NEED FOR THREAT INTELLIGENCE & HOW TO OPERATIONALIZE IT FOR YOUR ORGANIZATION
ADITYA MUKHERJEE
ATTRIBUTION
• 12 yrs. & counting…
• C|CISO, CISM, SANS - FOR508 & FOR578, CIPR, CPISI, CCNA, C|HFI, C|EH
• Love to explore writing & speaking engagements
• An aspiring CISO
• Movie buff & part-time COD/PUBG enthusiast
https://www.linkedin.com/in/adityaitsecurityconsultant/
https://twitter.com/AspiringCISO
Disclaimer: *All Views, Statements expressed are Personal.*
“KNOW YOUR ENEMY AND KNOW YOURSELF, AND IN 100 BATTLES YOU WILL NOT KNOW DEFEAT.”
— SUN TZU, SUN ZI BINGFA
Need for Threat Intelligence & How to Operationalize it for your Organisation.
NEED FOR THREAT INTELLIGENCE & HOW TO OPERATIONALIZE IT FOR YOUR ORGANIZATION
• The information security industry is a fast-paced, ever-transforming field which, in the past couple of years, with the influx of off-the-shelf malware, advanced exploit kits and paid DDoS services, has seen an increase in the importance of timely, proactive response. To enable the organization to successfully mount an impregnable defense, the need of the hour is to capture, analyze and provide actionable information that can be used to safeguard the organization. Enter 'Cyber Threat Intelligence'.
• Cyber Threat Intelligence is a new yet massively evolving domain in information security today. Since the beginning of time, information (knowledge) has always been regarded as a critical form of advantage in any strategy-making process. CTI over the years has evolved from a loosely perceived set of skills and techniques to a well-defined framework, driven by new market requirements spawned by recent threat activity in the ever-changing IT landscape, which has brought sophisticated attacks such as state-sponsored cyber-attacks, ransomware, APTs, zero-days and hacktivism to the very doorstep of government and of big and small corporations alike.
CYBER THREAT INTELLIGENCE
According to CERT-UK, Cyber Threat Intelligence (CTI) is an "elusive" concept. While cybersecurity comprises the recruitment of IT security experts and the deployment of technical means to protect an organization's critical infrastructure or intellectual property, CTI is based on the collection of intelligence using open source intelligence (OSINT), social media intelligence (SOCMINT), human intelligence (HUMINT), technical intelligence or intelligence from the deep and dark web. CTI's key mission is to research and analyze trends and technical developments in three areas:
1. Cybercrime
2. Hacktivism
3. Cyberespionage (advanced persistent threat, APT, or cyber spying)
THREAT ATTRIBUTES
• Political - environment at both a macro & micro level
• Legal - and regulatory environment, including compliance (e.g. reporting) requirements
• Economic - environment & indicators
• Socio-cultural - including the important people aspect
• Technical - environment (e.g. logging)
• Physical - environment & location
CLASSIFICATION OF THREAT INTELLIGENCE
• Tactical: attacker methodologies, tools and tactics - relies on sufficient resources and involves specific actions against potentially dangerous actors attempting infiltration
• Technical: indicators of specific malware
• Operational: details of a specific incoming attack; assesses an organisation's ability to determine future cyber-threats
• Strategic: high-level information on changing risk (strategic shifts) - senior leadership is required for a thorough determination to critically assess threats
WHY IS IT IMPORTANT?
• Provides context and relevance to a large amount of data
• Empowers organizations to develop a proactive cybersecurity posture and to bolster overall risk management policies
• Informs better decision-making during and following the detection of a cyber intrusion
• Drives momentum toward a cybersecurity posture that is predictive, not just reactive
• Enables improved detection of advanced threats
APT & GEO-POLITICS?
Influential geopolitical countries, such as the US, Russia, China and Iran, use cyberspace as an extension of their foreign and intelligence collection policies. To achieve these objectives, they have formed APT units that primarily specialize in the following fields:
• Collection of sensitive data from business or government computer systems
• Electronic penetration or sabotage of critical infrastructure computer systems (for example, read about Stuxnet)
A combination of CTI with political risk analysis, which includes a deep understanding of current geopolitical disputes and leadership's ulterior political motives, can help analysts understand future cyberwarfare patterns.
THREAT INTELLIGENCE PLATFORM (TIP)?
COLLECT, MANAGE, AND SHARE THREAT INTELLIGENCE
• Threat intelligence platforms can be deployed as a SaaS or on-premises solution to facilitate the management of cyber threat intelligence and associated entities such as actors, campaigns, incidents, signatures, bulletins, and TTPs. A TIP is defined by its capability to perform four key functions:
1. Aggregation of intelligence from multiple sources
2. Curation, normalization, enrichment, and risk scoring of data
3. Integrations with existing security systems
4. Analysis and sharing of threat intelligence
#Ingestion #Enrichment #Analysis #Collaboration #Integration
Image Source: https://www.anomali.com/resources/what-is-a-tip
LEADING ISACS
INFORMATION SHARING AND ANALYSIS CENTERS
• ISACs are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators.
• An ISAC is a coordinating body designed to maximize information flow across the private sector critical infrastructures and with government.
• ISACs have demonstrated success in providing operational services - such as risk mitigation, incident response, & information sharing - that protect critical infrastructures. Other ISAC services include annual meetings, technical exchanges, workshops, and webinars.
Image Source: https://www.nationalisacs.org/member-isacs
OPERATIONALIZING THREAT INTEL.
• Rationalize threat intelligence programs
• Establish threat intelligence quality metrics
• Evaluate threat intelligence inputs and output
• Build a realistic plan for threat intelligence sharing
Image Source: https://azeria-labs.com/iocs-vs-ttps/
THREAT INTEL – IOC
THREAT INTEL – TTP
INFORMATION TO ACTIONABLE INTELLIGENCE
• Threat data - attribution, tactics, hash, exploited CVEs, IP, domain, industry, vertical, device types
• Collection points – public resources, TI feeds, internal triage & analysis
• Extraction, validation, enrichment, association
The key is to measure your TI with respect to:
• Confidence
• Relevance
• Severity
• Context
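The pipeline the TIP and "information to actionable intelligence" slides describe (aggregate feeds, normalize and de-duplicate, enrich with internal context, then score by confidence, relevance, severity and context), as an added Python example that is not part of the deck. Feed names, reliability values, scoring weights, sector tags and the proxy log lines are all constructed assumptions.

```python
# Added example, not from the slides: aggregate indicators from several feeds,
# normalize and de-duplicate them, enrich with internal context and score each
# by Confidence, Relevance, Severity and Context as the deck recommends.
# Feed records, sector tags, weights and proxy log lines are constructed data.
import re
from dataclasses import dataclass, field

# Constructed feeds: (feed name, analyst-assigned reliability 0..1,
# records as (type, value, severity, targeted sectors)). The same
# indicator appears in several feeds, defanged and cased differently.
FEEDS = [
    ("osint-feed-a", 0.5, [
        ("url", "hxxp://203[.]0[.]113[.]10:8082/gate.php", "high", ["finance"]),
        ("md5", "D41D8CD98F00B204E9800998ECF8427E", "medium", []),
    ]),
    ("vendor-feed-b", 0.9, [
        ("url", "http://203.0.113.10:8082/gate.php", "high", ["finance", "retail"]),
        ("domain", "Update-Check[.]Example", "low", ["healthcare"]),
    ]),
    ("internal-triage", 1.0, [
        ("md5", "d41d8cd98f00b204e9800998ecf8427e", "high", ["finance"]),
    ]),
]
# Constructed proxy log lines: nothing is more relevant than your own environment.
INTERNAL_LOGS = [
    "2024-05-01T10:02:11Z ws-0142 GET http://203.0.113.10:8082/gate.php 200",
    "2024-05-01T10:05:40Z ws-0377 GET http://intranet.example/home 200",
]
OUR_SECTORS = {"finance"}              # the organisation's own vertical
SEVERITY = {"low": 1, "medium": 2, "high": 3}


def normalize(ioc_type: str, value: str) -> str:
    """Refang and canonicalize so the same indicator from two feeds compares equal."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".")
    value = re.sub(r"^hxxp", "http", value, flags=re.I)
    if ioc_type in ("md5", "sha1", "sha256", "domain"):
        return value.lower()
    if ioc_type == "url":
        # Scheme and host are case-insensitive; the path may not be, so keep it.
        m = re.match(r"^([a-z]+://)([^/]+)(.*)$", value, flags=re.I)
        if m:
            return m.group(1).lower() + m.group(2).lower() + m.group(3)
    return value


@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: dict = field(default_factory=dict)     # feed name -> reliability
    severities: set = field(default_factory=set)
    sectors: set = field(default_factory=set)


def aggregate(feeds):
    """TIP functions 1 and 2: pull in every feed, merge duplicates by normalized value."""
    merged = {}
    for name, reliability, records in feeds:
        for ioc_type, raw, severity, sectors in records:
            key = (ioc_type, normalize(ioc_type, raw))
            ind = merged.setdefault(key, Indicator(*key))
            ind.sources[name] = reliability
            ind.severities.add(severity)
            ind.sectors.update(sectors)
    return list(merged.values())


def seen_internally(ind, logs):
    needle = ind.value
    if ind.ioc_type == "url":           # match on host:port rather than the full URL
        needle = re.match(r"^[a-z]+://([^/]+)", ind.value).group(1)
    return any(needle in line.lower() for line in logs)


def score(ind, logs, our_sectors):
    # Confidence: noisy-OR over source reliabilities, so corroboration raises it.
    miss = 1.0
    for reliability in ind.sources.values():
        miss *= 1.0 - reliability
    confidence = 1.0 - miss
    severity = max(SEVERITY[s] for s in ind.severities) / 3.0
    internal = seen_internally(ind, logs)
    # Relevance: a sighting in our own environment beats sector overlap beats nothing.
    relevance = 1.0 if internal else 0.6 if ind.sectors & our_sectors else 0.2
    # Context: is the targeted sector known, and is the indicator multi-source?
    context = 0.5 * bool(ind.sectors) + 0.5 * (len(ind.sources) > 1)
    priority = 0.3 * confidence + 0.3 * relevance + 0.25 * severity + 0.15 * context
    return {"type": ind.ioc_type, "value": ind.value, "sources": sorted(ind.sources),
            "confidence": round(confidence, 3), "relevance": relevance,
            "severity": round(severity, 3), "context": context,
            "seen_internally": internal, "priority": round(priority, 3)}


def prioritize(feeds=FEEDS, logs=INTERNAL_LOGS, our_sectors=OUR_SECTORS):
    """De-duplicated indicators, highest priority first, ready for SIEM/SOAR hand-off."""
    return sorted((score(i, logs, our_sectors) for i in aggregate(feeds)),
                  key=lambda s: s["priority"], reverse=True)
```

The three feeds collapse to three indicators; the URL seen in both feeds and in the proxy logs lands on top, and the single-source, off-vertical domain falls to the bottom.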
THREAT INTELLIGENCE RELEVANCE ACROSS SECURITY DOMAINS
1. IDENTIFICATION – Inform about new & existing risks
2. PROTECTION – Prioritize proactive controls and mitigations
3. DETECTION – Deliver actionable & relevant indicators
4. RESPONSE – Support incident analysis & response
APPLYING THREAT INTELLIGENCE TO THE DIAMOND MODEL OF INTRUSION ANALYSIS
• Piece together a more cohesive picture of the threat & how it operates
• Relevancy is hard
• Tactical, operational, strategic inputs
• There is no silver bullet
Image Source: https://www.recordedfuture.com/diamond-model-intrusion-analysis//
http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
DIAMOND MODEL OF INTRUSION ANALYSIS – ACTIVITY-ATTACK GRAPH
Image Source: http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
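An added Python example, not from the deck or from the Diamond Model paper, of the model's four core features as data and the analytic pivot that links individual events into an activity thread; the event records, host names and the adversary name "group-red" are constructed.

```python
# Added example, not from the slides or the Diamond Model paper: represent
# intrusion events by the model's four core features and pivot on shared
# features to link them into an activity thread. All events are constructed.
from dataclasses import dataclass

# Kill-chain phases used to order a thread.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command-and-control", "actions-on-objectives"]
UNKNOWN = "unknown"


@dataclass(frozen=True)
class Event:
    """One intrusion event: an adversary uses a capability over infrastructure
    against a victim to produce a result (the model's axiom)."""
    event_id: str
    phase: str
    adversary: str
    capability: str
    infrastructure: str
    victim: str
    result: str = UNKNOWN


# Constructed events: one unattributed intrusion, one attributed event that
# shares its infrastructure and capability, and one unrelated alert.
EVENTS = [
    Event("E1", "delivery", UNKNOWN, "phishing-doc", "mail-relay.example", "hr-ws-07"),
    Event("E2", "exploitation", UNKNOWN, "macro-dropper", "cdn-update.example", "hr-ws-07", "code-exec"),
    Event("E3", "command-and-control", UNKNOWN, "rat-x", "cdn-update.example", "hr-ws-07", "beaconing"),
    Event("E4", "delivery", "group-red", "phishing-doc", "mail-relay.example", "fin-ws-12"),
    Event("E5", "exploitation", UNKNOWN, "cred-stuffing", "198.51.100.7", "vpn-gw", "failed"),
]


def pivot(seed_id, events, features=("infrastructure", "capability", "victim")):
    """Analytic pivot: from a seed event, collect every event that shares a known
    value for one of the chosen features, transitively. Returns the thread
    ordered by kill-chain phase."""
    by_id = {e.event_id: e for e in events}
    thread, frontier = {seed_id}, [seed_id]
    while frontier:
        cur = by_id[frontier.pop()]
        for other in events:
            if other.event_id in thread:
                continue
            if any(getattr(cur, f) == getattr(other, f) != UNKNOWN for f in features):
                thread.add(other.event_id)
                frontier.append(other.event_id)
    return sorted((by_id[i] for i in thread),
                  key=lambda e: (PHASES.index(e.phase), e.event_id))


def attribution_candidates(thread):
    """Adversaries named on any event in the thread; unattributed events inherit them."""
    return sorted({e.adversary for e in thread if e.adversary != UNKNOWN})


def intelligence_gaps(thread):
    """Kill-chain phases with no observed event between the first and last seen,
    plus core features still unknown: these become collection requirements."""
    idx = [PHASES.index(e.phase) for e in thread]
    observed = set(idx)
    missing_phases = [PHASES[i] for i in range(min(idx), max(idx) + 1) if i not in observed]
    unknown_features = sorted({f for e in thread for f in ("adversary", "result")
                               if getattr(e, f) == UNKNOWN})
    return {"missing_phases": missing_phases, "unknown_features": unknown_features}
```

Pivoting from the unattributed E2 pulls in E1, E3 and E4, so the thread inherits the "group-red" attribution and exposes the missing installation-phase observation; the unrelated E5 stays out.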
ATT&CK MATRIX
BEST PRACTICES
• Conduct (post-)incident analysis and identify gaps in intelligence capability.
• Measure and track – MTD, MTR. Identify pain points & analyze how TI can help.
• Make a business case and measure ROI.
• Cyclic evaluation of intel sources for confidence and quality.
• Evaluate for improvements (speed/context) & automate.
• Create your own intelligence & look for new sources.
• Cultivate brand monitoring & threat hunting.
• Build a good team.
KEY TAKEAWAYS
• Implement a threat intelligence program.
• Identify your CJs, HVTs & attack scenarios.
• Understand who your adversaries are and the threats that you face (vertical/geo).
• Collaborate with CERT & ISAC.
• Targeted threat intelligence?
• Share…share…share
RESOURCES:
• http://www.activeresponse.org/the-diamond-model/
• https://www.sans.org/cyber-security-summit/archives/file/summit-archive-1492183422.pdf
• @rickhholland & @likethecoins
• https://attack.mitre.org/resources/getting-started/
• http://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
• https://medium.com/@thectiguy/attribution-versus-actor-centric-threat-intelligence-8ed722a7d4aa
• https://medium.com/mitre-attack/getting-started-with-attack-cti-4eb205be4b2f
• https://www.recordedfuture.com/effective-intelligence-requirements/
• https://www.brookcourtsolutions.com/wp-content/uploads/2017/07/brookcourt-applying-threat-intelligence.pdf
THANK YOU
QUESTIONS ?


Editor's Notes

  • #4: Threat intelligence and its associated terms are influenced by the military domain, which in turn is inspired by psychology.
  • #7: Political environment, at both a macro and micro level • Legal and regulatory environment, including compliance (e.g. reporting) requirements • Economic environment • Socio-cultural, including the important people aspect • Technical environment (e.g. logging).
  • #14: Identify sources that define and explain the evolving threat landscape & document how the sources will be used. Enrichment sources: Passive DNS (Farsight) ‣ WHOIS (DomainTools) ‣ Infrastructure (PassiveTotal) ‣ Malware (VirusTotal) ‣ GeoIP (MaxMind). Internal enrichment: Identity • Asset • Data value • Vulnerabilities
  • #15: US, UK, India, Lux, Israel – CERT. Fundamental driving forces to join or establish: share knowledge about incidents and threats, increase your maturity level, network and develop contacts. Energy Analytic Security Exchange (EASE) | Energy Sector Security Consortium, Inc. (EnergySec) | Financial Services Information Sharing and Analysis Center (FS-ISAC) | Global Resilience Federation | H-ISAC - Health Care and Public Health sector (HPH) | Legal Services Information Sharing and Analysis Organization (LS-ISAO) | Multi-State Information Sharing and Analysis Center® (MS-ISAC®) | UBF-ISAC - UAE Banks Federation | IT-ISAC, NH-ISAC, EI-ISAC, Auto-ISAC, Aviation ISAC, Communications ISAC, Defense Industrial Base ISAC, Downstream Natural Gas ISAC, Emergency Management and Response ISAC, Oil & Natural Gas ISAC.
  • #16: Rationalize what they buy and how it is used & centralize threat intelligence collection and processing. A lot of threat intelligence is nothing more than redundant data on indicators of compromise (IoC) such as malicious IP addresses, URLs and domains. A lot of this is available for free on OS platforms, so you don't need to shell out a huge budget unless it's adding unique value. Alternatively, CISOs must decide on quality metrics for threat intelligence in terms of timeliness, relevance and alignment with their organization's industry, location, etc. (Context & relevance is the key.) Just don't consume, make it actionable. What's the business outcome, what's the value proposition? Integrate it into your security platforms like SIEM & SOAR. TI should serve as a means to an end: "threat hunting" or "incident response". There is an imminent need for threat sharing; most enterprise organizations are way behind when it comes to real-time ad hoc threat intelligence sharing. CISOs should lead an effort that includes IT, legal and business management to establish a plan for what can be shared and when. How many of us share our threat indicators with CERT-IN? Often you can find additional data points and artifacts that are not publicly known that CERT can help with. Look at BrightPoint Security (acquired by ServiceNow), ThreatConnect or ThreatQuotient, which are designed to help with all the steps described above.
  • #19: No threat intel is more relevant than what is occurring within your own environment. An integrated threat approach is crucial to success – it provides visibility, insights, correlation and streamlining. Enrichment sources: Passive DNS (Farsight) ‣ WHOIS (DomainTools) ‣ Infrastructure (PassiveTotal) ‣ Malware (VirusTotal) ‣ GeoIP (MaxMind). Internal enrichment: Identity • Asset • Data value • Vulnerabilities
  • #21: This model emphasizes the relationships and characteristics of four basic components: the adversary, capabilities, infrastructure, and victims. The main axiom of this model states, "For every intrusion event, there exists an adversary taking a step toward an intended goal by using a capability over infrastructure against a victim to produce a result." This means that an intrusion event is defined by how the attacker demonstrates and uses certain capabilities and techniques over infrastructure against a target.
  • #22: An activity-attack graph example illustrating the integration of knowledge of actual adversary attack paths with the multitude of hypothetical attack paths that could be taken. Using an activity-attack graph highlights the potential paths of an adversary in the future as well as the preferred paths based on current knowledge of the environment.
  • #23: An important aspect of ATT&CK is how it integrates cyber threat intelligence (CTI). Unlike previous ways of digesting CTI that were used primarily for indicators, ATT&CK documents adversary group behavior profiles, such as APT29, based on publicly available reporting to show which groups use what techniques. Usually, individual reports are used to document one particular incident, but this makes it difficult to compare what happened across incidents or groups and come to a conclusion on what types of defenses were most effective. With ATT&CK, analysts can look across groups of activity by focusing on the technique itself. When deciding how to focus defensive resources, analysts might want to start with techniques that have the highest group usage.
  • #24: Find the behavior, research the behavior, translate the behavior into a tactic, figure out what technique applies to the behavior, compare your results.
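The prioritisation the notes for slides 23 and 24 describe (look across groups by technique and start with the techniques of highest group usage, then compare against what you already detect), as an added Python example that is not from the deck or from MITRE. The technique IDs and names are real ATT&CK entries; the group behaviour profiles, the set of relevant groups and the detection inventory are constructed.

```python
# Added example, not from the slides or MITRE: rank ATT&CK techniques by how
# many tracked groups use them and compare with existing detections to find
# coverage gaps, as the speaker note for slide 23 suggests.
# Technique IDs and names are real ATT&CK entries; which constructed group uses
# which technique, and the detection inventory, are made up for this example.
from collections import Counter

TECHNIQUE_NAMES = {
    "T1566": "Phishing",
    "T1059": "Command and Scripting Interpreter",
    "T1078": "Valid Accounts",
    "T1003": "OS Credential Dumping",
    "T1105": "Ingress Tool Transfer",
    "T1021": "Remote Services",
    "T1190": "Exploit Public-Facing Application",
}
# Constructed group behaviour profiles (the real ones come from ATT&CK's
# group pages, built from public reporting).
GROUP_TECHNIQUES = {
    "group-a": {"T1566", "T1059", "T1078", "T1003", "T1105"},
    "group-b": {"T1566", "T1059", "T1021", "T1105"},
    "group-c": {"T1078", "T1059", "T1003"},
    "group-d": {"T1566", "T1190"},
}
# Constructed: groups assessed as relevant to our vertical/geography
# ("understand who your adversaries are").
RELEVANT_GROUPS = {"group-a", "group-b", "group-c"}
# Constructed: techniques for which a detection already exists.
DETECTIONS = {
    "T1566": ["mail-gw-attachment-sandbox"],
    "T1003": ["edr-lsass-memory-access"],
    "T1021": ["siem-lateral-rdp-fanout"],
}


def technique_usage(group_techniques, groups=None):
    """How many (relevant) groups use each technique."""
    usage = Counter()
    for group, techniques in group_techniques.items():
        if groups is None or group in groups:
            usage.update(techniques)
    return usage


def detection_gaps(group_techniques, detections, groups=None):
    """Techniques used by the most relevant groups that we cannot yet detect,
    most-used first. Start building detections at the top of this list."""
    usage = technique_usage(group_techniques, groups)
    gaps = [(tid, count) for tid, count in usage.items() if tid not in detections]
    return sorted(gaps, key=lambda tc: (-tc[1], tc[0]))


def group_coverage(group_techniques, detections, groups=None):
    """Share of each group's known techniques covered by a detection, lowest
    first: the group we are least prepared for."""
    rows = []
    for group, techniques in group_techniques.items():
        if groups is None or group in groups:
            covered = sum(1 for t in techniques if t in detections)
            rows.append((group, round(covered / len(techniques), 2)))
    return sorted(rows, key=lambda gc: (gc[1], gc[0]))


def report(groups=RELEVANT_GROUPS):
    """Human-readable gap list for the relevant groups."""
    gaps = detection_gaps(GROUP_TECHNIQUES, DETECTIONS, groups)
    return [f"{tid} {TECHNIQUE_NAMES[tid]}: used by {n} of {len(groups)} "
            f"relevant groups, no detection" for tid, n in gaps]
```

With these constructed profiles, T1059 is used by every relevant group and has no detection, so it tops the gap list, while T1190 drops out because only a non-relevant group uses it.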