Open Source Intelligence - OSINT is "the discipline that pertains to intelligence produced from publicly available information . . . ." This information is provided "without the expectation of privacy," and could be "lawfully seen or heard by any casual observer."
Human Intelligence - HUMINT is "the collection by a trained human intelligence collector of foreign information from people and multimedia to identify elements, intentions, composition, strength, dispositions, tactics, equipment, and capabilities."
Counterintelligence - CI is "information gathered and activities performed to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations performed for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities."
is more than just attribution
• Many enterprises discount attribution: “Why do I need to know who is attacking me?”
• Attribution isn’t easy; it takes time
• Observing attacker Tactics, Techniques and Procedures enables attribution
• Alternative analysis required - question your judgment and assumptions
• Apply a high level of rigor to your analysis
Hacking Back
• Could violate the statutes of the Computer Fraud and Abuse Act
• How confident are you in your attribution? Will you strike back at innocent victims?
• Are you prepared for potential adversary escalation after striking back?
• Leave offensive security to the professionals: 3-letter agencies & their government contractors
support from non-technical business leaders by:
• Using intelligence to communicate risk
• Determining the true scope and severity of attacks
• Demonstrating the ROI on previous investments
• Until the CTI program is mature, maintaining buy-in will be an ongoing process
• Analysis is the differentiator; invest appropriately
• Career pathing
• Diverse skillsets strengthen the team
• Cultural/geopolitical knowledge
• Business unit knowledge
• Incident handling
• Pen testing
• Scripting/programming
• Recruit former intelligence analysts and officers
• Parses public and private feeds, normalizes the data so you can query against it
• Do we have hosts on these lists?
• What is the threat from our business partners who have extranet connections?
• Feed our detective/preventive controls
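The feed-normalization idea on this slide, as an added example that is not part of the deck: two constructed feeds (a vendor CSV and a partner plain-text list, using documentation-range addresses and .example names) are merged into one indicator table and queried against host-to-peer connections, so each hit shows which source(s) reported it.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample feeds (RFC 5737 ranges and .example names, not real indicators).
VENDOR_FEED_CSV = """indicator,type
198.51.100.23,ip
203.0.113.0/24,cidr
bad.example.net,domain
"""
PARTNER_FEED_TXT = """# partner sharing list, one indicator per line
198.51.100.23
evil.example.org
"""

def classify(value):
    """Infer an untyped indicator's kind from its shape: cidr, ip or domain."""
    try:
        if "/" in value:
            ipaddress.ip_network(value, strict=False)
            return "cidr"
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        return "domain"

def parse_csv_feed(text):
    return [(row["type"].strip(), row["indicator"].strip()) for row in csv.DictReader(io.StringIO(text))]

def parse_txt_feed(text):
    lines = [line.strip() for line in text.splitlines()]
    return [(classify(line), line) for line in lines if line and not line.startswith("#")]

def normalize(feeds):
    """Merge {source: [(type, value), ...]} into one table keyed by (type, value) -> set of sources."""
    table = defaultdict(set)
    for source, items in feeds.items():
        for kind, value in items:
            table[(kind, value.lower())].add(source)
    return table

def query(table, observations):
    """observations: (host, peer) pairs, e.g. extranet connections; return (host, peer, indicator, sources)."""
    hits = []
    for host, peer in observations:
        peer = peer.lower()
        for (kind, value), sources in table.items():
            if kind == "cidr":
                try:
                    matched = ipaddress.ip_address(peer) in ipaddress.ip_network(value, strict=False)
                except ValueError:
                    matched = False  # peer is a hostname, cannot fall inside a netblock
            else:
                matched = peer == value
            if matched:
                hits.append((host, peer, value, sorted(sources)))
    return hits
```

The hit list is what would be handed to detective/preventive controls; a peer reported by more than one source carries more weight than a single-feed hit.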
is an open source intelligence and forensics application
• Used to determine the relationships and real-world links between:
• People, Groups, Companies, Web sites, Domains, DNS Names, Netblocks, IPs, Phrases, Affiliations, Documents & Files
• Visually demonstrates interconnected links between searched items
• Palantir is a big data analytics platform used for similar purposes
• Defense industrial base, financial services and some technology companies have mature in-house CTI capabilities
• Forrester sees oil & gas and pharmaceutical moving in this direction
• Many organizations will not build out robust CTI teams because of economic and operational issues
• For many organizations a “threat feed” or CTIaaS will be the extent of their CTI capability
• MSSP clients will add the CTI offering to their services
Indicators of Compromise
• Characteristics of threat, methodology, or other evidence of compromise
• Host indicator focus
• Standardized XML format for sharing
• Free tools (IOC Editor, IOC Finder, Redline)
• FireEye & Palo Alto integrations recently announced
Cyber Observable eXpression
• “A measurable event or stateful property in the cyber domain”
• Very large schema
• Wide range of objects, events, & actions
• OpenIOCs are a subset of observables
• Relies on STIX to describe campaigns
Structured Threat Information eXpression
• Being tested by US-CERT & FS-ISAC
• Leverages CybOX
• Seeks to enable more robust sharing of indicators that include rich context, the “full spectrum of cyber threat info”
• Sean Barnum presented at Blackhat & RSAC this year
Object Description Exchange Format
• Developed by members of the Internet Engineering Task Force
• Defines a data representation that provides a framework for sharing information commonly exchanged by CSIRTs about computer security incidents
• Currently being updated
Actionable Intelligence
• “What is an IOC?”
• “There’s an appendix?”
• “What do I do with it?”
• Intelligence needs to be consumed in an automated manner
• Vendors are very picky eaters when it comes to consuming intelligence
• We suffer from vendor intelligence ecosystem lockdown
don’t have to be the NSA or DOD to leverage intelligence
• CTI is a marathon, not a sprint
• Monitor, then block commodity threats
• Share, share, share and share some more
• Use the tools that meet your unique needs but don’t get wrapped up in technology; remember people, process and oversight
• Develop your own company-specific threat reports / infographics