Tactical threat intelligence gotcha down? There is a better way.

Rick Holland
September 12, 2016

Presented at the Anomali Detect conference (https://www.anomali.com/anomali-detect). Many organizations are taking the wrong approach to their threat intelligence programs. Indiscriminate investment has yielded anything but actionable intelligence, and Indicators of Exhaustion (IOEs) are overwhelming us all. In this talk, former Forrester analyst Rick Holland discusses shifting from the consumption of "tacticool" intelligence to the production of your own meaningful threat intelligence. Rick focuses on the critical people, process, and tradecraft components required to raise the maturity of your threat intelligence program.



Slide 5: Countermeasures
  "At least five teams have swept their hotels, locker rooms or coaches' booths in New England for listening devices, sometimes hiring outside professionals."
Slide 24: Growing your own analysts
  - Join advisory boards to guide university programs
  - Expect 2-3 years out of entry-level analysts
  - A well-understood career path is critical
  - Complement your junior staff with seasoned analysts
Slide 25: Recruit in San Antonio
  - Air Force cyber
  - Air Force intelligence
  - NSA Central Security Service
  - University of Texas San Antonio
Slide 26: Recruit in Augusta
  - Military Intelligence
  - NSA Central Security Service
  - ARCYBER relocation
Slide 29: Coach Bear Bryant
  "It's not the will to win but the will to prepare to win that makes the difference."
Slide 30: Planning and Direction
  "The determination of intelligence requirements, development of appropriate intelligence architecture, preparation of a collection plan, and issuance of orders and requests to information collection agencies."
  Source: JP 2-01, Joint and National Intelligence Support to Military Operations
Slide 31: Intelligence requirements
  "Any subject, general or specific, upon which there is a need for the collection of information or the production of intelligence."
  Source: JP 2-01, Joint and National Intelligence Support to Military Operations
Slide 33: Sample requirements
  - Who has targeted our organization in the past?
    - How can we get indications and warnings of future attacks?
    - How can we get evidence of previous attacks?
  - Who are the actors that target our vertical?
  - What TTPs do our adversaries employ?
Slide 34: Sample requirements (continued)
  - Which adversary campaigns affect us/our vertical?
  - Which global events could impact our business/vertical?
  - What critical business activities must we protect?
Slide 36: Collection activities
  - Identify your ability to address each requirement
  - Identify gaps in collection capabilities
  - Source capabilities internally or externally
  - Measure collection results against your ability to answer the requirement
Slide 38: Who has targeted our organization in the past?
  - Nothing is more relevant than your own intrusions
  - Build dossiers on your intrusions
  - Key input to your collection strategy
  Source: The Diamond Model of Intrusion Analysis: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
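One way to make "build dossiers on your intrusions" concrete is to record each intrusion event on the four core Diamond Model features (adversary, capability, infrastructure, victim) and then pivot across events on shared capability or infrastructure, so that separate tickets collapse into activity groups and the shared features become collection targets. The example below is added here and is not code from the deck or from the Diamond Model paper; the event IDs, host names, tool names and addresses are constructed sample data, and clustering purely by shared capability/infrastructure strings is a simplification of the paper's activity-thread analysis, not its method.

```python
"""Intrusion dossiers on the Diamond Model's four core features, with a
pivot that merges events sharing capability or infrastructure into activity
groups and summarises what each group tells the collection plan.
All sample data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    adversary: str                  # "unknown" when unattributed (the usual early state)
    capability: FrozenSet[str]      # malware families, tooling, exploits used
    infrastructure: FrozenSet[str]  # C2 hosts, domains, sender addresses
    victim: str                     # asset or business unit affected
    phase: str                      # kill-chain phase (a Diamond meta-feature)
    timestamp: str                  # ISO 8601


def pivot_features(ev: DiamondEvent) -> Set[str]:
    """Features an analyst pivots on. Tagged so a domain and a tool that happen to
    share a string never collide."""
    return ({f"cap:{c}" for c in ev.capability}
            | {f"infra:{i}" for i in ev.infrastructure})


def activity_groups(events: List[DiamondEvent]) -> List[Set[str]]:
    """Union-find over events: any two events sharing a pivot feature land in the
    same activity group. Returns groups as sets of event IDs, sorted for stability."""
    parent: Dict[str, str] = {e.event_id: e.event_id for e in events}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    first_seen: Dict[str, str] = {}  # pivot feature -> first event carrying it
    for e in events:
        for f in pivot_features(e):
            if f in first_seen:
                parent[find(e.event_id)] = find(first_seen[f])
            else:
                first_seen[f] = e.event_id

    groups: Dict[str, Set[str]] = {}
    for e in events:
        groups.setdefault(find(e.event_id), set()).add(e.event_id)
    return sorted(groups.values(), key=lambda g: sorted(g))


def dossier_summary(events: List[DiamondEvent], groups: List[Set[str]]) -> List[dict]:
    """Per activity group: the events, the adversaries and victims involved, and the
    features to put on the collection plan ("watch these domains / this tooling")."""
    by_id = {e.event_id: e for e in events}
    summary = []
    for g in groups:
        evs = [by_id[i] for i in sorted(g)]
        collect_on: Set[str] = set()
        for e in evs:
            collect_on |= pivot_features(e)
        summary.append({
            "events": sorted(g),
            "adversaries": sorted({e.adversary for e in evs}),
            "victims": sorted({e.victim for e in evs}),
            "collect_on": sorted(collect_on),
        })
    return summary


# Constructed sample dossier: three tickets that are really one intrusion
# (E1 and E2 share a staging domain, E2 and E3 share a RAT) plus an unrelated
# web-shell event. Names and addresses are hypothetical.
SAMPLE_EVENTS = [
    DiamondEvent("E1", "unknown", frozenset({"macro-dropper"}),
                 frozenset({"update-cdn.example.net"}), "finance-ws-12",
                 "delivery", "2016-08-01T09:12:00Z"),
    DiamondEvent("E2", "unknown", frozenset({"rat-x"}),
                 frozenset({"update-cdn.example.net"}), "finance-ws-12",
                 "c2", "2016-08-01T09:40:00Z"),
    DiamondEvent("E3", "unknown", frozenset({"rat-x"}),
                 frozenset({"203.0.113.7"}), "hr-ws-3",
                 "c2", "2016-08-09T14:05:00Z"),
    DiamondEvent("E4", "unknown", frozenset({"webshell"}),
                 frozenset({"198.51.100.9"}), "dmz-web-1",
                 "exploitation", "2016-08-20T22:30:00Z"),
]

if __name__ == "__main__":
    grouped = activity_groups(SAMPLE_EVENTS)
    for entry in dossier_summary(SAMPLE_EVENTS, grouped):
        print(entry)
```

Running it on the sample data merges E1, E2 and E3 into one activity group whose collection targets are the staging domain, the second C2 address and the RAT, while E4 stays separate; the two victims in the first group are exactly the "who has targeted us before" answer the requirement asks for, and the `collect_on` list is what feeds the collection plan on slide 36.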
Slide 45: What is the digital footprint for these risks?
  - Application
  - End user
  - Network
  - Server
  - 3rd party
  - Internal and external
Slide 46: Which entities are associated with these risks?
  - Administrative staff
  - Business owners
  - End users
  - 3rd party business partners
Slide 54: Tony Romo
  "I feel good about the fact that was probably as tough of a hit I've taken on the back as I've had in the last five years. From that regard, I feel very lucky that it can hold up and I can keep going."
Slide 55: Homer Sports Fan
  A cognitive bias that results in a tendency to hold one's favorite sports team in irrationally high regard regardless of its demonstrated ability to deliver and win games. It typically wanes as a season progresses.
Slide 58: Absence of Evidence
  - "Intelligence analysts should be able to recognize what relevant evidence is lacking and factor this into their calculations."
  - "Consider whether the absence of information is normal or is itself an indicator of unusual activity or inactivity."
  Source: https://www.cia.gov/library/center-for-the-study-of-intelligence/csi-publications/books-and-monographs/psychology-of-intelligence-analysis/PsychofIntelNew.pdf
Slide 65: Formalize an Intelligence Product Portfolio
  - Continue with operational products
    - E.g. dossiers, technical analysis, daily threat summaries
  - Create tailored ad hoc summaries for relevant threats
Slide 66: Formalize an Intelligence Product Portfolio (continued)
  - Create your own version of the Verizon DBIR
  - Forecasts:
    - Regional threats in new areas of operations
    - Threats to specific product launches
Slide 67: Do Now
  - Apply significant effort to developing and retaining talent
  - Include structured analytic techniques in your assessments
  - Create intelligence products that are tied back to critical business risks
Slide 68: Go Cowboys!
  Twitter: @rickhholland
  Speaker Deck: https://speakerdeck.com/rick_holland
  Blog: https://www.digitalshadows.com/blog-and-research/profile/rick-holland/