SlideShare ist ein Scribd-Unternehmen logo

SANS CTI Summit 2020: Developing CTI Skills and Effective Communication

Andreas Sfakianakis
Andreas Sfakianakis

Since the publication of Mandiant's APT1 report in 2013, cyber threat intelligence (CTI) has been widely adopted by private organizations all over the world. There have been both successes and failures in trying to develop cyber threat capabilities and add value to businesses. As a community, it is critical to capture the relevant lessons learned from these experiences and conduct a status check on these first years of applied CTI. This presentation aims to identify areas where organizations should put more focus in order to stop tilting at windmills. We will deep dive into three major areas where most current CTI teams struggle: (1) intelligence direction (specifically, stakeholder identification and collection of intelligence requirements); (2) intelligence reporting and dissemination; and (3) the skills sets of CTI analysts. Takeaways for attendees will include recognizing the significance of requirements for the intelligence cycle; identifying key stakeholders; understanding how classic intelligence approaches can be applied to CTI production/reporting; learning from success stories on disseminating intelligence products and capturing feedback; understanding the variety of competencies of CTI teams; and improving ways to work within CTI teams comprised of analysts with different backgrounds and experience levels. Andreas Sfakianakis, @asfakian, Cyber Threat Intelligence Analyst

Technologie
1 von 41
Downloaden Sie, um offline zu lesen
SANS CTI Summit 2020 Andreas Sfakianakis CTI Professional
§ CTI and IR in Financial and Oil & Gas sectors § ENISA CTI, FIRST.org CTI, European Commission § Twitter: @asfakian § Website: www.threatintel.eu tilting at windmills
§Original authors are referenced within the slide deck §References for this presentation http://bit.ly/ctisummit2020 §Views are my own
§ Setting the scene § Lesson #1 § Lesson #2 § Lesson #3 § Final Remarks Image from hp-comic.com
Image from gatewaytotheclassics.com
1989 Cuckoo’s Egg 2009 Operation Aurora 2010 Stuxnet 2011 LM Kill Chain 2013 APT1 Report 2013 Pyramid of Pain 2013 Snowden Leaks 2014 Heart Bleed 2015 ATT&CK 2016 The Shadow Brokers / US Elections 2017 Wanna Cry / Petya APT Becomes Mainstream Wider CTI Adoption
Reference: We are here!
Problem Statement
Image from wikimedia.org
§Stakeholders and their pain points §Operational landscape §Business processes and risk reduction “CTI teams should not do intelligence for intelligence’s sake, it costs money and time” - Lauren Zabierek
Tactical Intelligence Security Engineers SOC Team Operational Intelligence Incident Responders Threat Hunters Vulnerability Management Red Team Fraud Team Sys Admins IT Managers Strategic Intelligence C-Suite / Executives Group Security Risk Managers Business Stakeholders Regional Stakeholders IT Architects
§ Intelligence requirements are enduring questions that consumers of intelligence need answers to. § Answer critical questions intelligence customers care about (not whatYOU care about). Reference: Sergio Caltagirone
Reference: SANS
§ US Military - Joint Publication 2-0 § SANS CTI Summit 2018 - I Can Haz Requirements? - Michael Rea § CTI SquadGoals—Setting Requirements - Scott J Roberts § SANS - Threat Intelligence: Planning and Direction - Brian Kime § SANS - Defining Threat Intelligence Requirements – Pasquale Stirparo § FIRST CTI 2019 -Your requirements are not my requirements – Pasquale Stirparo § SANS CTI Summit 2018 - Intelligence Preparation of the Cyber Environment – Rob Dartnall § ThreatIntel.eu - Intelligence Requirements: the Sancho Panza of CTI References for this presentation: http://bit.ly/ctisummit2020
§ Identification of relevant stakeholders § Connection with business and enterprise risk management cycles § Identification of operational environment (crown jewels) § Capturing and documenting the intelligence requirements
Image from bestofspain.es
§Importance of CTI reporting §Embedding of intelligence tradecraft (cross-pollination) §Means of dissemination
Collection Analysis ? ACTION Reference: Christian Paredes
Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements
Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template
Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template §Style - Style guide document
Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template §Style - Style guide document §Tradecraft – IC Analytic Standards (ICD 203)
Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template §Style - Style guide document §Tradecraft – IC Analytic Standards (ICD 203) §Constant feedback loop
§Title §Executive Summary (BLUF) § What? § So what? § So what of the so what? What next? § References § Appendix § Indicators (machine readable?) § Tradecraft used Report Structure
§ Internal Communications / Email marketing application § Store the CTI products in SharePoint
Reference: Robert M. Lee Reference:VB – Martijn Grooten Reference: Casey Brooks (2019 Thanksgiving edition)
§SANS SEC402 - Cybersecurity Writing: Hack the Reader (Lenny Zeltser) §Effective Information Security Writing (Chris Sanders) §Write it or didn’t happen. Happy reporting! J (Yourself)
§ Intelligence Community Directive (ICD) 203 - Analytic Standards § CIA - Analytic Thinking and Presenting for Intelligence Producers § CIA - Compendium of Analytic Tradecraft Notes § CIA - Style Manual and Writers' Guide for Intelligence Publications § The Economist Style Guide § SANS CTI Summit 2017 - Pen-To-Paper and The Finished Report:The Key To Generating Threat Intelligence - Christian Paredes § SANS CTI Summit 2019 - Analytic Tradecraft in the Real World - Amy R. Bejtlich § Sergio Caltagirone - 15 Things Wrong with Today’s Threat Intelligence Reporting § Lenny Zeltser - Top 10 Writing Mistakes in Cybersecurity and HowYou Can Avoid Them References for this presentation: http://bit.ly/ctisummit2020
§ CTI needs to be better communicated to business at a strategic (and operational) level. § Communication competencies are key for CTI teams. § Report writing as a critical CTI skill. § Cross-pollination - Intelligence tradecraft wasn't invented yesterday
Image from heritage-history.com
§ CTI skills shortage § SANS CTI Survey 2018:“62% of respondents cited a lack of trained CTI professionals and skills as a major roadblock,an increase of nearly 10 percentage points over 2017 (53%)” § Organizational challenges § Challenges for CTI teams
§What is the skillset needed for a CTI team? § “Do I need a reverse engineer for my CTI team?” § “Do I need non-technical analysts in my team?” §How we develop the skillset of (junior) CTI analysts? §How do we streamline day to day CTI work? § “How do I reduce CTI analyst dependency?”
Reference:
Reference:
Reference:
§ Core CTI curriculum and CTI training roadmap § Documented Standard Operating Procedures § Everyday learning culture § Periodic exercises with your team § Knowing your biases?
§ INSA - Cyber Intelligence: Preparing Today’s Talent for Tomorrow’s Threats § Sergio Caltagirone - 15 Knowledge Areas and Skills for Cyber Analysts and Operators § EclecticIQ – On the Importance of Standard Operating Procedures in Threat Intelligence § CIA – Fifteen Axioms for Intelligence Analysis § ENISA CTI-EU 2017 - Lessons Learned from Teaching CTI All Over the World - Jess Garcia § ComradeCookie - What is CTI and what makes a good CTI analyst? § Richards J. Heuer - Psychology of Intelligence Analysis § Richards J. Heuer - Structured Analytic Techniques for Intelligence Analysis § NIST - National Initiative for Cybersecurity Education Cybersecurity Workforce Framework § SEI Carnegie Mellon University - Cyber Intelligence Tradecraft Report References for this presentation: http://bit.ly/ctisummit2020
§ Use a competency-based framework to assess your CTI team’s skill coverage. § Invest on internal/external CTI training opportunities, especially on analysis and thinking. § Streamline BAU CTI tasks, make them repeatable. § Build a working environment for knowledge sharing (sharing is caring, huh?)
Dulcinea Watches as Don Quixote Wins Battles For Her Image from elladocomicodedonquijote.wordpress.com
§Intelligence direction phase is of utmost importance to your intelligence cycle process. §CTI needs to be better communicated. §Focus on CTI analyst’s skillset.
Andreas Sfakianakis @asfakian threatintel.eu References for this presentation: http://bit.ly/ctisummit2020 Sharing is caring

