Cyber Threat Intelligence: Integrating the Intelligence Cycle
Elias Fox and Michael Norkus, Cyber Threat Intelligence Analysts
January 2017
The Global Domain
The internet offers global connectivity to all the good things contained therein…and to all the bad things, as well.
Situational Awareness
Risk and opportunity management is a core function of every organization. Situational awareness is key to improved business decisions.
The Value of Cyber Threat Intelligence
Proper CTI should extend our vision and allow us to take steps that normally we would not.
Noblis Definition and Vision
Our vision incorporates network defense data and all-source intelligence to provide a holistic cyber threat picture.
Vision elements (diagram): Proactively Diminish Threats; Requirements-Driven Methodology; Holistic Cyber Threat Picture; Traditional and Non-Traditional Intelligence Techniques.
Levels: Tactical, Operational, Strategic. Qualities: Technical Expertise, Analytic Tradecraft, Timely, Accurate.
The Three Levels of Threat Intelligence
“tactics are concerned with ‘doing the job right,’ and higher levels of strategy are concerned with ‘doing the right job’.” (Drew and Snow, 2006)
Timeframe by level (diagram): Tactical (immediate), Operational (short-term trends), Strategic (long-term trends).
Cyber Threat Intelligence: A Holistic Picture
Tactical: Focused on Today/Tomorrow; Feeds and IoCs
Operational: Focused on Next Week/Month; Adversary TTP
Strategic: Focused on Years Ahead; Planning and Risk
Reactive
Threats (diagram): Man in the Middle; DDoS; Social Engineering
Proactive Defense Measures!
Risk Mitigation: What do we have that they want? How do we protect our data?
Incorporating the Traditional Intelligence Cycle
Cycle stages (diagram): Requirements and Planning; Collection; Processing and Exploitation; Analysis and Production; Dissemination; Monitoring and Response
Incorporating the traditional Intelligence Cycle into analysts’ workflow will expand the precision with which we can identify, defend against, and prevent cyber threats.
Collection sources (diagram): NETFLOW; Industrial Attacks
Monitoring and Response Integration
Integrating CTI, network operations and security, and business operations enables more effective decisions to balance risk, response, and allocation of resources.
IdealWorks: Risk Assessment
Incorporating the Traditional Intelligence Cycle
Cycle stages (diagram): Requirements and Planning; Collection; Processing and Exploitation; Analysis and Production; Dissemination; Monitoring and Response
Incorporating the Intelligence Cycle into analysts’ workflow allows the company to proactively identify threats and intelligence gaps.
Requirements and collection sources (diagram): Leaps in R&D; NETFLOW Traffic; Job Applications; Industrial Attacks; Economic Opportunity; TTP; Market Access Agreements; Military Modernization; with intelligence Gaps marked where no source covers a requirement.
Monitoring and Response Integration
A Monitoring and Response framework links the organization’s intelligence support with its network operations division – and drives information flow.
Cyber Threat Intelligence: A Holistic Picture
Tactical: Focused on Today/Tomorrow; Feeds and IoCs
Operational: Focused on Next Week/Month; Adversary TTP
Strategic: Focused on Years Ahead; Planning and Risk
Reactive → Proactive
Benefits of Integrating People and Tools
Knowledge, Skills, and Abilities: Integrating People
Just as people and tools are behind these threats, people and tools are required to resolve these threats – automation and machine learning provide only half of the solution.
Roles (diagram): CND Analyst (Technical Track); Open Source Analyst (Analytical Track); Cyber Threat Intelligence Analyst (Foundational Skills)
Now remember, Proactive Man says: