This is a presentation on the state of the art and trends in Cyber Threat Intelligence, dating back to 2015! The conference was Secure South West 5 (SSW5) in Plymouth on 2nd April 2015. The content is a) an introduction to CTI, b) Cyber Threat Management, and c) Threat Intelligence Platforms and other CTI toolsets. Good old days :)
2. ECS - Threat Management Strategy
• Build a picture of your adversaries. Understand their strategies, objectives, methodologies and attributes.
• Gain a clear understanding of your own network and systems, alongside any weaknesses.
• Understand your countermeasures and contextual information. Bolster your countermeasures to deny attack channels.
• Establish and execute business-as-usual threat intelligence, vulnerability management, monitoring and response procedures.
• Review and report outcomes, deliverables, value and lessons learnt.
3. Roadmap
• Threat Landscape
• What is Threat Intelligence?
• Threat Intelligence Management
• Threat Intelligence Platforms
• Takeaways
9. Threat Intelligence
• "We don't know what it is, but we need it."
• Intelligence is the application of knowledge to information.
• It informs business decisions regarding the risks and implications associated with threats.
• Data is not information, information is not knowledge, knowledge is not intelligence, intelligence is not wisdom.
• Buzzword of 2014!
12. Why do we need Threat Intelligence?
• Dynamic threat landscape
• Situational awareness (different sectors face different threats)
• Defend better by knowing the adversary
• From reactive to proactive
• Driving better investment strategies
• After all, it’s all about … context, context and context!
13. Types of Threat Intelligence
                      Strategic                            Tactical
Created by            Humans                               Machines, or humans + machines
Consumed by           Humans                               Machines and humans
Delivery time frame   Days – months                        Seconds to hours
Useful lifespan       Long                                 Short (usually)
Durability            Durable                              Fragile (*)
Ambiguity             Possible; hypotheses and leads OK    Undesirable; systems don’t tolerate it
Focus                 Planning, decisions                  Detection, triage, response
15. How do we build it?
• The fundamental cycle of intelligence processing
• As used by civilian or military intelligence agencies and law enforcement
• A closed path consisting of repeating nodes
18. Interrupting the kill chain
The “Kill Chain” is a phase-based model that describes the stages of an attack, which also helps inform ways to prevent such attacks.
20. Internally-sourced Threat Intelligence
• Detailed analysis of locally caught malware
• Detailed analysis of disk images and memory images
• Threat actor profiles based on local data
• Artifacts shared by other organizations
• Fusing local data with shared data
• Behavioural analysis
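The "fusing local data with shared data" bullet above, and the "useful lifespan: short / fragile" row of the tactical column in the types table, come together in one routine: match locally collected telemetry against indicators other organisations shared, while letting expired indicators age out instead of matching forever. The block below is an added example, not code from the SSW5 deck; the feed entries, the log lines, the field names and the partner names are all constructed for illustration.

```python
"""Fuse local telemetry with shared indicators, honouring indicator lifespan.

Added example, not from the SSW5 deck. The feed, the log lines and the
field names are all constructed for illustration.
"""
import json
from datetime import datetime, timezone

# Constructed shared feed: indicators other organisations published. Each
# carries a validity window, because tactical intelligence is fragile and a
# stale indicator should stop matching rather than generate noise forever.
SHARED_FEED = [
    {"type": "ipv4", "value": "203.0.113.45",
     "valid_until": "2015-04-30T00:00:00Z", "source": "partner-A"},
    {"type": "domain", "value": "update-check.example",
     "valid_until": "2015-03-01T00:00:00Z", "source": "partner-B"},  # already expired
    {"type": "sha256", "value": "a1" * 32,  # constructed placeholder hash
     "valid_until": "2016-01-01T00:00:00Z", "source": "partner-A"},
]

# Constructed local events (proxy and endpoint telemetry) serialised as JSON lines.
LOCAL_LOGS = [json.dumps(e) for e in [
    {"ts": "2015-04-02T08:01:10Z", "src_ip": "10.0.0.15",
     "dst_ip": "203.0.113.45", "host": "cdn.example"},
    {"ts": "2015-04-02T08:02:33Z", "src_ip": "10.0.0.21",
     "dst_ip": "198.51.100.9", "host": "Update-Check.example"},
    {"ts": "2015-04-02T08:05:00Z", "src_ip": "10.0.0.15",
     "sha256": "A1" * 32},
]]

# "Now" for the example: the day of the SSW5 talk (constructed reference time).
NOW = datetime(2015, 4, 2, 9, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse the feed's 'Z'-suffixed ISO-8601 timestamps as aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def active_indicators(feed, now):
    """Index indicators by (type, value), dropping any whose validity has lapsed."""
    active = {}
    for ioc in feed:
        if parse_ts(ioc["valid_until"]) > now:
            active[(ioc["type"], ioc["value"].lower())] = ioc
    return active


def observables(event):
    """Extract normalised (type, value) pairs from one local event."""
    pairs = []
    if "dst_ip" in event:
        pairs.append(("ipv4", event["dst_ip"]))
    if "host" in event:
        pairs.append(("domain", event["host"].lower()))
    if "sha256" in event:
        pairs.append(("sha256", event["sha256"].lower()))
    return pairs


def fuse(log_lines, feed, now):
    """Return one hit per (event, indicator) match, carrying the feed provenance."""
    active = active_indicators(feed, now)
    hits = []
    for line in log_lines:
        event = json.loads(line)
        for kind, value in observables(event):
            ioc = active.get((kind, value))
            if ioc is not None:
                hits.append({"ts": event["ts"], "src_ip": event.get("src_ip"),
                             "type": kind, "value": value, "source": ioc["source"]})
    return hits


if __name__ == "__main__":
    for hit in fuse(LOCAL_LOGS, SHARED_FEED, NOW):
        print(hit)
```

Run as written, the second event is not reported even though its hostname is on the feed: that indicator expired a month before the reference time, which is the practical meaning of the "fragile" row in the table. Keeping the feed's source on each hit is what lets an analyst ask which sharing partner's intelligence actually produced value.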
35. STIX standard
Consider these questions…
• What activity are we seeing?
• What threats should I be looking for, and why?
• Where has this threat been seen?
• What does it do?
• What weaknesses does this threat exploit?
• Why does it do this?
• Who is responsible for this threat?
• What can I do?
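Each question on the slide maps onto a STIX object type, and the relationships between those objects are what carry the context the deck keeps returning to. The block below is an added example, not code from the SSW5 deck or from the STIX project: it hand-builds STIX 2.1 JSON (assumed here so the output is plain JSON; the deck itself dates from the STIX 1.x era) without any external library, and every value in it is constructed: the address, the malware and actor names and the CVE placeholder are not real identifiers.

```python
"""Answer the STIX slide's questions with STIX objects.

Added example, not from the SSW5 deck. STIX 2.1 JSON is built by hand
(assumed version; the deck predates it), and every value is constructed.
"""
import json
import uuid

CREATED = "2015-04-02T09:00:00.000Z"  # constructed timestamp


def stix_object(obj_type, **props):
    """Common envelope that every STIX 2.1 domain and relationship object carries."""
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}",
           "created": CREATED, "modified": CREATED}
    obj.update(props)
    return obj


def relationship(kind, source, target):
    """STIX Relationship Object linking two objects by their ids."""
    return stix_object("relationship", relationship_type=kind,
                       source_ref=source["id"], target_ref=target["id"])


def build_bundle():
    """One object per question on the slide, wired together with relationships."""
    # What activity are we seeing? -> Indicator (tactical: a machine-readable pattern)
    indicator = stix_object("indicator", name="Beacon to constructed C2 address",
                            pattern="[ipv4-addr:value = '203.0.113.45']",
                            pattern_type="stix", valid_from=CREATED,
                            valid_until="2015-04-30T00:00:00.000Z")
    # What does it do? -> Malware
    malware = stix_object("malware", name="ExampleRAT (constructed)", is_family=False,
                          malware_types=["remote-access-trojan"])
    # What weaknesses does it exploit? -> Vulnerability (placeholder id, not a real CVE)
    vuln = stix_object("vulnerability", name="CVE-YYYY-NNNNN (placeholder)")
    # Who is responsible, and why? -> Threat Actor with a motivation (strategic)
    actor = stix_object("threat-actor", name="ACTOR-PLACEHOLDER",
                        threat_actor_types=["crime-syndicate"],
                        primary_motivation="personal-gain")
    # What can I do? -> Course of Action
    coa = stix_object("course-of-action", name="Block 203.0.113.45 at the egress proxy")
    # Where has this threat been seen? -> Sighting of the indicator
    sighting = stix_object("sighting", sighting_of_ref=indicator["id"], count=3,
                           first_seen=CREATED, last_seen=CREATED)
    objects = [indicator, malware, vuln, actor, coa, sighting,
               relationship("indicates", indicator, malware),
               relationship("exploits", malware, vuln),
               relationship("uses", actor, malware),
               relationship("mitigates", coa, indicator)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def dangling_refs(bundle):
    """Every *_ref in the bundle should resolve to an object in the same bundle."""
    ids = {o["id"] for o in bundle["objects"]}
    return [(o["id"], key, val) for o in bundle["objects"]
            for key, val in o.items() if key.endswith("_ref") and val not in ids]


def objects_by_type(bundle):
    """Count objects per STIX type; a quick check that each question got an answer."""
    counts = {}
    for obj in bundle["objects"]:
        counts[obj["type"]] = counts.get(obj["type"], 0) + 1
    return counts


if __name__ == "__main__":
    bundle = build_bundle()
    print(json.dumps(bundle, indent=2))
    print("dangling refs:", dangling_refs(bundle))
```

The indicator is the tactical, short-lived piece (note its valid_until), while the threat actor and its motivation are the strategic, human-consumed piece; both live in the same bundle, which is how a platform can hand a SOC the pattern and hand an analyst the context without two separate feeds. The dangling_refs check matters when bundles are exchanged between organisations, since a relationship pointing at an object the recipient never received is exactly the kind of context loss the deck warns about.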
39. Takeaways
• The current state of TI is still initial BUT has great potential
• Context is critical (it makes everyone’s job easier)
• Intelligence-led defence has significant operating costs
• Do not blindly invest in intelligence (first think of requirements, DIY vs buy)
• Look for upcoming automation/tool developments
• Do not forget people and processes!!!!
40. Thank you for your attention! :)
Questions?
@asfakian