Deloitte FST Media Threat Intel FINAL 2003
Threat Intelligence: Fair dinkum or dog's breakfast?
James Nunn-Price & Puneet Kukreja
23rd and 25th February 2016
Contents
• Simplifying the market noise
• Where should threat intelligence be positioned?
• What does good look like?
• Improving operating effectiveness using situational awareness
Simplifying the market noise
Deloitte Touche Tohmatsu © 2016 - Threat Intelligence - Fair dinkum or dog's breakfast?
Threat landscape
It’s complex and confusing
Types of cyber attacks:
• Distributed Denial of Service (DDoS)
• Application Layer Attacks
• Brute Force Attacks
• Network Protocol Attacks
• Known Vulnerability Exploitation
• Zero Day Exploitation
• Phishing
• Rogue Update Attacks
• Watering Hole Attacks
Threat landscape
A bit late for so many!
The big data problem
(aka dog’s breakfast…)
Data → Information → Knowledge → Intelligence
• Data is raw and it’s abundant.
• It simply exists and has no significance beyond its existence.
• Information is data that has been given meaning by way of relational connections.
• The bulk of commodity intelligence providers today are providing information feeds.
• Knowledge is the appropriate collection of information, such that its intent is to be useful.
• Very few providers and internal security functions get this far.
• Intelligence is the ability to acquire and apply knowledge and skills to meet an objective.
• Due to information overload and limited resources, rarely is this achieved.
• Intelligence is about understanding something. This can only effectively be developed over time. Intelligence is not about the sources or the raw information. Intelligence is about what you can do with it.
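The data/information/knowledge distinction above is easiest to see in code. The following is an added example, not material from the presentation: a constructed indicator feed (the "data" a commodity provider ships) is given relational meaning by joining it to constructed log sightings and an asset inventory ("information"), then arranged by asset criticality into something a team can act on ("knowledge"). The feed format, host names, criticality labels and RFC 5737 test addresses are all constructed for the example.

```python
"""Data -> information -> knowledge over a constructed indicator feed."""
from collections import defaultdict

# Constructed sample feed (not any provider's real feed): indicator,type,tag
RAW_FEED = """\
# indicator,type,tag
198.51.100.23,ip,c2
203.0.113.77,ip,scanner
malicious.example,domain,phishing
192.0.2.9,ip,c2
"""

# Constructed asset inventory: host -> (criticality, owning team)
ASSETS = {
    "pay-gw-01": ("critical", "payments"),
    "web-03": ("medium", "digital"),
    "kiosk-12": ("low", "retail"),
}

# Constructed sightings extracted from proxy/firewall logs: (host, indicator)
SIGHTINGS = [
    ("pay-gw-01", "198.51.100.23"),
    ("web-03", "203.0.113.77"),
    ("kiosk-12", "203.0.113.77"),
    ("web-03", "malicious.example"),
]

CRITICALITY_RANK = {"critical": 3, "medium": 2, "low": 1}


def parse_feed(text):
    """Data: raw indicators with a type and a tag, nothing more."""
    rows = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        indicator, ioc_type, tag = (f.strip() for f in line.split(","))
        rows[indicator] = {"type": ioc_type, "tag": tag}
    return rows


def relate(feed, sightings, assets):
    """Information: give each indicator meaning by connecting it to the
    hosts in our own estate where it has actually been observed."""
    hits = defaultdict(list)
    for host, indicator in sightings:
        if indicator in feed and host in assets:
            hits[indicator].append(host)
    return dict(hits)


def prioritise(feed, hits, assets):
    """Knowledge: the related facts arranged to be useful, here ranked by
    the most critical asset each indicator touched."""
    ranked = []
    for indicator, hosts in hits.items():
        top = max(hosts, key=lambda h: CRITICALITY_RANK[assets[h][0]])
        ranked.append({
            "indicator": indicator,
            "tag": feed[indicator]["tag"],
            "hosts": sorted(hosts),
            "max_criticality": assets[top][0],
            "owner": assets[top][1],
        })
    ranked.sort(key=lambda r: (-CRITICALITY_RANK[r["max_criticality"]],
                               r["indicator"]))
    return ranked


def unmatched(feed, hits):
    """Feed entries never seen locally: data the team stores but cannot act on."""
    return sorted(set(feed) - set(hits))


if __name__ == "__main__":
    feed = parse_feed(RAW_FEED)
    hits = relate(feed, SIGHTINGS, ASSETS)
    for row in prioritise(feed, hits, ASSETS):
        print(row)
    print("no local relevance:", unmatched(feed, hits))
```

Run as-is, the c2 address seen on the payments gateway comes out first and the unseen indicator is reported separately; the point of the example is that nothing in the feed itself tells you which is which until it is related to your own assets, which is why the deck says most providers stop at information.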
Several types of intel
Example sources
[Chart: intelligence sources plotted from economical to expensive and from easy to detect to hard to detect: Open source Intelligence, Technical Intelligence, Secret Intelligence, Underground Intelligence]
Human Intelligence (HUMINT)
• Intelligence gathered through the use of people. HUMINT employs overt and clandestine operations e.g. SPYING.
• Gathering should be done under an assumed identity.
Signals Intelligence (SIGINT)
• Intelligence gathered through the use of interception or listening technologies.
• Example: Wired/Wireless Sniffer TAP devices
Imagery Intelligence (IMINT)
• Intelligence gathered through recorded imagery such as photographs and satellite images.
• Cross over between IMINT and OSINT if it extends to Google Earth and its equivalents
Open-Source Intelligence (OSINT)
• Intelligence gathered through freely available information, such as that presented in the media, available in libraries or the Internet.
Threat actors: Opportunists, Nation States, Corporations, Terrorist Organisations, Botnets, Script Kiddies, Hacktivists, Established Criminal Networks
Where should threat intelligence be positioned?
High expectations?
A shift in thinking
“There is nothing more necessary than good intelligence to frustrate a designing enemy and nothing requires greater pains to obtain” – George Washington
Source: Gartner Definition – Threat Intelligence
Types of threat intelligence: Strategic, Tactical, Operational, Technical
Source: Centre for the Protection of National Infrastructure – UK Government
Position threat intelligence by consumer?
Helps to meet expectations and reduce negative experiences
SOURCE: Centre for the Protection of National Infrastructure – UK Government
In-house and threat intelligence provider analysis
A raft of providers/in-house teams, but rarely are they categorised by the end consumer rather than by industry buzzwords

| Vendor | Type | Mobile Apps | Executive Brief | Threat Brief | Phishing/Takedown | Data Disclosure | Malware Intel | Malware Analysis | Social media | Cyber Attacks | Vuln. Mapping | Incident Response | Etc |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| A | Boutique | Yes | Yes | Yes | Yes/Yes | Yes | Yes | No | Yes | Yes | No | No | .. |
| B | Security Specialist | Yes | Yes | Yes | Yes/Yes | No | Yes | Yes | No | Yes | Yes | Yes | .. |
| C | Security Specialist | No | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | .. |
| D | Defence Contractor | Yes | Yes | Yes | No | No | Yes | Yes | No | Yes | Yes | Yes | .. |
| E | Boutique | No | Yes | No | No | Yes | No | No | Yes | No | Yes | No | .. |
| F | Boutique | Yes | Yes | No | No | No | No | Yes | No | Yes | Yes | Yes | .. |
| G | Defence Contractor | No | Yes | No | No | No | No | Yes | No | Yes | Yes | Yes | .. |
| H | Vendor | No | Yes | Yes | Yes/Yes | No | Yes | Yes | No | Yes | Yes | Yes | .. |
| I | Network Provider | Yes | Yes | Yes | No | Yes | No | Yes | No | Yes | Yes | Yes | .. |
| J | Boutique | No | No | Yes | Yes/No | Yes | Yes | No | Yes | Yes | No | No | .. |
| etc | etc | … | … | … | … | … | … | … | … | … | … | … | … |
Threat intelligence goals
Define your intelligence scope through planning
• What are you trying to achieve?
• What information do you need?
• Who is the information for?
• What is the budget?
• What resources will you need?
• How should it be presented?
Monitoring all varieties of intelligence across regional and topical interests takes huge amounts of manpower. Prioritise.
Threat intelligence sources
It's about understanding the origin of the information
Analyse each source of information:
• Who wrote the information?
• Does the author know about the subject?
• Why was it produced?
• How did the author get their information?
• Is this relevant to your objectives?
• When was it produced?
• Before reporting on any information found, it should be assessed and analysed.
Report on relevant, credible findings.
Remember the 5 W’s & H: Who, What, When, Where, Why, and How
Good threat intelligence requires human context
It's about understanding the context of the information
Outcomes:
• Who or what the actor is
• What the threat is
• Likelihood of the threat materialising
Leading questions:
• Are they acting alone? Are they acting within a group?
• Do they have credibility or a history?
• What is their motivation?
• What is their capability?
• What is their opportunity?
• What is the vulnerability?
• What are they saying?
• What is the specificity?
Processing the findings
Scoring the information: ensure intel consumers are aware

Credibility ratings (in relation to other information)

| Rating | Label | Criteria |
|---|---|---|
| 1 | Confirmed | Confirmed by other independent sources; logical in itself; consistent with other information on the subject. |
| 2 | Probably true | Not confirmed; logical in itself; consistent with other information on the subject. |
| 3 | Possibly true | Not confirmed; reasonably logical in itself; agrees with some other information on the subject. |
| 4 | Doubtfully true | Not confirmed; possible but not logical; no other information on the subject. |
| 5 | Improbable | Not confirmed; not logical in itself; contradicted by other information on the subject. |
| 6 | Misinformation | Unintentionally false; not logical in itself; contradicted by other information on the subject; confirmed by other independent sources. |
| 7 | Deception | Deliberately false; contradicted by other information on the subject; confirmed by other independent sources. |
| 8 | Cannot be judged | No basis exists for evaluating the validity of the information. |

Reliability of source ratings

| Rating | Label | Criteria |
|---|---|---|
| A | Reliable | No doubt of authenticity, trustworthiness, or competency; has a history of complete reliability. |
| B | Usually reliable | Minor doubt about authenticity, trustworthiness, or competency; has a history of valid information most of the time. |
| C | Fairly reliable | Doubt of authenticity, trustworthiness, or competency, but has provided valid information in the past. |
| D | Not usually reliable | Significant doubt about authenticity, trustworthiness, or competency, but has provided valid information in the past. |
| E | Unreliable | Lacking authenticity, trustworthiness, or competency; history of invalid information. |
| F | Cannot be judged | No basis exists for evaluating the reliability of the source. |

It takes time!
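The two tables above are usually combined into a single code such as "B2" that travels with the reporting so the consumer knows how much weight to give it. The following is an added example, not the presenters' material: it derives the A–F letter from a source's track record (which is the "it takes time" point: a source cannot earn an A without a history), derives the 1–8 digit for a claim from the criteria in the table, and produces the note a consumer should receive with the code. The threshold values, the `Claim` record shape and the reading of "confirmed by other independent sources" as two or more distinct A–C sources are this example's own assumptions.

```python
"""Admiralty-style grading of threat reporting, following the two rating
tables above. Thresholds and record shapes are this example's assumptions."""
from dataclasses import dataclass
from typing import Optional

RELIABILITY = {"A": "Reliable", "B": "Usually reliable", "C": "Fairly reliable",
               "D": "Not usually reliable", "E": "Unreliable", "F": "Cannot be judged"}
CREDIBILITY = {1: "Confirmed", 2: "Probably true", 3: "Possibly true",
               4: "Doubtfully true", 5: "Improbable", 6: "Misinformation",
               7: "Deception", 8: "Cannot be judged"}


def source_reliability(outcomes: list[bool], min_history: int = 5) -> str:
    """Derive A-F from a source's track record (True = past item proved valid).

    Assumed thresholds: no history -> F; all valid over at least min_history
    items -> A; >= 80% valid -> B; >= 50% -> C; some valid -> D; none -> E."""
    if not outcomes:
        return "F"
    ratio = sum(outcomes) / len(outcomes)
    if ratio == 1.0 and len(outcomes) >= min_history:
        return "A"
    if ratio >= 0.8:
        return "B"
    if ratio >= 0.5:
        return "C"
    if ratio > 0:
        return "D"
    return "E"


@dataclass
class Claim:
    """One assessed claim and the sources reporting it (constructed shape)."""
    text: str
    sources: dict[str, str]            # source id -> reliability letter A-F
    logical: str                       # "yes" | "reasonably" | "no"
    agreement: str                     # "consistent" | "partial" | "none" | "contradicted"
    known_false: Optional[str] = None  # None | "unintentional" | "deliberate"


def credibility(c: Claim) -> int:
    """Derive the 1-8 grade from the table's criteria. Grades 6 and 7 need
    the analyst to have established that the claim is false (known_false)."""
    if c.known_false == "deliberate":
        return 7
    if c.known_false == "unintentional":
        return 6
    rated = {s for s, r in c.sources.items() if r in "ABCDE"}
    if not rated and c.agreement == "none":
        return 8                                   # no basis to judge
    if c.logical == "no" or c.agreement == "contradicted":
        return 5
    if c.agreement == "none":
        return 4
    if c.logical == "reasonably" or c.agreement == "partial":
        return 3
    # "Confirmed by other independent sources": two or more distinct A-C sources
    independent = {s for s, r in c.sources.items() if r in "ABC"}
    return 1 if len(independent) >= 2 else 2


def grade(c: Claim) -> str:
    """Combined code such as 'B2': best source letter plus credibility digit."""
    letter = min(c.sources.values(), default="F")  # 'A' sorts first, so min = best
    return f"{letter}{credibility(c)}"


def consumer_note(code: str) -> str:
    """The wording the intel consumer must receive alongside the code."""
    letter, digit = code[0], int(code[1:])
    parts = [f"source {RELIABILITY[letter].lower()}", CREDIBILITY[digit].lower()]
    if letter == "F" or digit == 8:
        parts.append("NOT ASSESSED: do not treat as intelligence")
    elif digit in (6, 7):
        parts.append("FALSE: report the falsehood itself, not the claim")
    return "; ".join(parts)


if __name__ == "__main__":
    # Constructed track records for two hypothetical sources.
    vendor_feed = source_reliability([True] * 8)          # long clean history
    forum_tip = source_reliability([True, False, True])   # short, mixed history
    claim = Claim("Campaign targets payment gateways (constructed claim)",
                  {"vendor_feed": vendor_feed, "forum_tip": forum_tip},
                  logical="yes", agreement="consistent")
    code = grade(claim)
    print(code, "->", consumer_note(code))
```

Two behaviours are worth noticing: a source with three out of three valid items still only earns a B because it has not been around long enough, and a claim backed only by an F source with nothing else on the subject comes out as F8 with an explicit "not assessed" note rather than silently looking like intelligence.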
Threat intelligence reporting
Strategic, Tactical, Operational or Technical?
Key considerations
• Does the report answer the questions or objectives raised in the planning phase?
• Is the information relevant to your audience?
• Have you drawn a meaningful conclusion or just listed facts?
• Wherever possible, deliver and discuss intelligence face-to-face.
• Are you delivering compelling narratives tailored to the threat intelligence ‘consumer’, or just mirroring regurgitated facts and news at all ‘consumer’ levels? If the latter, the intelligence will be disregarded or ignored by decision-makers and you won’t get the investment you need.
Risks of poor reports
• Information will be discarded and credibility is lost.
• The report isn’t relevant and so is ignored.
• The report doesn’t answer the question so it is disregarded, wasting time, money and resources.
• A written report is sent to the wrong person and is never read.
Does it meet the objective? Relevant to the stakeholder? Meaningful conclusions? Robust analysis.
What can I take away?
Information is not intelligence and is not one-size-fits-all
• Improves visibility & reporting
• Integration is required across design, engineering and operations
• Begins with critical systems and asset inventory
• Do not overlook security operations process maturity
• Is only as good as your asset and threat profile classification
• Vendors are only as good as “your” use cases
• It’s no Silver Bullet
James Nunn-Price
Asia Pacific Cyber Risk Leader, Partner, Deloitte Touche Tohmatsu
+61 428 200 542
http://www2.deloitte.com/au/en/pages/risk/articles/protecting-businesses-cyber-criminals-cyber-attacks.html
Puneet Kukreja
Partner, Cyber Risk Services, Deloitte Touche Tohmatsu
+61 403 037 010
Deloitte’s global cyber threat intelligence centres offer local context and tailored business understanding
Centres (operational or planned; N.B. larger markets have multiple centres): USA, Canada, Brazil, Argentina, UK, France, Spain, Italy, Germany, Netherlands, Hungary, Turkey, Israel, UAE, South Africa, India, Singapore, Malaysia, Hong Kong (China), Japan, Australia
Globally over 3,500 cyber staff; in Australia:
• 120+ dedicated Cyber Risk professionals
• Ability to cover all states with core cyber expertise supported by national Subject Matter Experts
General information only
This presentation contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively the “Deloitte Network”) is, by means of this presentation, rendering professional advice or services. Before making
any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this presentation.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/about for a detailed
description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.
Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality
service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.
About Deloitte Australia
In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia’s leading professional services firms, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial advisory services through approximately 6,000 people across the country. Focused on the creation of value and growth, and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel. For more information, please visit our web site at www.deloitte.com.au.
Liability limited by a scheme approved under Professional Standards Legislation.
Member of Deloitte Touche Tohmatsu Limited
© 2016 Deloitte Touche Tohmatsu