
Secure your cyber battlefield

leveraging cyber threat intelligence


Bucharest
October 26th, 2018
_whoami

_Cristi Calita # SecureWorks Cyber Threat Intelligence Advisor

# Former Information Risk Analyst @banking

# GCTI, OSCP, SSCP

# driven by curiosity

# https://www.linkedin.com/in/cristicalita/
_main objectives
Present CTI in the current context – bring this security field into the spotlight.

Tell why CTI is a powerful weapon.

Provide free-of-charge tips on how to build and manage a CTI program.
_what do I mean by cyber battlefield

Cyber battlefield – the field of cyber operations, the virtual perimeter in which we "fight" with our adversaries.

The cyber battlefield represents the operational environment where the organization is present.

It includes:
• The organization's internal network.
• Environments outside the network.

_sample representation of the cyber battlefield

(Diagram not reproduced.) Idea from the presentations of Rob Dartnall, Director of Intelligence, Security Alliance Ltd – Intelligence Preparation of the Cyber Environment.
_what do I mean by threat
For an event to be considered a threat, the following should all exist:

Capability: does the threat actor have the means (e.g. the malicious software, the infrastructure, the time, the knowledge, etc.) to successfully perform the event?

Intent: is there a possibility that your organization is on the threat actor's list?

Opportunity: does your organization present the factors that would allow the threat actor to harm/disrupt its assets?
_what CTI actually means

Threat intelligence is the collection and processing of information about adversaries who have the intent, opportunity and capability to do you harm,

with the goal of enabling the organization to correctly understand, predict and adapt to the behavior of the threat actors, no matter who they are.
_why would you consider using CTI
• Fear (noun) – an unpleasant emotion caused by the threat of danger, pain, or harm.

• Risk – in corporate environments the notion of fear translates to "Risk".

• Risk of losing something – a risk approach regarding the threat of danger, pain or harm.
_risk approach
Risk of financial/reputational loss due to cyber threat materialization, caused by the lack of a task force to centrally manage cyber threats.

Options for treating that risk: Avoid, Accept, Transfer, Control.

Source: Benchmark research sponsored by IBM Security, independently conducted by Ponemon Institute LLC
_CTI consumers
(The slide's diagram places the Threat Intelligence Team in the centre, feeding each of the consumers below.)

Board/Senior Management
• High level forecasts, trends, reports, presentations on threats applicable to the organization.

Network/Endpoint Security Teams
• Network/endpoint IOCs, firewall rules, malware signatures, detection rules (e.g. YARA).

Vulnerability Management Team
• Vulnerability prioritization, exploit POCs, workarounds, etc.

SOC Staff
• Context on alerts, related IOCs, details on threat actors and TTPs, etc.

Incident Response Team
• Context on artifacts, IOCs, behavioral TTPs, etc.

Information Risk Team
• Data about how likely an attack may be, about the cost of an attack, etc.
_threat intelligence types

Strategic

Operational

Tactical
_common challenges that CTI can help with
#1 • Internal data is not sufficient for management decisions

#2 • Inconsistent understanding of threats within the organization

#3 • Alert fatigue – too many alerts, too many indicators and no context (SOC consumer)

#4 • Reactivity in Incident Response (Incident Management consumers)

#5 • Prioritization in Vulnerability Management (VM consumer)
_internal data is not sufficient for management decisions

The information gathered internally from known incidents, audits, risk assessments, etc. is not enough to give senior management the comprehensive context needed for defining a suitable security strategy.

Without verifying your risks against your industry's threat landscape and without researching emerging and unforeseen threats, your security program is likely to fail.

By analyzing both external and internal data, threat intelligence can help senior management understand which are the most pressing threats, assess the weight of those threats and, in the end, provide the context needed for making risk-based decisions.
_inconsistent understanding of "threat"

Often, within an organization, the notion of threat is misunderstood or improperly used.

Common cases:
• Threat != Risk
• Threat != Vulnerability
• Threat != Malware

Threat Intelligence acts as a bridge between the various security teams and standardizes the concept.
_alert fatigue in SOC/monitoring
Too many alerts, too many indicators, no time and no context.

Context is king! TI can answer questions such as:
• WHO is attacking us?
• HOW does the attack work?
• What should I do? (CoA – course of action)
• How severe is the attack?
• What's the impact?
• What is likely to happen next?
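The slide lists the questions context should answer; the script below, an added example that is not part of the original deck, shows the mechanical side of that: joining raw SIEM alerts to a TI knowledge base so each alert carries WHO / HOW / severity / impact / next step / course of action, and ordering the queue by that severity. It also normalizes "defanged" indicators (hxxp://, [.]) so feed data and alert data match. Every indicator, host, actor name and alert is constructed for illustration and describes no real infrastructure or campaign.

```python
"""Alert enrichment with TI context (added example, not from the deck).

Every indicator, actor name, TTP description and alert below is constructed
for illustration; none describes real infrastructure or a real campaign.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Context:
    """The answers a SOC analyst wants next to an alert."""
    actor: str       # WHO is attacking us?
    how: str         # HOW does the attack work?
    severity: int    # How severe is it? 1 (low) .. 5 (critical)
    impact: str      # What's the impact?
    next_step: str   # What is likely to happen next?
    coa: str         # What should I do? (course of action)


# Constructed TI knowledge base keyed by normalized indicator value.
TI_DB = {
    "198.51.100.23": Context(
        actor="ACTOR-A (hypothetical)",
        how="HTTPS beacon to an attacker-controlled host",
        severity=4,
        impact="beaconing host is very likely compromised",
        next_step="credential theft and lateral movement",
        coa="isolate host, preserve memory, hunt the beacon across the estate",
    ),
    "invoice-update.example": Context(
        actor="CRIMEWARE-B (hypothetical)",
        how="phishing lure leading to a macro-enabled document",
        severity=3,
        impact="one user may have opened a malicious attachment",
        next_step="loader execution, follow-on payload",
        coa="pull the message from all mailboxes, check the endpoint for child processes",
    ),
}


def normalize_indicator(value: str) -> str:
    """Undo common 'defanging' so feed data and alert data match:
    hxxp:// -> http://, [.] -> ., plus case and whitespace differences."""
    v = value.strip().lower()
    v = v.replace("hxxp://", "http://").replace("hxxps://", "https://")
    v = v.replace("[.]", ".").replace("(.)", ".")
    return v


def enrich(alerts: list, ti_db: dict = TI_DB) -> list:
    """Attach TI context to each alert and order the queue critical first.

    Alerts with no matching indicator are not dropped: they get severity 0
    and sink to the bottom, so the analyst still sees them after the
    contextualized alerts are handled.
    """
    enriched = []
    for alert in alerts:
        ctx: Optional[Context] = ti_db.get(normalize_indicator(alert["indicator"]))
        enriched.append({
            **alert,
            "context": ctx,
            "severity": ctx.severity if ctx else 0,
        })
    return sorted(enriched, key=lambda e: e["severity"], reverse=True)


def triage_line(alert: dict) -> str:
    """One line an analyst can read at a glance."""
    ctx = alert["context"]
    if ctx is None:
        return f"[sev 0] {alert['indicator']} on {alert['host']}: no TI context, needs manual review"
    return (f"[sev {ctx.severity}] {alert['indicator']} on {alert['host']}: "
            f"{ctx.actor} / {ctx.how} -> {ctx.coa}")


# Constructed alerts as a SIEM might emit them, including defanged IOCs.
SAMPLE_ALERTS = [
    {"host": "ws-017", "indicator": "10.0.0.5", "rule": "port scan"},
    {"host": "ws-042", "indicator": "Invoice-Update[.]example", "rule": "dns lookup"},
    {"host": "srv-db1", "indicator": "198[.]51[.]100[.]23", "rule": "outbound https"},
]

if __name__ == "__main__":
    for a in enrich(SAMPLE_ALERTS):
        print(triage_line(a))
```

The un-matched "port scan" alert is deliberately kept at the bottom rather than discarded: TI context reorders the queue, it does not decide what the SOC is allowed to ignore.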
_reactivity in Incident Response
The incident response team is usually involved after the intrusion has occurred and been identified – without an alert from the SIEM, EDR, etc. the incident response process is not triggered.

And once it is triggered, the "time" factor enters the scene!

Threat intelligence can:
• Help in prioritizing the intrusions;
• Reduce the response time in incident response;
• Help identify malicious activity for which the security systems do not raise alerts.

Again, context is king!
_prioritization in Vulnerability Management

0-days do not always mean high prioritization.

From a threat intelligence point of view, the goal of vulnerability management should not be to patch all the vulnerabilities, but rather to identify and patch in a timely manner the vulnerabilities that can become threats to your organization.

To help with this, threat intelligence can provide context on:
• the vulnerability's exploitability;
• the threat actors using the vulnerability.
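To make the "0-day is not automatically top of the list" point concrete, here is an added example (not from the deck) of a threat-informed prioritization: CVSS is the starting point, and TI context (active exploitation, public exploit, actor relevance to our sector) plus exposure of the assets we actually run moves the score. Vulnerabilities in products absent from the inventory are skipped, which is the "vulnerability applicability based on visibility" step from the Equifax slides. CVE-2017-5638 (Apache Struts 2, named on those slides) is real and was exploited in the wild; every other identifier, product, asset and the weights themselves are constructed for illustration.

```python
"""Threat-informed vulnerability prioritization (added example, not from the deck).

Ranks vulnerabilities by CVSS *plus* TI context (exploitation in the wild,
public exploit, actor relevance) and exposure of the assets we actually run.
CVE-2017-5638 (Apache Struts 2) is real; every other identifier, product,
asset and all weights are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass
class Vuln:
    cve: str
    product: str
    cvss: float
    public_exploit: bool     # a working exploit is publicly available
    exploited_in_wild: bool  # TI reports active exploitation
    actor_targets_us: bool   # an actor using it targets our sector / our org


@dataclass
class Asset:
    product: str
    internet_facing: bool
    crown_jewel: bool        # holds data named in the threat model (PII, card data...)


# Constructed inventory: the visibility we have into our own battlefield.
INVENTORY = [
    Asset("Apache Struts 2", internet_facing=True, crown_jewel=True),
    Asset("Internal wiki", internet_facing=False, crown_jewel=False),
]


def applicable_assets(vuln: Vuln, inventory: list) -> list:
    """Vulnerability applicability: which of our assets run the product?"""
    return [a for a in inventory if a.product == vuln.product]


def score(vuln: Vuln, assets: list) -> float:
    """CVSS is the starting point; threat context and exposure move it.

    Weights are illustrative. The shape matters more than the numbers:
    evidence of real-world use outweighs theoretical severity.
    """
    s = vuln.cvss
    if vuln.exploited_in_wild:
        s += 4.0
    elif vuln.public_exploit:
        s += 2.0
    if vuln.actor_targets_us:
        s += 3.0
    if any(a.internet_facing for a in assets):
        s += 2.0
    if any(a.crown_jewel for a in assets):
        s += 2.0
    return s


def prioritize(vulns: list, inventory: list = INVENTORY) -> list:
    """Return [(cve, score)] highest first, skipping products we do not run."""
    ranked = []
    for v in vulns:
        assets = applicable_assets(v, inventory)
        if not assets:
            continue  # not on our battlefield: nothing to patch
        ranked.append((v.cve, score(v, assets)))
    return sorted(ranked, key=lambda t: t[1], reverse=True)


# Constructed vulnerability list (only the first CVE is real).
SAMPLE_VULNS = [
    Vuln("CVE-2017-5638", "Apache Struts 2", 10.0,
         public_exploit=True, exploited_in_wild=True, actor_targets_us=True),
    Vuln("ZD-1 (hypothetical 0-day)", "Internal wiki", 9.8,
         public_exploit=False, exploited_in_wild=False, actor_targets_us=False),
    Vuln("HYP-2 (hypothetical)", "Internal wiki", 7.5,
         public_exploit=True, exploited_in_wild=False, actor_targets_us=False),
    Vuln("HYP-3 (hypothetical)", "Hypothetical DB server", 9.9,
         public_exploit=True, exploited_in_wild=True, actor_targets_us=True),
]

if __name__ == "__main__":
    for cve, s in prioritize(SAMPLE_VULNS):
        print(f"{s:5.1f}  {cve}")
```

With these inputs the year-old, actively exploited Struts bug on an internet-facing crown-jewel system outranks the hypothetical internal 0-day with no known exploitation, and HYP-3 never appears because no asset runs that product.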
_case study: Equifax data breach
• One of the largest credit bureaus in the U.S.
• Manages historical data for 800 million individual consumers
• Manages historical data for 88 million businesses worldwide
• PII, SSN, CC data
_opportunities to disrupt
Events (as laid out on the slide):

CVE-2017-5638 exploitation
- Vulnerability assessment
- US CERT notification

CVE-2017-9805 exploitation
- Vulnerability assessment
- Expired certificate
- Network traffic not monitored
- Keeping all eggs in one basket (attack a DB, get all)
- Unencrypted credentials

TI actions:
- Direct the right information to the right people.
- Observe vulnerability applicability based on the visibility.
- Understanding of the threat and its impact: TI threat evaluation and report.
_prerequisites for your TI activity

# get your house in order!

# get the stakeholders engaged
• Without having the stakeholders' support your team may not:
  o Have the budget needed to ensure the people, the tools and the processes needed;
  o Be seen as a part of the organization's security program;
  o Have visibility or clearance to access important resources in the organization.

# threat intelligence consumption VS generation
• Consumption: structure information in a format that can be quickly used by security teams.
• Generation: analyze data on past intrusions and provide intelligence based on the results.
• A single TI team should not be doing both!

# decide where to place the team in your organization
• According to your expectations from the TI Team you can keep it as a standalone team or you can place it within other teams.
• As a rule of thumb, the TI Team should be in the middle of the communications;
• Do not place your TI Team in the Vulnerability Management Team. Vulnerability != Threat.
_intelligence generation VS consumption

_generation
• This is based on the analysis of internal intrusions;
• It is used to discover, analyze and understand campaigns against your organization;
• It requires a fair amount of data to be collected – the results will depend on the collection analyzed;
• It uses models and processes such as the Intelligence Life Cycle, Cyber Kill Chain, Diamond Model, etc.;
• This is mostly seen at the security service providers' level.

_consumption
• This is what most organizations want;
• The TI team will have to understand the threats and know the organization's cyber battlefield;
• This is based on the internal and external collections;
• The TI analyst will filter huge data sets, analyze them, and extract and direct the useful data to the right people in the organization (in the right format).
_TI consumption
TI consumption across sliding scale of cyber security:

Source: https://www.sans.org/reading-room/whitepapers/ActiveDefense/sliding-scale-cyber-security-36240
_foundation for your TI activity

• Intelligence requirements
• Collection management framework
• Threat model
• Heat map around the identified/analyzed threats
_intelligence requirements
Intelligence must satisfy a requirement, and the requirement must fill a knowledge gap!

Therefore the definition:

• An intelligence requirement is the objective that the analyst aims to satisfy through the threat intelligence process.

An intelligence requirement should answer only one question about a specific fact and support a single decision.

The requirements should be defined by the intelligence consumer, with help from the TI Team.

The requirements need to be in line with the TI Team's visibility and capabilities.
_collection management framework
The intelligence requirements cannot be satisfied if the data or information needed to fill the knowledge gap does not exist.

A TI analyst must understand their data sources and should be able to answer questions such as:
• How is it obtained?
• How is it processed?
• How is it delivered to me?
• What questions can I answer based on it?

A Collection Management Framework (CMF) is a view of the sources of data, what is available in the data and how that data is processed and exploited.

A CMF is the plan for how you collect data, where you collect it from and what type of data you collect.
_sample CMF
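The sample CMF diagram on this slide is not reproduced in the text. As an added example (not from the deck), the script below encodes the two preceding slides as data: each intelligence requirement records its one question, its one decision and the data types needed to answer it; each CMF source records how it is obtained, processed and delivered and which data types it provides. A coverage check then flags requirements that are malformed (more than one question, or no decision) and those the current collection cannot answer, which is exactly how a CMF exposes knowledge gaps. All sources, data types and requirements are constructed for illustration.

```python
"""Mapping intelligence requirements onto a collection management framework
(added example, not from the deck). All sources, data types and requirements
below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Source:
    name: str
    obtained: str        # How is it obtained?
    processed: str       # How is it processed?
    delivered: str       # How is it delivered to me?
    provides: frozenset  # data types I can answer questions from


@dataclass(frozen=True)
class Requirement:
    ir_id: str
    question: str        # one question about one specific fact
    decision: str        # the single decision the answer supports
    needs: frozenset     # data types needed to answer it


# Constructed CMF: one row per source.
CMF = [
    Source("EDR telemetry", "agent on every endpoint", "parsed into the SIEM",
           "SIEM search", frozenset({"endpoint-process", "endpoint-network"})),
    Source("Vendor TI feed", "subscription API", "normalized into the TIP",
           "TIP export / API", frozenset({"actor-profile", "ttp", "ioc"})),
    Source("Web proxy logs", "syslog from the proxies", "indexed in the SIEM",
           "SIEM search", frozenset({"web-traffic"})),
]

# Constructed intelligence requirements, defined by the consumers.
REQUIREMENTS = [
    Requirement("IR1", "Which criminal groups currently target card data in our sector?",
                "choose the campaigns the SOC hunts for this quarter",
                frozenset({"actor-profile", "ttp"})),
    Requirement("IR2", "Did any host contact infrastructure attributed to ACTOR-A?",
                "open an incident or close the alert",
                frozenset({"ioc", "endpoint-network", "web-traffic"})),
    Requirement("IR3", "Are ACTOR-A lures reaching our mail gateway?",
                "tighten attachment filtering",
                frozenset({"ioc", "email-gateway"})),
]


def well_formed(req: Requirement) -> bool:
    """An IR asks exactly one question and supports exactly one decision."""
    q = req.question.strip()
    return q.count("?") == 1 and q.endswith("?") and bool(req.decision.strip())


def gaps(req: Requirement, cmf: list) -> list:
    """Data types the requirement needs that no source in the CMF provides."""
    available = frozenset().union(*(s.provides for s in cmf))
    return sorted(req.needs - available)


def sources_for(data_type: str, cmf: list) -> list:
    """Which sources (with their obtain/process/deliver chain) cover a data type."""
    return [(s.name, s.obtained, s.processed, s.delivered)
            for s in cmf if data_type in s.provides]


def coverage_report(reqs: list, cmf: list) -> dict:
    """Per IR: 'answerable', 'malformed', or the list of missing data types."""
    report = {}
    for r in reqs:
        if not well_formed(r):
            report[r.ir_id] = "malformed"
            continue
        missing = gaps(r, cmf)
        report[r.ir_id] = "answerable" if not missing else missing
    return report


if __name__ == "__main__":
    for ir_id, status in coverage_report(REQUIREMENTS, CMF).items():
        print(ir_id, status)
```

IR3 comes back with a gap ("email-gateway"): either that collection is added to the CMF or the requirement is re-scoped, which is the feedback loop between the two slides.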
_a threat model
Definition: a threat model is the organization's representation of the threats relevant to it – it formalizes and documents the threats that are likely to impact the organization.

It can show the form, structure, relationships or behaviors of the threats.

It helps in understanding how the threat actors operate, what data they are after and how you are likely to identify their actions.

It helps prioritize security efforts and avoid intelligence fatigue.

It helps identify knowledge gaps and generate requirements.
_a sample threat model
(The slide is a diagram with "Your ORG" in the centre; the four columns are reproduced below, row by row as laid out on the slide.)

What is valuable to you?      | Who is likely to target you for that? | What kind of attacks and malware can they use?            | Your IR HERE:
Financial/Card data           | Cyber criminals                       | Exploit unpatched [systems], exploit kits, phishing, etc. | IR1, IR2
Intellectual Property         | Nation State Actors                   | Supply chain attacks, water holing, etc.                  | ...
System availability           | Hacktivists                           | DDOS, Ransomware, Defacement, Wipers, etc.                |
Confidential information      | Insider                               | Data exfiltration                                         |
_a "database" for your activity
No matter whether you use a TIP or Excel, document the threats identified/analyzed.

Make sure you keep all relevant information about the analyzed threats – the capacity to fulfil [future] intelligence requirements might depend on it.
_ancient cyber wisdom

"He who is lacking in cyber hygiene, not even the cyber threat intelligence can protect him."

Sun Cyber Tzu
