Threat Intelligence-Driven Security
Building Successful Threat Intelligence Programs
Allan Thomson, LookingGlass CTO
June 2017
Intelligence-Driven Security

Threat Intelligence: evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to IT or information assets. It can be used to inform decisions regarding the subject's response to that menace or hazard. [1]

Threat intelligence informs Threat Mitigation: the elimination or reduction of the frequency, magnitude, or severity of exposure to risks, or minimization of the potential impact of a threat or warning. [2]

Threat mitigation reduces Risk: the possibility that something bad or unpleasant (such as an injury or a loss) will happen. [3]

[1] Market Guide for Security Threat Intelligence Services, Gartner, 14 October 2014
[2] http://security.stackexchange.com/questions/tagged/threat-mitigation
[3] Webster's Dictionary

2017 LookingGlass. All Rights Reserved.
The Threat Landscape (courtesy of the Google keynote presentation, FIRST 2017)

Threat sophistication, from lowest to highest:
- Technical (not people)
- People who are not good at computers
- People who are good at computers
- People who are good at computers, organized & experienced
- People who are good at computers, organized, experienced & kinetic

Which threat level do you face?
Intelligence Lifecycle

1. Define needs with the organization
2. Configure the collection management system
3. Review and fine-tune system tasking
4. Sort, filter, vet & prioritize data
5. Analyze relevant data
6. Draft and deliver the intelligence product to the organization
7. Discuss impact, manage follow-up actions
8. Assess changes to requirements, then return to step 1
Intelligence Efforts Focus

Identify intelligence efforts that protect the following, in priority order:
- Priority #1: Self
- Priority #2: Third Party & Supply Chain
- Priority #3: Indirectly Connected
The Need For Cyber Assessment: Use Case

- An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak
  https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#445543fde599
- Verizon's Data Breach Fighter Gets Hit With, Well, a Data Breach
  http://fortune.com/2016/03/24/verizon-enterprise-data-breach/
- Hackers Threaten to Release 30GB of Stolen Data From San Francisco's Municipal Railway
  http://fortune.com/2016/11/28/muni-hack-san-francisco/
Threat Intelligence Program Framework: 7 Parts

1. What you need
2. Who you need
3. How they're organized
4. How the program works
5. What the program uses
6. How it's measured
7. What & how it delivers
Intelligence Program Part 1: What You Need

Phishing examples
- Phish honeypots, spam email, and links
- Customer abuse box feed/monitoring
- Org web logs
- Phone/SMS messages
- Domain name registrations and go-live alerts
- Phishing sites detection system

Brand protection examples
- Logos and visual marks
- Impostor social media accounts
- Copyrighted image search
- Claimed relationships

Takedown services examples
- Malware
- Imposters
- Confidential files
- Phishing (phone, email)
Cyber Assessment: Use Case

Provide security executives with an assessment of either self or Third Party & Supply Chain systems and assets. Build a program to continuously assess and report.

Areas to consider
- Network footprint
- System compromises & infections
- Account compromises
- External-facing vulnerabilities
- Domain & spear-phishing risk
- Intelligence indications & warnings
Intelligence Program Part 2: Who You Need

Tip: focus on specific deliverables.

Program
- Planning
- Architecture
- Strategy

Security subject matter experts (SMEs)
- Cyber analysts
- Social analysts
- Phishing analysts
- Malware / forensic specialists
- Incident response specialists
- Brand protection analysts
- Rogue applications
- Third party risk analysts
- Physical security analysts
- Language & translation specialists

Network system SMEs
- Network security operations
- Network integration specialists

Development SMEs
- Software developers
- Data processing
- Data analytics
- Data visualization
Cyber Assessment: Use Case (people required)
- Planning
- Architect
- Manager
- Cyber analyst
- Social analyst
- Third party risk analyst
- Software developers covering data processing, data analytics and data visualization
Intelligence Program Part 3: How They're Organized

Tip: consider a tiered structure to support 24x7 operations.

Structure
- Manager
- Tier 1 cyber threat analysts (junior)
- Tier 2 cyber threat analysts (senior)

Typical work schedule
- 12-hour shifts, 4 on / 4 off, with relief support

Tiered structure is essential
- Tier 1 example: 24 full-time cyber analysts
- Tier 2 example: one full-time senior cyber threat analyst and three full-time cyber threat analysts

Backup/resiliency
- Have permanent remote team members as geographic backup and resiliency support
Cyber Assessment: Use Case

Structure
- Manager
- Cyber/social/third party analysts
- Software development

Work schedule
- On demand
- 9-to-5
Intelligence Program Part 4: How The Program Works

Tips:
- Functional-area specific
- Keep it current
- Invest in technology improvements
Intelligence Program Part 4: High Level

24x7 real-time intelligence, with alerting in two tiers.

Inputs
- Local telemetry and local org data
- Third party data
- Industry data
- Global actor data
- Global cyber data

Tier 1: rapid alerting
- Ingest
- Feed vetting / noise reduction
- Data verification
- Data tagging
- Relevancy check
- Additional tagging for data lake / threat landscape
- Escalation to Tier 2

Tier 2: contextual alerting
- Adding context (the 5 Ws)
- Review criteria
- Additional capture (e.g. screenshots)
- Quality review
- Data quality feedback and relevancy feedback back to Tier 1

Outputs
- Organization threat response via SMTP, SMS, VOIP
- Alert hotline

Timing
- Average alert 1 to 3 min after collection
- Response 10 to 30 min after collection
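The Tier 1 stage above (ingest, feed vetting / noise reduction, dedupe, relevancy against local org data, tagging, escalation) in working form. This is an added example, not LookingGlass code; the asset lists, noise allowlist, feed records and scoring weights are all constructed for illustration.

```python
"""Tier 1 rapid-alerting pass: ingest feed records, drop known noise, merge
duplicates across feeds, score relevancy against the organization's own
assets, tag, and decide what escalates to Tier 2.

All data below (assets, noise list, feed records, weights) is constructed
for illustration; it is not LookingGlass data or code."""
import ipaddress
from dataclasses import dataclass, field

# Local org data (assumed): this is what "relevant to us" means.
ORG_ASSETS = {
    "brand": "acme",
    "domains": {"acme.example", "mail.acme.example"},
    "networks": [ipaddress.ip_network("198.51.100.0/24")],
    "executives": {"ceo@acme.example"},
}

# Noise reduction: indicators that recur in feeds but are benign shared
# infrastructure (assumed allowlist; in practice maintained by Tier 2 feedback).
NOISE = {"ip": {"8.8.8.8"}, "domain": {"google.com"}}


@dataclass
class Indicator:
    type: str
    value: str
    tags: set = field(default_factory=set)
    relevancy: int = 0


# Constructed feed records; 'context' is what the source says about the value.
FEED_RECORDS = [
    {"type": "ip", "value": "203.0.113.7", "source": "industry-isac", "context": "c2"},
    {"type": "ip", "value": "203.0.113.7", "source": "commercial-feed", "context": "c2"},
    {"type": "ip", "value": "8.8.8.8", "source": "open-feed", "context": "dns"},
    {"type": "domain", "value": "acme-login.test", "source": "phish-honeypot", "context": "phish"},
    {"type": "ip", "value": "198.51.100.25", "source": "sinkhole", "context": "infection"},
    {"type": "email", "value": "ceo@acme.example", "source": "breach-dump", "context": "credential"},
]


def ingest(records):
    """Feed vetting: drop noise, then merge duplicates so one indicator
    carries every source and context that reported it."""
    merged = {}
    for rec in records:
        if rec["value"] in NOISE.get(rec["type"], set()):
            continue
        key = (rec["type"], rec["value"])
        ind = merged.setdefault(key, Indicator(rec["type"], rec["value"]))
        ind.tags.add("src:" + rec["source"])
        ind.tags.add("ctx:" + rec["context"])
    return list(merged.values())


def score_relevancy(ind):
    """Relevancy check against local org data. Weights are assumed:
    a hit on our own assets outweighs corroboration across feeds."""
    score = 0
    if ind.type == "ip":
        addr = ipaddress.ip_address(ind.value)
        if any(addr in net for net in ORG_ASSETS["networks"]):
            ind.tags.add("asset:internal-host")
            score += 3
    elif ind.type == "domain":
        if ind.value in ORG_ASSETS["domains"]:
            ind.tags.add("asset:owned-domain")
            score += 3
        elif ORG_ASSETS["brand"] in ind.value:
            ind.tags.add("brand:lookalike")
            score += 2
    elif ind.type == "email":
        if ind.value in ORG_ASSETS["executives"]:
            ind.tags.add("account:executive")
            score += 3
        elif ind.value.rpartition("@")[2] in ORG_ASSETS["domains"]:
            ind.tags.add("account:employee")
            score += 2
    # Same value reported by more than one independent source.
    if sum(1 for t in ind.tags if t.startswith("src:")) > 1:
        ind.tags.add("corroborated")
        score += 1
    ind.relevancy = score
    return score


def run_tier1(records, escalate_at=2):
    """Return (all vetted indicators, those escalated to Tier 2)."""
    indicators = ingest(records)
    for ind in indicators:
        score_relevancy(ind)
    escalated = [i for i in indicators if i.relevancy >= escalate_at]
    return indicators, escalated


if __name__ == "__main__":
    _, esc = run_tier1(FEED_RECORDS)
    for i in esc:
        print(i.relevancy, i.type, i.value, sorted(i.tags))
```

The corroborated C2 address (203.0.113.7) stays in the data lake with its tags but does not page anyone, because nothing ties it to the organization's assets; the sinkholed internal host, the executive credential and the brand lookalike domain are what Tier 2 adds the 5 Ws to.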
Intelligence Program Part 4: Phishing Detection Specific Workflow

Roles: SOC manager, SOC analyst, analyst manager.

Workflow
1. System start
2. Assign ownership
3. Site review
4. Update status
5. Action needed? If yes, determine the action type required, create the action and initiate it; if no, close the incident.
6. Close incident / end

Status options
- Not reviewed
- Under review
- Call - waiting for response
- Email - waiting for response
- C&D - waiting for response
- No action needed
- Monitor
- Closed

Incident target issues
- Claimed relationship
- Domain name violation
- Image use
- Multi-issue
- Objectionable content
- Traffic diversion
- Threat
Cyber Assessment: Use Case

Gather
- Domains &
- User accounts
- Applications

Assess
- Network footprint
- System compromises & infections
- Account compromises
- External-facing vulnerabilities
- Domain & spear-phishing risk
- Intelligence indications & warnings

Report
Intelligence Program Part 5: What The Program Uses

Tips
- Identify systems based on functional requirements
- Best-in-class focus to support process

Systems include
- Threat intelligence platform
- Response management
- Cyber intel workflow
- Phishing workflow
- Social media intel workflow
- Help desk
- Time management
Intelligence Program Part 5: Use Case

Custom web application for analysts
- Enter profile data
- Monitor and review status of the automated pipeline
- Connects the set of collection systems used

Collection systems used
- Vulnerability scanner
- Network footprinting (both open source and commercial)
- Domain analysis
- Dark and surface web crawlers
- Database and spreadsheets
- Threat intelligence platform (and aggregated MRTI, machine-readable threat intelligence)
- Internet intelligence
Intelligence Program Part 5: System Use Case

[Diagram: Infection Records, Compromises, Network Intelligence, Open Source and Vulnerability Scan sources feeding a graph of Acme Group assets: IP addresses (shown as x.x.x.xx), acme domains and accounts such as acmegrp and access.acme]
Intelligence Program Part 6: How It's Measured

Tips:
- Who are the reports for
- Expected outcomes of the reports

Including
- Daily/weekly metrics
- Threshold alerting
- Event notifications
- Visual and electronic event triggers
- Workflow/time analysis
Intelligence Program Part 6: Reports

Reports should be specific, segmented, actionable and business relevant.

Sample brand abuse detection report:

Good Afternoon,

This is the Brand Abuse Detection Report for the week of [Date]. Cyveillance has identified seven incidents that infringe on the [Brand Name] brand. These infringements consist of:
- One domain violation
- Two impersonation pages
- One claimed relationship
- Three logo violations

The data we collected for the week is reflected in the charts below:
[Charts: Threat Types; Imposter Social Media Accounts; Incidents By Source]

Company Name: a quick summary of how the page is impersonating your brand will go here.
Company Name: a quick summary of how the page is impersonating your brand will go here.

Domain Name Registration Monitoring
Newly registered domains of interest:
- cyveillance.ooo (whois)
- cyveillance.io (whois)
- cyveillance.finance (whois)

The top TLDs registered using the [brand] name this week are: .ooo, .finance, .io
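The domain name registration monitoring section of the sample report, as an added example rather than Cyveillance or LookingGlass code: it screens a week's newly registered domains against a brand name, flags exact brand-in-new-TLD registrations, brand-containing labels, homoglyph substitutions and near-miss typosquats, and tallies the TLDs used. The brand name is the one in the report above; the domain list, the homoglyph table and the edit-distance threshold are assumptions.

```python
"""Domain registration monitoring: screen newly registered domains against a
brand name and classify how each one targets it.

Added example, not Cyveillance/LookingGlass code. The brand is taken from
the sample report; the domain feed and substitution table are constructed."""
import unicodedata
from collections import Counter

BRANDS = {"cyveillance"}

# Constructed newly-registered-domain feed for one week.
NEW_DOMAINS = [
    "cyveillance.ooo",
    "cyveillance.io",
    "cyveillance.finance",
    "cyveil1ance.com",        # digit one in place of letter l
    "cyveillance-login.net",  # brand embedded in a longer label
    "cyvelliance.org",        # transposed letters
    "example.com",            # unrelated, must not be flagged
]

# Common visual substitutions (assumed table; extend from your own casework).
_SINGLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "@": "a", "$": "s"})
_MULTI = [("rn", "m"), ("vv", "w")]


def normalize(label):
    """Fold accents, case and homoglyphs so lookalikes compare equal."""
    s = unicodedata.normalize("NFKD", label)
    s = "".join(c for c in s if not unicodedata.combining(c)).lower()
    s = s.translate(_SINGLE)
    for src, dst in _MULTI:
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute), standard row-by-row DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, brand, max_distance=2):
    """Return a reason string if the domain's first label targets the brand,
    else None. Only the first label is examined (assumption that keeps the
    example short; a real deployment uses a public-suffix list)."""
    label = domain.partition(".")[0]
    if label == brand:
        return "brand-in-new-tld"
    norm = normalize(label)
    if norm == brand:
        return "homoglyph"
    if brand in norm:
        return "brand-containing"
    d = levenshtein(norm, brand)
    if d <= max_distance:
        return f"typosquat(d={d})"
    return None


def monitor(domains, brands):
    """Return (hits, tld_counter); hits are (domain, brand, reason) tuples."""
    hits, tlds = [], Counter()
    for domain in domains:
        for brand in brands:
            reason = classify(domain, brand)
            if reason:
                hits.append((domain, brand, reason))
                tlds[domain.rpartition(".")[2]] += 1
                break
    return hits, tlds


if __name__ == "__main__":
    hits, tlds = monitor(NEW_DOMAINS, BRANDS)
    for domain, brand, reason in hits:
        print(f"{domain:24} {brand:12} {reason}")
    print("top TLDs:", tlds.most_common(3))
```

The three exact registrations from the report (.ooo, .io, .finance) come back as "brand-in-new-tld"; the edit-distance threshold of 2 is deliberately loose because a short brand name will produce false positives at that distance, so the analyst review step in the phishing workflow still applies before any takedown is initiated.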
Intelligence Program Part 6: Report / System & Account Compromises (Use Case)

Analysis & summary on
- Total records analyzed
- Recent breaches listing
- Unique users covered
- Malware infections found
- High-recurrence users
- Reputation risks
- Executive credentials
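The account-compromise summary above, computed from raw credential-exposure records. This is an added example, not LookingGlass code: the records, company domains, executive list, as-of date and the triage rules (executive first, then high recurrence, then recent exposure) are all assumptions.

```python
"""System & account compromise report: aggregate credential-exposure records
for the organization's domains into records analyzed, unique users, recent
breaches, high-recurrence users and executive credentials, and assign each
user a follow-up priority.

Added example, not LookingGlass code. Records, domains, executives, the
as-of date and the priority rules are constructed assumptions."""
from collections import defaultdict
from datetime import date, timedelta

COMPANY_DOMAINS = {"acme.example"}
EXECUTIVES = {"ceo@acme.example"}
AS_OF = date(2017, 6, 1)
RECENT_WINDOW = timedelta(days=30)

# Constructed records: user, source breach, date the record was seen.
RECORDS = [
    {"user": "alice@acme.example", "breach": "forumdump-2016", "date": "2016-11-02"},
    {"user": "alice@acme.example", "breach": "combolist-2017a", "date": "2017-05-20"},
    {"user": "alice@acme.example", "breach": "pastebin-2017", "date": "2017-05-28"},
    {"user": "bob@acme.example", "breach": "forumdump-2016", "date": "2016-11-02"},
    {"user": "bob@acme.example", "breach": "forumdump-2016", "date": "2016-11-02"},  # duplicate
    {"user": "ceo@acme.example", "breach": "combolist-2017a", "date": "2017-05-20"},
    {"user": "carol@other.example", "breach": "combolist-2017a", "date": "2017-05-20"},  # out of scope
]


def in_scope(user):
    """Only accounts on company-owned mail domains belong in this report."""
    return user.rpartition("@")[2] in COMPANY_DOMAINS


def priority(user, breaches, recent):
    """Assumed triage order: executive > high recurrence > recent exposure."""
    if user in EXECUTIVES:
        return "critical"
    if len(breaches) >= 3:
        return "high"
    if any(b in recent for b in breaches):
        return "medium"
    return "low"


def summarize(records, recurrence_threshold=3):
    per_user = defaultdict(set)   # user -> set of distinct breaches
    breach_dates = {}             # breach -> latest date seen
    for rec in records:
        user = rec["user"].lower()
        if not in_scope(user):
            continue
        per_user[user].add(rec["breach"])
        seen = date.fromisoformat(rec["date"])
        breach_dates[rec["breach"]] = max(seen, breach_dates.get(rec["breach"], seen))
    recent = {b for b, d in breach_dates.items() if AS_OF - d <= RECENT_WINDOW}
    return {
        "total_records": len(records),
        "unique_users": len(per_user),
        "recent_breaches": sorted(recent),
        "high_recurrence": sorted(u for u, b in per_user.items() if len(b) >= recurrence_threshold),
        "executive_credentials": sorted(u for u in per_user if u in EXECUTIVES),
        "priority": {u: priority(u, b, recent) for u, b in per_user.items()},
    }


if __name__ == "__main__":
    for key, value in summarize(RECORDS).items():
        print(f"{key}: {value}")
```

Deduplicating on (user, breach) before counting matters: the same dump is typically re-sold and re-indexed many times, and counting raw rows would turn one exposure into a "high-recurrence" user.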
Intelligence Program Part 6: Report / Vulnerabilities (Use Case)
- Listing of sites analyzed
- Assessment of active vulnerabilities found
- Number of instances
Intelligence Program Part 6: Report / Domain & Spear-Phishing Risk (Use Case)
- Company-owned domains
- High-risk domains
Intelligence Program Part 6: Report / Intelligence & Warnings (Use Case)
- Aggregated view of threat intelligence reports
- Context and background to support analysis
- Analysis and prioritization
- Recommendations on critical intelligence to act on
Intelligence Program Part 6: Report / Exec Summary (Use Case)

Provide security professionals with:
- Insight into application vulnerabilities
- Information on potential leaks and theft of sensitive data
- Holes in the internal security posture identified, to ensure compliance
- The latest data breaches and compromised user accounts
- Reduced risk of high-impact exploits such as ransomware, website defacements or malicious injection
Intelligence Program Part 7: What & How It Delivers

Tip: empower rapid response to incidents and maintain goodwill.

Internal groups
- SecOps/NetOps
- IT, Compliance, Third Party Risk

Supply chain
- Infosec/SecOps

Industry
- Data feeds (open, commercial)
- Technology learnings
- Trusted sharing

Law enforcement
Intelligence Program Part 7: Use Case

The final report influences and updates the connected teams:
- Vulnerability management: patched
- IT: policy & password changes
- Supply chain / third party risk: updated policy and enforcement
- NetOps & SecOps: security rules update
Recommendations

- Justify: justify a threat intelligence program by the business risk it reduces
- Define: define the program across Self, Third Party and Indirect
- Focus: focus intelligence efforts on Self first, then Third Party, then Indirect
- Protect: protect the business by leveraging threat intelligence
Questions?

www.lookingglasscyber.com
@LG_Cyber
@LookingGlassCyber
/company/lookingglass
/+LookingGlassCyber