![What would you do with intelligence?
Identify Indicators of Compromise (IOCs)[forensic artifacts of an intrusion that can be identified on a host or network]
Create machine consumable information -Notable frameworks OpenIOC, CybOX, IODEF
Perform accurate detection across the enterprise
Conduct a kill-chain based analysis to respond appropriately
Map the findings/possible effects to business priorities/activities
Develop strategic information for the senior leadership and decision makers](https://image.slidesharecdn.com/road-mapforactionablethreatintelligencev2-141021135138-conversion-gate02/85/Road-map-for-actionable-threat-intelligence-8-320.jpg)
Road map for actionable threat intelligence
- 1. Road-map for actionable threat intelligence Making Information Security Smarter AbhiSingh, CISSP, CISA, CRISC, CISM, CCSK
- 2. Tuesday, February 12, 2013 State of the Union Address Wednesday, October 2, 2012 U.S. Cyber Command GEN Keith Alexander Thursday, December 19, 2013 Headline of the day External92% Internal passive4% Internal active2% Unknown2%
- 3. What do I want to demonstrate? What is actionable cyber threat intelligence How does it enable business? Why actionable cyber threat intelligence is not a product? How can you develop a sound framework? What are some capabilities that you would need?
- 4. What is a Cyber Threat and Threat Intelligence? Defense Science Board Task Force on Resilient Military Systems defines Cyber Threat as: “The cyber threat is characterized in terms of three classes of increasing sophistication: those practitioners who rely on others to develop the malicious code, those who can develop their own tools to exploit publically known vulnerabilities as well as discovering new vulnerabilities, and those who have significant resources and can dedicate them to creating vulnerabilitiesin systems.” Threat Intelligence should then provide: Understanding of motivation, intents, and capabilities of attackers; and Detailed specifics on tactics, techniques, and procedures utilized.
- 5. How will Cyber Threat intelligence enable business? Make effective decisions with actionable information Save man-hours with automation –data collection, analysis, and usage Control risk, detect problems, and prioritize remediation supported by reliable data Validate existing policies and controls Demonstrate ROI –align expenses with business objectives
- 6. Where do collect the information from? Internal –SIEM, Helpdesk, Incidents, Business direction and priorities (M&A etc.), monitoring blind spots on network, Honeypots External - OSINT (using Matego, Shodan, metagoofiletc.) Pastebin, Google, Facebook etc. Cyveillance, Dell, iSIGHT, Mandiant, RSA, Verisign, Verizon, At&t, Fox-IT etc. Government Industry Community Public Commercial US-CERT, InfraGard, FBI, DHS FS-ISAC, NH-ISAC, ES- ISAC, REN-ISAC
- 7. What’s the first step after gathering information? Methods and modes Metadata Threat vectors Threat sources IP and hosts Exploit modules Logs Indicators of compromise (IOC)* Geo *Indicators of compromise (IOC) -Forensic artifacts of an intrusion that can be identified on a host or network Learn and Adapt React Human aspect Machine aspect
- 8. What would you do with intelligence? Identify Indicators of Compromise (IOCs)[forensic artifacts of an intrusion that can be identified on a host or network] Create machine consumable information -Notable frameworks OpenIOC, CybOX, IODEF Perform accurate detection across the enterprise Conduct a kill-chain based analysis to respond appropriately Map the findings/possible effects to business priorities/activities Develop strategic information for the senior leadership and decision makers
- 9. Some examples of threat intelligence Host-Based •Mutexes •File names •File hashes •Registry keys Network-Based •IP addresses & address ranges •Internet Domains •AS Numbers Behavioral •Adversary tactics •Attack techniques •Compromise procedures Actor-based •Malicious actors, organizations, and nation states •Cyber attack campaigns React and recover Learn and adapt
- 10. Example of actor based threat intelligence Learn and adapt
- 11. How do you put actionable intelligence (OpenIOC) to use? IOC Editor Allow users to create IOC’s in XML format Redline Provides host investigative capabilities to users to find signs of malicious activity through memory and file analysis, and the development of a threat assessment profile. Create IOC Deploy IOC Identify potential compromise Preserve evidence Analyze data Network IOC, Host IOC SIEM, IPS, End-point tools Forensic image, System state, Logs Malware analysis, log analysis Investigation process Intelligence Sources
- 12. Therefore threat intelligence should be a business priority because.. Is a capability not a product Builds on a diverse foundation of people, processes, and technology Provides actionable information on tactics, techniques, and procedures (TTP) of adversaries Allow effective response by identifying and analyzing indicators of comprise Enables forward thinking (proactive vs. reactive approach)
- 13. So what are the next steps.. •Make threat intelligence a business priority; allocate budget and resources •Define program objectives •Determine current state of critical capabilities for “build vs. buy” e.g. of critical capabilities –malware analysis, traffic analysis, intrusion detection, legal processes, SIEM etc. •Create traffic and host baselines •Conduct resource training •Identify external sources that you plan to use 1 •Develop framework to consume sources to generate threat intelligence –people, process, technology •Formalize roles and responsibilities •Pilot the framework with select intelligence sources •Decide external and internal information sharing strategy •Modify framework to consume all intelligence sources •Start sharing information across the supply chain •Demonstrate ROI based on the threats averted •Report metrics based on the established baselines 2 3 Develop Foundation (month 0-6) Formalize Course (month 6-12) Road to Maturity (month 12 –24) Government Community Public Commercial
- 14. Thanks Abhi Singh, CISSP, CISA, CRISC, CISM, CCSK abhicrisc@gmail.com