Cyber Threat Intelligence
Debbie Janeczek
May 24, 2017
AGENDA
▪ Today’s Cybersecurity Challenges
▪ What is Threat Intelligence?
▪ Data, Information, Intelligence
▪ Strategic, Operational and Tactical Threat Intelligence
▪ Intelligence Lifecycle
▪ Importance of Defined Requirements
▪ Information Sharing
TODAY’S CYBERSECURITY CHALLENGES
• Vastly expanding attack surface area: mobile, cloud, virtualization, global business operations.
• Large protection investments and no good prioritization filter: who, why, when, how?
• Operational chaos: too many alarms, not enough people, poor prioritization.
• Legacy security tools that rely on past events/signatures vs. extremely agile adversaries.
Severe breaches continue…
GLOBAL CYBER THREAT LANDSCAPE
• Active & Global
  • Transcends geographies and sectors
  • Multiple motivations: cyber crime, espionage, hacktivism, destruction, etc.
• Low Entry Barriers
  • Actors use what works; not necessarily sophisticated methods
  • Open marketplace providing capabilities
• Structured & Vibrant
  • Ecosystem providing better tools, infrastructure, sharing ideas and methods, pooling resources
THREAT INTELLIGENCE
“You keep using (that term), I do not think it means what you think it means…”
WHAT IS THREAT INTELLIGENCE?
▪ Information that can aid decisions, with the aim of preventing an attack or decreasing the time taken to discover an attack. Intelligence can also be information that, instead of aiding specific decisions, helps to illuminate the risk landscape.
▪ Most organizations do not have enough information about the threats they face or about their own security posture to properly defend themselves.
▪ The idea is to provide the ability to recognize and act upon indicators of attack and compromise scenarios in a timely manner.
▪ A set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities, and compromise indicators.
Source: Joint Publication 2-0
LEVELS OF INTELLIGENCE
• Strategic questions
  • What keeps the C-suite up at night?
  • What has the possibility to threaten our global business interests and impact our customers?
  • Who will target your organization?
• Operational questions
  • How do we shape our defenses and responses?
  • What are the Tactics, Techniques and Procedures (campaign) of the threat actor?
• Tactical questions
  • Which one of these 100 events should I examine first?
  • What are the attributable IOCs of the attack?
• These questions are divided into answerable parts
  • What is the pattern of who is attacked by the threat actor?
  • How does a campaign unfold, step by step?
• Intelligence Requirements and Priority Intelligence Requirements
  • Drive the collection management plan
  • Identify intelligence gaps
  • Create the needs statement and business case for new security services or products
INTELLIGENCE LIFECYCLE
The Intelligence Lifecycle is the underlying backbone of the CTI program, driving requirements, collection efforts, and the development of intelligence products. Its phases:
• Planning and Direction
• Collection
• Processing and Exploitation
• Analysis and Production
• Dissemination
INTELLIGENCE REQUIREMENTS
▪ Intelligence Requirements (IRs) are long-term, broadly defined categories that collectively set the scope of the team’s efforts and responsibilities. They persist for several years. If a request does not pertain to an existing IR, then it is outside the team’s scope.
▪ Priority Intelligence Requirements (PIRs) are more specific requests, reviewed every six months, that revolve around a particular topic.
▪ Developing IRs and PIRs enables the CTI team to manage vendor feeds so that only relevant intelligence is collected.
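To make the IR/PIR mechanics concrete, here is an added Python example (not from the presentation): it scopes requests against IRs, flags PIRs past their six-month review, filters a vendor feed down to indicators that serve a current PIR, and uses PIR priority to answer the tactical question "which of these events should I examine first?". All IRs, PIRs, indicators and events are constructed sample values.

```python
from dataclasses import dataclass
from datetime import date, timedelta
# Constructed sample requirements (not from the deck). IRs are broad, multi-year
# categories; each PIR is a specific question under one IR, reviewed every six months.
IRS = {"IR-1": "Threats to customer payment data", "IR-2": "Threats to our cloud infrastructure"}

@dataclass
class PIR:
    pid: str
    ir: str           # parent IR; a question with no parent IR is out of scope
    question: str
    priority: int     # 1 = highest
    last_review: date

PIRS = [
    PIR("PIR-1", "IR-1", "Which actors target POS systems in our sector?", 1, date(2016, 10, 1)),
    PIR("PIR-2", "IR-2", "Which phishing campaigns hit cloud admin accounts?", 2, date(2017, 3, 1)),
]
def in_scope(request_ir: str) -> bool:
    """A request is in the team's scope only if it maps to an existing IR."""
    return request_ir in IRS

def pirs_due_for_review(today_iso: str, interval_days: int = 182) -> list:
    """PIRs whose six-month review window has elapsed as of the given date."""
    today = date.fromisoformat(today_iso)
    return [p.pid for p in PIRS if today - p.last_review >= timedelta(days=interval_days)]

# Constructed vendor feed; each indicator records which PIR it was collected for.
FEED = [
    {"ioc": "203.0.113.7", "pir": "PIR-1"},
    {"ioc": "login-verify.example.net", "pir": "PIR-2"},
    {"ioc": "198.51.100.20", "pir": None},  # serves no PIR: not collected
]

def relevant_feed() -> list:
    """Collection management: keep only indicators that serve a current PIR."""
    return [i for i in FEED if i["pir"] in {p.pid for p in PIRS}]

def triage(events: list) -> list:
    """Tactical question: rank events so that matches on indicators tied to the
    highest-priority PIR come first; events matching no indicator sort last."""
    prio = {p.pid: p.priority for p in PIRS}
    by_ioc = {i["ioc"]: prio[i["pir"]] for i in relevant_feed()}
    return [eid for _, eid in sorted((by_ioc.get(e["indicator"], 99), e["id"]) for e in events)]
EVENTS = [  # constructed alerts as a SIEM might emit them
    {"id": "evt-1", "indicator": "198.51.100.20"},
    {"id": "evt-2", "indicator": "login-verify.example.net"},
    {"id": "evt-3", "indicator": "203.0.113.7"},
]
```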
INFORMATION SHARING EXAMPLE
WHY THREAT INTELLIGENCE?
• Good intelligence allows decision makers to act more boldly
• The decision maker’s time is valuable. Match his priorities; command his attention
• Only deliver actionable information: no history lessons, no news reports
• The quality of the analysis is directly proportional to the quality of the question asked
• No software can replace the analyst
• Intelligence is an art, not a science
• Less is more
• Everyone & everything is a potential information source
• Disperse the team, embed the resources, build a network across the silos
• Any system that does not sustain itself is not a system
• New does not mean better; old does not mean better
• Intelligence can be cheap, fast, accurate. Pick any two
• The buck stops with me; the team gets the credit