Threat Intelligence (Program): Plan It, Make It, Share It

Tazz
January 12, 2018

Audience: anyone who wants a threat intelligence program

This slide deck was designed for a Q&A setting, to facilitate discussion around designing a threat intelligence program. It offers candid wisdom with both Do's and Don'ts.

This presentation was first presented on Jan 12, 2018 to a private audience and later publicly at Blue Ridge (Security) Conference in May 2018.

Transcript

  1. OVERVIEW
     • ABOUT TAZZ
     • HOW DO YOU FIND THREAT INTELLIGENCE?
     • THREAT INTELLIGENCE PHASES & PROCESSES OF A THREAT INTELLIGENCE PROGRAM
     • PLAN IT → MAKE IT → SHARE IT
     • WHO NEEDS THREAT INTELLIGENCE?
     • QUESTIONS
  2. ABOUT TAZZ
     • IOC MONKEY
     • SOC ANALYST - EXCEL MONKEY
     • DASHBOARD STALKER
     • THREAT RESEARCHER - SPLUNK SLAVE
     • FIREFIGHTER
     • FIRE STARTER
     • ALTERNATIVE FACTS INTERPRETER
     • FIELD SOFTWARE (BREAKER/FIXER) ENGINEER
     • SYSTEM ADMINISTRATOR OF CHAOS
     • IA HOODLUM / COMPLIANCE SORCERESS
     • INFORMATION SECURITY CAT HERDER
     • SECURITY ARCHITECT - QUEEN OF YES BUT NO!
     • THREAT NEUTRALIZER / PEOPLE ERASER
  3. THREAT INTELLIGENCE IS DEVELOPED, NOT FOUND
     PLAN IT
     • What matters?
     • Storage & Access
     • People
     MAKE IT
     • Collect
     • Process & Analyze
     • Evaluate & Tune
     SHARE IT
     • Internal
     • External
     • Feedback
  4. THREAT INTELLIGENCE PHASES & PROCESS
     • PHASE 1: PLAN IT
       • PLANNING AND GOVERNANCE
     • PHASE 2: MAKE IT
       • COLLECTION → PROCESSING → ANALYSIS → EVALUATION → TUNING
       • RINSE & REPEAT
     • PHASE 3: SHARE IT
       • REPORTING AND DISSEMINATION
       • ACTION & FEEDBACK
  5. “BY FAILING TO PREPARE, YOU ARE PREPARING TO FAIL.” – BENJAMIN FRANKLIN
     PHASE 1: PLANNING AND GOVERNANCE
  7. “IF YOU DON’T KNOW WHERE YOU ARE GOING, YOU’LL END UP SOMEPLACE ELSE.” – YOGI BERRA
     THREAT INTELLIGENCE OBJECTIVES DRIVE THE THREAT INTELLIGENCE PLAN. THEY SHOULD ALIGN WITH THE ORGANIZATION’S BUSINESS OBJECTIVES.
  8. COMMON THREAT INTELLIGENCE OBJECTIVES
     • Limit threat actor capabilities / reduce their attack options
     • Disrupt the adversary’s plans – stop undetected activity, and don’t let them operate without sharing what we learn with other defenders
     • Delay the actor’s timeline or ability to launch an attack
     • Divert any resources the actor might use; render them unavailable to the actor
     • Destroy their infrastructure, organic existence
     • Damage their forces (ex: shutting down some/all of a botnet)
     • DO NOT INTERPRET ANY OF THE ABOVE AS ENDORSEMENT OF ILLEGAL OR HACK-BACK ACTION
  9. PLAN IT – WHAT MATTERS?
     • What is it that your organization actually DOES?
     • What assets do you need to do it? (These are the bad guy’s target list)
     • What must you ABSOLUTELY PREVENT (or die trying)?
     • DON’T…
       • …EXCEED 5 CRITICAL ASSETS
       • …FORGET THAT THE PEOPLE THAT BUILD IT ARE TARGETS TOO
       • …FORGET ABOUT 3RD PARTIES
  10. PLAN IT – WHAT ARE WE HUNTING AGAIN?
     • Receive and analyze requirements from leadership
     • Ensure intelligence objectives support business objectives
     • Don’t…
       • …Be afraid to push back when requirements are too broad
       • …Get tunnel vision! Threats go from physical to digital quickly: socioeconomic (hacktivists), civil unrest (website defacement), natural disaster (ransomware for medicine)
  11. PLAN IT – PRIORITY INTELLIGENCE REQUIREMENTS
     • AKA PIRs = the team’s hunting tasks
     • No more than 4, preferably 3
     • Focus on a specific fact, event, activity, etc.
     • 1 PIR = intelligence for leadership to make one decision
     • Don’t…
