Know your enemy: Practical insights for effective threat intelligence
Puneet Kukreja
Partner Cyber Advisory
Deloitte (Australia)
ISF World Congress – 2016 Berlin
Our discussion
- The threat landscape
- The threat intelligence program
- Sourcing threat intelligence
- The program setup
- What's the value
© 2016 Deloitte Risk Advisory Pty Ltd
"There is nothing more necessary than good intelligence to frustrate a designing enemy & nothing requires greater pains to obtain" – George Washington
Defining threat intelligence – still holds true from last year
Source: Gartner definition – Threat Intelligence
Types of threat intelligence: Strategic, Tactical, Technical, Operational
Source: Centre for the Protection of National Infrastructure – UK Government
ISF threat horizon 2016
Source: https://www.securityforum.org/uploads/2015/12/isf_threat-horizon_2016_es.pdf
ENISA Threat Landscape
Source: https://www.enisa.europa.eu/publications/etl2015
ISF threat horizon 2014 – 2016
Source: https://www.securityforum.org/uploads/2015/12/isf_threat-horizon_2016_es.pdf
The threat intelligence program
- Scoping for threat intelligence
- Sourcing threat intelligence
- The program setup
- What's the value
Threat intelligence program goals
Define your intelligence scope through planning:
- What are you trying to achieve?
- What information do you need?
- Who is the information for?
- What is the budget?
- What resources will you need?
- How is the intended state different from today?
It is important to note that a threat intelligence program is no different to any other security project or program: it requires due diligence and thought on why funding is being asked for, what resources will be required, and how the target state will have an improved security posture compared to what is present today.
Maturity level of threat intelligence
Levels: Unclear, Initial, In-place, Expanding & Improving, Risk Aligned
The type of program you set up will depend on the current maturity of your cyber operations.
• Unclear: You know about it and subscribe to some free feeds, but are unsure how threat intelligence will be utilised within your organisation.
• Initial: There is an understanding of how threat intelligence will be tied into security operations; information from intelligence feeds is being used to guide operations.
• In-place: You subscribe to threat intelligence and utilise it as a key control within your security operations function. The threat intelligence is utilised on a daily basis and is not ad hoc.
• Expanding & Improving: Threat intelligence is being refined based on the sector the organisation operates in. Outputs are integrated into broader technology operations, and regular reporting is established.
• Risk Aligned: Outputs from your threat intelligence function inform your risk appetite settings.
Why understanding sourcing is important
Data → Information → Knowledge → Intelligence
• Data is raw and abundant. It simply exists and has no significance beyond its existence.
• Information is data that has been given meaning by way of relational connections. The bulk of commodity intelligence providers today are providing information feeds.
• Knowledge is the appropriate collection of information, such that its intent is to be useful. Very few providers and internal security functions get this far.
• Intelligence is the ability to acquire and apply knowledge and skills to meet an objective. Due to information overload and limited resources, this is rarely achieved.
• Intelligence is about understanding something. This can only effectively be developed over time.
• Intelligence is not about the sources or the raw information.
• Intelligence is about what you can do with it.
Types of intel / Example sources
Intelligence sources: Open-source intelligence, Technical intelligence, Secret, Underground
(Figure axes: economical to expensive; easy to detect to hard to detect)
Human Intelligence (HUMINT)
• Intelligence gathered through the use of people. HUMINT employs overt and clandestine operations, e.g. spying.
• Gathering should be done under an assumed identity.
Signals Intelligence (SIGINT)
• Intelligence gathered through the use of interception or listening technologies.
• Example: wired/wireless sniffer TAP devices.
Imagery Intelligence (IMINT)
• Intelligence gathered through recorded imagery such as photographs and satellite images.
• Crossover between IMINT and OSINT if it extends to Google Earth and its equivalents.
Open-Source Intelligence (OSINT)
• Intelligence gathered through freely available information, such as that presented in the media, available in libraries or on the Internet.
Threat actors
• Opportunists
• Nation states
• Corporations
• Terrorist organisations
• Botnets
• Script kiddies
• Hacktivists
• Established criminal networks
Sourcing considerations
Attributes to measure threat intelligence
Feed structures
• Open Threat Exchange (OTX)
• Structured Threat Information Expression (STIX)
• Trusted Automated eXchange of Indicator Information (TAXII)
• Cyber Observable eXpression (CybOX)
• Collective Intelligence Framework (CIF)
• Open Indicators of Compromise (OpenIOC) framework
• Traffic Light Protocol (TLP)
• Incident Object Description and Exchange Format (IODEF)
• Vocabulary for Event Recording and Incident Sharing (VERIS)
What are you measuring?
Type of threat intelligence: Strategic, Operational, Technical, Tactical
Type of threat intelligence sources: HUMINT (Human Intelligence), SIGINT (Signals Intelligence), IMINT (Imagery Intelligence), OSINT (Open-Source Intelligence)
7 measures of threat intelligence
1. Who wrote the information?
2. Does the author understand the subject?
3. Why was it produced?
4. When was it produced?
5. Is this relevant to your objectives?
6. How did the author get their information?
7. How do they report on relevant and credible findings?
It's not about the threat feeds.
Your program considerations:
• Executive sponsorship
• Relationships
• Partnerships
• Attribution of adversaries
• Trending & hunting
• Defense & resilience
• Incident response
• Integrated architecture
• Threat modelling
• Actionable
• Governance
• Stakeholders
It's about running a business program.
How will I measure program value
• Currency and coverage of threat intelligence
• Align the threat intelligence program to your risk profile and risk appetite
• Measure threat intelligence using the right metrics: operational or strategic
• Integration with existing security operational processes
• Measure how intelligence has helped prepare for a proactive response
• Report on how many operational processes have been enhanced
Metrics for measuring operational threat intelligence
• How many rules were created following threat intelligence enablement
• Number of architectural changes to underlying infrastructure
• What is the total number of IOCs being consumed by the business
• What is the degree of false positives and positive correlation
• Number of proactive cyber security incident remediations
• Number of IOC correlations reduced given architectural maturity
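As an added example (not part of the deck), the following Python computes several of the metrics listed above per feed: IOCs consumed, rules created after enablement, sightings, and the false-positive rate. The feed names, indicator values and analyst verdicts are constructed placeholders, and a sighting that does not map to a consumed IOC is deliberately excluded so the rate reflects the feeds being measured.

```python
# Added example: operational threat-intelligence metrics per feed,
# computed over constructed sample data (not real indicators or feeds).
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Indicator:
    value: str          # the IOC itself (domain, hash, IP ...)
    source: str         # feed the IOC was consumed from
    rule_created: bool  # a detection rule was authored for it after TI enablement


@dataclass(frozen=True)
class Sighting:
    indicator: str       # IOC value that matched in telemetry
    true_positive: bool  # analyst verdict after triage


# Constructed sample data; placeholder values, not real indicators.
INDICATORS: List[Indicator] = [
    Indicator("bad.example", "feed-a", True),
    Indicator("evil.example", "feed-a", True),
    Indicator("203.0.113.10", "feed-a", False),
    Indicator("deadbeef" * 4, "feed-b", True),
    Indicator("198.51.100.7", "feed-b", False),
    Indicator("c0ffee00" * 4, "feed-c", False),  # feed that never fires
]
SIGHTINGS: List[Sighting] = [
    Sighting("bad.example", True),
    Sighting("bad.example", True),
    Sighting("203.0.113.10", False),
    Sighting("deadbeef" * 4, False),
    Sighting("deadbeef" * 4, False),
    Sighting("unknown.example", True),  # not from a consumed feed: ignored
]


def feed_metrics(indicators: List[Indicator], sightings: List[Sighting]) -> Dict[str, dict]:
    """Per feed: IOCs consumed, rules created, sightings, true positives and
    false-positive rate (None when the feed produced no sightings)."""
    by_value = {i.value: i for i in indicators}
    stats: Dict[str, dict] = defaultdict(
        lambda: {"iocs_consumed": 0, "rules_created": 0, "sightings": 0, "true_positives": 0})
    for ind in indicators:
        stats[ind.source]["iocs_consumed"] += 1
        stats[ind.source]["rules_created"] += int(ind.rule_created)
    for s in sightings:
        ind = by_value.get(s.indicator)
        if ind is None:
            continue  # match not attributable to a consumed IOC
        stats[ind.source]["sightings"] += 1
        stats[ind.source]["true_positives"] += int(s.true_positive)
    for m in stats.values():
        m["false_positive_rate"] = (
            None if m["sightings"] == 0 else round(1 - m["true_positives"] / m["sightings"], 2))
    return dict(stats)
```

A low rule count against a high IOC count, or a false-positive rate near 1.0, is the kind of per-feed signal that feeds back into the sourcing measures above (relevance to your objectives, credibility of the author).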
Key takeaways
1. Monitoring all varieties of intelligence across regional and topical interests takes huge amounts of human resources; always prioritise.
2. Threat intelligence should aid in and assist with the translation of information into valuable insight for decision makers.
3. The focus should be on sourcing information applicable to the organization and on how the threat intelligence information has helped improve threat posture and/or incident response capability.
4. Threat intelligence is an evolving capability whose maturity moves up the curve over time; before you embark on this journey, note that it should be supported by continuous investment and not be a one-off.
5. Focus on integration points across the security function and look for improvements via metrics that have defined outcomes for the threat intelligence investment.
Thank you
Puneet Kukreja | Partner | Cyber Advisory
Deloitte Australia
ISF World Congress – 2016 Berlin
Please feel free to contact us for further discussion:
Puneet Kukreja, Partner Cyber Advisory, Deloitte Australia
Ralph Bennett, ISF