Information Security Intelligence
Primer on Information Security Intelligence by a Cybertrust consultant
Uploaded by guest08b1e6 · 44 slides · Technology, Business
1.
Information Security Intelligence
Maarten Van Horenbeeck, Security Consultant
2.
Content
• Basic concepts
• Changing threat landscape
• Security Intelligence
• Intelligence methodology
  • Direction
  • Collection
  • Processing
  • Dissemination
• The Intelligence Organization
• Metrics and effectiveness
• Automation of intelligence processes
• Conclusion: what to take home
©2007 Cybertrust. All rights reserved. www.cybertrust.com
3.
1. Basic concepts of security and information
Robust systems and incident response
4.
Basic concepts of security
Robust systems: Information Security Professionals strive to build robust systems that are reliable, fail in predictable ways and resist attack. Also known as the Ross Anderson school of thought, this is the main undertone of his book ‘Security Engineering’.
Time-based security: In reality, systems do still fail, and we introduce controls to make successful attacks more difficult, increasing the time between attack and compromise. This time allows for detection and incident response. Coined by Winn Schwartau in his book ‘Time Based Security’.
5.
Basic concept of information
Data: Unordered events, facts or figures.
Information: Collected facts and data on a subject; ordered data.
Knowledge: Awareness or possession of information, facts, truth, principles.
Wisdom: The knowledge and experience required to make sensible decisions and judgments.
Intelligence: The required input for getting to wisdom in a structured manner, and the process of establishing this input.
6.
2. Changing Threat Landscape
From defacement to fraud
7.
Virus and malware evolution
Computer viruses used to pose an availability threat to end-user data. In 1991, Tequila infected local executable files and spread through infected floppies.
8.
Virus and malware evolution
Change in methodology: malicious code is now spread through compromised sites.
Change in target: the same code now gathers authentication credentials for internet banking sites or on-line games.
9.
Format rendering vulnerabilities
Vulnerabilities in network-exposed services have always been popular exploitation targets. Our response has been to minimize the attack surface by disabling services where they are not necessary. The increased popularity of fuzzers has now exposed a new class of vulnerabilities:
• Attacking indirectly by exploiting vulnerabilities in file format parsers such as Microsoft Office and the Ichitaro word processor;
• Recently used in targeted attacks against organizations:
  • UK Government institutions (2005)
  • US Department of State (2006)
10.
Just last week
Organizations are being targeted with e-mails from a valid ‘business partner’ with an RTF attachment.
• RTF: Rich Text Format, but it is able to contain OLE embedded objects, such as executables;
• Plenty of anti-virus solutions scan the RTF file but do not unpack the embedded object;
• Issue first identified in 2005, re-identified in 2007.
Many risks:
• What if you are the ‘business partner’?
• Is your team aware of these types of attacks, and is there a plan on how to respond to them?
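The slide's point is that scanning the RTF container is not enough: the embedded object has to be unpacked and looked at. The following is an added example, not code from the deck or from any Cybertrust or vendor product. It shows a minimal mail-gateway triage step that looks for the RTF object control words, decodes the hex-encoded object data and checks it for an executable header. The control words (`\object`, `\objemb`, `\objclass`, `\objdata`) are standard RTF; the two sample documents and the hex payload are constructed for illustration.

```python
"""Triage RTF attachments for embedded OLE objects (added example, stdlib only).

The control words \\object, \\objemb, \\objclass and \\objdata are standard RTF;
the two sample documents and the hex payload below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List

OBJECT_MARKERS = ("\\object", "\\objemb", "\\objdata")     # RTF control words for embedded OLE objects
_OBJCLASS_RE = re.compile(r"\\objclass\s+([^\\{}]+)")      # e.g. {\*\objclass Package}
_OBJDATA_RE = re.compile(r"\\objdata\s*([0-9A-Fa-f\s]+)")  # hex-encoded OLE1 object data
PE_MAGIC = b"MZ"                                            # DOS/PE executable header


@dataclass
class RtfObjectReport:
    is_rtf: bool
    has_embedded_object: bool = False
    object_classes: List[str] = field(default_factory=list)
    decoded_payload_bytes: int = 0
    executable_signature: bool = False
    findings: List[str] = field(default_factory=list)


def _decode_hex(blob: str) -> bytes:
    """Turn the whitespace-laden hex of an \\objdata group back into bytes."""
    hexchars = re.sub(r"\s+", "", blob)
    if len(hexchars) % 2:
        hexchars = hexchars[:-1]          # tolerate a truncated trailing nibble
    return bytes.fromhex(hexchars)


def inspect_rtf(document: str) -> RtfObjectReport:
    """Scan the container *and* the decoded object data; container-only scanning
    sees an ordinary text document."""
    report = RtfObjectReport(is_rtf=document.lstrip().startswith("{\\rtf"))
    if not report.is_rtf:
        report.findings.append("not an RTF document: identify the real file type")
        return report
    report.has_embedded_object = any(m in document for m in OBJECT_MARKERS)
    if not report.has_embedded_object:
        return report
    report.findings.append("embedded OLE object present")
    report.object_classes = [c.strip() for c in _OBJCLASS_RE.findall(document)]
    if any(c.lower() == "package" for c in report.object_classes):
        report.findings.append("OLE class 'Package': generic container for an arbitrary embedded file")
    for blob in _OBJDATA_RE.findall(document):
        payload = _decode_hex(blob)
        report.decoded_payload_bytes += len(payload)
        if PE_MAGIC in payload:
            report.executable_signature = True
    if report.executable_signature:
        report.findings.append("PE header (MZ) inside decoded object data")
    return report


# Constructed samples: a plain RTF note, and one carrying an embedded "Package"
# object whose (made-up) data contains an "MZ" executable header.
BENIGN_RTF = r"{\rtf1\ansi Quarterly figures attached, see page 2.\par}"
SUSPECT_RTF = (
    r"{\rtf1\ansi{\object\objemb{\*\objclass Package}"
    r"{\*\objdata 0105000002000000080000005061636b61676500000000"
    r"4d5a90000300000004000000ffff0000}}\par}"
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF)):
        r = inspect_rtf(doc)
        print(f"{name}: object={r.has_embedded_object} classes={r.object_classes} "
              f"bytes={r.decoded_payload_bytes} findings={r.findings}")
```

A gateway rule built on this would quarantine anything where `executable_signature` is set and route documents with an embedded `Package` object to a sandbox, since that class is the generic wrapper for an arbitrary file rather than a spreadsheet or picture.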
11.
Conclusion
A much more complex threat environment has drastically increased the scope of ‘residual risk’.
• Do we fully understand these and other emerging threats or threat facilitators?
• Did we see them coming, or did we ‘respond’?
• How can our information security program deal with these events more proactively, saving resources?
12.
4. Security Intelligence
Understanding and mitigating threats
13.
Security Intelligence
As a product, intelligence is information that has the ability to reduce uncertainty in decision-making.
Intelligence is also the process of gathering, evaluating, correlating and interpreting information, and disseminating it to decision makers.
Everyone in the organization performs the intelligence role, but it is only rarely formalized.
14.
The Intelligence Cycle
[Cycle diagram] Direction and Planning → Collection → Processing → Dissemination, feeding back into Direction and Planning.
15.
Direction
Security intelligence is gathered in response to management requirements. Such requirements can originate with business management as well as with information security management. The intelligence process is generally started by defining:
Key Intelligence Topics
• Threats towards our information assets;
• Threats towards our reputation.
Key Intelligence Questions
• “To what degree are incidents reported that could be instigated by our competitors?”
• “There has been an increase in the number of successful security incidents. Are we missing a trend, or not seeing the wider picture?”
16.
Direction: current intelligence
Aims to provide up-to-date intelligence to enable day-to-day intelligent decision-making:
• New vulnerabilities;
• Exploits being released;
• Important new talks at security conferences.
Aims to answer: Should we patch? Should we install new software?
17.
Direction: warning intelligence
Warning intelligence prepares the organization for new and emerging threats, and serves as input to the risk management processes already in place.
• Warning intelligence monitors trends over a longer period of time and identifies emerging threats;
• Aims to prevent being ‘surprised’:
  • WMF file format vulnerability in 2005;
  • Targeted attacks in 2005-2007.
18.
Collection targets
Intelligence exists both internally and externally.
“If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not your enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.” - Sun Tzu
Internal sources
- Intrusion Detection Systems
- Security Event Manager
- Individual logs
- Personnel
19.
Collection targets
External sources
- Vendors
  - Microsoft, Verisign, Symantec each publish security intelligence reports
  - iDefense, Secunia, IBM, Cisco sell security intelligence information
- Sharing of information
  - FS-ISAC, Water ISAC, IT ISAC, Electricity Sector ISAC
  - NSP and threat-related mailing lists
  - SANS Internet Storm Center
- Law enforcement contacts
20.
Collection sources
Closed sources
- Some information is not publicly available, and is someone else’s intellectual property;
- Usually neither ethical nor lawful to access, but it may be shared by the owning organization while remaining closed to others.
Grey sources
- Sources that have a significant barrier to entry (cost to access a database) while open to everyone who is interested.
Open sources
- Information that is generally available to everyone;
- May not be on the internet, or may not be in English.
21.
Technical collection
22.
Processing: collation
When received, information needs to be ordered based on a characteristic of interest to the process. This may be:
• Time of occurrence of certain events;
• Region of occurrence;
• Size of business impact.
23.
Processing: evaluation
Evaluating information prior to accepting it. Is the information:
• Accurate;
• Complete;
• Timely;
• Potentially fabricated?
We also try to establish with what purpose the information was provided to us. Is there any way it can be verified using existing information (information triangulation)?
24.
Processing: synthesis/analysis
The analysis phase consists of two subsets:
Synthesis: a model is generated of the threat at hand or the intelligence question. This model consists of a systems-centered replica of the question at hand, including all its inputs, outputs, processes and algorithms. Models can be physical or conceptual.
Analysis: extracting knowledge from a model by:
• changing an input parameter and monitoring the model’s output;
• identifying and studying forces that have an impact on any parameter, and measuring their impact on the final output.
25.
Processing: synthesis
Generic models: timelines, maps, process models.
Sample applied models: Broken Windows Model; Field Anomaly Relaxation.
Threat assessment models: Ballistic Threat Model.
Some models are better placed to function in warning analysis, others are ideal for current analysis.
26.
Processing: integration
Integrate information within existing frameworks:
• Dominant use of databases;
• Web 2.0 technology for specific purposes:
  • Wiki for collaboration on topics;
  • Blogs for inter-group communication of ‘prime time’ issues;
  • Forums for generic Q&A;
  • Social networking for locating subject matter experts.
27.
Processing: interpretation
Information is interpreted by:
- Formulating hypotheses;
- Testing hypotheses.
When a hypothesis is not supported by most trusted information, or is proved unreasonable by even a single item of it, it is proven false and new hypotheses need to be generated.
Unfortunately, cognitive limitations apply:
- Information that has personal relevance is likely to be ranked higher than impersonal, but perhaps more important, data (your ex-department’s assets at risk?);
- Most people believe other cultures and other organizations think and act in similar ways as they do.
28.
Processing: interpretation
Methodology to reduce the impact of bias: Analysis of Competing Hypotheses
• Prepare a matrix of hypotheses;
• Refine this matrix by deleting evidence with little diagnostic value;
• Draw preliminary conclusions of likelihood. Attempt to disprove hypotheses;
• Analyze sensitivity of the conclusion to the items of evidence;
• Report conclusions. Include the relative likelihood of all hypotheses;
• Identify milestones for future observation.
29.
Processing: interpretation
30.
Processing: interpretation
Decision-making support tool by PARC
• As with all intelligence analysis, merely a supportive measure;
• It doesn’t make decisions for you;
• Formalizes the process and forces the analyst to employ competing hypotheses;
• Instills trust in the recipient of intelligence information;
• Free of charge at http://www2.parc.com/istl/projects/ach/ach.html
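The ACH steps listed two slides up (prepare the matrix, drop non-diagnostic evidence, try to disprove rather than confirm, check sensitivity, report the relative likelihood of every hypothesis) are mechanical enough to write out as a small scoring routine. The following is an added example, not code from the deck and not the PARC tool; the hypotheses, evidence items and credibility weights are constructed for a key intelligence question of the kind posed on the Direction slide, and the 1/(1+score) likelihood mapping is one simple choice, not a standard of the method.

```python
"""Analysis of Competing Hypotheses as a small scoring routine (added example).

Hypotheses, evidence items and credibility weights are constructed for illustration.
Rating codes: C = consistent with the hypothesis, I = inconsistent, N = neutral/not applicable.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

CONSISTENT, INCONSISTENT, NEUTRAL = "C", "I", "N"


@dataclass
class Evidence:
    label: str
    credibility: float        # 0..1, carried over from the evaluation step (accurate, timely, trusted source)
    ratings: Dict[str, str]   # hypothesis id -> C / I / N


# Step 1: the matrix. Constructed key intelligence question: "successful incidents are
# rising; are we missing a trend?" with three competing explanations.
HYPOTHESES = {
    "H1": "opportunistic mass malware",
    "H2": "targeted campaign against this organization",
    "H3": "internal process failure (patching, configuration)",
}
MATRIX = [
    Evidence("E1 identical RTF lure received by three business units", 0.9,
             {"H1": INCONSISTENT, "H2": CONSISTENT, "H3": INCONSISTENT}),
    Evidence("E2 sender spoofs a known business partner", 0.8,
             {"H1": INCONSISTENT, "H2": CONSISTENT, "H3": NEUTRAL}),
    Evidence("E3 payload is a commodity banking trojan sold openly", 0.7,
             {"H1": CONSISTENT, "H2": INCONSISTENT, "H3": NEUTRAL}),
    Evidence("E4 patch compliance dropped in the same quarter", 0.6,
             {"H1": NEUTRAL, "H2": NEUTRAL, "H3": CONSISTENT}),
    Evidence("E5 attachments arrive during office hours", 0.5,
             {"H1": CONSISTENT, "H2": CONSISTENT, "H3": CONSISTENT}),
]


def is_diagnostic(e: Evidence) -> bool:
    """Evidence rated the same against every hypothesis cannot tell them apart."""
    return len(set(e.ratings.values())) > 1


def prune(matrix: List[Evidence]) -> List[Evidence]:
    """Step 2: drop evidence with no diagnostic value."""
    return [e for e in matrix if is_diagnostic(e)]


def inconsistency_scores(hypotheses: List[str], matrix: List[Evidence]) -> Dict[str, float]:
    """Step 3: ACH scores hypotheses by the evidence *against* them (disproof, not confirmation)."""
    scores = {h: 0.0 for h in hypotheses}
    for e in matrix:
        for h in hypotheses:
            if e.ratings.get(h, NEUTRAL) == INCONSISTENT:
                scores[h] += e.credibility
    return scores


def rank(hypotheses: List[str], matrix: List[Evidence]) -> List[Tuple[str, float]]:
    """Least-contradicted hypothesis first; ties broken by id so the result is deterministic."""
    return sorted(inconsistency_scores(hypotheses, matrix).items(), key=lambda kv: (kv[1], kv[0]))


def sensitivity(hypotheses: List[str], matrix: List[Evidence]) -> List[str]:
    """Step 4: evidence whose removal changes the leading hypothesis; re-verify those items first."""
    leader = rank(hypotheses, matrix)[0][0]
    return [e.label for e in matrix
            if rank(hypotheses, [x for x in matrix if x is not e])[0][0] != leader]


def relative_likelihood(hypotheses: List[str], matrix: List[Evidence]) -> Dict[str, float]:
    """Step 5: report every hypothesis, not only the winner. 1/(1+score) is one simple
    monotone mapping from weighted inconsistency to a relative weight (an assumption here)."""
    scores = inconsistency_scores(hypotheses, matrix)
    weights = {h: 1.0 / (1.0 + s) for h, s in scores.items()}
    total = sum(weights.values())
    return {h: round(w / total, 3) for h, w in weights.items()}


def analyze(hypotheses: Dict[str, str], matrix: List[Evidence]) -> Dict[str, object]:
    """Run the whole procedure and return what would go into the report."""
    ids = list(hypotheses)
    kept = prune(matrix)
    return {
        "dropped_as_non_diagnostic": [e.label for e in matrix if e not in kept],
        "ranking": rank(ids, kept),
        "relative_likelihood": relative_likelihood(ids, kept),
        "pivotal_evidence": sensitivity(ids, kept),
    }


if __name__ == "__main__":
    for key, value in analyze(HYPOTHESES, MATRIX).items():
        print(f"{key}: {value}")
```

On the constructed matrix the targeted-campaign hypothesis leads only because it is the least contradicted, and the sensitivity step shows that the whole ranking turns on a single item, E1: that item is the one to verify against a second source before the conclusion is disseminated, and it is a natural "milestone for future observation" in the slide's terms.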
31.
Dissemination
Perhaps the most important phase of the intelligence process.
• Making decisions should be separated from the intelligence gathering process; however, this may not always be possible;
• In smaller organizations, intelligence gathering may be performed by operational teams, which may then make decisions themselves;
• Presentation of evidence may impact decisions:
  • Representation of numbers;
  • Risk is low, medium, “slam dunk”;
  • Cost of collection often inflates the perceived importance.
Sample deliverables: threat reports; statistical information.
32.
5. The Intelligence Organization
Real-life implementation
33.
Intelligence as a CERT function
CERT teams often also carry a partial intelligence function:
• Track vendor bulletins and re-issue those that may affect the organization;
• CERTs have defined matrix team liaisons across the organization.
Advantages
• Usually an existing, skilled team;
• Awareness of threats can be used in incident response;
• Makes the CERT realize the value of maintaining a good inventory of security incidents;
• Greater visibility of the CERT to management.
Disadvantages
• Less appropriate for warning analysis;
• Intelligence function may suffer during high-incident timeframes.
34.
Intelligence as a research group
A specific research team is assigned to perform ongoing intelligence efforts. It usually delivers input to the risk analysis process, or supports it as mediator and subject matter expert.
Advantages
• Dedicated team;
• Team members can be selected more accurately;
• Intelligence function remains independent from decision makers.
Disadvantages
• Less visibility of, and experience with, company assets than a CERT.
35.
A quote
“Intelligence is best done by a minimum number of men and women of the greatest possible ability” - RV Jones, UK Military Intelligence Expert (1911-1997)
36.
6. Metrics
Measuring effectiveness
37.
Measuring intelligence results
Security Intelligence is primarily a support function to risk management. It enables:
• Better measurement in support of risk management;
• Better measurement of risk management efforts;
• Some measurement of the intelligence product.
Some examples:
• Measuring the threat level against the organization: how many of the vulnerability exploitations observed against the network were not actively translated into a worm, but had a high complexity of exploitation according to the NVD;
• How many of the new threats that required change management was the team informed of well in advance.
38.
7. Automation
Automating the intelligence process
39.
Automating intelligence
Most software currently available is aimed at:
Intelligence/Law Enforcement clients
• Uses industry-developed checklists and data-mining tools;
• Allows interaction with various closed databases, but mainly collaboration tools;
• Inxight, Interquest, ...
Competitive intelligence
• Market research, competitor analysis, internet discussion tracking;
• Digimind, Factiva, Trellian, Attentio, ...
Information Security threat management (event management)
• Automate the collection process by crawling open, grey and closed databases;
• Store key concepts and make them searchable;
• Some apply automated translation.
40.
Automating intelligence
In 2004, the RAND Institute published a major study on the automation of intelligence structures.
• Introduces ASAP: Atypical Signal and Analysis Processing Schema
  • Interceptor agents: test data and gather information;
  • Detection agents: filter the dots for events matching and violating criteria;
  • Agents to identify relationships and sweep back using these for further information;
  • Hypotheses agents: create and test;
  • Prioritize hypotheses and forward to analysts for manual review.
• Also introduces a framework for short-term implementation:
  • Use the Delphi technique to obtain expert opinion on the ‘status quo’ in monitored threats;
  • Define ‘items of note’ that may impact the expression of these threats;
  • Design systems to monitor these ‘items of note’;
  • Establish virtual communities amongst experts to track these items and use modelling for forecasting.
• Future tools will most likely be based on similar frameworks.
41.
8. Conclusion
What to take home today
42.
Intelligence
It is:
• A support tool that enables better risk management;
• A formalized way of dealing with ‘current’ and ‘warning’ research questions and forecasting;
• Collection that occurs both within the organization (know yourself) and outside the organization (know thy enemy).
It is not:
• Something you purchase in itself, though it can consist of purchased ‘current’ intelligence combined with in-house research;
• Yet fully standardized: many concepts, ideas and models linger, but many are only published in journals.
43.
Combine strengths
Vendors are best placed to:
• Provide information (‘intelligence’) on what is happening on the internet and in the business, and who is likely to be targeted;
• Provide detail on current incidents and attacks;
• Help with the definition of relevant models.
Organizations themselves should:
• Consider the use of intelligence concepts in their research and risk management processes;
• Better understand their own networks, systems and people;
• Make use of public information where available to enable better decision making.
44.
5. Any Questions?
maarten.vanhorenbeeck@cybertrust.com
Tel. +32 (016)28 73 92