Empfohlen

Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021
Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021
Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021Andreas Sfakianakis
 
CTI Training on Intelligence Requirements - ENISA CTI Summer School 2019
CTI Training on Intelligence Requirements - ENISA CTI Summer School 2019CTI Training on Intelligence Requirements - ENISA CTI Summer School 2019
CTI Training on Intelligence Requirements - ENISA CTI Summer School 2019Andreas Sfakianakis
 
Cognitive/AI: views, perspectives & directions
Cognitive/AI: views, perspectives & directionsCognitive/AI: views, perspectives & directions
Cognitive/AI: views, perspectives & directionsIDC Italy
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
Cyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & RecommendationsCyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & RecommendationsUlf Mattsson
 
Stories from the Financial Service AI Trenches: Lessons Learned from Building...
Stories from the Financial Service AI Trenches: Lessons Learned from Building...Stories from the Financial Service AI Trenches: Lessons Learned from Building...
Stories from the Financial Service AI Trenches: Lessons Learned from Building...Databricks
 
TDWI 17 Munich - Are enterprises ready for the 4th industrial revolution? - S...
TDWI 17 Munich - Are enterprises ready for the 4th industrial revolution? - S...TDWI 17 Munich - Are enterprises ready for the 4th industrial revolution? - S...
TDWI 17 Munich - Are enterprises ready for the 4th industrial revolution? - S...Santiago Cabrera-Naranjo
 
Fintech 2018 Edinburgh
Fintech 2018 EdinburghFintech 2018 Edinburgh
Fintech 2018 EdinburghRay Bugg
 

Empfohlen

Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021
Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021
Still thinking your Ex(cel)? Here are some TIPs - SANS CTI Summit 2021Andreas Sfakianakis
 
CTI Training on Intelligence Requirements - ENISA CTI Summer School 2019
CTI Training on Intelligence Requirements - ENISA CTI Summer School 2019CTI Training on Intelligence Requirements - ENISA CTI Summer School 2019
CTI Training on Intelligence Requirements - ENISA CTI Summer School 2019Andreas Sfakianakis
 
Cognitive/AI: views, perspectives & directions
Cognitive/AI: views, perspectives & directionsCognitive/AI: views, perspectives & directions
Cognitive/AI: views, perspectives & directionsIDC Italy
 
Cyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsCyber Risk Management in 2017: Challenges & Recommendations
Cyber Risk Management in 2017: Challenges & RecommendationsUlf Mattsson
 
Cyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & RecommendationsCyber Risk Management in 2017 - Challenges & Recommendations
Cyber Risk Management in 2017 - Challenges & RecommendationsUlf Mattsson
 
Stories from the Financial Service AI Trenches: Lessons Learned from Building...
Stories from the Financial Service AI Trenches: Lessons Learned from Building...Stories from the Financial Service AI Trenches: Lessons Learned from Building...
Stories from the Financial Service AI Trenches: Lessons Learned from Building...Databricks
 
TDWI 17 Munich - Are enterprises ready for the 4th industrial revolution? - S...
TDWI 17 Munich - Are enterprises ready for the 4th industrial revolution? - S...TDWI 17 Munich - Are enterprises ready for the 4th industrial revolution? - S...
TDWI 17 Munich - Are enterprises ready for the 4th industrial revolution? - S...Santiago Cabrera-Naranjo
 
