Know your enemy: Practical insights for effective threat intelligence Puneet Kukreja Partner Cyber Advisory Deloitte (Australia)

ISF Congress 2016 - Session 7.2_Kukreja



Know Your Enemy: Practical insights for effective threat intelligence

ISF World Congress – 2016 Berlin

Our Discussion


The threat landscape

The threat intelligence program

Sourcing threat intelligence

The program setup

What’s the value

The threat landscape

© 2016 Deloitte Risk Advisory Pty Ltd

“There is nothing more necessary than good intelligence to frustrate a designing enemy & nothing requires greater pains to obtain” - - GEORGE WASHINGTON

Defining threat intelligence – still holds true from last year

Source: Gartner definition of threat intelligence

STRATEGIC TACTICAL TECHNICAL OPERATIONAL

TYPES OF THREAT INTELLIGENCE

SOURCE: Centre for the Protection of National Infrastructure – UK Government

Source: https://www.securityforum.org/uploads/2015/12/isf_threat-horizon_2016_es.pdf

ISF threat horizon 2016


ENISA Threat Landscape

Source: https://www.enisa.europa.eu/publications/etl2015

Source: https://www.securityforum.org/uploads/2015/12/isf_threat-horizon_2016_es.pdf

ISF threat horizon 2014 – 2016


The threat intelligence program


The threat intelligence program

Scoping for Threat Intelligence

Sourcing Threat Intelligence

The Program Setup

What’s the Value


Threat intelligence program goals

Define your intelligence scope through planning


What are you trying to achieve?

What information do you need?

Who is the information for?

What is the budget?

What resources will you need?

How is the intended state different from today?

It is important to note that a Threat Intelligence program is no different to any other security project or program: it requires due diligence and thought on why funding is being asked for, what resources will be required, and how the target state will give an improved security posture compared to what is present today.


Maturity level of threat intelligence

UNCLEAR

INITIAL

IN PLACE

EXPANDING & IMPROVING

RISK ALIGNED

The type of program you set up will depend on the current maturity of your cyber operations.

• Unclear: You know about it and subscribe to some free feeds, but you are unsure how Threat Intelligence will be utilised within your organisation.

• Initial: There is an understanding of how Threat Intelligence will be tied into security operations; information from intelligence feeds is being used to guide operations.

• In-place: You subscribe to Threat Intelligence and utilise it as a key control within your security operations function. Threat Intelligence is utilised on a daily basis and is not ad hoc.

• Expanding & Improving: Threat Intelligence is being refined based on the sector the organisation operates in. Outputs are integrated into broader technology operations and regular reporting is established.

• Risk Aligned: Outputs from your Threat Intelligence function inform your risk appetite settings.

Sourcing threat intelligence


Why understanding sourcing is important


Data

• Data is raw and it is abundant.
• It simply exists and has no significance beyond its existence.

Information

• Information is data that has been given meaning by way of relational connections.
• The bulk of commodity intelligence providers today are providing information feeds.

Knowledge

• Knowledge is the appropriate collection of information, such that its intent is to be useful.
• Very few providers and internal security functions get this far.

Intelligence

• Intelligence is the ability to acquire and apply knowledge and skills to meet an objective.
• Due to information overload and limited resources, this is rarely achieved.


• Intelligence is about understanding something. This can only effectively be developed over time.

• Intelligence is not about the sources or the raw information.

• Intelligence is about what you can do with it.

Types of intel / Example sources

Intelligence sources, plotted from Economical to Expensive and from Easy to detect to Hard to detect:

• Open source Intelligence
• Technical Intelligence
• Secret
• Underground

Human Intelligence (HUMINT)

• Intelligence gathered through the use of people. HUMINT employs overt and clandestine operations, e.g. SPYING.
• Gathering should be done under an assumed identity.

Signals Intelligence (SIGINT)

• Intelligence gathered through the use of interception or listening technologies.
• Example: Wired/Wireless Sniffer TAP devices

Imagery Intelligence (IMINT)

• Intelligence gathered through recorded imagery such as photographs and satellite images.
• Cross over between IMINT and OSINT if it extends to Google Earth and its equivalents.

Open-Source Intelligence (OSINT)

• Intelligence gathered through freely available information, such as that presented in the media, available in libraries or on the Internet.

Threat actors

• Opportunists
• Nation States
• Corporations
• Terrorist Organisations
• Botnets
• Script Kiddies
• Hacktivists
• Established Criminal Networks

Sourcing consideration

Attributes to measure threat intelligence

Feed structures

• Open Threat Exchange (OTX)
• Structured Threat Information Expression (STIX)
• Trusted Automated eXchange of Indicator Information (TAXII)
• Cyber Observable eXpression (CybOX)
• Collective Intelligence Framework (CIF)
• Open Indicators of Compromise (OpenIOC) framework
• Traffic Light Protocol (TLP)
• Incident Object Description and Exchange Format (IODEF)
• Vocabulary for Event Recording and Incident Sharing (VERIS)

What are you measuring?

Strategic | Operational | Technical | Tactical

Type of threat intelligence sources

HUMINT (Human Intelligence) | SIGINT (Signals Intelligence) | IMINT (Imagery Intelligence) | OSINT (Open-Source Intelligence)

7 measures of threat intelligence

1. Who wrote the information?
2. Does the author understand the subject?
3. Why was it produced?
4. When was it produced?
5. Is this relevant to your objectives?
6. How did the author get their information?
7. How do they report on relevant and credible findings?

Program setup


It’s not about the threat feeds.

Your program considerations

EXECUTIVE SPONSORSHIP

RELATIONSHIPS

PARTNERSHIPS

ATTRIBUTION OF ADVERSARIES

TRENDING & HUNTING

DEFENSE & RESILIENCE

INCIDENT RESPONSE

Integrated Architecture

Threat Modelling

Actionable

Governance

Stakeholders

It’s about running a business program.

What’s the value


How will I measure program value?

• Currency and coverage of Threat Intelligence
• Align the Threat Intelligence program to your risk profile and risk appetite
• Measure Threat Intelligence using the right metrics: operational or strategic
• Integration with existing security operational processes
• Measure how intelligence has helped prepare for a proactive response
• Report on how many operational processes have been enhanced


Metrics for measuring operational threat intelligence

• How many rules were created following Threat Intelligence enablement
• Number of architectural changes to underlying infrastructure
• What is the total number of IOCs that are being consumed by the business
• What is the degree of false positives and positive correlation
• Number of proactive cyber security incident remediations
• Number of IOC correlations reduced given architectural maturity
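As an added illustration that is not part of the slides, the following Python computes several of the operational metrics above (rules created, distinct IOCs consumed per feed and in total, positive correlation versus false-positive rate, proactive remediations) from constructed alert records. Feed names, rule names and indicator values are hypothetical; the false-positive rate per feed is the figure a practitioner would use to decide which feeds earn their keep.

```python
from dataclasses import dataclass


@dataclass
class IocHit:
    """One detection-rule firing on a feed-supplied indicator (constructed record)."""
    feed: str            # hypothetical feed name
    ioc: str             # indicator value (constructed sample)
    rule: str            # hypothetical detection rule that matched
    true_positive: bool  # analyst verdict after triage
    proactive: bool      # remediated before any impact was observed


# Constructed sample hits; one IOC appears in two feeds and one fires twice.
HITS = [
    IocHit("feed-a", "203.0.113.10", "ti-ip-block", True, True),
    IocHit("feed-a", "203.0.113.11", "ti-ip-block", False, False),
    IocHit("feed-b", "bad.example", "ti-dns-sinkhole", True, False),
    IocHit("feed-b", "bad.example", "ti-dns-sinkhole", True, True),
    IocHit("feed-b", "203.0.113.10", "ti-proxy-deny", False, False),
    IocHit("feed-c", "evil.example", "ti-dns-sinkhole", True, True),
]


def feed_precision(hits):
    """Share of true positives per feed: the 'degree of false positives' metric by source."""
    feeds = {h.feed for h in hits}
    return {
        f: sum(1 for h in hits if h.feed == f and h.true_positive)
        / sum(1 for h in hits if h.feed == f)
        for f in feeds
    }


def ti_metrics(hits):
    """Return the slide's operational metrics as a dict computed over the hit records."""
    total = len(hits)
    tp = sum(1 for h in hits if h.true_positive)
    return {
        "rules_from_ti": len({h.rule for h in hits}),
        # distinct IOCs, so an indicator shared by two feeds counts once
        "iocs_consumed": len({h.ioc for h in hits}),
        "iocs_by_feed": {f: len({h.ioc for h in hits if h.feed == f}) for f in {h.feed for h in hits}},
        "positive_correlation": tp / total if total else 0.0,
        "false_positive_rate": (total - tp) / total if total else 0.0,
        "proactive_remediations": sum(1 for h in hits if h.proactive),
        "feed_precision": feed_precision(hits),
    }


if __name__ == "__main__":
    for name, value in ti_metrics(HITS).items():
        print(f"{name}: {value}")
```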


Key takeaways

1. Monitoring all varieties of intelligence across regional and topical interests takes huge amounts of human resources; always prioritise.

2. Threat intelligence should aid in and assist with the translation of information into valuable insight for decision makers.

3. The focus should be on sourcing information applicable to the organization and on how the threat intelligence information has helped improve threat posture and/or incident response capability.

4. Threat Intelligence is an evolving capability whose maturity moves up the curve over time; before you embark on this journey, note that it must be supported by continuous investment and not be a one-off.

5. Focus on integration points across the security function and look for improvements via metrics that have defined outcomes for Threat Intelligence investment.

Thank you

Puneet Kukreja | Partner | Cyber Advisory

Deloitte Australia

ISF World Congress – 2016 Berlin

QUESTIONS?

Please feel free to contact us for further discussion:

Puneet Kukreja, Partner Cyber Advisory, Deloitte Australia

[email protected]

Ralph Bennett, ISF

[email protected]