Stop Tilting at Windmills: 3 Key Lessons that CTI Teams Should Learn from the Past - SANS CTI Summit 2020
Melden
Andreas SfakianakisFolgen
23. Mar 2023•0 gefällt mir•10 Aufrufe
0 gefällt mir
Sei der Erste, dem dies gefällt
Mehr anzeigen
Aufrufe
Aufrufe insgesamt
0
Auf Slideshare
0
Aus Einbettungen
0
Anzahl der Einbettungen
0
Check these out next
Stop Tilting at Windmills: 3 Key Lessons that CTI Teams Should Learn from the Past - SANS CTI Summit 2020
23. Mar 2023•0 gefällt mir•10 Aufrufe
0 gefällt mir
Sei der Erste, dem dies gefällt
Mehr anzeigen
Aufrufe
Aufrufe insgesamt
0
Auf Slideshare
0
Aus Einbettungen
0
Anzahl der Einbettungen
0
Downloaden Sie, um offline zu lesen
Melden
Technologie
Since the publication of Mandiant's APT1 report in 2013, cyber threat intelligence (CTI) has been widely adopted by private organizations all over the world. There have been both successes and failures in trying to develop cyber threat capabilities and add value to businesses. As a community, it is critical to capture the relevant lessons learned from these experiences and conduct a status check on these first years of applied CTI. This presentation aims to identify areas where organizations should put more focus in order to stop tilting at windmills. We will deep dive into three major areas where most current CTI teams struggle: (1) intelligence direction (specifically, stakeholder identification and collection of intelligence requirements); (2) intelligence reporting and dissemination; and (3) the skills sets of CTI analysts. Takeaways for attendees will include recognizing the significance of requirements for the intelligence cycle; identifying key stakeholders; understanding how classic intelligence approaches can be applied to CTI production/reporting; learning from success stories on disseminating intelligence products and capturing feedback; understanding the variety of competencies of CTI teams; and improving ways to work within CTI teams comprised of analysts with different backgrounds and experience levels. Andreas Sfakianakis, @asfakian, Cyber Threat Intelligence Analyst
Andreas SfakianakisFolgen
Recomendados
Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021Andreas Sfakianakis
CTI Training on Intelligence Requirements - ENISA CTI Summer School 2019Andreas Sfakianakis
Cognitive/AI: views, perspectives & directionsIDC Italy
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
Cyber Risk Management in 2017 - Challenges & RecommendationsUlf Mattsson
Stories from the Financial Service AI Trenches: Lessons Learned from Building...Databricks
Stop Tilting at Windmills: 3 Key Lessons that CTI Teams Should Learn from the Past - SANS CTI Summit 2020
- SANS CTI Summit 2020 Andreas Sfakianakis CTI Professional
- § CTI and IR in Financial and Oil & Gas sectors § ENISA CTI, FIRST.org CTI, European Commission § Twitter: @asfakian § Website: www.threatintel.eu tilting at windmills
- §Original authors are referenced within the slide deck §References for this presentation http://bit.ly/ctisummit2020 §Views are my own
- § Setting the scene § Lesson #1 § Lesson #2 § Lesson #3 § Final Remarks Image from hp-comic.com
- Image from gatewaytotheclassics.com
- 1989 Cuckoo’s Egg 2009 Operation Aurora 2010 Stuxnet 2011 LM Kill Chain 2013 APT1 Report 2013 Pyramid of Pain 2013 Snowden Leaks 2014 Heart Bleed 2015 ATT&CK 2016 The Shadow Brokers / US Elections 2017 Wanna Cry / Petya APT Becomes Mainstream Wider CTI Adoption
- Reference: We are here!
