Puneet Kukreja of Deloitte gave a presentation at the ISF's 26th Annual World Congress on implementing threat intelligence systems. He discussed defining threat intelligence, the threat landscape facing organizations, and challenges in threat intelligence. Kukreja also covered the threat intelligence lifecycle, standards like STIX and TAXII, using cases studies and attributes to measure threat intelligence effectiveness. The presentation emphasized that threat intelligence requires integration across security operations and is one part of an overall security strategy.

1. Copyright 2015 © Information Security Forum Limited
1ISF’s 26th Annual World Congress - Atlanta
IMPLEMENTING THREAT INTELLIGENCE SYSTEMS:
MOVING FROM CHAOS TO STRUCTURE
Speakers:
Puneet Kukreja
Partner, Cyber Advisory, Deloitte
Chair:
Nick Frost
ISF

2. Demystifying Threat
Intelligence
-keeping it real
ISF World Congress – 2015 Atlanta U.S.A.

3. Our Discussion
3
Threat landscape
Defining threat intelligence
Threat intelligence lifecycle
Challenges of threat intelligence
What we need
What can I takeaway

4. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
Threat Landscape
The cyber threat landscape will continue to deteriorate as the attack surface
expands with advances through digital innovation via IoT, consumerisation of
enterprise mobility and cloud.
Source: http://blogs.cisco.com/ciscoit/cisco-security-intelligence-operations-defense-in-depth

5. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
Threat landscape
Distributed
Denial of Service
(DDoS)
Application
Layer Attacks
Brute Force
Attacks
Network Protocol
Attacks
Known
Vulnerability
Exploitation
Zero Day
Exploitation
Phishing
Rogue Update
Attacks
Watering Hole
Attacks
Types of
Cyber
Attacks

6. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
Threat landscape

7. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
“There is nothing more necessary than good intelligence to frustrate a designing
enemy & nothing requires greater pains to obtain” - - GEORGE WASHINGTON
Defining threat intelligence?
Source: Gartner Definition – Threat Intelligence
Gartner
STRATEGIC TACTICAL TECHNICAL OPERATIONAL
TYPES OF THREAT INTELLIGENCE
SOURCE: Centre for the Protection of National Infrastructure – UK Government

8. Defining threat intelligence?
SOURCE: Centre for the Protection of National Infrastructure – UK Government

9. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
Is it all about the Kill Chain?
Threat intelligence lifecycle
RECONNAISSANCE
WEAPONISATION
DELIVERY
EXPLOITATIONINSTALLATION
COMMAND &
CONTROL
ACTIONS ON
OBJECTIVES
THE
KILL
CHAIN
1
2
3
45
6
7

10. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
Is it just not another control process?
Threat intelligence lifecycle
PLANNING
DIRECTION
COLLECTION
PROCESSINGANALYSIS
PRODUCTION
DISSEMINATION
1
2
3
45
6
7

11. Standards supporting threat intelligence
The Trusted Automated eXchange of
Indicator Information (TAXII™)
Standardizing Cyber Threat Intelligence
Information with the Structured Threat
Information eXpression (STIX™)
Cyber Observable eXpression (CybOX™)

12. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
STIX Architecture

13. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
Source: http://stix.mitre.org/
STIX Architecture

14. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
STIX Use Case (sharing threat information)
Source: http://stixproject.github.io/getting-started/whitepaper/

15. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
Challenges of threat intelligence
Why do I ask that question?
Attack
Graphs
Stakeholders
Scenario
Planning
Integrated
Architecture
Business
Case
Threat
Modelling
Contextual
Requirements
Threat Actors
Actionable
Governance
Threat Feeds

16. What we need
Attributes to measure threat intelligence
Accurate
Relevant
Aligned to
Requirements
Tailored
Integrated
Timely
Predictive
Actionable

17. Deloitte Touche Tohmatsu © 2015 - Demystifying Threat Intelligence
What can I take away
Improves
visibility &
reporting
Integration is
required
across design,
engineering
and
operations
Begins with
critical
systems and
asset
inventory
Do not
overlook
security
operations
process
maturity
Is only as
good as your
asset and
threat profile
classification
Vendors are
only as good
as “your” use
cases
It’s no
Silver
Bullet

18. Thank you
Puneet Kukreja | Partner | Cyber Advisory
Deloitte Australia

19. Copyright 2015 © Information Security Forum Limited
19ISF’s 26th Annual World Congress - Atlanta
QUESTIONS?

20. Copyright 2015 © Information Security Forum Limited
20ISF’s 26th Annual World Congress - Atlanta
Please feel free to contact us for further
discussion:
Puneet Kukreja – Partner, Cyber Advisory, Deloitte
pkukreja@deloitte.coma.au
Nick Frost - ISF
nick.frost@securityforum.org