ANITIAN: intelligent information security

Injecting Wisdom into Cyber Threat Intelligence



Meet the Speaker

Jordan Wiseman

• Certified Risk Assessor, QSA, GSEC

• 18+ years experience in Information Technology and Security

• 13+ years in Healthcare security, privacy, and HIPAA compliance


ANITIAN Intelligent Information Security

Risk assessment, third party risk management

Penetration testing, application security

Compliance audit and assessment

Cybersecurity leadership as a service (LaaS)

Managed security operations, threat hunting


Outline

• What Cyber Threat Intelligence IS and IS NOT

• How CTI complements, but does not replace, traditional security

• Tactical and strategic applications for CTI

• Common CTI problems and how to avoid them

• Additional thoughts


WHAT CTI IS AND IS NOT


What IS NOT cyber threat intelligence

Threat “feeds”

• Firehoses

• Varying audiences

• Irrelevant data

• Lack context

“Intelligent” tech

• Specialists

• Behavior monitoring

• Adaptive rules

• Policy-based security


What IS NOT cyber threat intelligence

Automated defenses

• DDoS mitigations

• Active containment

• Fraud detection

• Reputation

Security analytics

• Pattern recognition

• Trend finding

• Log monitoring

• Alerting


What IS NOT cyber threat intelligence

• Threat “feeds”

• “Intelligent” tech

• Automated defenses

• Security analytics

These are tools.


What IS cyber threat intelligence

Using the tools to gather and analyze information about an attacker’s…

• Intentions

• Abilities

• Opportunities

…to inflict harm.


What IS cyber threat intelligence

Diagram: the analysis of… Ability, Opportunity, Intent

If an attacker has… …an attack is:

• Opportunity + Intent: Questionable

• Ability + Opportunity: Possible

• Ability + Intent: Expected

Cyber threat intelligence is the analyzed information about the intent, ability, and opportunity of an attacker.


What IS cyber threat intelligence

Information → Analysis → Intelligence

• Risk assessments seek to identify who and what might threaten business.

• Threat intelligence seeks to identify who and what is threatening the business.


COMPLEMENTING TRADITIONAL INFOSEC


Tactical application: Support IR

Prevent → Detect → Respond → Contain → Eradicate → Learn


Inform vulnerability and risk management

• Prioritization

• Remediation

• Monitoring

• Escalations

• Spending

• Changes in risk

• Impact

• Likelihood

• Mitigations


Help communicate why we need specific controls

• We accept the trade-off between usability and safety, but only because we understand why it is better than the alternative.


Validate or assuage concerns

• We are not the target (unless we are).

• We may be a target.

• Rely on data, rather than fear, to support decisions.

• Head off distraction-based management and spending.


TACTICAL AND STRATEGIC APPLICATIONS


Tactical application: Learn about the attack

Example: Kill Chain Analysis

• NOT a map for IR

• Helps communicate about and guide IR efforts

Recon → Weaponize → Deliver → Exploit → Install → C2 → Action


Tactical application: Learn about the attacker

• Enhance Kill Chain / Information / IOCs

Diagram: Adversary, Capability/TTP, Victim, Infrastructure (delivered)


Tactical application: Develop IOCs

Pyramid of Pain, top to bottom:

• Tactics, techniques, and procedures (TTPs)

• Tools

• Network/Host artifacts

• Domain names

• IP addresses

• Hashes

Cycle: Hunt, Detect, Use, Refine

IOCs have a limited shelf life!
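The hunt/detect/use/refine cycle with a shelf life per pyramid level, as an added example that is not from the deck: the level names, the shelf-life values, the indicators and the log lines are all assumptions constructed for illustration (reserved example domains and TEST-NET addresses), and the substring match is deliberately simple.

```python
from datetime import date, timedelta

# ASSUMED shelf life (days) per Pyramid of Pain level: the lower the level,
# the cheaper it is for an attacker to change, so the sooner the IOC goes stale.
SHELF_LIFE_DAYS = {"hash": 14, "ip": 30, "domain": 60,
                   "artifact": 180, "tool": 365}

def is_live(ioc, today):
    """An IOC is live while it is no older than the shelf life for its level."""
    return (today - ioc["first_seen"]).days <= SHELF_LIFE_DAYS[ioc["level"]]

def detect(iocs, log_lines, today):
    """Detect: (line_no, ioc_value, level) for every live IOC found in a line.
    Expired IOCs are skipped so stale indicators do not generate alerts."""
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for ioc in iocs:
            if is_live(ioc, today) and ioc["value"].lower() in line.lower():
                hits.append((n, ioc["value"], ioc["level"]))
    return hits

def refine(iocs, today):
    """Refine: split the store into live and expired so stale IOCs get reviewed."""
    live = [i for i in iocs if is_live(i, today)]
    expired = [i for i in iocs if not is_live(i, today)]
    return live, expired

# Constructed sample data (placeholder hash, TEST-NET IP, example domain).
TODAY = date(2016, 6, 1)
IOCS = [
    {"value": "deadbeefdeadbeefdeadbeefdeadbeef", "level": "hash", "first_seen": TODAY - timedelta(days=40)},
    {"value": "203.0.113.7", "level": "ip", "first_seen": TODAY - timedelta(days=10)},
    {"value": "update.bad.example.net", "level": "domain", "first_seen": TODAY - timedelta(days=45)},
    {"value": "Temp\\updater.bat", "level": "artifact", "first_seen": TODAY - timedelta(days=100)},
]
LOGS = [  # constructed proxy, firewall and AV lines
    "2016-06-01T08:01:02 proxy GET http://update.bad.example.net/a.php user=alice",
    "2016-06-01T08:02:15 fw allow src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2016-06-01T08:03:44 av quarantined C:\\Windows\\Temp\\updater.bat md5=deadbeefdeadbeefdeadbeefdeadbeef",
]

if __name__ == "__main__":
    for n, value, level in detect(IOCS, LOGS, TODAY):
        print(f"line {n}: {level} IOC {value}")
    live, expired = refine(IOCS, TODAY)
    print(f"{len(live)} live, {len(expired)} expired (review before re-use)")
```

The expired hash still appears in the third log line but no longer fires; the aged domain is kept because domains are assumed to stay useful longer than hashes.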


Strategic application: Process improvement

Threat Intelligence

Incident Response

Vulnerability Management

System Administration

Application Support


Strategic application: Share and share alike

• Sharing IOCs and intelligence internally helps the entire business

• Sharing IOCs and intelligence externally helps the entire industry

  • Fosters goodwill

  • Encourages reciprocity

  • InfraGard, ISACs and ISAOs, Cyber Threat Exchanges

Trust your own data, first.

Be careful of what you choose to share.


Strategic application: Decision support

• Security and control frameworks

• Project/vendor/solution selection

• Resourcing

• Security KPIs


COMMON PITFALLS


Jumping in too soon

Cyber threat intelligence depends on a mature information security program.


Forgetting to wash your hands

In healthcare

• Hand washing is the most effective way to prevent infection!

In systemcare

• Patching is the most effective way to prevent compromise.

• Patch regularly, and follow up.


Jumping to conclusions

• Formal CTI processes help avoid confirmation bias.

• Remember high-school science: Do not try to prove a theory, see if you can disprove it.


ADDITIONAL THOUGHTS


Tools and suggestions

• Open Source Tools

  • Maltego – relations

  • VirusTotal – hashes

  • Whois – domains

  • DDNS – C2 channels

• Identify Interesting IOCs/TTPs

  • Unique strings – passwords, mutexes

  • Algorithms – bad encryption, encoding dictionary


Storing and Sharing Intelligence

• Tools

  • YARA, OpenIOC, VERIS

  • Traffic Light Protocol (TLP)

  • CybOX, STIX, TAXII

• Information Sharing Organizations

  • InfraGard

  • ISACs and ISAOs

  • Cyber Threat Exchanges


Countering Threats

• Defeat bad habits

  • Avoid overreacting

  • Placating

• Analysis of Competing Hypotheses (ACH)

  • Brainstorm any/all possibilities

  • Identify missing/needed information

• Threat Modeling

  • Target-centered, adversary-centered

  • Focus CTI and security efforts


QUESTIONS

Use the chat feature to ask your questions

Or email [email protected]


EMAIL: [email protected]

WEB: www.anitian.com

BLOG: blog.anitian.com

SLIDES: bit.ly/anitian

CALL: 888-ANITIAN (264 8426)

THANK YOU!