2016 ISSA Conference Threat Intelligence Keynote philA

Page 1

State of the Art Threat Intelligence // philA

*Based on The Cyber Shafarat - Treadstone 71

Page 2

We are in a confused state…

Page 3

The State of Cyber Threat Intelligence

- Functions don't follow standard intelligence tradecraft
- Programs support only a fraction of the intelligence needs
- Stakeholders hold unrealistic expectations

Most programs are poorly conceived
- Follow inaccurate definitions of threat intelligence

Focus on technology repeats the historical problems of infosec
- See, Detect, and Arrest paradigm

Threat intelligence vendors are driving the market
- Communicate definitions that support their offerings
- Propagate the fallacy that they solve numerous security problems

Source: Treadstone 71

Page 4

Mistakes being made in threat intelligence

- Many reports aren't written in analytic form or format
- Many don't provide confidence levels
- Many don't cite sources, provide the reliability of sources, or provide the credibility of the information

Many take these reports at face value

Source: Treadstone 71

Page 5

Diagram labels: Threat Intelligence; Cyber Threat Intelligence

Page 6

What is Intelligence?

What is Risk?

Taxonomies

Definitions

Page 7

The Intelligence Cycle is the process by which information is acquired, converted into intelligence, and made available to policymakers. 

Information is raw data from any source, data that may be fragmentary, contradictory, unreliable, ambiguous, deceptive, or wrong. 

Intelligence is information that has been collected, integrated, evaluated, analyzed, and interpreted. 

Finished intelligence is the final product of the Intelligence Cycle ready to be delivered to the policymaker.

(CIA World Factbook, 2016) A1

Definitions

Page 8

The three types of finished intelligence:

Basic intelligence provides the fundamental and factual reference material on a country or issue.

Current intelligence reports on new developments.

Estimative intelligence judges probable outcomes.

The three are mutually supportive: basic intelligence is the foundation on which the other two are constructed; current intelligence continually updates the inventory of knowledge; and estimative intelligence revises overall interpretations of country and issue prospects for guidance of basic and current intelligence. The World Factbook, The President's Daily Brief, and the National Intelligence Estimates are examples of the three types of finished intelligence.

(CIA World Factbook, 2016) A1

Page 9

What is Threat Intelligence?

Source: MWR InfoSecurity Model of Threat Intelligence

Four levels, based on who consumes the intelligence: strategic, operational, tactical, and technical. (InfoSecurity, 2015) B3

Page 10

Problem: Exclusive Focus on Threat Intelligence

Threat Intelligence is a subset of Intelligence

Lacks scope, depth, breadth, and is deficient in tradecraft

Types of intelligence shown on the slide:
- Basic
- Foundational
- Research
- Competitive
- Estimative
- Warning

Page 11

What is Tradecraft?

Spy Stuff…

Military Secretive

Page 12

Intelligence tradecraft is rooted in CIA capabilities
- Honed over years of trial, error, mistakes, and triumphs

Sherman Kent
- Father of intelligence analysis
- Defined the methods of intelligence analysis used today
- Analytic standards, doctrines, and practices need to be applied today within cyber threat intelligence functions. (Davis, 2007) A1

Richards J. Heuer Jr.
- 45-year CIA veteran
- Documented issues with critical thinking, cognitive bias, and the structured analytic techniques used today

+ Both offer approaches directly applicable to information security efforts to create threat intelligence
+ Enable organizations to see beyond the limited view of the 'see, detect, and arrest' paradigm
+ Progress to data collection, analysis, and intelligence creation used to prevent and eventually predict adversary actions

Tradecraft is the underlying framework for intelligence upon which military and non-military programs should be built

Source: Treadstone 71

Page 13

Infosec: Intelligence is a whole other discipline

Page 14

Intelligence analysts endure rigor, structure, and focused training that specializes in the craft of intelligence analysis.

Core function of any intelligence organization: they learn how to think, write, and brief. They study analytic tools, counterintelligence issues, denial and deception, analysis, and warning skills. (Agency, 2007) A1

Source: Treadstone 71

Page 15

Know:

Well-built intelligence programs are driven top-down, not assembled bottom-up from technology.

Page 16

Know:

Your adversaries are already inside your network and must be removed. Organizations need to do this for proper hygiene.

Page 17

Know:

Recognize that the latest focus on 'hunt and detect' is merely an enhancement to the failed attempts at event correlation in SIEMs.

Page 18

Know:

Log aggregation and then analysis of the content for tactics, techniques, and procedures is but an improved method of finding adversaries and malware already in your environment. This is not proactive. This is not preventive. It is necessary, but not new.

Page 19

Know:

Intelligence is not the same as incident response, nor is it a core component of the security operations center.

Page 20

Recommendation:

Hire intelligence professionals and/or train those with the aptitude for intelligence skills.

Page 21

Recommendation:

Build your intelligence program from the top down.

Page 22

Recommendation:

Develop the goals and outcomes you want from your intelligence program.

Page 23

Recommendation:

Treat each vendor report as nothing more than another source of data. Evaluate each for credibility, reliability, and relevance.

Consider using the NATO Admiralty Code, which rates the reliability of a source (A through F) separately from the credibility of the information that source provides (1 through 6).

Evaluate each vendor report using this coding method while documenting ease of data extraction, relevance to your organizational issues, type of intelligence (strategic, operational, tactical, or technical), and value in solving your security problems.
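The source-evaluation step in the recommendation above, together with the missing confidence levels and source citations called out on slide 4, as an added example that is not code from the keynote or from Treadstone 71: a Python scorer that records each vendor report as a rated source using the NATO Admiralty Code (source reliability A to F, information credibility 1 to 6) and the other fields the recommendation lists, then ranks the reports. The numeric weights, the 1 to 5 scales for extraction ease and relevance, the `ReportEvaluation` and `rank_reports` names, and the vendors and report titles are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum

# NATO Admiralty Code, source reliability axis. "F" means it cannot be judged.
RELIABILITY = {
    "A": "Completely reliable",
    "B": "Usually reliable",
    "C": "Fairly reliable",
    "D": "Not usually reliable",
    "E": "Unreliable",
    "F": "Reliability cannot be judged",
}

# NATO Admiralty Code, information credibility axis. 6 means it cannot be judged.
CREDIBILITY = {
    1: "Confirmed by other sources",
    2: "Probably true",
    3: "Possibly true",
    4: "Doubtful",
    5: "Improbable",
    6: "Truth cannot be judged",
}

# Numeric values for ranking are an assumption of this example; "cannot be
# judged" deliberately scores 0 rather than being treated as mid-scale.
_REL_SCORE = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.3, "E": 0.0, "F": 0.0}
_CRED_SCORE = {1: 1.0, 2: 0.8, 3: 0.6, 4: 0.3, 5: 0.0, 6: 0.0}


class IntelType(Enum):
    """The four consumption levels named on slide 9."""
    STRATEGIC = "strategic"
    OPERATIONAL = "operational"
    TACTICAL = "tactical"
    TECHNICAL = "technical"


@dataclass(frozen=True)
class ReportEvaluation:
    """One vendor report, evaluated as a data source rather than taken at face value."""
    vendor: str
    title: str
    reliability: str        # Admiralty letter A-F
    credibility: int        # Admiralty digit 1-6
    extraction_ease: int    # assumed 1..5 scale: 1 = hand-copied from a PDF, 5 = machine-readable
    relevance: int          # assumed 1..5 scale: 1 = no overlap with our environment, 5 = directly applicable
    intel_type: IntelType
    cites_sources: bool     # does the report say where its claims come from?
    states_confidence: bool # does the report attach confidence levels to its judgments?

    def __post_init__(self):
        if self.reliability not in RELIABILITY:
            raise ValueError(f"bad reliability rating {self.reliability!r}")
        if self.credibility not in CREDIBILITY:
            raise ValueError(f"bad credibility rating {self.credibility!r}")
        for name in ("extraction_ease", "relevance"):
            if not 1 <= getattr(self, name) <= 5:
                raise ValueError(f"{name} must be in 1..5")

    @property
    def admiralty(self) -> str:
        """The conventional two-character rating, e.g. 'B2'."""
        return f"{self.reliability}{self.credibility}"

    def can_be_judged(self) -> bool:
        """False when either axis is 'cannot be judged' (F or 6)."""
        return self.reliability != "F" and self.credibility != 6

    def score(self) -> float:
        """Weighted 0..1 value of the report to this organization (weights are assumed)."""
        if not self.can_be_judged():
            # An unratable report is a lead to corroborate, not a finding; it must
            # not outrank a report we could actually evaluate.
            return 0.0
        tradecraft = (0.5 if self.cites_sources else 0.0) + (0.5 if self.states_confidence else 0.0)
        value = (0.30 * _REL_SCORE[self.reliability]
                 + 0.30 * _CRED_SCORE[self.credibility]
                 + 0.20 * (self.relevance - 1) / 4
                 + 0.10 * (self.extraction_ease - 1) / 4
                 + 0.10 * tradecraft)
        return round(value, 3)


def rank_reports(reports):
    """Most valuable report first; ties broken by relevance to our own problems."""
    return sorted(reports, key=lambda r: (r.score(), r.relevance), reverse=True)


# Constructed sample input: fictional vendors and report titles.
SAMPLE_REPORTS = [
    ReportEvaluation("VendorX", "Quarterly APT overview", "B", 2, 2, 4, IntelType.STRATEGIC, True, True),
    ReportEvaluation("VendorY", "IOC feed: 4,000 hashes", "C", 3, 5, 2, IntelType.TECHNICAL, False, False),
    ReportEvaluation("Blog Z", "Unnamed source claims a breach", "F", 6, 1, 5, IntelType.OPERATIONAL, False, False),
]

if __name__ == "__main__":
    for r in rank_reports(SAMPLE_REPORTS):
        print(f"{r.admiralty}  {r.score():.3f}  {r.vendor}: {r.title} [{r.intel_type.value}]")
```

The point of keeping the two Admiralty axes separate is that a usually reliable vendor can still publish an uncorroborated claim (B4), and an unknown blog can repeat something already confirmed elsewhere (F1); collapsing them into one "trust" number hides exactly the distinction an analyst needs. The constructed third report scores zero on purpose: with no judgeable source and no judgeable content it is a collection lead, not something to brief stakeholders on.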

Page 24

Recommendation:

Find a balance between long-term analysis and short-term reporting.

Don't get stuck in the reporting hamster wheel: gathering current data, serialized reporting, reporting rollups, and fighting daily issues.

Self-Inflicted Punishment: never having the time to analyze data from historical collection, which is the actual intelligence work.

Page 25

Recommendation:

Give intelligence functions direct access to organizational stakeholders.

Don't bury the function in a SOC.

Page 26

Recommendation:

Focus on the right People, the right Process, and then the right Technology.

Page 27

Know:

Page 28

Know:

We live in a time where:
- Information is vulnerable.
- Everyone is being watched.
- Anyone can be compromised.

philA Society

Page 29

To be forewarned is to be forearmed

Information Sharing

- A nonprofit private-sector initiative formed in 1999
- Designed, developed, and owned by the financial services industry
- Mitigates cybercrime, hacktivist, and nation-state activity
- Processes thousands of threat indicators per month
- 2004: 68 members; 2015: 6,000+ members
- Sharing information globally

Mission: Sharing Timely, Relevant, Actionable Cyber and Physical Security Information & Analysis

Page 30

You can do this!