Fintech 2018 Edinburgh
Fintech 2018 EdinburghFintech 2018 Edinburgh
Fintech 2018 EdinburghRay Bugg
 
Cybersecurity Threats - NI Business Continuity Forum
Cybersecurity Threats - NI Business Continuity ForumCybersecurity Threats - NI Business Continuity Forum
Cybersecurity Threats - NI Business Continuity ForumDavid Crozier
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk ManagementTudor Damian
 
Leading in a digital world for MIT Research School Comfer
Leading in a digital world for MIT Research School ComferLeading in a digital world for MIT Research School Comfer
Leading in a digital world for MIT Research School ComferRobin Teigland
 
The Sky’s the Limit – The Rise of Machine Learnin
The Sky’s the Limit – The Rise of Machine LearninThe Sky’s the Limit – The Rise of Machine Learnin
The Sky’s the Limit – The Rise of Machine LearninInside Analysis
 
From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...
From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...
From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...John Mancini
 
Using Digital Threat Intelligence Management (DTIM) to Combat Threats
Using Digital Threat Intelligence Management (DTIM) to Combat ThreatsUsing Digital Threat Intelligence Management (DTIM) to Combat Threats
Using Digital Threat Intelligence Management (DTIM) to Combat ThreatsEnterprise Management Associates
 
How AI is revolutionizing the world
How AI is revolutionizing the worldHow AI is revolutionizing the world
How AI is revolutionizing the worldSK Reddy
 
IoT and 5G: Future Career
IoT and 5G: Future CareerIoT and 5G: Future Career
IoT and 5G: Future CareerRedwan Ferdous
 
Finely Chair talk: Every company is an AI company - and why Universities sho...
Finely Chair talk: Every company is an AI company - and why Universities sho...Finely Chair talk: Every company is an AI company - and why Universities sho...
Finely Chair talk: Every company is an AI company - and why Universities sho...Amit Sheth
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon BradyStarttech Ventures
 
The role of the COO in the age of AI
The role of the COO in the age of AI The role of the COO in the age of AI
The role of the COO in the age of AI Antony Turner
 
Artificial intelligence events and presentations
Artificial intelligence events and presentationsArtificial intelligence events and presentations
Artificial intelligence events and presentationsAmir Sabirovic
 
CompTIA Cyber Career Pathway: Developing skills for 2020 and beyond
CompTIA Cyber Career Pathway: Developing skills for 2020 and beyondCompTIA Cyber Career Pathway: Developing skills for 2020 and beyond
CompTIA Cyber Career Pathway: Developing skills for 2020 and beyondZeshan Sattar
 
Department of Justice IT Sales Opportunities
Department of Justice IT Sales OpportunitiesDepartment of Justice IT Sales Opportunities
Department of Justice IT Sales OpportunitiesimmixGroup
 
Managing Corporate Information Security Risk in Financial Institutions
Managing Corporate Information Security Risk in Financial InstitutionsManaging Corporate Information Security Risk in Financial Institutions
Managing Corporate Information Security Risk in Financial InstitutionsMark Curphey
 
ITCamp 2019 - Andy Cross - Business Outcomes from AI
ITCamp 2019 - Andy Cross - Business Outcomes from AIITCamp 2019 - Andy Cross - Business Outcomes from AI
ITCamp 2019 - Andy Cross - Business Outcomes from AIITCamp
 
AI-SDV Meeting in Nice
AI-SDV Meeting in NiceAI-SDV Meeting in Nice
AI-SDV Meeting in NiceDr. Haxel Consult
 
Why I Am a Software Engineer
Why I Am a Software EngineerWhy I Am a Software Engineer
Why I Am a Software EngineerCraig Saunders
 
Webinar - How to Become a Cyber-threat Intelligence Analyst
Webinar - How to Become a Cyber-threat Intelligence AnalystWebinar - How to Become a Cyber-threat Intelligence Analyst
Webinar - How to Become a Cyber-threat Intelligence AnalystTuan Yang
 
