
Security Strategy and Tactic with Cyber Threat Intelligence (CTI)


Implications to the Cyber World
Cyber Attacks
Dos & DDOS
Logical Attacks on ATM's
Subtypes of Cyber Threat Intelligence



Published in: Technology

Security Strategy and Tactic with Cyber Threat Intelligence (CTI)

  1. Reinhold Wochner, MSc., MBA, Raiffeisen Bank International: Cyber Threat Intelligence
  2. Who are we? No kangaroos: Austria
  3. History (last 30 years)
  4. Risk Map 2016 (https://riskmap.controlrisks.com)
  5. Implications: Maydan, Nov. 2013; Crimea, Feb. 2014; Donbass, March 2014
  6. Implications to the Cyber World
  7. Cyber implications: Maydan, Nov. 2013; Crimea, Feb. 2014; Donbass, March 2014; Ivano-Frankivsk, Dec 2015
  8. 23 December 2015
  9. Cyberattacks: attacks against the Ukrainian ICS (industrial control system) networks
  10. Attacks in Ukraine started to spread to other sectors
  11. Hijacking of CCTV; takeover of electronic billboards
  12. DoS & DDoS: Ukrainian Members of Parliament have had their mobile phones disabled by IP-based attacks; multiple distributed denial of service attacks by Ukrainian hackers directed at the Central Bank of Russia; DDoS attacks against governmental infrastructure
  13. Logical attacks on ATMs in this area: logical attacks on ATMs are on the rise in Russia and Ukraine (http://krebsonsecurity.com/wp-content/uploads/2014/10/ncrmalware.png/)
  14. Cyber arms race has started: a lot of cybersecurity knowledge is created in this region (http://www.tripwire.com/state-of-security/government/32-people-charged-for-one-of-the-largest-computer-hacking-and-securities-fraud-schemes-in-history/). Security start-up companies; international providers of CTI services create branches in this region to make use of the talents with professional skills. New attack methods (+), new threat actors (-)
  15. How can Cyber Threat Intelligence help your company?
  16. Cyber Threat Intelligence in action - example POS: time to react improves with CTI. (Real examples, but dates, threat actor names and locations have been changed.)
     CTI provider warnings, 2014-2016:
     - April 1, 2014 (Intel-134332): Mexican actors modify POS terminals installed in La Paz stores
     - November 11, 2014 (Intel-1344337): French actors arrested for possession of skimming equipment
     - November 25, 2014 (Intel-1495303): Actors selling skimming software targeting POS malware
     - April 22, 2015 (Intel-1549023): Actor advertising POS terminal manipulation software
     - July 30, 2015 (Intel-1575086): Observed increases in POS malware use in Australia
     - January 4, 2016 (Intel-1712383): CTI provider suggests actors turning to POS malware over skimmers because it can increase profitability and security
     - May 30, 2016 (Intel-127504): POS malware with RAM scraping functionality advertised in underground markets
     - June 15, 2016 (Intel-1877630)
     Bank actions (early warning, preparation, inflection point):
     - Implementation of new controls (people, process, technology)
     - Bolster protection, detection and response capabilities
     - Communicate "over the horizon" threats with the business, BoD and business executives
     - Continued monitoring of new cyber crime threat tactics
     - Assess existing controls against new POS-related tactics, techniques and procedures (TTPs)
     - Build plan, develop budget
     - Make budget request to match new threat reality
     - Attack hits the bank; security starts mitigating
  17. Cyber Threat Intelligence in action - example POS: time to react improves with CTI (the same timeline of CTI provider warnings and bank actions, shown without the annotations)
  18. BlackEnergy attack timeline: still investigating / low chance of finding; 2007 for BE-1; 2012 for BE-2; 2014 for BE-3; April 2015; October 24-25: media; December 2015: energy (https://socprime.com/en/blog/dismantling-blackenergy-part-3-all-aboard/)
  19. General CTI goals - improve the detection gap! Have we been breached?
  20. General CTI goals - improve the response gap! How bad is it?
  21. General CTI goals - improve the prevention gap! Can we keep this from happening again?
  22. Subtypes of Cyber Threat Intelligence - Strategic. Deliverables: high-level reports on changing risk. Why we need it: understand tendencies and new threats. Targeted at: management; decision makers (CEO, COO, CRO, CSO, CISO, CIO, CFO, etc.)
  23. Subtypes of Cyber Threat Intelligence - Strategic:
     - Quality of strategic CTI reports: look at example reports and check if they add value to update your security strategy
     - Optimize your security budget planning and prioritization
     - Can the CTI provider customize the report to your business needs?
     - Are there strategic CTI reports on special security topics (e.g. ATM or POS)?
     - What preparation time does the analyst need?
     - What is the quality of the analyst access? Can he speak financial language?
  24. Subtypes of Cyber Threat Intelligence - Tactical. Deliverables: attacker methodologies, tools, tactics, techniques and procedures (TTPs); malware analysis; incident reports. Why we need it: react to the exact threat. Targeted at: COO, CSO, CISO; architects; sysadmins
  25. Tactical:
     - What are the criteria to determine the cyber threat level? Can the provider map his criticality classes to your classification?
     - During the POC: could the historical data have warned of breaches of customer data or internal documents?
     - How is the information processed and analyzed? Is it really intelligence that you get?
     (Diagram: sources - detection data, public source data, commercial data, operational environment data - pass through collection and quality assurance to become information, then intelligence, then dissemination and action for stakeholder value. Intelligence qualities: sources validated for credibility and relevance, alternatives considered, accurate target group, gaps understood, leadership focused, collaboration, usable/actionable, credible, clear, concise, complete, relevant, timely, accurate.)
  26. Tactical: check the quality of tactical reports!
  27. Subtypes of Cyber Threat Intelligence - Operational. Deliverables: actionable information on a specific incoming attack from news sources, social media, chat rooms, business contacts, official sources, data breach notifications. Why we need it: adapt risk analysis; react to the exact threat. Targeted at: security officers; security architects
  28. Operational:
     - Can you easily change the CTI provider (CTI Provider A, B, C)?
     - Does the CTI provider support secure M2M communication for sensitive information exchange (both directions)?
     - Can you integrate the information exchange in your Security Management System?
  29. Subtypes of Cyber Threat Intelligence - Technical. Deliverables: attacker methodologies, tools, tactics, techniques and procedures (TTPs); malware analysis; incident reports. Why we need it: react to the exact threat. Targeted at: CISO; architects; sysadmins
  30. Technical:
     - What is the quality of the information provided?
     - Data feeds (e.g. IOCs): are important fields in standard formats missing, or is the information in the wrong field?
     - Is the information outdated or already publicly known?
     - Is your SIEM system capable of consuming the CTI data coming from the CTI provider?
     - Is there a possibility for information enrichment?
     - Is there content-based image recognition to protect the company's brands?
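The feed-quality questions on the technical slide (fields missing, values in the wrong field, outdated indicators, SIEM able to consume the data) can be checked mechanically before a feed is loaded. The following Python is an added example, not code from the presentation or from RBI; the field names, indicator types, the 30-day staleness threshold and the sample feed are assumptions, and the sample values are constructed from documentation address ranges.

```python
import ipaddress
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2016, 6, 15, tzinfo=timezone.utc)  # assumed reference time for the constructed feed
REQUIRED = ("type", "value", "first_seen", "confidence")  # assumed fields the SIEM parser needs
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^([a-z0-9-]{1,63}\.)+[a-z]{2,}$")

def value_matches_type(ioc_type, value):
    """True if the value is plausibly of the declared indicator type."""
    v = value.strip().lower()
    if ioc_type == "ipv4":
        try:
            return isinstance(ipaddress.ip_address(v), ipaddress.IPv4Address)
        except ValueError:
            return False
    if ioc_type == "sha256":
        return bool(SHA256_RE.match(v))
    if ioc_type == "domain":
        return bool(DOMAIN_RE.match(v))
    return False  # unknown type: the SIEM would not know how to route it

def check_indicator(ioc, now=NOW, max_age_days=30):
    """Return defect labels for one indicator; an empty list means it is loadable."""
    defects = [f"missing:{f}" for f in REQUIRED if ioc.get(f) in ("", None)]
    if "type" in ioc and "value" in ioc and not value_matches_type(ioc["type"], str(ioc["value"])):
        defects.append("wrong_field")  # e.g. an IP address sitting in the domain field
    ts = ioc.get("first_seen")
    if ts:
        try:
            seen = datetime.fromisoformat(str(ts).replace("Z", "+00:00"))
            if now - seen > timedelta(days=max_age_days):
                defects.append("stale")  # outdated, probably already public knowledge
        except ValueError:
            defects.append("bad_timestamp")
    return defects

# Constructed sample feed (hypothetical values, not real indicators).
SAMPLE_FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "first_seen": "2016-06-10T00:00:00Z", "confidence": 80},
    {"type": "domain", "value": "203.0.113.9", "first_seen": "2016-06-12T00:00:00Z", "confidence": 60},
    {"type": "sha256", "value": "a" * 64, "first_seen": "2015-01-01T00:00:00Z", "confidence": 90},
    {"type": "ipv4", "value": "198.51.100.4", "first_seen": "2016-06-14T00:00:00Z"},
]
def triage_feed(feed, now=NOW):
    """Split a feed into (loadable, rejected); rejected entries carry their defect labels."""
    ok, rejected = [], []
    for ioc in feed:
        defects = check_indicator(ioc, now)
        (rejected if defects else ok).append((ioc, defects))
    return ok, rejected
```

Rejected entries with their labels are what you would send back to the provider during a POC; the loadable ones are what the SIEM connector ingests.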
  31. Project outcome: creation of a CTI Competence Center. CTI Competence Center in our Ukraine bank for RBI Group: improve the CTI maturity level in the group; maintain awareness of RBI NWUs about new and sophisticated targeted attacks and threats; support RBI NWUs in integrating CTI feeds into security systems (IOC Hub); central overview of Cyber Threat Intelligence in the RBI Group; develop and establish a CTI service governance process
  32. If you are a global organization, use local advantages
  33. CTI seen from the C-suite: 1. Protect the company brands; 2. Prioritize real threats relevant to the enterprise; 3. Influence right budgeting and staffing; 4. Prevent and predict evolving cyber threats; 5. Effective cyber risk communications with top executives and board members by Security; 6. Better focus for the CISO (more time to tackle the problems from a strategic and not from a reactive perspective). Security maturity model: ad hoc, opportunistic, repeatable, managed, optimized; predictions and prioritizations enabled by CTI
  34. Reinhold Wochner, MSc., MBA, CRISC, CRMA, CISM, CGEIT, CISSP, CISA, speaker.wochner@web.de. Thank you
