
Welcome to the world of Cyber Threat Intelligence

Title: Welcome to the world of Cyber Threat Intelligence!


Abstract: Welcome to the world of Cyber Threat Intelligence (CTI)! During this presentation, we will discuss some of the basic concepts within the CTI domain and have a look at the current threat landscape as observed from the trenches. The presentation is split into 3 parts: a) Intro to CTI, b) A view at the current threat landscape, and c) CTI analyst skillset.


Short Bio: Andreas Sfakianakis is a Cyber Threat Intelligence and Incident Response professional and works for Standard and Poor's CTI team. He is also a member of ENISA's CTI Stakeholders' Group and Incident Response Working Group. He is the author of a number of CTI reports and an instructor of CTI. In the past, Andreas has worked within the Financial and Oil & Gas sectors as well as an external reviewer for the European Commission. Andreas' Twitter handle is @asfakian and his website is www.threatintel.eu


  1. Welcome to the world of Cyber Threat Intelligence! Andreas Sfakianakis - Guest Lecture at DTU - 27/04/2021 (Image: EclecticIQ)
  2. whoami
     • CTI Lead EMEA @ S&P Global
     • CTI @ Financial and Oil & Gas sectors
     • ENISA, FIRST.org, SANS, European Commission
     • Twitter: @asfakian
     • Website: www.threatintel.eu
  3. Outline
     • Intro to CTI
     • A view at the Threat Landscape
     • CTI Analyst Skillset
     References for this lecture can be found here: https://threatintelblog.files.wordpress.com/2021/04/dtu_cti_101_andreas_sfakianakis_references.pdf
  4. Intro to Cyber Threat Intelligence (Image: Katie Nickels)
  5. How old is Cyber Threat Intelligence?
  6. When everything started in CTI!
  7. From Intelligence to Cyber Threat Intelligence. Reference:
  8. CTI, IR and SecOps (Reference: EclecticIQ)
     Adoption: CTI - Early adoption phase; IR - Mainstream since ~2010; SecOps - Mainstream since ~2005
     Focus: CTI - External threat monitoring; IR - Security incidents and risk escalation; SecOps - Notable security event monitoring
     Best practices: CTI - Evolving best practices; IR - Mature best practices; SecOps - Mature best practices
     Technology enablement: CTI - Evolving technology enablement; IR - Mature technology enablement; SecOps - Mature technology enablement
  9. Timeline of important events in CTI history
     • 1989 Cuckoo's Egg
     • 2009 Operation Aurora
     • 2010 Stuxnet
     • 2011 LM Kill Chain
     • 2013 APT1 Report
     • 2013 Pyramid of Pain
     • 2013 Snowden Leaks
     • 2014 Heartbleed
     • 2015 ATT&CK
     • 2016 The Shadow Brokers / US Elections
     • 2017 WannaCry / Petya
     Annotations on the timeline: "APT Becomes Mainstream", "Wider CTI Adoption"
  10. CTI Hype Cycle. Reference: We are here!
  11. How would you consume or generate (cyber threat) intelligence?
  12. Reference: Joe Slowik
  13. Repeat after me
  14. Let me introduce you to the intelligence cycle. All models are wrong, but some are useful (especially within corporate environments)
  15. Intelligence Direction - We are here!
  16. Questions to be answered
     • How do you identify which threats are relevant to your organisation?
     • How do you prioritize which threats to spend time on?
     • Has your CTI team identified and connected with its stakeholders?
     • How does your analysis bring value to Cyber Defence and your organisation?
     "CTI teams should not do intelligence for intelligence's sake; it costs money and time"
  17. Intelligence Requirements (Reference: Sergio Caltagirone)
     • Intelligence requirements are enduring questions that consumers of intelligence need answers to.
     • Answer critical questions intelligence customers care about (not what YOU care about).
  18. CTI Focus and Stakeholders (https://www.youtube.com/watch?v=kGqnCR6XOhQ)
     • Tactical Intelligence: Security Engineering, SOC Team
     • Operational Intelligence: Incident Responders, Threat Hunters, Vulnerability Management, Red Team, Fraud Team, Sys Admins, IT Managers
     • Strategic Intelligence: C-Suite / Executives, Group Security, Risk Managers, Business Stakeholders, Regional Stakeholders, IT Architects
  19. Reference: Katie Nickels
  20. A Simple Threat Model (Reference: SANS)
  21. Intelligence Collection - We are here!
  22. Where would you go to collect data for cyber threat intelligence?
  23. Intelligence Collection Sources (Reference: Scott J Roberts, https://medium.com/@sroberts/intelligence-collection-priorities-a80fa3ed73cd)
     • Internal Security Incident Data ("Listen to your enemy, for God is talking." ~ Jewish Proverb)
     • Internal Log Data Lake
     • Internal Stakeholders
     • Corporate Security/Business
     • Vendor Reports
     • Sharing Communities, ISACs
     • Governmental Sources
     • OSINT
     • IOC Feeds
  24. Intelligence Processing - We are here!
  25. Data versus Intelligence (Reference: Joint Publication 2-0)
     • Data is a piece of information, a fact, or a statistic. Data is something that describes something that is.
     • Intelligence is derived from a process of collecting, processing, and analyzing data.
     • The difference between data and true intelligence is analysis.
  26. Threat Intelligence Platforms
