CTI Capability Maturity Model | Marco Lourenco
Posted on 02-Feb-2019
European Union Agency for Network and Information Security
CTI Capability Maturity Model
Cyber Threat Intelligence Course
NIS Summer School 2018, Crete | October 2018
MARCO LOURENCO - ENISA Cyber Security Analyst Lead
Agenda
1. Whoami
2. Recapping
3. CTI capability framework
4. CTI maturity model
5. Good practices of CTI capability according to organizations
6. Managing the level of expectation/fulfillment: KPIs and metrics
7. MedX case study
8. Q&A
Whoami
Started as data forensics analyst for the financial sector during the 90s. Worked with Interpol in criminal investigation system projects in the early 2000s. With the European External Action Service as CISO in the mid 2000s. United Nations and Microsoft as regional manager in EMEA during the last 10 years, working with government agencies in cyber threat intelligence. Since this year in ENISA as cyber security analyst lead.
Whoami
• Analyst background
• Computer forensics
• Criminal investigation
• Infosec operational
• CTIA Manager
• Threat Intelligence Analysis evangelist
Where do analysts sit?
• Incident response
• Red/blue teaming
• Intelligence analysis
• Security policy and education
• Application protection
• Monitoring & detection
• Data protection
• Risk management
Where do analysts sit? (diagram: SO, SOC, outsourced)
Why has Cyber Threat Intelligence Analysis become an important cyber security domain?
• The urgent need to move from a reactive to a proactive approach;
• Difficulties in gaining a better understanding of the threat landscape;
• The need for clarity and interpretation of all the data and information available;
• Going beyond what is visible on the organization's own radar and acting in anticipation;
• Profiling adversaries through behavior and attribution to better understand their intentions;
• Applying a methodological approach to dealing with threats.
Where do we need to focus? Education, community, practice, partners.
“Recapping”
Risk landscape (diagram plotting likelihood against impact for: data breach/theft, ransomware, phishing, insider threat, spam, SQL injection, DDoS, web based attacks)
“Recapping”
Threat (diagram: a threat requires capability, opportunity and intent; overlap labels: insubstantial, impending, potential)
“Recapping”
Context (diagram: data analytics comprising enrichment, mining and analytics)
“Recapping”
“Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to conduct informed decisions regarding the subject’s response to that menace or hazard.”
“Recapping”
Known knowns, known unknowns, unknown unknowns
“Recapping”
David Bianco - Pyramid of Pain (diagram: indicator tiers from TTPs at the top, which are tough for the adversary to change, down through challenging, annoying, simple and easy to trivial; the example IP addresses on the slide sit in the easy tier)
“Recapping”
Audiences (diagram: low-level consumers such as architects, sysadmins, SOC staff/IR and defenders versus high-level consumers such as the board; short- to mid-term use versus long-term use)
“Recapping”
TYPE        | LEVEL | SCOPE                | MAIN TASK
Strategic   | High  | Medium to long term  | High level information for risk reduction
Operational | High  | Short to medium term | Details of specific incoming attacks
Tactical    | Low   | Medium to long term  | Attackers' methodologies, tools and tactics
Technical   | Low   | Short to medium term | Indicators of specific malware
CTI Capability Framework
• Planning and requirements
• Collection
• Analysis and processing
• Production and evaluation
• Dissemination and integration
“Failing to plan is planning to fail.” - Winston Churchill
Planning
Stakeholders alignment
Scope definition
Requirements identification
Requirements prioritization and traceability matrix
Resources evaluation and assignment
Collection
Stakeholders and information collection (diagram)
Intelligence inputs: MO, TTP, threat landscape, OSINT, actors, technical reports, tools
Stakeholders: architects, sysadmins, SOC staff, incident response, defenders, threat hunters, the board/regulators
Internal data: security logs, domain lists, syslogs, process logs, net logs, event logs, IDS/IPS logs
Collection
Collection Management Example
                         | Endpoint Protection Systems  | Operating Systems                                | Network                                  | Firewall
Data type                | System alert                 | Host based logs                                  | Netflow                                  | System alert
Kill chain coverage      | Exploitation and installation | Exploitation, installation and actions on objectives | Internal reconnaissance, delivery and C2 | Internal reconnaissance, delivery and C2
Follow-on collection     | Malware sample               | Files and timelines                              | Packet capture                           | Netflow
Typical storage in days  | 30 days                      | 60 days                                          | 23 days                                  | 60 days
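A collection-management gap check built on the table above, as an added example (not from the deck): it reports kill-chain phases that no source observes, phases that depend on a single feed, and sources whose retention falls short of a required lookback. Phase names follow the Lockheed Martin kill chain the deck cites; mapping the slide's "internal reconnaissance" onto the Reconnaissance phase is an assumption.

```python
"""Collection-management gap check over the slide's example sources (added
illustration, not from the deck). Phase names follow the Lockheed Martin kill
chain the deck cites; mapping the slide's "internal reconnaissance" onto the
Reconnaissance phase is an assumption."""
from dataclasses import dataclass

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]

@dataclass(frozen=True)
class Source:
    name: str
    data_type: str
    phases: frozenset    # kill-chain phases this feed gives visibility into
    follow_on: str       # what can be pulled once an alert fires
    retention_days: int  # how long the raw data is kept

# Constructed from the slide's collection-management table.
SOURCES = (
    Source("Endpoint Protection Systems", "System Alert",
           frozenset({"Exploitation", "Installation"}), "Malware sample", 30),
    Source("Operating Systems", "Host Based Logs",
           frozenset({"Exploitation", "Installation", "Actions on Objectives"}),
           "Files and timelines", 60),
    Source("Network", "Netflow",
           frozenset({"Reconnaissance", "Delivery", "Command and Control"}),
           "Packet capture", 23),
    Source("Firewall", "System Alert",
           frozenset({"Reconnaissance", "Delivery", "Command and Control"}),
           "Netflow", 60),
)

def phase_coverage(sources=SOURCES):
    """Map every kill-chain phase to the names of the sources that observe it."""
    return {p: sorted(s.name for s in sources if p in s.phases) for p in KILL_CHAIN}

def uncovered_phases(sources=SOURCES):
    """Phases no source sees at all: a collection requirement nobody fulfils."""
    return [p for p, names in phase_coverage(sources).items() if not names]

def single_points_of_visibility(sources=SOURCES):
    """Phases seen by exactly one source; losing that feed blinds the phase."""
    return {p: names[0] for p, names in phase_coverage(sources).items()
            if len(names) == 1}

def retention_gaps(required_days, sources=SOURCES):
    """Sources keeping data for fewer days than the lookback the requirements ask for."""
    return {s.name: required_days - s.retention_days
            for s in sources if s.retention_days < required_days}
```

With a constructed 45-day lookback requirement, the endpoint and network feeds come out short by 15 and 22 days, and actions on objectives is visible only through host logs.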
Analysis and processing
(diagram: data analytical work plotted against tools; the quadrants are speculative guess-work, unreliable auto-generated analysis, overworked unproductive analysis, and the analytical sweet spot)
Analysis and processing
• Diamond Model of Intrusion Analysis
• Kill chain (Lockheed Martin)
• Campaigns heat map
• Threat Intelligence Platforms (TIP)
• Excel
Production and evaluation
(diagram: stakeholders and the requirements traceability matrix feed the products: CoA, CTI, threat landscape, heat map, advice, risk assessment)
Dissemination and Integration
Maturity Model
CTI maturity
Levels: Initial (level 0) → Repeatable (level 1) → Managed (level 2) → Optimized (level 3)
Focus: base infrastructure → enhanced visibility → business-centric
Analysis style: descriptive → predictive → pre-emptive
Capabilities plotted along the risk management axis (diagram):
• Log management
• SIEM deployment
• Capability deployed
• Advanced correlation and trends analysis
• Pattern recognition and outlier detection
• Application and database activity monitor
• Adaptive threat detection
• Proactive incident response
• Machine learning and linked analysis
• User behavior and entity analysis
• Pre-emptive response
• Breach protection
• Active threat monitoring
• Active threat management
Good practices
• Adopt classic intel tradecraft and taxonomy
• Utilize internal and external data/information
• Hone critical thinking and analytical skills
• Generate intelligence adjusted to your different audiences
• Stick to the requirements and scope, but stay agile
• Be ready to cooperate and share
• Learn from your own and others' mistakes
• Profile your adversaries
• Always contextualize
• Evaluate and reevaluate
• Know your stakeholders and what they require
2018 CTI-EU Bonding
https://www.enisa.europa.eu/2018-cti-eu-event/enisa-cti-eu-event
Getting the Cyber Threat Intelligence Community together
Brussels, 5 and 6 November 2018
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
louis.marinos@enisa.europa.eu
www.enisa.europa.eu
Thank you for your attention