Building an intelligence-driven organization
TLP:WHITE
Anastasios Pingios
FIRST Cyber Threat Intelligence Webinar Series, 4 May 2020
Disclaimer.
All opinions expressed are my own, and do not represent my employer.
About.
● Principal Security Engineer at Booking.com
● Contributor at MITRE ATT&CK framework
● @xorlgr
● SANS GCTI, RecordedFuture Geopolitical Analyst, Bellingcat OSINT, ISS OSINT, ...
Agenda.
● Definition
● Risk versus threat-based approach
● The 5 phases
Definition.
Threat intelligence
● Intent
● Opportunity
● Capability
Threat intelligence
● Product
● Process
"If you know the enemy and know yourself, you need not fear the result of a hundred battles." Sun Tzu, The Art of War
Risk vs threat-based approach.
Risk = Impact x Likelihood
Threat = Opportunity + Intent + Capability
Risk-based
● Covers all cases
● Well known
● Standardized
Threat-based
● Very specific
● Applicable to all levels
● Proactive security
Why?
The Sliding Scale of Cyber Security, Robert M. Lee, September 2015
Phase 1: The beginning.
● Typically on spare time
● No Intelligence Requirements? Start small
● Analysis on past incidents
● Build campaigns & threat actor profiles
● Develop simple products and get lots of feedback (WARNING: DO NOT MAKE THIS AN ECHO CHAMBER)
Organizational diagram: Cyber-security team(s), TI “team”
Products
● Past campaigns
● Past threat actor profiles
Customers
● Cyber-security team(s)
● Cyber-security leadership
KPIs
● Consistency of products
● Incidents analyzed
Phase 2: External threats.
● Map identified threat actors/groups to external ones
● Track their activities and proactively deploy controls
● Develop processes and focus on quality
● Start measuring key indicators
● Share success stories / develop good reputation
Organizational diagram: Cyber-security team(s), TI “team”
Products
● Actor/campaign tracking
● External/internal mapping
Customers
● Cyber-security team(s)
● Cyber-security leadership
KPIs
● Incident response from TI
● False positive/negative rate
Phase 3: Formal CTI function.
● Clear mission, vision, and purpose
● Goal-driven intelligence - be a force multiplier
● Quality over quantity!
● Start offering intelligence products for all levels (strategic, tactical, and operational) based on PIRs
● Formal team KPIs
Organizational diagram: Cyber-security team(s), CTI team
Products
● Support for RFIs
● Regular threat updates
Customers
● Cyber-security team(s)
● Cyber-security leadership
KPIs
● Response time on RFIs
● Quality of products
Phase 4: Intelligence-driven security.
● Expand beyond cyber
● Provide intelligence services to all security teams
● Find links between threats from different domains
● Holistic intelligence reporting
Organizational diagram: Security department (Fraud prevention, Physical security, Cyber-security team(s), GRC, TI team)
Products
● Analytical support
● Multi-domain intelligence
Customers
● All security teams
● Security leadership
KPIs
● Metrics of proactive actions
● Teams utilizing TI resources
Phase 5: Intelligence-driven organization.
● Natural progression
● Build and train specialized intelligence teams
● Moving to the “left side of the boom” collectively
● Wider adoption of threat-based prioritization
● Create an internal intelligence community
Organizational diagram: Company (Security, HR, Legal, Finance, Product development, R&D, Sales, with TI teams embedded in several of these)
Products
● Analytical support
● Domain specific RFIs
Customers
● All company teams
● All company leadership
KPIs
● Per domain KPIs
● Deviations from standards
Summary.
From risk-based to threat-based, across the phases:
Phase 1: Beginning
Phase 2: External threats
Phase 3: Formal CTI function
Phase 4: Intelligence-driven security
Phase 5: Intelligence-driven organization
References.
● Conducting Risk Assessments, NIST 800-30
● MITRE ATT&CK framework
● The Sliding Scale of Cyber Security, Robert M. Lee, September 2015
● Left of boom: Do we actually do this?, Anastasios (xorl) Pingios, December 2019
Anastasios Pingios, @xorlgr