Presented at BsidesCharm 2017. Discusses the difference between strategic and tactical "cyber" threat intelligence, and explores a variety of domains with suggestions of potential targets from an attacker's perspective versus internal.
Range Deep Analysis
• Pays exponentially in the long run
• Indicators of Attack
Tactical
• Current / Now
• Context
• BLUF
• Pays immediate dividends
• Indicators of Compromise
do you have that is critical input to someone else?
• What serious vetting have you done about 3rd party vendors?
• After a breach
• What was taken/accessed that was NOT PII? Why would they want that?
Virtual
• Trade Agreements – Friends and Foe (South China Seas)
• Social & Institutional movements
• Industrialization, access to education and information
STRATEGIC TARGETS
• What tech affects your operation or monitoring of trucking, shipping, rail?
• Exports & Imports - Product Manufacturers
• Major players supporting logistics
• Industrialization enablers (ex: vendors of tech, software, equipment)
• Industrialization
STRATEGIC TARGETS
• Suppliers who made the tech in your equipment
• Suppliers: Purchase orders revealing your capabilities
• Intellectual Property
• Small business – parts & core component manufacturers
• Anyone who’s the “only one” that does X (your org’s SMEs)
• Mom & Pop shops (small business) with a computer (your cleaning team)
• “Strategic Partner” Lists / Calendars
“Unexpected” Deaths (the engine just happened to explode killing….)
STRATEGIC TARGETS
• Key Leaders, their family, IoT in the home/car
• Military Bases, critical infrastructure, natural water sources
• Contracted companies providing critical support/services/manpower
• Reserve resources
decentralizing markets
• Private & government funding
• Elections (Don’t go there...just leave it alone)
• Extremists, dissenting opinions, radicals, terrorists
STRATEGIC TARGETS
• Law makers & support staff
• “High Rollers”, friends & family, frequented businesses
• Persons in opposition to current government
• Research orgs focused on food, technology, weapons, weaponizing $things
do not kidnap or torture him, just hack a scientist…kill a town, district, country?
Transportation, Communication
STRATEGIC TARGETS
• Traffic control systems – air, ground, rail, subway, water
• Communications – tropospheric, satellite, cellular, fiber/cable, xsmn tech
• ICS for power plants, dams, water treatment, landfills, pipelines, mines, ports
• Conferences where multiple critical infrastructure vendors are gathered
• Individuals who work from home or have Admin/Security/Engineering level permissions
• Industrial tech increasing production rates
• Anything packing more stuff into smaller spaces
• Anything improving lethality
• Centralization of communications/schematics/blueprints
STRATEGIC TARGETS
• Anything with a power button/switch = The Internet of Sh!7 (Things)
• Operating/Control Systems old enough to Drink & Vote
• Who hosts your chat platform?
• How many shared service providers does your org use?
of the people” – respected iconic persons
STRATEGIC TARGETS
• Cultural celebrations & holidays – vendors & facilities
• Sporting & Entertainment Events – vendors & facilities
• Industry-centric conferences
• Anything that’s “sacred” to or unites the people
• Membership rosters: Bowling League, Softball Team: Did you give your real name, DOB, address? How’s their OPSEC and InfoSec? Are the game schedules/teams/stats on the Internet?
– you DEVELOP it through ANALYSIS
• Threat Modeling / Adversary Recon Scenario Development
• Careful reading – words & people (magic 8 balls?)
• Knowing your surroundings
• Maintaining a healthy level of paranoia
• Being observant of world events
• Staying abreast of PROPOSED legislation
• History
Offline
• Socializing: meet-up groups, conferences, golf courses
• Historical books, journals, newspapers etc.