Threat Hunting - Thinking About Tomorrow

Tazz
April 30, 2017


Presented at BSidesCharm 2017. Discusses the difference between strategic and tactical "cyber" threat intelligence, and explores a variety of domains with suggestions of potential long-game targets viewed from an attacker's perspective rather than an internal one.


Transcript

  1. Threat Hunting: Thinking About Tomorrow
     Never underestimate the creativity or determination of your enemy. If you can’t think of it, how can you defend against it?
     Twitter: @GRC_Ninja
  3. The Conversation Plan (aka Agenda)
     • Reading Recommendations
     • Talk Objectives
     • The Differences Between Tactical & Strategic Digital Threat Intelligence
     • Target Development – Potential Long Game Targets
     • Questions
  5. MUST READ
     “The State of Strategic Intelligence: The Intelligence Community's Neglect of Strategic Intelligence” by John G. Heidenrich
  8. Objectives
     1. Challenge Your Current Thinking
     2. Encourage Critical Thinking
     If you can’t THINK of it, how can you DEFEND against it?
  11. Cyb3r Threat Intelligence
      Strategic
      • Timely
      • Connections
      • Long Range Deep Analysis
      • Pays exponentially in the long run
      • Indicators of Attack
      Tactical
      • Current / Now
      • Context
      • BLUF
      • Pays immediate dividends
      • Indicators of Compromise
  12. Strategic Threat “Thinking”
      What we’re doing vs. what we need to start doing
      Sources: David Bianco, 2013–present; James Dietel, Effective Threat Intelligence, ©2016
  13. Strategic Threat “Thinking”: Dominos
      • Before a breach/malware
        • What do you have that is critical input to someone else?
        • What serious vetting have you done about 3rd party vendors?
      • After a breach
        • What was taken/accessed that was NOT PII? Why would they want that?
  16. Economics
      • THREAT SCENARIO IDEAS
        • Currency – Physical & Virtual
        • Trade Agreements – Friends and Foe (South China Seas)
        • Social & Institutional movements
        • Industrialization, access to education and information
      • STRATEGIC TARGETS
        • What tech affects your operation or monitoring of trucking, shipping, rail?
        • Exports & Imports – Product Manufacturers
        • Major players supporting logistics
        • Industrialization enablers (ex: vendors of tech, software, equipment)
  17. Business
      • THREAT SCENARIO IDEAS
        • Acquisitions, Monopolies, Market Competitors
        • Industrialization
      • STRATEGIC TARGETS
        • Suppliers who made the tech in your equipment
        • Suppliers: Purchase orders revealing your capabilities
        • Intellectual Property
        • Small business – parts & core component manufacturers
        • Anyone who’s the “only one” that does X (your org’s SMEs)
        • Mom & Pop shops (small business) with a computer (your cleaning team)
        • “Strategic Partner” Lists / Calendars
  18. Military
      • THREAT SCENARIO IDEAS
        • Promotion/Demotion/Removal from power
        • “Unexpected” Deaths (the engine just happened to explode, killing….)
      • STRATEGIC TARGETS
        • Key Leaders, their family, IoT in the home/car
        • Military Bases, critical infrastructure, natural water sources
        • Contracted companies providing critical support/services/manpower
        • Reserve resources
  19. Diplomatic
      • THREAT SCENARIO IDEAS
        • Laws on: wages, privacy, decentralizing markets
        • Private & government funding
        • Elections (Don’t go there...just leave it alone)
        • Extremists, dissenting opinions, radicals, terrorists
      • STRATEGIC TARGETS
        • Law makers & support staff
        • “High Rollers”, friends & family, frequented businesses
        • Persons in opposition to current government
        • Research orgs focused on food, technology, weapons, weaponizing $things (do not kidnap or torture him, just hack a scientist… kill a town, district, country?)
  20. Infrastructure
      • THREAT SCENARIO IDEAS
        • Weather / Topography
        • Transportation, Communication
      • STRATEGIC TARGETS
        • Traffic control systems – air, ground, rail, subway, water
        • Communications – tropospheric, satellite, cellular, fiber/cable, xsmn (transmission) tech
        • ICS for power plants, dams, water treatment, landfills, pipelines, mines, ports
        • Conferences where multiple critical infrastructure vendors are gathered
        • Individuals who work from home or have Admin/Security/Engineering level permissions
  21. Technology
      • THREAT SCENARIO IDEAS
        • Research into anything faster
        • Industrial tech increasing production rates
        • Anything packing more stuff into smaller spaces
        • Anything improving lethality
        • Centralization of communications/schematics/blueprints
      • STRATEGIC TARGETS
        • Anything with a power button/switch = The Internet of Sh!7 (Things)
        • Operating/Control Systems old enough to Drink & Vote
        • Who hosts your chat platform?
        • How many shared service providers does your org use?
  22. Cultural/Professional
      • THREAT SCENARIO IDEAS
        • Motivational Speakers
        • “Man of the people” – respected iconic persons
      • STRATEGIC TARGETS
        • Cultural celebrations & holidays – vendors & facilities
        • Sporting & Entertainment Events – vendors & facilities
        • Industry-centric conferences
        • Anything that’s “sacred” to or unites the people
        • Membership rosters (Bowling League, Softball Team): Did you give your real name, DOB, address? How’s their OPSEC and InfoSec? Are the game schedules/teams/stats on the Internet?
  23. Religious
      • THREAT SCENARIO IDEAS
        • Death of a Religious Leader
        • Values / Morals – right & wrong
      • STRATEGIC TARGETS
        • Religious buildings / icons / memorials
        • Facilities hosting/supporting large-scale religious holiday activities
  25. Where to Find Strategic Intelligence
      • You don’t FIND it – you DEVELOP it through ANALYSIS
        • Threat Modeling / Adversary Recon Scenario Development
        • Careful reading – words & people (magic 8 balls?)
        • Knowing your surroundings
        • Maintaining a healthy level of paranoia
        • Being observant of world events
        • Staying abreast of PROPOSED legislation
        • History
      • Offline
        • Socializing: meet-up groups, conferences, golf courses
        • Historical books, journals, newspapers etc.
  27. THE ANALYST MUST HAVE...
      • Critical & Creative thinking
      • Objectivity
      • Effective writing
      • Diverse & specialized knowledge sets
      • OSINT skills
      • Offline investigative skills
      • Perspective