
Threat Intelligence for Executives, Senior Leaders, and Security Practitioners

Tazz
May 24, 2019


This presentation provides a milestone approach, packed with do's and don'ts, on how to properly build, implement, manage and leverage a threat intelligence program. If you think threat intelligence is a function of information security, a defence against malware, a feed, or something you buy, then you should review this slide deck carefully. These slides were updated and presented at the Infosec Summit 2019 in Columbus, Ohio.


Transcript

  1. OVERVIEW
     • ABOUT TAZZ
     • WHO, WHERE AND HOW OF THREAT INTELLIGENCE
     • THREAT INTELLIGENCE PROGRAM PHASES AND PROCESSES
     • PLAN IT → MAKE IT → SHARE IT
     • SUMMARY
     • QUESTIONS

  2. ABOUT TAZZ
     • IOC MONKEY
     • SOC ANALYST - EXCEL MONKEY
     • DASHBOARD STALKER
     • THREAT RESEARCHER - SPLUNK SLAVE
     • FIREFIGHTER
     • FIRE STARTER
     • ALTERNATIVE FACTS INTERPRETER
     • FIELD SOFTWARE (BREAKER/FIXER) ENGINEER
     • SYSTEM ADMINISTRATOR OF CHAOS
     • IA HOODLUM / COMPLIANCE SORCERESS
     • INFORMATION SECURITY CAT HERDER
     • SECURITY ARCHITECT - QUEEN OF YES BUT NO!
     • THREAT NEUTRALIZER / PEOPLE ERASER
  3. WHO NEEDS THREAT INTELLIGENCE?
     (Diagram: Threat Intel at the centre, surrounded by C-Suite, Marketing, Physical Security, Sales & Ops, Legal, InfoSec, Human Resources)

  4. WHERE DOES THREAT INTEL “FIT”?
     (Org chart labels: CEO, CSO, Threat Intel, InfoSec, PhySec, Mktg, Legal, $Dept)
     AT THE ENTERPRISE LEVEL:
     • IT SERVES UP: CEO
     • IT SERVES ACROSS: OTHER DEPTS
     • IT SERVES DOWN: BLUE TEAM OPS
  5. THREAT INTELLIGENCE IS DEVELOPED NOT FOUND
     PLAN IT
     • What matters?
     • Storage & Access
     • People
     MAKE IT
     • Collect
     • Process & Analyze
     • Evaluate & Tune
     SHARE IT
     • Internal
     • External
     • Feedback

  6. THREAT INTELLIGENCE PHASES & PROCESS
     • PHASE 1: PLAN IT
       • PLANNING AND GOVERNANCE
     • PHASE 2: MAKE IT
       • COLLECTION → PROCESSING → ANALYSIS → EVALUATION → TUNING
       • RINSE & REPEAT
     • PHASE 3: SHARE IT
       • REPORTING AND DISSEMINATION
       • ACTION & FEEDBACK
  7. PHASE 1: DOCUMENTATION, PLANNING AND GOVERNANCE
     “BY FAILING TO PREPARE, YOU ARE PREPARING TO FAIL [BADLY].” – BENJAMIN FRANKLIN

  8. COMMON THREAT INTELLIGENCE OBJECTIVES
     • Limit threat actor capabilities / reduce their attack options
     • Disrupt the adversary’s plans – stop undetected activities, and stop allowing them to operate without sharing what we learn with other defenders
     • Delay the actor’s timeline or ability to launch an attack
     • Divert any resources the actor might use; render them unavailable to the actor
     • Destroy their infrastructure, organic existence
     • Damage their forces (ex: shutting down some/all of a botnet)
     • DO NOT INTERPRET ANY OF THE ABOVE AS ENDORSEMENT OF ILLEGAL OR HACK-BACK ACTION
  9. TASK 2: IDENTIFY WHAT WE ARE PROTECTING
     IF EVERYTHING IS IMPORTANT, THEN NOTHING IS IMPORTANT
     YOUR TEAM HAS FINITE RESOURCES – LEVERAGE THEM WISELY

  10. PLAN IT - WHAT MATTERS?
     • What is *THE THING* that your organization actually DOES|MAKES?
     • What assets do you need to do|make it? (These are the bad guy’s target list)
       • Hint: Disaster Recovery Plan
     • What event must you ABSOLUTELY PREVENT (or die trying)?
     • DON’T…
       • …EXCEED 5 CRITICAL ASSETS
       • …FORGET PEOPLE ARE TARGETS TOO (DEVS, ENGINEERS, ARCHITECTS ETC)
       • …FORGET ABOUT 3RD PARTIES
  11. PLAN IT - PRIORITY INTELLIGENCE REQUIREMENTS
     • AKA PIRs = the team’s hunting tasks, ~ CEO/COO Critical Information Requirement (CCIR)
     • No more than 4, preferably 3
     • Focus on a specific fact, event, activity etc.
     • 1 PIR = intelligence for leadership to make one decision
     • Reviewed && Revised regularly (biannually | annually)
     • Don’t…
       • …Write them for the business, but coach them instead
       • …Forget to DOCUMENT THEM

  12. PLAN IT – WHAT ARE WE HUNTING AGAIN?
     • Receive and analyze requirements from leadership
     • Ensure intelligence objectives support business objectives
     • Don’t…
       • …Be afraid to push back when requirements are too broad
       • …Get tunnel vision! Threats go from physical to digital quickly: socioeconomic (hacktivists), civil unrest (website defacement), natural disaster (ransomware for medicine)
  13. (GOOD) PIR EXAMPLES
     • What are the current indicators of an organized attack on $location/$asset/$resource?
     • What are the indicators that ($group | $actor) is planning an attack on $product?
     • Which $utility does $actor use? [utilities: protocols, scripts, scanning, tools]
     • What are the $actor’s subsequent and fallback $locations (i.e. service providers), and how could/will they transfer their attack platforms from infrastructure $location-A to $location-B?

