, improve decisions
- Incident Response / Security Analytics. Activity: analyze incidents (who, why) and hunt for issues. Value: brief executives on who attacked and why
- Forensics / Investigations. Activity: remediation and attribution. Value: did we find everything?
END TO END INTELLIGENCE PROCESS
iSIGHT Partners: 200+ experts, 16 countries, 24 languages, 1 mission
W. Michael Susong
+1 214 886 7714
msusong@isightpartners.com