
If it bleeds we can kill it

2013 SANS CTI Summit

Rick Holland

March 22, 2013

Transcript

  1. © 2012 Forrester Research, Inc. Reproduction Prohibited
     “If it bleeds we can kill it”: Leveraging CTI to take the fight to the adversary
     Rick Holland, Senior Analyst, March 22, 2013, @rickhholland
  2. Introducing Cyber Threat Intelligence (CTI)
     Intelligence about external threat actors and active external threats
  3. Intelligence Disciplines: Open Source Intelligence
     OSINT is "the discipline that pertains to intelligence produced from publicly available information . . . ." This information is provided "without the expectation of privacy," and could be "lawfully seen or heard by any casual observer."
  4. Intelligence Disciplines: Human Intelligence
     HUMINT is "the collection by a trained human intelligence collector of foreign information from people and multimedia to identify elements, intentions, composition, strength, dispositions, tactics, equipment, and capabilities."
  5. Intelligence Disciplines: Counter Intelligence
     CI is "information gathered and activities performed to identify, deceive, exploit, disrupt, or protect against espionage, other intelligence activities, sabotage, or assassinations performed for or on behalf of foreign powers, organizations, or persons, or their agents, or international terrorist organizations or activities."
  6. Attribution
     • CTI is more than just attribution
     • Many enterprises discount attribution: “Why do I need to know who is attacking me?”
     • Attribution isn’t easy; it takes time
     • Observing attacker Tactics, Techniques and Procedures enables attribution
     • Alternative analysis required: question your judgment and assumptions
     • Apply a high level of rigor to your analysis
  7. Offensive Security / Hacking Back
     • Could violate the statutes of the Computer Fraud and Abuse Act
     • How confident are you in your attribution? Will you strike back at innocent victims?
     • Are you prepared for potential adversary escalation after striking back?
     • Leave offensive security to the professionals: 3 letter agencies & their government contractors
  8. Establish Buy-in
     Garner support from non-technical business leaders by:
     • Using intelligence to communicate risk
     • Determining the true scope and severity of attacks
     • Demonstrating the ROI on previous investments
     • Until the CTI program is mature, maintaining buy-in will be an ongoing process
  9. Staff The Team
     • Analysis is the differentiator, invest appropriately
     • Career pathing
     • Diverse skillsets strengthen the team
       • Cultural/geopolitical knowledge
       • Business unit knowledge
       • Incident handling
       • Pen testing
       • Scripting/programming
     • Recruit former intelligence analysts and officers
  10. Collective Intelligence Framework
     • Parses public and private feeds, normalizes the data so you can query against it
     • Do we have hosts on these lists?
     • What is the threat from our business partners who have extranet connections?
     • Feed our detective/preventive controls
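The parse-normalize-query workflow slide 10 describes, as an added example that is not part of the original deck or of the CIF project: two constructed feed layouts (a typed CSV and a bare blocklist) are merged into one index, then hosts seen in our own logs are checked against it, including IPs that fall inside a listed CIDR range. Feed contents, field names and confidence scores are constructed assumptions.

```python
import csv, io, ipaddress
# Constructed sample feeds (RFC 5737 documentation ranges, not real indicators).
FEED_CSV = """indicator,type,confidence
198.51.100.23,ip,85
bad.example,domain,70
203.0.113.0/24,cidr,60
"""
FEED_TXT = """# bare blocklist: one indicator per line, no type, no confidence
bad.example
198.51.100.23
evil.example
"""
def as_ip(value):
    """Return an ip_address for a valid literal, else None (used for type inference)."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None
def parse_csv_feed(text, source):
    """Normalize a typed CSV feed into uniform indicator records."""
    return [{"value": r["indicator"].strip().lower(), "type": r["type"].strip(),
             "confidence": int(r["confidence"]), "source": source}
            for r in csv.DictReader(io.StringIO(text))]
def parse_txt_feed(text, source, confidence=50):
    """Normalize a bare blocklist: infer each entry's type, assign a default confidence."""
    out = []
    for line in (l.strip().lower() for l in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        kind = "cidr" if "/" in line else "ip" if as_ip(line) else "domain"
        out.append({"value": line, "type": kind, "confidence": confidence, "source": source})
    return out
def build_index(records):
    """Merge feeds: highest confidence wins and every contributing source is kept."""
    index = {}
    for r in records:
        e = index.setdefault(r["value"], {"type": r["type"], "confidence": 0, "sources": set()})
        e["confidence"] = max(e["confidence"], r["confidence"])
        e["sources"].add(r["source"])
    return index
def query_hosts(index, hosts, min_confidence=0):
    """Answer 'do we have hosts on these lists?' for IPs, domains and CIDR ranges."""
    nets = [(ipaddress.ip_network(v), e) for v, e in index.items() if e["type"] == "cidr"]
    hits = {}
    for h in (x.lower() for x in hosts):
        e, addr = index.get(h), as_ip(h)
        if e is None and addr:  # unlisted IP: check the listed ranges
            e = next((n_e for n, n_e in nets if addr in n), None)
        if e is not None and e["confidence"] >= min_confidence:
            hits[h] = e
    return hits
```

The `min_confidence` threshold is what lets the same index drive both a monitor-only query and a stricter feed into preventive controls.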
  11. Maltego
     • Maltego is an open source intelligence and forensics application
     • Used to determine the relationships and real world links between:
       • People, Groups, Companies, Web sites, Domains, DNS Names, Netblocks, IPs, Phrases, Affiliations, Documents & Files
     • Visually demonstrates interconnected links between searched items
     • Palantir is a big data analytics platform used for similar purposes
  12. Build Versus Buy
     • Defense industrial base, financial services and some technology companies have mature in-house CTI capabilities
     • Forrester sees oil & gas, and pharmaceutical moving in this direction
     • Many organizations will not build out robust CTI teams; economics and operations issues
     • For many organizations a “threat feed” or CTIaaS will be the extent of their CTI capability
     • MSSP clients will add the CTI offering to their services
  13. OpenIOC
     • Open Indicators of Compromise
     • Characteristics of threat, methodology, or other evidence of compromise
     • Host indicator focus
     • Standardized XML format for sharing
     • Free tools (IOC Editor, IOC Finder, Redline)
     • FireEye & Palo Alto integrations recently announced
  14. MITRE CybOX
     • Cyber Observable eXpression
     • “A measurable event or stateful property in the cyber domain”
     • Very large schema
     • Wide range of objects, events, & actions
     • OpenIOCs are a subset of observables
     • Relies on STIX to describe campaigns
  15. MITRE STIX
     • Structured Threat Information eXpression
     • Being tested by US CERT & FS-ISAC
     • Leverages CybOX
     • Seeks to enable more robust sharing of indicators that include rich context, the “full spectrum of cyber threat info”
     • Sean Barnum presented at Blackhat & RSAC this year
  16. IODEF
     • Incident Object Description Exchange Format
     • Developed by members of the Internet Engineering Task Force
     • Defines a data representation that provides a framework for sharing information commonly exchanged by CSIRTs about computer security incidents
     • Currently being updated
  17. APT1 Report & Actionable Intelligence
     • “What is an IOC?”
     • “There’s an appendix?”
     • “What do I do with it?”
     • Intelligence needs to be consumed in an automated manner
     • Vendors are very picky eaters when it comes to consuming intelligence
     • We suffer from vendor intelligence ecosystem lockdown
  18. Nonbelievers
     “Nothing but a couple of guys running around out there and we gotta take them down!”
  19. Recommendations
     • You don’t have to be the NSA or DOD to leverage intelligence
     • CTI is a marathon, not a sprint
     • Monitor, then block commodity threats
     • Share, share, share and share some more
     • Use the tools that meet your unique needs but don’t get wrapped up in technology; remember people, process and oversight
     • Develop your own company-specific threat reports/infographics
  20. 2013 Planned Research
     • Seven Habits of Highly Effective Incident Response Teams
     • Proactive Defense: Operational and Management Implications
     • Market Overview: Threat Intelligence Services
     • Wave: Managed Service Provider Threat Intelligence Services
  21. Thank you
     Rick Holland
     [email protected]
     http://blogs.forrester.com/rick_holland
     @rickhholland