CYBER THREAT INTEL: A STATE OF MIND Internal Audit, Risk, Business & Technology Consulting
WHO ARE WE?
Randy Armknecht, CISSP, EnCE, Protiviti Director - IT Consulting, randy.armknecht@protiviti.com
Albin Ahmetspahic, Protiviti Manager - IT Consulting, albin.ahmetspahic@protiviti.com
WHAT IS CYBER THREAT INTELLIGENCE
CYBER THREAT INTELLIGENCE: A DEFINITION
"Evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to IT or information assets that can be used to inform decisions regarding response to that menace or hazard." -- Gartner
LET'S THINK ABOUT THAT
Context: data without context is just data. Intelligence requires context.
Mechanism: what are the threat mechanics?
Indicators: how will we know the threat has been realized?
Implications: if the threat is realized, what does it mean for us?
Actionable advice: if the threat is realized, what are the actions necessary to minimize the impact?
DOES YOUR CYBER THREAT INTELLIGENCE PROGRAM GENERATE OUTPUT THAT CONTAINS:
- Context
- Mechanisms
- Repeatable indicators
- Consistent implications
- Actionable advice
IF YOU SAID YES
CONGRATULATIONS!
CURRENT STATE
49% don't look at the threat intel or reports received
43% don't use the data for decision making
69% don't have the necessary staff skills
Source: http://www.infosecurity-magazine.com/news/firms-value-threat-intel-but-fail/
SO IF YOU'RE LIKE EVERYBODY ELSE...
WHERE CAN WE OBTAIN INTELLIGENCE?
BUT ARE WE BUYING INTELLIGENCE OR JUST DATA?
Does what we buy contain context, mechanisms, indicators, implications, and actionable advice?
SO WHAT SHOULD WE DO?
CYBER THREAT INTELLIGENCE IS A STATE OF MIND
- Take the data from the vendors
- Augment it with your own internal data
- Mix them thoroughly in the minds of your analysts
- Use the results to impart change in the environment
Effective intelligence is the result of a process.
THE CYBER THREAT INTELLIGENCE LIFECYCLE
THE CYBER THREAT INTELLIGENCE LIFECYCLE
1. Planning & Direction
2. Collection
3. Processing & Exploitation
4. Analysis & Production
5. Dissemination & Integration
6. Evaluation & Feedback
The CCIR sit at the center of the cycle.
CCIR: COMMANDER'S (CISO) CRITICAL INFORMATION REQUIREMENTS
"Information requirement identified by the commander as being critical to facilitating timely decision making." -- Joint Publication 1-02
PIR (priority intelligence requirements) are a subset of the CCIR.
THE CYBER THREAT INTELLIGENCE LIFECYCLE, PHASE BY PHASE
1. Planning & Direction: determine intelligence requirements; develop a CTI team; create a collection plan; generate requests for information.
2. Collection: collect data to satisfy the intelligence requirements using all-source collection: critical applications, network infrastructure, security infrastructure.
3. Processing & Exploitation: interpret raw data; convert the interpreted data into a usable format (information) for analysis.
4. Analysis & Production: fuse the information from step 3; provide facts, findings, and forecasts. Analysis should be objective, timely, accurate, and actionable, and should use a confidence method.
5. Dissemination & Integration: deliver the finished product to intelligence consumers at various levels: strategic (CISO), operational (APT), tactical (TTP).
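The "take vendor data, augment it with your own internal data" idea and lifecycle phases 3 to 5 above can be shown end to end in a few dozen lines. The following Python script is an added example written for this page; it is not Protiviti's code and not part of the original deck. The vendor feed, proxy log, asset inventory, actor names and host names are all constructed samples, and the confidence rule (a vendor rating raised by corroborating internal sightings) and the advice strings are assumptions standing in for whatever confidence method and playbook an organization actually uses. Its point is the slide's point: an indicator that is never seen in your environment stays data, and only the indicators fused with internal context become a product with context, mechanism, indicator, implication and advice.

```python
"""Fuse a vendor indicator feed with internal telemetry to produce intelligence
records carrying context, mechanism, indicator, implication and advice.
All inputs below are constructed samples, not real data."""
import csv
import io
from collections import defaultdict

# Constructed vendor feed (hypothetical), CSV as a vendor might export it.
VENDOR_FEED = """indicator,type,mechanism,actor,vendor_confidence
evil-update.example,domain,malware C2 beacon over HTTPS,GROUP-A,medium
203.0.113.7,ipv4,credential-phishing landing page,GROUP-B,high
benign-cdn.example,domain,possible typosquat,unknown,low
"""

# Constructed internal proxy log (hypothetical): timestamp,source host,destination.
INTERNAL_PROXY_LOG = """2016-05-01T09:12:03Z,ws-finance-07,evil-update.example
2016-05-01T09:12:41Z,ws-finance-07,cdn.vendor.example
2016-05-01T10:03:17Z,srv-payroll-01,evil-update.example
2016-05-01T11:45:00Z,ws-guest-22,news.example
"""

# Constructed asset inventory (hypothetical): the context a vendor cannot supply.
ASSET_INVENTORY = {
    "ws-finance-07": {"owner": "Finance", "criticality": "high"},
    "srv-payroll-01": {"owner": "HR", "criticality": "critical"},
    "ws-guest-22": {"owner": "Guest network", "criticality": "low"},
}
CRITICALITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def process_feed(raw_csv):
    """Processing & Exploitation: turn the raw vendor CSV into normalized dicts."""
    normalized = []
    for row in csv.DictReader(io.StringIO(raw_csv)):
        normalized.append({
            "indicator": row["indicator"].strip().lower(),
            "type": row["type"].strip().lower(),
            "mechanism": row["mechanism"].strip(),
            "actor": row["actor"].strip(),
            "vendor_confidence": row["vendor_confidence"].strip().lower(),
        })
    return normalized


def sightings_by_indicator(raw_log):
    """Index internal telemetry by destination so matching is a dict lookup."""
    index = defaultdict(list)
    for line in raw_log.strip().splitlines():
        ts, host, dest = (field.strip() for field in line.split(","))
        index[dest.lower()].append((ts, host))
    return index


def analyze(indicators, sightings, inventory):
    """Analysis & Production: fuse vendor data with internal context and emit one
    product per indicator actually observed in the environment."""
    products = []
    for ioc in indicators:
        hits = sightings.get(ioc["indicator"], [])
        if not hits:
            continue  # data, not intelligence: no context in this environment
        hosts = sorted({host for _, host in hits})
        worst = max((inventory.get(h, {}).get("criticality", "low") for h in hosts),
                    key=lambda c: CRITICALITY_RANK[c])
        # Assumed confidence method: vendor rating raised by corroborating sightings.
        confidence = "high" if len(hits) > 1 or ioc["vendor_confidence"] == "high" else "medium"
        if CRITICALITY_RANK[worst] >= CRITICALITY_RANK["high"]:
            advice = "isolate affected hosts, block indicator at proxy/DNS, open incident"
        else:
            advice = "block indicator at proxy/DNS, monitor for further sightings"
        products.append({
            "indicator": ioc["indicator"],
            "mechanism": ioc["mechanism"],
            "actor": ioc["actor"],
            "context": {"hosts": hosts, "first_seen": min(ts for ts, _ in hits),
                        "owners": sorted({inventory.get(h, {}).get("owner", "unknown") for h in hosts})},
            "implication": f"{ioc['type']} indicator tied to {ioc['actor']} contacted from {worst}-criticality asset(s)",
            "confidence": confidence,
            "advice": advice,
        })
    return products


def disseminate(products):
    """Dissemination & Integration: one view per consumer level named on the slides."""
    return {
        "strategic": {"active_actors": sorted({p["actor"] for p in products}),
                      "products": len(products)},
        "operational": [{"actor": p["actor"], "mechanism": p["mechanism"],
                         "owners": p["context"]["owners"]} for p in products],
        "tactical": [{"indicator": p["indicator"], "advice": p["advice"]} for p in products],
    }


def run_cycle():
    """Run phases 3 to 5 over the constructed inputs; returns (products, views)."""
    products = analyze(process_feed(VENDOR_FEED),
                       sightings_by_indicator(INTERNAL_PROXY_LOG), ASSET_INVENTORY)
    return products, disseminate(products)


if __name__ == "__main__":
    finished, views = run_cycle()
    for product in finished:
        print(product)
    print(views["tactical"])
```

Of the three vendor indicators only one is ever contacted from inside the constructed environment, so only one product comes out; the other two never leave the "data" column. Swapping the proxy log for your own telemetry and the inventory for your CMDB is what turns the script from a demonstration into the collection plan the slides describe.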
WHAT DOES IT LOOK LIKE IN AN ORGANIZATION?
COMMON INFORMATION SECURITY ORGANIZATION STRUCTURE
CISO, with the following functions reporting in:
- Governance
- Security Engineering
- CTI
- Compliance
- Security Operations Center (SOC)
- Vulnerability Management
ANALYST ROLES & RESPONSIBILITIES
Collection: threat feeds, alerts, IOCs, incident reporting
Processing & Exploitation: indexing raw data, sorting raw data, organizing raw data
Analysis & Production: integrating and evaluating information, analyzing information, assessing courses of action
Dissemination & Integration: strategic consumers, operational consumers, tactical consumers
AN EXAMPLE
TOP DOWN, DEFINE THE MISSION
- Mission and Security Definition
- Business Processes and Data Mapping
- Risk Analysis and Assessment
- Existing Architecture and Infrastructure
- Threat Definition and Threat Intelligence
Collection sources: Critical Applications (collect intel), Network Infrastructure (collect intel, net flows), Security Infrastructure (collect intel)
Processing: filtering, correlation, analytics, analysis, reporting, prevention, and response
Operations: monitoring, triage, analysis, escalation, prevention, counter, and response
APPLYING THE INTELLIGENCE CYCLE TO CTI
Layers, bottom up:
- Organic Infrastructure (internal resources): endpoint devices, routers, OS / hypervisors, databases, network storage, servers, applications, middleware, FW / DMZ / FW, security devices, software, services, and processes
- Managed Device Layer: Syslog / Eventlog / WMI / Logfile / SNMP / SMTP / SQL / API / Custom
- Intel Collection Layer: security processes, log collectors, event collectors, net flows; Threat Intel (CTI vendors, OSINT, govt sources, common groups); Media and Web (social media, news, dark web)
- Correlation Layer: correlation engine, filtering and analysis; security process intel (AV, IDS/IPS, DLP, content security, data & DB security, app security, FIM, FW)
- Analytical Layer: operations, security, and user behavior analytics; workflow automation; config and problem management
- Presentation Layer: reports for security management, IT operations, compliance, business
WHAT DID WE LEARN?
WHAT WE'VE LEARNED
Data != Intelligence
CYBER THREAT INTELLIGENCE: A STATE OF MIND
2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. All registered trademarks are the property of their respective owners.