Threat Intelligence Establishing a Common Language

Transcript

1. THREAT INTELLIGENCE: ESTABLISHING A COMMON LANGUAGE

2. DISCUSSION PLAN • Introduction • Documentation • Vocabulary • Objectives

   (Business –vs- Threat Intelligence) • Intelligence Requirements • Threat Actor Profiles/Attributes • Threat Intelligence Cycle

3. INTRODUCTION • Tazz • Twitter: @GRC_ninja • Blog: http://osint.fail •

   Slides: speakerdeck.com/grcninja • OSINT • Divine Intel

4. DOCUMENTATION • Threat Intelligence Program • Based on threat intelligence

   phases • Dynamic Documentation (Wiki) • Vocabulary • Communication Plans • Tools • Sources: used/unused metadata

5. VOCABULARY WORDS MATTER

6. VOCABULARY • Threat • Vulnerability • Risk • Severity vs

   Impact • Probability vs Likelihood • Intelligence Requirement

7. THREAT • Noun: person, place or thing • $Noun that

   will or seeks to: • Disrupt • Delay • Divert • Damage • Destroy • Will be documented with a consistent profile • quantitative + qualitative

8. VULNERABILITY • CVSS • Weakness? • Flaw | Bug •

   Limitation: Human, Technical, Resource • Blindspot: Known Unknown; Unknown Unknown • Inevitable

9. RISK BUSINESS • What puts me at risk? • What

   are my risk factors? THREAT INTEL TEAM • What makes us a target? • Where would someone attack us?

10. SEVERITY VS IMPACT • Severity • 1 tequila shot vs

    1 bottle of tequila • Thunderstorm vs Hurricane • Impact • Hangover vs hospitalization • 1 day clean up vs 6 months

11. PROBABILITY VS LIKELIHOOD • Probability of Drunkenness = Quantitative •

    working: 2 out of 7 nights in a week 28.57% • vacation: 6-7 out of 7 nights = 85% - 100% • Likelihood of Drunkenness = Qualitative • low | moderate likelihood • moderate | high | extreme likelihood

12. OBJECTIVES BUSINESS –VS– THREAT INTELLIGENCE

13. BUSINESS OBJECTIVES • Reduce risk by identifying threats in their

    pre-attack phases • Reduce cost by reducing the time, money, and manpower spent on incident response and management because threats are found and addressed in advance • Consistently provide reliable, decision-enhancing information for leaders • Add value to customers by providing threat intelligence that allows them to make well-informed business decisions

14. THREAT INTELLIGENCE OBJECTIVES • Limit threat actor capabilities / reduce

    their attack options • Disrupt adversary’s plans – stop undetected activities or allowing them to operate without sharing what we learn with other defenders • Delay the actor’s time line or ability to launch an attack • Divert any resources the actor might use, render them unavailable to the actor • Destroy their infrastructure, organic existence • Damage their forces (ex: shutting down a portion of a botnet) • THE ABOVE IS NOT ENDORSEMENT OF ILLEGAL OR HACK-BACK ACTION

15. INTELLIGENCE REQUIREMENTS

16. INTELLIGENCE REQUIREMENT • General: always want to know • Priority:

    specific, “regularly” revised, 1:1

17. PRIORITY INTELLIGENCE REQUIREMENTS • No more than 4, preferably 3

    • Focus on a specific fact, event, activity • 1 PIR = intelligence for leadership to make ONE DECISION • DON’T… • …write them for the business, coach them instead • …forget there are also GENERAL intelligence requirements, these are the “obvious” things you’d almost always have an interest in (ex: new exploit for Bluetooth)

18. (GOOD) PIR EXAMPLES • What are the current indicators of

    an organized cyber- attack on $location/$asset • What are the indicators that $groupA or $actorB is planning an attack on $pink_widgets? • Which tools does $actorZ use (protocols, scripts, scanning, tools?) • What are the $actor’s subsequent and fallback locations (i.e. service providers), and how could/will they transfer their attack platforms from infrastructure $locationA to $locationB?

