Cyber Threat Intelligence: Integrating the Intelligence Cycle
Elias Fox and Michael Norkus, Cyber Threat Intelligence Analysts
January 2017
CLASSIFICATION MARKS

The Global Domain: Network Domain
The internet offers global connectivity to all the good things contained therein, and to all the bad things as well.
Situational Awareness
Risk and opportunity management is a core function of every organization. Situational awareness is key to improved business decisions.
The Value of Cyber Threat Intelligence
Proper CTI should extend our vision and allow us to take steps that normally we would not.
Noblis Definition and Vision
- Requirements-Driven Methodology
- Traditional and Non-Traditional Intelligence Techniques
- Holistic Cyber Threat Picture: Tactical, Operational, Strategic
- Proactively Diminish Threats
- Technical Expertise
- Analytic Tradecraft
- Timely, Accurate
Our vision incorporates network defense data and all-source intelligence to provide a holistic cyber threat picture.
The Three Levels of Threat Intelligence
- Strategic: long-term trends
- Operational: short-term trends
- Tactical: immediate timeframe
"tactics are concerned with doing the job right, and higher levels of strategy are concerned with doing the right job." (Drew and Snow, 2006)
Cyber Threat Intelligence: A Holistic Picture
Posture runs from Reactive (Tactical) to Proactive (Strategic):
- Tactical: focused on today/tomorrow; feeds and IoCs
- Operational: focused on next week/month; adversary TTP
- Strategic: focused on years ahead; planning and risk
Proactive Defense Measures!
Threats: Man in the Middle, DDoS, Social Engineering
Risk Mitigation: What do we have that they want? How do we protect our data?
Incorporating the Traditional Intelligence Cycle
Requirements and Planning -> Collection -> Processing and Exploitation -> Analysis and Production -> Dissemination -> Monitoring and Response (feeding back into Requirements and Planning)
Incorporating the traditional Intelligence Cycle into analysts' workflow will expand the precision with which we can identify, defend against, and prevent cyber threats.
[Diagram: collection sources and topics, e.g. NETFLOW; Industrial Attacks]
Monitoring and Response Integration
Integrating CTI, network operations and security, and business operations enables more effective decisions to balance risk, response, and allocation of resources.
IdealWorks: Risk Assessment
Incorporating the Traditional Intelligence Cycle
Requirements and Planning -> Collection -> Processing and Exploitation -> Analysis and Production -> Dissemination -> Monitoring and Response (feeding back into Requirements and Planning)
Incorporating the Intelligence Cycle into analysts' workflow allows the company to proactively identify threats and intelligence gaps.
[Diagram: intelligence requirements, collected data and gaps for the IdealWorks example: TTP; Military Modernization; Economic Opportunity; Job Applications; Market Access Agreements; Industrial Attacks; Leaps in R&D; NETFLOW Traffic; Gaps]
Monitoring and Response Integration
A Monitoring and Response framework links the organization's intelligence support with its network operations division and drives information flow.
Benefits of Integrating People and Tools
Knowledge, Skills, and Abilities: Integrating People
- Cyber Threat Intelligence Analyst (Foundational Skills)
- CND Analyst (Technical Track)
- Open Source Analyst (Analytical Track)
Just as people and tools are behind these threats, people and tools are required to resolve these threats; automation and machine learning provide only half of the solution.
Now remember, Proactive Man says: