Threat Intelligence-Driven Security
Building Successful Threat Intelligence Programs
Allan Thomson, LookingGlass CTO, June 2017
© 2017 LookingGlass™. All Rights Reserved. 2
Intelligence-Driven Security
“Threat Intelligence” – evidence-based knowledge – including context, mechanisms, indicators, implications and actionable advice – about an existing or emerging menace or hazard to IT or information assets. It can be used to inform decisions regarding the subject’s response to that menace or hazard. [1]
“Threat Mitigation” – the elimination or reduction of the frequency, magnitude, or severity of exposure to risks, or minimization of the potential impact of a threat or warning. [2]
“Risk” – the possibility that something bad or unpleasant (such as an injury or a loss) will happen. [3]
Threat Intelligence informs Threat Mitigation, which reduces Risk.
[1] Market Guide for Security Threat Intelligence Services – Gartner – 14 October 2014
[2] http://security.stackexchange.com/questions/tagged/threat-mitigation
[3] Webster's Dictionary
The Threat Landscape…
Threat Sophistication:
• Technical (not people)
• People who are not good at computers
• People who are good at computers
• People who are good at computers, organized & experienced
• People who are good at computers, organized, experienced & kinetic
* Courtesy - Google Keynote Presentation FIRST 2017
Which threat level do you face?
Intelligence Lifecycle
• Define Needs With Organization
• Configure Collection Management System
• Review and Fine Tune System Tasking
• Sort, Filter, Vet & Prioritize Data
• Analyze Relevant Data
• Draft and Deliver Intelligence Product to Organization
• Discuss Impact, Manage Follow Up Actions
• Assess Changes to Requirements
Intelligence Efforts Focus
• Identify intelligence efforts that protect the following
• Priority #1: Self
• Priority #2: Third Party & Supply Chain
• Priority #3: Indirectly Connected
Use Case
The Need For Cyber Assessment…
“An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak”
https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#445543fde599
“Verizon’s Data Breach Fighter Gets Hit With, Well, a Data Breach”
http://fortune.com/2016/03/24/verizon-enterprise-data-breach/
“Hackers Threaten to Release 30GB of Stolen Data From San Francisco’s Municipal Railway”
http://fortune.com/2016/11/28/muni-hack-san-francisco/
Threat Intelligence Program Framework
7 Parts
Requirements – What you need
Roles – Who you need
Team – How they’re organized
Process – How the program works
Systems – What the program uses
Metrics & Reporting – How it’s measured
Connections – What & How it delivers
Intelligence Program Part 1: Requirements
Intelligence Program Part 1 Continued: Requirements
Phishing Examples
• Honeypots, spam email, and links
• Customer Abuse Box Feed/Monitoring
• Phone/SMS messages
• Org Web Logs
• Domain Name Registrations and “Go Live” Alerts
These sources feed the Phishing Sites Detection System, whose output is Phish.
Brand Protection Examples
• Copyrighted Image Search
• Logos and Visual Marks
• Impostor Social Media Accounts
• Claimed Relationships
Takedown Services Examples
• Phone
• Email
• Imposters
• Confidential Files
• Phishing
• Malware
Use Case
Cyber Assessment: Requirements
• Provide to security executives, assessment on either self or Third Party & Supply Chain systems and assets
• Build program to continuously assess and report
• Areas to consider
▪ Network Footprint
▪ System Compromises & Infections
▪ Account Compromises
▪ External Facing Vulnerabilities
▪ Domain & Spear-Phishing Risk
▪ Intelligence Indications & Warnings
Intelligence Program Part 2: Roles
• Tip: Focused On Specific Deliverables
• Program
- Planning
- Architecture
- Strategy
• Security Subject Matter Experts (SME)
- Cyber Analysts
- Social Analysts
- Phishing Analysts
- Malware / Forensic Specialists
- Incident Response Specialists
- Brand Protection Analysts
- Rogue Applications
- Third Party Risk Analysts
- Physical Security Analysts
- Language & Translation Specialists
• Network System SMEs
- Network Security Operations
- Network Integration Specialists
• Systems Development SMEs
- Software developers
- Data processing
- Data analytics
- Data visualization
Use Case
Cyber Assessment: Roles
• Roles required
- Planning
- Architect
- Manager
- Cyber Analyst
- Social Analyst
- Third Party Risk Analyst
- Software developers covering
▪ Data processing
▪ Data analytics
▪ Data visualization
Intelligence Program Part 3: Team
• Tip: Consider Tiered Structure
- Support 24x7 Operations
• Structure
- Manager
- Tier 1 Cyber Threat Analysts (junior)
- Tier 2 Cyber Threat Analysts (senior)
• Typical Work Schedule
- 12 hour shifts, 4 on/4 off, with relief support
• Tiered Structure Essential
- Tier 1 Example: 24 full-time Cyber Analysts
- Tier 2 Example: One full-time Senior Cyber Threat Analyst and Three full-time Cyber Threat Analysts
• Backup/Resiliency
- Have permanent remote team members as geographic backup and resiliency support
Use Case
Cyber Assessment: Team
• Structure
- Manager
- Cyber/Social/Third Party Analysts
- Software Development
• Work schedule
- On demand
- 9-to-5
Intelligence Program Part 4: Process
• Tips:
- Functional Area Specific
- Keep It Current
- Invest in Technology Improvements
Intelligence Program Part 4: High Level Process
24x7 Real-Time Intelligence Processing
Ingest
• Third Party Data
• Local Org Data
• Global Actor Data
• Industry Data
• Local Telemetry
• Global Cyber Data
Tier 1: Rapid Alerting
• Feed Vetting/Noise Reduction
• Data Tagging
• Review Criteria Relevancy
• Additional Capture (e.g. Screenshots)
• Alert
• Average alert 1 to 3 min after collection
Escalation to Tier 2
Tier 2: Contextual Alerting
• Data Verification
• Adding Context – 5Ws
• Additional Tagging for Data Lake/Threat Landscape
• Quality Review
• Hotline
• Response 10 to 30 min after collection
Feedback loops: Relevancy Feedback, Quality Feedback
Output: Organization Threat Response & Reporting via SMTP, SMS, VOIP …
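As an added example (not LookingGlass code), this Python sketch runs the Tier 1 rapid-alerting steps named above (feed vetting/noise reduction, data tagging, relevancy review, alert) over a constructed batch of feed records and measures collection-to-alert time against the slide's 1 to 3 minute figure. Feed names, vetting scores and organisation assets are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
# Hypothetical feed vetting scores (0 to 1) and organisation assets; feeds under the threshold are noise.
FEED_VETTING = {"third_party": 0.9, "industry": 0.8, "global_cyber": 0.6, "paste_scrape": 0.2}
VETTING_THRESHOLD = 0.5
ORG_ASSETS = {"acme.example", "access.acme.example", "203.0.113.10"}

@dataclass
class Record:
    feed: str
    indicator: str            # domain or IP as it appeared in the feed
    collected_at: datetime
    tags: list = field(default_factory=list)

def vet_and_dedupe(records):
    """Feed vetting / noise reduction: drop low-confidence feeds and repeated indicators."""
    seen, kept = set(), []
    for r in sorted(records, key=lambda r: r.collected_at):
        if FEED_VETTING.get(r.feed, 0.0) < VETTING_THRESHOLD or r.indicator in seen:
            continue
        seen.add(r.indicator)
        kept.append(r)
    return kept

def is_relevant(record):
    """Relevancy criteria: the indicator is, or sits under, an organisation asset."""
    return any(record.indicator == a or record.indicator.endswith("." + a) for a in ORG_ASSETS)

def tier1_alerts(records, now):
    """Tier 1 pass: vet, tag, check relevancy; return (record, seconds from collection to alert)."""
    alerts = []
    for r in vet_and_dedupe(records):
        # Data tagging: source feed plus a coarse indicator type.
        r.tags += ["src:" + r.feed, "ip" if r.indicator.replace(".", "").isdigit() else "domain"]
        if is_relevant(r):
            r.tags.append("tier1:alert")
            alerts.append((r, (now - r.collected_at).total_seconds()))
    return alerts

def average_alert_latency(alerts):
    """Mean collection-to-alert time, to compare with the slide's 1 to 3 minute target."""
    return sum(lat for _, lat in alerts) / len(alerts) if alerts else 0.0

# Constructed feed batch (not real indicators) and the moment the alert pass runs.
T0 = datetime(2017, 6, 1, 12, 0, 0)
NOW = T0 + timedelta(seconds=120)
SAMPLE = [Record("third_party", "login.acme.example", T0),
          Record("paste_scrape", "acme.example", T0 + timedelta(seconds=10)),        # noise feed
          Record("industry", "evil.example", T0 + timedelta(seconds=20)),            # not relevant
          Record("global_cyber", "login.acme.example", T0 + timedelta(seconds=30)),  # duplicate
          Record("global_cyber", "203.0.113.10", T0 + timedelta(seconds=40))]
```

Running `tier1_alerts(SAMPLE, NOW)` raises two alerts and drops the noise-feed, duplicate and irrelevant records; `average_alert_latency` on the result is what a Tier 1 metrics report would track against the 1 to 3 minute target.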
Intelligence Program Part 4: Phishing Detection Specific Workflow
Swimlanes: System, SOC Manager, SOC Analyst (Analyst, Manager)
Workflow steps
• Start
• Assign Ownership
• Site Review
• Action Needed? If Yes: Determine Action Type Required, Create Action, Initiate Action
• Update Status
• Close Incident
• End
Status Options
• Not Reviewed
• Under Review
• Call - Waiting for Response
• Email - Waiting for Response
• C&D - Waiting for Response
• No action needed
• Monitor
• Closed
Incident Target Issues
• Claimed Relationship
• Domain Name Violation
• Image Use
• Multi-Issue
• Objectionable Content
• Traffic Diversion
• Threat
Use Case
Cyber Assessment: Process
• Gather
- Domains & Systems
- User Accounts
- Applications
• Assess
- Network Footprint
- System Compromises & Infections
- Account Compromises
- External Facing Vulnerabilities
- Domain & Spear-Phishing Risk
- Intelligence Indications & Warnings
• Report
Intelligence Program Part 5: Systems
• Tips
- Identify system based on functional requirements
- Best-in-class focus
• Systems to support process include
- Threat Intelligence Platform
- Response Management
- Cyber Intel Workflow
- Phishing Workflow
- Social Media Intel Workflow
- Help Desk
- Time Management
Use Case
Intelligence Program Part 5: Systems
• Custom Web Application for Analysts
- Enter profile data
- Monitor and review status of automated pipeline
- Connects set of collection systems
• Systems Used
- Vulnerability Scanner
- Both Open Source and Commercial Network Footprinting
- Domain Analysis
- Dark and Surface Web Crawlers
- Database and Spreadsheets
- Threat Intelligence Platform (and aggregated MRTI)
- Internet Intelligence
Use Case
Intelligence Program Part 5: System Process
• Pipeline stages: Infection Records, Compromises, Network Intelligence, Open Source, Vulnerability Scan
• (Diagram: profile terms for the example organization, such as acme, acmegrp, access.acme and Acme Group, are run through each stage; IP addresses are shown redacted as x.x.x.xx.)
Intelligence Program Part 6: Metrics & Reporting
• Tips:
- Who are reports for
- Expected outcomes of reports
• Including
- Daily/Weekly Metrics Reporting
- Threshold Alerting
- Event Notifications
- Visual and Electronic Event Triggers
- Workflow/Time analysis
Intelligence Program Part 6 Continued: Reports
• Reports
- Specific
- Segmented
- Actionable
- Business Relevant
Sample report:
Brand Abuse Detection Report
Good Afternoon,
This is the Brand Abuse Detection Report for the week of [Date]. Cyveillance has identified seven incidents
that infringe on the [Brand Name] Brand. A list of these infringements consist of:
One Domain Violation
Two Impersonation Pages
One Claimed Relationship
Three Logo Violations
The data we collected for the week is reflected in the charts below:
[Charts: Threat Types; Incidents By Source]
Imposter Social Media Accounts
(Template entries: “A quick summary of how the page is impersonating your brand will go here.”)
Domain Name Registration Monitoring
Newly registered domains of interest:
cyveillance.ooo (whois)
cyveillance.io (whois)
cyveillance.finance (whois)
The top TLD('s) registered using the [brand] name for this week are:
.ooo
.finance
.io
New gTLD Launch Updates:
.men (begins July 9)
Sunrise ending this week
.site (ends July 6)
Limited Registration II starting this week
.taipei (begins July 7)
General Availability starting this week
.love (begins July 7)
.cafe (begins July 8)*
.express (begins July 8)*
.news (begins July 8)
.site (begins July 8)
Please note that * indicates the DONUTS DPML applies.
Weekly Trends
The American Federation of Government Employees filed a class-action lawsuit against the Office of
Personnel Management and KeyPoint Government Solutions over the failure to protect against the major
cybersecurity breach. (Washington Examiner)
The city council in Sao Paulo, South America’s largest metropolis, voted to ban Uber’s ride-sharing service,
marking the latest setback for the company. (Reuters)
In a move designed to create competition against YouTube, Facebook will begin sharing ad revenue with
video creators. (Re/code)
To receive our full Weekly Trends email please send email addresses for interested members of your
organization to Camille Stewart.
Please feel free to contact Camille Stewart ([email protected]) with any questions or concerns.
Regards,
Cyveillance Security Operations Center (CSOC)
Cyveillance, Inc. (a QinetiQ company)
http://cyveillance.com/
+1 (866) 553-0646 Toll Free U.S.
+1 (703) 351-2400 Direct Intl.
+1 (703) 560-2793 Fax
These findings are based on items identified in the open source internet and do not constitute actual evidence. The conclusion of fact is only made when intelligence becomes evidence by vetting and authentication. Intelligence findings do not equate to facts, actus reus (guilty acts) or mens rea (intent/knowledge) of the Subject/Person(s) in question.
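As an added example (not Cyveillance or LookingGlass code), the following reproduces the sample report's Domain Name Registration Monitoring section over a constructed newly-registered-domain feed: it produces the "newly registered domains of interest" list and the "top TLDs registered using the brand name" count, and goes one step further than the report by also flagging near-miss spellings of the brand. The brand, the feed lines, the feed format and the edit-distance threshold are assumptions made for the illustration.

```python
from collections import Counter
BRAND = "cyveillance"   # brand under watch, as in the sample report
# Constructed newly-registered-domain feed, one "domain,registered_on" per line (not a real feed).
FEED = """\
cyveillance.ooo,2015-07-01
cyveillance.io,2015-07-02
cyveillance.finance,2015-07-03
cyvei11ance.com,2015-07-03
secure-cyveillance-login.net,2015-07-04
cyveillance-support.io,2015-07-04
weather.example,2015-07-04
"""

def parse_feed(text):
    """Yield (domain, registered_on) pairs, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.strip().lower().split(",")
        if len(parts) == 2 and parts[0]:
            yield parts[0], parts[1]
def split_domain(domain):
    """Return (registrable label, TLD); assumes a single-label TLD such as .io or .finance."""
    label, _, tld = domain.rpartition(".")
    return label, tld

def levenshtein(a, b):
    """Edit distance, used to catch near-miss spellings of the brand (digit-for-letter swaps etc.)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand=BRAND, max_edits=2):
    """'exact' if the label is the brand, 'contains' if embedded, 'typosquat' if within max_edits."""
    label, _ = split_domain(domain)
    if label == brand:
        return "exact"
    if brand in label:
        return "contains"
    return "typosquat" if levenshtein(label, brand) <= max_edits else None

def domains_of_interest(text, brand=BRAND):
    """The report's 'newly registered domains of interest': (domain, kind) for each brand match."""
    return [(d, k) for d, k in ((d, classify(d, brand)) for d, _ in parse_feed(text)) if k]

def top_tlds(hits, n=3):
    """The report's 'top TLDs registered using the brand name', most frequent first."""
    return Counter(split_domain(d)[1] for d, _ in hits).most_common(n)
```

`domains_of_interest(FEED)` returns six hits (three exact, two containing the brand, one typosquat) and `top_tlds` ranks .io first because two of them use it; the "(whois)" lookup the report attaches to each hit is left to the analyst.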
Use Case
Intelligence Program Part 6: Report/System & Account Compromises
• Analysis & Summary on
- Total Records Analyzed
- Recent Breaches Listing
- Unique Users Covered
- Malware Infections Found
- High-Recurrence Users
- Reputation Risks
- Executive Credentials
Use Case
Intelligence Program Part 6: Report/Vulnerabilities
• Listing sites analyzed
• Assessment of active vulnerabilities found
• Number of instances
Use Case
Intelligence Program Part 6: Report/Domain & Spear-Phishing Risk
• Company owned domains
• High risk domains
Use Case
Intelligence Program Part 6: Report/Intelligence & Warnings
• Aggregated view of threat intelligence reports
• Context and background to support analysis
• Analysis and prioritization
• Recommendations on critical intelligence to act on
Use Case
Intelligence Program Part 6: Report/Exec Summary
• Provide to security professionals…
• Insight into application vulnerabilities
• Information on potential leaks, theft of sensitive data
• Identify holes in internal security posture to ensure compliance
• Identify latest data breaches and compromised user accounts
• Reduce risk of high impact exploits such as ransomware, website defacements or malicious injection
Intelligence Program Part 7: Connections
• Tip: Empower rapid response to incidents and maintain goodwill
• Internal Systems and Groups
- SecOps/NetOps
- IT, Compliance, Third Party Risk
• Supply Chain
- Infosec/SecOps
• Industry Connections
- Data Feeds (Open, Commercial)
- Technology Learnings
- Trusted Sharing
• Law Enforcement Connections
Use Case
Intelligence Program Part 7: Connections
• Final report influences and updates connected teams
- Systems Patched: Vulnerability Mgmt Teams
- Policy & Password Changes: IT Team
- Supply Chain Updates, Policy and Enforcement: Third Party Risk Team
- Security Rules Update: NetOps & SecOps Teams
Recommendations
• Define program across
- Requirements
- Team
- Roles
- Process
- Systems
- Metrics & Reporting
- Connections
• Justify Threat Intelligence Program to reduce business risk
• Focus intelligence
- Self
- Third Party
- Indirect
• Protect business leveraging threat intelligence
Questions?
www.lookingglasscyber.com
@LG_Cyber @LookingGlassCyber /company/LookingGlass /+LookingGlassCyber