19. THREAT ACTOR PROFILING THIS IS GOING TO GO VERY FAST….

    PLEASE HOLD YOUR QUESTIONS

20. THREAT ACTOR PROFILES/ATTRIBUTES • BE CONSISTENT • Determination • Motivation

    • Resources • Technical • Intelligence • Financial • People (Team Size) • Skills & Experience • Time Undetected • Time for Malice

21. DETERMINATION • How easily do they scare: • 1 =

    Very Easily, runs away forever • 2 = Easily, plays hide and seek • 3 = Not so Easily, will engage digitally, passively • 4 = Aggressive, in your face • 5 = Hostile, draw down

22. MOTIVATION • What is their end game? • 1 =

    Bragging rights • 2 = Coerced / Incentives / Blackmailed / Bribed • 3 = Personal Income $ • 4 = Hero Complex - save the world • 5 = God Complex - burn the world

23. RESOURCES • Technical • Intelligence • Financial • People (Team

    Size)

24. RESOURCES: TECHNICAL • 1 = Free • 2 = Free

    + Cheap • 3 = Paid + Customizable • 4 = Invite Only + In-house • 5 = 100% Proprietary / Restricted Development

25. RESOURCES: INTELLIGENCE • 1 = Open Source Only • 2

    = Internal Company, Tactical | User level • 3 = Internal Company, Operational | Power User • 4 = Internal Company, Strategic | Domain Admin / root • 5 = Internal Proprietary | Government (Bios | kernel)

26. RESOURCES: FINANCIAL • 1) X < $2K • 2) $2K

    < X <=$10K • 3) $10K < X <= $50K • 4) $50K < X <= $2M • 5) $2M < X

27. RESOURCES: PEOPLE (TEAM SIZE) • People or purely numbers? •

    Hybrids? numbers, skills, experience, & time for malice • Factors: • # of tech-savvy or not • # of full-time / part-time • organization? structure?

28. SKILLS & EXPERIENCE • 1 = Probably never done this

    • 2 = Done this a couple times, but lots of footprints • 3 = Pretty good at this, cover their tracks a little • 4 = Could teach classes, almost missed them • 5 = SMEs, quiet, no footprints

29. TIME UNDETECTED • Do you care what the "industry average"

    is? • 1) X < 1 hour • 2) 1 hour < X <= 30 days • 3) 30 < X <= 180 days • 4) 180 < X <= 365 days • 5) 365 < X

30. TIME FOR MALICE • 1 = Weekender • 2 =

    Evenings only • 3 = Part time job • 4 = Full time job • 5 = 24/7 ops

31. THREAT ACTOR PROFILE SCORE • Determination = 4 • Motivation

    = 3 • Resources • Technical = 2 • Intelligence = 1 • Financial = 2 • People (Team Size) = 3 • Skills & Experience = 3 • Time Undetected = 4 • Time for Malice = 3 • Added up = 25, now divide by 45 possible points = .55556 • .55556 multiply by 10 to keep with the base 10 system of CVSS = 10 x .5556 = 5.56 Threat Actor Profile Score

32. THREAT INTELLIGENCE CYCLE INTELLIGENCE IS DEVELOPED, NOT FOUND, NOT A

    FEED

33. THREAT INTELLIGENCE PROCESS • Plan It • Planning & Governance

    • Make It • Collection • Processing • Analysis & Evaluation • Share It • Reporting & Dissemination • Action & Feedback
34. None

35. MAKE IT – ONE SOURCE AT A TIME Collect Process

    Analyze Evaluate Tune

36. SHARE IT – INTERNALLY AND EXTERNALLY • Remember your planning?

    • How and What you share will vary greatly and communications plans must be well documented • DON’T… • …list points of contact ONLY by name/email/phone; processes are based on job functions  consider role specific emails instead of individual, builds flexibility • …be naive, you are NOT the only person/org/team who needs to know • …assume everyone already knows; nobody can collect and analyze all available information… not even the NSA

37. RESOURCES 1. Threat Scoring Matrix: https://github.com/grcninja/Blog_Docs/blob/master/ THREAT%20ACTOR%20IMPACT%20SCORING.pdf 2. Risk Management

    and Threat Scoring Blog: https://www.osint.fail/2017/12/24/threat_scoring/ 3. How to Build a Threat Intel Program Blog: https://www.osint.fail/2017/04/24/outlining-a-threat- intel-program/

38. QUESTIONS Thank you for joining me. You may reach me

    here for private questions: Twitter: @GRC_ninja