# driven by curiosity
# https://www.linkedin.com/in/cristicalita/
_main objectives
Present CTI in the current context – bring this security field into the spotlight.
It includes:
The organization’s internal network.
Idea from presentations of Rob Dartnall, Director of Intelligence, Security Alliance Ltd - Intelligence Preparation of the Cyber Environment
_what do I mean by threat
For an event to be considered a threat, the following should exist:
Control
Source: Benchmark research sponsored by IBM Security Independently conducted by Ponemon Institute LLC
_CTI consumers
(Diagram: the Threat Intelligence Team at the centre, serving Board/Senior Management, the Vulnerability Team, SOC Staff, the Endpoint/Network Security Teams, the Incident Response Team and the Information Risk Team.)
Board/Senior Management: High level forecasts, trends, reports, presentations on threats applicable to the organization.
Network/Endpoint Security Teams: Network/endpoint IOCs, firewall rules, malware signatures, detection rules (e.g. Yara).
Vulnerability Team: Vulnerability prioritization, exploit POCs, workarounds, etc.
SOC Staff: Context on alerts, related IOCs, details on threat actors and TTPs, etc.
Incident Response Team: Context on artifacts, IOCs, behavioral TTPs, etc.
Information Risk Team: Data about how likely an attack may be, about an attack’s cost, etc.
_threat intelligence types
Strategic
Operational
Tactical
_common challenges that CTI can help with
• Internal data is not sufficient for management decisions
#1
Common cases:
Threat != Risk
Threat != Vulnerability
Threat != Malware
Event:
- Vulnerability assessment
- US CERT notification
TI action: Observe vulnerability applicability based on the visibility; ... the right people.
Event: CVE-2017-9805 exploitation
- Vulnerability assessment
- Expired certificate
- Network traffic not monitored
- Keeping all eggs in one basket (attack a DB, get all)
- Unencrypted credentials
TI action: Understanding of the threat and its impact: TI threat evaluation and report.
_prerequisites for your TI activity
_generation
• This is based on the analysis of internal intrusions;
• It is used to discover, analyze and understand campaigns against your organization;
• It requires a fair amount of data to be collected – the results will depend on the collection analyzed;
• It uses models and processes such as the Intelligence Life Cycle, Cyber Kill Chain, Diamond Model, etc.
• This is mostly seen at the security service providers level.
_consumption
• This is what most organizations want;
• The TI team will have to understand the threats and to know the organization’s cyber battlefield;
• This is based on the internal and external collections;
• The TI analyst will filter huge amounts of data sets, will analyze them and will extract and direct the useful data to the right people in the organization (in the right format).
_TI consumption
TI consumption across sliding scale of cyber security:
Source: https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240
_foundation for your TI activity
Intelligence requirements
Collection management framework
Threat Model
A CMF is the plan for how you collect data, where you collect it from and what type of data you collect.
_sample CMF
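The sample CMF on this slide was an image; the block below is an added, constructed example (not from the original deck) that records the three CMF questions above (how you collect, where from, what type of data) per source and then checks which intelligence requirements the current collection can actually answer. The source names, data types and requirements are illustrative assumptions.

```python
from dataclasses import dataclass


@dataclass
class Source:
    """One row of the CMF: how and where data is collected, and what it yields."""
    name: str            # how the data is collected (log source, feed, ...)
    location: str        # where it comes from: internal or external
    data_types: set      # what type of data it contains
    retention_days: int  # how long the collected data stays available


@dataclass
class Requirement:
    """An intelligence requirement, tied to the consumer who asked it."""
    question: str
    consumer: str        # consumer group from the deck's CTI consumers table
    needs: set           # data types required to answer the question


# Constructed sample CMF; names and values are illustrative, not real systems.
CMF = [
    Source("perimeter firewall logs", "internal", {"netflow", "dst_ip"}, 90),
    Source("EDR telemetry", "internal", {"process", "file_hash"}, 30),
    Source("vendor threat feed", "external", {"ioc", "actor", "ttp"}, 365),
    Source("CVE/NVD bulletins", "external", {"cve"}, 365),
]

# Constructed intelligence requirements (assumed, for the example only).
REQUIREMENTS = [
    Requirement("Which known-bad IPs talk to our network?", "SOC Staff", {"ioc", "dst_ip"}),
    Requirement("Which published CVEs apply to our assets?", "Vulnerability Team", {"cve", "asset_inventory"}),
    Requirement("Which actors target our sector?", "Board/Senior Management", {"actor"}),
]


def coverage(cmf, requirements):
    """Map each question to the data types no source in the CMF provides."""
    available = set().union(*(s.data_types for s in cmf))
    return {r.question: r.needs - available for r in requirements}


def gaps(cmf, requirements):
    """Only the requirements the CMF cannot answer yet, with what is missing."""
    return {q: m for q, m in coverage(cmf, requirements).items() if m}


if __name__ == "__main__":
    for question, missing in gaps(CMF, REQUIREMENTS).items():
        print(f"collection gap: {question!r} needs {sorted(missing)}")
```

A gap means a collection source has to be added (or an existing one extended) before the consumer’s question can be answered, which is the planning decision the CMF exists to surface.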
_a threat model
Definition: a threat model is the organization’s representation of the threats relevant to it – it formalizes and documents the threats that are likely to impact the organization.
It helps understanding how the threat actors operate, what data they are after and how you are likely to identify their actions.