Investing in Digital Threat Intelligence Management to Protect Your Assets ou...
Investing in Digital Threat Intelligence Management to Protect Your Assets ou...Investing in Digital Threat Intelligence Management to Protect Your Assets ou...
Investing in Digital Threat Intelligence Management to Protect Your Assets ou...Enterprise Management Associates
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Weitere ähnliche Inhalte

Ähnlich wie SANS CTI Summit 2020: Developing CTI Skills and Effective Communication

Cybersecurity Threats - NI Business Continuity Forum
Cybersecurity Threats - NI Business Continuity ForumCybersecurity Threats - NI Business Continuity Forum
Cybersecurity Threats - NI Business Continuity ForumDavid Crozier
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk ManagementTudor Damian
 
Leading in a digital world for MIT Research School Comfer
Leading in a digital world for MIT Research School ComferLeading in a digital world for MIT Research School Comfer
Leading in a digital world for MIT Research School ComferRobin Teigland
 
The Sky’s the Limit – The Rise of Machine Learnin
The Sky’s the Limit – The Rise of Machine LearninThe Sky’s the Limit – The Rise of Machine Learnin
The Sky’s the Limit – The Rise of Machine LearninInside Analysis
 
From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...
From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...
From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...John Mancini
 
Using Digital Threat Intelligence Management (DTIM) to Combat Threats
Using Digital Threat Intelligence Management (DTIM) to Combat ThreatsUsing Digital Threat Intelligence Management (DTIM) to Combat Threats
Using Digital Threat Intelligence Management (DTIM) to Combat ThreatsEnterprise Management Associates
 
How AI is revolutionizing the world
How AI is revolutionizing the worldHow AI is revolutionizing the world
How AI is revolutionizing the worldSK Reddy
 
IoT and 5G: Future Career
IoT and 5G: Future CareerIoT and 5G: Future Career
IoT and 5G: Future CareerRedwan Ferdous
 
Finely Chair talk: Every company is an AI company - and why Universities sho...
Finely Chair talk: Every company is an AI company - and why Universities sho...Finely Chair talk: Every company is an AI company - and why Universities sho...
Finely Chair talk: Every company is an AI company - and why Universities sho...Amit Sheth
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon BradyStarttech Ventures
 
The role of the COO in the age of AI
The role of the COO in the age of AI The role of the COO in the age of AI
The role of the COO in the age of AI Antony Turner
 
Artificial intelligence events and presentations
Artificial intelligence events and presentationsArtificial intelligence events and presentations
Artificial intelligence events and presentationsAmir Sabirovic
 
CompTIA Cyber Career Pathway: Developing skills for 2020 and beyond
CompTIA Cyber Career Pathway: Developing skills for 2020 and beyondCompTIA Cyber Career Pathway: Developing skills for 2020 and beyond
CompTIA Cyber Career Pathway: Developing skills for 2020 and beyondZeshan Sattar
 
Department of Justice IT Sales Opportunities
Department of Justice IT Sales OpportunitiesDepartment of Justice IT Sales Opportunities
Department of Justice IT Sales OpportunitiesimmixGroup
 
Managing Corporate Information Security Risk in Financial Institutions
Managing Corporate Information Security Risk in Financial InstitutionsManaging Corporate Information Security Risk in Financial Institutions
Managing Corporate Information Security Risk in Financial InstitutionsMark Curphey
 
ITCamp 2019 - Andy Cross - Business Outcomes from AI
ITCamp 2019 - Andy Cross - Business Outcomes from AIITCamp 2019 - Andy Cross - Business Outcomes from AI
ITCamp 2019 - Andy Cross - Business Outcomes from AIITCamp
 
Why I Am a Software Engineer
Why I Am a Software EngineerWhy I Am a Software Engineer
Why I Am a Software EngineerCraig Saunders
 
Webinar - How to Become a Cyber-threat Intelligence Analyst
Webinar - How to Become a Cyber-threat Intelligence AnalystWebinar - How to Become a Cyber-threat Intelligence Analyst
Webinar - How to Become a Cyber-threat Intelligence AnalystTuan Yang
 
Investing in Digital Threat Intelligence Management to Protect Your Assets ou...
Investing in Digital Threat Intelligence Management to Protect Your Assets ou...Investing in Digital Threat Intelligence Management to Protect Your Assets ou...
Investing in Digital Threat Intelligence Management to Protect Your Assets ou...Enterprise Management Associates
 

Ähnlich wie SANS CTI Summit 2020: Developing CTI Skills and Effective Communication (20)

Cybersecurity Threats - NI Business Continuity Forum
Cybersecurity Threats - NI Business Continuity ForumCybersecurity Threats - NI Business Continuity Forum
Cybersecurity Threats - NI Business Continuity Forum
 
IT Risk Management
IT Risk ManagementIT Risk Management
IT Risk Management
 
Leading in a digital world for MIT Research School Comfer
Leading in a digital world for MIT Research School ComferLeading in a digital world for MIT Research School Comfer
Leading in a digital world for MIT Research School Comfer
 
The Sky’s the Limit – The Rise of Machine Learnin
The Sky’s the Limit – The Rise of Machine LearninThe Sky’s the Limit – The Rise of Machine Learnin
The Sky’s the Limit – The Rise of Machine Learnin
 
From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...
From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...
From Microfilm to Big Data - How Can One Brain Handle This Much Change Withou...
 
Using Digital Threat Intelligence Management (DTIM) to Combat Threats
Using Digital Threat Intelligence Management (DTIM) to Combat ThreatsUsing Digital Threat Intelligence Management (DTIM) to Combat Threats
Using Digital Threat Intelligence Management (DTIM) to Combat Threats
 
How AI is revolutionizing the world
How AI is revolutionizing the worldHow AI is revolutionizing the world
How AI is revolutionizing the world
 
IoT and 5G: Future Career
IoT and 5G: Future CareerIoT and 5G: Future Career
IoT and 5G: Future Career
 
Finely Chair talk: Every company is an AI company - and why Universities sho...
Finely Chair talk: Every company is an AI company - and why Universities sho...Finely Chair talk: Every company is an AI company - and why Universities sho...
Finely Chair talk: Every company is an AI company - and why Universities sho...
 
4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady4th Digital Finance Forum, Simon Brady
4th Digital Finance Forum, Simon Brady
 
The role of the COO in the age of AI
The role of the COO in the age of AI The role of the COO in the age of AI
The role of the COO in the age of AI
 
Artificial intelligence events and presentations
Artificial intelligence events and presentationsArtificial intelligence events and presentations
Artificial intelligence events and presentations
 
CompTIA Cyber Career Pathway: Developing skills for 2020 and beyond
CompTIA Cyber Career Pathway: Developing skills for 2020 and beyondCompTIA Cyber Career Pathway: Developing skills for 2020 and beyond
CompTIA Cyber Career Pathway: Developing skills for 2020 and beyond
 
Department of Justice IT Sales Opportunities
Department of Justice IT Sales OpportunitiesDepartment of Justice IT Sales Opportunities
Department of Justice IT Sales Opportunities
 
Managing Corporate Information Security Risk in Financial Institutions
Managing Corporate Information Security Risk in Financial InstitutionsManaging Corporate Information Security Risk in Financial Institutions
Managing Corporate Information Security Risk in Financial Institutions
 
ITCamp 2019 - Andy Cross - Business Outcomes from AI
ITCamp 2019 - Andy Cross - Business Outcomes from AIITCamp 2019 - Andy Cross - Business Outcomes from AI
ITCamp 2019 - Andy Cross - Business Outcomes from AI
 
AI-SDV Meeting in Nice
AI-SDV Meeting in NiceAI-SDV Meeting in Nice
AI-SDV Meeting in Nice
 
Why I Am a Software Engineer
Why I Am a Software EngineerWhy I Am a Software Engineer
Why I Am a Software Engineer
 
Webinar - How to Become a Cyber-threat Intelligence Analyst
Webinar - How to Become a Cyber-threat Intelligence AnalystWebinar - How to Become a Cyber-threat Intelligence Analyst
Webinar - How to Become a Cyber-threat Intelligence Analyst
 
Investing in Digital Threat Intelligence Management to Protect Your Assets ou...
Investing in Digital Threat Intelligence Management to Protect Your Assets ou...Investing in Digital Threat Intelligence Management to Protect Your Assets ou...
Investing in Digital Threat Intelligence Management to Protect Your Assets ou...
 

Kürzlich hochgeladen

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 

Kürzlich hochgeladen (20)

The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 

SANS CTI Summit 2020: Developing CTI Skills and Effective Communication

  • 1. SANS CTI Summit 2020 Andreas Sfakianakis CTI Professional
  • 2. § CTI and IR in Financial and Oil & Gas sectors § ENISA CTI, FIRST.org CTI, European Commission § Twitter: @asfakian § Website: www.threatintel.eu tilting at windmills
  • 3. §Original authors are referenced within the slide deck §References for this presentation http://bit.ly/ctisummit2020 §Views are my own
  • 4. § Setting the scene § Lesson #1 § Lesson #2 § Lesson #3 § Final Remarks Image from hp-comic.com
  • 10. §Stakeholders and their pain points §Operational landscape §Business processes and risk reduction “CTI teams should not do intelligence for intelligence’s sake, it costs money and time” - Lauren Zabierek
  • 11. Tactical Intelligence Security Engineers SOC Team Operational Intelligence Incident Responders Threat Hunters Vulnerability Management Red Team Fraud Team Sys Admins IT Managers Strategic Intelligence C-Suite / Executives Group Security Risk Managers Business Stakeholders Regional Stakeholders IT Architects
  • 12. § Intelligence requirements are enduring questions that consumers of intelligence need answers to. § Answer critical questions intelligence customers care about (not whatYOU care about). Reference: Sergio Caltagirone
  • 14. § US Military - Joint Publication 2-0 § SANS CTI Summit 2018 - I Can Haz Requirements? - Michael Rea § CTI SquadGoals—Setting Requirements - Scott J Roberts § SANS - Threat Intelligence: Planning and Direction - Brian Kime § SANS - Defining Threat Intelligence Requirements – Pasquale Stirparo § FIRST CTI 2019 -Your requirements are not my requirements – Pasquale Stirparo § SANS CTI Summit 2018 - Intelligence Preparation of the Cyber Environment – Rob Dartnall § ThreatIntel.eu - Intelligence Requirements: the Sancho Panza of CTI References for this presentation: http://bit.ly/ctisummit2020
  • 15. § Identification of relevant stakeholders § Connection with business and enterprise risk management cycles § Identification of operational environment (crown jewels) § Capturing and documenting the intelligence requirements
  • 17. §Importance of CTI reporting §Embedding of intelligence tradecraft (cross-pollination) §Means of dissemination
  • 20. Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template
  • 21. Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template §Style - Style guide document
  • 22. Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template §Style - Style guide document §Tradecraft – IC Analytic Standards (ICD 203)
  • 23. Collection Analysis ? ACTION Reference: Christian Paredes §Intelligence and production requirements §Structure - Report template §Style - Style guide document §Tradecraft – IC Analytic Standards (ICD 203) §Constant feedback loop
