A Primer on Cyber Threat Intelligence
Source: ISSA NOVA slide deck, nova.issa.org/wp-content/uploads/2014/07/iSIGHT-Partners_ISSA-NOVA...
…AS ADVERTISED
BUZZWORD BINGO!
TODAY’S CYBER SECURITY CHALLENGES
• CISOs finding it difficult to define security ROI to executives
  • Short shelf life for CISOs
• Vastly expanding attack surface area
  • Mobile, cloud, virtualization, global business operations
• Large protection investments and no good prioritization filter
  • Who, why, when, how
• Operational chaos
  • Too many alarms, not enough people, poor prioritization
• “Brain dead” security tools that rely on past events/signatures
  • Versus extremely agile adversaries
• Severe breaches continue…
GLOBAL CYBER THREAT LANDSCAPE
• Active & Global
  • Transcends Geographies and Sectors
• Multiple Motivations
  • Cyber Crime, Espionage, Hacktivism, Destruction, etc.
• Low Entry Barriers
  • Actors use what works; not necessarily sophisticated methods
  • Open marketplace providing capabilities
• Structured & Vibrant
  • Ecosystem providing better tools, infrastructure, sharing ideas and methods, pooling resources
MY INTELLIGENCE PHILOSOPHY
• Good intelligence allows decision makers to act more boldly
• The decision maker’s time is valuable. Match his priorities – command his attention
• Only deliver actionable information, no history lessons, no news reports
• The quality of the analysis is directly proportional to the quality of the question asked
• Good analysts are respected but not always popular
• No software can replace the analyst
• Intelligence is an art, not a science
• Less is more
• Everyone & everything is a potential information source
• Disperse the team, embed the resources, build a network across the silos
• Any system that does not sustain itself is not a system
• New does not mean better; Old does not mean better
• Intelligence can be Cheap-Fast-Accurate. Pick any two
• The buck stops with me; the team gets the credit
FORMAL RESEARCH PROCESS YIELDS RICH, CONTEXTUAL THREAT INTELLIGENCE
Cycle phases: Collection → Analysis → Dissemination → Feedback & Clarification (back to requirements)
• Intelligence Requirements Requested From Client
• Intelligence Requirements Created Based on Clients, Sectors and Adversaries
• Requirements Prioritized by Analysts, Matched to Current Holdings then Passed to Research Teams
• Collection Planning and Tasking of Global Teams
• Requirements Collected by Unique Global Teams and returned to Fusion Center
• Processing and Exploitation To Standardize Multiple Information Sources Ready for Analysis
• Analysis of Information and Production of Reporting for Clients
• Fully fused, Corroborated, Cross-referenced and Edited Multi-source Intelligence Reporting
• Reporting Disseminated to Clients
• Client Feedback, Refinement of Intelligence Product
“ACTIONABLE INTELLIGENCE” OBJECTIVES
• Strategic (Executives): Provide understanding of identified and credible threats, correlated to business impact
• Operational (Managers & Analysts): Enable formulation of approaches to dealing with threats and prioritization of team activity
• Tactical (Security Operators): Provide understanding of how to mitigate threats and enable tools to do the heavy lifting
CYBER TACTICAL INTELLIGENCE
Threat Data Feed:
• Bad IP Address
• Ranking
• Last Hop Geo Location
Cyber Threat Intelligence:
• Bad IP Address
• Actor Group
• Motivation
• Primary Targets
• Ability to Execute
• Additional IPs, Domains
• Malware Used
• Lures
• Vulnerabilities Targeted
• Historic Campaigns
• Successful Compromises
WHAT ARE INTELLIGENCE REQUIREMENTS?
Strategic questions
• What keeps the C-suite up at night?
• What news stories or business events seem to be their hot buttons?
• Will the Qassam Cyber Fighters (QCF) target us?
Operational questions
• What does a targeted DDOS attack look like?
• How do we shape our defenses and responses?
• What are the technical capabilities of the QCF?
• What are the Tactics, Techniques and Procedures (Campaign) of the QCF?
Tactical questions
• Which one of these 100 events should I examine first?
• What are attributable IOCs of the QCF?
• What is the pattern of who is attacked by QCF?
• How does a QCF campaign unfold, step by step?
These questions are divided into answerable parts:
• = Priority Intelligence Requirements (PIR) and Other Intelligence Requirements (OIR)
• Drives the collection management plan
• Identifies intelligence gaps
• Create the needs statement & business case for new security services or products
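As an added example (not from the deck or from iSIGHT Partners), the Python sketch below turns the contrast between a raw threat data feed (bad IP, ranking) and contextual intelligence (actor group, motivation, primary targets, ability to execute) into a ranking function that answers the tactical question "Which one of these 100 events should I examine first?". The actor groups, indicators, holdings and sensor events are constructed placeholders, and the scoring weights are an assumption chosen for illustration.

```python
from dataclasses import dataclass

# Capability scale taken from the deck's threat matrix, lowest to highest.
CAPABILITY = ["Novice", "Apprentice", "Competent", "Skilled", "Expert"]

@dataclass
class Intel:
    actor_group: str
    motivation: str
    primary_targets: list      # sectors the actor has historically gone after
    ability_to_execute: str    # one of CAPABILITY
    feed_rank: int             # 1..5, the raw data feed's own ranking of the IP

# Constructed threat holdings keyed by indicator (IP); not real actors.
HOLDINGS = {
    "203.0.113.7": Intel("ActorGroup-A", "Hacktivism", ["finance"], "Competent", 2),
    "198.51.100.9": Intel("ActorGroup-B", "Espionage", ["defense", "finance"], "Expert", 3),
    "192.0.2.44": Intel("ActorGroup-C", "Cyber Crime", ["retail"], "Apprentice", 5),
}

def score_event(event: dict, our_sector: str) -> tuple:
    """Return (score, rationale); unknown indicators score 0 so they never outrank a known actor."""
    intel = HOLDINGS.get(event["src_ip"])
    if intel is None:
        return 0, "no intelligence holdings for indicator"
    score = CAPABILITY.index(intel.ability_to_execute) + 1  # 1..5 from ability to execute
    score += intel.feed_rank                                 # the feed's ranking still counts
    targeted = our_sector in intel.primary_targets
    if targeted:
        score *= 2                                           # actor focus matches our sector
    why = f"{intel.actor_group} ({intel.motivation}), {intel.ability_to_execute}, targets us={targeted}"
    return score, why

def prioritize(events: list, our_sector: str) -> list:
    """Return events ordered highest score first, each annotated with its score and rationale."""
    scored = [(score_event(e, our_sector), e) for e in events]
    scored.sort(key=lambda pair: pair[0][0], reverse=True)
    return [dict(e, score=s, why=r) for (s, r), e in scored]

# Constructed sensor events, as a SIEM might hand them to an analyst.
EVENTS = [
    {"id": 1, "src_ip": "192.0.2.44", "sig": "port scan"},
    {"id": 2, "src_ip": "203.0.113.7", "sig": "http flood"},
    {"id": 3, "src_ip": "198.51.100.9", "sig": "spearphish link click"},
    {"id": 4, "src_ip": "10.0.0.5", "sig": "failed login"},
]
```

With our_sector set to "finance", the feed ranking alone would put event 1 first, while the enriched score puts the Expert espionage actor that targets finance (event 3) first and the retail-focused actor third. Indicators that return no holdings are the intelligence gaps the slide mentions and still deserve a collection requirement even though they sort last here.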
EXAMPLE INTELLIGENCE DELIVERABLES
• Media Counterpoint – daily
• Threat Intelligence Briefing – daily or weekly
• Threat Intelligence Report – monthly
• Threat Intelligence Warning – as required
• Threat Intelligence Alert – as required
• Threat Scenarios – quarterly
• Sensor Enrichment – as required
• Threat Metrics – weekly
• Intelligence Support (Digital Brand Protection, Incident Response, Fraud, Attack Surface Management, Physical Security) – as required
THREAT MATRIX
• Threat Actor Focus (rows): Company X, Business sector, Industry, Enterprise, General
• Threat Actor Capability (columns): Novice, Apprentice, Competent, Skilled, Expert
• Example threats plotted on the matrix: Hacktivist campaign, IP theft
ACTIONABLE THREAT INTELLIGENCE: FUNCTIONAL & TECHNICAL INTEGRATION
Intelligence at the center, feeding each security function:
• Surface Protections
• SIEM
• Incident Response
• Security Analytics
• Forensics
• Investigations
• Governance, Risk, Compliance
• Patch Management
Activity:
• Ingress/Egress Blocking
• Event Prioritization
• Analyze Incidents (Who, Why) & Hunt for Issues
• Remediation & Attribution
• Prioritize Most Critical Patches
• Brief Executives
Value:
• Enhance Protection, Block with Confidence
• Shrink The Problem
• Improve Decisions
• Who/Why Attack, Did We Find Everything?
END TO END INTELLIGENCE PROCESS
W. Michael Susong, +1 214 886 7714
iSIGHT Partners: 200+ experts, 16 Countries, 24 Languages, 1 Mission