Threat Intelligence & Analytics
Cyber Threat Intelligence and how to best understand the adversary's operations
September 2015

Copyright 2015 Deloitte Development LLC. All rights reserved.

This presentation contains general information only and Deloitte is not, by means of this presentation, rendering accounting, business, financial, investment, legal, tax, or other professional advice or services. This presentation is not a substitute for such professional advice or services, nor should it be used as a basis for any decision or action that may affect your business. Before making any decision or taking any action that may affect your business, you should consult a qualified professional advisor. Deloitte shall not be responsible for any loss sustained by any person who relies on this presentation.
Point of View on Threat Intelligence
What is Threat Intelligence?

Evidence-based knowledge about an existing or emerging threat that is timely, accurate, relevant, and predictive. Intelligence should drive all security operations and enable informed business decisions about mitigating risk.
Why do we need Threat Intelligence?

The adversary does not abide by the same legal, ethical, and moral norms that we do as defenders. Threat intelligence is the defensive weapon that allows defenders to gain a more coherent understanding of the adversary's operational objectives.

Cybersecurity Incidents Are Not Just IT Problems
- Incidents can become serious business crises that can affect an organization's broader mission.
- Making decisions with an understanding of the threat landscape has become a top priority for executives and the boardroom.
- The complexity of a company's eco-system, including suppliers and partners, makes it increasingly difficult to recover following a disaster.
- Accurate and timely intelligence is critical in making time-sensitive decisions to recover essential functions.
- Products alone are not enough to secure a company.

176M: number of compromised records in Jan-Mar 2014*
$201: average cost per compromised record**

A serious security incident is a question of "when," not "if," for most enterprises. This reality makes developing an extensive threat knowledge base a critical concern for any business. Threat Intelligence can enable you to avert some incidents and to be prepared to understand the attacks that are successful.

* https://www.riskbasedsecurity.com/reports/2014-1qdatabreachquickview.pdf
** 2014 Ponemon Institute Research Report
This is not Threat Intelligence
Any organization wishing to leverage the full breadth of an intelligence program will incorporate the full spectrum of the intelligence cycle:

Direction -> Collection -> Processing -> Analysis -> Production -> Dissemination -> Feedback (which informs the next round of Direction)
Threat intelligence should be designed to combat the advanced threat actor's three primary activities: intelligence gathering, access operations, and offensive capabilities

Advanced threat actors conduct three types of operations:
- Intelligence Gathering
- Access Operations
- Offensive Capabilities

Leveraging intelligence to disrupt threat actors requires:
- Timeliness: Was the intelligence received in a timely manner that allowed the decision maker to preempt the threat?
- Accuracy: Was the intelligence accurate? Did it concisely describe the problem and help the decision maker achieve understanding?
- Relevancy: Was the threat intelligence relevant to the decision maker's area of responsibility and specific concerns?
- Predictability: Did the intelligence provide an element of predictability? Does it enable the decision maker to make risk-based decisions about the future?

Intended outcomes of a good threat intelligence program
1. Threat Forecasting: the ability to make intelligence-driven decisions that reduce future risk to operations
2. Becoming a Hard Target: proactive intelligence activities deter threat actors and steer them towards softer targets
3. Communal Strengthening: intelligence makes not only the organization more resilient, but also increases the resiliency of organizational partners
4. Increased Confidence: intelligence activities increase the confidence of employees, stakeholders, and customers
If the threat actor acquires sufficient intelligence, access, and offensive capabilities, then they will achieve success; the threat actor therefore prioritizes these activities

Cyber Threat Actors: Nation-State Orgs, Cyber Criminals, Hacktivists, Competitors, Terrorists, Independent (Insider)

- Intelligence Gathering: Data Collection, Surveillance, Reconnaissance, Targeting (Human, Signals, Open Source; Passive, Active; Route, Zone, Human; Deliberate, Dynamic; Physical, Human, Digital, Economic)
- Access Operations: Supply Chain, Physical Infrastructure, Physical Security, Social Engineering, Insider Access, Coercion, Internal Network, External Network, 3rd Party Infrastructure, Acquisition, Development, Non-Validation
- Offensive Capabilities: Espionage, Denial, Theft, Human Predation, Brand Damage, Sabotage
Intelligence professionals must leverage a wide breadth of sources in order to develop a more complete picture of the threat environment

Open Source Intelligence (popular search engines, news archives, vendor sites)
- Popular news article sources categorized in tiers based on confidentiality and reliability.
- Using customized search queries to derive specific intelligence information on a daily basis.
- Using custom-developed parser scripts to crawl web pages and extract specific information.

Country-Specific Searches
- Tracking daily updates on popular search engines from specific countries or regions: Middle East, Europe, Asia Pacific, Latin America, etc.
- Following advisories and alerts from country-specific Computer Emergency Response Team (CERT) websites.
- Following politically motivated developments that indirectly provoke cyber warfare.

Deep Web and Anonymity Networks
- Underground forums actively involved in discussions on the sale of exploits, malware, and credit/debit card data.
- Extending research over anonymity networks such as Tor to track hacking forums, hackers-for-hire service websites, doxes, etc. that are not indexed by search engines and are inaccessible over the shallow/surface web.

Others
- Deloitte Cyber Threat Management Portal
- Following suspicious communications over publicly visible IRC channels.
- Social networking websites such as Twitter, Facebook, and others.
- Following proprietary CTI sources from government sites, CERT teams, etc.
- Law enforcement relationships and cooperation.
Engaging the Adversary through the Use of Intelligence
A threat intelligence program should be inherently designed to preemptively and proactively counter threat actor activities

Threat Intelligence Capabilities: Counter-Surveillance, Preemptive Targeting Assessment, Analysis Against TTPs, Cyber Hunt Capability, Indicators of Compromise, Malware Reversing, Misinformation Campaign, Analysis Against Threat Actor Intel, Threat Landscape Assessment, Credential Monitoring, Analysis Against Exploits, Threat Actor Engagement

Threat Actor Operations (the stages these capabilities are mapped against):
- Stage 1: Intelligence (Data Collection, Surveillance, Recon, Targeting; Physical, Human, Digital, Economic)
- Stage 2: Access
- Stage 3: Offensive Capability (Espionage, Theft, Brand Damage, Denial, Human Predation, Sabotage)
Threat Actor Attribution

Conducting attribution against threat actors raises the risk profile for conducting illegal activities online.

Threat Actor Operations
- People: type of group (criminal, hacktivist, nation-state, etc.); motive (profit, reprisal, ideology, political); membership (fluid, exclusive, vetting, etc.)
- Tools & Infrastructure: Botnet Infrastructure, Malware, Exploits, Anonymizing Software, Underground Forums, Restricted Channels (IRC)
- Malicious Activities: Social Engineering Campaign, Distributed Denial of Service, Identity Theft, Intellectual Property Theft, Financial Fraud, Account Takeover, Brand Degradation

Attribution Activities
- Human Intelligence Operations: Forum Presence, Relationship Building, Human Network Analysis, Source Operations, Persona Maintenance
- Technical Attribution: Analysis of Malicious Code, Watermarking, Hash Based IP Traceback, Honeypots, NetFlow Analytics
- Contextual Link Analysis: Service Provider, Cost Summary, Geopolitical, Cultural References, Motive, Current Events, Social
Black Market Disruption

Black Market & Malicious Activities: Credit Card Information, PII for Sale, DDoS as a Service, Ransomware, Social Engineering Attacks, Exploit Developers

Disruption Methodologies
- Observation: We possess the technical and procedural capabilities to keep a strong pulse on black market activities.
- Obfuscation: We possess the capability to confuse the black market process by introducing irrelevant content.
- Reporting: When we observe illegal activity, we immediately report the activity to the appropriate authorities.
- Identification: We can identify botnet controllers and other C2 nodes from where malicious activity originates.
- Redirection: We introduce information into the system that makes it more likely that criminals move in other directions.

Intended outcomes of a Black Market Disruption program
1. Disincentivize the Criminal
2. Protect the Client's Critical Information and Information Systems
3. Deter Malicious Activity
4. Increase Consumer Confidence
Campaign Tracking

To combat threat actors and understand their campaigns, security-minded professionals must conduct intelligence-driven operations against a constant stream of information laced with hidden threats.

Threat Intelligence Team: Security Operations & Intelligence Personnel

Four Operational Pillars of Campaign Tracking
- Intelligence Operations: The ability to conduct engagement operations against cyber threat actors in austere environments. The ability to conduct active defense.
- Cyber Analytics: The deployment of a capability to consume large amounts of data and portray it in a visually consumable manner. Disparate, unstructured threat intelligence data sources are consumed and analyzed, including non-standard data capture.
- Hunt Capability: Leveraging people, processes, and technology to hunt for indications of malicious activity across applications, systems, and environments. Leveraging hunt professionals capable of conducting network forensics based on captured data.
- Cyber Reconnaissance: Conducting operations in underground forums, open sources, and human intelligence sources to collect information. Persistently collecting intelligence data in order to process it for future analysis.

Desired Outcomes: Threat Actor Tracking, Internal Network Surveillance, Industry Confidence, A Secure Cyber Environment
Building and Sustaining a Threat Intelligence Program
Business value of an advanced Cyber Threat Intelligence program

An advanced program that has been designed to protect your business against the threats specific to your organization and industry will allow you to:

Protect value and brand, not compliance
- Align your cyber threat program to your business risks
- Protect what matters most from advanced threats
- Realize greater value and risk mitigation on dollars invested
- Demonstrate compliance via superior protection, not checklists and spreadsheets

Disrupt attacks as they happen
- Leverage internal and external intelligence to identify threats in real time
- Leverage automation to speed analysis
- Generate analytics that provide transparency into the real state of security
- Disrupt campaigns before they turn into a breach

Clean up quickly and adapt for the next round
- Reduce the timeframe to and cost of recovery
- Reduce disruption to the business
- Improve your security posture, adapting tactics and techniques in an agile fashion
- Prevent similar attacks in the future

Mitigate the threat
- Automate control updates and forensic response
- Reduce investigation timeframes
- Contain the threat more quickly
- Limit exposure and loss
From raw data to actionable intelligence

External intelligence and internal intelligence (raw data) -> Normalization -> Enrichment -> Integration -> Actionable intelligence

Actionable intelligence feeds: security control updates, authentication decisions, risk assessment intelligence, technology investment, intel vendor selection, and HR decisions.

A forward-looking cyber intelligence capability
1. Conducting emerging threat research
2. Establishing teaming to share intelligence
3. Understanding the IT environment attack surface across the organization
4. Establishing live, dynamic intelligence feeds
5. Implementing a holistic approach to cyber threat identification
6. Actively tracking cyber threat actors
7. Performing daily emerging threat reviews
8. Maintaining awareness of the changing technology and business environment
9. Identifying and remediating vulnerabilities pertaining to operating systems, networks, processes, and applications
10. Deploying and maintaining signature- and behavior-based controls
11. Identifying indicators of compromise and comparing them against historical network patterns
12. Producing metrics and trending data for multiple key threat indicators
13. Continuously improving automation capabilities
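The normalization, enrichment and integration steps above, as an added example that is not part of the Deloitte deck: two constructed feed schemas are merged into one indicator table, enriched with constructed egress log lines and asset criticality, and turned into a prioritized block-list update, with feed confidence as the accuracy gate and internal sightings as the relevance test. All feed records, log lines, hosts and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed external feeds in two different schemas (documentation-range IPs, reserved TLD).
FEED_A = [{"indicator": "203.0.113.7", "type": "ipv4", "confidence": 80},
          {"indicator": "EVIL-EXAMPLE.TEST", "type": "domain", "confidence": 60}]
FEED_B = [{"value": "203.0.113.7", "kind": "ip", "score": 0.9},
          {"value": "198.51.100.20", "kind": "ip", "score": 0.3}]
# Constructed internal context: asset criticality drives relevance.
ASSET_CRITICALITY = {"10.0.0.5": "high", "10.0.0.9": "low"}
# Constructed historical egress log lines (the "internal intelligence").
LOGS = ["2015-09-01T10:00:00Z src=10.0.0.5 dst=203.0.113.7 action=allow",
        "2015-09-01T10:05:00Z src=10.0.0.9 dst=198.51.100.20 action=allow",
        "2015-09-02T11:00:00Z src=10.0.0.5 dst=203.0.113.7 action=allow"]
LOG_RE = re.compile(r"src=(\S+) dst=(\S+)")

def normalize(feed_a, feed_b):
    """Normalization: both schemas -> {value: {type, confidence 0-100, sources}}, de-duplicated."""
    rows = [(r["indicator"], "ip" if r["type"] == "ipv4" else r["type"], r["confidence"]) for r in feed_a]
    rows += [(r["value"], r["kind"], int(r["score"] * 100)) for r in feed_b]
    merged = {}
    for value, itype, conf in rows:
        rec = merged.setdefault(value.lower(), {"type": itype, "confidence": 0, "sources": 0})
        rec["confidence"] = max(rec["confidence"], conf)  # keep the strongest assessment
        rec["sources"] += 1                               # corroboration across feeds
    return merged

def enrich(indicators, logs):
    """Enrichment: attach internal sightings (which hosts contacted each indicator, how often)."""
    for rec in indicators.values():
        rec["sightings"] = Counter()
    for line in logs:
        m = LOG_RE.search(line)
        if m and m.group(2).lower() in indicators:
            indicators[m.group(2).lower()]["sightings"][m.group(1)] += 1
    return indicators

def integrate(indicators, criticality, min_conf=50):
    """Integration: prioritized control update (block list) from enriched indicators."""
    actions = []
    for value, rec in indicators.items():
        if rec["confidence"] < min_conf:
            continue  # accuracy gate: low-confidence indicators are not pushed to controls
        hosts = rec["sightings"]
        crit = any(criticality.get(h) == "high" for h in hosts)
        # watch = accurate but not yet seen here; block-now = seen from a critical asset
        priority = "watch" if not hosts else ("block-now" if crit else "block")
        actions.append((priority, value, rec["sources"], sum(hosts.values())))
    return sorted(actions)
```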
The best threat intelligence programs will leverage cross-industry experience, organization-specific tailored analysis, and subject matter expertise

Threat intelligence activities should allow clients to access customized services and knowledge beyond a typical vendor. Paired with industry experience and diversified subject matter expertise, analysts should work closely with security operations personnel to identify gaps and needs.

Intelligence and Analytics

Cross-Industry Experience
- History of experience providing cybersecurity services to large and small institutions
- Success in assisting law enforcement organizations with confidential takedowns
- Dedicated teams that specialize in cyber risk research and data science

Tailored Analysis
Analysts should deliver timely, accurate, relevant, and predictive intelligence reports to help their organizations detect threats, discern their impact, and decide on the necessary mitigation actions.
- Regular Briefings
- Tailored Intel Reports
- Custom Threat Research & Analysis
- Dedicated Analyst

Subject Matter Expertise
- Proficiency in Multiple Languages
- Intelligence Community Experience
- Military Veterans
- Commercial Intel Experts
- Computer Programmers
- Malware Experts
- Vulnerability Researchers
- Attribution Specialists
Threat Intelligence Functions

Organizations must invest in and evolve their own threat intelligence programs in order to defend themselves against advanced threat actors.

Business goals (from least to most mature): Compliance Driven -> Operational Excellence -> Operational Cyber Risk Mitigation -> Predictive Cyber Risk Mitigation

Operational maturity levels named on the slide: Absent, Ad Hoc, Basic, Foundational program, Continuous Monitoring

Threat intelligence functions, from least to most mature:
- Reporting Blind
- Foundational AV, Logging, Patching; Periodic Audits
- Add atomic indicator feeds to SIEM
- 24x7x365 Monitoring & Incident Response
- Hunting, Threat Modeling, Red-Teaming, Insider Threats
- Integrate external strategic & tactical intelligence
- Generate organization-specific threat intelligence
Questions?
About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee ("DTTL"), its network of member firms, and their related entities. DTTL and each of its member firms are legally separate and independent entities. DTTL (also referred to as "Deloitte Global") does not provide services to clients. Please see www.deloitte.com/about for a detailed description of DTTL and its member firms. Please see www.deloitte.com/us/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.

Member of Deloitte Touche Tohmatsu Limited