Threat Intelligence: State-of-the-art and trends

www.ecs.co.uk | Threat Intelligence: State-of-the-art and trends | Secure South West 5 | Andreas Sfakianakis, ECS | 02/04/2015

Transcript of Threat Intelligence: State-of-the-art and trends

Page 1: Threat Intelligence: State-of-the-art and trends

www.ecs.co.uk

Threat Intelligence: State-of-the-art and trends

Secure South West 5

Andreas Sfakianakis, ECS

02/04/2015

Page 2

ECS - Threat Management Strategy

Build a picture of your adversaries. Understand their strategies, objectives, methodologies and attributes.

Gain a clear understanding of your own network and systems alongside any weaknesses. Understand your countermeasures and contextual information. Bolster your countermeasures to deny attack channels.

Establish and execute business as usual threat intelligence, vulnerability management, monitoring and response procedures.

Review and report outcomes, deliverables, value and lessons learnt.

Page 3

Roadmap

• Threat Landscape

• What is Threat Intelligence?

• Threat Intelligence Management

• Threat Intelligence Platforms

• Takeaways


Page 5

The Global Risk Landscape

Page 6

What about … Cyber?

Number of breaches per threat actor category over time

Page 7

What about … Cyber?

Page 8

Roadmap

Page 9

Threat Intelligence

• "We don't know what it is, but we need it."

• Intelligence is the application of knowledge to information.

• Inform business decisions regarding the risks and implications associated with threats.

• Data is not information, information is not knowledge, knowledge is not intelligence, intelligence is not wisdom.

• Buzzword of 2014!

Page 10

Information versus Intelligence

Page 11

Characteristics of Intelligence

Page 12

Why do we need Threat Intelligence?

• Dynamic threat landscape

• Situational awareness (different sectors have different threats)

• Defend better by knowing the adversary

• From reactive to proactive

• Driving better investment strategies

• After all, it's all about … context, context and context!

Page 13

Types of Threat Intelligence

                     Strategic                          Tactical
Created by           Humans                             Machines, or humans + machines
Consumed by          Humans                             Machines and humans
Delivery time frame  Days – months                      Seconds to hours
Useful lifespan      Long                               Short (usually)
Durability           Durable                            Fragile (*)
Ambiguity            Possible; hypotheses and leads OK  Undesirable; systems don't tolerate it
Focus                Planning, decisions                Detection, triage, response
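The tactical column above (machine-consumed, short lifespan, fragile, no tolerance for ambiguity) turned into feed handling, as an added example that is not part of the original deck: the feed entries, the proxy log lines and the per-indicator `ttl_days` lifespan are all constructed assumptions, and the matcher only accepts exact, machine-checkable indicator forms.

```python
from datetime import datetime, timedelta
import re

# Constructed sample feed (not a real source); values and dates are illustrative.
FEED = [
    {"type": "domain", "value": "update-check.example.net", "first_seen": "2015-03-30", "ttl_days": 14},
    {"type": "ipv4", "value": "203.0.113.45", "first_seen": "2015-01-05", "ttl_days": 30},
    {"type": "sha256", "value": "a3" * 32, "first_seen": "2015-03-20", "ttl_days": 365},
    {"type": "domain", "value": "*.example.org", "first_seen": "2015-03-31", "ttl_days": 7},  # ambiguous
]

# Constructed proxy log lines: "timestamp client method target".
LOGS = [
    "2015-04-01T10:12:03 10.0.0.7 GET http://update-check.example.net/x.php",
    "2015-04-01T10:12:09 10.0.0.7 CONNECT 203.0.113.45:443",
    "2015-04-01T11:00:00 10.0.0.9 GET http://www.example.org/",
]

# Only exact, machine-checkable forms are accepted; anything else is treated as ambiguous.
EXACT = {
    "domain": re.compile(r"^[a-z0-9.-]+\.[a-z]{2,}$"),
    "ipv4": re.compile(r"^(\d{1,3}\.){3}\d{1,3}$"),
    "sha256": re.compile(r"^[0-9a-f]{64}$"),
}

def usable_indicators(feed, now_iso):
    """Drop ambiguous or expired entries: tactical intel is fragile and short-lived."""
    now = datetime.fromisoformat(now_iso)
    kept = []
    for ind in feed:
        pattern = EXACT.get(ind["type"])
        if pattern is None or not pattern.match(ind["value"]):
            continue  # wildcards and free text cannot be matched safely by a machine
        expires = datetime.fromisoformat(ind["first_seen"]) + timedelta(days=ind["ttl_days"])
        if expires > now:
            kept.append(dict(ind, expires=expires.date().isoformat()))
    return kept

def match_logs(indicators, log_lines):
    """Return (log line, indicator value) pairs; tokens are split on whitespace, '/' and ':'."""
    hits = []
    for line in log_lines:
        tokens = set(re.split(r"[\s/:]+", line.lower()))
        hits += [(line, ind["value"]) for ind in indicators if ind["value"] in tokens]
    return hits

if __name__ == "__main__":
    live = usable_indicators(FEED, "2015-04-02")
    for line, ioc in match_logs(live, LOGS):
        print(f"HIT {ioc} in: {line}")
```

The expired IP address produces no hit even though it appears in the log, which is the "fragile" property in practice: an indicator past its useful lifespan is noise, not detection.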

Page 14

Roadmap

Page 15

How do we build it?

• Fundamental cycle of intelligence processing

• Civilian or military intelligence agency / law enforcement

• Closed path consisting of repeating nodes.

Page 17

Embedding Threat Intelligence into the DNA of an organisation

Page 18

Interrupting the kill chain

“Kill Chain” is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks.

Page 19

Threat Intelligence Sources

• Internal

• Open source

• Commercial

• Community/Information sharing

Page 20

Internally-sourced Threat Intelligence

• Detailed analysis of locally caught malware

• Detailed analysis of disk images and memory images

• Threat actor profiles based on local data

• Artifacts shared by other organisations

• Fusing local data with shared data

• Behavioural analysis

Page 21

Open Source Threat Intelligence

Page 22

Open Source Tactical Feeds

Page 24

Threat Intel Providers

Page 25

What do Threat Intel Providers deliver?

Page 26

Information Sharing

Page 27

Roadmap

Page 28

What is a Threat Intel Platform?

Page 29

But…

Page 30

Threat Intelligence Platforms

• ThreatConnect

• Detica CyberReveal

• IBM i2 Analyst Notebook

• Lockheed Martin Palisade

• Lookingglass ScoutPlatform

• MITRE CRITs

• Palantir

• ThreatQuotient

• ThreatStream

• Vorstack

• Codenomicon

• Soltra

• Intelworks

• IID

• Resilient Systems

• Swimlane


Page 32

CRITs (Collaborative Research into Threats)

Page 33

Soltra Edge

Page 34

The need for security automation

Page 35

STIX standard

Consider these questions:

• What activity are we seeing?

• What threats should I be looking for, and why?

• Where has this threat been seen?

• What does it do?

• What weaknesses does this threat exploit?

• Why does it do this?

• Who is responsible for this threat?

• What can I do?
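An added example, not from the original deck, that expresses these questions (and the kill chain phase idea from page 18) as one STIX bundle built with only the Python standard library. STIX 2.1 JSON is an assumption, since the slide names no version; every object name, domain, motivation and relationship below is constructed, and `dangling_refs` is a consumer-side check that every relationship and sighting points at an object actually present in the bundle.

```python
import json
import uuid

NOW = "2015-04-02T00:00:00.000Z"  # fixed timestamp so the output is reproducible
KC = [{"kill_chain_name": "lockheed-martin-cyber-kill-chain", "phase_name": "command-and-control"}]

def stix_obj(obj_type, **props):
    """Create a STIX object with the common required properties (type, id, created, modified)."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}", "created": NOW, "modified": NOW}
    obj.update(props)
    return obj

def rel(kind, src, dst):
    """Relationship SRO linking two objects by id."""
    return stix_obj("relationship", relationship_type=kind, source_ref=src["id"], target_ref=dst["id"])

def build_bundle():
    # Constructed example content; names, domain and actor are invented.
    indicator = stix_obj("indicator", name="Beacon domain",  # what should I look for, and why?
                         pattern="[domain-name:value = 'update-check.example.net']",
                         pattern_type="stix", valid_from=NOW, kill_chain_phases=KC)
    sighting = stix_obj("sighting", sighting_of_ref=indicator["id"],  # where has it been seen?
                        count=1, first_seen=NOW, last_seen=NOW)
    malware = stix_obj("malware", name="ExampleRAT", is_family=True,  # what does it do?
                       description="Remote access tool beaconing over HTTPS (constructed)")
    vuln = stix_obj("vulnerability", name="Unpatched document reader")  # what weakness does it exploit?
    actor = stix_obj("threat-actor", name="Group Example",  # who is responsible, and why?
                     primary_motivation="organizational-gain")
    coa = stix_obj("course-of-action", name="Block domain at proxy; patch reader")  # what can I do?
    objects = [indicator, sighting, malware, vuln, actor, coa,
               rel("indicates", indicator, malware), rel("targets", malware, vuln),
               rel("uses", actor, malware), rel("mitigates", coa, malware)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def dangling_refs(bundle):
    """Ids of relationships/sightings whose referenced objects are missing from the bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    bad = []
    for o in bundle["objects"]:
        refs = [o.get("source_ref"), o.get("target_ref"), o.get("sighting_of_ref")]
        if any(r is not None and r not in ids for r in refs):
            bad.append(o["id"])
    return bad

if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("dangling references:", dangling_refs(bundle))
```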

Page 36

Structured Threat Information Expression

Page 37

STIX/TAXII Adoption

Page 38

Roadmap

Page 39

Takeaways

• Current state of TI is still initial BUT has great potential

• Context is critical (makes everyone's job easier)

• Intelligence-led defence has significant operating costs

• Do not blindly invest in intelligence (first think of requirements, DIY vs buy)

• Look for upcoming automation/tool developments

• Do not forget people and processes!!!!

Page 40

Thank you for your attention!

Questions?

@asfakian