- Problem Statement
- Image from wikimedia.org
- §Stakeholders and their pain points §Operational landscape §Business processes and risk reduction “CTI teams should not do intelligence for intelligence’s sake, it costs money and time” - Lauren Zabierek
- Tactical Intelligence Security Engineers SOC Team Operational Intelligence Incident Responders Threat Hunters Vulnerability Management Red Team Fraud Team Sys Admins IT Managers Strategic Intelligence C-Suite / Executives Group Security Risk Managers Business Stakeholders Regional Stakeholders IT Architects
- § Intelligence requirements are enduring questions that consumers of intelligence need answers to. § Answer critical questions intelligence customers care about (not whatYOU care about). Reference: Sergio Caltagirone
- Reference: SANS
- § US Military - Joint Publication 2-0 § SANS CTI Summit 2018 - I Can Haz Requirements? - Michael Rea § CTI SquadGoals—Setting Requirements - Scott J Roberts § SANS - Threat Intelligence: Planning and Direction - Brian Kime § SANS - Defining Threat Intelligence Requirements – Pasquale Stirparo § FIRST CTI 2019 -Your requirements are not my requirements – Pasquale Stirparo § SANS CTI Summit 2018 - Intelligence Preparation of the Cyber Environment – Rob Dartnall § ThreatIntel.eu - Intelligence Requirements: the Sancho Panza of CTI References for this presentation: http://bit.ly/ctisummit2020
- § Identification of relevant stakeholders § Connection with business and enterprise risk management cycles § Identification of operational environment (crown jewels) § Capturing and documenting the intelligence requirements
- Image from bestofspain.es
- §Importance of CTI reporting §Embedding of intelligence tradecraft (cross-pollination) §Means of dissemination
- Collection Analysis ? ACTION Reference: Christian Paredes
- Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements
- Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template
- Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template §Style - Style guide document
- Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template §Style - Style guide document §Tradecraft – IC Analytic Standards (ICD 203)
- Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template §Style - Style guide document §Tradecraft – IC Analytic Standards (ICD 203) §Constant feedback loop
- §Title §Executive Summary (BLUF) § What? § So what? § So what of the so what? What next? § References § Appendix § Indicators (machine readable?) § Tradecraft used Report Structure
- § Internal Communications / Email marketing application § Store the CTI products in SharePoint
- Reference: Robert M. Lee Reference:VB – Martijn Grooten Reference: Casey Brooks (2019 Thanksgiving edition)
- §SANS SEC402 - Cybersecurity Writing: Hack the Reader (Lenny Zeltser) §Effective Information Security Writing (Chris Sanders) §Write it or didn’t happen. Happy reporting! J (Yourself)
- § Intelligence Community Directive (ICD) 203 - Analytic Standards § CIA - Analytic Thinking and Presenting for Intelligence Producers § CIA - Compendium of Analytic Tradecraft Notes § CIA - Style Manual and Writers' Guide for Intelligence Publications § The Economist Style Guide § SANS CTI Summit 2017 - Pen-To-Paper and The Finished Report:The Key To Generating Threat Intelligence - Christian Paredes § SANS CTI Summit 2019 - Analytic Tradecraft in the Real World - Amy R. Bejtlich § Sergio Caltagirone - 15 Things Wrong with Today’s Threat Intelligence Reporting § Lenny Zeltser - Top 10 Writing Mistakes in Cybersecurity and HowYou Can Avoid Them References for this presentation: http://bit.ly/ctisummit2020
- § CTI needs to be better communicated to business at a strategic (and operational) level. § Communication competencies are key for CTI teams. § Report writing as a critical CTI skill. § Cross-pollination - Intelligence tradecraft wasn't invented yesterday
- Image from heritage-history.com
- § CTI skills shortage § SANS CTI Survey 2018:“62% of respondents cited a lack of trained CTI professionals and skills as a major roadblock,an increase of nearly 10 percentage points over 2017 (53%)” § Organizational challenges § Challenges for CTI teams
- §What is the skillset needed for a CTI team? § “Do I need a reverse engineer for my CTI team?” § “Do I need non-technical analysts in my team?” §How we develop the skillset of (junior) CTI analysts? §How do we streamline day to day CTI work? § “How do I reduce CTI analyst dependency?”
- Reference:
- Reference:
- Reference:
- § Core CTI curriculum and CTI training roadmap § Documented Standard Operating Procedures § Everyday learning culture § Periodic exercises with your team § Knowing your biases?
- § INSA - Cyber Intelligence: Preparing Today’s Talent for Tomorrow’s Threats § Sergio Caltagirone - 15 Knowledge Areas and Skills for Cyber Analysts and Operators § EclecticIQ – On the Importance of Standard Operating Procedures in Threat Intelligence § CIA – Fifteen Axioms for Intelligence Analysis § ENISA CTI-EU 2017 - Lessons Learned from Teaching CTI All Over the World - Jess Garcia § ComradeCookie - What is CTI and what makes a good CTI analyst? § Richards J. Heuer - Psychology of Intelligence Analysis § Richards J. Heuer - Structured Analytic Techniques for Intelligence Analysis § NIST - National Initiative for Cybersecurity Education Cybersecurity Workforce Framework § SEI Carnegie Mellon University - Cyber Intelligence Tradecraft Report References for this presentation: http://bit.ly/ctisummit2020
- § Use a competency-based framework to assess your CTI team’s skill coverage. § Invest on internal/external CTI training opportunities, especially on analysis and thinking. § Streamline BAU CTI tasks, make them repeatable. § Build a working environment for knowledge sharing (sharing is caring, huh?)
- Dulcinea Watches as Don Quixote Wins Battles For Her Image from elladocomicodedonquijote.wordpress.com
- §Intelligence direction phase is of utmost importance to your intelligence cycle process. §CTI needs to be better communicated. §Focus on CTI analyst’s skillset.
- Andreas Sfakianakis @asfakian threatintel.eu References for this presentation: http://bit.ly/ctisummit2020 Sharing is caring