CYBER THREAT INTEL: A STATE OF MIND. Internal Audit, Risk, Business & Technology Consulting

Transcription

1 CYBER THREAT INTEL: A STATE OF MIND Internal Audit, Risk, Business & Technology Consulting

2 WHO ARE WE? Randy Armknecht, CISSP, EnCE Protiviti Director - IT Consulting randy.armknecht@protiviti.com Albin Ahmetspahic Protiviti Manager IT Consulting albin.ahmetspahic@protiviti.com

3 WHAT IS CYBER THREAT INTELLIGENCE

4 CYBER THREAT INTELLIGENCE: A DEFINITION to evidence-based knowledge including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to IT or information assets and can be used to inform decisions regarding response that menace or hazard -- Gartner

5 LET S THINK ABOUT THAT Context DATA WITHOUT CONTEXT IS JUST DATA INTELLIGENCE REQUIRES CONTEXT 5

6 LET S THINK ABOUT THAT Context Mechanism WHAT ARE THE THREAT MECHANICS 6

7 LET S THINK ABOUT THAT Context Mechanism Indicators HOW WILL WE KNOW THE THREAT HAS BEEN REALIZED? 7

8 LET S THINK ABOUT THAT Context Mechanism Indicators IF THE THREAT IS REALIZED WHAT DOES IT MEAN FOR US? Implications 8

9 LET S THINK ABOUT THAT Context Mechanism Indicators IF THE THREAT IS REALIZED WHAT ARE THE ACTIONS NECESSARY TO MINIMIZE THE IMPACT Implications Actionable Advise 9

10 DOES YOUR CYBER THREAT INTELLIGENCE PROGRAM GENERATE OUTPUT THAT CONTAINS CONTEXT MECHANISMS REPEATABLE INDICATORS CONSISTENT IMPLICATIONS ACTIONABLE ADVISE 10

11 IF YOU SAID YES

12 CONGRATULATIONS!

13 CURRENT STATE 49% don t look at the threat intel or reports received 43% don t use the data for decision making 69% don t have necessary staff skills Source: 13

14 SO IF YOU RE LIKE EVERYBODY ELSE.

15 WHERE CAN WE OBTAIN INTELLIGENCE?

16 BUT ARE WE BUYING INTELLIGENCE OR JUST DATA? CONTEXT MECHANISMS INDICATORS IMPLICATIONS ACTIONABLE ADVISE 16

17 SO WHAT SHOULD WE DO?

18 CYBER THREAT INTELLIGENCE IS A STATE OF MIND Take the data from the vendors Augment it with your own internal data Mix them thoroughly in the minds of your analysts Use the results to impart change in the environment Effective intelligence is the result of a process 18

19 THE CYBER THREAT INTELLIGENCE LIFECYCLE

20 THE CYBER THREAT INTELLIGENCE LIFECYCLE Dissemination & Integration Planning & Direction 6 Evaluation CCIR Analysis & Production Feedback Collection Processing & Exploitation 20

21 CCIR COMMANDER S (CISO) CRITICAL INFORMATION REQUIREMENTS Information requirement identified by the commander as being critical to facilitating timely decision making -- Joint Publication 1-02 PIR CCIR 21

22 THE CYBER THREAT INTELLIGENCE LIFECYCLE Dissemination & Integration 6 Evaluation Planning & Direction Determine intelligence requirements Develop a CTI team Create a collection plan Generate requests for information Analysis & Production CCIR Feedback Collection Processing & Exploitation 22

23 THE CYBER THREAT INTELLIGENCE LIFECYCLE Dissemination & Integration Planning & Direction Analysis & Production 6 Evaluation CCIR Feedback Collection Collect data to satisfy intelligence requirements using: All-Source collection: Critical Applications Network Infrastructure Security Infrastructure Processing & Exploitation 23

24 THE CYBER THREAT INTELLIGENCE LIFECYCLE Dissemination & Integration Planning & Direction 6 Evaluation Analysis & Production CCIR Feedback Collection Processing & Exploitation Interpret raw data Convert interpreted data into a usable format (information) for analysis 24

25 THE CYBER THREAT INTELLIGENCE LIFECYCLE Dissemination & Integration Planning & Direction Analysis & Production Fuse information from Step 3 Provide facts, findings, and forecasts Analysis should be: Objective Timely Accurate Actionable Use Confidence Method 6 Evaluation CCIR Feedback Processing & Exploitation Collection 25