     • Open Source: 2012 MISP, 2012 CIF, 2014 CRITs, 2015 Threat Note, 2016 MineMeld, 2017 Yeti, 2018 OpenCTI
     • Community Exchange Platforms: 2012 MISP, 2012 AlienVault OTX, 2015 Micro Focus Threat Central, 2015 IBM X-Force Exchange, 2015 Facebook Threat Exchange
     • Commercial: 2013 ThreatConnect, 2013 Anomali, 2014 EclecticIQ, 2015 ThreatQuotient, 2016 TruSTAR, 2016 Cyware, 2018 Analyst1
  27. The Analyst's Dream: Data Into Buckets
  28. Intrusion Analysis Frameworks 101
     • Kill Chain
     • Diamond Model
     • ATT&CK Framework
  29. Diamond Model of Intrusion Analysis: Malware, TTPs, Domains, IP addresses, Email addresses, Systems targeted, People targeted, Sectors targeted, Personas, Human fingerprints
  30. Intelligence Analysis - We are here!
  31. Cognitive Biases
  32. Overcoming Biases
  33. Intelligence Dissemination - We are here!
  34. Collection -> Analysis -> ? -> ACTION (Reference: Christian Paredes)
  35. Reference: Amy Bejtlich
  36. Words of Estimative Probability
  37. TLP (Traffic Light Protocol)
  38. Intelligence Feedback - We are here!
  39. Wrapping up
     • From intelligence to CTI
     • Intelligence cycle
     • Basic CTI concepts and frameworks
  40. End of the 1st part of the presentation. Questions?
  41. A view at the Threat Landscape
  42. The human behind the keyboard
  43. Ransomware
  44. Ransomware Trends
     • Target is the whole organisation
     • Data exfiltration before ransomware payload
     • Public shaming sites
     • Cold-calling victims
     • Ransomware cartels
     • Interconnected cybercrime ecosystem
     • The role of insurance companies
     • OFAC guidance on ransom payment
  45. How much is the average ransom payment?
  46. How long does it take to get ransomwared?
  47. Reference: DFIRReport
  48. As a network defender, how can you detect and respond to ransomware?
  49. State Sponsored Threat Groups
  50. What does the term APT mean?
  51. APT (Reference: Recorded Future)
     • Advanced
     • Persistent
     • Threat
     2010: APT goes mainstream
  52. When everything started! (version 2)
  53. External Threat Intelligence Services, Q4 2020 (Source: Forrester)
  54. I see threat intelligence reports... Threat intelligence reports everywhere
  55. Bears, Pandas, Kittens and the rest
  56. FireEye APT Groups
     • FireEye's list of sophisticated actors and naming conventions looks like this:
       • APT0-27, 30/31, 40/41 = China
       • APT28/29 = Russia
       • APT32 = Vietnam
       • APT33/34/35/39 = Iran
       • APT36 = Pakistan
       • APT37/38 = North Korea
     • >2k UNC threat groups
  57. CrowdStrike APT Groups (*Adversary map from 2014)
  58. Reference: Joe Slowik
  59. How do states do attribution? What sources do they use?
  60. On attribution
     • Type of attribution: Person? Organisation? Country? Threat group?
     • Technology enablement
     • False flags
     • Usage of open-source offensive tools
  61. APT Research
  62. Geopolitics and Cyber
     • Adversary intent
     • Geopolitical signaling
     • Geopolitical shaping
  63. Wrapping up
     • Ransomware threat
     • State sponsored threats
     • Threat group tracking
  64. CTI Analyst Skillset
  65. Reference: Henry Jiang
  66. CTI Analyst Skillset. Reference:
  67. Cyber Threat Intel Analyst Tradecraft. Reference:
  68. Threat Intelligence Paths (Reference: Amy Bejtlich): Law Enforcement, National Security, Military Intelligence, Journalism, Data Science, Cybersecurity
  69. Maintaining External Situational Awareness
     • RSS Aggregator (e.g., Feedly, Inoreader)
     • Twitter (plus Twitter lists)
     • Nuzzel
     • Reddit
     • Podcasts (e.g., CyberWire)
     • Newsletter Team (e.g., TC Dragon News Bytes)
     • Strategic sources (e.g., Economist, CFR, etc.)
     • Weekly Summaries (e.g., This Week in 4n6)
     • Threat Intelligence Reports
     • ISACs
     • Trust Groups (e.g., Slack channels, mailing lists)
     • Threat Intelligence vendors
  70. Maintaining Internal Situational Awareness
     • Incident ticketing system
     • Phishing campaigns
     • Signature hits and alerts
     • Failed intrusions
     • Hunting/red team findings
     • Critical vulnerabilities
     • Business strategy and updates
     • Internal events
  71. Continuous Education
     • Self-initiated
     • CTFs
     • Academic programs
     • Certifications
     • Online training material
     • Conferences
     • Books
     • Audiobooks
  72. If you're gonna read 2 articles… (https://medium.com/@likethecoins)
     • A Cyber Threat Intelligence Self-Study Plan: Part 1
     • FAQs on Getting Started in Cyber Threat Intelligence
  73. Wrapping up
     • Lifelong learner
     • Communication skills are critical
     • Be part of the community
     • Try different CTI perspectives
  74. Final Thoughts
     • Remember the process of the intelligence cycle
     • Discussion on the evolving cyber threat landscape: major cybercrime and state sponsored threats
     • Diverse skillset of the CTI analyst
  75. Thank you! Andreas Sfakianakis, @asfakian, threatintel.eu. References for this lecture can be found here: https://threatintelblog.files.wordpress.com/2021/04/dtu_cti_101_andreas_sfakianakis_references.pdf
