Slide 1

Tactical threat intelligence gotcha down? There is a better way.
Rick Holland, VP Strategy, @rickhholland

Slide 2

Are you ready for some football!

Slide 3

Masters of espionage

Slide 4

Masters of OSINT

Slide 5

Countermeasures
“At least five teams have swept their hotels, locker rooms or coaches’ booths in New England for listening devices, sometimes hiring outside professionals.”

Slide 6

Looking back over the past 4+ years

Slide 7

Long form intelligence reporting

Slide 8

Self-licking ice cream cones

Slide 9

Difficult to operationalize

Slide 10

Ain’t nobody got time for that!

Slide 11

Slide 12

Expense in Depth

Slide 13

Consumption focused

Slide 14

Indicators of Exhaustion (IOEs)
There’s too many of them!

Slide 15

Relevancy?
- My vertical?
- My geography?
- My threat model?

Slide 16

Uncle Rico threat intelligence (unrealistic)

Slide 17

Getting strategic with intelligence
1. People
2. Process
3. Tradecraft
@rickhholland

Slide 18

Analysts

Slide 19

Build?

Slide 20

Or buy?

Slide 21

6-year $114.5M contract

Slide 22

6th round pick

Slide 23

Better grow your own analysts

Slide 24

Growing your own analysts
- Join advisory boards to guide university programs
- Expect 2-3 years out of entry-level analysts
- A well understood career path is critical
- Complement your junior staff with seasoned analysts

Slide 25

Recruit in San Antonio
- Air Force cyber
- Air Force intelligence
- NSA Central Security Service
- University of Texas San Antonio

Slide 26

Recruit in Augusta
- Military Intelligence
- NSA Central Security Service
- ARCYBER relocation

Slide 27

Getting strategic with intelligence
1. People
2. Process
3. Tradecraft
@rickhholland

Slide 28

Intelligence cycle
Source: JP 2-01, Joint and National Intelligence Support to Military Operations

Slide 29

Coach Bear Bryant
“It’s not the will to win but the will to prepare to win that makes the difference”

Slide 30

Planning and Direction
“The determination of intelligence requirements, development of appropriate intelligence architecture, preparation of a collection plan, and issuance of orders and requests to information collection agencies.”
Source: JP 2-01, Joint and National Intelligence Support to Military Operations

Slide 31

Intelligence requirements
“Any subject, general or specific, upon which there is a need for the collection of information or the production of intelligence.”
Source: JP 2-01, Joint and National Intelligence Support to Military Operations

Slide 32

Slide 33

Sample requirements
- Who has targeted our organization in the past?
  - How can we get indications and warnings of future attacks?
  - How can we get evidence of previous attacks?
- Who are the actors that target our vertical?
- What TTPs do our adversaries employ?

Slide 34

Sample requirements continued
- Which adversary campaigns affect us/our vertical?
- Which global events could impact our business/vertical?
- What critical business activities must we protect?

Slide 35

Collection

Slide 36

Collection activities
- Identify ability to address requirements
- Identify gaps in collection capabilities
- Internally or externally source capabilities
- Measure collection results against ability to answer requirement

Slide 37

Who has targeted our organization in the past?

Slide 38

Who has targeted our organization in the past?
- Nothing more relevant than your own intrusions
- Build dossiers on your intrusions
- Key for your collection strategy
Source: The Diamond Model of Intrusion Analysis: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

Slide 39

Which critical business activities must we protect?

Slide 40

Slide 41

Maintain a relevant and reliable experience

Slide 42

Significant disruption in our computer systems

Slide 43

Protect the security of information

Slide 44

Interruptions in our supply chain

Slide 45

What is the digital footprint for these risks?
- Application
- End user
- Network
- Server
- 3rd party
- Internal and external

Slide 46

Which entities are associated with these risks?
- Administrative staff
- Business owners
- End users
- 3rd party business partners

Slide 47

Collection
What situational awareness do you have into these risks?

Slide 48

Planning for 2017?

Slide 49

What does your business have planned for 2017?

Slide 50

Getting strategic with intelligence
1. People
2. Process
3. Tradecraft
@rickhholland

Slide 51

Tradecraft fails with weak analysis

Slide 52

Tony Romo

Slide 53

This year

Slide 54

Tony Romo
“I feel good about the fact that was probably as tough of a hit I've taken on the back as I've had in the last five years. From that regard, I feel very lucky that it can hold up and I can keep going.”

Slide 55

Homer Sports Fan
A cognitive bias that results in a tendency to hold one’s favorite sports team in irrational high regard regardless of legitimate ability to deliver and win games. It typically wanes as a season progresses.

Slide 56

Old School Confirmation Bias

Slide 57

Be Careful: New School Confirmation Bias

Slide 58

Absence of Evidence
- “Intelligence analysts should be able to recognize what relevant evidence is lacking and factor this into their calculations.”
- “Consider whether the absence of information is normal or is itself an indicator of unusual activity or inactivity.”
Source: https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/PsychofIntelNew.pdf

Slide 59

Recommended Reading

Slide 60

Structured Analytic Techniques for Improving Intelligence Analysis
Source: https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/Tradecraft%20Primer-apr09.pdf

Slide 61

Analysis of Competing Hypotheses Tool
Source: http://www2.parc.com/istl/projects/ach/ach.html
ACH doesn’t seek to prove hypotheses; it instead disproves them
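To make the slide's point concrete, here is a small ACH matrix scorer, an added example written for this page rather than the PARC tool or the speaker's own code; the hypotheses, evidence labels and ratings are constructed for illustration. It ranks hypotheses by how much evidence argues against them, never by how much agrees, and flags evidence that cannot discriminate between them.

```python
from dataclasses import dataclass, field

# Ratings an analyst assigns to each evidence/hypothesis cell.
CONSISTENT = "C"      # evidence fits the hypothesis
INCONSISTENT = "I"    # evidence argues against the hypothesis
NOT_APPLICABLE = "N"  # evidence says nothing about the hypothesis


@dataclass
class AchMatrix:
    hypotheses: list
    evidence: dict = field(default_factory=dict)  # label -> one rating per hypothesis

    def add_evidence(self, label, ratings):
        if len(ratings) != len(self.hypotheses):
            raise ValueError("one rating per hypothesis is required")
        if any(r not in (CONSISTENT, INCONSISTENT, NOT_APPLICABLE) for r in ratings):
            raise ValueError("ratings must be C, I or N")
        self.evidence[label] = list(ratings)

    def inconsistency_scores(self):
        # ACH counts only the evidence that argues AGAINST a hypothesis; consistent
        # evidence earns no credit because it usually fits several hypotheses at once.
        scores = {h: 0 for h in self.hypotheses}
        for ratings in self.evidence.values():
            for h, r in zip(self.hypotheses, ratings):
                if r == INCONSISTENT:
                    scores[h] += 1
        return scores

    def diagnostic_evidence(self):
        # Evidence rated identically for every hypothesis cannot discriminate between them.
        return [lbl for lbl, ratings in self.evidence.items() if len(set(ratings)) > 1]

    def ranked(self):
        # The surviving hypothesis is the one with the fewest inconsistencies.
        scores = self.inconsistency_scores()
        return sorted(self.hypotheses, key=lambda h: scores[h])


def build_sample():
    # Constructed scenario: three competing explanations for a burst of account logins.
    m = AchMatrix(["H1 credential stuffing", "H2 targeted phishing", "H3 insider misuse"])
    m.add_evidence("E1 failed logins against thousands of accounts from many residential IPs", "CII")
    m.add_evidence("E2 no phishing lures found in mail gateway logs for the period", "CIC")
    m.add_evidence("E3 every successful login came from the internal VPN address range", "ICC")
    m.add_evidence("E4 activity took place during business hours", "CCC")
    m.add_evidence("E5 affected passwords appear in a public credential dump", "CNI")
    return m
```

E4 fits all three hypotheses, so the matrix reports it as non-diagnostic even though it is true; H1 survives with one inconsistency while H2 and H3 each carry two.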

Slide 62

Strategic Intelligence Production

Slide 63

Slide 64

Must be tailored in terms leadership cares about ($$$)

Slide 65

Formalize an Intelligence Product Portfolio
- Continue with operational products
  - E.g.: dossiers, technical analysis, daily threat summaries
- Create tailored ad hoc summaries for relevant threats

Slide 66

Formalize an Intelligence Product Portfolio
- Create your own version of Verizon DBIR
- Forecasts:
  - Regional threats in new areas of operations
  - Threats to specific product launches

Slide 67

Do Now
- Apply significant effort to developing and retaining talent
- Include structured analytic techniques in your assessments
- Create intelligence products that are tied back to critical business risks

Slide 68

Go Cowboys!
Twitter: @rickhholland
Speaker Deck: https://speakerdeck.com/rick_holland
Blog: https://www.digitalshadows.com/blog-and-research/profile/rick-holland/