CTI Capability Maturity Model Marco Lourenco

Transcription

1 1

2 CTI Capability Maturity Model Cyber Threat Intelligence Course NIS Summer School 2018, Crete October 2018 MARCO LOURENCO - ENISA Cyber Security Analyst Lead European Union Agency for Network and Information Security

3 Agenda 1 Whoami 2 Recapping 3 CTI capability Framework 4 CTI maturity Model 5 Good practices of CTI capability according to organizations 6 Manage the level of expectation/fulfillment KPI/Metrics 7 MedX Case Study 8 Q&A 3

4 Whoami Started as data forensics analyst for the financial sector during the 90s. Worked with Interpol in criminal investigation system projects in early 2000s. With European External Action Service as CISO in mid 2000s. United Nations and Microsoft as regional manager in EMEA during the last 10 years working with government agencies in cyber threat intelligence. Since this year in ENISA as cyber security analyst lead. 4

5 Whoami Analyst background Computer forensics Criminal investigation Infosec operational CTIA Manager Threat Intelligence Analysis evangelist 5

6 6

7 7

8 8

9 9

10 10

11 11

12 12

13 13

14 Where Analyst sit? RISK MANAGEMENT APPLICATION PROTECTION RED/ BLUE TEAMMING INTELLIGENCE ANALYSIS MONITORING & DETECTION INCIDENT RESPONSE DATA PROTECTION SECURITY POLICY AND EDUCATION 14

15 Where Analyst sit? Outsourced SOC SO 15

16 Why Cyber Threat Intelligence Analysis became an important cyber security domain? The urgent need for moving from reactive to proactive approach; Difficulties in having a better understanding of the threat landscape; The need for clarity and interpretation from all the data and information available; Going beyond what is available within the organization radar and play in anticipation; Profiling adversaries through behavior and attribution and get a better understanding of their intentions; Apply a methodological approach on how to deal with threats. 16

17 Where we need to focus? EDUCATION COMMUNITY PRACTICE PARTNER 17

18 Recapping Risk Landscape Data breach/ theft Insider threat Ransomware Web based attacks DDoS SQL Injection Phishing IMPACT SPAM LIKELIHOOD 18

19 Recapping Potential Capability Opportunity THREAT Impeding Intent Insubstantial 19

20 Recapping Enrichment Analytics Mining Data analytics Context 20

21 Recapping Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets that can be used to conduct informed decisions regarding the subject s response to that menace or hazard. 21

22 Recapping Known Knowns Known Unknowns Unknown Unknowns 22

23 Recapping Though TTP Challenging Annoying Simple Easy Trivial David Bianco - Pyramid of Pain 23

24 Short-mid term use Long-term use Recapping The board Architects sysadmins Defenders SOC staff/ir High level Low level 24

25 Recapping TYPE LEVEL SCOPE MAIN TASK Strategic High Medium to Long Term High Level Information for Risk Reduction Operational High Short to Medium Term Details of Specific Incoming Attacks Tactical Low Medium to Long Term Attackers Methodologies, Tools Technical Low Short to Medium Term and Tactics Indicators of Specific Malware 25

26 CTI Capability Framework Planning and Requirements Collection Dissemination and integration Analysis and Processing Production and Evaluation 26

27 27

28 Failing to plan is planning to fail. Winston Churchill 28

29 Planning Stakeholders alignment Scope definition Requirements identification Requirements prioritization and traceability matrix Resources evaluation and assignment 29

30 30

31 Collection Threat Landscape OSINT Syslogs Process logs Technical Reports Actors The board/ Regulators Architects sysadmins Event logs Security logs TTP MO Defenders, threat hunters SOC staff Incident Response Domain Lists Net logs Tools IDS/IPS logs Stakeholders and information collection 31

32 Collection Collection Management Example Endpoint Protection Systems Operating Systems Network Firewall Data Type System Alert Host Based Logs Netflow System Alert Kill Chain Coverage Exploitation & Installation Exploitation Installation and Actions on Objectives Internal Reconnaissance, delivery and C2 Internal, Reconnaissance, Deliver and C2 Follow on Collection Typical Storage in Days Malware sample Files and timelines Packet capture Netflow 30 days 60 days 23 days 60 days 32

33 33

34 Analysis and processing over worked unproductive analysis data analytical sweet spot analytical work unreliable autogenerated analysis tools speculative guess-work 34

35 Analysis and processing Diamond Model of Intrusion Analysis KILL-CHAIN Lockheed Martin Campaigns Heat Map TIP Threat Intelligence Platforms Excel 35

36 36

37 Production and evaluation CoA CTI Advice Threat Land. Heat Map Risk ass. Stakeholders Requirements traceability matrix 37

38 38

39 Dissemination and Integration 39

40 Maturity Model 40

41 Risk Management CTI maturity DESCRIPTIVE PREDICTIVE PRE-EMPTIVE Initial level 0 Repeatable Level 1 Managed Level 2 Optimized Level 3 SIEM deployment Log management Advanced correlation and trends analysis Capability deployed Application and database activity monitor Pattern recognition and outlier detection Proactive incident response Adaptive threat detection Machine learning and linked analysis User behavior and entity analysis Pre-emptive response Breach protection Base infrastructure Enhanced visibility Business-centric Active threat monitoring Active threat management 41

42 Good practices Know your stakeholders and what they require Utilize internal and external data /information Hone critical thinking and analytical skills Evaluate and reevaluate Adopt classic intel, tradecraft and taxonomy Learn from yours and other mistakes Profile your adversaries Generate Intelligence adjusted to your different audiences Always contextualize Stick to the requirements and scope but stay agile By ready to cooperate and share 42

43 2018 CTI-EU Bonding Getting the Cyber Threat Intelligence Community together Brussels, 5 and 6 November

44 Thank you for your attention PO Box 1309, Heraklion, Greece Tel: