Cyber Threat Intelligence
Integration
Ken Dunham, Senior Director, Technical Cyber Threat Intelligence
MTE, CISSP, GCFA Gold, GCIH Gold, GSEC, GREM Gold, GCIA, CISM
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
AGENDA
01 | What is Cyber Threat Intelligence (CTI)?
02 | Are you ready?
03 | Guidance for Success
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Cyber Threat Intelligence
•
www.optiv.com/resources/blog
•
Hint: How does information differ from intelligence (Intel)?
•
Hint: How is an indicator of compromise (IOC) different
from Intel?
•
Hint: Think HOW you’ll get there and WHAT you want to
do…ACTION
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
OPTIV DEFINITION OF CTI
CTI is an ecosystem supportive of the decision making process
derived from the collection, analysis, dissemination and integration
of threats and vulnerabilities to an organization and its people and
assets.
Optiv recommends considering four essential attributes of threat
agents mapped back to a security posture, as well as six
essentials courses of action, known as threat modeling, in order to
properly produce, consume and act upon CTI.
https://www.optiv.com/blog/operationalizing-a-cyber-threat-intelligence-solution
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Contextualize Into Risk Management
What am I trying to protect?
Have you identified your
crown jewels and how they
are both protected and at risk?
Do you know
who/what you are
protecting it from?
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Do you have a plan for
protecting your assets from
actors or risk identified?
Threat Agents
Non-Hostile
• Reckless employee
• Untrained employee
• Partners
Hostile
• eCrime
• Nation-state cyber warrior
• Industrial espionage
• …
Intent: theft, disruption, reputation …
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Threat Agent Attributes
•
Composition and Strength:
individual or group/association?
•
Tactics: historical or expected course
of action?
•
Logistics: infrastructure,
architecture, operations
•
Effectiveness: how effective are their
attacks; in the future?
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Threat Agent Courses of Action
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Timely
Relevant and Specific
Actionability
Not just a buzz word.
Within CTI it must be:
Actionable
Lower or Mitigate Risk
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Real World Example: Email Found on DarkWeb
[email protected]
•
•
•
•
Date & Time?
Where and who had this on the DarkWeb?
Captured for spam?
Stolen credentials?
• Universal Credentials?
• Targeted campaign?
• Without any context what will you do?
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Real World Example: Suspect IP
8.8.8.8
• Collected from global blacklist?
• One time use?
• Bad data (Google DNS) not qualified?
• Date & Time?
• Related to what threat vector or threat?
• IPs can host a large number of domains…
• With so little to go on what will you do?
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Real World Example: Dedicated Espionage Domain
nato.nshq[.]in
• Collected from a global blacklist?
• One time use, abused, or persistent?
• Bad data (Google DNS) not qualified?
• Date & Time?
• Related to what threat vector or threat?
• IPs can host a large number of domains…
• With so little to go on what will you do?
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Real World Example: what you’re NOT capturing
?.?.?.?
• Downloader Trojan detected and removed.
• Other undetected variants?
• What does it download? What Campaign?
• IOCs related to the kill chain and campaign?
• Targeted with ongoing comprehensive risk?
• If you’re not looking how can you protect with
assurance?
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Are You Ready for CTI?
•
Why do you think you’re ready for CTI?
•
If you have already started a CTI program, what is
your perspective now?
•
Do you have any idea of what lies ahead as you
develop a CTI program?
•
Do you have any seasoned veterans in CTI working
for you?
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Oregon Trail Priorities
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
What Are Your Priorities?
Collect global IOCs to supplement
your software and solutions?
Mistake: TTPs often include one
time use of domains and IPs or
abuse of legitimate websites. How
does global IOC data aid in fighting
against these types of threats?
Useful but should not be the focus.
Manage Internally SIEM/SOC
operations and optimize?
Mistake: Internal resources are best
spent on advanced analysis and
integrated risk management. Most
mature organizations use third-party
providers for low skill high volume roles
such as this. There are few too many
trained and experienced experts; use
them wisely.
Efficiently and effectively LOWER RISK against crown jewels!
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Bi-Direction Intelligence Enablement
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Matured Understanding of Global Threats
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
You NEED community and sharing within your
sector, even with friendenemies.
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Leadership Is Your Most Important Priority
This Guy?
Or This Guy?
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Most people fail not
because they aim
too high and miss,
but because they
aim too low and hit.
– Les Brown
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Questions
Ken Dunham
Senior Director
Technical Cyber Threat Intelligence
MTE, CISSP, GCFA Gold, GCIH Gold, GSEC, GREM
Gold, GCIA, CISM
[email protected]
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.
Proprietary and Confidential. Do Not Distribute. © 2016 Optiv Inc. All Rights Reserved.