Threat Intelligence for Executives, Senior Leaders, and Security Practitioners

Tazz
May 24, 2019

This presentation provides a milestone approach packed with do's and don'ts on how to properly build, implement, manage and leverage a threat intelligence program. If you think threat intelligence is a function of information security, a defense against malware, a feed, or something you buy, then you should review this slide deck carefully. These slides were updated and presented at the Infosec Summit 2019 in Columbus, Ohio.

Transcript

  2. OVERVIEW
     • ABOUT TAZZ
     • WHO, WHERE AND HOW OF THREAT INTELLIGENCE
     • THREAT INTELLIGENCE PROGRAM PHASES AND PROCESSES
     • PLAN IT → MAKE IT → SHARE IT
     • SUMMARY
     • QUESTIONS
  3. ABOUT TAZZ
     • IOC MONKEY
     • SOC ANALYST - EXCEL MONKEY
     • DASHBOARD STALKER
     • THREAT RESEARCHER - SPLUNK SLAVE
     • FIREFIGHTER
     • FIRE STARTER
     • ALTERNATIVE FACTS INTERPRETER
     • FIELD SOFTWARE (BREAKER/FIXER) ENGINEER
     • SYSTEM ADMINISTRATOR OF CHAOS
     • IA HOODLUM / COMPLIANCE SORCERESS
     • INFORMATION SECURITY CAT HERDER
     • SECURITY ARCHITECT - QUEEN OF YES BUT NO!
     • THREAT NEUTRALIZER / PEOPLE ERASER
  4. WHO?

  5. WHO NEEDS THREAT INTELLIGENCE?
     (diagram: Threat Intel at the center, surrounded by C-Suite, Marketing, Physical Security, Sales & Ops, Legal, InfoSec, Human Resources)
  6. WHERE?

  7. WHERE DOES THREAT INTEL “FIT”? AT THE ENTERPRISE LEVEL
     (org chart: CEO, CSO, Threat Intel, InfoSec, PhySec, Mktg, Legal, $Dept)
     • IT SERVES UP: CEO
     • IT SERVES ACROSS: OTHER DEPTS
     • IT SERVES DOWN: BLUE TEAM OPS
  8. HOW?

  9. THREAT INTELLIGENCE IS DEVELOPED NOT FOUND
     • PLAN IT
       • What matters?
       • Storage & Access
       • People
     • MAKE IT
       • Collect
       • Process & Analyze
       • Evaluate & Tune
     • SHARE IT
       • Internal
       • External
       • Feedback
  10. THREAT INTELLIGENCE PHASES AND PROCESSES

  11. THREAT INTELLIGENCE PHASES & PROCESS
     • PHASE 1: PLAN IT
       • PLANNING AND GOVERNANCE
     • PHASE 2: MAKE IT
       • COLLECTION → PROCESSING → ANALYSIS → EVALUATION → TUNING
       • RINSE & REPEAT
     • PHASE 3: SHARE IT
       • REPORTING AND DISSEMINATION
       • ACTION & FEEDBACK
  12. PHASE 1: PLAN IT

  13. “BY FAILING TO PREPARE, YOU ARE PREPARING TO FAIL [BADLY].” – BENJAMIN FRANKLIN
     PHASE 1: DOCUMENTATION, PLANNING AND GOVERNANCE
  14. TASK 1: MISSION, VISION, OBJECTIVES
     IF YOU DON’T WRITE IT DOWN – IT DOESN’T EXIST
  15. COMMON THREAT INTELLIGENCE OBJECTIVES
     • Limit threat actor capabilities / reduce their attack options
     • Disrupt the adversary’s plans – stop undetected activities, or stop allowing them to operate without sharing what we learn with other defenders
     • Delay the actor’s timeline or ability to launch an attack
     • Divert any resources the actor might use; render them unavailable to the actor
     • Destroy their infrastructure, organic existence
     • Damage their forces (ex: shutting down some/all of a botnet)
     • DO NOT INTERPRET ANY OF THE ABOVE AS ENDORSEMENT OF ILLEGAL OR HACK-BACK ACTION
  16. TASK 2: IDENTIFY WHAT WE ARE PROTECTING
     IF EVERYTHING IS IMPORTANT, THEN NOTHING IS IMPORTANT
     YOUR TEAM HAS FINITE RESOURCES – LEVERAGE THEM WISELY
  17. PLAN IT - WHAT MATTERS?
     • What is *THE THING* that your organization actually DOES|MAKES?
     • What assets do you need to do|make it? (These are the bad guy’s target list)
     • Hint: Disaster Recovery Plan
     • What event must you ABSOLUTELY PREVENT (or die trying)?
     • DON’T…
       • …EXCEED 5 CRITICAL ASSETS
       • …FORGET PEOPLE ARE TARGETS TOO (DEVS, ENGINEERS, ARCHITECTS ETC)
       • …FORGET ABOUT 3RD PARTIES
  18. TASK 3: IDENTIFY SPECIFIC INTEL REQUIREMENTS

