
Threat Intelligence Establishing a Common Language

Tazz
March 08, 2018


This talk highlights establishing a common vocabulary for an organization and provides a short walk-through of how threat intelligence teams profile threats using a consistent scoring system. Users will learn some do's and don'ts for developing a threat intelligence program and receive a very high level summary of the different phases that make up the threat intelligence cycle. (Note: There are 2 additional slides in this deck that were not in the original presentation; 31 & 37 were added for users who cannot stream the video.)


Transcript

  1. DISCUSSION PLAN • Introduction • Documentation • Vocabulary • Objectives (Business vs Threat Intelligence) • Intelligence Requirements • Threat Actor Profiles/Attributes • Threat Intelligence Cycle
  2. INTRODUCTION • Tazz • Twitter: @GRC_ninja • Blog: http://osint.fail • Slides: speakerdeck.com/grcninja • OSINT • Divine Intel
  3. DOCUMENTATION • Threat Intelligence Program • Based on threat intelligence phases • Dynamic Documentation (Wiki) • Vocabulary • Communication Plans • Tools • Sources: used/unused metadata
  4. VOCABULARY • Threat • Vulnerability • Risk • Severity vs Impact • Probability vs Likelihood • Intelligence Requirement
  5. THREAT • Noun: person, place or thing • $Noun that will or seeks to: • Disrupt • Delay • Divert • Damage • Destroy • Will be documented with a consistent profile • quantitative + qualitative
  6. VULNERABILITY • CVSS • Weakness? • Flaw | Bug • Limitation: Human, Technical, Resource • Blindspot: Known Unknown; Unknown Unknown • Inevitable
  7. RISK • BUSINESS: What puts me at risk? What are my risk factors? • THREAT INTEL TEAM: What makes us a target? Where would someone attack us?
  8. SEVERITY VS IMPACT • Severity: 1 tequila shot vs 1 bottle of tequila; Thunderstorm vs Hurricane • Impact: Hangover vs hospitalization; 1 day clean-up vs 6 months
  9. PROBABILITY VS LIKELIHOOD • Probability of Drunkenness = Quantitative • working: 2 out of 7 nights in a week = 28.57% • vacation: 6-7 out of 7 nights = 85.7% - 100% • Likelihood of Drunkenness = Qualitative • low | moderate likelihood • moderate | high | extreme likelihood
  10. BUSINESS OBJECTIVES • Reduce risk by identifying threats in their pre-attack phases • Reduce cost by reducing the time, money, and manpower spent on incident response and management, because threats are found and addressed in advance • Consistently provide reliable, decision-enhancing information for leaders • Add value to customers by providing threat intelligence that allows them to make well-informed business decisions
  11. THREAT INTELLIGENCE OBJECTIVES • Limit threat actor capabilities / reduce their attack options • Disrupt the adversary's plans: stop undetected activity, and stop allowing them to operate without sharing what we learn with other defenders • Delay the actor's timeline or ability to launch an attack • Divert any resources the actor might use; render them unavailable to the actor • Destroy their infrastructure, organic existence • Damage their forces (ex: shutting down a portion of a botnet) • THE ABOVE IS NOT ENDORSEMENT OF ILLEGAL OR HACK-BACK ACTION
  12. PRIORITY INTELLIGENCE REQUIREMENTS • No more than 4, preferably 3 • Focus on a specific fact, event, activity • 1 PIR = intelligence for leadership to make ONE DECISION • DON'T… • …write them for the business, coach them instead • …forget there are also GENERAL intelligence requirements; these are the "obvious" things you'd almost always have an interest in (ex: new exploit for Bluetooth)
  13. (GOOD) PIR EXAMPLES • What are the current indicators of an organized cyber-attack on $location/$asset? • What are the indicators that $groupA or $actorB is planning an attack on $pink_widgets? • Which tools does $actorZ use (protocols, scripts, scanning, tools)? • What are $actor's subsequent and fallback locations (i.e. service providers), and how could/will they transfer their attack platforms from infrastructure $locationA to $locationB?
  14. THREAT ACTOR PROFILES/ATTRIBUTES • BE CONSISTENT • Determination • Motivation • Resources: Technical, Intelligence, Financial, People (Team Size) • Skills & Experience • Time Undetected • Time for Malice
  15. DETERMINATION • How easily do they scare? • 1 = Very Easily, runs away forever • 2 = Easily, plays hide and seek • 3 = Not so Easily, will engage digitally, passively • 4 = Aggressive, in your face • 5 = Hostile, draw down
  16. MOTIVATION • What is their end game? • 1 = Bragging rights • 2 = Coerced / Incentives / Blackmailed / Bribed • 3 = Personal Income $ • 4 = Hero Complex - save the world • 5 = God Complex - burn the world
  17. RESOURCES: TECHNICAL • 1 = Free • 2 = Free + Cheap • 3 = Paid + Customizable • 4 = Invite Only + In-house • 5 = 100% Proprietary / Restricted Development
  18. RESOURCES: INTELLIGENCE • 1 = Open Source Only • 2 = Internal Company, Tactical | User level • 3 = Internal Company, Operational | Power User • 4 = Internal Company, Strategic | Domain Admin / root • 5 = Internal Proprietary | Government (BIOS | kernel)
  19. RESOURCES: FINANCIAL • 1) X < $2K • 2) $2K < X <= $10K • 3) $10K < X <= $50K • 4) $50K < X <= $2M • 5) $2M < X
  20. RESOURCES: PEOPLE (TEAM SIZE) • People or purely numbers? • Hybrids? numbers, skills, experience, & time for malice • Factors: # of tech-savvy or not; # of full-time / part-time; organization? structure?
  21. SKILLS & EXPERIENCE • 1 = Probably never done this • 2 = Done this a couple times, but lots of footprints • 3 = Pretty good at this, cover their tracks a little • 4 = Could teach classes, almost missed them • 5 = SMEs, quiet, no footprints
  22. TIME UNDETECTED • Do you care what the "industry average" is? • 1) X < 1 hour • 2) 1 hour < X <= 30 days • 3) 30 days < X <= 180 days • 4) 180 days < X <= 365 days • 5) 365 days < X
  23. TIME FOR MALICE • 1 = Weekender • 2 = Evenings only • 3 = Part time job • 4 = Full time job • 5 = 24/7 ops
  24. THREAT ACTOR PROFILE SCORE • Determination = 4 • Motivation = 3 • Resources: Technical = 2, Intelligence = 1, Financial = 2, People (Team Size) = 3 • Skills & Experience = 3 • Time Undetected = 4 • Time for Malice = 3 • Added up = 25; divide by the 45 possible points (9 attributes x 5 max each) = 0.5556 • Multiply by 10 to keep with the base-10 scale of CVSS: 10 x 0.5556 = 5.56 Threat Actor Profile Score
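The scoring walk-through on slides 14-24 is mechanical enough to be worth automating, so here is a small implementation, added for this page and not taken from the deck or from the author's published scoring matrix. It scores each of the nine attributes 1-5, rejects out-of-range values (a profile scored inconsistently is exactly what slide 14's "BE CONSISTENT" warns against), and reproduces the 25 / 45 x 10 = 5.56 example. The two bucketing helpers map a raw dollar figure and a raw dwell time onto the bands from slides 19 and 22; the slides leave the exact boundary values (exactly $2K, exactly 1 hour) unassigned, so this code places them in the higher band, which is an assumption. Team size is assumed to be scored 1-5 like the other attributes, since slide 20 gives factors but no scale. The class and function names are this example's own.

```python
"""Threat actor profile score, as described on slides 14-24 of the deck (added example)."""
from dataclasses import dataclass, fields

MAX_PER_ATTRIBUTE = 5  # every attribute on the deck is scored 1..5


@dataclass(frozen=True)
class ThreatActorProfile:
    """One attribute per field; all nine scored on the same 1..5 scale."""
    determination: int
    motivation: int
    resources_technical: int
    resources_intelligence: int
    resources_financial: int
    resources_people: int          # assumption: team size scored 1..5 like the rest
    skills_experience: int
    time_undetected: int
    time_for_malice: int

    def __post_init__(self) -> None:
        # Consistency check: refuse a profile that is outside the agreed scale.
        for f in fields(self):
            value = getattr(self, f.name)
            if not isinstance(value, int) or not 1 <= value <= MAX_PER_ATTRIBUTE:
                raise ValueError(
                    f"{f.name} must be an integer 1..{MAX_PER_ATTRIBUTE}, got {value!r}"
                )

    def total(self) -> int:
        return sum(getattr(self, f.name) for f in fields(self))


def max_points() -> int:
    """9 attributes x 5 = 45 possible points."""
    return MAX_PER_ATTRIBUTE * len(fields(ThreatActorProfile))


def profile_score(profile: ThreatActorProfile) -> float:
    """Sum / 45, scaled to 0..10 to sit beside CVSS, rounded to two decimals."""
    return round(profile.total() / max_points() * 10, 2)


def financial_score(usd: float) -> int:
    """Bands from slide 19. Boundary values go to the higher band (assumption)."""
    if usd < 2_000:
        return 1
    if usd <= 10_000:
        return 2
    if usd <= 50_000:
        return 3
    if usd <= 2_000_000:
        return 4
    return 5


def time_undetected_score(hours: float) -> int:
    """Bands from slide 22, input in hours. Exactly 1 hour goes to band 2 (assumption)."""
    day = 24
    if hours < 1:
        return 1
    if hours <= 30 * day:
        return 2
    if hours <= 180 * day:
        return 3
    if hours <= 365 * day:
        return 4
    return 5


# The worked example from slide 24.
SLIDE_24_EXAMPLE = ThreatActorProfile(
    determination=4,
    motivation=3,
    resources_technical=2,
    resources_intelligence=1,
    resources_financial=2,
    resources_people=3,
    skills_experience=3,
    time_undetected=4,
    time_for_malice=3,
)

if __name__ == "__main__":
    print(f"total={SLIDE_24_EXAMPLE.total()} / {max_points()} -> {profile_score(SLIDE_24_EXAMPLE)}")
    # A constructed actor: $40K budget, 200 days undetected -> financial 3, time undetected 4
    print(financial_score(40_000), time_undetected_score(200 * 24))
```

Because every attribute carries the same weight, an actor with a large budget but low skill can land on the same score as a skilled but broke one; if that matters for your decisions, the place to fix it is the weighting, not the scale, and whatever you choose should be written into the vocabulary page of the program wiki so every profile is scored the same way.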
  25. THREAT INTELLIGENCE PROCESS • Plan It: Planning & Governance • Make It: Collection, Processing, Analysis & Evaluation • Share It: Reporting & Dissemination, Action & Feedback
  26. SHARE IT - INTERNALLY AND EXTERNALLY • Remember your planning? • How and what you share will vary greatly, and communications plans must be well documented • DON'T… • …list points of contact ONLY by name/email/phone; processes are based on job functions, so consider role-specific emails instead of individual ones, which builds flexibility • …be naive, you are NOT the only person/org/team who needs to know • …assume everyone already knows; nobody can collect and analyze all available information… not even the NSA
  27. RESOURCES • 1. Threat Scoring Matrix: https://github.com/grcninja/Blog_Docs/blob/master/THREAT%20ACTOR%20IMPACT%20SCORING.pdf • 2. Risk Management and Threat Scoring Blog: https://www.osint.fail/2017/12/24/threat_scoring/ • 3. How to Build a Threat Intel Program Blog: https://www.osint.fail/2017/04/24/outlining-a-threat-intel-program/
  28. QUESTIONS • Thank you for joining me. You may reach me here for private questions: Twitter: @GRC_ninja