Delivered at ACSC in Canberra on 10 April 2018.
Associated intelligence requirements spreadsheet is available for download at https://www.dropbox.com/s/rtisz5zdy5sl1w1/ACSC-Reqs.xlsx?dl=0
How to build a cyber threat intelligence program
1. How to Build a Cyber Threat Intelligence Program
By Mark Arena
2. Mark Arena
• Australian but hasn’t lived in Australia for 5+ years
• CEO and Founder of Intel 471
• Previously Chief Researcher at iSIGHT Partners (FireEye)
• Previously Technical Specialist at Australian Federal Police
• Over a decade of researching and tracking top tier cyber threat actors
across both government and the commercial space
3. General infosec view on intelligence
When it comes to cyber threat intelligence, the security industry
mostly appears to take the view that indicators of compromise (IOCs)
are the best approach to initiate/drive the intelligence process.
4. CTI: An incident-centric approach
• Begins with detection of an event (reconnaissance or compromise)
• Any time we initiate/drive the intel process from indicators of
compromise (IOCs)
• Enumerate TTPs and Actor (intent, goals, motivation) from IOCs
5. Pros of the incident-centric approach
• Direct relevance is established
• Potentially allows identification of the threat actors and groups that
are targeting your organization
• Provides IOCs that can be used to aid in the identification of
compromise from the same threat actor, campaign and incidents
across an organization.
6. Cons of the incident-centric approach
• Reactive approach initiated after your organization has already been
impacted to some degree.
• Focuses primarily on the attack surface and doesn’t reflect the
process that the threat actor needs to go through to impact your
organization.
• Difficult to be predictive.
8. Attribution - valuable or not?
• Lots of debate in the infosec community re: value of attribution (or
not)
• I believe that attribution to various levels (person, group, nation-
state, etc.) provides valuable insights that support decision-making at
all levels
• Don’t confuse attribution as always meaning to identify the person
behind the keyboard
9. Which actors should I be interested in?
• Actors targeting my organisation
• Actors targeting other organisations in my sector/vertical
• Actors that are enablers for the actors targeting me and my sector
• All prioritised by business impact (intent will drive prioritisation)
10. With actors, we want to understand:
• Who are they?
• What are their associations with enabling actors and partners?
• What are their motivations?
• What are their technical skills and abilities?
• Who are they targeting?
11. Next step
• What are their TTPs?
• Fuse actor-centric information (through analysis) tied to TTPs and
ideally campaigns and even IOCs
12. Pros of the actor-centric approach
• Enables your organization to be proactive and predictive.
• Provides context around an actor’s motivations and their abilities
before an incident occurs.
• Focused on adversary’s business process rather than just the
elements that (could) impact an organization’s attack surface.
13. Cons of the actor-centric approach
• Relevance to your organization might not be readily apparent.
• It is challenging to gain and maintain accesses where threat actors and
groups operate.
• Requires analytical effort to fuse with your other sources of information.
• Requires regularly updated prioritization of threat actors to focus on.
• May be missing IOCs to look for within your organization.
14. Intelligence
“… intelligence is information that has been analyzed and refined so
that it is useful to policymakers in making decisions - specifically,
decisions about potential threats …”
• https://www.fbi.gov/about-us/intelligence/defined
15. Cyber threat intelligence
• Threat is a person with a motivation, goal and sophistication
• Malware isn’t a threat, the person using it is
16. Pop quiz
• The US government’s intelligence community spending is massive
• Who is the #1 customer for the US intelligence community?
• What are the deliverables for that customer?
23. Top 5 challenges for building a CTI program
1. Assessing internal capabilities versus external purchasing
2. Explaining CTI as an enabler, not a hindrance
3. Understanding what a threat is
4. Program metrics and KPIs
5. Common vision re: CTI
27. Planning, Direction, Needs, Requirements
Three requirements lists to build and maintain:
• Production requirements – What will be delivered to the intelligence
customer/consumer.
• Intelligence requirements – What we need to collect to meet our
production requirements.
• Collection requirements – The observables/data inputs we need to
answer our intelligence requirements.
28. Production requirements
• What is needed to be delivered to the intelligence customer (the end
consumer of the intelligence).
Intelligence requirements
• What we need to collect to be able to meet our production requirements.
29. Production requirement / Intelligence requirements
Production requirement: What vulnerabilities are being exploited in the
world that we can't defend against or detect?
Intelligence requirements:
- What vulnerabilities are currently being exploited in the wild?
- What exploited vulnerabilities can my organization defend?
- What exploited vulnerabilities can my organization detect?
- What vulnerabilities are being researched by cyber threat actors?
30. Intelligence requirements
• What we need to collect to be able to meet our production requirements.
Collection requirements
• The observables/data inputs we need to answer the intelligence
requirement.
31. Intelligence requirements / Collection requirements
Intelligence requirement: What vulnerabilities are currently being
exploited in the wild?
Collection requirements:
- Liaison with other organizations in the same market sector.
- Liaison with other members of the information security industry.
- Open source feeds of malicious URLs, exploit packs, etc. mapped to the
vulnerability/vulnerabilities being exploited.
- Online forum monitoring where exploitation of vulnerabilities is
discussed/sold/etc.
32. Intelligence requirements / Collection requirements
Intelligence requirement: What vulnerabilities are being researched by
cyber threat actors?
Collection requirements:
- Online forum monitoring.
- Social network monitoring.
- Blog monitoring.
33. XYZ Online Introduction
• XYZ Online is a US headquartered company (approx. 5000 employees)
that sells numerous goods online that ship to most places worldwide
• Has Chief Information Security Officer (CISO)
• Has 4 person cyber threat intelligence team
35. Discussion - 2
• Discuss what some intelligence requirements are for these production
requirements:
• What vulnerabilities in XYZ Online software or infrastructure are being
actively exploited?
• What vulnerabilities in XYZ Online software or infrastructure can we not
defend against or detect?
• How do we stop or reduce XYZ Online being scammed through fraudulent
transactions?
37. Production requirements (PR #) and their intelligence consumers
1. What vulnerabilities in XYZ Online software or infrastructure are being
actively exploited? - Consumer: IT Security and Vulnerability Management
teams
2. What vulnerabilities in XYZ Online software or infrastructure can we not
defend against or detect? - Consumer: IT Security and Vulnerability
Management teams
3. How do we stop or reduce XYZ Online being scammed through fraudulent
transactions? - Consumer: Fraud
38. What vulnerabilities in XYZ Online software or infrastructure are
being actively exploited?
Intelligence requirements examples:
• What vulnerabilities are currently being exploited against Amazon
Elastic Compute Cloud (EC2)?
• What vulnerabilities are currently being exploited against Apache
Cassandra?
39. What vulnerabilities are currently being
exploited against Amazon Elastic Compute Cloud
(EC2)?
Collection requirements examples:
• Liaison with other ecommerce companies
• Liaison with Amazon’s EC2 security team
• Open sources
• Social media monitoring
• Online cyber crime forum monitoring
40. Requirements updates
• Update your requirements at least bi-annually
• Changing threat landscape
• Changing internal security posture
• Changing business needs
• Ad hoc requirements should be a subset of an existing requirement
• If it doesn’t fit, your original requirements are either not comprehensive
enough or poorly written
41. Traceability
Enables the business justification of:
• Increased staff versus requirements asked of intel team
• Vendor purchases/subscriptions
42. Once you have your collection requirements
• Look at what is feasible.
• Consider risk/cost/time of doing something in-house versus using an external
provider
• Task out individual collection requirements internally or to external
providers as guidance.
• Track internal team/capability and external provider ability to collect
against the assigned guidance.
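Slides 27 to 42 describe three linked requirement lists, traceability back to the business need, and tasking each collection requirement to an internal team or a provider. The following is an added example, not code from the talk: a small Python traceability model filled with the XYZ Online production requirement, the EC2 and Cassandra intelligence requirements and the EC2 collection requirements from the deck. The provider names vendor-A and vendor-B are placeholders.

```python
# Added example (not from the slides): a small traceability model of the three
# requirement lists the talk describes, filled with the XYZ Online example from
# the deck. Provider names 'vendor-A'/'vendor-B' are placeholders.
from dataclasses import dataclass, field

@dataclass
class IntelRequirement:
    question: str
    collection: list = field(default_factory=list)   # (source, tasked_to) pairs

@dataclass
class ProductionRequirement:
    pr_id: int
    question: str
    consumer: str                                    # end consumer of the product
    intel_reqs: list = field(default_factory=list)

PR1 = ProductionRequirement(
    1, "What vulnerabilities in XYZ Online software or infrastructure are being "
       "actively exploited?", "IT Security and Vulnerability Management teams")
EC2 = IntelRequirement("What vulnerabilities are currently being exploited against "
                       "Amazon Elastic Compute Cloud (EC2)?")
CASSANDRA = IntelRequirement("What vulnerabilities are currently being exploited "
                             "against Apache Cassandra?")
PR1.intel_reqs += [EC2, CASSANDRA]
EC2.collection += [                                  # slide 39, each tasked out
    ("Liaison with other ecommerce companies", "in-house"),
    ("Liaison with Amazon's EC2 security team", "in-house"),
    ("Open sources", "vendor-A"),
    ("Social media monitoring", "vendor-A"),
    ("Online cyber crime forum monitoring", "vendor-B"),
]
PROGRAM = [PR1]

def trace(program, source):
    """Map one collection source back to the IR, PR number and consumer it serves."""
    return [(ir.question, pr.pr_id, pr.consumer)
            for pr in program for ir in pr.intel_reqs
            for src, _ in ir.collection if src == source]

def provider_justification(program, provider):
    """PR numbers an external provider supports: the business case for its subscription."""
    return sorted({pr.pr_id for pr in program for ir in pr.intel_reqs
                   for _, tasked in ir.collection if tasked == provider})

def collection_gaps(program):
    """Intelligence requirements nobody has been tasked to collect against."""
    return [ir.question for pr in program for ir in pr.intel_reqs if not ir.collection]
```

Running collection_gaps on the sample shows the Cassandra requirement has no collection tasked against it, which is the kind of gap slide 50 asks you to report.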
43. Collection
• Characteristics of intelligence collection:
• Source of collection or characterization of source provided
• Source reliability and information credibility assessed
• Some types of intelligence collection:
• Open source intelligence (OSINT)
• Human intelligence (HUMINT)
• Liaison/outreach
• Technical collection
44. NATO's admiralty system
• Used for evaluating intelligence collection
Reliability of source:
A - Completely reliable
B - Usually reliable
C - Fairly reliable
D - Not usually reliable
E - Unreliable
F - Reliability cannot be judged
Accuracy of data:
1 - Confirmed by other sources
2 - Probably true
3 - Possibly true
4 - Doubtful
5 - Improbable
6 - Truth cannot be judged
45. Processing / Exploitation
• Is your intelligence collection easily consumable?
• Standards
• Centralized data/information (not 10 portals to use)
• APIs
• Language issues?
• Threat intelligence platforms (TIPs) can help you here
46. Intelligence analysis
• Analysts who are able to deal with incomplete information and
predict what has likely occurred and what is likely to happen.
48. Words of estimative probability
• Consistency in words used to estimate the probability of things occurring
or not occurring, i.e.
100% - Certainty
The general area of possibility:
93% (give or take about 6%) - Almost certain
75% (give or take about 12%) - Probable
50% (give or take about 10%) - Chances about even
30% (give or take about 10%) - Probably not
7% (give or take about 5%) - Almost certainly not
0% - Impossibility
49. Not analysis
• Dealing with facts only (intelligence analysts aren’t newspaper
reporters)
• Reporting on the past only, no predictive intelligence
• Copy and pasting intelligence reports from vendors
• You have outsourced your intelligence function
50. Dissemination
• Intelligence products written with each piece of collection used
graded and linked to source.
• Intelligence products sent to consumers based on topic and
requirements met.
• What information gaps do we have?
51. Feedback loop
• We need to receive information from our intelligence customers on:
• Timeliness
• Relevance
• What requirements were met?
• This will allow identification of intelligence (collection) sources that
are supporting your requirements and which aren’t
52. Intelligence program KPIs
• Quantity – How many intelligence reports produced?
• Quality – Feedback from intelligence consumers
• Timeliness, relevance and requirements met
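Slides 44, 50, 51 and 52 together describe grading each piece of collection, linking it to its source in the finished product, and using consumer feedback to find out which sources actually support your requirements. The following is an added example, not code from the talk: Python that validates admiralty grades, summarises a product's evidence, and computes the per-source and program KPIs from constructed sample reports and feedback.

```python
# Added example (not from the slides): grade each piece of collection with the
# admiralty code from slide 44, summarise a product's evidence (slide 50) and
# turn consumer feedback into the per-source and program KPIs of slides 51-52.
RELIABILITY = "ABCDEF"   # A completely reliable ... E unreliable, F cannot be judged
CREDIBILITY = "123456"   # 1 confirmed by other sources ... 5 improbable, 6 cannot be judged

def parse_grade(grade):
    """Validate an admiralty code such as 'B2'; returns (reliability, credibility)."""
    if len(grade) != 2 or grade[0] not in RELIABILITY or grade[1] not in CREDIBILITY:
        raise ValueError(f"bad admiralty grade: {grade!r}")
    return grade[0], grade[1]

def evidence_summary(evidence):
    """Worst reliability and credibility across a product's graded sources, plus
    whether any item was independently confirmed (credibility 1)."""
    grades = [parse_grade(e["grade"]) for e in evidence]
    return {
        "worst_reliability": max(r for r, _ in grades),   # later letter = worse
        "worst_credibility": max(c for _, c in grades),   # higher digit = worse
        "corroborated": any(c == "1" for _, c in grades),
        "sources": sorted({e["source"] for e in evidence}),
    }

# Constructed sample: two finished reports and the feedback consumers gave.
PRODUCTS = [
    {"id": "RPT-1", "evidence": [{"source": "EC2 security team liaison", "grade": "A1"},
                                 {"source": "vendor-A feed", "grade": "B2"}]},
    {"id": "RPT-2", "evidence": [{"source": "unverified forum post", "grade": "F6"}]},
]
FEEDBACK = [
    {"product": "RPT-1", "timely": True, "relevant": True, "requirements_met": ["IR-EC2"]},
    {"product": "RPT-2", "timely": False, "relevant": False, "requirements_met": []},
]

def source_kpis(products, feedback):
    """Per source: (reports it fed, reports consumers said met a requirement)."""
    met = {f["product"] for f in feedback if f["requirements_met"]}
    kpi = {}
    for p in products:
        for e in p["evidence"]:
            used, useful = kpi.get(e["source"], (0, 0))
            kpi[e["source"]] = (used + 1, useful + int(p["id"] in met))
    return kpi

def program_kpis(products, feedback):
    """Quantity plus the quality measures the deck lists: timeliness and relevance."""
    n = len(feedback)
    return {"quantity": len(products),
            "timely": sum(f["timely"] for f in feedback) / n,
            "relevant": sum(f["relevant"] for f in feedback) / n}
```

A source whose tuple is (many, 0) is feeding reports that never meet a requirement, which is the signal the feedback loop on slide 51 is meant to surface.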
53. Observing the adversary
• Your own attack surface ← #1 way to observe as it relates to you
• The attack surface of other people like you (ISACs and sharing)
• Technical collection (botnet/campaign tracking and emulation)
• Actor communications (the underground)
[Figure: a vertical axis labelled REACTIVE at the top and PROACTIVE at the bottom runs alongside the list above, with a horizontal line labelled THE PERIMETER]
55. Questions?
• My blog on intelligence program tradecraft and strategy
https://medium.com/@markarenaau
Editor's Notes
Mark does introduction to talk
Lots of job offers mentioned because there is currently:
Huge demand in CTI hires
Not enough supply of good CTI hires
Poll the audience to see whether they want the discussion to be in a big group or break out into smaller groups
Direct relevance is established, as the intelligence effort dovetails from an incident response that has already impacted your organization;
Doesn’t cover a threat actor seeking:
Exploits to purchase;
Malware to purchase;
Hosting
Don’t focus on just actors targeting you now. That’s like brand monitoring in the underground
Enablers: infrastructure hosters, exploit writers, malware developers etc
- Analyzed and refined (by a person, i.e. an analyst)
- “Policymakers” in this example means your intelligence consumers within your organization
Office of the president
Deliverables: President’s Daily Brief (written and presentations)
Talk about frequency
Mark slide
1. Link capabilities needed with good requirements identification and management
DaMon’s story
Mark slide
Mark slide
Can be a case of garbage in, garbage out
Traceability between each part is very important so you can map things back to the business need and intelligence customer you are supporting
Poll the audience for who has the following documented:
Production requirements
Intelligence requirements
Collection requirements
Talk about intelligence customers based on these requirements
Group break out for 5 minutes. How can we potentially collect on this (collection requirements identification)?
Liaison with other ecommerce companies – Communication with other companies that use EC2.
Liaison with Amazon’s EC2 security team.
Conferences – This is to collect information from conferences which may cover or focus on Amazon EC2 vulnerabilities and exploitation.
Open sources – Examples include news articles. This is to identify articles or coverage of Amazon EC2 vulnerabilities and/or exploitation.
Social media monitoring – This is to identify discussions around Amazon EC2 vulnerabilities and/or exploitation.
Online forum monitoring – This is to identify hacker discussions on Amazon EC2 vulnerabilities and/or exploitation. Will include coverage of criminal marketplaces where vulnerabilities and exploits are bought and sold.
Talk about justifying vendor purchases
Human intelligence is when you talk to the bad guy to obtain information. Human intelligence isn’t a person analysing information
At the top is things directly relevant to you
At the top is being the most reactive - like doing a boxing match with your hands tied behind your back
At the bottom is being the most proactive