Threat Intelligence: Friend of the Enterprise




Transcription:

SECURELY ENABLING BUSINESS
Threat Intelligence: Friend of the Enterprise
Danny Pickens, Principal Intelligence Analyst, MSS, FishNet Security

DANNY PICKENS
Principal Intelligence Analyst, FishNet Security

Expertise:
- Military & Counterterrorism Intelligence
- Business & Competitive Intelligence
- Intrusion Detection
- Incident Handling & Management
- Cyber Threat Analysis

Background:
- United States Marine Corps & Army Reserve
- Federal Contractor (supporting Department of Defense and other organizations)
- Department of Agriculture Security Operations Center
- FishNet Security

WANT ME SOME INTELLIGENCE

"Our collective ignorance of intelligence has undermined not only our intelligence capabilities, but ultimately the policy makers and citizens served."
~ Henry A. Crumpton, The Art of Intelligence: Lessons from a Life in the CIA's Clandestine Service

"[Many] just think you can buy intelligence or download intelligence and don't realize they need to develop intelligence."
~ Scott Roberts, Director of Bad Guy Catching, GitHub

INTELLIGENCE: DEFINED
Intelligence is the result of the collection, analysis and timely dissemination of intelligence information concerning threats and vulnerabilities to an organization.

Why Intelligence?
- Provides localized threat identification.
- Assists in remediation and countermeasures for critical infrastructure.
- Improves the overall security posture for the organization.

INTELLIGENCE: DOMAINS - COLD WAR

Targets of Intelligence Efforts
  Perpetrators:                Former Soviet Union and its allies; Soviet government seen as source of inimical activity
  Weapons:                     Strategic and conventional forces
  Potential Targets of Attack: Counterforce and countervalue targets in the U.S. and the territories of its allies
Focus:                         Large-scale military action

INTELLIGENCE: DOMAINS - COUNTERTERRORISM

Targets of Intelligence Efforts
  Perpetrators:                Individuals, small cells and networks, and state sponsors; increasingly anonymous
  Weapons:                     Light arms to large-scale weaponry and potentially weapons of mass destruction
  Potential Targets of Attack: Vast number of highly symbolic, relatively soft targets
Focus:                         Individual incidents and trends

INTELLIGENCE: DOMAINS - CYBER

Targets of Intelligence Efforts
  Perpetrators:                Individuals, cells and networks, and states with information warfare capabilities; anonymous, only have technical signatures
  Weapons:                     Cyberweapons or conventional weapons against critical information and communication nodes
  Potential Targets of Attack: Range from individual websites to national critical infrastructure
Focus:                         Individual incidents, trends and patterns in attacks and vulnerabilities that can be exploited

INTELLIGENCE: DISCIPLINES
HUMINT   Intelligence information derived from human sources.
SIGINT   Collected from various communications mediums.
GEOINT   Geospatial intelligence concerning terrain.
IMINT    Intelligence derived from satellite imagery or aerial reconnaissance.
OSINT    Intelligence data collected via publicly available resources.
TECHINT  Technical information collected from internal technologies and platforms.

INTELLIGENCE CYCLE: REPEATABLE
Requirement: Gaps in knowledge surrounding a threat or vulnerability.
Collection: Research conducted against the requirement.
Analysis & Production: The process of fusing raw data and information into a finished product. Analytical methodologies are used to visualize and validate hypotheses and conclusions.
Dissemination & Integration: Distribution of the finished product to Operations in a timely fashion.
(Cycle diagram: Requirement -> Collection -> Analysis & Production -> Dissemination & Integration -> back to Requirement)

REQUIREMENTS (Intelligence Cycle)
Good IRs are structured based on the following criteria:
- Necessity: Is it necessary to answer this question?
- Feasibility: Can we feasibly collect this information?
- Timeliness: Is the intelligence requirement timely?
- Specificity: Is the requirement specific enough?
(Diagram: Primary Intelligence Requirements; Intelligence Requirements; Requests for Information)

COLLECTION (Intelligence Cycle)
Areas to consider:
- Actual collection of data
- Collections management
Collection process: obtain the information needed to answer the requirement.
- Internal (logs and events from network appliances)
- External (commercial or open source intelligence)
Collection sources should be: trustworthy, reliable.
Indicator types collected: IP addresses; URLs / domains; network / host artifacts; tools; file data / hashes; TTPs.

ANALYSIS & PRODUCTION (Intelligence Cycle)
Intelligence Analysis:
- Examines and evaluates raw data and information.
- Determines if it is applicable to the organization or environment.
- Produces products and assessments for implementation.
The Intelligence Analyst Role:
- Identify and retrieve pertinent information within the collection management system.
- Correlate information against additional sources.
- Research while utilizing personal knowledge and expertise.
- Produce an assessment or finished product.
- Critical thinkers and Subject Matter Experts (SME) in their field.
- Draw conclusions based on differing sources of information and extract the appropriate information without bias.
Analytical approaches: Link Analysis, Timeline Analysis, Trend Analysis.

ANALYSIS (Intelligence Cycle)
[Chart: event count (y-axis 0-25) by hour of day (x-axis 0:00-23:00), one series per event type: Account Locked; Brute Force; Cncrnt Auth From Multi Cities; Cncrnt Auth Multi Regions; Detected Malware Activity; Detected Virus Activity; Failed Virus Activity; FNS APT 1 Rule; FNS Shun List; General Antivirus Warning; Group Created; Multi Unique Attcks Against ihost; Recon followed by Attack; Temp Accnt Created, Used, Deleted; User Account Created]

ANALYSIS (Intelligence Cycle)
Country             Count   %
Korea               356     65.80%
China               67      12.38%
United States       48      8.87%
Germany             11      2.03%
Taiwan              7       1.29%
Brazil              6       1.11%
Japan               6       1.11%
India               5       0.92%
Russian Federation  5       0.92%
France              4       0.74%
Canada              3       0.55%
Ukraine             3       0.55%
United Kingdom      3       0.55%
Australia           2       0.37%

ANALYSIS (Intelligence Cycle)
Event                               Count   %
FNS APT1 Rule                       349     64.63%
Accnt Attck:Brt Force Single ohost  102     18.89%
FNS Shun List                       62      11.48%
Detected Trojan Activity            17      3.15%
User Logon Failure                  4       0.74%
Recon Followed By Attck             2       0.37%
VPN Session Started                 2       0.37%
Policy Modified : Firewall/ACL      1       0.19%
User Logon                          1       0.19%
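The count tables and the hourly chart above are what the trend-analysis step produces. As an added example (not code from the slides), this Python script builds the same Count / % tables and the per-hour series behind a trend chart from a constructed handful of SIEM events, so the numbers can be reproduced from raw event data rather than read off a slide.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample events, not data from the slides: (timestamp, source country, rule that fired)
EVENTS = [
    ("2015-03-02T01:15:00", "Korea", "FNS APT1 Rule"),
    ("2015-03-02T01:20:00", "Korea", "FNS APT1 Rule"),
    ("2015-03-02T02:05:00", "China", "FNS APT1 Rule"),
    ("2015-03-02T02:40:00", "Korea", "Accnt Attck:Brt Force Single ohost"),
    ("2015-03-02T09:00:00", "United States", "FNS Shun List"),
    ("2015-03-02T09:30:00", "United States", "Detected Trojan Activity"),
    ("2015-03-02T13:10:00", "Germany", "Accnt Attck:Brt Force Single ohost"),
    ("2015-03-02T21:45:00", "Korea", "FNS APT1 Rule"),
]
FIELDS = {"country": 1, "event": 2}  # column index of each field in an event tuple

def tally(events, field):
    """Count events by one field; returns [(value, count, percent)] sorted like the slide tables."""
    counts = Counter(e[FIELDS[field]] for e in events)
    total = sum(counts.values())
    return [(v, c, round(100.0 * c / total, 2)) for v, c in counts.most_common()]

def hourly_trend(events):
    """Bucket events per rule by hour of day (0-23): the data behind the slide's trend chart."""
    trend = defaultdict(lambda: [0] * 24)
    for ts, _, rule in events:
        trend[rule][datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").hour] += 1
    return dict(trend)

def peak_hour(events, rule):
    """Hour in which a rule fired most often, for spotting a recurring activity window."""
    series = hourly_trend(events).get(rule, [0] * 24)
    return max(range(24), key=lambda h: series[h])

def print_table(rows, label):
    """Render a tally in the Count / % layout used on the slides."""
    print(f"{label:<36} {'Count':>5} {'%':>7}")
    for value, count, pct in rows:
        print(f"{value:<36} {count:>5} {pct:>6.2f}%")

if __name__ == "__main__":
    print_table(tally(EVENTS, "country"), "Country")
    print_table(tally(EVENTS, "event"), "Event")
    print("FNS APT1 Rule peak hour:", peak_hour(EVENTS, "FNS APT1 Rule"))
```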

DISSEMINATION & INTEGRATION (Intelligence Cycle)
Key Sections for a Finished Product:
- Executive Summary: Bottom Line Up Front (B.L.U.F.)
- Main Body: Key Points, Technical Analysis, Rules to Apply
- Conclusion: Recommendations, Assessments
The best thing an intelligence analyst can provide to his customer is a finished product which is actionable and timely.

SCOPING LEVELS OF EFFORT
STRATEGIC (Intelligence Informs Policy)
- IPB / Overall Threat Assessments
- Risk Assessments
- Categorizing Threats & Threat Groups
OPERATIONAL (Intelligence Drives Operations)
- Current & Emerging Threat Research
- Trend & Historical Analysis
- Preventative Analysis
TACTICAL (Intelligence Leads Response)
- Case / Incident Investigation
- Damage Assessment
- Attribution

EFFECTIVE INTELLIGENCE
Open lines of communication both with and to the enterprise. Channels of communication should be opened up to:
- Executive staff
- Internal IT staff
- User base
- External sources
Allows for greater collection of information and data, more in-depth analysis and trusted dissemination.
(Diagram: Intelligence linked to Senior Management, IT Staff, Users and External parties)
Intelligence must be tasked to meet operational needs, and equally, it is essential that operations implement the output of intelligence.

SHARING
Uptick in intelligence sharing frameworks over the past couple of years, from Mandiant's OpenIOC to MITRE's offerings of CybOX, STIX and TAXII. Organizations should be involved and have a willingness to share collected intelligence data with not only the industry, but with parties seen as competitors.
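To make the sharing step concrete, an added example (not code from the slides or from MITRE): a stdlib-only producer that wraps atomic IOCs of the types listed on the Collection slide as STIX 2.1 Indicator objects inside a Bundle, and a consumer that checks the shape of a received bundle before anything is loaded into detection tooling. Field names follow the STIX 2.1 specification; the IOC values are constructed from documentation ranges and reserved names.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 pattern templates for the atomic indicator types listed on the Collection slide.
PATTERNS = {
    "ip": "[ipv4-addr:value = '{}']",
    "domain": "[domain-name:value = '{}']",
    "url": "[url:value = '{}']",
    "sha256": "[file:hashes.'SHA-256' = '{}']",
}

def stix_now():
    """STIX 2.1 timestamp: UTC, millisecond precision, 'Z' suffix."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"

def make_indicator(kind, value, name):
    """Build one STIX 2.1 Indicator object for a single atomic IOC."""
    value = value.replace("\\", "\\\\").replace("'", "\\'")  # escape per the STIX pattern grammar
    ts = stix_now()
    return {"type": "indicator", "spec_version": "2.1",
            "id": "indicator--" + str(uuid.uuid4()),
            "created": ts, "modified": ts, "valid_from": ts, "name": name,
            "indicator_types": ["malicious-activity"],
            "pattern": PATTERNS[kind].format(value), "pattern_type": "stix"}

def make_bundle(indicators):
    """Wrap indicators in a STIX Bundle, the unit a TAXII server hands out."""
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()), "objects": indicators}

# Consuming side: check the shape of what a sharing partner sent before loading it into detection tooling.
ID_RE = re.compile(r"^indicator--[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$")
PATTERN_RE = re.compile(r"^\[(ipv4-addr|domain-name|url|file):[\w.'-]+ = '[^']*'\]$")

def extract_indicators(bundle_json):
    """Parse a received bundle; returns (accepted patterns, ids of rejected objects)."""
    accepted, rejected = [], []
    for obj in json.loads(bundle_json).get("objects", []):
        ok = (obj.get("type") == "indicator" and obj.get("spec_version") == "2.1"
              and ID_RE.match(obj.get("id", "")) and obj.get("pattern_type") == "stix"
              and PATTERN_RE.match(obj.get("pattern", "")))
        (accepted if ok else rejected).append(obj["pattern"] if ok else obj.get("id", "<no id>"))
    return accepted, rejected
# Constructed sample using a documentation-range IP and a reserved example domain, not real IOCs.
SAMPLE_BUNDLE = json.dumps(make_bundle([
    make_indicator("ip", "203.0.113.5", "Constructed C2 address"),
    make_indicator("domain", "c2.example", "Constructed C2 domain"),
]), indent=2)
```

Run it and print SAMPLE_BUNDLE to see the JSON a partner would receive; extract_indicators(SAMPLE_BUNDLE) returns the two patterns and an empty rejection list.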

THE TAKE AWAY
- Invest in the proper PEOPLE and TOOLS.
- Encourage internal development (DEVOPS).
- Allow for open COMMUNICATION channels.
- Don't shy away from SHARING.
- Make it OPERATIONAL.

THANK YOU
Danny Pickens, Principal Intelligence Analyst - MSS, FishNet Security
Danny.Pickens@fishnetsecurity.com
Global Threat Intel Center (GTIC), Managed Security Services, FishNet Security
GTIC@fishnetsecurity.com
fishnetsecurity.com/6labs