Tactical threat intelligence gotcha down? There is a better way.

Transcript

1. Tactical threat intelligence gotcha down? There is a better way.

   Rick Holland, VP Strategy @rickhholland

2. 2 Are you ready for some football!

3. Masters of espionage 3

4. Masters of OSINT 4

5. Countermeasures 5 “At least five teams have swept their hotels,

   locker rooms or coaches’ booths in New England for listening devices, sometimes hiring outside professionals.”

6. Looking back over the past 4+ years 6

7. 7 Long form intelligence reporting

8. 8 Self licking ice cream cones

9. 9 Difficult to operationalize

10. 10 Ain’t nobody got time for that!

11. 11

12. 12 Expense in Depth

13. 13 Consumption focused

14. Indicators of Exhaustion (IOEs) 14 There’s too many of them!

15. Relevancy? 15   My vertical?   My geography?   My

    threat model?

16. Uncle Rico threat intelligence (unrealistic) 16

17. 17 Getting strategic with intelligence 1.  People 2.  Process 3. 

    Tradecraft @rickhholland

18. 18 Analysts

19. 19 Build?

20. 20 Or buy?

21. 21 6 year $114.5M contract

22. 6th round pick 22

23. 23 Better grow your own analysts

24. Growing your own analysts 24   Join advisory boards to

    guide university programs   Expect 2-3 years out of entry level analysts   A well understood career path is critical   Complement your junior staff with seasoned analysts

25. Recruit in San Antonio 25   Air Force cyber  

    Air Force intelligence   NSA Central Security Service   University of Texas San Antonio

26. Recruit in Augusta 26   Military Intelligence   NSA Central

    Security Service   ARCYBER relocation

27. 27 Getting strategic with intelligence 1.  People 2.  Process 3. 

    Tradecraft @rickhholland

28. Intelligence cycle 28 Source: JP 2-01, Joint and NaBonal Intelligence

    Support to Military OperaBons

29. Coach Bear Bryant 29 “It’s not the will to win

    but the will to prepare to win that makes the difference”

30. Planning and Direction 30 “The determination of intelligence requirements, development

    of appropriate intelligence architecture, preparation of a collection plan, and issuance of orders and requests to information collection agencies.” Source: JP 2-01, Joint and NaBonal Intelligence Support to Military OperaBons

31. Intelligence requirements 31 “Any subject, general or specific, upon which

    there is a need for the collection of information or the production of intelligence.” Source: JP 2-01, Joint and NaBonal Intelligence Support to Military OperaBons

32. 32

33. Sample requirements 33   Who has targeted our organization in

    the past? _  How can we get indications and warnings of future attacks? _  How can we get evidence of previous attacks?   Who are the actors that target our vertical?   What TTPs do our adversaries employ?

34. Sample requirements continued 34   Which adversary campaigns affect us/our

    vertical?   Which global events could impact our business/vertical?   What critical business activities must we protect?

35. 35 Collection

36. Collection activities 36   Identify ability to address requirements  

    Identify gaps in collection capabilities   Internally or externally source capabilities   Measure collection results against ability to answer requirement

37. 37 Who has targeted our organizaBon in the past?

38. Who has targeted our organization in the past? 38  

    Nothing more relevant that your own intrusions   Build dossiers on your intrusions   Key for your collection strategy Source: The Diamond Model of Intrusion Analysis: hLp://www.acBveresponse.org/wp- content/uploads/2013/07/diamond.pdf

39. 39 Which criBcal business acBviBes must we protect?

40. 40

41. 41 Maintain a relevant and reliable experience

42. 42 Significant disruption in our computer systems

43. 43 Protect the security of information

44. 44 Interruptions in our supply chain

45. What is the digital footprint for these risks? 45  

    Application   End user   Network   Server   3rd party   Internal and external

46. Which entities are associated with these risks? 46   Administrative

    staff   Business owners   End users   3rd party business partners

47. 47 Collection What situational awareness do you have into these

    risks?

48. 48 Planning for 2017?

49. 49 What does your business have planned for 2017?

50. 50 Getting strategic with intelligence 1.  People 2.  Process 3. 

    Tradecraft @rickhholland

51. 51 Tradecraft fails with weak analysis

52. Tony Romo 52

53. This year 53

54. Tony Romo 54 “I feel good about the fact that

    was probably as tough of a hit I've taken on the back as I've had in the last five years. From that regard, I feel very lucky that it can hold up and I can keep going."

55. Homer Sports Fan 55 A cognitive bias that results in

    a tendency to hold one’s favorite sports team in irrational high regard regardless of legitimate ability to deliver and win games. It typically wanes as a season progresses.

56. Old School Confirmation Bias 56

57. Be Careful: New School Confirmation Bias 57

58. Absence of Evidence 58   “Intelligence analysts should be able

    to recognize what relevant evidence is lacking and factor this into their calculations.”   “Consider whether the absence of information is normal or is itself an indicator of unusual activity or inactivity.” Source: hLps://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publicaBons/books-and-monographs/psychology-of- intelligence-analysis/PsychofIntelNew.pdf

59. Recommended Reading 59

60. Structured Analytic Techniques for Improving Intelligence Analysis 60 Source: hLps://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publicaBons/books-and-monographs/TradecraU%20Primer-

    apr09.pdf

61. Analysis of Competing Hypotheses Tool 61 Source: hLp://www2.parc.com/istl/projects/ach/ach.html ACH doesn’t

    seek to prove hypotheses; it instead disproves them

62. 62 Strategic Intelligence ProducBon

63. 63

64. 64 Must be tailored in terms leadership cares about ($$$)

65. Formalize an Intelligence Product Portfolio 65   Continue with operational

    products _  E.g.: Dossiers, Technical analysis Daily threat summaries   Create tailored ad hoc summaries for relevant threats

66. Formalize an Intelligence Product Portfolio 66   Create your own

    version of Verizon DBIR   Forecasts: _  Regional threats in new areas of operations _  Threats to specific product launches

67. Do Now 67   Apply significant effort to developing and

    retaining talent   Include structured analytic techniques in your assessments   Create intelligence products that are tied back to critical business risks

68. Go Cowboys! 68 Twitter: @rickhholland Speaker Deck: https://speakerdeck.com/ rick_holland Blog:

    https:// www.digitalshadows.com/ blog-and-research/profile/ rick-holland/