Speaker at the IDC IT Security Roadshow 2017 in Doha. It was a one day event bringing together some Security Vendors and End User folks to present and discuss security related topics. The event midway was split into two tracks A - Threat Intelligence and B - Securing the Endpoint to the cloud. My End User Presentation (Track A) covered Threat Intelligence. There were some interesting speakers and audience Q & A discussions followed by a networking lunch to boot. The venue at the Shangri La Hotel in Doha provided a great space and good networking opportunity.
2. DISCLAIMER

All views, opinions, slide materials and charts contained herein are solely for demonstration purposes ONLY by the presenter and are in no way connected, endorsed or to be construed as advice or legal guidance in any manner or form from any company, corporation or legal entity.

This presentation does not constitute or form part of, and should not be construed as, an offer, invitation or inducement to purchase or subscribe for services or products, nor shall it or any part of it form the basis of, or be relied on in connection with, any contract or commitment whatsoever. This presentation does not constitute either advice or a recommendation regarding any service or product.

Information used in this presentation is "non-proprietary" and "public" in nature and aggregated from publicly available sources and the internet.
3. CYBER THREAT INTELLIGENCE : PAST AND PRESENT

"Keep your friends close and your enemies closer." (Don Corleone, The Godfather)

"I fear the Greeks, even when bearing gifts." (Virgil, Aeneid II, 49, written 29-19 BC)

"A horse, a horse, my kingdom for a horse." (Shakespeare, Richard III)

HISTORY: a Trojan horse.
PRESENT: a spear phishing email.
4. THREAT INTELLIGENCE : LANDSCAPE

AGILITY
Highly technical players weaponize a new vulnerability within hours. There is a black market for tools and zero-day exploits, and vendors are always in catch-up mode.

EVOLUTION
Rapid code sharing and an active community generate variants in multiples. It is no longer rocket science, nor does it require large funding, hardware or exceptional talent.

SLA
Service Level Agreements are based on predictable behavior. We need to learn to love the unpredictable and unexpected.

DIVERSITY
Modern exploits are so varied and diverse that old risk models are inadequate. ISO 27001 compliance on its own provides no guarantee of security.

DIGITAL FRAUD
On an epidemic scale, with estimated yearly losses in the billions. Well coordinated and often run by teams or gangs spread across global geographies.

STATE SPONSORED
Highly productive and well funded teams with links to military and government. Often carried out by known adversaries or allies, e.g. the 2016 US election intrusions attributed to Fancy Bear and Cozy Bear.
5. DEFINITION

"Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject's response to that menace or hazard." (Gartner)
6. WHAT IS THREAT INTELLIGENCE ?

Intelligence: information about threats and threat actors that provides sufficient understanding for mitigating a harmful event. (Gartner)

TACTICAL
Technical intelligence, such as using threat indicators to proactively hunt for and defend against adversaries.

OPERATIONAL
Intelligence focused on the motivations, intent and capabilities (including TTPs) of adversaries.

STRATEGIC
Intelligence about the risks and implications associated with threats, used to inform business decisions and direct cyber security investment.
7. CYBER THREAT INTELLIGENCE : DATA FUNNEL

What are we looking for?

RAW DATA
Of limited use in the big picture.

INFORMATION
More coherent, but still limited scope for extrapolation.

INTELLIGENCE
The product of deep analysis: selective, filtered, drawn from trusted feeds and reliable sources.
8. CYBER THREAT INTELLIGENCE : VERIZON 2016 DBIR

WHY ARE PEOPLE ATTACKING?

Financial motives lead, reflecting the maturity of cyber criminals and organized groups; ransomware rules.

State actors follow, using spyware for espionage and intellectual property theft; exfiltration is rampant.

State / nation sponsored "war by other means": methods to damage critical infrastructure, e.g. Stuxnet and Shamoon.
9. CYBER THREAT INTELLIGENCE : VERIZON 2016 DBIR

ARMED AND DANGEROUS

Hacking and malware lead, growing steeply with no sign of a slowdown.

Social engineering dominates as the entry platform: targeted spear phishing, "freebies" and malicious attachments.

Physical may be the next great wave, with the IoT domain on the verge of takeoff.
10. CYBER THREAT INTELLIGENCE : VERIZON 2016 DBIR

DETECTION DEFICIT

Attacks are faster and more persistent; business is still trailing and playing catch-up.

No more waiting: systems are compromised within days of a vulnerability becoming public, and zero-day exploits leave no patch window at all.

Compromise discovery takes weeks or months, and sometimes years.
11. CYBER THREAT INTELLIGENCE : VERIZON 2016 DBIR

DISCOVERY METHODS

Internal discovery is poor and still declining: a skills or technology deficit.

Law enforcement is doing better and improving. Fraud detection is becoming increasingly difficult.

Third-party discovery is improving; independent security labs are raising their game.
12. THREAT INTELLIGENCE : STANDARDS & TOOLS

DEVELOPING TOOLS
A collaborative, community-driven effort to define and develop a structured language to represent cyber threat information.

STIX (Structured Threat Information eXpression)
A standardized language for representing structured cyber threat information so that it can be understood by both humans and security tooling. STIX 1.x is XML-based; STIX 2.x (maintained by OASIS) is JSON-based. It is a data model and serialization format, not a programming language.

STIX use cases include:
■ Analyzing cyber threats
■ Specifying indicator patterns for cyber threats
■ Managing cyber threat prevention and response activities
■ Sharing cyber threat information

STIX provides a unifying architecture tying together:
■ Observables (e.g. registry key, IP address, email)
■ Indicators (observables with meaning attached)
■ Incidents (instances of specific adversary actions)
■ Adversary Tactics, Techniques and Procedures (TTPs)
■ Exploit Targets (e.g. vulnerabilities, weaknesses)
■ Courses of Action (incident response or remedy)

TAXII (Trusted Automated eXchange of Indicator Information)
Defines a set of services and message exchanges that, when implemented, enable sharing of actionable cyber threat information across organizational, product-line and service boundaries. TAXII is the transport; the content it carries is expressed in STIX.
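The tactical use of STIX, indicators hunted against observables and hits recorded as sightings, as an added example that is not part of the deck. It uses STIX 2.1 JSON objects (the OASIS successor to the XML-based 1.x described above) built with the standard library only; the indicator values, the proxy log format and the log lines are constructed for the example, and the pattern parser handles only single-comparison patterns. The OASIS Python libraries stix2 and taxii2-client would do this in production; they are deliberately not used here so the block runs offline.

```python
"""Added example: STIX 2.1 Indicator objects (JSON) whose patterns are hunted
across constructed proxy log lines, producing STIX Sighting objects for hits.
Standard library only; no TAXII server or network access needed."""
import json
import re
import uuid
from datetime import datetime, timezone

# Subset of the STIX pattern grammar handled here: one comparison expression,
# e.g. [ipv4-addr:value = '198.51.100.7']; AND/OR/FOLLOWEDBY are rejected.
_PATTERN_RE = re.compile(
    r"^\[(?P<otype>[a-z0-9-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'\]$")


def stix_now() -> str:
    """RFC 3339 UTC timestamp with millisecond precision, as STIX requires."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def make_indicator(otype, prop, value, name, confidence) -> dict:
    """Minimal STIX 2.1 Indicator SDO wrapping a single-comparison pattern."""
    ts = stix_now()
    return {"type": "indicator", "spec_version": "2.1",
            "id": f"indicator--{uuid.uuid4()}", "created": ts, "modified": ts,
            "name": name, "indicator_types": ["malicious-activity"],
            "pattern_type": "stix", "pattern": f"[{otype}:{prop} = '{value}']",
            "valid_from": ts, "confidence": confidence}


def parse_pattern(pattern: str):
    """Return (object_type, property, value); raise on unsupported patterns."""
    m = _PATTERN_RE.match(pattern)
    if m is None:
        raise ValueError(f"unsupported STIX pattern: {pattern}")
    return m["otype"], m["prop"], m["value"]


def parse_proxy_line(line: str):
    """Constructed proxy log format '<ts> <src_ip> <dst_ip> <host> <url>'.
    Returns (ts, src_ip, observables) where observables maps a STIX
    (object type, property) pair to the values present on the line."""
    ts, src, dst, host, url = line.split()
    return ts, src, {("ipv4-addr", "value"): {src, dst},
                     ("domain-name", "value"): {host},
                     ("url", "value"): {url}}


def hunt(indicators: list, log_lines: list) -> list:
    """Match every indicator pattern against every line; one Sighting per hit."""
    sightings = []
    for line in log_lines:
        ts, src, observables = parse_proxy_line(line)
        for ind in indicators:
            otype, prop, value = parse_pattern(ind["pattern"])
            if value in observables.get((otype, prop), ()):
                now = stix_now()
                sightings.append({"type": "sighting", "spec_version": "2.1",
                                  "id": f"sighting--{uuid.uuid4()}",
                                  "created": now, "modified": now,
                                  "sighting_of_ref": ind["id"],
                                  "first_seen": ts, "last_seen": ts, "count": 1,
                                  "description": f"{ind['name']} seen from {src}"})
    return sightings


def make_bundle(objects: list) -> str:
    """Serialize SDOs/SROs as a STIX 2.1 Bundle, the unit a TAXII server exchanges."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
                       "objects": objects}, indent=2)


# Constructed indicators; addresses and domains are from documentation ranges
INDICATORS = [
    make_indicator("ipv4-addr", "value", "198.51.100.7", "C2 beacon address", 80),
    make_indicator("domain-name", "value", "update.evil.example", "Phishing drop site", 60),
    make_indicator("url", "value", "http://update.evil.example/a.exe", "Payload URL", 90),
]

# Constructed proxy log lines, not real traffic
LOG_LINES = [
    "2017-03-07T09:12:01Z 10.0.0.5 203.0.113.10 www.example.com http://www.example.com/",
    "2017-03-07T09:12:09Z 10.0.0.5 198.51.100.7 update.evil.example http://update.evil.example/a.exe",
    "2017-03-07T09:13:44Z 10.0.0.9 203.0.113.10 www.example.com http://www.example.com/login",
]

if __name__ == "__main__":
    print(make_bundle(INDICATORS + hunt(INDICATORS, LOG_LINES)))
```

Only the second log line matches, and it matches all three indicators, so three Sighting objects are produced, each carrying `sighting_of_ref` back to its indicator. Rejecting compound patterns rather than silently matching part of them matters: an `AND` pattern that is only half-checked produces false sightings that are then shared onward over TAXII.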
13. THREAT INTELLIGENCE : CHALLENGES

INTERNAL SKILLS DEFICIT
Lack of specialized CTI resources. Unable to leverage expensive tools fully. Understaffed NOC/SOC for 24/7 coverage.

DATA OVERLOAD
Immense volumes of data are available from CTI sources, vendors, public/private sharing platforms and international CERTs. Resources are drowning in data without reprieve.

VENDOR SOLUTIONS
Difficult to identify the right CTI vendor solution in a crowded market. Vendors need to be constantly providing the latest relevant CTI feeds; any lag in a feed leaves defenders behind the curve.

MANAGEMENT SUPPORT
A hard climb to get top-level management support for sharing CTI, especially with outside agencies and teams.

POLICIES & PROCEDURES
Develop them using a risk-based approach. Work with business owners to classify data criticality. Bake in BCP and DR plans and drill schedules.

COMMUNICATION CHANNEL
Build effective information exchange channels between CTI teams and internal business function owners.
14. TIP : THREAT INTELLIGENCE PLATFORM

What do we look for?

01 Feeds
Subscribes to reliable internal and external feeds that source all the necessary information.

02 Analyze
Enrich, connect, contextualize and prioritize your data by means of the deep analytics and BI tools available today.

03 Integrate
Plan to integrate your TI data with existing security tools (firewalls, IDS/IPS, WAFs, vulnerability management, SIEMs). Expand the ROI on current infrastructure and assets.

04 History
Keeps track of historic data for reference and trend analysis, in pursuit of repeatable patterns of bad actors and methods.

05 Community
Allows interaction with common-interest communities for sharing cyber threat intelligence data. A tome of knowledge builds up over time and helps other security teams collaborate on threat data.

06 Executive
CIO/CISO and other senior executives gain informed insights for strategic decision making.
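The Analyze and Integrate steps above, as an added example that is not part of the deck and not any vendor's TIP code. It takes constructed feed records (the kind a platform holds after ingesting several feeds), merges duplicates, scores each indicator by source reliability and feed confidence, ages it out, strips an allowlist of own infrastructure, and exports the survivors as a firewall blocklist and Suricata rules. The source grades follow the Admiralty A-F reliability scale; the grade-to-weight mapping, the decay policy, the threshold and every feed entry are assumptions made for the example.

```python
"""Added example: the 'Analyze' and 'Integrate' steps of a TIP pipeline on
constructed feed data. Duplicates are merged, each record is scored as
confidence x source reliability x age decay, own infrastructure is allowlisted,
and the survivors are exported as a blocklist and Suricata rules."""
from datetime import datetime, timezone

# Fixed 'now' so the worked numbers are reproducible (assumption, not live data)
AS_OF = datetime(2017, 3, 8, tzinfo=timezone.utc)

# Admiralty source-reliability grades mapped to a weight (assumed mapping)
RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.0}
SOURCE_GRADE = {"vendor-feed": "B", "isac-share": "B", "paste-scraper": "E"}

# Own infrastructure that must never be blocked, whatever a feed says
ALLOWLIST = {("ipv4", "192.0.2.53")}   # constructed: the corporate resolver

# Constructed feed records, as a TIP would hold them after ingesting several feeds
FEED = [
    {"type": "ipv4", "value": "198.51.100.7", "source": "vendor-feed",
     "confidence": 80, "last_seen": "2017-03-06T00:00:00Z", "tags": ["c2"]},
    {"type": "ipv4", "value": "198.51.100.7", "source": "isac-share",
     "confidence": 70, "last_seen": "2017-03-07T00:00:00Z", "tags": ["c2", "apt"]},
    {"type": "domain", "value": "update.evil.example", "source": "paste-scraper",
     "confidence": 50, "last_seen": "2017-03-05T00:00:00Z", "tags": ["phishing"]},
    {"type": "ipv4", "value": "203.0.113.99", "source": "vendor-feed",
     "confidence": 90, "last_seen": "2016-09-01T00:00:00Z", "tags": ["scanner"]},
    {"type": "ipv4", "value": "192.0.2.53", "source": "paste-scraper",
     "confidence": 95, "last_seen": "2017-03-07T00:00:00Z", "tags": ["c2"]},
]


def age_decay(last_seen: str, as_of: datetime, fresh_days=7, expire_days=90) -> float:
    """1.0 while fresh, then linear decay to 0.0 at expire_days (assumed policy)."""
    seen = datetime.strptime(last_seen, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    age = (as_of - seen).days
    if age <= fresh_days:
        return 1.0
    if age >= expire_days:
        return 0.0
    return 1.0 - (age - fresh_days) / (expire_days - fresh_days)


def score(record: dict, as_of: datetime) -> float:
    """Unknown sources get grade F, i.e. a weight of zero."""
    weight = RELIABILITY[SOURCE_GRADE.get(record["source"], "F")]
    return round(record["confidence"] * weight * age_decay(record["last_seen"], as_of), 1)


def prioritise(feed: list, as_of: datetime, threshold: float = 40.0) -> list:
    """Merge duplicates, drop allowlisted and low-scoring entries, best first."""
    merged = {}
    for rec in feed:
        key = (rec["type"], rec["value"])
        if key in ALLOWLIST:
            continue
        entry = merged.setdefault(key, {"type": rec["type"], "value": rec["value"],
                                        "score": 0.0, "sources": set(), "tags": set()})
        entry["score"] = max(entry["score"], score(rec, as_of))
        entry["sources"].add(rec["source"])
        entry["tags"].update(rec["tags"])
    kept = [e for e in merged.values() if e["score"] >= threshold]
    return sorted(kept, key=lambda e: e["score"], reverse=True)


def export_blocklist(entries: list) -> list:
    """One line per entry, with provenance kept as a comment for later review."""
    return [f"{e['value']} # score={e['score']} sources={','.join(sorted(e['sources']))}"
            f" tags={','.join(sorted(e['tags']))}" for e in entries]


def export_suricata(entries: list, first_sid: int = 9000000) -> list:
    """IP rules for addresses, dns.query content matches for domains."""
    rules = []
    for sid, e in enumerate(entries, start=first_sid):
        msg = f"CTI {','.join(sorted(e['tags']))} score {e['score']}"
        if e["type"] == "ipv4":
            rules.append(f'alert ip $HOME_NET any -> {e["value"]} any '
                         f'(msg:"{msg}"; sid:{sid}; rev:1;)')
        elif e["type"] == "domain":
            rules.append(f'alert dns any any -> any any (msg:"{msg}"; dns.query; '
                         f'content:"{e["value"]}"; nocase; sid:{sid}; rev:1;)')
    return rules


if __name__ == "__main__":
    top = prioritise(FEED, AS_OF)
    print("\n".join(export_blocklist(top) + export_suricata(top)))
```

With these inputs only 198.51.100.7 reaches enforcement, scored 64.0 from the vendor feed and corroborated by the ISAC share. The phishing domain is dropped because a grade-E scraper alone does not clear the threshold, the scanner address is aged out after six months, and the resolver is removed by the allowlist regardless of what the feed claims about it. That last check is the one most often missing from naive feed-to-firewall integrations.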
15. CONCLUSION : CYBER THREAT INTELLIGENCE IMPERATIVES

SERVICE DELIVERY
IT must be able to set expectations for service quality, availability and timeliness; high availability and data protection are integral to setting them. Maintain availability and customer satisfaction at current levels or better. CTI gathering should never impede the business model.

LONG TERM
Build a strategy to stay current with CTI and push to improve the infrastructure that supports the vision. A stitch in time saves lives. Realise long-term cost savings by spending wisely now: invest in staff training and in building out pen-testing, NOC and SOC skills and staffing.

SIMPLICITY
Aim for ease of acquiring, deploying and managing the IT cyber security infrastructure, and of deploying IT workloads. Apply the KISS rule so that you are not overreaching expectations.