Welcome to the world of
Cyber Threat Intelligence!
Andreas Sfakianakis - Guest Lecture at DTU - 27/04/2021
Image: EclecticIQ
whoami
• CTI Lead EMEA @ S&P Global
• CTI @ Financial and Oil & Gas sectors
• ENISA, FIRST.org, SANS, European Commission
• Twitter: @asfakian | Website: www.threatintel.eu
Outline
• Intro to CTI
• A view at the Threat Landscape
• CTI Analyst Skillset
References for this lecture can be found here:
https://threatintelblog.files.wordpress.com/2021/04/dtu_cti_101_andreas_sfakianakis_references.pdf
Intro to Cyber Threat Intelligence
Image: Katie Nickels
How old is Cyber Threat Intelligence?
When everything started in CTI!
From Intelligence to Cyber Threat Intelligence
CTI, IR and SecOps

Dimension             | Cyber Threat Intelligence       | Incident Response                       | Security Operations
Adoption              | Early adoption phase            | Mainstream since ~2010                  | Mainstream since ~2005
Focus                 | External threat monitoring      | Security incidents and risk escalation  | Notable security event monitoring
Best practices        | Evolving best practices         | Mature best practices                   | Mature best practices
Technology enablement | Evolving technology enablement  | Mature technology enablement            | Mature technology enablement

Reference: EclecticIQ
Timeline of important events in CTI history
• 1989: Cuckoo’s Egg
• 2009: Operation Aurora
• 2010: Stuxnet
• 2011: Lockheed Martin Kill Chain
• 2013: APT1 Report
• 2013: Pyramid of Pain
• 2013: Snowden Leaks
• 2014: Heartbleed
• 2015: ATT&CK
• 2016: The Shadow Brokers / US Elections
• 2017: WannaCry / Petya
APT becomes mainstream
Wider CTI adoption
CTI Hype Cycle
We are here!
How would you consume or generate (cyber threat) intelligence?
Reference: Joe Slowik
Repeat after me
Let me introduce you to the intelligence cycle
All models are wrong, but some are useful (especially within corporate environments)
Intelligence Direction
We are here !
Questions to be answered
• How do you identify which threats are relevant to your organisation?
• How do you prioritize to which threats to spend time on?
• Has your CTI team identified and connected with its stakeholders?
• How does your analysis bring value to cyber defence and to your organisation?
“CTI teams should not do intelligence for intelligence’s sake; it costs money and time”
Intelligence Requirements
• Intelligence requirements are enduring questions that consumers of intelligence need answers to.
• Answer the critical questions intelligence customers care about (not what YOU care about).
Reference: Sergio Caltagirone
CTI Focus and Stakeholders
• Tactical Intelligence: Security Engineering, SOC Team
• Operational Intelligence: Incident Responders, Threat Hunters, Vulnerability Management, Red Team, Fraud Team, Sys Admins, IT Managers
• Strategic Intelligence: C-Suite / Executives, Group Security, Risk Managers, Business Stakeholders, Regional Stakeholders, IT Architects
https://www.youtube.com/watch?v=kGqnCR6XOhQ
Reference: Katie Nickels
A Simple Threat Model
Reference: SANS
Intelligence Collection
We are here !
Where would you go to collect data for cyber threat intelligence?
Intelligence Collection Sources
• Internal Security Incident Data
  (Listen to your enemy, for God is talking. ~ Jewish Proverb)
• Internal Log Data Lake
• Internal Stakeholders
• Corporate Security/Business
• Vendor Reports
• Sharing Communities, ISACs
• Governmental Sources
• OSINT
• IOC Feeds
Reference: Scott J Roberts, https://medium.com/@sroberts/intelligence-collection-priorities-a80fa3ed73cd
Intelligence Processing
We are here !
Data versus Intelligence
• Data is a piece of information, a fact, or a statistic. Data is something that describes something that is.
• Intelligence is derived from a process of collecting, processing, and analyzing data.
• The difference between data and true intelligence is analysis.
Reference: Joint Publication 2-0
Threat Intelligence Platforms
• Open Source: MISP (2012), CIF (2012), CRITs (2014), Threat Note (2015), MineMeld (2016), Yeti (2017), OpenCTI (2018)
• Community Exchange Platforms: MISP (2012), AlienVault OTX (2012), ThreatConnect (2013), Micro Focus Threat Central (2015), IBM X-Force Exchange (2015), Facebook ThreatExchange (2015)
• Commercial: ThreatConnect (2013), Anomali (2013), EclecticIQ (2014), ThreatQuotient (2015), TruSTAR (2016), Cyware (2016), Analyst1 (2018)
The Analyst’s Dream: Data Into Buckets
Intrusion Analysis
Frameworks 101
• Kill Chain
• Diamond Model
• ATT&CK Framework
Diamond Model of Intrusion Analysis
• Adversary: Personas, Human fingerprints
• Capability: Malware, TTPs
• Infrastructure: Domains, IP addresses, Email addresses
• Victim: Systems targeted, People targeted, Sectors targeted
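The three frameworks above are most useful when you actually pivot with them: events that share a Diamond Model vertex get linked into an activity thread and ordered along the Kill Chain. The following is an added example, not code from the lecture or from the Diamond Model paper. It assumes a constructed set of six events (the event IDs, hostnames, IP addresses, malware names and the "persona:blackcoat" handle are all made up) and a deliberately simple pivot rule, chosen here as an assumption: two events link when they share a capability or a piece of infrastructure, the vertices an adversary pays the most to change, while sharing only a victim is not enough on its own.

```python
"""Diamond Model pivoting over constructed intrusion events (added example)."""
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

KILL_CHAIN = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives"]


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four Diamond vertices plus its Kill Chain phase."""
    event_id: str
    adversary: Optional[str]   # usually unknown at first; a persona if attributed
    capability: str            # malware family, tool or TTP
    infrastructure: str        # domain, IP or e-mail address the adversary used
    victim: str                # system, person or sector targeted
    phase: str                 # Kill Chain phase the event was observed in


# Constructed events; none of these values come from a real incident.
EVENTS = [
    DiamondEvent("E1", None, "Doc-macro dropper", "mail.invoice-portal.example",
                 "finance-user-07", "Delivery"),
    DiamondEvent("E2", None, "Doc-macro dropper", "203.0.113.10",
                 "finance-user-07", "Command and Control"),
    DiamondEvent("E3", None, "CustomRAT v2", "203.0.113.10",
                 "energy-hmi-03", "Command and Control"),
    DiamondEvent("E4", None, "Cobalt Strike beacon", "198.51.100.77",
                 "energy-hmi-03", "Command and Control"),
    DiamondEvent("E5", "persona:blackcoat", "Cobalt Strike beacon", "198.51.100.77",
                 "retail-pos-12", "Actions on Objectives"),
    DiamondEvent("E6", None, "Browser exploit kit", "cdn.static-assets.example",
                 "retail-pos-12", "Exploitation"),
]


def shared_vertex(a: DiamondEvent, b: DiamondEvent) -> bool:
    """Pivot rule (an assumption of this example): link on shared capability or
    infrastructure only. A shared victim alone does not link two events."""
    return a.capability == b.capability or a.infrastructure == b.infrastructure


def cluster(events):
    """Union-find over pairwise pivots; returns activity threads, each ordered
    by Kill Chain phase so the intrusion reads start to finish."""
    parent = {e.event_id: e.event_id for e in events}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    for a, b in combinations(events, 2):
        if shared_vertex(a, b):
            parent[find(a.event_id)] = find(b.event_id)

    groups = {}
    for e in events:                         # insertion order = first event seen
        groups.setdefault(find(e.event_id), []).append(e)
    return [sorted(g, key=lambda e: KILL_CHAIN.index(e.phase)) for g in groups.values()]


def summarise(group):
    """Propagate an adversary label across the thread and list what it touched."""
    adversary = next((e.adversary for e in group if e.adversary), "unknown")
    return {
        "adversary": adversary,
        "events": [e.event_id for e in group],
        "phases": [e.phase for e in group],
        "victims": sorted({e.victim for e in group}),
    }


if __name__ == "__main__":
    for thread in cluster(EVENTS):
        print(summarise(thread))
```

Run as written, the six events collapse into three threads: E1-E2-E3 (linked by the shared dropper and then the shared C2 address, spanning two victims in two sectors), E4-E5 (where the attribution seen in E5 now applies to the earlier beaconing against the energy host), and E6 on its own, because sharing a victim with E5 is not treated as evidence of the same activity. Changing `shared_vertex` is where an analyst encodes a different pivot policy.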
Intelligence Analysis
We are here !
Cognitive Biases
Overcoming Biases
Intelligence Dissemination
We are here !
(Diagram) Collection -> Analysis -> ? -> ACTION
Reference: Christian Paredes
Reference: Amy Bejtlich
Words of Estimative Probability
TLP (Traffic Light Protocol)
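Two of the steps in the cycle are easy to describe and easy to get wrong in practice: processing, where raw feed entries are turned into typed, deduplicated records (the "data into buckets" from the processing section), and dissemination, where TLP decides who may receive each record. The block below is an added example and is not code from the lecture or from any of the platforms named above. The feed is constructed: the hostnames use the reserved `.example` domain, the addresses are documentation ranges, and the hash and source names are made up. The audience-to-marking mapping follows the TLP 2.0 definitions; the choice to keep the more restrictive marking when the same indicator arrives under two markings is this example's own conservative policy.

```python
"""Processing a raw indicator feed and TLP-gating its dissemination (added example)."""
import ipaddress
import re
from dataclasses import dataclass, field

TLP_ORDER = ["CLEAR", "GREEN", "AMBER", "AMBER+STRICT", "RED"]  # least to most restrictive

# Which markings each broadcast audience may receive (TLP 2.0). RED is limited to
# the individuals it was disclosed to, so no bulk audience ever qualifies for it.
TLP_AUDIENCE = {
    "public": {"CLEAR"},
    "community": {"CLEAR", "GREEN"},                         # e.g. an ISAC or trust group
    "clients": {"CLEAR", "GREEN", "AMBER"},                  # AMBER+STRICT stays in-house
    "organisation": {"CLEAR", "GREEN", "AMBER", "AMBER+STRICT"},
}

# Constructed feed, one record per line: "<tlp>,<raw indicator>,<source>".
# It carries the usual noise: defanging, duplicates, mixed case, a non-indicator,
# and the same domain reported twice under different markings.
RAW_FEED = """\
TLP:AMBER, hxxp://evil-update[.]example/payload.exe , vendor-report
TLP:GREEN, 198.51.100.23, isac-share
TLP:GREEN, 198.51.100.23, isac-share
TLP:CLEAR, EVIL-UPDATE[.]EXAMPLE, osint-blog
TLP:AMBER, evil-update.example, vendor-report
TLP:RED, 9f86d081884c7d659a2feaa0c55ad015, internal-ir
TLP:AMBER+STRICT, admin@evil-update[.]example, partner
TLP:GREEN, not an indicator, osint-blog
"""


@dataclass
class Indicator:
    kind: str
    value: str
    tlp: str
    sources: set = field(default_factory=set)


_DEFANG = [("hxxps://", "https://"), ("hxxp://", "http://"),
           ("[.]", "."), ("(.)", "."), ("[@]", "@")]
_HEX = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")   # md5 / sha1 / sha256
_EMAIL = re.compile(r"^[^@\s]+@[a-z0-9.-]+\.[a-z]{2,}$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def refang(raw: str) -> str:
    value = raw.strip()
    for defanged, clean in _DEFANG:
        value = value.replace(defanged, clean)
    return value


def classify(value: str):
    """Return (kind, normalised value), or None when the text is not an indicator."""
    low = value.lower()
    try:
        ipaddress.ip_address(value)
        return "ip", value
    except ValueError:
        pass
    if low.startswith(("http://", "https://")):
        return "url", value
    if _HEX.match(low):
        return "hash", low
    if _EMAIL.match(low):
        return "email", low
    if _DOMAIN.match(low):
        return "domain", low
    return None


def parse_feed(text: str) -> dict:
    """Turn raw lines into deduplicated, typed, TLP-labelled indicators keyed by (kind, value)."""
    records = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        tlp_field, raw, source = (part.strip() for part in line.split(",", 2))
        tlp = tlp_field.upper()
        if tlp.startswith("TLP:"):
            tlp = tlp[4:]
        if tlp not in TLP_ORDER:
            raise ValueError(f"unknown TLP marking: {tlp_field}")
        typed = classify(refang(raw))
        if typed is None:                  # noise: drop the record, keep processing
            continue
        kind, value = typed
        key = (kind, value)
        if key in records:
            rec = records[key]
            rec.sources.add(source)
            # Same fact under two markings: keep the more restrictive one (policy choice).
            if TLP_ORDER.index(tlp) > TLP_ORDER.index(rec.tlp):
                rec.tlp = tlp
        else:
            records[key] = Indicator(kind, value, tlp, {source})
    return records


def shareable(records: dict, audience: str) -> list:
    """Values that may be disseminated to the given audience under their TLP marking."""
    allowed = TLP_AUDIENCE[audience]
    return sorted(r.value for r in records.values() if r.tlp in allowed)


if __name__ == "__main__":
    recs = parse_feed(RAW_FEED)
    for audience in TLP_AUDIENCE:
        print(audience, shareable(recs, audience))
```

Eight feed lines become five records. The domain that arrived as TLP:CLEAR from a blog and as TLP:AMBER from a vendor ends up AMBER with both sources attached, so it no longer goes to the public list; the RED hash never leaves the team that received it; the ISAC gets only the GREEN address. The same two functions are what a TIP export filter or a sharing-community connector has to implement, whichever platform sits behind them.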
Intelligence Feedback
We are here !
Wrapping up
From intelligence to CTI
Intelligence cycle
Basic CTI concepts and frameworks
End of the 1st part of the presentation
Questions?
A view at the Threat Landscape
The human behind the keyboard
Ransomware
Ransomware Trends
• Target is the whole organisation
• Data exfiltration before the ransomware payload
• Public shaming sites
• Cold-calling victims
• Ransomware cartels
• Interconnected cybercrime ecosystem
• The role of insurance companies
• OFAC guidance on ransom payment
How much is the average ransom payment?
How long does it take to get ransomwared?
Reference: DFIRReport
As a network defender, how can you detect and respond to ransomware?
State Sponsored Threat Groups
What does the term APT mean?
Reference: Recorded Future
• Advanced
• Persistent
• Threat
APT
2010: APT goes mainstream
When everything started! (version 2)
External Threat Intelligence Services Q4 2020
Source: Forrester
I see threat intelligence reports... threat intelligence reports everywhere
Bears, Pandas, Kittens and the rest
FireEye APT Groups
• FireEye’s list of sophisticated actors and its naming convention look like this:
  • APT1-27, 30/31, 40/41 = China
  • APT28/29 = Russia
  • APT32 = Vietnam
  • APT33/34/35/39 = Iran
  • APT36 = Pakistan
  • APT37/38 = North Korea
• More than 2,000 UNC (uncategorised) threat groups
CrowdStrike APT Groups
*Adversary map from 2014
Reference: Joe Slowik
How do states do attribution? What sources do they use?
On attribution
• Type of attribution
  • Person? Organisation? Country? Threat group?
• Technology enablement
• False flags
• Usage of open-source offensive tools
APT Research
Geopolitics and Cyber
• Adversary intent
• Geopolitical signaling
• Geopolitical shaping
Wrapping up
Ransomware threat
State sponsored threats
Threat group tracking
CTI Analyst Skillset
Reference: Henry Jiang
CTI Analyst Skillset
Reference: Cyber Threat Intel Analyst Tradecraft
Threat Intelligence Paths
Reference: Amy Bejtlich
• Law Enforcement
• National Security
• Military Intelligence
• Journalism
• Data Science
• Cybersecurity
Maintaining External Situational Awareness
• RSS Aggregator (e.g., Feedly, Inoreader)
• Twitter (plus Twitter lists)
• Nuzzel
• Reddit
• Podcasts (e.g., CyberWire)
• Newsletter Team (e.g., TC Dragon News Bytes)
• Strategic sources (e.g., Economist, CFR, etc.)
• Weekly Summaries (e.g., This Week in 4n6)
• Threat Intelligence Reports
• ISACs
• Trust Groups (e.g., Slack channels, mailing lists)
• Threat Intelligence vendors
Maintaining Internal Situational Awareness
• Incident ticketing system
• Phishing campaigns
• Signature hits and alerts
• Failed intrusions
• Hunting/red team findings
• Critical vulnerabilities
• Business strategy and updates
• Internal events
Continuous Education
• Self-initiated
• CTFs
• Academic programs
• Certifications
• Online training material
• Conferences
• Books
• Audiobooks
If you are going to read 2 articles…
• A Cyber Threat Intelligence Self-Study Plan: Part 1
• FAQs on Getting Started in Cyber Threat Intelligence
https://medium.com/@likethecoins
Wrapping up
Lifelong learner
Communication skills are critical
Be part of the community
Try different CTI perspectives
Final Thoughts
• Remember the process of the intelligence cycle
• Discussion on the evolving cyber threat landscape: major cybercrime and state sponsored threats
• Diverse skillset of the CTI analyst
Thank you!
Andreas Sfakianakis
@asfakian
threatintel.eu
References for this lecture can be found here:
https://threatintelblog.files.wordpress.com/2021/04/dtu_cti_101_andreas_sfakianakis_references.pdf
