CYBER THREAT INTEL: A STATE OF MIND - Chapters Site · 2016-11-10

Internal Audit, Risk, Business & Technology Consulting

CYBER THREAT INTEL: A STATE OF MIND

WHO ARE WE?

Randy Armknecht, CISSP, EnCE

Protiviti

Director - IT Consulting

randy.armknecht@protiviti.com

Albin Ahmetspahic

Protiviti

Manager – IT Consulting

albin.ahmetspahic@protiviti.com

WHAT IS CYBER THREAT INTELLIGENCE

CYBER THREAT INTELLIGENCE: A DEFINITION

"Evidence-based knowledge — including context, mechanisms, indicators, implications and actionable advice — about an existing or emerging menace or hazard to IT or information assets and can be used to inform decisions regarding response to that menace or hazard."

-- Gartner

LET’S THINK ABOUT THAT…

• Context: DATA WITHOUT CONTEXT IS JUST DATA. INTELLIGENCE REQUIRES CONTEXT.

• Mechanism: WHAT ARE THE THREAT MECHANICS?

• Indicators: HOW WILL WE KNOW THE THREAT HAS BEEN REALIZED?

• Implications: IF THE THREAT IS REALIZED, WHAT DOES IT MEAN FOR US?

• Actionable Advice: IF THE THREAT IS REALIZED, WHAT ARE THE ACTIONS NECESSARY TO MINIMIZE THE IMPACT?

DOES YOUR CYBER THREAT INTELLIGENCE PROGRAM GENERATE OUTPUT THAT CONTAINS…

• CONTEXT
• MECHANISMS
• INDICATORS
• IMPLICATIONS
• ACTIONABLE ADVICE

…AND IS THAT OUTPUT REPEATABLE AND CONSISTENT?

IF YOU SAID “YES”: CONGRATULATIONS!

CURRENT STATE

Source: http://www.infosecurity-magazine.com/news/firms-value-threat-intel-but-fail/

Survey findings shown on the slide:
• don’t look at the threat intel or reports received
• don’t use the data for decision making
• don’t have necessary staff skills

Chart values, in slide order: 49%, 43%, 69%

SO IF YOU’RE LIKE EVERYBODY ELSE…

WHERE CAN WE OBTAIN “INTELLIGENCE”?

BUT ARE WE BUYING INTELLIGENCE OR JUST DATA?

• CONTEXT
• MECHANISMS
• INDICATORS
• IMPLICATIONS
• ACTIONABLE ADVICE

SO WHAT SHOULD WE DO?

CYBER THREAT INTELLIGENCE IS A STATE OF MIND

• Take the data from the vendors
• Augment it with your own internal data
• Mix them thoroughly in the minds of your analysts
• Use the results to impart change in the environment

Effective intelligence is the result of a process.

THE CYBER THREAT INTELLIGENCE LIFECYCLE

The cycle is driven by the CCIR at its centre:

• Step 1: Planning & Direction
• Step 2: Collection
• Step 3: Processing & Exploitation
• Step 4: Analysis & Production
• Step 5: Dissemination & Integration
• Step 6: Evaluation & Feedback

CCIR – COMMANDER’S (CISO) CRITICAL INFORMATION REQUIREMENTS

“Information requirement identified by the commander as being critical to facilitating timely decision making”

-- Joint Publication 1-02

CCIR → PIR

THE CYBER THREAT INTELLIGENCE LIFECYCLE: STEP BY STEP

Planning & Direction
• Determine intelligence requirements
• Develop a CTI team
• Create a collection plan
• Generate requests for information

Collection
• Collect data to satisfy intelligence requirements using all-source collection:
  − Critical Applications
  − Network Infrastructure
  − Security Infrastructure

Processing & Exploitation
• Interpret raw data
• Convert interpreted data into a usable format (information) for analysis

Analysis & Production
• Fuse information from Step 3
• Provide facts, findings, and forecasts
• Analysis should be:
  − Objective
  − Timely
  − Accurate
  − Actionable
• Use Confidence Method

Dissemination & Integration
• Deliver the finished product to intelligence consumers at various levels:
  − Strategic (CISO)
  − Operational (APT)
  − Tactical (TTP)
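The lifecycle steps above (normalising vendor data into a usable format, fusing it with internal data, attaching a confidence assessment, and delivering a product that carries context, mechanism, indicators, implications and actionable advice to strategic, operational and tactical consumers) can be walked end to end in a short script. The Python below is an added example written for this page, not code from the presentation or from Protiviti. The two vendor feeds, the internal log lines, the hostnames and the IP addresses are all constructed, and the three-level confidence method (confirmed / probable / possible) is an illustrative one, since the slides call for a confidence method without defining it.

```python
"""Vendor data -> intelligence product: an added illustration of the CTI lifecycle.
Everything here (feeds, hosts, IPs, log lines, the confidence method) is constructed."""
import csv
import io
import re
from dataclasses import dataclass, field

# Step 2, Collection: two constructed vendor feeds in different raw formats.
VENDOR_FEED_CSV = """\
indicator,type,mechanism,confidence
203.0.113.7,ip,credential-stuffing login attempts,high
bad-updates.example,domain,malware download host,medium
198.51.100.23,ip,credential-stuffing login attempts,low
"""
VENDOR_FEED_TEXT = """\
# constructed second feed, free-text format
ip: 203.0.113.7 tags=brute-force
domain: other.example tags=phishing
"""
# Internal data (constructed): authentication and proxy log lines.
INTERNAL_LOGS = [
    "2016-11-10T09:01:12Z auth src=203.0.113.7 user=alice result=FAIL",
    "2016-11-10T09:01:13Z auth src=203.0.113.7 user=alice result=FAIL",
    "2016-11-10T09:01:14Z auth src=203.0.113.7 user=alice result=SUCCESS",
    "2016-11-10T10:15:00Z proxy src=10.0.0.5 dst=cdn.example result=ALLOW",
]


@dataclass
class Indicator:
    value: str
    kind: str
    mechanisms: set = field(default_factory=set)
    sources: int = 0          # how many vendor feeds reported it


@dataclass
class Product:
    indicator: str
    context: str
    mechanism: str
    implications: str
    actionable_advice: str
    confidence: str
    sightings: int


def process_feeds(csv_feed, text_feed):
    """Step 3, Processing & Exploitation: normalise two raw formats into one
    indicator table keyed by indicator value."""
    table = {}
    for row in csv.DictReader(io.StringIO(csv_feed)):
        ind = table.setdefault(row["indicator"], Indicator(row["indicator"], row["type"]))
        ind.mechanisms.add(row["mechanism"])
        ind.sources += 1
    line_re = re.compile(r"^(ip|domain):\s*(\S+)\s+tags=(\S+)$")
    for line in text_feed.splitlines():
        m = line_re.match(line.strip())
        if not m:
            continue                      # comments and blank lines
        kind, value, tags = m.groups()
        ind = table.setdefault(value, Indicator(value, kind))
        ind.mechanisms.update(tags.split(","))
        ind.sources += 1
    return table


def confidence_level(ind, sightings):
    """Constructed confidence method: corroboration by internal data outranks a
    second vendor report, which outranks a single uncorroborated report."""
    if sightings:
        return "confirmed"
    if ind.sources >= 2:
        return "probable"
    return "possible"


_KV = re.compile(r"(\w+)=(\S+)")


def analyze(table, logs):
    """Step 4, Analysis & Production: fuse vendor indicators with internal logs and
    turn each match into context, implications and advice."""
    events = [dict(_KV.findall(line)) for line in logs]
    products = []
    for ind in table.values():
        hits = [e for e in events if ind.value in (e.get("src"), e.get("dst"))]
        users = sorted({e["user"] for e in hits if e.get("result") == "SUCCESS" and "user" in e})
        if users:
            implications = ("successful login from a reported source for account(s) "
                            + ", ".join(users) + "; treat as suspected compromise")
            advice = ("reset credentials for " + ", ".join(users)
                      + ", review their sessions, and block " + ind.value)
        elif hits:
            implications = "reported source has contacted us; no success observed"
            advice = "block " + ind.value + " and alert on any further contact"
        else:
            implications = "no internal activity observed; exposure unconfirmed"
            advice = "add " + ind.value + " to the watchlist; no blocking action yet"
        products.append(Product(
            indicator=ind.value,
            context=f"{ind.sources} vendor source(s), {len(hits)} internal sighting(s)",
            mechanism="; ".join(sorted(ind.mechanisms)),
            implications=implications,
            actionable_advice=advice,
            confidence=confidence_level(ind, len(hits)),
            sightings=len(hits),
        ))
    order = ("confirmed", "probable", "possible")
    return sorted(products, key=lambda p: order.index(p.confidence))


def disseminate(products, level):
    """Step 5, Dissemination & Integration: the same analysis, tailored per consumer."""
    if level == "tactical":          # SOC: indicators plus what to do with them
        lines = [f"{p.indicator} [{p.confidence}] {p.actionable_advice}" for p in products]
    elif level == "operational":     # incident leads: mechanism and implications
        lines = [f"{p.indicator}: {p.mechanism} -> {p.implications}" for p in products]
    elif level == "strategic":       # CISO: one-line posture summary
        confirmed = sum(p.confidence == "confirmed" for p in products)
        lines = [f"{len(products)} indicators assessed, {confirmed} confirmed by internal data"]
    else:
        raise ValueError(f"unknown consumer level: {level}")
    return "\n".join(lines)


if __name__ == "__main__":
    table = process_feeds(VENDOR_FEED_CSV, VENDOR_FEED_TEXT)
    products = analyze(table, INTERNAL_LOGS)
    for level in ("strategic", "operational", "tactical"):
        print(f"== {level} ==\n{disseminate(products, level)}\n")
```

Run directly, the script prints three reports from one analysis. Two points worth noticing: an indicator only reaches "confirmed" once internal data corroborates it, which is the data-versus-intelligence distinction the deck draws, and the tactical report is the only one that lists indicators with blocking advice, while the strategic report collapses everything into a single posture line for the CISO.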

WHAT DOES IT LOOK LIKE IN AN ORGANIZATION?

COMMON INFORMATION SECURITY ORGANIZATION STRUCTURE

CISO
• Governance
• Compliance
• Security Engineering
• Security Operations Center (SOC)
• Vulnerability Management
• CTI

ANALYST ROLES & RESPONSIBILITIES

Collection
• Threat Feeds, Alerts
• IOCs
• Incident Reporting

Processing & Exploitation
• Indexing Raw Data
• Sorting Raw Data
• Organizing Raw Data

Analysis & Production
• Integrating, Evaluating Information
• Analyzing Information
• Assessing Courses of Action

Dissemination & Integration
• Strategic Consumers
• Operational Consumers
• Tactical Consumers

AN EXAMPLE…

TOP DOWN, DEFINE THE MISSION

Mission and Security Mapping Definition:
• Risk Analysis and Assessment
• Business Processes and Data
• Existing Architecture and Infrastructure
• Threat Definition and Threat Intelligence

[Diagram labels: Critical Applications, Network Infrastructure, Security Infrastructure (collect intel, net flows); functions shown: Filtering, Correlation, Analytics, Analysis, Reporting, Prevention, and Response; Monitoring, Triage, Analysis, Escalation, Prevention, Counter, and Response]

APPLYING THE INTELLIGENCE CYCLE TO CTI

Managed Device Layer (Security Devices, Software, Services, and Processes):
• Routers, Endpoint Devices, DMZ, FW
• Organic Infrastructure, Internal Resources
• Network Storage Servers, OS / Hypervisors, Applications, Databases, Middleware

Intel Collection Layer:
• Syslog / Eventlog / WMI / Logfile / SNMP / SMTP / SQL / API / Custom
• Log Collectors, Event Collectors, Net Flows, Security Processes
• Threat Intel: CTI Vendors, OSINT, Govt sources, Common Groups
• Media and Web: Social Media, News, Dark Web

Analytical Layer / Correlation Layer:
• Correlation engine, filtering and analysis
• Operations, Security, and User Behavior Analytics
• Workflow automation
• Config and Problem Management
• Security process intel
• AV, IDS/IPS, DLP, Content Security, Data & DB Security, App Security, FIM, FW …

Presentation Layer:
• Reports for Security Management, IT Operations, Compliance, Business

WHAT DID WE LEARN?

WHAT WE’VE LEARNED

Data != Intelligence

CYBER THREAT INTELLIGENCE: A STATE OF MIND

© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.