Stop Tilting at Windmills: 3 Key Lessons that CTI Teams Should Learn from the Past
SANS CTI Summit 2020
Andreas Sfakianakis
CTI Professional
§ CTI and IR in Financial and Oil & Gas sectors
§ ENISA CTI, FIRST.org CTI, European Commission
§ Twitter: @asfakian
§ Website: www.threatintel.eu
tilting at windmills
§Original authors are referenced within the slide deck
§References for this presentation http://bit.ly/ctisummit2020
§Views are my own
§ Setting the scene
§ Lesson #1
§ Lesson #2
§ Lesson #3
§ Final Remarks
Image from hp-comic.com
Image from gatewaytotheclassics.com
1989 - Cuckoo’s Egg
2009 - Operation Aurora
2010 - Stuxnet
2011 - LM Kill Chain
2013 - APT1 Report
2013 - Pyramid of Pain
2013 - Snowden Leaks
2014 - Heartbleed
2015 - ATT&CK
2016 - The Shadow Brokers / US Elections
2017 - WannaCry / Petya
APT Becomes Mainstream
Wider CTI Adoption
We are here!
Problem Statement
Image from wikimedia.org
§Stakeholders and their pain points
§Operational landscape
§Business processes and risk reduction
“CTI teams should not do intelligence for intelligence’s sake, it costs money and time” - Lauren Zabierek
Tactical Intelligence: Security Engineers, SOC Team
Operational Intelligence: Incident Responders, Threat Hunters, Vulnerability Management, Red Team, Fraud Team, Sys Admins, IT Managers
Strategic Intelligence: C-Suite / Executives, Group Security, Risk Managers, Business Stakeholders, Regional Stakeholders, IT Architects
§ Intelligence requirements are enduring questions that consumers of intelligence need answers to.
§ Answer critical questions intelligence customers care about (not what YOU care about).
Reference: Sergio Caltagirone
Reference: SANS
§ US Military - Joint Publication 2-0
§ SANS CTI Summit 2018 - I Can Haz Requirements? - Michael Rea
§ CTI SquadGoals—Setting Requirements - Scott J Roberts
§ SANS - Threat Intelligence: Planning and Direction - Brian Kime
§ SANS - Defining Threat Intelligence Requirements – Pasquale Stirparo
§ FIRST CTI 2019 - Your requirements are not my requirements – Pasquale Stirparo
§ SANS CTI Summit 2018 - Intelligence Preparation of the Cyber Environment – Rob Dartnall
§ ThreatIntel.eu - Intelligence Requirements: the Sancho Panza of CTI
References for this presentation: http://bit.ly/ctisummit2020
§ Identification of relevant stakeholders
§ Connection with business and enterprise risk management cycles
§ Identification of operational environment (crown jewels)
§ Capturing and documenting the intelligence requirements
Image from bestofspain.es
§ Importance of CTI reporting
§ Embedding of intelligence tradecraft (cross-pollination)
§ Means of dissemination
Collection > Analysis > ? > ACTION
Reference: Christian Paredes
§ Intelligence and production requirements
§ Structure - Report template
§ Style - Style guide document
§ Tradecraft – IC Analytic Standards (ICD 203)
§ Constant feedback loop
Report Structure
§ Title
§ Executive Summary (BLUF)
  § What?
  § So what?
  § So what of the so what? What next?
§ References
§ Appendix
  § Indicators (machine readable?)
  § Tradecraft used
§ Internal Communications / Email marketing application
§ Store the CTI products in SharePoint
Reference: Robert M. Lee
Reference: VB – Martijn Grooten
Reference: Casey Brooks (2019 Thanksgiving edition)
§ SANS SEC402 - Cybersecurity Writing: Hack the Reader (Lenny Zeltser)
§ Effective Information Security Writing (Chris Sanders)
§ Write it or it didn’t happen. Happy reporting! :) (Yourself)
§ Intelligence Community Directive (ICD) 203 - Analytic Standards
§ CIA - Analytic Thinking and Presenting for Intelligence Producers
§ CIA - Compendium of Analytic Tradecraft Notes
§ CIA - Style Manual and Writers' Guide for Intelligence Publications
§ The Economist Style Guide
§ SANS CTI Summit 2017 - Pen-To-Paper and The Finished Report: The Key To Generating Threat Intelligence - Christian Paredes
§ SANS CTI Summit 2019 - Analytic Tradecraft in the Real World - Amy R. Bejtlich
§ Sergio Caltagirone - 15 Things Wrong with Today’s Threat Intelligence Reporting
§ Lenny Zeltser - Top 10 Writing Mistakes in Cybersecurity and How You Can Avoid Them
References for this presentation: http://bit.ly/ctisummit2020
§ CTI needs to be better communicated to business at a strategic (and operational) level.
§ Communication competencies are key for CTI teams.
§ Report writing as a critical CTI skill.
§ Cross-pollination - Intelligence tradecraft wasn't invented yesterday
Image from heritage-history.com
§ CTI skills shortage
  § SANS CTI Survey 2018: “62% of respondents cited a lack of trained CTI professionals and skills as a major roadblock, an increase of nearly 10 percentage points over 2017 (53%)”
§ Organizational challenges
§ Challenges for CTI teams
§ What is the skillset needed for a CTI team?
  § “Do I need a reverse engineer for my CTI team?”
  § “Do I need non-technical analysts in my team?”
§ How do we develop the skillset of (junior) CTI analysts?
§ How do we streamline day-to-day CTI work?
  § “How do I reduce CTI analyst dependency?”
§ Core CTI curriculum and CTI training roadmap
§ Documented Standard Operating Procedures
§ Everyday learning culture
§ Periodic exercises with your team
§ Knowing your biases?
§ INSA - Cyber Intelligence: Preparing Today’s Talent for Tomorrow’s Threats
§ Sergio Caltagirone - 15 Knowledge Areas and Skills for Cyber Analysts and Operators
§ EclecticIQ – On the Importance of Standard Operating Procedures in Threat Intelligence
§ CIA – Fifteen Axioms for Intelligence Analysis
§ ENISA CTI-EU 2017 - Lessons Learned from Teaching CTI All Over the World - Jess Garcia
§ ComradeCookie - What is CTI and what makes a good CTI analyst?
§ Richards J. Heuer - Psychology of Intelligence Analysis
§ Richards J. Heuer - Structured Analytic Techniques for Intelligence Analysis
§ NIST - National Initiative for Cybersecurity Education Cybersecurity Workforce Framework
§ SEI Carnegie Mellon University - Cyber Intelligence Tradecraft Report
References for this presentation: http://bit.ly/ctisummit2020
§ Use a competency-based framework to assess your CTI team’s skill coverage.
§ Invest in internal/external CTI training opportunities, especially on analysis and thinking.
§ Streamline BAU CTI tasks, make them repeatable.
§ Build a working environment for knowledge sharing (sharing is caring, huh?)
Dulcinea Watches as Don Quixote Wins Battles For Her
Image from elladocomicodedonquijote.wordpress.com
§ Intelligence direction phase is of utmost importance to your intelligence cycle process.
§ CTI needs to be better communicated.
§ Focus on CTI analyst’s skillset.
Andreas Sfakianakis
@asfakian
threatintel.eu
References for this presentation: http://bit.ly/ctisummit2020
Sharing is caring