26 THE CYBER THREAT INTELLIGENCE LIFECYCLE Dissemination & Integration Deliver the finished product to intelligence consumers at various levels: Strategic (CISO) Operational (APT) Tactical (TTP) 6 Evaluation Planning & Direction Analysis & Production CCIR Feedback Collection Processing & Exploitation 26

27 WHAT DOES IT LOOK LIKE IN AN ORGANIZATION?

28 COMMON INFORMATION SECURITY ORGANIZATION STRUCTURE CISO Governance Security Engineering CTI Compliance Security Operations Center (SOC) Vulnerability Management 28

29 ANALYST ROLES & RESPONSIBILITIES Collection Threat Feeds, Alerts IOCs Incident Reporting Processing & Exploitation Analysis & Production Indexing Raw Data Sorting Raw Data Organizing Raw Data Integrating, Evaluating Information Analyzing Information Assessing Courses of Action Dissemination & Integration Strategic Consumers Operational Consumers Tactical Consumers 29

30 AN EXAMPLE

31 TOP DOWN, DEFINE THE MISSION Risk Analysis and Assessment Business Processes and Data Mission and Security Mapping Definition Existing Architecture and Infrastructure Threat Definition and Threat Intelligence Critical Applications Network Infrastructure Security Infrastructure Collect Intel Collect Intel, Net Flows Collect Intel Filtering, Correlation, Analytics, Analysis, Reporting, Prevention, and Response Monitoring, Triage, Analysis, Escalation, Prevention, Counter, and Response 31

32 APPLYING THE INTELLIGENCE CYCLE TO CTI Organic Infrastructure Endpoint Devices Routers OS / Hypervisors Databases Network Storage Servers Applications Middleware FW DMZ FW Security devices, Software, Services, and Processes Internal Resources 32

33 APPLYING THE INTELLIGENCE CYCLE TO CTI Threat Intel CTI Vendors OSINT Govt sources Common Groups Intel collection layer Security Processes Log Collectors Event Collectors Net Flows Social Media News Dark Web Media and Web Managed Device Layer Syslog / Eventlog / WMI / Logfile / SNMP / SMTP / SQL / API / Custom Organic Infrastructure Endpoint Devices Routers OS / Hypervisors Databases Network Storage Servers Applications Middleware FW DMZ FW Security Devices, Software, Services, and Processes Internal Resources 33

34 APPLYING THE INTELLIGENCE CYCLE TO CTI Analytical Layer Correlation Layer Correlation engine, filtering and analysis Operations, Security, and User Behavior Analytics Workflow automation Config and Problem Management Security process intel AV, IDS/IPS, DLP, Content Security, Data & DB Security, App Security, FIM, FW Threat Intel T Intel Vendors OSINT Govt sources Common Groups Intel collection layer Security Processes Log Collectors Event Collectors Net Flows Social Media News Dark Web Media and Web Managed Device Layer Syslog / Eventlog / WMI / Logfile / SNMP / SMTP / SQL / API / Custom Organic Infrastructure Endpoint Devices Routers OS / hypervisors Databases Network Storage Servers Applications Middleware FW DMZ FW Security Devices, Software, Services, and Processes Internal Resources 34

35 APPLYING THE INTELLIGENCE CYCLE TO CTI Presentation layer Reports Security Management IT Operations Compliance Business Analytical Layer Correlation Layer Correlation engine, filtering and analysis Operations, Security, and User Behavior Analytics Workflow automation Config and Problem Management Security process intel AV, IDS/IPS, DLP, Content Security, Data & DB Security, App Security, FIM, FW Threat Intel T Intel Vendors OSINT Govt sources Common Groups Intel collection layer Security Processes Log Collectors Event Collectors Net Flows Social Media News Dark Web Media and Web Managed Device Layer Syslog / Eventlog / WMI / Logfile / SNMP / SMTP / SQL / API / Custom Organic Infrastructure Endpoint Devices Routers OS / hypervisors Databases Network Storage Servers Applications Middleware FW DMZ FW Security Devices, Software, Services, and Processes Internal Resources 35

36 WHAT DID WE LEARN?

37 WHAT WE VE LEARNED Data!= Intelligence 37

38 CYBER THREAT INTELLIGENCE A STATE OF MIND 38

39 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.