       • …Write them for the business, but coach them instead
       • …Forget there are also GENERAL intelligence requirements; these are the “obvious” things you’d almost always have an interest in (ex: new exploit for Bluetooth)
  12. (GOOD) PIR EXAMPLES
     • What are the current indicators of an organized attack on $location/$asset/$resource?
     • What are the indicators that ($group | $actor) is planning an attack on $product?
     • Which $utility does $actor use? [utilities: protocols, scripts, scanning, tools]
     • What are the $actor’s subsequent and fallback $locations (i.e. service providers), and how could/will they transfer their attack platforms from infrastructure $location-A to $location-B?
  13. PLAN IT – STORAGE & ACCESS
     • Where will you keep the threat intelligence you collect?
     • Who should have access to it, and what does that access look like?
     • Don’t…
       • …Set it up in a pure cloud environment; that’s just someone else’s computer
       • …Rely on permission groups the threat intel team can’t control (insider threat is real, don’t be dumb)
       • …Start with an open-fist approach – taking away permissions is like un-friending someone on the Facebook or blocking them on Twitter (ohhhh the drama!)
  14. PLAN IT - COMMUNICATIONS
     • DEVELOP THREAT SCENARIOS/TOPICS AND HAVE INCIDENT RESPONSE PLANS FOR THEM.
     • HOW WILL YOU SHARE UNCONFIRMED/CONFIRMED THREAT INFORMATION INTERNALLY VS EXTERNALLY?
     • WHO IS GOING TO TELL THE KING HE’S NAKED, BECAUSE HE *IS* NAKED?
     • DON’T…
       • …BE A COWBOY OR CREATE RESPONSE PLANS THAT DO NOT INCLUDE INFOSEC, OPS, MARKETING, & LEGAL
       • …BE STINGY WITH THREAT INFO; WE ALL NEED SOMEONE’S INPUT/HELP/KNOWLEDGE (INTERNALLY AND EXTERNALLY)
  15. PLAN IT – STAFFING, RESOURCES & STRUCTURE
     • PEOPLE: DEDICATED DEVELOPER, TACTICAL ANALYST(S) *AND* STRATEGIC ANALYST(S)
     • PEOPLE: THREAT INTELLIGENCE LIAISONS IN OTHER DEPARTMENTS
     • TOOLS: ABC’S = ACQUIRE, BUY, CREATE
     • DATA SOURCES: OSINT, PAID, CONFERENCES, PAPERS, PEERS, MAILING LISTS, ETC.
     • TIME: DO YOU WANT REPORTS OR DO YOU WANT ANALYSIS? CRITICAL THINKING & SOLID RESEARCH = TIME
     • PLACE THE TEAM IN THE ORG AT AN *ENTERPRISE* LEVEL
     • DON’T…
       • …TRY TO SHOVE 100LBS OF $PROFANITY IN A 50LB BAG, OR YOU JUST GET REPORTS
       • …STOVE-PIPE THE TEAM’S SCOPE; DON’T FORGET THEY CAN PROVIDE VALUE TO EVERY DEPARTMENT
  17. SHARE IT – INTERNALLY AND EXTERNALLY
     • Remember your planning?
     • How and what you share will vary greatly, and communication plans need to be well documented
     • Remember 9-11? “Need-to-know” principles don’t work so well, do they?
     • Don’t…
       • …List points of contact ONLY by name/email/phone; processes are based on job functions → consider role-specific emails instead of individual ones, which builds flexibility
       • …Be naive; you are NOT the only person/org/team who needs to know
       • …Assume everyone already knows; nobody can collect and analyze all available information… not even the NSA
  18. SHARE IT – CRITICAL INTERNAL COMMS PLANS
     • If you THINK it could be classified information, ALWAYS tell your facilities security officer (FSO)
     • Imminent attack on customer, partner, employee, or peer? Pick up the phone!
     • And, and, and, and….
     • Don’t…
       • …Assume because it is on the internet that it is “public” or not classified
       • …Assume because a data dump is available, you can/should have a copy of it so you can mine it (think of it like possessing something you know is stolen property)
  19. SHARE IT !! WHO NEEDS THREAT INTELLIGENCE?
     • C-Suite
     • Marketing
     • Physical Security
     • Sales & Ops
     • Legal
     • InfoSec
     • Human Resources
     • Threat Intel