www.ecs.co.uk
Threat Intelligence:
State-of-the-art and trends
Secure South West 5
Andreas Sfakianakis
ECS
02/04/2015
ECS - Threat Management Strategy
• Build a picture of your adversaries. Understand their strategies, objectives, methodologies and attributes.
• Gain a clear understanding of your own network and systems alongside any weaknesses.
• Understand your countermeasures and contextual information. Bolster your countermeasures to deny attack channels.
• Establish and execute business-as-usual threat intelligence, vulnerability management, monitoring and response procedures.
• Review and report outcomes, deliverables, value and lessons learnt.
Roadmap
• Threat Landscape
• What is Threat Intelligence?
• Threat Intelligence Management
• Threat Intelligence Platforms
• Takeaways
The Global Risk Landscape
What about … Cyber?
Number of breaches per threat actor category over time
Threat Intelligence
• “We don't know what it is, but we need it.”
• Intelligence is the application of knowledge to
information
• Inform business decisions regarding the risks and
implications associated with threats.
• Data is not information, information is not
knowledge, knowledge is not intelligence,
intelligence is not wisdom.
• Buzzword of 2014!
Information versus Intelligence
Characteristics of Intelligence
Why do we need Threat Intelligence?
• Dynamic threat landscape
• Situational awareness (different sectors have
different threats)
• Defend better by knowing adversary
• From reactive to proactive
• Driving better investment strategies
• After all, it’s all about … context, context and context!
Types of Threat Intelligence
                        Strategic                            Tactical
Created by              Humans                               Machines, or humans + machines
Consumed by             Humans                               Machines and humans
Delivery time frame     Days to months                       Seconds to hours
Useful lifespan         Long                                 Short (usually)
Durability              Durable                              Fragile (*)
Ambiguity               Possible; hypotheses and leads OK    Undesirable; systems don’t tolerate it
Focus                   Planning, decisions                  Detection, triage, response
How do we build it?
• Fundamental cycle of
intelligence processing
• Civilian or military intelligence
agency / law enforcement
• Closed path consisting of
repeating nodes.
Pyramid of Pain
David Bianco
Embedding Threat Intelligence into the
DNA of an organisation
Interrupting the kill chain
The “Kill Chain” is a phase-based model that describes the stages of an attack and, by naming each stage, helps inform ways to disrupt such attacks before they complete.
Threat Intelligence Sources
• Internal
• Open source
• Commercial
• Community/Information sharing
Internally-sourced Threat Intelligence
• Detailed analysis of locally caught malware
• Detailed analysis of disk images, memory
images
• Threat actor profiles based on local data
• Artifacts shared by other organisations
• Fusing local data with shared data
• Behavioural analysis
Open Source Threat Intelligence
Open Source Tactical Feeds
Remember!
Sean Mason
Threat Intel Providers
What do Threat Intel Providers deliver?
Information Sharing
What is a Threat Intel Platform?
But…
Threat Intelligence Platforms
• ThreatConnect
• Detica CyberReveal
• IBM i2 Analyst Notebook
• Lockheed Martin Palisade
• Lookingglass ScoutPlatform
• MITRE CRITs
• Palantir
• ThreatQuotient
• ThreatStream
• Vorstack
• Codenomicon
• Soltra
• Intelworks
• IID
• ResilientSystems
• Swimlane
CRITs
(Collaborative Research into Threats)
Soltra Edge
The need for security automation
STIX standard
Consider these questions…
• What activity are we seeing?
• What threats should I be looking for and why?
• Where has this threat been seen?
• What does it do?
• What weaknesses does this threat exploit?
• Why does it do this?
• Who is responsible for this threat?
• What can I do?
Structured Threat Information Expression
STIX/TAXII Adoption
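As an added illustration that is not part of the deck, the Python below builds a small STIX 2.1-shaped bundle and walks its relationship objects to answer five of the questions above for one indicator. The bundle contents and placeholder UUIDs are constructed, and STIX 2.1 JSON objects are assumed rather than the XML-based STIX 1.x that was current in 2015.

```python
# Constructed STIX 2.1-shaped bundle; the UUIDs are placeholders, not real intel.
U = "00000000-0000-4000-8000-00000000000"   # 11 chars; one digit appended below

def sdo(kind, n, **fields):
    """Build a minimal STIX domain/relationship object with a placeholder id."""
    return {"type": kind, "id": f"{kind}--{U}{n}", **fields}

def rel(n, rtype, src, dst):
    return sdo("relationship", n, relationship_type=rtype, source_ref=src, target_ref=dst)

IND, AP, VUL, ACT, COA = (f"{k}--{U}{i}" for i, k in enumerate(
    ["indicator", "attack-pattern", "vulnerability", "threat-actor", "course-of-action"], 1))

SAMPLE_BUNDLE = {"type": "bundle", "id": f"bundle--{U}0", "objects": [
    sdo("indicator", 1, name="Phishing C2 domain", pattern_type="stix",
        pattern="[domain-name:value = 'c2.example']", valid_from="2015-04-02T00:00:00Z"),
    sdo("attack-pattern", 2, name="Spearphishing attachment"),
    sdo("vulnerability", 3, name="Unpatched document reader (placeholder)"),
    sdo("threat-actor", 4, name="Constructed Actor A"),
    sdo("course-of-action", 5, name="Sinkhole the domain at the resolver; patch the reader"),
    rel(6, "indicates", IND, AP),   # indicator        -> TTP      (what does it do?)
    rel(7, "uses", ACT, AP),        # actor            -> TTP      (who is responsible?)
    rel(8, "targets", AP, VUL),     # TTP              -> weakness (what does it exploit?)
    rel(9, "mitigates", COA, AP),   # course of action -> TTP      (what can I do?)
]}

def index_objects(bundle):
    return {o["id"]: o for o in bundle["objects"]}

def linked(bundle, obj_id, rel_type, outgoing=True):
    """Ids reached from obj_id over relationships of rel_type, following or reversing the arrow."""
    here, there = ("source_ref", "target_ref") if outgoing else ("target_ref", "source_ref")
    return [r[there] for r in bundle["objects"] if r["type"] == "relationship"
            and r["relationship_type"] == rel_type and r[here] == obj_id]

def answer_questions(bundle, indicator_id):
    """Walk the graph out from one indicator and answer the deck's STIX questions."""
    objs = index_objects(bundle)
    names = lambda ids: sorted(objs[i]["name"] for i in ids)
    ttps = linked(bundle, indicator_id, "indicates")
    via_ttps = lambda rtype, outgoing: [x for t in ttps for x in linked(bundle, t, rtype, outgoing)]
    return {
        "What threats should I be looking for and why?": objs[indicator_id]["pattern"],
        "What does it do?": names(ttps),
        "What weaknesses does this threat exploit?": names(via_ttps("targets", True)),
        "Who is responsible for this threat?": names(via_ttps("uses", False)),
        "What can I do?": names(via_ttps("mitigates", False)),
    }

if __name__ == "__main__":
    for question, answer in answer_questions(SAMPLE_BUNDLE, IND).items():
        print(f"{question:48} {answer}")
```

The same traversal generalises to the remaining questions once observed-data, sighting and campaign objects are present in the bundle.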
Takeaways
• The current state of TI is still early BUT has great potential
• Context is critical (it makes everyone’s job easier)
• Intelligence-led defence has significant operating costs
• Do not blindly invest in intelligence (first think of requirements, DIY vs buy)
• Look out for upcoming automation/tool developments
• Do not forget people and processes!
Thank you for your attention!
Questions?
@asfakian