  • 24. §Title §Executive Summary (BLUF) § What? § So what? § So what of the so what? What next? § References § Appendix § Indicators (machine readable?) § Tradecraft used Report Structure
  • 25. § Internal Communications / Email marketing application § Store the CTI products in SharePoint
  • 26. Reference: Robert M. Lee Reference:VB – Martijn Grooten Reference: Casey Brooks (2019 Thanksgiving edition)
  • 27. §SANS SEC402 - Cybersecurity Writing: Hack the Reader (Lenny Zeltser) §Effective Information Security Writing (Chris Sanders) §Write it or didn’t happen. Happy reporting! J (Yourself)
  • 28. § Intelligence Community Directive (ICD) 203 - Analytic Standards § CIA - Analytic Thinking and Presenting for Intelligence Producers § CIA - Compendium of Analytic Tradecraft Notes § CIA - Style Manual and Writers' Guide for Intelligence Publications § The Economist Style Guide § SANS CTI Summit 2017 - Pen-To-Paper and The Finished Report:The Key To Generating Threat Intelligence - Christian Paredes § SANS CTI Summit 2019 - Analytic Tradecraft in the Real World - Amy R. Bejtlich § Sergio Caltagirone - 15 Things Wrong with Today’s Threat Intelligence Reporting § Lenny Zeltser - Top 10 Writing Mistakes in Cybersecurity and HowYou Can Avoid Them References for this presentation: http://bit.ly/ctisummit2020
  • 29. § CTI needs to be better communicated to business at a strategic (and operational) level. § Communication competencies are key for CTI teams. § Report writing as a critical CTI skill. § Cross-pollination - Intelligence tradecraft wasn't invented yesterday
  • 31. § CTI skills shortage § SANS CTI Survey 2018:“62% of respondents cited a lack of trained CTI professionals and skills as a major roadblock,an increase of nearly 10 percentage points over 2017 (53%)” § Organizational challenges § Challenges for CTI teams
  • 32. §What is the skillset needed for a CTI team? § “Do I need a reverse engineer for my CTI team?” § “Do I need non-technical analysts in my team?” §How we develop the skillset of (junior) CTI analysts? §How do we streamline day to day CTI work? § “How do I reduce CTI analyst dependency?”
  • 36. § Core CTI curriculum and CTI training roadmap § Documented Standard Operating Procedures § Everyday learning culture § Periodic exercises with your team § Knowing your biases?
  • 37. § INSA - Cyber Intelligence: Preparing Today’s Talent for Tomorrow’s Threats § Sergio Caltagirone - 15 Knowledge Areas and Skills for Cyber Analysts and Operators § EclecticIQ – On the Importance of Standard Operating Procedures in Threat Intelligence § CIA – Fifteen Axioms for Intelligence Analysis § ENISA CTI-EU 2017 - Lessons Learned from Teaching CTI All Over the World - Jess Garcia § ComradeCookie - What is CTI and what makes a good CTI analyst? § Richards J. Heuer - Psychology of Intelligence Analysis § Richards J. Heuer - Structured Analytic Techniques for Intelligence Analysis § NIST - National Initiative for Cybersecurity Education Cybersecurity Workforce Framework § SEI Carnegie Mellon University - Cyber Intelligence Tradecraft Report References for this presentation: http://bit.ly/ctisummit2020
  • 38. § Use a competency-based framework to assess your CTI team’s skill coverage. § Invest on internal/external CTI training opportunities, especially on analysis and thinking. § Streamline BAU CTI tasks, make them repeatable. § Build a working environment for knowledge sharing (sharing is caring, huh?)
  • 39. Dulcinea Watches as Don Quixote Wins Battles For Her Image from elladocomicodedonquijote.wordpress.com
  • 40. §Intelligence direction phase is of utmost importance to your intelligence cycle process. §CTI needs to be better communicated. §Focus on CTI analyst’s skillset.
  • 41. Andreas Sfakianakis @asfakian threatintel.eu References for this presentation: http://bit.ly/ctisummit2020 Sharing is caring