The broad list of topics includes (but is not limited to):
- What is Threat Intelligence?
- Types of Threat Intelligence
- Intelligence Lifecycle
- Threat Intelligence - Classification & Vendor Landscape
- Threat Intelligence Standards (STIX, TAXII, etc.)
- Open Source Threat Intel Tools
- Incident Response
- Role of Threat Intel in Incident Response
- Bonus Agenda
Disclaimer
• I am not an intelligence analyst but would love to be
• The topic is close to my heart
• Do not expect any FM (Freakin' Magic)
• The objective is to help attendees get familiar with the world of threat intel
Agenda
• Overview of Threat Intel
• Understanding Threat Intel
• What is Cyber Threat Intelligence?
• Types of Threat Intel
• Intelligence Lifecycle
• Threat Intel – Classification & Vendor Landscape
• Threat Intel – Standards
• Open Source Threat Data/Intel Sources
• Bonus Agenda
Overview
• Buzzword
• Growing field
  - $250M in 2013
  - $1.5B in 2018
• Lots of new service providers entering the market
• And still maturing
Threat
Risk = Vulnerability * Threat * Impact
Threat = Intent * Capability
We like the term "Threat Actor". May be any of:
• Cybercrime
• State-sponsored
• Hacktivism
• Insider
• Industry competition
Intelligence
a.k.a. Renseignement, ré-enseignement
• Environment → Data → Information → Intelligence
• Intelligence is a cyclic process
• Analysis and contextualization
• Models help counter diversity with abstraction
Strategic TI
• Target audience: decision-makers
• Focus on changing risks, high-level topics
  • Geopolitics
  • Foreign markets
  • Cultural background
• Vision timeframe: years
Note: You may never have heard of this; could be explained by lack of maturity in orgs
Operational TI
• Target audience: defenders
• Focus on current & future attacks:
  • Who, what, when?
  • Early warning on incoming attacks
  • Social media activity
• Vision timeframe: months, weeks, hours
Note: Hard for private companies to obtain on advanced attackers; traditionally collected through HUMINT / SIGINT
Tactical TI
• Target audience: architects & sysadmins
• Focus on "TTPs":
  • Attacker modus operandi
  • Blue team / red team tools
  • Exfiltration / C2 methods
  • Persistence / stealth / deception mechanisms
• Vision timeframe: weeks to a year
Note: The most common form of threat intel (and marketing) produced today; easy to obtain
Technical TI
a.k.a. Data
• Target audience: SOC, IR people
• Focus on raw observables:
  • Indicators of compromise
  • Host and network artifacts
  • Yara, Snort, OpenIOC rules
• Vision timeframe: hours to years
Note: Man-hours are valuable. Technical TI is abundant. Processing should be as automated as possible.
Weaponry
• Strategic: will feed SWOT, risk assessments, Porter Diamond model, ...
• Tactical: Cyber Kill-chain, Diamond model, ACH
• Operational: OODA Loop, Pyramid of Pain
• Technical: F3EAD, CIF, FIR, MISP, Malcom, Maltego, ...
Intelligence Cycle applied to CTI in orgs
• Planning
  • What are you looking for?
• Collection
  • OSINT/HUMINT
  • Logs/data points inside the org
  • Honeypots/nets/docs, social networks
  • FM-5
• Processing
  • Synthesizing the collected data so that the intelligence analyst can work
• Analysis
  • Finished intelligence
• Dissemination
  • Present to the right audience
Symantec's 12-month retail subscription to its reputation feed costs $95,300 (approx. INR 6,100,000)
FireEye threat intelligence appliances start at around $17,000 and go up to $175,000 per unit
CIF: Collective Intelligence Framework
• Developed by REN-ISAC
• http://csirtgadgets.org/collective-intelligence-framework/
• Does not generate data; simply takes sources, normalizes them, and then outputs by given types
• Limited in the types of data it can handle:
  – URLs
  – Domains
  – IPs
  – MD5s
• Certainly more to threat intel than this, but it's a start
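The automation point from the Technical TI slide (abundant raw observables, processing should be automated) and the CIF description above (take sources, normalize them, output by type: URLs, domains, IPs, MD5s) can be shown end to end in a few dozen lines. The following Python is an added example written for this page; it is not CIF's code and not from the original deck. The feed entries, the key=value log format and every address, hostname and hash in it are constructed (documentation-range values), and the four type names `url`, `domain`, `ip`, `md5` are an assumption chosen to mirror CIF's list.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample feed: mixes indicator types, a comment, a duplicate
# IP, the same URL in two spellings, and one junk line. Not real IoCs.
SAMPLE_FEED = """\
# constructed feed: mixed types, duplicates, one junk line
http://malicious.example/payload.exe
HTTP://Malicious.EXAMPLE/payload.exe
evil.example
198.51.100.23
198.51.100.23
d41d8cd98f00b204e9800998ecf8427e
not an indicator
"""

# Constructed log lines in a hypothetical key=value style.
LOG_LINES = [
    'proxy client=10.0.0.5 url="http://malicious.example/payload.exe" status=200',
    'dns client=10.0.0.7 query=evil.example type=A',
    'fw src=10.0.0.9 dst=198.51.100.23 action=allow',
    'av host=ws-12 file=update.bin md5=D41D8CD98F00B204E9800998ECF8427E verdict=clean',
    'proxy client=10.0.0.5 url="https://www.example.org/" status=200',
]

MD5_RE = re.compile(r"[0-9a-f]{32}")
DOMAIN_RE = re.compile(r"(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}")
TOKEN_SPLIT = re.compile(r"[\s=\"',;]+")


def classify(token):
    """Return (type, normalized_value) for one token, or (None, token).

    The types mirror the four CIF handles: md5, ip, url, domain (checked in
    that order). Hashes and hostnames are lower-cased so that duplicates in a
    feed collapse to a single entry.
    """
    raw = token.strip().strip('"\'')
    t = raw.lower()
    if MD5_RE.fullmatch(t):
        return "md5", t
    try:
        return "ip", str(ipaddress.ip_address(t))
    except ValueError:
        pass
    if "://" in t:
        p = urlparse(raw)  # urlparse already lower-cases the scheme
        if p.scheme and p.netloc:
            norm = f"{p.scheme}://{p.netloc.lower()}{p.path or '/'}"
            if p.query:
                norm += "?" + p.query
            return "url", norm
    # Note: file names such as "update.bin" also satisfy this pattern; a hit
    # only counts later if the value is actually present in the feed.
    if DOMAIN_RE.fullmatch(t):
        return "domain", t
    return None, token


def normalize_feed(text):
    """Collapse a raw feed into {type: set(normalized values)}.

    Blank lines and '#' comments are skipped; entries that fit none of the
    four types land under 'unclassified' so nothing is silently dropped.
    """
    out = defaultdict(set)
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        kind, value = classify(line)
        out[kind or "unclassified"].add(value)
    return dict(out)


def match_logs(indicators, log_lines):
    """Scan log lines for feed hits; returns [(line_no, type, value), ...].

    Every token is classified the same way as a feed entry, so an upper-case
    hash in a log still matches. A URL hit is additionally checked by its
    host against the domain set.
    """
    hits = []
    for n, line in enumerate(log_lines, start=1):
        for tok in TOKEN_SPLIT.split(line):
            if not tok:
                continue
            kind, value = classify(tok)
            if kind and value in indicators.get(kind, ()):
                hits.append((n, kind, value))
            if kind == "url":
                host = urlparse(value).hostname
                if host and host in indicators.get("domain", ()):
                    hits.append((n, "domain", host))
    return hits


if __name__ == "__main__":
    feed = normalize_feed(SAMPLE_FEED)
    for kind, values in sorted(feed.items()):
        print(f"{kind}: {sorted(values)}")
    for hit in match_logs(feed, LOG_LINES):
        print("hit:", hit)
```

The two spellings of the URL and the repeated IP collapse to one entry each, the upper-case MD5 in the antivirus log still matches, and the junk line is kept under `unclassified` rather than discarded, which is the behaviour you want before a feed is pushed into a blocklist or a SIEM lookup.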
F3EAD
• A target-centric approach to intelligence analysis
• Bridge between operations and intelligence
• a.k.a. "Hunting"
Conclusion
• TI is closely related to traditional intelligence
• Models help but have limitations
• The quality of your TI directly influences the quality of your response
• Tools to store, analyze, and share intelligence exist, but there's room for improvement