Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Threat Hunting - Thinking About Tomorrow

839fc2503083a6d6bff4aebdf87a5e1d?s=47 Tazz
April 30, 2017

Threat Hunting - Thinking About Tomorrow

Presented at BsidesCharm 2017. Discusses the difference between strategic and tactical "cyber" threat intelligence, and explores a variety of domains with suggestions of potential targets from an attacker's perspective versus internal.



April 30, 2017


  1. Threat Hunting: Thinking About Tomorrow Never underestimate the creativity or

    determination of your enemy. ↔ If you can’t think of it, how can you defend against it? Twitter: @GRC_Ninja
  2. Can you imagine the motives, goals, structure, organization, & methods

    of your adversary(ies)?
  3. The Conversation Plan (aka Agenda) • Reading Recommendations • Talk

    Objectives • The Differences Between Tactical & Strategic Digital Threat Intelligence • Target Development – Potential Long Game Targets • Questions
  4. Reading Recommendation

  5. MUST READ The State of Strategic Intelligence The Intelligence Community's

    Neglect of Strategic Intelligence by: John G. Heidenrich
  6. MUST READ Effective Threat Intelligence Building and running and intel

    team for your organization by: James Dietel
  7. Objectives

  8. Objectives 1. Challenge Your Current Thinking 2. Encourage Critical Thinking

    If you can’t THINK of it how can you DEFEND against it?
  9. Tactical vs Strategic Digital Threat Intelligence

  10. Tactical vs Strategic “Cyb3r” Intelligence

  11. Cyb3r Threat Intelligence Strategic • Timely • Connections • Long

    Range Deep Analysis • Pays exponentially in the long run • Indicators of Attack Tactical • Current / Now • Context • BLUF • Pays immediate dividends • Indicators of Compromise
  12. Strategic Threat “Thinking” What we’re doing What need to start

    doing David Bianco 2013-present James Dietel, Effective Threat Intelligence ©2016
  13. Strategic Threat “Thinking”: Dominos • Before a breach/malware • What

    do you have that is critical input to someone else? • What serious vetting have you done about 3rd party vendors? • After a breach • What was taken/accessed that was NOT PII? Why would they want that?
  14. Before the Compromise: Target Development

  15. Can you comprehend the motives, goals, structure, organization, & methods

    of your adversary(ies)?
  16. Economics • THREAT SCENARIO IDEAS • Currency – Physical &

    Virtual • Trade Agreements – Friends and Foe (South China Seas) • Social & Institutional movements • Industrialization, access to education and information • STRATEGIC TARGETS • What tech affects your operation or monitoring of trucking, shipping, rail? • Exports & Imports - Product Manufacturers • Major players supporting logistics • Industrialization enablers (ex: vendors of tech, software, equipment)
  17. Business • THREAT SCENARIO IDEAS • Acquisitions, Monopolies, Market Competitors

    • Industrialization • STRATEGIC TARGETS • Suppliers who made the tech in your equipment • Suppliers: Purchase orders revealing your capabilities • Intellectual Property • Small business – parts & core component manufacturers • Anyone who’s the “only one” that does X (your org’s SMEs) • Mom & Pop shops (small business) with a computer (your cleaning team) • “Strategic Partner” Lists / Calendars
  18. Military • THREAT SCENARIO IDEAS • Promotion/Demotion/Removal from power •

    “Unexpected” Deaths (the engine just happened to explode killing….) • STRATEGIC TARGETS • Key Leaders, their family, IoT in the home/car • Military Bases, critical infrastructure, natural water sources • Contracted companies providing critical support/services/manpower • Reserve resources
  19. Diplomatic • THREAT SCENARIO IDEAS • Laws on: wages, privacy,

    decentralizing markets • Private & government funding • Elections (Don’t go there...just leave it alone) • Extremists, dissenting opinions, radicals, terrorists • STRATEGIC TARGETS • Law makers & support staff • “High Rollers”, friends & family, frequented businesses • Persons in opposition to current government • Research orgs focused on food, technology, weapons, weaponizing $things do not kidnap or torture him, just hack a scientists…kill a town, district, country?
  20. Infrastructure • THREAT SCENARIO IDEAS • Weather / Topography •

    Transportation, Communication • STRATEGIC TARGETS • Traffic control systems – air, ground, rail, subway, water • Communications – tropospheric, satellite, cellular, fiber/cable, xsmn tech • ICS for power plants, dams, water treatment, landfills, pipelines, mines, ports • Conferences where multiple critical infrastructure vendors are gathered • Individuals who work from home or have Admin/Security/Engineering level permissions
  21. Technology • THREAT SCENARIO IDEAS • Research into anything faster

    • Industrial tech increasing production rates • Anything packing more stuff into smaller spaces • Anything improving lethality • Centralization of communications/schematics/blueprints • STRATEGIC TARGETS • Anything with a power button/switch = The Internet of Sh!7 (Things) • Operating/Control Systems old enough to Drink & Vote • Who hosts your chat platform? • How many shared service providers does your org use?
  22. Cultural/Professional • THREAT SCENARIO IDEAS • Motivational Speakers • “Man

    of the people” – respected iconic persons • STRATEGIC TARGETS • Cultural celebrations & holidays – vendors & facilities • Sporting & Entertainment Events – vendors & facilities • Industry-centric conferences • Anything that’s “sacred” to or unites the people • Membership rosters Bowling League, Softball Team: Did you give your real name, DOB, address? How’s their OPSEC and InfoSec? Are the game schedules/teams/stats on the Internet?
  23. Religious • THREAT SCENARIO IDEAS • Death of a Religious

    Leader • Values / Morals – right & wrong • STRATEGIC TARGETS • Religious buildings / icons / memorials • Facilities hosting/supporting large-scale religious holiday activities
  24. “Finding” Strategic Intel

  25. Where to Find Strategic Intelligence • You don’t FIND it

    – you DEVELOP it through ANALYSIS • Threat Modeling / Adversary Recon Scenario Development • Careful reading – words & people (magic 8 balls?) • Knowing your surroundings • Maintaining a healthy level of paranoia • Being observant of world events • Staying abreast of PROPOSED legislation • History • Offline • Socializing: meet-up groups, conferences, golf courses • Historical books, journals, newspapers etc.
  26. The Strategic Analyst

  27. THE ANALYST MUST HAVE... •Critical & Creative thinking • Objectivity

    • Effective writing • Diverse & specialized knowledge sets • OSINT skills • Offline investigative skills • Perspective
  28. Final Notes to Leaders asking for Strategic Digital Threat Intel…..

  29. Do you understand the motives, goals, structure, organization, & methods

    of your adversary(ies)?
  30. The supreme art of war is to subdue the enemy

    without fighting. -Sun Tzu