Threat Intelligence Establishing a Common Language

Tazz
March 08, 2018


This talk highlights establishing a common vocabulary for an organization and provides a small walk through of how threat intelligence teams profile threats using a consistent scoring system. Users will learn some do's and don'ts for developing a threat intelligence program and receive a very high level summary of the different phases that make up the threat intelligence cycle. (Note: There are 2 additional slides in this deck that were not in the original presentation, 31 & 37 were added for users who cannot stream the video)


Transcript

  1. THREAT INTELLIGENCE: ESTABLISHING A COMMON LANGUAGE

  2. DISCUSSION PLAN • Introduction • Documentation • Vocabulary • Objectives (Business –vs- Threat Intelligence) • Intelligence Requirements • Threat Actor Profiles/Attributes • Threat Intelligence Cycle

  3. INTRODUCTION • Tazz • Twitter: @GRC_ninja • Blog: http://osint.fail • Slides: speakerdeck.com/grcninja • OSINT • Divine Intel

  4. DOCUMENTATION • Threat Intelligence Program • Based on threat intelligence phases • Dynamic Documentation (Wiki) • Vocabulary • Communication Plans • Tools • Sources: used/unused metadata
  5. VOCABULARY: WORDS MATTER

  6. VOCABULARY • Threat • Vulnerability • Risk • Severity vs Impact • Probability vs Likelihood • Intelligence Requirement

  7. THREAT • Noun: person, place or thing • $Noun that will or seeks to: • Disrupt • Delay • Divert • Damage • Destroy • Will be documented with a consistent profile • quantitative + qualitative

  8. VULNERABILITY • CVSS • Weakness? • Flaw | Bug • Limitation: Human, Technical, Resource • Blindspot: Known Unknown; Unknown Unknown • Inevitable

  9. RISK • BUSINESS asks: What puts me at risk? What are my risk factors? • THREAT INTEL TEAM asks: What makes us a target? Where would someone attack us?

  10. SEVERITY VS IMPACT • Severity: 1 tequila shot vs 1 bottle of tequila; Thunderstorm vs Hurricane • Impact: Hangover vs hospitalization; 1 day clean up vs 6 months

  11. PROBABILITY VS LIKELIHOOD • Probability of Drunkenness = Quantitative • working: 2 out of 7 nights in a week = 28.57% • vacation: 6-7 out of 7 nights = 85.7% - 100% • Likelihood of Drunkenness = Qualitative • low | moderate likelihood • moderate | high | extreme likelihood
  12. OBJECTIVES: BUSINESS –VS– THREAT INTELLIGENCE

  13. BUSINESS OBJECTIVES • Reduce risk by identifying threats in their pre-attack phases • Reduce cost by reducing the time, money, and manpower spent on incident response and management, because threats are found and addressed in advance • Consistently provide reliable, decision-enhancing information for leaders • Add value to customers by providing threat intelligence that allows them to make well-informed business decisions

  14. THREAT INTELLIGENCE OBJECTIVES • Limit threat actor capabilities / reduce their attack options • Disrupt the adversary’s plans: stop their undetected activities, and do not let them operate without sharing what we learn with other defenders • Delay the actor’s timeline or ability to launch an attack • Divert any resources the actor might use; render them unavailable to the actor • Destroy their infrastructure, organic existence • Damage their forces (ex: shutting down a portion of a botnet) • THE ABOVE IS NOT ENDORSEMENT OF ILLEGAL OR HACK-BACK ACTION
  15. INTELLIGENCE REQUIREMENTS

  16. INTELLIGENCE REQUIREMENT • General: always want to know • Priority: specific, “regularly” revised, 1:1

  17. PRIORITY INTELLIGENCE REQUIREMENTS • No more than 4, preferably 3 • Focus on a specific fact, event, activity • 1 PIR = intelligence for leadership to make ONE DECISION • DON’T… • …write them for the business, coach them instead • …forget there are also GENERAL intelligence requirements, these are the “obvious” things you’d almost always have an interest in (ex: new exploit for Bluetooth)

  18. (GOOD) PIR EXAMPLES • What are the current indicators of an organized cyber-attack on $location/$asset? • What are the indicators that $groupA or $actorB is planning an attack on $pink_widgets? • Which tools does $actorZ use (protocols, scripts, scanning, tools)? • What are the $actor’s subsequent and fallback locations (i.e. service providers), and how could/will they transfer their attack platforms from infrastructure $locationA to $locationB?
  19. THREAT ACTOR PROFILING • THIS IS GOING TO GO VERY FAST…. PLEASE HOLD YOUR QUESTIONS

  20. THREAT ACTOR PROFILES/ATTRIBUTES • BE CONSISTENT • Determination • Motivation • Resources • Technical • Intelligence • Financial • People (Team Size) • Skills & Experience • Time Undetected • Time for Malice

  21. DETERMINATION • How easily do they scare: • 1 = Very Easily, runs away forever • 2 = Easily, plays hide and seek • 3 = Not so Easily, will engage digitally, passively • 4 = Aggressive, in your face • 5 = Hostile, draw down

  22. MOTIVATION • What is their end game? • 1 = Bragging rights • 2 = Coerced / Incentives / Blackmailed / Bribed • 3 = Personal Income $ • 4 = Hero Complex - save the world • 5 = God Complex - burn the world

  23. RESOURCES • Technical • Intelligence • Financial • People (Team Size)

  24. RESOURCES: TECHNICAL • 1 = Free • 2 = Free + Cheap • 3 = Paid + Customizable • 4 = Invite Only + In-house • 5 = 100% Proprietary / Restricted Development

  25. RESOURCES: INTELLIGENCE • 1 = Open Source Only • 2 = Internal Company, Tactical | User level • 3 = Internal Company, Operational | Power User • 4 = Internal Company, Strategic | Domain Admin / root • 5 = Internal Proprietary | Government (BIOS | kernel)

  26. RESOURCES: FINANCIAL • 1) X < $2K • 2) $2K <= X <= $10K • 3) $10K < X <= $50K • 4) $50K < X <= $2M • 5) $2M < X

  27. RESOURCES: PEOPLE (TEAM SIZE) • People or purely numbers? • Hybrids? numbers, skills, experience, & time for malice • Factors: • # of tech-savvy or not • # of full-time / part-time • organization? structure?

  28. SKILLS & EXPERIENCE • 1 = Probably never done this • 2 = Done this a couple times, but lots of footprints • 3 = Pretty good at this, cover their tracks a little • 4 = Could teach classes, almost missed them • 5 = SMEs, quiet, no footprints

  29. TIME UNDETECTED • Do you care what the "industry average" is? • 1) X < 1 hour • 2) 1 hour <= X <= 30 days • 3) 30 < X <= 180 days • 4) 180 < X <= 365 days • 5) 365 < X

  30. TIME FOR MALICE • 1 = Weekender • 2 = Evenings only • 3 = Part time job • 4 = Full time job • 5 = 24/7 ops

  31. THREAT ACTOR PROFILE SCORE • Determination = 4 • Motivation = 3 • Resources: Technical = 2, Intelligence = 1, Financial = 2, People (Team Size) = 3 • Skills & Experience = 3 • Time Undetected = 4 • Time for Malice = 3 • Added up = 25; divide by the 45 possible points (9 attributes x 5) = 0.5556 • Multiply by 10 to keep with the base-10 (0-10) scale of CVSS: 10 x 0.5556 = 5.56 Threat Actor Profile Score
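The scoring walk-through on slides 20-31 is a procedure you will want two analysts to apply identically, so here it is as an added, runnable example (my code, not the deck's or the author's). The arithmetic is exactly slide 31's: nine attributes scored 1 to 5, summed, divided by the 45 possible points, times 10. Everything else is my own addition and naming: the `ThreatActorProfile` class with range validation, the `financial_band` and `time_undetected_band` helpers that turn a dollar figure or a dwell time into the slide 26 / slide 29 band (treating a value that sits exactly on a boundary as the lower band, which the slides leave unstated), `rank_profiles`, the constructed second actor, and `score_zero_based`, a variant that corrects the floor discussed in the note after the block.

```python
"""Threat actor profile scoring (slides 20-31) as an added, runnable example.

Not the deck's own code. Attribute names, the dataclass, the banding helpers,
rank_profiles and score_zero_based are my additions; the score() arithmetic
follows slide 31 exactly.
"""
from dataclasses import dataclass, fields

ATTRIBUTE_NAMES = (
    "determination", "motivation", "technical", "intelligence", "financial",
    "people", "skills_experience", "time_undetected", "time_for_malice",
)
MIN_PER_ATTRIBUTE, MAX_PER_ATTRIBUTE = 1, 5
MAX_TOTAL = MAX_PER_ATTRIBUTE * len(ATTRIBUTE_NAMES)  # 45 possible points (slide 31)
MIN_TOTAL = MIN_PER_ATTRIBUTE * len(ATTRIBUTE_NAMES)  # 9: every attribute at its floor


def financial_band(usd: float) -> int:
    """Slide 26 bands. Assumption (mine): a value exactly on a boundary,
    e.g. $2,000, is placed in the lower band."""
    for band, upper in ((1, 2_000), (2, 10_000), (3, 50_000), (4, 2_000_000)):
        if usd <= upper:
            return band
    return 5


def time_undetected_band(hours: float) -> int:
    """Slide 29 bands, from dwell time in hours. Same boundary assumption."""
    days = hours / 24
    if hours < 1:
        return 1
    if days <= 30:
        return 2
    if days <= 180:
        return 3
    if days <= 365:
        return 4
    return 5


@dataclass(frozen=True)
class ThreatActorProfile:
    """One consistent profile: every attribute is an integer 1-5 (slide 20)."""
    determination: int
    motivation: int
    technical: int
    intelligence: int
    financial: int
    people: int
    skills_experience: int
    time_undetected: int
    time_for_malice: int

    def __post_init__(self) -> None:
        # Refuse out-of-range or non-integer inputs so two analysts cannot
        # silently produce incomparable scores.
        for f in fields(self):
            value = getattr(self, f.name)
            if not isinstance(value, int) or not MIN_PER_ATTRIBUTE <= value <= MAX_PER_ATTRIBUTE:
                raise ValueError(f"{f.name} must be an integer 1-5, got {value!r}")

    def total(self) -> int:
        return sum(getattr(self, f.name) for f in fields(self))

    def score(self) -> float:
        """Slide 31 arithmetic: total / 45, times 10, rounded to two decimals."""
        return round(self.total() / MAX_TOTAL * 10, 2)

    def score_zero_based(self) -> float:
        """My addition: each attribute is at least 1, so slide 31's score can
        never fall below 2.0 (9/45*10). This maps the real range 9..45 onto 0..10."""
        return round((self.total() - MIN_TOTAL) / (MAX_TOTAL - MIN_TOTAL) * 10, 2)


# The profile worked on slide 31.
SLIDE_31_EXAMPLE = ThreatActorProfile(
    determination=4, motivation=3, technical=2, intelligence=1, financial=2,
    people=3, skills_experience=3, time_undetected=4, time_for_malice=3,
)


def rank_profiles(profiles: dict) -> list:
    """Order named profiles from highest to lowest score, so a PIR such as
    'which actor should we watch first' gets the same answer every time."""
    return sorted(profiles.items(), key=lambda kv: kv[1].score(), reverse=True)


if __name__ == "__main__":
    p = SLIDE_31_EXAMPLE
    print(f"slide31: total {p.total()}/{MAX_TOTAL} -> score {p.score()} "
          f"(zero-based {p.score_zero_based()})")
    # Constructed second actor (not from the deck): well funded, patient, quiet tradecraft.
    quiet = ThreatActorProfile(
        determination=3, motivation=3, technical=4, intelligence=3,
        financial=financial_band(250_000), people=4, skills_experience=5,
        time_undetected=time_undetected_band(24 * 200), time_for_malice=5,
    )
    for name, prof in rank_profiles({"slide31": p, "quiet": quiet}):
        print(name, prof.score())
```

Two things worth noticing when you adopt this scale. First, because no attribute can score below 1, the slide 31 formula bottoms out at 2.0 rather than 0, so it is not directly comparable to a CVSS base score despite sharing the 0-10 range; `score_zero_based` shows the rescaling if that matters to you. Second, the value of the exercise is in the consistency, which is why the class rejects anything outside 1-5 instead of clamping it: a profile with a typo should fail loudly rather than quietly rank an actor too high or too low.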
  32. THREAT INTELLIGENCE CYCLE • INTELLIGENCE IS DEVELOPED, NOT FOUND, NOT A FEED

  33. THREAT INTELLIGENCE PROCESS • Plan It: Planning & Governance • Make It: Collection, Processing, Analysis & Evaluation • Share It: Reporting & Dissemination, Action & Feedback

  34. [image-only slide, no transcript text]

  35. MAKE IT – ONE SOURCE AT A TIME • Collect • Process • Analyze • Evaluate • Tune

  36. SHARE IT – INTERNALLY AND EXTERNALLY • Remember your planning? • How and What you share will vary greatly and communications plans must be well documented • DON’T… • …list points of contact ONLY by name/email/phone; processes are based on job functions, so consider role-specific emails instead of individual ones, which builds flexibility • …be naive, you are NOT the only person/org/team who needs to know • …assume everyone already knows; nobody can collect and analyze all available information… not even the NSA

  37. RESOURCES • 1. Threat Scoring Matrix: https://github.com/grcninja/Blog_Docs/blob/master/THREAT%20ACTOR%20IMPACT%20SCORING.pdf • 2. Risk Management and Threat Scoring Blog: https://www.osint.fail/2017/12/24/threat_scoring/ • 3. How to Build a Threat Intel Program Blog: https://www.osint.fail/2017/04/24/outlining-a-threat-intel-program/

  38. QUESTIONS • Thank you for joining me. You may reach me here for private questions: Twitter: @GRC_ninja