  19. PLAN IT - PRIORITY INTELLIGENCE REQUIREMENTS
     • AKA PIRs = the team’s hunting tasks ~ CEO/COO Critical Information Requirement (CCIR)
     • No more than 4, preferably 3
     • Focus on a specific fact, event, activity etc.
     • 1 PIR = intelligence for leadership to make one decision
     • Reviewed && Revised regularly (biannually | annually)
     • Don’t…
       • …Write them for the business, but coach them instead
       • …Forget to DOCUMENT THEM
  20. PLAN IT – WHAT ARE WE HUNTING AGAIN?
     • Receive and analyze requirements from leadership
     • Ensure intelligence objectives support business objectives
     • Don’t…
       • …Be afraid to push back when requirements are too broad
       • …Get tunnel vision! Threats go from physical to digital quickly: socioeconomic (hacktivists), civil unrest (website defacement), natural disaster (ransomware for medicine)
  21. (GOOD) PIR EXAMPLES
     • What are the current indicators of an organized attack on $location/$asset/$resource?
     • What are the indicators that ($group | $actor) is planning an attack on $product?
     • Which $utility does $actor use? [utilities: protocols, scripts, scanning, tools]
     • What are the $actor’s subsequent and fallback $locations (i.e. service providers), and how could/will they transfer their attack platforms from infrastructure $location-A to $location-B?
  22. TASK 4: IDENTIFY DATA STORAGE, SECURITY & ACCESS REQUIREMENTS
     SINGLE POINT OF FAILURE? GROWTH? THE CLOUD??????
     YOU CAN’T UN-RING A BELL
  23. STORAGE, SECURITY & ACCESS
     • RAW data you collect – VS – processed, aggregated, analyzed, and formal report?
     • WHERE do you keep it?
     • HOW do you secure it?
     • Who should have access to it and what does that access look like?
     • Don’t…
       • …Set it up in a pure cloud environment, that’s just someone else’s computer
       • …Rely on permission groups the threat intel team can’t control (insider threat is real, don’t be dumb)
       • …Start with an open fist approach – taking away permissions is like un-friending someone on the Facebook or blocking them on Twitter (ohhhh the drama!)
  24. TASK 5: IDENTIFY RESOURCE NEEDS
     BECAUSE AUTOMAGIC!

  25. PLAN IT - STAFFING, RESOURCES & STRUCTURE
     • PEOPLE: DEDICATED DEVELOPER, TACTICAL ANALYST(S) *AND* STRATEGIC ANALYST(S)
     • PEOPLE: THREAT INTELLIGENCE LIAISONS IN OTHER DEPARTMENTS
     • TOOLS: ABC’S = ACQUIRE, BUY, CREATE
     • DATA SOURCES: OSINT, PAID, CONFERENCES, PAPERS, PEERS, MAILING LISTS, ETC
     • TIME: DO YOU WANT REPORTS OR DO YOU WANT ANALYSIS? CRITICAL THINKING & SOLID RESEARCH = TIME
     • PLACE THE TEAM IN THE ORG AT AN *ENTERPRISE* LEVEL
     • DON’T…
       • …FORGET – QUANTITIES ARE EASY – QUALITY IS USEFUL
       • …STOVE PIPE THE TEAM’S SCOPE, DON’T FORGET THEY CAN PROVIDE VALUE TO EVERY DEPARTMENT
  26. TASK 6: DOCUMENT COMMUNICATIONS PLANS
     CALL? TEXT? EMAIL? IRC? FACE-TO-FACE?
     DATA CLASSIFICATION MARKINGS
  27. Urgent = Antibiotic -vs- Emergency = Antivenom

