ANITIAN: intelligent information security
Meet the Speaker
Jordan Wiseman
• Certified Risk Assessor, QSA, GSEC
• 18+ years experience in Information Technology and Security
• 13+ years in Healthcare security, privacy, and HIPAA compliance
ANITIAN Intelligent Information Security
Risk assessment, third party risk management
Penetration testing, application security
Compliance audit and assessment
Cybersecurity leadership as a service (LaaS)
Managed security operations, threat hunting
Outline
• What Cyber Threat Intelligence IS and IS NOT
• How CTI complements, but does not replace, traditional security
• Tactical and strategic applications for CTI
• Common CTI problems and how to avoid them
• Additional thoughts
What IS NOT cyber threat intelligence
• Threat “feeds”
  • Firehoses
  • Varying audiences
  • Irrelevant data
  • Lack context
• “Intelligent” tech
  • Specialists
  • Behavior monitoring
  • Adaptive rules
  • Policy-based security
What IS NOT cyber threat intelligence
• Automated defenses
  • DDoS mitigations
  • Active containment
  • Fraud detection
  • Reputation
• Security analytics
  • Pattern recognition
  • Trend finding
  • Log monitoring
  • Alerting
What IS NOT cyber threat intelligence
• Threat “feeds”
• “Intelligent” tech
• Automated defenses
• Security analytics
These are tools.
What IS cyber threat intelligence
Using the tools to gather and analyze information about an attacker’s…
• Intentions
• Abilities
• Opportunities
…to inflict harm.
What IS cyber threat intelligence
(Venn diagram: Ability, Opportunity, Intent)
If an attacker has…            …an attack is:
• Opportunity + Intent         Questionable
• Ability + Opportunity        Possible
• Ability + Intent             Expected
Cyber threat intelligence is the analyzed information about the intent, ability, and opportunity of an attacker.
The analysis of…
What IS cyber threat intelligence
Information → Analysis → Intelligence
• Risk assessments seek to identify who and what might threaten business.
• Threat intelligence seeks to identify who and what is threatening the business.
COMPLEMENTING TRADITIONAL INFOSEC
INJECTING WISDOM INTO CTI
Tactical application: Support IR
Prevent → Detect → Respond → Contain → Eradicate → Learn
Inform vulnerability and risk management
• Prioritization
• Remediation
• Monitoring
• Escalations
• Spending
• Changes in risk: impact, likelihood, mitigations
Help communicate why we need specific controls
• We accept the trade-off between usability and safety, but only because we understand why it is better than the alternative.
Validate or assuage concerns
• We are not the target (unless we are).
• We may be a target.
• Rely on data, rather than fear, to support decisions.
• Head off distraction-based management and spending
TACTICAL AND STRATEGIC APPLICATIONS
INJECTING WISDOM INTO CTI
Tactical application: Learn about the attack
Example: Kill Chain Analysis
• NOT a map for IR
• Helps communicate about and guide IR efforts
Recon → Weaponize → Deliver → Exploit → Install → C2 → Action
Tactical application: Learn about the attacker
• Enhance Kill Chain / Information / IOCs with the four Diamond Model vertices:
  • Adversary
  • Capability/TTP
  • Infrastructure
  • Victim
Tactical application: Develop IOCs
Pyramid of Pain (top to bottom, most painful for the adversary to change first):
• Tactics, techniques, and procedures (TTPs)
• Tools
• Network/Host Artifacts
• Domain Names
• IP addresses
• Hashes
IOC lifecycle: Hunt → Detect → Use → Refine → (repeat)
IOCs have a limited shelf life!
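The following is an added example, not code from the Anitian deck, showing how the pyramid and the "limited shelf life" point look in a detection script. Each indicator carries first_seen/last_seen and a per-level shelf life (the lower on the pyramid, the faster it decays); an indicator that has not been sighted within its shelf life stops firing, and every hit refreshes last_seen, which is the Hunt → Detect → Use → Refine loop in code. The pain ranks, shelf-life defaults, log format and indicator values are assumptions constructed for illustration.

```python
"""Indicator matching that honours the Pyramid of Pain and IOC shelf life.

Added example, not code from the Anitian deck. Each indicator keeps
first_seen/last_seen and inherits a per-level shelf life; an indicator that
has not been seen within its shelf life no longer fires, and every hit
refreshes last_seen (the Hunt -> Detect -> Use -> Refine loop). The pain
ranks and shelf-life defaults are assumptions chosen for illustration.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Pyramid of Pain, bottom to top: cost to the adversary of changing the indicator.
PAIN = {"hash": 1, "ip": 2, "domain": 3, "artifact": 4, "tool": 5, "ttp": 6}

# Assumed shelf life per level; the cheaper an indicator is to rotate, the faster it decays.
SHELF_LIFE = {
    "hash": timedelta(days=7),
    "ip": timedelta(days=14),
    "domain": timedelta(days=60),
    "artifact": timedelta(days=365),
    "tool": timedelta(days=365),
    "ttp": timedelta(days=730),
}


@dataclass
class IOC:
    kind: str               # key into PAIN / SHELF_LIFE
    value: str              # literal hash/ip/domain, or an analyst-written regex
    first_seen: datetime
    last_seen: datetime
    source: str = "internal"
    pattern: object = field(init=False, repr=False, default=None)

    def __post_init__(self):
        lit = re.escape(self.value)
        if self.kind == "domain":
            # the domain itself or any subdomain, but not a longer suffix such as evil.example.com
            self.pattern = re.compile(r"(?<![\w.-])(?:[\w-]+\.)*" + lit + r"(?![\w.-])", re.I)
        elif self.kind in ("hash", "ip"):
            # whole token only: 203.0.113.7 must not fire on 203.0.113.70
            self.pattern = re.compile(r"(?<![\w.])" + lit + r"(?![\w.])", re.I)
        else:
            # artifact/tool/ttp indicators are regexes written by the analyst
            self.pattern = re.compile(self.value, re.I)

    def expires_at(self) -> datetime:
        return self.last_seen + SHELF_LIFE[self.kind]

    def is_live(self, at: datetime) -> bool:
        return at < self.expires_at()


def event_time(line: str) -> datetime:
    """Logs are assumed (constructed format) to start with an ISO-8601 UTC timestamp."""
    return datetime.fromisoformat(line.split()[0].replace("Z", "+00:00"))


def scan(lines, iocs):
    """Return (line_no, ioc) hits for indicators live at the event's time, highest pain first."""
    hits = []
    for n, line in enumerate(lines, 1):
        at = event_time(line)
        for ioc in iocs:
            if ioc.is_live(at) and ioc.pattern.search(line):
                ioc.last_seen = max(ioc.last_seen, at)   # Refine: a sighting renews the shelf life
                hits.append((n, ioc))
    hits.sort(key=lambda h: -PAIN[h[1].kind])
    return hits


def stale(iocs, at):
    """Indicators to retire or re-validate before anyone acts on them."""
    return [i for i in iocs if not i.is_live(at)]


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def build_iocs():
    """Constructed indicator set; values are documentation/RFC 5737 placeholders, not real IOCs."""
    d = timedelta
    return [
        IOC("hash", "0123456789abcdef0123456789abcdef", NOW - d(days=90), NOW - d(days=90), "vendor feed"),
        IOC("ip", "203.0.113.7", NOW - d(days=3), NOW - d(days=3), "IR case 1"),
        IOC("domain", "evil.example", NOW - d(days=10), NOW - d(days=10), "IR case 1"),
        IOC("artifact", r"Mozilla/4\.0 \(compatible; MSIE 6\.0\)", NOW - d(days=100), NOW - d(days=100), "IR case 1"),
    ]


# Constructed sample log lines (proxy, EDR, DNS).
LOG_LINES = [
    '2024-05-31T10:15:00Z proxy src=10.0.0.5 dst=203.0.113.7 host=cdn.evil.example ua="Mozilla/4.0 (compatible; MSIE 6.0)"',
    '2024-05-31T10:16:00Z proxy src=10.0.0.6 dst=203.0.113.70 host=notevil.example ua="Mozilla/5.0"',
    '2024-05-31T10:17:00Z edr host=ws12 proc=update.exe md5=0123456789abcdef0123456789abcdef',
    '2024-05-31T10:18:00Z dns query=evil.example type=A',
]

if __name__ == "__main__":
    iocs = build_iocs()
    for n, ioc in scan(LOG_LINES, iocs):
        print(f"line {n}: {ioc.kind} (pain {PAIN[ioc.kind]}) {ioc.value} from {ioc.source}")
    for ioc in stale(iocs, NOW):
        print(f"stale: {ioc.kind} {ioc.value} expired {ioc.expires_at():%Y-%m-%d}")
```

Note that the stale vendor-feed hash is present in line 3 of the sample log and still does not fire: a 90-day-old hash with a 7-day shelf life is noise, not intelligence, until someone re-validates it. The user-agent artifact, high on the pyramid, is still live after 100 days and sorts to the top of the hit list because it is the indicator worth a hunt.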
Strategic application: Process improvement
Threat Intelligence
  • Incident Response
  • Vulnerability Management
  • System Administration
  • Application Support
Strategic application: Share and share alike
• Sharing IOCs and intelligence internally helps the entire business
• Sharing IOCs and intelligence externally helps the entire industry
  • Fosters goodwill
  • Encourages reciprocity
  • InfraGard, ISACs and ISAOs, Cyber Threat Exchanges
Trust your own data, first.
Be careful of what you choose to share.
Strategic application: Decision support
• Security and control frameworks
• Project/vendor/solution selection
• Resourcing
• Security KPIs
Jumping in too soon
Cyber threat intelligence depends on a mature information security program.
Forgetting to wash your hands
In healthcare
• Hand washing is the most effective way to prevent infection!
In systemcare
• Patching is the most effective way to prevent compromise.
• Patch regularly, and follow up
Jumping to conclusions
• Formal CTI processes help avoid confirmation bias.
• Remember high-school science: Do not try to prove a theory, see if you can disprove it.
Tools and suggestions
• Open Source Tools
  • Maltego – relations
  • VirusTotal – hashes
  • Whois – domains
  • DDNS – C2 channels
• Identify Interesting IOCs/TTPs
  • Unique strings – passwords, mutexes
  • Algorithms – bad encryption, encoding dictionary
Storing and Sharing Intelligence
• Tools
  • YARA, OpenIOC, VERIS
  • Traffic Light Protocol (TLP)
  • CybOX, STIX, TAXII
• Information Sharing Organizations
  • InfraGard
  • ISACs and ISAOs
  • Cyber Threat Exchanges
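As an added example (not the deck's code, standard library only), here is what storing an indicator in STIX with a TLP marking and deciding what to share with an ISAC or exchange looks like in practice. The four marking-definition ids are the fixed TLP ids published in the STIX 2.1 specification; STIX 2.1's `valid_until` is where the IOC shelf life from the earlier slide is recorded. The sharing policy, indicator values and confidence scores are assumptions constructed for illustration: a recipient gets objects marked at or below the TLP level they are cleared for, not yet expired, and with a minimum confidence so that un-validated vendor-feed items are not re-shared as our own findings.

```python
"""STIX 2.1 indicators with TLP markings, filtered per recipient before sharing.

Added example, not code from the deck; standard library only. The four
marking-definition ids are the fixed TLP ids from the STIX 2.1 specification.
Sharing policy (an assumption for illustration): a recipient receives objects
marked at or below the TLP level they are cleared for, that have not passed
valid_until, and whose confidence meets a minimum.
"""
import json
import uuid
from datetime import datetime, timedelta, timezone

TLP = {  # STIX 2.1 TLP marking-definition ids
    "white": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "green": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "amber": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "red":   "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
TLP_RANK = {"white": 0, "green": 1, "amber": 2, "red": 3}
LEVEL_OF_ID = {v: k for k, v in TLP.items()}

# STIX pattern templates for the indicator types used in this example.
PATTERNS = {
    "md5":    "[file:hashes.MD5 = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
    "ipv4":   "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url":    "[url:value = '{v}']",
}


def stix_ts(dt: datetime) -> str:
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def indicator(kind, value, name, tlp, valid_from, shelf_life, confidence=50):
    """Build a STIX 2.1 Indicator; valid_until carries the IOC's shelf life."""
    ts = stix_ts(valid_from)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[kind].format(v=value.replace("'", "\\'")),
        "pattern_type": "stix",
        "valid_from": ts,
        "valid_until": stix_ts(valid_from + shelf_life),
        "confidence": confidence,
        "object_marking_refs": [TLP[tlp]],
    }


def tlp_rank(obj) -> int:
    """Most restrictive TLP on an object; an unmarked object is treated as RED."""
    ranks = [TLP_RANK[LEVEL_OF_ID[m]] for m in obj.get("object_marking_refs", []) if m in LEVEL_OF_ID]
    return max(ranks) if ranks else TLP_RANK["red"]


def for_recipient(objects, cleared_for, now, min_confidence=50):
    """Objects a recipient cleared for `cleared_for` may receive right now."""
    out = []
    for o in objects:
        if tlp_rank(o) > TLP_RANK[cleared_for]:
            continue                                   # marked above the recipient's clearance
        if o.get("confidence", 0) < min_confidence:
            continue                                   # trust your own validated data first
        until = o.get("valid_until")
        if until and datetime.strptime(until, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc) <= now:
            continue                                   # shelf life exceeded
        out.append(o)
    return out


def to_json(objects) -> str:
    """Wrap the objects in a STIX Bundle ready for TAXII or manual exchange."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}, indent=2)


NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def sample_objects():
    """Constructed indicators; values are documentation placeholders, not real IOCs."""
    d = timedelta
    return [
        indicator("domain", "evil.example", "C2 domain from IR case 1", "amber", NOW - d(days=10), d(days=60), 90),
        indicator("ipv4", "203.0.113.7", "C2 address from IR case 1", "red", NOW - d(days=3), d(days=14), 90),
        indicator("sha256", "ab" * 32, "Dropper hash from vendor feed", "green", NOW - d(days=30), d(days=7), 40),
        indicator("md5", "0123456789abcdef0123456789abcdef", "Dropper hash from IR case 1", "green", NOW - d(days=2), d(days=7), 80),
    ]


if __name__ == "__main__":
    objs = sample_objects()
    for recipient in ("white", "green", "amber"):
        print(recipient, [o["name"] for o in for_recipient(objs, recipient, NOW)])
    print(to_json(for_recipient(objs, "amber", NOW)))
```

With the constructed set, an ISAC cleared for TLP:AMBER receives the domain and the validated MD5, never the TLP:RED address, and never the low-confidence, already-expired feed hash; a public (TLP:WHITE) recipient receives nothing at all. Treating an unmarked object as RED is the safe default for "be careful of what you choose to share".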
Countering Threats
• Defeat bad habits
  • Avoid overreacting
  • Placating
• Analysis of Competing Hypotheses (ACH)
  • Brainstorm any/all possibilities
  • Identify missing/needed information
• Threat Modeling
  • Target-centered, adversary-centered
  • Focus CTI and security efforts
QUESTIONS
Use the chat feature to ask your questions
Or email [email protected]
EMAIL: [email protected]
WEB: www.anitian.com
BLOG: blog.anitian.com
SLIDES: bit.ly/anitian
CALL: 888-ANITIAN (264 8426)
THANK YOU!