Know your enemy:
Practical insights for effective threat
intelligence
Puneet Kukreja
Partner Cyber Advisory
Deloitte (Australia)
Know Your Enemy
- Practical insights for effective threat intelligence
ISF World Congress – 2016 Berlin
Our Discussion
The threat landscape
The threat intelligence program
Sourcing threat intelligence
The program setup
What’s the value
The threat landscape
© 2016 Deloitte Risk Advisory Pty Ltd
“There is nothing more necessary than good intelligence to frustrate a designing enemy, and nothing requires greater pains to obtain.” – George Washington

Defining threat intelligence – still holds true from last year
Source: Gartner definition of threat intelligence (shown as a figure on the slide)

Types of threat intelligence: Strategic, Tactical, Technical, Operational
Source: Centre for the Protection of National Infrastructure – UK Government
ISF threat horizon 2016 (figure)
Source: https://www.securityforum.org/uploads/2015/12/isf_threat-horizon_2016_es.pdf

ENISA Threat Landscape 2015 (figure)
Source: https://www.enisa.europa.eu/publications/etl2015

ISF threat horizon 2014 – 2016 (figure)
Source: https://www.securityforum.org/uploads/2015/12/isf_threat-horizon_2016_es.pdf

Each landscape report is mapped onto the same four types of threat intelligence: Strategic, Tactical, Technical, Operational.
The threat intelligence program
The program is covered in four stages:
• Scoping for threat intelligence
• Sourcing threat intelligence
• The program setup
• What’s the value
Threat intelligence program goals
Define your intelligence scope through planning:
• What are you trying to achieve?
• What information do you need?
• Who is the information for?
• What is the budget?
• What resources will you need?
• How is the intended state different from today?

A threat intelligence program is no different from any other security project or program: it requires due diligence and thought on why funding is being asked for, what resources will be required, and how the target state will give an improved security posture compared to what is present today.
Maturity level of threat intelligence
Maturity levels: Unclear, Initial, In place, Expanding & Improving, Risk aligned.

The type of program you set up will depend on the current maturity of your cyber operations.
• Unclear: you know about threat intelligence and subscribe to some free feeds, but are unsure how it will be used within your organisation.
• Initial: there is an understanding of how threat intelligence will tie into security operations, and information from intelligence feeds is being used to guide operations.
• In place: you subscribe to threat intelligence and use it as a key control within your security operations function. It is used on a daily basis, not ad hoc.
• Expanding & Improving: threat intelligence is being refined for the sector the organisation operates in. Outputs are integrated into broader technology operations and regular reporting is established.
• Risk aligned: outputs from your threat intelligence function inform your risk appetite settings.
Sourcing threat intelligence
Why understanding sourcing is important
The data-to-intelligence pyramid: Data, Information, Knowledge, Intelligence.
• Data is raw and abundant. It simply exists and has no significance beyond its existence.
• Information is data that has been given meaning by way of relational connections. The bulk of commodity intelligence providers today are providing information feeds.
• Knowledge is information collected and organised so that it is useful. Very few providers and internal security functions get this far.
• Intelligence is the ability to acquire and apply knowledge and skills to meet an objective. Due to information overload and limited resources, this is rarely achieved.
• Intelligence is about understanding something. This can only effectively be developed over time.
• Intelligence is not about the sources or the raw information.
• Intelligence is about what you can do with it.
Types of intel and example sources
Figure: intelligence sources plotted from economical to expensive and from easy to detect to hard to detect. Sources shown: open source intelligence, technical intelligence, secret, underground. Threat actors shown: opportunists, nation states, corporations, terrorist organisations, botnets, script kiddies, hacktivists, established criminal networks.

• Human Intelligence (HUMINT): intelligence gathered through the use of people. HUMINT employs overt and clandestine operations, e.g. spying. Collection is usually done under an assumed identity, and that persona needs its own operational security.
• Signals Intelligence (SIGINT): intelligence gathered through interception or listening technologies. Example: wired or wireless sniffers and network TAP devices.
• Imagery Intelligence (IMINT): intelligence gathered through recorded imagery such as photographs and satellite images. It crosses over with OSINT where it extends to Google Earth and its equivalents.
• Open-Source Intelligence (OSINT): intelligence gathered from freely available information, such as that presented in the media, available in libraries or on the Internet.
Sourcing consideration

What are you measuring?
Type of threat intelligence: Strategic, Operational, Technical, Tactical
Type of threat intelligence sources: HUMINT (Human Intelligence), SIGINT (Signals Intelligence), IMINT (Imagery Intelligence), OSINT (Open-Source Intelligence)

Feed structures
• Open Threat Exchange (OTX), a sharing platform rather than a format
• Structured Threat Information Expression (STIX)
• Trusted Automated eXchange of Indicator Information (TAXII), the transport used to move STIX content
• Cyber Observable eXpression (CybOX), since folded into STIX 2.x as cyber observable objects
• Collective Intelligence Framework (CIF)
• Open Indicators of Compromise (OpenIOC) framework
• Traffic Light Protocol (TLP), a handling and sharing marking carried with the intelligence rather than a feed format
• Incident Object Description and Exchange Format (IODEF)
• Vocabulary for Event Recording and Incident Sharing (VERIS), an incident classification schema rather than an indicator feed
Which of these a source speaks determines how much parsing, de-duplication and handling logic has to sit between the feed and your detection tooling.

Attributes to measure threat intelligence: 7 measures
1. Who wrote the information?
2. Does the author understand the subject?
3. Why was it produced?
4. When was it produced?
5. Is this relevant to your objectives?
6. How did the author get their information?
7. How do they report on relevant and credible findings?
Program setup
It’s not about the threat feeds.

Your program considerations
• Executive sponsorship
• Relationships and partnerships
• Attribution of adversaries
• Trending & hunting
• Defense & resilience
• Incident response
Underpinned by: integrated architecture, threat modelling, actionable governance, stakeholders.

It’s about running a business program.
What’s the value
How will I measure program value
• Currency and coverage of threat intelligence
• Align the threat intelligence program to your risk profile and risk appetite
• Measure threat intelligence using the right metrics, operational or strategic
• Integration with existing security operational processes
• Measure how intelligence has helped prepare for a proactive response
• Report on how many operational processes have been enhanced
Metrics for measuring operational threat intelligence
• How many detection rules were created following threat intelligence enablement
• Number of architectural changes to the underlying infrastructure
• Total number of IOCs being consumed by the business
• Degree of false positives versus confirmed (true-positive) correlations
• Number of proactive cyber security incident remediations
• Number of IOC correlations reduced given architectural maturity
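The feed structures listed under sourcing and the operational metrics above come down to one pipeline: parse a feed, decide which indicators may be loaded, match them against your telemetry, and count what happened. The Python below is an added example written for this page; it is not code from the presentation or from Deloitte. It assumes a STIX 2.1 bundle carrying TLP marking-definition objects, a constructed set of proxy and DNS log lines, and a SIEM run by an outsourced SOC into which TLP:RED indicators must not be loaded (that handling rule, the sample bundle, the log lines and the analyst dispositions are all assumptions). Only single-comparison STIX patterns are parsed.

```python
"""Added example: load STIX 2.1 indicators, honour TLP markings and expiry, match them against log lines, compute metrics."""
import json
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Only single-comparison STIX patterns such as "[ipv4-addr:value = '198.51.100.23']"
# are parsed; AND/OR, FOLLOWEDBY and WITHIN are deliberately out of scope.
_SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):(\S+)\s*=\s*'([^']*)'\]$")
_TOKEN = re.compile(r"[A-Za-z0-9._-]+")  # ':' and '/' split, so '1.2.3.4:443' yields the IP

NOW = datetime(2016, 11, 1, tzinfo=timezone.utc)
# Assumption: the SIEM is run by an outsourced SOC, so TLP:RED content
# (named recipients only) must never be loaded into it.
SHARED_SOC_TLP = frozenset({"white", "green", "amber"})

# Constructed sample bundle (made-up IDs, trimmed to the properties read below).
_MD = "marking-definition--a0000000-0000-4000-8000-00000000000"
_IND = "indicator--c0000000-0000-4000-8000-00000000000"
SAMPLE_BUNDLE = json.dumps({"type": "bundle", "id": "bundle--b0000000-0000-4000-8000-000000000000", "objects": [
    {"type": "marking-definition", "id": _MD + "1", "definition_type": "tlp", "definition": {"tlp": "green"}},
    {"type": "marking-definition", "id": _MD + "2", "definition_type": "tlp", "definition": {"tlp": "amber"}},
    {"type": "marking-definition", "id": _MD + "3", "definition_type": "tlp", "definition": {"tlp": "red"}},
    {"type": "indicator", "id": _IND + "1", "object_marking_refs": [_MD + "1"],
     "pattern": "[ipv4-addr:value = '198.51.100.23']", "valid_until": "2017-03-01T00:00:00Z"},
    {"type": "indicator", "id": _IND + "2", "object_marking_refs": [_MD + "1"],  # expired at NOW
     "pattern": "[domain-name:value = 'login-update.example']", "valid_until": "2016-06-01T00:00:00Z"},
    {"type": "indicator", "id": _IND + "3", "object_marking_refs": [_MD + "3"],  # TLP:RED
     "pattern": "[file:hashes.'SHA-256' = '9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08']"},
    {"type": "indicator", "id": _IND + "4", "object_marking_refs": [_MD + "2"],
     "pattern": "[domain-name:value = 'cdn.example']"},
]})
# Constructed proxy and DNS log lines; the last one must not fire on 198.51.100.23.
LOGS = [
    "2016-11-01T10:02:11Z proxy src=10.1.4.22 dst=198.51.100.23:443 host=cdn.example action=allow",
    "2016-11-01T10:02:15Z dns client=10.1.4.22 query=cdn.example type=A",
    "2016-11-01T10:05:40Z dns client=10.1.7.9 query=login-update.example type=A",
    "2016-11-01T10:06:02Z proxy src=10.1.7.9 dst=198.51.100.230:80 host=static.example action=allow",
]
# Constructed analyst dispositions for the indicators that fired.
DISPOSITIONS = {_IND + "1": "true_positive", _IND + "4": "false_positive"}


@dataclass(frozen=True)
class Ioc:
    stix_id: str
    obj_type: str  # ipv4-addr, domain-name, file, ...
    prop: str      # value, hashes.'SHA-256', ...
    value: str
    tlp: str


def load_iocs(bundle_json: str, now: datetime, allowed_tlp: frozenset) -> list:
    """Indicators fit to load: parseable, not expired at `now`, carrying an allowed TLP."""
    bundle = json.loads(bundle_json)
    tlp_by_ref = {o["id"]: o["definition"]["tlp"] for o in bundle["objects"]
                  if o["type"] == "marking-definition" and o.get("definition_type") == "tlp"}
    loaded = []
    for obj in bundle["objects"]:
        if obj["type"] != "indicator":
            continue
        m = _SIMPLE_PATTERN.match(obj["pattern"])
        if m is None:
            continue  # unsupported pattern shape: skip rather than mis-parse it
        until = obj.get("valid_until")
        if until and datetime.fromisoformat(until.replace("Z", "+00:00")) <= now:
            continue  # stale indicator: currency is one of the value measures
        marks = [tlp_by_ref[r] for r in obj.get("object_marking_refs", []) if r in tlp_by_ref]
        tlp = marks[0] if marks else "unmarked"  # unmarked is never allowed: fail closed
        if tlp in allowed_tlp:
            loaded.append(Ioc(obj["id"], m.group(1), m.group(2), m.group(3), tlp))
    return loaded


def match_logs(iocs: list, log_lines: list) -> list:
    """(ioc, line) pairs where an IOC value occurs as a whole token in the line."""
    by_value = {}
    for ioc in iocs:
        by_value.setdefault(ioc.value.lower(), []).append(ioc)
    hits = []
    for line in log_lines:
        for tok in _TOKEN.findall(line):
            hits.extend((ioc, line) for ioc in by_value.get(tok.lower(), []))
    return hits


def metrics(loaded: list, hits: list, dispositions: dict) -> dict:
    """IOCs consumed, IOCs that fired, raw hits, and the false-positive rate over dispositioned hits."""
    fired = {ioc.stix_id for ioc, _ in hits}
    reviewed = [dispositions[i] for i in fired if i in dispositions]
    fp = sum(1 for d in reviewed if d == "false_positive")
    return {"iocs_consumed": len(loaded), "iocs_fired": len(fired), "hits": len(hits),
            "false_positive_rate": fp / len(reviewed) if reviewed else 0.0}


def run_example(allowed_tlp: frozenset = SHARED_SOC_TLP) -> dict:
    loaded = load_iocs(SAMPLE_BUNDLE, NOW, allowed_tlp)
    return metrics(loaded, match_logs(loaded, LOGS), DISPOSITIONS)
```

With the shared-SOC TLP set, two of the four indicators are loaded (one is expired, one is TLP:RED), three hits are raised across two indicators, and because the analyst marked the `cdn.example` hits as false positives the false-positive rate is 0.5. Widening the allowed set to include red raises the "IOCs consumed" count to three without changing the hits, which is exactly the kind of difference a metrics slide should make visible: more indicators loaded is not the same as more detections.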
Key takeaways
1. Monitoring all varieties of intelligence across regional and topical interests takes huge amounts of human resources; always prioritise.
2. Threat intelligence should aid and assist with the translation of information into valuable insight for decision makers.
3. The focus should be on sourcing information applicable to the organisation, and on how the threat intelligence has helped improve threat posture and/or incident response capability.
4. Threat intelligence is an evolving capability whose maturity moves up the curve over time. Before you embark on this journey, make sure it is supported by continuous investment rather than a one-off spend.
5. Focus on integration points across the security function and look for improvements via metrics that have defined outcomes for the threat intelligence investment.
Thank you
Puneet Kukreja | Partner | Cyber Advisory
Deloitte Australia
ISF World Congress – 2016 Berlin
QUESTIONS?
Please feel free to contact us for further discussion:
Puneet Kukreja, Partner Cyber Advisory, Deloitte Australia
pkukreja@deloitte.com.au
Ralph Bennett, ISF
Ralph.bennett@securityforum.org