2016 ISSA Conference Threat Intelligence Keynote philA
TRANSCRIPT
![Page 1: 2016 ISSA Conference Threat Intelligence Keynote philA](https://reader035.vdocument.in/reader035/viewer/2022062822/587efc591a28ab35528b6387/html5/thumbnails/1.jpg)
State of the Art Threat Intelligence // philA
*Based on The Cyber Shafarat - Treadstone 71
2
We are in a confused state…
3
Functions don't follow standard intelligence tradecraft
- Programs support only a fraction of the intelligence needs
- Stakeholders hold unrealistic expectations

Most programs are poorly conceived
- Follow inaccurate definitions of threat intelligence

Focus on technology repeats the historical problems of infosec
- See, Detect, and Arrest paradigm

Threat intelligence vendors are driving the market
- Communicate definitions supporting their offerings
- Propagate the fallacy that they solve numerous security problems
The State of Cyber Threat Intelligence
Source: Treadstone 71
4
Mistakes being made in threat intelligence
- Many reports aren't written in analytic form or format
- Many don't provide confidence levels
- Many don't cite sources, provide reliability of sources, or provide credibility of the information
- Many take these reports at face value
Source: Treadstone 71
5
Threat Intelligence
Cyber Threat Intelligence
6
What is Intelligence?
What is Risk?
Taxonomies
Definitions
7
The Intelligence Cycle is the process by which information is acquired, converted into intelligence, and made available to policymakers.
Information is raw data from any source, data that may be fragmentary, contradictory, unreliable, ambiguous, deceptive, or wrong.
Intelligence is information that has been collected, integrated, evaluated, analyzed, and interpreted.
Finished intelligence is the final product of the Intelligence Cycle ready to be delivered to the policymaker.
(CIA World Fact Book, 2016) A1
Definitions
8
The three types of finished intelligence:
Basic intelligence provides the fundamental and factual reference material on a country or issue.
Current intelligence reports on new developments.
Estimative intelligence judges probable outcomes.
The three are mutually supportive: basic intelligence is the foundation on which the other two are constructed; current intelligence continually updates the inventory of knowledge; and estimative intelligence revises overall interpretations of country and issue prospects for guidance of basic and current intelligence. The World Factbook, The President's Daily Brief, and the National Intelligence Estimates are examples of the three types of finished intelligence.
(CIA World Fact Book, 2016) A1
9
What is Threat Intelligence?
Source: MWR InfoSecurity Model of Threat Intelligence
Based on consumption: strategic, operational, tactical, and technical. (InfoSecurity, 2015) B3
10
Problem… Exclusive focus: Threat Intelligence
Threat Intelligence is a subset of Intelligence
Lacks scope, depth, breadth, and is deficient in tradecraft
Basic
Foundational
Research
Competitive
Estimative
Warning
11
What is Tradecraft?
Spy Stuff…
Military Secretive
12
Intelligence tradecraft is rooted in CIA capabilities
- Honed over years of trial, error, mistakes, and triumphs

Sherman Kent
- Father of intelligence analysis
- Defined the methods of intelligence analysis used today
- His analytic standards, doctrines, and practices need to be applied today within cyber threat intelligence functions. (Davis, 2007) A1

Richards J. Heuer Jr.
- 45-year CIA veteran
- Documented issues with critical thinking, cognitive bias, and structured analytic techniques used today

+ Both offer approaches directly applicable to information security efforts to create threat intelligence
+ Enable organizations to see beyond the limited view of the 'see, detect, and arrest' paradigm
+ Progress to data collection, analysis, and intelligence creation used to prevent and eventually predict adversary actions
Tradecraft is the underlying framework for intelligence upon which military and non-military programs should be built
Source: Treadstone 71
13
Infosec: Intelligence is a whole other discipline
14
Intelligence analysts endure rigor, structure, and focused training that specializes in the craft of intelligence analysis.
Core function of any intelligence organization: they learn how to think, write, and brief. They study analytic tools, counterintelligence issues, denial and deception, analysis, and warning skills. (Agency, 2007) A1
Source: Treadstone 71
15
Well-built intelligence programs are driven top-down, as opposed to being technically oriented from the bottom up.
Know:
16
Your adversaries are already inside your network and must be removed. Organizations need to do this for proper hygiene.
Know:
17
Recognize the latest focus on ‘hunt and detect’ is merely an enhancement to the failed attempts at event correlation in SIEMs.
Know:
18
Log aggregation and then analysis of the content for tactics, techniques, and procedures is but an improved method of finding adversaries and malware already in your environment. This is not proactive. This is not preventive. It is necessary, but not new.
Know:
19
Intelligence is not the same as incident response or a core component of the security operations center.
Know:
20
Hire intelligence professionals and/or train those with the aptitude for intelligence skills.
Recommendation:
21
Build your intelligence program from the top-down.
Recommendation:
22
Develop goals and outcomes that you want out of your intelligence program.
Recommendation:
23
Treat each vendor report as nothing more than another source of data. Evaluate each for credibility, reliability, and relevance.
Consider using the NATO Admiralty Code, which helps organizations rate the reliability of a source of data and the credibility of the information that source provides.
Evaluate each vendor report using this coding method, and document alongside the rating the ease of data extraction, the relevance to your organizational issues, the type of intelligence (strategic, operational, tactical, or technical), and the value in solving your security problems.
Recommendation:
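The evaluation this recommendation describes, as an added example that is not from the keynote or from Treadstone 71: a small Python script that validates an Admiralty rating, flags the report-writing mistakes listed on slide 4 (no cited sources, no confidence levels), records the type of intelligence, and ranks a set of vendor reports. The letter and digit meanings are the standard Admiralty scheme; the 1-to-5 scales for ease of extraction, relevance and value, the equal weighting of the five factors, and the vendor reports themselves are constructed assumptions.

```python
"""Evaluating vendor reports with the NATO Admiralty Code.

Added example; not from the keynote or from Treadstone 71. The reliability
letters (A-F) and credibility digits (1-6) are the standard Admiralty scheme.
The 1-5 scales for ease of extraction, relevance and value, and the way they
are combined into a rank score, are this example's own assumptions.
"""
from dataclasses import dataclass

# Source reliability (letter) and information credibility (digit), Admiralty scheme.
RELIABILITY = {
    "A": "Completely reliable",
    "B": "Usually reliable",
    "C": "Fairly reliable",
    "D": "Not usually reliable",
    "E": "Unreliable",
    "F": "Reliability cannot be judged",
}
CREDIBILITY = {
    "1": "Confirmed by other sources",
    "2": "Probably true",
    "3": "Possibly true",
    "4": "Doubtful",
    "5": "Improbable",
    "6": "Truth cannot be judged",
}
# The four consumption levels named on slide 9.
INTEL_TYPES = ("strategic", "operational", "tactical", "technical")


def parse_admiralty(code):
    """Split a rating such as 'B2' into ('B', '2'); reject anything outside the scheme."""
    code = code.strip().upper()
    if len(code) != 2 or code[0] not in RELIABILITY or code[1] not in CREDIBILITY:
        raise ValueError(f"not an Admiralty code: {code!r}")
    return code[0], code[1]


@dataclass
class VendorReport:
    """One vendor report plus the attributes the recommendation says to document."""
    vendor: str
    title: str
    admiralty: str            # analyst's rating of the source, e.g. "B2"
    cites_sources: bool       # does the report name and rate its own sources?
    states_confidence: bool   # does it attach confidence levels to its judgements?
    ease_of_extraction: int   # 1 (hard to pull data out) .. 5 (easy); assumed scale
    relevance: int            # 1 .. 5 against your own organizational issues; assumed scale
    intel_type: str           # one of INTEL_TYPES
    value: int                # 1 .. 5 contribution to solving your problems; assumed scale


def evaluate(report):
    """Return the report's Admiralty reading, the flags that argue against taking it
    at face value, and a rank score (0..25; assumed weighting: each factor 0..5)."""
    rel, cred = parse_admiralty(report.admiralty)
    if report.intel_type not in INTEL_TYPES:
        raise ValueError(f"unknown intelligence type: {report.intel_type!r}")
    for name in ("ease_of_extraction", "relevance", "value"):
        if not 1 <= getattr(report, name) <= 5:
            raise ValueError(f"{name} must be 1..5")

    flags = []
    if not report.cites_sources:
        flags.append("no source citations")
    if not report.states_confidence:
        flags.append("no confidence levels")
    if rel == "F":
        flags.append("source reliability cannot be judged")
    if cred == "6":
        flags.append("information credibility cannot be judged")

    reliability_pts = 5 - "ABCDEF".index(rel)   # A -> 5 ... F -> 0
    credibility_pts = 6 - int(cred)             # 1 -> 5 ... 6 -> 0
    score = (reliability_pts + credibility_pts + report.ease_of_extraction
             + report.relevance + report.value)
    return {
        "vendor": report.vendor,
        "title": report.title,
        "admiralty": rel + cred,
        "reliability": RELIABILITY[rel],
        "credibility": CREDIBILITY[cred],
        "intel_type": report.intel_type,
        "flags": flags,
        "score": score,
    }


def rank(reports):
    """Evaluate every report and order them best first; ties broken by vendor name."""
    return sorted((evaluate(r) for r in reports), key=lambda e: (-e["score"], e["vendor"]))


# Constructed sample reports (vendors, titles and ratings are made up).
SAMPLE_REPORTS = [
    VendorReport("Vendor Alpha", "Campaign against regional banks", "B2",
                 True, True, 4, 5, "operational", 4),
    VendorReport("Vendor Beta", "Top 10 threats this quarter", "F6",
                 False, False, 2, 3, "technical", 2),
    VendorReport("Vendor Gamma", "Indicator bulletin 17", "C3",
                 True, False, 5, 2, "tactical", 3),
]

if __name__ == "__main__":
    for entry in rank(SAMPLE_REPORTS):
        print(f'{entry["score"]:2d} {entry["admiralty"]} {entry["vendor"]:13s} '
              f'{entry["reliability"]} / {entry["credibility"]}  flags={entry["flags"]}')
```

The flags matter more than the score: a report rated F6 or lacking sources and confidence levels is, in the keynote's terms, just another piece of unevaluated data, and the script keeps that visible rather than letting a high relevance or ease-of-extraction score hide it.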
24
Find a balance between long-term analysis and short-term reporting.
Don’t get stuck in the reporting hamster wheel—gathering current data, serialized reporting, reporting rollups, and fighting daily issues.
Recommendation:
Self-Inflicted Punishment
Never have the time to analyze data based on historical collection—intelligence-type work.
25
Give intelligence functions direct access to organizational stakeholders.
Don’t bury the function in a SOC.
Recommendation:
26
Focus on the right People, the right Process, and then the right Technology.
Recommendation:
27
Know:
28
We live in a time where:
- Information is vulnerable.
- Everyone is being watched.
- Anyone can be compromised.
philA Society
Know:
29
To be forewarned is to be fore-armed
Information Sharing
A nonprofit private-sector initiative formed in 1999
Designed, developed, and owned by the financial services industry
Mitigates cybercrime, hacktivist, and nation-state activity
Processes thousands of threat indicators per month
2004: 68 members; 2015: 6000+ members
Sharing information globally
Mission: Sharing Timely, Relevant, Actionable Cyber and Physical Security Information & Analysis
30
You can do this!