A Primer on Cyber Threat Intelligence - ISSA NOVA

Transcript of the 15-page slide deck "A Primer on Cyber Threat Intelligence" (iSIGHT Partners, presented to ISSA NOVA), source: nova.issa.org/wp-content/uploads/2014/07/iSIGHT-Partners_ISSA-NOVA...

A Primer on Cyber Threat Intelligence

…AS ADVERTISED

BUZZWORD BINGO!

TODAY’S CYBER SECURITY CHALLENGES

• CISOs finding it difficult to define security ROI to executives

  • Short shelf life for CISOs

• Vastly expanding attack surface area

  • Mobile, cloud, virtualization, global business operations

• Large protection investments and no good prioritization filter

  • Who, why, when, how

• Operational chaos

  • Too many alarms, not enough people, poor prioritization

• “Brain dead” security tools that rely on past events/signatures

  • Versus extremely agile adversaries

• Severe breaches continue…

GLOBAL CYBER THREAT LANDSCAPE

• Active & Global

  • Transcends Geographies and Sectors

• Multiple Motivations

  • Cyber Crime, Espionage, Hacktivism, Destruction, etc.

• Low Entry Barriers

  • Actors use what works; not necessarily sophisticated methods

  • Open marketplace providing capabilities

• Structured & Vibrant

  • Ecosystem providing better tools, infrastructure, sharing ideas and methods, pooling resources

MY INTELLIGENCE PHILOSOPHY

• Good intelligence allows decision makers to act more boldly

• The decision maker’s time is valuable. Match his priorities – command his attention

• Only deliver actionable information, no history lessons, no news reports

• The quality of the analysis is directly proportional to the quality of the question asked

• Good analysts are respected but not always popular

• No software can replace the analyst

• Intelligence is an art, not a science

• Less is more

• Everyone & everything is a potential information source

• Disperse the team, embed the resources, build a network across the silos

• Any system that does not sustain itself is not a system

• New does not mean better; Old does not mean better

• Intelligence can be Cheap-Fast-Accurate. Pick any two

• The buck stops with me; the team gets the credit


FORMAL RESEARCH PROCESS YIELDS RICH, CONTEXTUAL THREAT INTELLIGENCE

(Intelligence cycle diagram: Requirements → Collection → Processing → Analysis → Dissemination → Feedback & Clarification, returning to Requirements)

• Intelligence requirements created based on clients, sectors and adversaries

• Requirements prioritized by analysts, matched to current holdings, then passed to research teams

• Collection planning and tasking of global teams

• Requirements collected by unique global teams and returned to Fusion Center

• Processing and exploitation to standardize multiple information sources, ready for analysis

• Analysis of information and production of reporting for clients

• Fully fused, corroborated, cross-referenced and edited multi-source intelligence reporting disseminated to clients

• Client feedback, refinement of intelligence product

• Intelligence requirements requested from client

“ACTIONABLE INTELLIGENCE” OBJECTIVES

• Strategic (Executives): Provide understanding of identified and credible threats, correlated to business impact

• Operational (Managers & Analysts): Enable formulation of approaches to dealing with threats and prioritization of team activity

• Tactical (Security Operators): Provide understanding of how to mitigate threats and enable tools to do the heavy lifting

CYBER TACTICAL INTELLIGENCE

Threat Data Feed

• Bad IP Address

• Ranking

• Last Hop Geo Location

Cyber Threat Intelligence

• Bad IP Address

• Actor Group

• Motivation

• Primary Targets

• Ability to Execute

• Additional IPs, Domains

• Malware Used

• Lures

• Vulnerabilities Targeted

• Historic Campaigns

• Successful Compromises

WHAT ARE INTELLIGENCE REQUIREMENTS?

Strategic questions

• What keeps the C-suite up at night?

• What news stories or business events seem to be their hot buttons?

• Will the Qassam Cyber Fighters (QCF) target us?

Operational questions

• What does a targeted DDOS attack look like?

• How do we shape our defenses and responses?

• What are the technical capabilities of the QCF?

• What are the Tactics, Techniques and Procedures (Campaign) of the QCF?

Tactical questions

• Which one of these 100 events should I examine first?

• What are attributable IOCs of the QCF?

• What is the pattern of who is attacked by QCF?

• How does a QCF campaign unfold, step by step?

These questions are divided into answerable parts

• = Priority Intelligence Requirements (PIR) and Other Intelligence Requirements (OIR)

• Drives the collection management plan

• Identifies intelligence gaps

• Create the needs statement & business case for new security services or products

EXAMPLE INTELLIGENCE DELIVERABLES

• Media Counterpoint – daily

• Threat Intelligence Briefing – daily or weekly

• Threat Intelligence Report – monthly

• Threat Intelligence Warning – as required

• Threat Intelligence Alert – as required

• Threat Scenarios – quarterly

• Sensor Enrichment – as required

• Threat Metrics – weekly

• Intelligence Support – Digital Brand Protection, Incident Response, Fraud, Attack Surface Management, Physical Security – as required

THREAT MATRIX

(Matrix diagram: vertical axis "Threat Actor Focus" with values Company X, Business sector, Industry, Enterprise, General; horizontal axis "Threat Actor Capability" with values Novice, Apprentice, Competent, Skilled, Expert; plotted example threats: Hacktivist campaign, IP theft)

ACTIONABLE THREAT INTELLIGENCE: FUNCTIONAL & TECHNICAL INTEGRATION

(Diagram: intelligence feeding each security function, with the activity it enables and the value it delivers)

Security functions receiving intelligence

• Surface Protections

• SIEM

• Incident Response, Security Analytics, Forensics, Investigations

• Governance, Risk, Compliance

• Patch Management

Activity:

• Ingress/Egress Blocking

• Event Prioritization

• Analyze Incidents (Who, Why) & Hunt for Issues

• Remediation & Attribution

• Prioritize Most Critical Patches

Value:

• Enhance Protection, Block with Confidence

• Shrink the Problem

• Who/Why Attack, Did We Find Everything?

• Improve Decisions, Brief Executives
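Slides 9, 10 and 13 together describe the tactical use of intelligence: the same bad IP that a threat data feed reports with only a ranking is, in CTI holdings, tied to an actor group, its primary targets and its ability to execute, and that context is what answers "which one of these 100 events should I examine first?" when it is wired into SIEM event prioritization. The following is an added Python example, not code from the deck or from iSIGHT Partners; the feed entries, CTI records, actor names, scoring weights and SIEM events are all constructed.

```python
# Constructed threat data feed: indicator, ranking, last-hop geolocation only.
THREAT_FEED = {
    "198.51.100.7": {"ranking": 90, "last_hop_geo": "ZZ"},
    "203.0.113.45": {"ranking": 40, "last_hop_geo": "ZZ"},
}

# Constructed CTI holdings: the same indicators with actor context attached.
CTI_HOLDINGS = {
    "198.51.100.7": {"actor_group": "ExampleActor-A", "motivation": "espionage",
                     "primary_targets": ["finance", "energy"], "ability_to_execute": 5},
    "203.0.113.45": {"actor_group": "ExampleActor-B", "motivation": "hacktivism",
                     "primary_targets": ["retail"], "ability_to_execute": 2},
}

# Constructed SIEM events; the third source IP is unknown to both lookups.
SAMPLE_EVENTS = [
    {"id": "ev-1", "src_ip": "203.0.113.45"},
    {"id": "ev-2", "src_ip": "198.51.100.7"},
    {"id": "ev-3", "src_ip": "192.0.2.9"},
]


def score_event(event, our_sector, feed=THREAT_FEED, cti=CTI_HOLDINGS):
    """Return (score, reasons): a feed hit adds its ranking; a CTI hit adds 10
    per level of ability to execute plus 50 when the actor's primary targets
    include our sector, so actors that actually target us rise to the top."""
    ip = event["src_ip"]
    score, reasons = 0, []
    if ip in feed:
        score += feed[ip]["ranking"]
        reasons.append(f"feed ranking {feed[ip]['ranking']}")
    record = cti.get(ip)
    if record:
        score += 10 * record["ability_to_execute"]
        reasons.append(f"{record['actor_group']} ability {record['ability_to_execute']}/5")
        if our_sector in record["primary_targets"]:
            score += 50
            reasons.append(f"{record['actor_group']} targets {our_sector}")
    return score, reasons


def prioritize(events, our_sector):
    """Order events so the analyst examines the highest-scoring one first."""
    ranked = [(event["id"], *score_event(event, our_sector)) for event in events]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for event_id, score, reasons in prioritize(SAMPLE_EVENTS, "finance"):
        print(event_id, score, "; ".join(reasons) or "no intelligence context")
```

With only the feed, ev-1 and ev-2 differ by ranking alone; with CTI context, the event from the actor that targets our sector is separated from the rest by a wide margin, and unknown sources fall to the bottom with no context.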


END TO END INTELLIGENCE PROCESS


W. Michael Susong

+1 214 886 7714

[email protected]

iSIGHT Partners

200+ experts, 16 Countries, 24 Languages, 1 Mission