This document outlines a roadmap for developing an effective actionable threat intelligence program. It discusses what threat intelligence is, how it can enable businesses, and provides recommendations for collecting intelligence from internal and external sources. The roadmap involves initially developing a foundation, then formalizing processes, and moving toward maturity with a goal of demonstrating return on investment from averted threats.
Road map for actionable threat intelligence
1. Road-map for actionable threat intelligence
Making Information Security Smarter
Abhi Singh, CISSP, CISA, CRISC, CISM, CCSK
2. Headline of the day
Tuesday, February 12, 2013: State of the Union Address
Wednesday, October 2, 2012: U.S. Cyber Command GEN Keith Alexander
Thursday, December 19, 2013: Headline of the day
Chart shown on the slide (values as labelled): External 92%, Internal passive 4%, Internal active 2%, Unknown 2%
3. What do I want to demonstrate?
What is actionable cyber threat intelligence
How does it enable business?
Why is actionable cyber threat intelligence not a product?
How can you develop a sound framework?
What are some capabilities that you would need?
4. What is a Cyber Threat and Threat Intelligence?
Defense Science Board Task Force on Resilient Military Systems defines Cyber Threat as:
“The cyber threat is characterized in terms of three classes of increasing sophistication: those practitioners who rely on others to develop the malicious code, those who can develop their own tools to exploit publicly known vulnerabilities as well as discovering new vulnerabilities, and those who have significant resources and can dedicate them to creating vulnerabilities in systems.”
Threat Intelligence should then provide:
Understanding of motivation, intents, and capabilities of attackers; and
Detailed specifics on tactics, techniques, and procedures utilized.
5. How will Cyber Threat intelligence enable business?
Make effective decisions with actionable information
Save man-hours with automation – data collection, analysis, and usage
Control risk, detect problems, and prioritize remediation supported by reliable data
Validate existing policies and controls
Demonstrate ROI – align expenses with business objectives
6. Where do you collect the information from?
Internal – SIEM, Helpdesk, Incidents, Business direction and priorities (M&A etc.), monitoring blind spots on the network, Honeypots
External – four source categories (slide diagram):
Public: OSINT (using Maltego, Shodan, metagoofil etc.), Pastebin, Google, Facebook etc.
Commercial: Cyveillance, Dell, iSIGHT, Mandiant, RSA, Verisign, Verizon, AT&T, Fox-IT etc.
Government: US-CERT, InfraGard, FBI, DHS
Industry Community: FS-ISAC, NH-ISAC, ES-ISAC, REN-ISAC
7. What’s the first step after gathering information?
Categorize the collected information (slide diagram):
Methods and modes
Metadata
Threat vectors
Threat sources
IP and hosts
Exploit modules
Logs
Indicators of compromise (IOC)*
Geo
*Indicators of compromise (IOC) – forensic artifacts of an intrusion that can be identified on a host or network
Diagram axes: Learn and Adapt / React; Human aspect / Machine aspect
8. What would you do with intelligence?
Identify Indicators of Compromise (IOCs)[forensic artifacts of an intrusion that can be identified on a host or network]
Create machine-consumable information – notable frameworks: OpenIOC, CybOX, IODEF
Perform accurate detection across the enterprise
Conduct a kill-chain based analysis to respond appropriately
Map the findings/possible effects to business priorities/activities
Develop strategic information for the senior leadership and decision makers
9. Some examples of threat intelligence
Host-Based
•Mutexes
•File names
•File hashes
•Registry keys
Network-Based
•IP addresses & address ranges
•Internet Domains
•AS Numbers
Behavioral
•Adversary tactics
•Attack techniques
•Compromise procedures
Actor-based
•Malicious actors, organizations, and nation states
•Cyber attack campaigns
React and recover
Learn and adapt
11. How do you put actionable intelligence (OpenIOC) to use?
IOC Editor: allows users to create IOCs in XML format.
Redline: provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile.
Investigation process (slide diagram, fed by the intelligence sources):
Create IOC – Network IOC, Host IOC
Deploy IOC – SIEM, IPS, End-point tools
Identify potential compromise
Preserve evidence – Forensic image, System state, Logs
Analyze data – Malware analysis, log analysis
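Slides 8 and 11 describe creating machine-consumable IOCs (OpenIOC XML) and deploying them to detect compromise. The following evaluator is an added example, not code from the deck or from Mandiant's IOC Editor/Redline: it parses an OpenIOC 1.0 definition with nested AND/OR indicators and checks it against host artifacts. The IOC, its ids and hash, and the host observations are constructed samples; the search paths follow OpenIOC 1.0 naming (FileItem/Md5sum, FileItem/FileName, RegistryItem/Path).

```python
import xml.etree.ElementTree as ET
NS = "{http://schemas.mandiant.com/2010/ioc}"

# Constructed OpenIOC 1.0 definition (not a real IOC): match a known file hash,
# OR a dropper file name together with a persistence registry key.
SAMPLE_IOC = r"""<ioc xmlns="http://schemas.mandiant.com/2010/ioc" id="example-0001">
  <definition>
    <Indicator operator="OR" id="i1">
      <IndicatorItem id="ii1" condition="is">
        <Context document="FileItem" search="FileItem/Md5sum" type="mir"/>
        <Content type="md5">0123456789abcdef0123456789abcdef</Content>
      </IndicatorItem>
      <Indicator operator="AND" id="i2">
        <IndicatorItem id="ii2" condition="contains">
          <Context document="FileItem" search="FileItem/FileName" type="mir"/>
          <Content type="string">svchost_update</Content>
        </IndicatorItem>
        <IndicatorItem id="ii3" condition="contains">
          <Context document="RegistryItem" search="RegistryItem/Path" type="mir"/>
          <Content type="string">CurrentVersion\Run</Content>
        </IndicatorItem>
      </Indicator>
    </Indicator>
  </definition>
</ioc>"""

def item_matches(item, host):
    """One IndicatorItem: Content vs. host values at its Context search path."""
    search = item.find(NS + "Context").get("search")
    content = item.find(NS + "Content").text.lower()
    cond = item.get("condition")
    return any((cond == "is" and v.lower() == content) or
               (cond == "contains" and content in v.lower())
               for v in host.get(search, []))

def indicator_matches(ind, host):
    """Recursively combine children with the node's AND/OR operator."""
    results = [item_matches(c, host) if c.tag == NS + "IndicatorItem"
               else indicator_matches(c, host) for c in ind]
    combine = all if ind.get("operator", "OR").upper() == "AND" else any
    return bool(results) and combine(results)  # empty indicator never matches

def evaluate_ioc(ioc_xml, host):
    """True when collected host artifacts satisfy the IOC's top-level Indicator."""
    root = ET.fromstring(ioc_xml)
    return indicator_matches(root.find(NS + "definition/" + NS + "Indicator"), host)

# Constructed host artifacts keyed by OpenIOC search path (sample data only).
HOST_SUSPECT = {"FileItem/FileName": ["svchost_update.exe"],
                "RegistryItem/Path": [r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\upd"]}
```

In practice the host dictionary would be filled from endpoint collection (file listings, registry exports, process handle lists), and an empty or partial artifact set must never produce a match, which is why an indicator with no evaluated children returns False.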
12. Therefore threat intelligence should be a business priority because it:
Is a capability, not a product
Builds on a diverse foundation of people, processes, and technology
Provides actionable information on the tactics, techniques, and procedures (TTP) of adversaries
Allows effective response by identifying and analyzing indicators of compromise
Enables forward thinking (proactive vs. reactive approach)
13. So what are the next steps?
Phase 1: Develop Foundation (month 0-6)
•Make threat intelligence a business priority; allocate budget and resources
•Define program objectives
•Determine the current state of critical capabilities for a “build vs. buy” decision (e.g. malware analysis, traffic analysis, intrusion detection, legal processes, SIEM)
•Create traffic and host baselines
•Conduct resource training
•Identify external sources that you plan to use
Phase 2: Formalize Course (month 6-12)
•Develop a framework to consume sources and generate threat intelligence – people, process, technology
•Formalize roles and responsibilities
•Pilot the framework with select intelligence sources
•Decide the external and internal information sharing strategy
Phase 3: Road to Maturity (month 12-24)
•Modify the framework to consume all intelligence sources
•Start sharing information across the supply chain
•Demonstrate ROI based on the threats averted
•Report metrics based on the established baselines