Cyber Threat Intelligence
Debbie Janeczek
May 24, 2017
AGENDA
- Today's Cybersecurity Challenges
- What is Threat Intelligence?
- Data, Information, Intelligence
- Strategic, Operational and Tactical Threat Intelligence
- Intelligence Lifecycle
- Importance of Defined Requirements
- Information Sharing
TODAY'S CYBERSECURITY CHALLENGES
- Vastly expanding attack surface area: mobile, cloud, virtualization, global business operations
- Large protection investments and no good prioritization filter: who, why, when, how?
- Operational chaos: too many alarms, not enough people, poor prioritization
- Legacy security tools that rely on past events and signatures, versus extremely agile adversaries
- Severe breaches continue
GLOBAL CYBER THREAT LANDSCAPE
- Active and global: transcends geographies and sectors
- Multiple motivations: cyber crime, espionage, hacktivism, destruction, etc.
- Low entry barriers: actors use what works, not necessarily sophisticated methods; an open marketplace provides capabilities
- Structured and vibrant ecosystem: provides better tools and infrastructure, shares ideas and methods, pools resources
THREAT INTELLIGENCE
"You keep using (that term), I do not think it means what you think it means."
WHAT IS THREAT INTELLIGENCE?
- Information that can aid decisions, with the aim of preventing an attack or decreasing the time taken to discover an attack
- Intelligence can also be information that, instead of aiding specific decisions, helps to illuminate the risk landscape
- Most organizations do not have enough information about the threats they face, or about their own security posture, to defend themselves properly
- The idea is to provide the ability to recognize and act upon indicators of attack and compromise scenarios in a timely manner
- A set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities, and compromise indicators
Source: Joint Publication 2-0
LEVELS OF INTELLIGENCE
- Strategic questions
  - What keeps the C-suite up at night?
  - What has the possibility to threaten our global business interests and impact our customers?
  - Who will target your organization?
- Operational questions
  - How do we shape our defenses and responses?
  - What are the Tactics, Techniques and Procedures (campaign) of the threat actor?
- Tactical questions
  - Which one of these 100 events should I examine first?
  - What are the attributable IOCs of the attack?
- These questions are divided into answerable parts
  - What is the pattern of who is attacked by the threat actor?
  - How does a campaign unfold, step by step?
- Intelligence Requirements and Priority Intelligence Requirements
  - Drive the collection management plan
  - Identify intelligence gaps
  - Create the needs statement and business case for new security services or products
INTELLIGENCE LIFECYCLE
The Intelligence Lifecycle is the underlying backbone of the CTI program, driving requirements, collection efforts, and the development of intelligence products. Its phases form a cycle:
1. Planning and Direction
2. Collection
3. Processing and Exploitation
4. Analysis and Production
5. Dissemination
INTELLIGENCE REQUIREMENTS
- Intelligence Requirements (IRs) are long-term, broadly defined categories that collectively set the scope of the team's efforts and responsibilities
  - Persist for several years
  - If a request does not pertain to an existing IR, it is outside the team's scope
- Priority Intelligence Requirements (PIRs) are more specific requests, reviewed every six months, that revolve around a particular topic
- Developing IRs and PIRs enables the CTI team to manage vendor feeds so that only relevant intelligence is collected
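As an added illustration of how IRs and PIRs steer scope, collection and gap identification (this slide and the Levels of Intelligence slide), the following Python is written here and is not part of the deck. It models hypothetical IRs, PIRs and vendor-feed records: requests outside every IR are out of scope, feed records are kept only when they serve a PIR, PIRs with no feed coverage are reported as gaps, and each PIR tracks its six-month review.

```python
import re
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed model (hypothetical IRs, PIRs and feed records): long-lived IRs set
# the team's scope, six-month PIRs decide which vendor-feed records are kept,
# and PIRs with no feed coverage surface as intelligence gaps.
# Intelligence Requirements: broad categories that persist for years.
IRS = {"IR-1": {"payments", "pos", "carding"},        # threats to card processing
       "IR-2": {"espionage", "apt", "phishing"}}      # espionage against the network

@dataclass(frozen=True)
class PIR:
    pir_id: str
    ir_id: str                  # every PIR hangs off an existing IR
    keywords: frozenset         # specific terms looked for in feed records
    approved: date
    review_every_days: int = 182    # reviewed roughly every six months

    def due_for_review(self, today):
        return today >= self.approved + timedelta(days=self.review_every_days)

PIRS = [PIR("PIR-1", "IR-1", frozenset({"pos", "memory scraper"}), date(2017, 1, 10)),
        PIR("PIR-2", "IR-2", frozenset({"spear phishing", "credential theft"}), date(2016, 10, 1)),
        PIR("PIR-3", "IR-2", frozenset({"watering hole"}), date(2017, 3, 1))]
TODAY = date(2017, 5, 24)   # date of the deck, used for the review check
FEED = [  # constructed vendor feed records
    {"id": "F1", "description": "POS memory scraper variant seen at retailers"},
    {"id": "F2", "description": "Spear phishing campaign delivering credential theft kit"},
    {"id": "F3", "description": "DDoS booter service advertised on a forum"}]

def in_scope(request_topics, irs=IRS):
    """A request is in scope only if it pertains to at least one existing IR."""
    return [ir_id for ir_id, topics in irs.items() if topics & set(request_topics)]

def matching_pirs(record, pirs=PIRS):
    """PIRs whose keywords occur as whole words in the feed record's text."""
    text = record["description"].lower()
    return [p.pir_id for p in pirs
            if any(re.search(r"\b" + re.escape(k) + r"\b", text) for k in p.keywords)]

def triage_feed(records, pirs=PIRS):
    """Drop records that serve no PIR; rank the rest by how many PIRs they serve."""
    kept = [(len(h), r["id"], h) for r in records if (h := matching_pirs(r, pirs))]
    return sorted(kept, key=lambda t: (-t[0], t[1]))

def collection_gaps(records, pirs=PIRS):
    """PIRs no feed record addresses: a gap to raise with vendors or new sources."""
    covered = {pid for r in records for pid in matching_pirs(r, pirs)}
    return [p.pir_id for p in pirs if p.pir_id not in covered]
```

Whole-word matching is deliberate: a bare substring test for "pos" would also keep records about "possible" or "post", which is exactly the irrelevant collection the PIRs are meant to filter out.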
INFORMATION SHARING EXAMPLE
WHY THREAT INTELLIGENCE?
- Good intelligence allows decision makers to act more boldly
- The decision maker's time is valuable: match his priorities, command his attention
- Only deliver actionable information; no history lessons, no news reports
- The quality of the analysis is directly proportional to the quality of the question asked
- No software can replace the analyst
- Intelligence is an art, not a science
- Less is more
- Everyone and everything is a potential information source
- Disperse the team, embed the resources, build a network across the silos
- Any system that does not sustain itself is not a system
- New does not mean better; old does not mean better
- Intelligence can be cheap, fast, accurate: pick any two
- The buck stops with me; the team gets the credit
Thank You
Questions?
Contact Information: Debbie Janeczek, DeborahJaneczek@aexpcom, T: 602-766-3930