Road-map for actionable threat intelligence: Making Information Security Smarter
Abhi Singh, CISSP, CISA, CRISC, CISM, CCSK

Upload: abhisheksinghcs

Post on 27-Jun-2015


DESCRIPTION

Key takeaways: What is Cyber Threat Intelligence? Why should you care about it? How would you collect it? How would you generate it? What would you do with it?

TRANSCRIPT

Page 1: Road map for actionable threat intelligence

Road-map for actionable threat intelligence: Making Information Security Smarter

Abhi Singh, CISSP, CISA, CRISC, CISM, CCSK

Page 2: Road map for actionable threat intelligence

Tuesday, February 12, 2013: State of the Union Address
Wednesday, October 2, 2012: U.S. Cyber Command, GEN Keith Alexander
Thursday, December 19, 2013: Headline of the day

(chart: External 92%, Internal passive 4%, Internal active 2%, Unknown 2%)

Page 3: Road map for actionable threat intelligence

What do I want to demonstrate?

What is actionable cyber threat intelligence?
How does it enable business?
Why is actionable cyber threat intelligence not a product?
How can you develop a sound framework?
What are some capabilities that you would need?

Page 4: Road map for actionable threat intelligence

What is a Cyber Threat and Threat Intelligence?

Defense Science Board Task Force on Resilient Military Systems defines Cyber Threat as:

“The cyber threat is characterized in terms of three classes of increasing sophistication: those practitioners who rely on others to develop the malicious code, those who can develop their own tools to exploit publicly known vulnerabilities as well as discovering new vulnerabilities, and those who have significant resources and can dedicate them to creating vulnerabilities in systems.”

Threat Intelligence should then provide:

Understanding of motivation, intents, and capabilities of attackers; and
Detailed specifics on tactics, techniques, and procedures utilized.

Page 5: Road map for actionable threat intelligence

How will Cyber Threat Intelligence enable business?

Make effective decisions with actionable information
Save man-hours with automation: data collection, analysis, and usage
Control risk, detect problems, and prioritize remediation supported by reliable data
Validate existing policies and controls
Demonstrate ROI: align expenses with business objectives

Page 6: Road map for actionable threat intelligence

Where do you collect the information from?

Internal: SIEM, helpdesk, incidents, business direction and priorities (M&A etc.), monitoring blind spots on the network, honeypots

External:

Public: OSINT (using Maltego, Shodan, metagoofil etc.); Pastebin, Google, Facebook etc.
Commercial: Cyveillance, Dell, iSIGHT, Mandiant, RSA, Verisign, Verizon, AT&T, Fox-IT etc.
Government: US-CERT, InfraGard, FBI, DHS
Industry / Community: FS-ISAC, NH-ISAC, ES-ISAC, REN-ISAC

Page 7: Road map for actionable threat intelligence

What’s the first step after gathering information?

Methods and modes
Metadata
Threat vectors
Threat sources
IP and hosts
Exploit modules
Logs
Indicators of compromise (IOC)*
Geo

*Indicators of compromise (IOC): forensic artifacts of an intrusion that can be identified on a host or network

(diagram labels: Learn and Adapt, React; Human aspect, Machine aspect)

Page 8: Road map for actionable threat intelligence

What would you do with intelligence?

Identify Indicators of Compromise (IOCs) [forensic artifacts of an intrusion

that can be identified on a host or network]

Create machine-consumable information. Notable frameworks: OpenIOC, CybOX, IODEF

Perform accurate detection across the enterprise

Conduct a kill-chain based analysis to respond appropriately

Map the findings/possible effects to business priorities/activities

Develop strategic information for the senior leadership and decision makers

Page 9: Road map for actionable threat intelligence

Some examples of threat intelligence

Host-Based
• Mutexes
• File names
• File hashes
• Registry keys

Network-Based
• IP addresses & address ranges
• Internet domains
• AS numbers

Behavioral
• Adversary tactics
• Attack techniques
• Compromise procedures

Actor-based
• Malicious actors, organizations, and nation states
• Cyber attack campaigns

(diagram labels: React and recover; Learn and adapt)

Page 10: Road map for actionable threat intelligence

Example of actor-based threat intelligence (figure; diagram label: Learn and adapt)

Page 11: Road map for actionable threat intelligence

How do you put actionable intelligence (OpenIOC) to use?

IOC Editor: allows users to create IOCs in XML format.

Redline: provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.

Investigation process:

1. Create IOC (network IOC, host IOC; input: intelligence sources)
2. Deploy IOC (SIEM, IPS, end-point tools)
3. Identify potential compromise
4. Preserve evidence (forensic image, system state, logs)
5. Analyze data (malware analysis, log analysis)
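The three steps the slides leave abstract, writing an IOC in a machine-consumable format (slide 8), grouping host and network indicator types (slide 9), and creating, deploying and matching the IOC (slide 11), as one added worked example. This is not code from the presentation or from IOC Editor/Redline; it is a minimal OpenIOC 1.0 builder plus an evaluator for the OR/AND logic tree. The indicator values, the host records, the author tag and the choice of OpenIOC search term for each artifact type are constructed assumptions for illustration.

```python
"""Added example: build an OpenIOC 1.0 document and sweep it over host records.
All indicator values and host artifacts below are constructed, not real threat data."""
import uuid
import xml.etree.ElementTree as ET

NS = "http://schemas.mandiant.com/2010/ioc"   # OpenIOC 1.0 namespace
ET.register_namespace("", NS)


def _q(tag):
    return f"{{{NS}}}{tag}"


def build_ioc(short_description, logic):
    """Serialise a nested logic tree as an OpenIOC 1.0 document (slide 11: 'Create IOC').

    logic is (operator, children) with operator "AND" or "OR"; a child is either
    another (operator, children) tuple or a leaf (search_term, condition, value).
    """
    ioc = ET.Element(_q("ioc"), {"id": str(uuid.uuid4()),
                                 "last-modified": "2013-12-19T00:00:00"})
    ET.SubElement(ioc, _q("short_description")).text = short_description
    ET.SubElement(ioc, _q("authored_by")).text = "ti-team"   # assumed author tag
    definition = ET.SubElement(ioc, _q("definition"))
    _emit(definition, logic)
    return ET.tostring(ioc, encoding="unicode")


def _emit(parent, node):
    operator, children = node
    indicator = ET.SubElement(parent, _q("Indicator"),
                              {"operator": operator, "id": str(uuid.uuid4())})
    for child in children:
        if isinstance(child[1], list):          # nested Indicator block
            _emit(indicator, child)
            continue
        search, condition, value = child
        item = ET.SubElement(indicator, _q("IndicatorItem"),
                             {"id": str(uuid.uuid4()), "condition": condition})
        # The 'document' is the first path element of the search term (FileItem, RegistryItem, ...)
        ET.SubElement(item, _q("Context"), {"document": search.split("/")[0],
                                            "search": search, "type": "mir"})
        ctype = "md5" if search.endswith("Md5sum") else "string"
        ET.SubElement(item, _q("Content"), {"type": ctype}).text = value


def _matches(condition, wanted, observed):
    """Only the two OpenIOC conditions this example uses; others raise."""
    wanted, observed = wanted.lower(), observed.lower()
    if condition == "is":
        return observed == wanted
    if condition == "contains":
        return wanted in observed
    raise ValueError(f"unsupported OpenIOC condition: {condition}")


def _evaluate(indicator, artifacts):
    """Recursively evaluate an <Indicator> against {search_term: [observed values]}."""
    results = []
    for child in indicator:
        if child.tag == _q("Indicator"):
            results.append(_evaluate(child, artifacts))
        else:
            search = child.find(_q("Context")).get("search")
            wanted = child.find(_q("Content")).text
            observed = artifacts.get(search, [])
            results.append(any(_matches(child.get("condition"), wanted, o) for o in observed))
    return all(results) if indicator.get("operator") == "AND" else any(results)


def evaluate(ioc_xml, artifacts):
    """Slide 11 'Identify potential compromise': does one host match the IOC?"""
    root = ET.fromstring(ioc_xml)
    top = root.find(f"{_q('definition')}/{_q('Indicator')}")
    return _evaluate(top, artifacts)


def sweep(ioc_xml, hosts):
    """Slide 11 'Deploy IOC': names of hosts whose collected artifacts match."""
    return [name for name, artifacts in hosts.items() if evaluate(ioc_xml, artifacts)]


# Constructed indicator set grouped like slide 9: a hash, a mutex, a domain, and a
# compound (file name AND persistence key) whose parts must co-occur to fire.
EXAMPLE_LOGIC = ("OR", [
    ("FileItem/Md5sum", "is", "0e4f8f5b3c9a1d2e7b6a5c4d3e2f1a0b"),
    ("ProcessItem/HandleList/Handle/Name", "contains", "Global\\ExampleLoaderMutex"),
    ("Network/DNS", "contains", "update.example-c2.invalid"),
    ("AND", [
        ("FileItem/FileName", "contains", "svch0st.exe"),
        ("RegistryItem/Path", "contains", "CurrentVersion\\Run\\Userinit"),
    ]),
])
EXAMPLE_IOC = build_ioc("Constructed loader indicators", EXAMPLE_LOGIC)

# Constructed host records: artifacts keyed by the OpenIOC search term they answer.
HOSTS = {
    "ws-clean": {
        "FileItem/FileName": ["svchost.exe", "explorer.exe"],
        "FileItem/Md5sum": ["a3f1c2d4e5b6a7c8d9e0f1a2b3c4d5e6"],
        "RegistryItem/Path": ["HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"],
    },
    # The file name alone is not enough: the AND block also needs the persistence key.
    "ws-lookalike": {
        "FileItem/FileName": ["svch0st.exe"],
        "RegistryItem/Path": ["HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"],
    },
    "ws-infected": {
        "FileItem/FileName": ["C:\\Users\\Public\\svch0st.exe"],
        "RegistryItem/Path": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Userinit"],
    },
    "srv-beacon": {
        "Network/DNS": ["update.example-c2.invalid"],
    },
}

if __name__ == "__main__":
    print(EXAMPLE_IOC)
    print("hits:", sweep(EXAMPLE_IOC, HOSTS))   # ['ws-infected', 'srv-beacon']
```

The compound AND block is the point a practitioner should take from slide 9: a single weak indicator such as a look-alike file name produces noise, whereas requiring the file name together with the persistence key keeps `ws-lookalike` out of the hit list. A production sweep would run the same logic tree inside an endpoint agent (Redline, in the slides' toolset) against live file, registry, handle and DNS data, and would support the full OpenIOC condition set rather than only `is` and `contains`.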

Page 12: Road map for actionable threat intelligence

Therefore threat intelligence should be a business priority because it:

Is a capability, not a product
Builds on a diverse foundation of people, processes, and technology
Provides actionable information on tactics, techniques, and procedures (TTPs) of adversaries
Allows effective response by identifying and analyzing indicators of compromise
Enables forward thinking (a proactive rather than reactive approach)

Page 13: Road map for actionable threat intelligence

So what are the next steps?

1. Develop Foundation (month 0-6)
• Make threat intelligence a business priority; allocate budget and resources
• Define program objectives
• Determine current state of critical capabilities for “build vs. buy” (e.g. of critical capabilities: malware analysis, traffic analysis, intrusion detection, legal processes, SIEM etc.)
• Create traffic and host baselines
• Conduct resource training
• Identify external sources that you plan to use (Government, Community, Public, Commercial)

2. Formalize Course (month 6-12)
• Develop framework to consume sources to generate threat intelligence: people, process, technology
• Formalize roles and responsibilities
• Pilot the framework with select intelligence sources
• Decide external and internal information sharing strategy

3. Road to Maturity (month 12-24)
• Modify framework to consume all intelligence sources
• Start sharing information across the supply chain
• Demonstrate ROI based on the threats averted
• Report metrics based on the established baselines

Page 14: Road map for actionable threat intelligence

Thanks

Abhi Singh, CISSP, CISA, CRISC, CISM, CCSK

[email protected]