Andreas Sfakianakis
CTI Professional
Image from heritage-history.com
Image from lapeceradepinocho.blogspot.com
§ CTI and IR professional in Financial and Oil & Gas sectors
§ External Expert for ENISA and European Commission
§ Member of ENISA CTI Stakeholder Group
§ Member of PC for FIRST CTI Symposium 2019 & 2020
§ Get in touch: @asfakian / Website: www.threatintel.eu
References for this presentation: http://bit.ly/enisa_nis_2019
tilting at windmills
FORTH Alumni
ENISA Trainee
ENISA NIS Summer School (x4)
§Original authors are referenced within the slide deck.
§References for this presentation: https://bit.ly/enisa_nis_2019
§Views are my own and not my employer’s
§Setting the scene
§Intelligence requirements
§Examples
§Conclusions
Image from hp-comic.com
Language matters. Narrative matters. Framing matters.
People exist in and live by stories.
@treyka
Image from gatewaytotheclassics.com
Image from azquotes.com
Timeline (milestones shown on the slide):
1989 Cuckoo's Egg
2009 Operation Aurora
2010 Stuxnet
2011 Kill Chain
2013 APT1 Report
2013 STIX 1.0
2013 Snowden Leaks
2014 Heartbleed
2015 ATT&CK
2016 TSB
2017 WannaCry / Petya
Annotations on the timeline: "APT Becomes Mainstream", "CTI Adoption"
Cyber Threat Intelligence: Adoption: early adoption phase; Focus: external threat monitoring; Best practices: evolving best practices; Technology enablement: limited technology enablement.
Incident Response: Adoption: mainstream since ~2010; Focus: security incidents and risk escalation; Best practices: mature best practices; Technology enablement: mature technology enablement.
Security Operations: Adoption: mainstream since ~2005; Focus: notable security event monitoring; Best practices: mature best practices; Technology enablement: mature technology enablement.
Reference:
We are here!
This will be a marvelous day for adventure, Sancho
Image from imgbin.com
Reference:
Image from wikimedia.org
We are here!
Intelligence is a product and a process!
§ How do CTI teams identify which threats are relevant to their
organisations and how to prioritize them?
§ Have CTI teams identified and connected with their stakeholders?
§ Have CTI teams captured the intelligence requirements of their
stakeholders?
§ How do CTI teams contribute towards the utmost goal of
organisational risk reduction?
§“CTI teams should not do intelligence for intelligence’s sake, it costs
money and time” - Lauren Zabierek
Tactical Intelligence: Security Engineering, SOC Team
Operational Intelligence: Incident Responders, Threat Hunters, Vulnerability Management, Red Team, Fraud Team, Sys Admins, IT Managers
Strategic Intelligence: C-Suite / Executives, Group Security, Risk Managers, Business Stakeholders, Regional Stakeholders, IT Architects
“Any subject, general or specific, upon which
there is a need for the collection of
information, or the production of intelligence.”
DOD Joint Pub 2-0
https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2_0.pdf
§ Intelligence requirements are enduring questions that consumers of intelligence need answers to.
§ Answer the critical questions your intelligence customers/stakeholders care about (not what YOU care about).
Reference:
Sergio Caltagirone
Reference:
Michael Rea
We are here!
Intelligence requirements drive the collection and production phases of the intelligence cycle: without them there is nothing to collect against and no product to shape.
Reference:
SANS
PIRs (Priority Intelligence Requirements) are the intelligence requirements that are seen as critical to accomplishing the mission.
If every requirement is critical then no requirement is critical.
https://fas.org/irp/doddir/army/fm34-2/Appd.htm
§ Past Incident Based Requirements
§ Business Plan Based Requirements
§ Geographic Based Requirements
§ Technology Based Requirements
§ Vertical Based Requirements
Reference:
Scott J Roberts
https://medium.com/@sroberts/cti-squadgoals-setting-requirements-41bcb63db918
§High Level / Strategic Requirements
§Functional / Operational Requirements
§Visibility / Technical Requirements
https://www.first.org/resources/papers/london2019/1430-1500-Your-Requirements-are-Not-My-Requirements-Speaker-Pasquale-Stirparo.pdf
Reference:
Pasquale Stirparo
§Characteristics of intelligence requirements
§Update and communicate intelligence requirements
§Ad hoc requirements
§Documented and signed off
§ Intelligence collection driven by intelligence requirements
§ Threat relevancy
§ Shaping of the intelligence product(s)
§ Business value and other metrics
§ Traceability on resources and staffing
Intelligence cycle phases: Direction, Collection, Analysis, Dissemination, Feedback
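The bullets above say that collection should be driven by documented, signed-off requirements and that resources should be traceable to them. The following is an added example (not code from the slide deck or any of the referenced talks) of a minimal requirements register that applies those rules: it checks each requirement for a recorded decision, a usable-by timeframe, a tasked source and stakeholder sign-off, refuses to let every requirement be "critical", and lists collection sources that serve no requirement. All requirement texts, stakeholder names and source names are constructed for illustration.

```python
"""Intelligence-requirements register with quality and traceability checks.

Added example, not from the slide deck. Requirement texts, stakeholders and
source names are constructed; a real register would live in a TIP or tracker.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class IntelRequirement:
    rid: str
    question: str        # the enduring question a stakeholder needs answered
    stakeholder: str     # who consumes the answer
    decision: str        # the ONE decision the answer supports ("" = none recorded)
    timeframe_days: int  # usable-by window; 0 = not captured
    priority: bool       # stakeholder flagged this as a PIR
    sources: Set[str] = field(default_factory=set)  # collection sources tasked
    signed_off: bool = False                          # documented and signed off


def quality_issues(req: IntelRequirement) -> List[str]:
    """Mechanical checks only; 'singular' and 'specific' still need a human review."""
    issues = []
    if not req.decision:
        issues.append("not decision centric: no decision recorded")
    if req.timeframe_days <= 0:
        issues.append("not timely: no usable-by timeframe captured")
    if not req.sources:
        issues.append("not answerable: no collection source tasked")
    if not req.signed_off:
        issues.append("not documented: stakeholder has not signed off")
    return issues


def select_pirs(reqs: List[IntelRequirement], max_share: float = 0.5) -> List[str]:
    """Return PIR ids; if more than max_share of requirements are 'critical',
    none really is, so force a re-prioritisation instead of accepting the list."""
    pirs = [r.rid for r in reqs if r.priority]
    if reqs and len(pirs) / len(reqs) > max_share:
        raise ValueError(f"{len(pirs)}/{len(reqs)} requirements flagged critical; re-prioritise")
    return pirs


def collection_traceability(reqs: List[IntelRequirement],
                            available_sources: Set[str]) -> Dict[str, Set[str]]:
    """Map sources to requirements in both directions."""
    tasked = set().union(*(r.sources for r in reqs)) if reqs else set()
    return {
        # paid for and staffed, but serving no requirement: intelligence for its own sake
        "orphan_sources": available_sources - tasked,
        # requirements nobody is actually collecting against
        "uncovered_requirements": {r.rid for r in reqs if not (r.sources & available_sources)},
        # tasked in the register but absent from the source catalogue
        "unknown_sources": tasked - available_sources,
    }


# Constructed register (hypothetical requirements, not from the deck).
REQUIREMENTS = [
    IntelRequirement("IR-01", "Which vulnerabilities exploited in the wild affect our internet-facing estate?",
                     "Vulnerability Management", "emergency patch prioritisation", 7, True,
                     {"KEV feed", "vendor advisories"}, True),
    IntelRequirement("IR-02", "Which actors target oil & gas ICS environments in our regions?",
                     "Group Security", "OT segmentation investment", 90, True,
                     {"ISAC sharing", "commercial CTI"}, True),
    IntelRequirement("IR-03", "What phishing lures are hitting our sector this quarter?",
                     "SOC Team", "", 30, False),
    IntelRequirement("IR-04", "Is our new product IP being offered or discussed on criminal forums?",
                     "C-Suite / Executives", "go-to-market timing", 90, False,
                     {"dark web monitoring"}, True),
]
# Constructed source catalogue; "paste-site scraper" is not tasked by any requirement.
AVAILABLE_SOURCES = {"KEV feed", "vendor advisories", "ISAC sharing", "commercial CTI",
                     "dark web monitoring", "paste-site scraper"}


def review_register(reqs=REQUIREMENTS, sources=AVAILABLE_SOURCES) -> dict:
    return {
        "issues": {r.rid: quality_issues(r) for r in reqs if quality_issues(r)},
        "pirs": select_pirs(reqs),
        "traceability": collection_traceability(reqs, sources),
    }


if __name__ == "__main__":
    for key, value in review_register().items():
        print(key, value)
```

Running it reports IR-03 as the only requirement with issues (no decision, no source, not signed off), IR-01 and IR-02 as the PIRs, and the paste-site scraper as a source nobody has asked for, which is exactly the "traceability on resources and staffing" conversation the slide calls for.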
§ Seek feedback
§ Manage and educate your stakeholders
§ Use the right terms
§ Tell a story
§ Build your organisation’s threat model
[Diagram: "Your Organisation" with its crown jewels (Availability, Intellectual Property, ICS/SCADA) mapped against Adversary A, Adversary B and Adversary C]
Reference: SANS
Image from gatewaytotheclassics.com
Image from blocs.xtec.cat
§ Decision centric: aids ONE decision.
§ Singular: a strong requirement focuses on ONE question and only one question.
§ Specific: focuses on ONE activity/event/thing.
§ Timely: a requirement should capture the timeframe within which the intelligence is usable.
§ Answerable: using available assets and capabilities.
Reference: Scott J Roberts
§ "Will the enemy attack? If so, where, when, and in what strength?"
Reference:
Scott J Roberts
§ Production Requirement
§ Your company is going to market with a new revolutionary product in three months, the
Board wants to make sure all sensitive IP (from design docs/blueprints to marketing
campaigns, etc.) is not leaked or stolen.
§ What are our Intelligence Requirements?
https://www.first.org/resources/papers/london2019/1430-1500-Your-Requirements-are-Not-My-Requirements-Speaker-Pasquale-Stirparo.pdf
Reference:
Pasquale Stirparo
§ Production Requirement
§ What are the vulnerabilities that are currently being exploited in the wild and that we
should worry about? Are we protected against or can we detect them?
§ What are our Intelligence Requirements?
https://www.first.org/resources/papers/london2019/1430-1500-Your-Requirements-are-Not-My-Requirements-Speaker-Pasquale-Stirparo.pdf
Reference:
Pasquale Stirparo
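The second production requirement above has two halves: which exploited vulnerabilities are relevant to us, and are we protected against or able to detect them. The following is an added example (not from the slide deck or Stirparo's talk) of the relevancy check a CTI team would run to answer it: an "exploited in the wild" feed is intersected with the asset inventory, and each relevant CVE is scored by whether unpatched and internet-facing assets remain and whether a detection rule exists. The feed records, inventory, detection map and CVE identifiers are all constructed placeholders (the CVE-0000-* IDs are not real CVEs); in practice the feed would be something like a known-exploited-vulnerabilities catalogue and the inventory would come from your CMDB.

```python
"""Turning the 'exploited in the wild' requirement into a relevancy check.

Added example, not from the slide deck. All records below are constructed and
the CVE-0000-* identifiers are placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class ExploitedVuln:
    cve: str
    vendor: str
    product: str
    date_added: str    # ISO date the feed first listed the CVE as exploited


@dataclass(frozen=True)
class Asset:
    hostname: str
    vendor: str
    product: str
    internet_facing: bool
    patched: frozenset  # CVEs confirmed remediated on this asset


def _key(vendor: str, product: str) -> str:
    """Normalise vendor/product so feed and inventory spellings match."""
    return f"{vendor.strip().lower()}:{product.strip().lower()}"


def assess_exposure(feed: List[ExploitedVuln], inventory: List[Asset],
                    detections: Dict[str, Set[str]]) -> List[dict]:
    """For each exploited CVE in a product we run, report exposure and detection.
    CVEs for products not in the inventory are dropped as not relevant."""
    by_product: Dict[str, List[Asset]] = {}
    for asset in inventory:
        by_product.setdefault(_key(asset.vendor, asset.product), []).append(asset)

    findings = []
    for vuln in feed:
        assets = by_product.get(_key(vuln.vendor, vuln.product), [])
        if not assets:
            continue  # threat relevancy filter: we do not run this product
        unpatched = sorted(a.hostname for a in assets if vuln.cve not in a.patched)
        exposed = sorted(a.hostname for a in assets
                         if vuln.cve not in a.patched and a.internet_facing)
        rules = sorted(detections.get(vuln.cve, set()))
        # "protected" answers the first half of the requirement, "detectable" the second
        status = ("protected" if not unpatched
                  else "exposed-detectable" if rules
                  else "exposed-blind")
        findings.append({
            "cve": vuln.cve,
            "product": f"{vuln.vendor} {vuln.product}",
            "unpatched_assets": unpatched,
            "internet_facing_unpatched": exposed,
            "detection_rules": rules,
            "status": status,
        })

    # Worst first: exposed with no detection, then exposed but detectable, then protected;
    # within a status, more internet-facing unpatched hosts ranks higher.
    order = {"exposed-blind": 0, "exposed-detectable": 1, "protected": 2}
    findings.sort(key=lambda f: (order[f["status"]],
                                 -len(f["internet_facing_unpatched"]), f["cve"]))
    return findings


# Constructed feed (placeholder identifiers and vendors).
FEED = [
    ExploitedVuln("CVE-0000-0001", "ExampleVendor", "EdgeGateway", "2019-05-01"),
    ExploitedVuln("CVE-0000-0002", "ExampleVendor", "MailServer", "2019-05-03"),
    ExploitedVuln("CVE-0000-0003", "OtherVendor", "Router", "2019-05-04"),  # not in inventory
    ExploitedVuln("CVE-0000-0004", "ExampleVendor", "MailServer", "2019-04-20"),
]
# Constructed inventory.
INVENTORY = [
    Asset("gw-01", "ExampleVendor", "EdgeGateway", True, frozenset()),
    Asset("gw-02", "ExampleVendor", "EdgeGateway", False, frozenset({"CVE-0000-0001"})),
    Asset("mail-01", "examplevendor", "mailserver", True, frozenset({"CVE-0000-0004"})),
]
# Constructed detection coverage: CVE -> rule identifiers deployed in the SOC.
DETECTIONS = {"CVE-0000-0002": {"sigma-mail-exploit-attempt"}}


def run() -> List[dict]:
    return assess_exposure(FEED, INVENTORY, DETECTIONS)


if __name__ == "__main__":
    for finding in run():
        print(finding["status"], finding["cve"], finding["internet_facing_unpatched"],
              finding["detection_rules"])
```

The output is the answer the stakeholder asked for rather than a raw feed: the gateway CVE comes first because an internet-facing host is unpatched and nothing detects exploitation, the mail-server CVE is exposed but covered by a rule, the second mail-server CVE is fully patched, and the router CVE never appears because the organisation does not run that product.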
Dulcinea Watches as Don Quixote Wins Battles For Her
Image from elladocomicodedonquijote.wordpress.com
§ Identify your relevant stakeholders and get to know them
§ Connect with the business and enterprise risk management cycles
§ Better identify your organisation's operational environment
§ Get to know your organisation's crown jewels
§ Capture, document and utilise your intelligence requirements
§ Start the conversation
https://en.wikipedia.org/wiki/
Self-licking_ice_cream_cone
https://grammarist.com/idiom/tilting-at-windmills/
§ US Military - Joint Publication 2-0
§ SANS CTI Summit 2018 - I Can Haz Requirements? - Michael Rea
§ CTI SquadGoals: Setting Requirements - Scott J Roberts
§ SANS - Threat Intelligence: Planning and Direction - Brian Kime
§ SANS - Defining Threat Intelligence Requirements - Pasquale Stirparo
§ FIRST CTI 2019 - Your Requirements are Not My Requirements - Pasquale Stirparo
§ SANS CTI Summit 2018 - Intelligence Preparation of the Cyber Environment - Rob Dartnall
§ How to Build a Cyber Threat Intelligence Program - Mark Arena
References for this presentation: https://bit.ly/enisa_nis_2019
Sharing is caring!
ENISA NIS Summer School 2019
CTI Training on Intelligence Requirements - ENISA CTI Summer School 2019

  • 1. Andreas Sfakianakis CTI Professional Image from heritage-history.com Image from lapeceradepinocho.blogspot.com
  • 2. § CTI and IR professional in Financial and Oil & Gas sectors § External Expert for ENISA and European Commission § Member of ENISA CTI Stakeholder Group § Member of PC for FIRST CTI Symposium 2019 & 2020 § Get in touch: @asfakian / Website: www.threatintel.eu References for this presentation: http://bit.ly/enisa_nis_2019 tilting at windmills FORTH Alumni ENISA Trainee ENISA NIS Summer School (x4)
  • 3. §Original authors are referenced within the slide deck. §References for this presentation: https://bit.ly/enisa_nis_2019 §Views are my own and not my employer’s
  • 4. §Setting the scene §Intelligence requirements §Examples §Conclusions Image from hp-comic.com
  • 5. Language matters. Narrative matters. Framing matters. People exist in and live by stories. @treyka Image from gatewaytotheclassics.com
  • 8. CYBER THREAT INTELLIGENCE INCIDENT RESPONSE SECURITY OPERATIONS Adoption Early adoption phase Mainstream since ~2010 Mainstream since ~2005 Focus External threat monitoring Security incidents and risk escalation Notable security event monitoring Best practices Evolving best practices Mature best practices Mature best practices Technology enablement Limited technology enablement Mature technology enablement Mature technology enablement Reference:
  • 10. This will be a marvelous day for adventure,Sancho Image from imgbin.com
  • 13. We are here ! Intelligence is a product and a process!
  • 14. § How do CTI teams identify which threats are relevant to their organisations and how to prioritize them? § Have CTI teams identified and connected with their stakeholders? § Have CTI teams captured the intelligence requirements of their stakeholders? § How do CTI teams contribute towards the utmost goal of organisational risk reduction? §“CTI teams should not do intelligence for intelligence’s sake, it costs money and time” - Lauren Zabierek
  • 15. Tactical Intelligence: Security Engineering, SOC Team. Operational Intelligence: Incident Responders, Threat Hunters, Vulnerability Management, Red Team, Fraud Team, Sys Admins, IT Managers. Strategic Intelligence: C-Suite / Executives, Group Security, Risk Managers, Business Stakeholders, Regional Stakeholders, IT Architects.
  • 16. “Any subject, general or specific, upon which there is a need for the collection of information, or the production of intelligence.” DOD Joint Pub 2-0 https://www.jcs.mil/Portals/36/Documents/Doctrine/pubs/jp2_0.pdf
  • 17. § Intelligence requirements are enduring questions that consumers of intelligence need answers to. § Answer critical questions intelligence customers/stakeholders care about (not what YOU care about). Reference: Sergio Caltagirone
  • 18. Reference: Michael Rea. We are here! Intelligence requirements are really critical for the intelligence collection and production phases!!
  • 20. PIRs (Priority Intelligence Requirements) are the intelligence requirements that are seen as critical to accomplishing the mission. If every requirement is critical, then no requirement is critical. https://fas.org/irp/doddir/army/fm34-2/Appd.htm
  • 21. § Past Incident Based Requirements § Business Plan Based Requirements § Geographic Based Requirements § Technology Based Requirements § Vertical Based Requirements Reference: Scott J Roberts https://medium.com/@sroberts/cti-squadgoals-setting-requirements-41bcb63db918
  • 22. §High Level / Strategic Requirements §Functional / Operational Requirements §Visibility / Technical Requirements https://www.first.org/resources/papers/london2019/1430-1500-Your-Requirements-are-Not-My-Requirements-Speaker-Pasquale-Stirparo.pdf Reference: Pasquale Stirparo
  • 23. §Characteristics of intelligence requirements §Update and communicate intelligence requirements §Ad hoc requirements §Documented and signed off
  • 24. § Intelligence collection driven by intelligence requirements § Threat relevancy § Shaping of the intelligence product(s) § Business value and other metrics § Traceability on resources and staffing. Intelligence cycle phases shown on the slide: Collection, Analysis, Dissemination, Direction, Feedback.
  • 25. § Seek feedback § Manage and educate your stakeholders § Use the right terms § Tell a story § Build your organisation’s threat model
  • 28. § Decision-centric: aids ONE decision. § Singular: a strong requirement focuses on ONE question and only one question. § Specific: focuses on ONE activity/event/thing. § Timely: a requirement should capture the timeframe for usable intelligence. § Answerable: using available assets and capabilities. Reference: Scott J Roberts
  • 29. § "Will the enemy attack? If so, where, when, and in what strength?"
  • 35. § Production Requirement § Your company is going to market with a new revolutionary product in three months; the Board wants to make sure all sensitive IP (from design docs/blueprints to marketing campaigns, etc.) is not leaked or stolen. § What are our Intelligence Requirements? https://www.first.org/resources/papers/london2019/1430-1500-Your-Requirements-are-Not-My-Requirements-Speaker-Pasquale-Stirparo.pdf Reference: Pasquale Stirparo
  • 36. § Production Requirement § What are the vulnerabilities that are currently being exploited in the wild and that we should worry about? Are we protected against them, or can we detect them? § What are our Intelligence Requirements? https://www.first.org/resources/papers/london2019/1430-1500-Your-Requirements-are-Not-My-Requirements-Speaker-Pasquale-Stirparo.pdf Reference: Pasquale Stirparo
  • 37. Dulcinea Watches as Don Quixote Wins Battles For Her Image from elladocomicodedonquijote.wordpress.com
  • 38. § Identification of relevant stakeholders and get to know them § Connect with business and enterprise risk management cycles § Better identification of your organisation’s operational environment § Get to know your organisation's crown jewels § Capture, document and utilise your intelligence requirements § Start the conversation
  • 40. § US Military - Joint Publication 2-0 § SANS CTI Summit 2018 - I Can Haz Requirements? - Michael Rea § CTI SquadGoals—Setting Requirements - Scott J Roberts § SANS - Threat Intelligence: Planning and Direction - Brian Kime § SANS - Defining Threat Intelligence Requirements - Pasquale Stirparo § FIRST CTI 2019 - Your requirements are not my requirements - Pasquale Stirparo § SANS CTI Summit 2018 - Intelligence Preparation of the Cyber Environment - Rob Dartnall § Mark Arena - How to build a cyber threat intelligence program References for this presentation: https://bit.ly/enisa_nis_2019
  • 41. Sharing is caring! ENISA NIS Summer School 2019 Andreas Sfakianakis CTI Professional References for this presentation: https://bit.ly/enisa_nis_2019
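The production requirement on slide 36 ("which vulnerabilities exploited in the wild should we worry about, and can we detect them?") is the kind of question that slide 24 says should drive collection, threat relevancy and traceability. The following Python is an added example, not code from the slide deck or from any of the referenced authors: it captures two intelligence requirements derived from that production requirement (the wording, the requirement ids PIR-1/PIR-2, the stakeholders and decisions are assumed), answers them against a constructed "exploited in the wild" feed and a constructed asset inventory, and keeps the answer traceable to the stakeholder and decision it serves. All CVE ids, product names and hostnames are placeholders.

```python
# Added example (not from the ENISA slide deck). Turns the slide-36 production
# requirement into traceable intelligence requirements and answers them against
# constructed data. Every identifier below is a placeholder, not a real CVE or host.
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class IntelRequirement:
    """One requirement following the slide-28 criteria: one decision, one question,
    a stakeholder who owns the decision, and a validity window for timeliness."""
    rid: str
    question: str
    stakeholder: str
    decision: str
    valid_until: date


@dataclass(frozen=True)
class ExploitedVuln:
    """Constructed record in the shape of an 'exploited in the wild' feed entry."""
    cve: str
    product: str
    exploited_in_wild: bool
    detection_available: bool  # does the SOC already have a detection for it?


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    internet_facing: bool


# Requirements derived from the slide-36 production requirement (assumed wording).
REQUIREMENTS = [
    IntelRequirement("PIR-1", "Which vulnerabilities exploited in the wild affect products we run?",
                     "Vulnerability Management", "Emergency patch vs. normal patch cycle",
                     date(2019, 12, 31)),
    IntelRequirement("PIR-2", "For which of those exploited vulnerabilities do we lack detection?",
                     "SOC Team", "Order of the detection engineering backlog",
                     date(2019, 12, 31)),
]

# Constructed feed and asset inventory (placeholder identifiers, not real CVEs).
FEED = [
    ExploitedVuln("CVE-0000-0001", "Example VPN Gateway", True, True),
    ExploitedVuln("CVE-0000-0002", "Example Mail Server", True, False),
    ExploitedVuln("CVE-0000-0003", "Example CMS", True, False),           # product we do not run
    ExploitedVuln("CVE-0000-0004", "Example VPN Gateway", False, False),  # not exploited in the wild
]
ASSETS = [
    Asset("vpn-edge-01", "Example VPN Gateway", True),
    Asset("mail-01", "Example Mail Server", True),
    Asset("file-01", "Example File Server", False),
]


def relevant_exploited(feed, assets):
    """PIR-1: threat relevancy filter, exploited in the wild AND a product in our inventory."""
    products = {a.product for a in assets}
    return [v for v in feed if v.exploited_in_wild and v.product in products]


def detection_gaps(feed, assets):
    """PIR-2: relevant exploited vulnerabilities the SOC cannot yet detect."""
    return [v for v in relevant_exploited(feed, assets) if not v.detection_available]


# Each requirement id maps to the collection/analysis logic that answers it.
ANSWERERS = {"PIR-1": relevant_exploited, "PIR-2": detection_gaps}


def answer_requirements(requirements, feed, assets, today):
    """Answer each requirement and keep traceability: which stakeholder and decision
    the product serves, and whether the requirement has passed its validity date
    (a stale requirement should be re-validated with its stakeholder, not silently reused)."""
    report = {}
    for req in requirements:
        hits = ANSWERERS[req.rid](feed, assets)
        report[req.rid] = {
            "question": req.question,
            "stakeholder": req.stakeholder,
            "decision": req.decision,
            "cves": [v.cve for v in hits],
            "stale": today > req.valid_until,
        }
    return report


if __name__ == "__main__":
    for rid, entry in answer_requirements(REQUIREMENTS, FEED, ASSETS, date(2019, 9, 1)).items():
        flag = " [STALE, re-validate with stakeholder]" if entry["stale"] else ""
        print(f"{rid} for {entry['stakeholder']} ({entry['decision']}): {entry['cves']}{flag}")
```

The point of the structure is the traceability slide 24 asks for: every item in the output is tied to a requirement id, the stakeholder who asked, and the decision it feeds, so the feed entry about a product the organisation does not run (CVE-0000-0003) never reaches a stakeholder, and the SOC receives only the one relevant vulnerability it cannot yet detect. The `stale` flag is a minimal form of the timeliness criterion from slide 28 and of the "update and communicate" point on slide 23.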