  14. TASK 4: IDENTIFY DATA STORAGE, SECURITY & ACCESS REQUIREMENTS
     SINGLE POINT OF FAILURE? GROWTH? THE CLOUD??????
     YOU CAN’T UN-RING A BELL
  15. STORAGE, SECURITY & ACCESS
     • RAW data you collect – VS – processed, aggregated, analyzed, and formal report?
     • WHERE do you keep it?
     • HOW do you secure it?
     • Who should have access to it and what does that access look like?
     • Don’t…
       • …Set it up in a pure cloud environment, that’s just someone else’s computer
       • …Rely on permission groups the threat intel team can’t control (insider threat is real, don’t be dumb)
       • …Start with an open fist approach – taking away permissions is like un-friending someone on the Facebook or blocking them on Twitter (ohhhh the drama!)

  16. PLAN IT - STAFFING, RESOURCES & STRUCTURE
     • PEOPLE: DEDICATED DEVELOPER, TACTICAL ANALYST(S) *AND* STRATEGIC ANALYST(S)
     • PEOPLE: THREAT INTELLIGENCE LIAISONS IN OTHER DEPARTMENTS
     • TOOLS: ABC’S = ACQUIRE, BUY, CREATE
     • DATA SOURCES: OSINT, PAID, CONFERENCES, PAPERS, PEERS, MAILING LISTS, ETC
     • TIME: DO YOU WANT REPORTS OR DO YOU WANT ANALYSIS? CRITICAL THINKING & SOLID RESEARCH = TIME
     • PLACE THE TEAM IN THE ORG AT AN *ENTERPRISE* LEVEL
     • DON’T…
       • …FORGET – QUANTITIES ARE EASY – QUALITY IS USEFUL
       • …STOVE PIPE THE TEAM’S SCOPE, DON’T FORGET THEY CAN PROVIDE VALUE TO EVERY DEPARTMENT
  17. PLAN IT - COMMUNICATIONS
     • WHEN DO YOU WAKE SOMEONE UP?
     • DEVELOP THREAT SCENARIOS/TOPICS AND HAVE COMMUNICATIONS PLANS FOR THEM
     • HOW WILL YOU SHARE UNCONFIRMED/CONFIRMED THREAT INFORMATION INTERNALLY VS EXTERNALLY?
     • WHO IS GOING TO TELL THE KING HE’S NAKED, BECAUSE HE *IS* NAKED?
     • DON’T…
       • …BE A COWBOY OR CREATE PLANS THAT DO NOT INCLUDE INFOSEC, OPS, MARKETING, & LEGAL
       • …BE STINGY WITH THREAT INFO, WE ALL NEED SOMEONE’S INPUT/HELP/KNOWLEDGE (INTERNALLY AND EXTERNALLY)
  19. MAKE IT – ONE SOURCE AT A TIME
     (Diagram: Collect → Process → Analyze → Evaluate → Tune, overlaid on the OODA loop: Observe → Orient → Decide → Act)
  20. SHARE IT – INTERNALLY AND EXTERNALLY
     • Remember your planning?
     • How and What you share will vary greatly, and communication plans need to be well documented
     • Remember 9-11? “Need-to-know” principles don’t work so well, do they?
     • Don’t…
       • …List points of contact ONLY by name/email/phone; processes are based on job functions → consider role-specific emails instead of individual ones, it builds flexibility
       • …Be naive, you are NOT the only person/org/team who needs to know
       • …Assume everyone already knows; nobody can collect and analyze all available information… not even the NSA

  21. SHARE IT – CRITICAL INTERNAL COMMS PLAN
     • If you THINK it could be classified information, ALWAYS tell your facilities security officer (FSO)
     • Imminent attack on customer, partner, employee, or peer? Pick up the phone!
     • And, and, and, and….
     • Don’t…
       • …Assume because it is on the internet that it is “public” or not classified
       • …Assume because a data dump is available, you can/should have a copy of it so you can mine it (think of it like possessing something you know is stolen property)
  22. SHARE IT !!
     (Diagram: Threat Intel at the centre, surrounded by C-Suite, Marketing, Physical Security, Sales & Ops, Legal, InfoSec, Human Resources)

  23. SUMMARY (1/2)
     • THREAT INTELLIGENCE IS DEVELOPED NOT FOUND
     • THREAT INTELLIGENCE IS AN ENTERPRISE SERVICE
  24. SUMMARY (2/2)
     • MILESTONE 1: MISSION, VISION, OBJECTIVES – WRITE THEM DOWN!!
     • MILESTONE 2: IDENTIFY WHAT WE ARE PROTECTING (INCLUDING PEOPLE)
     • MILESTONE 3: IDENTIFY SPECIFIC INTEL REQUIREMENTS (CEO CRITICAL INFORMATION REQUIREMENTS)
     • MILESTONE 4: IDENTIFY DATA STORAGE, SECURITY & ACCESS REQUIREMENTS
     • MILESTONE 5: DOCUMENT COMMUNICATIONS PLANS (ANTIBIOTICS VS ANTIVENOM)
     • MILESTONE 6: IDENTIFY RESOURCE NEEDS (ABC’s, PEOPLE, TOOLS, & DATA SOURCES)

  25. “IF YOU DON’T KNOW WHERE YOU ARE GOING, YOU’LL END UP SOMEPLACE ELSE.” – YOGI BERRA
     THREAT INTELLIGENCE OBJECTIVES DRIVE THE THREAT INTELLIGENCE PLAN. THEY SHOULD ALIGN WITH THE ORGANIZATION’S BUSINESS OBJECTIVES.