  28. PLAN IT - COMMUNICATIONS
     • WHEN DO YOU WAKE SOMEONE UP?
     • DEVELOP THREAT SCENARIOS/TOPICS AND HAVE COMMUNICATIONS PLANS FOR THEM
     • HOW WILL YOU SHARE UNCONFIRMED/CONFIRMED THREAT INFORMATION INTERNALLY VS EXTERNALLY?
     • WHO IS GOING TO TELL THE KING HE’S NAKED, BECAUSE HE *IS* NAKED?
     • DON’T…
       • …BE A COWBOY OR CREATE PLANS THAT DO NOT INCLUDE INFOSEC, OPS, MARKETING, & LEGAL
       • …BE STINGY WITH THREAT INFO, WE ALL NEED SOMEONE’S INPUT/HELP/KNOWLEDGE (INTERNALLY AND EXTERNALLY)
  30. PHASE 2: MAKE IT
     DEVELOPING THREAT INTELLIGENCE

  31. MAKE IT – ONE SOURCE AT A TIME
     (cycle diagram: Collect → Process → Analyze → Evaluate → Tune, shown alongside the OODA loop: Observe → Orient → Decide → Act)
  32. PHASE 3: SHARE IT
     ACTING ON AND SHARING THREAT INTELLIGENCE
  33. SHARE IT – INTERNALLY AND EXTERNALLY
     • Remember your planning?
     • How and what you share will vary greatly, and communication plans need to be well documented
     • Remember 9-11? “Need-to-know” principles don’t work so well, do they?
     • Don’t…
       • …List points of contact ONLY by name/email/phone; processes are based on job functions → consider role-specific emails instead of individual ones, which builds flexibility
       • …Be naive, you are NOT the only person/org/team who needs to know
       • …Assume everyone already knows; nobody can collect and analyze all available information… not even the NSA
  34. SHARE IT – CRITICAL INTERNAL COMMS PLAN
     • If you THINK it could be classified information, ALWAYS tell your facilities security officer (FSO)
     • Imminent attack on customer, partner, employee, or peer? Pick up the phone!
     • And, and, and, and….
     • Don’t…
       • …Assume because it is on the internet that it is “public” or not classified
       • …Assume because a data dump is available, you can/should have a copy of it so you can mine it (think of it like possessing something you know is stolen property)
  35. SHARE IT !!
     (diagram: Threat Intel at the center, surrounded by C-Suite, Marketing, Physical Security, Sales & Ops, Legal, InfoSec, Human Resources)
  36. SUMMARY (1/2)
     • THREAT INTELLIGENCE IS DEVELOPED NOT FOUND
     • THREAT INTELLIGENCE IS AN ENTERPRISE SERVICE
  37. SUMMARY (2/2)
     • MILESTONE 1: MISSION, VISION, OBJECTIVES – WRITE THEM DOWN!!
     • MILESTONE 2: IDENTIFY WHAT WE ARE PROTECTING (INCLUDING PEOPLE)
     • MILESTONE 3: IDENTIFY SPECIFIC INTEL REQUIREMENTS (CEO CRITICAL INFORMATION REQUIREMENTS)
     • MILESTONE 4: IDENTIFY DATA STORAGE, SECURITY & ACCESS REQUIREMENTS
     • MILESTONE 5: DOCUMENT COMMUNICATIONS PLANS (ANTIBIOTICS VS ANTIVENOM)
     • MILESTONE 6: IDENTIFY RESOURCE NEEDS (ABC’s, PEOPLE, TOOLS, & DATA SOURCES)
  38. “IF YOU DON’T KNOW WHERE YOU ARE GOING, YOU’LL END UP SOMEPLACE ELSE.” – YOGI BERRA
     THREAT INTELLIGENCE OBJECTIVES DRIVE THE THREAT INTELLIGENCE PLAN. THEY SHOULD ALIGN WITH THE ORGANIZATION’S BUSINESS OBJECTIVES.
  39. QUESTIONS?