Building Successful Threat Intelligence Programs

Transcript of the 32-slide deck.

Page 1

Threat Intelligence-Driven Security

Building Successful Threat Intelligence Programs

Allan Thomson, LookingGlass CTO, June 2017

Page 2

© 2017 LookingGlass™. All Rights Reserved.

Intelligence-Driven Security

“Threat Intelligence” – evidence-based knowledge – including context, mechanisms, indicators, implications and actionable advice – about an existing or emerging menace or hazard to IT or information assets. It can be used to inform decisions regarding the subject’s response to that menace or hazard. [1]

“Threat Mitigation” – the elimination or reduction of the frequency, magnitude, or severity of exposure to risks, or minimization of the potential impact of a threat or warning. [2]

“Risk” – the possibility that something bad or unpleasant (such as an injury or a loss) will happen. [3]

(Diagram arrows: threat intelligence informs threat mitigation; threat mitigation reduces risk.)

[1] Market Guide for Security Threat Intelligence Services – Gartner – 14 October 2014
[2] http://security.stackexchange.com/questions/tagged/threat-mitigation
[3] Webster's Dictionary

Page 3

The Threat Landscape…

Threat Sophistication (in increasing order)*:

- Technical (not people)
- People who are not good at computers
- People who are good at computers
- People who are good at computers, organized & experienced
- People who are good at computers, organized, experienced & kinetic

* Courtesy - Google Keynote Presentation FIRST 2017

Which threat level do you face?

Page 4

Intelligence Lifecycle

- Define Needs With Organization
- Configure Collection Management System
- Review and Fine Tune System Tasking
- Sort, Filter, Vet & Prioritize Data
- Analyze Relevant Data
- Draft and Deliver Intelligence Product to Organization
- Discuss Impact, Manage Follow Up Actions
- Assess changes to requirements (the cycle then repeats from defining needs)

Page 5

Intelligence Efforts Focus

• Identify intelligence efforts that protect the following
  - Priority #1: Self
  - Priority #2: Third Party & Supply Chain
  - Priority #3: Indirectly Connected

(Diagram labels: Indirectly Connected, Third Party & Supply Chain, Self)

Page 6

Use Case

The Need For Cyber Assessment…

“An NSA Cyber Weapon Might Be Behind A Massive Global Ransomware Outbreak”
https://www.forbes.com/sites/thomasbrewster/2017/05/12/nsa-exploit-used-by-wannacry-ransomware-in-global-explosion/#445543fde599

“Verizon’s Data Breach Fighter Gets Hit With, Well, a Data Breach”
http://fortune.com/2016/03/24/verizon-enterprise-data-breach/

“Hackers Threaten to Release 30GB of Stolen Data From San Francisco’s Municipal Railway”
http://fortune.com/2016/11/28/muni-hack-san-francisco/

Page 7

Threat Intelligence Program Framework

7 Parts

- Requirements – What you need
- Roles – Who you need
- Team – How they’re organized
- Process – How the program works
- Systems – What the program uses
- Metrics & Reporting – How it’s measured
- Connections – What & How it delivers

Page 8

Intelligence Program Part 1: Requirements

(Framework diagram, repeated on each of the following slides: Requirements, Roles, Team, Process, Systems, Metrics & Reporting, Connections)

Page 9

Intelligence Program Part 1 Continued

Phishing Examples (data sources feeding a Phishing Sites Detection System, whose output is confirmed phish):
- Honeypots, spam email, and links
- Customer Abuse Box Feed/Monitoring
- Phone/SMS messages
- Org Web Logs
- Domain Name Registrations and “Go Live” Alerts

Brand Protection Examples:
- Copyrighted Image Search
- Logos and Visual Marks
- Impostor Social Media Accounts
- Claimed Relationships

Takedown Services Examples:
- Phone
- Email
- Imposters
- Confidential Files
- Phishing
- Malware

Page 10

Use Case

Cyber Assessment: Requirements

• Provide security executives with an assessment of either Self or Third Party & Supply Chain systems and assets
• Build program to continuously assess and report
• Areas to consider
  ▪ Network Footprint
  ▪ System Compromises & Infections
  ▪ Account Compromises
  ▪ External Facing Vulnerabilities
  ▪ Domain & Spear-Phishing Risk
  ▪ Intelligence Indications & Warnings

Page 11

Intelligence Program Part 2: Roles

• Tip: Focused On Specific Deliverables
• Program
  - Planning
  - Architecture
  - Strategy
• Security Subject Matter Experts (SME)
  - Cyber Analysts
  - Social Analysts
  - Phishing Analysts
  - Malware / Forensic Specialists
  - Incident Response Specialists
  - Brand Protection Analysts
  - Rogue Applications
  - Third Party Risk Analysts
  - Physical Security Analysts
  - Language & Translation Specialists
• Network System SMEs
  - Network Security Operations
  - Network Integration Specialists
• Systems Development SMEs
  - Software developers
  - Data processing
  - Data analytics
  - Data visualization

Page 12

Use Case

Cyber Assessment: Roles

• Roles required
  - Planning
  - Architect
  - Manager
  - Cyber Analyst
  - Social Analyst
  - Third Party Risk Analyst
  - Software developers covering
    ▪ Data processing
    ▪ Data analytics
    ▪ Data visualization

Page 13

Intelligence Program Part 3: Team

• Tip: Consider Tiered Structure
  - Support 24x7 Operations
• Structure
  - Manager
  - Tier 1 Cyber Threat Analysts (junior)
  - Tier 2 Cyber Threat Analysts (senior)
• Typical Work Schedule
  - 12 hour shifts, 4 on / 4 off, with relief support
• Tiered Structure Essential
  - Tier 1 Example: 24 full-time Cyber Analysts
  - Tier 2 Example: One full-time Senior Cyber Threat Analyst and Three full-time Cyber Threat Analysts
• Backup/Resiliency
  - Have permanent remote team members as geographic backup and resiliency support

Page 14

Use Case

Cyber Assessment: Team

• Structure
  - Manager
  - Cyber/Social/Third Party Analysts
  - Software Development
• Work schedule
  - On demand
  - 9-to-5

Page 15

Intelligence Program Part 4: Process

• Tips:
  - Functional Area Specific
  - Keep It Current
  - Invest in Technology Improvements

Page 16

Intelligence Program Part 4: High Level Process

24x7 Real-Time Intelligence Processing

Ingest (data sources): Third Party Data, Local Org Data, Global Actor Data, Industry Data, Local Telemetry, Global Cyber Data

Tier 1: Rapid Alerting
- Feed Vetting/Noise Reduction
- Data Tagging
- Review Criteria Relevancy
- Additional Capture (e.g. Screenshots)
- Alert: average alert 1 to 3 min after collection

Escalation to Tier 2: Contextual Alerting
- Data Verification
- Adding Context – 5Ws
- Additional Tagging for Data Lake/Threat Landscape
- Quality Review
- Hotline: response 10 to 30 min after collection

Feedback loops into the pipeline: Relevancy Feedback, Quality Feedback

Output: Organization Threat Response & Reporting (SMTP, SMS, VOIP, …)
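To make the Tier 1 / Tier 2 split on this slide concrete, here is an added Python sketch of the pipeline; it is illustrative code written for this transcript, not LookingGlass software. The org asset list (RFC 5737 documentation addresses and `.example` domains), the noise allowlist and the feed records are constructed, and the 30-minute hotline window is taken from the slide and applied as a simple check.

```python
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed "Local Org Data": the assets that make a record relevant to Self.
ORG_DOMAINS = {"acme.example", "acmegrp.example"}
ORG_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
ORG_BRANDS = {"acme"}
NOISE = {"example.com", "192.0.2.1"}  # constructed vetting allowlist of known-benign infrastructure

@dataclass
class Record:
    source: str                   # feed the record came from (third party, telemetry, ...)
    indicator: str                # a domain or an IP address
    collected: datetime           # collection time, for the latency targets on the slide
    tags: dict = field(default_factory=dict)     # rule -> matched asset or label
    context: dict = field(default_factory=dict)  # the 5Ws, filled in by Tier 2

def tag_relevancy(rec):
    """Data tagging and relevancy review against the org's own assets."""
    host = rec.indicator.lower().rstrip(".")
    try:
        ip = ipaddress.ip_address(host)
        rec.tags.update({"self:network": str(n) for n in ORG_NETWORKS if ip in n})
    except ValueError:                        # not an IP, so treat it as a domain name
        rec.tags.update({"self:domain": d for d in ORG_DOMAINS
                         if host == d or host.endswith("." + d)})
        label = host.split(".")[0]
        if not rec.tags and any(b in label for b in ORG_BRANDS):
            rec.tags["brand:lookalike"] = label
    return rec.tags

def tier1(records, seen):
    """Tier 1 rapid alerting: feed vetting, noise reduction, tagging, then alert."""
    alerts = []
    for rec in records:
        if rec.indicator in NOISE or rec.indicator in seen:
            continue                          # dropped as noise or as a repeat
        seen.add(rec.indicator)
        if tag_relevancy(rec):                # only records meeting relevancy criteria alert
            alerts.append(rec)
    return alerts

def tier2(alerts, now):
    """Tier 2 contextual alerting: add the 5Ws, escalate own-asset hits to the hotline."""
    for rec in alerts:
        rec.context = {
            "who": rec.source, "what": rec.indicator, "when": rec.collected.isoformat(),
            "where": "; ".join(f"{k}={v}" for k, v in sorted(rec.tags.items())),
            "why": ("touches own assets" if any(k.startswith("self:") for k in rec.tags)
                    else "brand lookalike"),
            # Slide target: hotline response 10 to 30 min after collection.
            "within_hotline_sla": now - rec.collected <= timedelta(minutes=30),
        }
    return [rec for rec in alerts if rec.context["why"] == "touches own assets"]

def run_demo():
    """Constructed feed records; returns (Tier 1 alerts, Tier 2 hotline escalations)."""
    t0 = datetime(2017, 6, 1, 12, 0, tzinfo=timezone.utc)
    feed = [
        Record("third_party_feed", "203.0.113.77", t0),         # inside own network range
        Record("global_cyber_data", "example.com", t0),         # vetted out as noise
        Record("industry_data", "acme-login.example", t0),      # brand lookalike, monitor only
        Record("local_telemetry", "mail.acmegrp.example", t0),  # own subdomain
        Record("third_party_feed", "203.0.113.77", t0 + timedelta(minutes=1)),  # repeat
        Record("global_actor_data", "198.51.100.9", t0),        # not relevant to Self
    ]
    alerts = tier1(feed, seen=set())
    return alerts, tier2(alerts, now=t0 + timedelta(minutes=12))
```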

Page 17

Intelligence Program Part 4: Phishing Detection Specific Workflow

Workflow, reconstructed from the flowchart labels (lanes: System, SOC Manager, SOC Analyst, Analyst, Manager):
- Start
- Assign Ownership
- Site Review
- Action Needed? If Yes: Determine Action Type Required, Create Action, Initiate Action
- Update Status
- Close Incident
- End

Status Options:
- Not Reviewed
- Under Review
- Call - Waiting for Response
- Email - Waiting for Response
- C&D - Waiting for Response
- No action needed
- Monitor
- Closed

Incident Target Issues:
- Claimed Relationship
- Domain Name Violation
- Image Use
- Multi-Issue
- Objectionable Content
- Traffic Diversion
- Threat

Page 18

Use Case

Cyber Assessment: Process

• Gather
  - Domains & Systems
  - User Accounts
  - Applications
• Assess
  - Network Footprint
  - System Compromises & Infections
  - Account Compromises
  - External Facing Vulnerabilities
  - Domain & Spear-Phishing Risk
  - Intelligence Indications & Warnings
• Report

Page 19

Intelligence Program Part 5: Systems

• Tips
  - Identify system based on functional requirements
  - Best-in-class focus
• Systems to support process include
  - Threat Intelligence Platform
  - Response Management
  - Cyber Intel Workflow
  - Phishing Workflow
  - Social Media Intel Workflow
  - Help Desk
  - Time Management

Page 20

Use Case

Intelligence Program Part 5: Systems

• Custom Web Application for Analysts
  - Enter profile data
  - Monitor and review status of automated pipeline
  - Connects set of collection systems
• Systems Used
  - Vulnerability Scanner
  - Both Open Source and Commercial Network Footprinting
  - Domain Analysis
  - Dark and Surface Web Crawlers
  - Database and Spreadsheets
  - Threat Intelligence Platform (and aggregated MRTI)
  - Internet Intelligence

Page 21

Use Case

Intelligence Program Part 5: System Process

(Diagram: the pipeline’s data flows for an example organization, “Acme Group”, across five sources: Infection Records, Compromises, Network Intelligence, Open Source, Vulnerability Scan. The diagram lists the organization’s domain labels, e.g. acme, acmegrp, access.acme, and masked IP addresses, e.g. x.x.x.xx.)

Page 22

Intelligence Program Part 6: Metrics & Reporting

• Tips:
  - Who are reports for
  - Expected outcomes of reports
• Including
  - Daily/Weekly Metrics Reporting
  - Threshold Alerting
  - Event Notifications
  - Visual and Electronic Event Triggers
  - Workflow/Time analysis

Page 23

Intelligence Program Part 6: Metrics & Reporting

• Reports
  - Specific
  - Segmented
  - Actionable
  - Business Relevant

Sample report shown on the slide:

Brand Abuse Detection Report

Good Afternoon,

This is the Brand Abuse Detection Report for the week of [Date]. Cyveillance has identified seven incidents that infringe on the [Brand Name] Brand. A list of these infringements consist of:

- One Domain Violation
- Two Impersonation Pages
- One Claimed Relationship
- Three Logo Violations

The data we collected for the week is reflected in the charts below:

(Charts: Threat Types; Incidents By Source)

Imposter Social Media Accounts

A quick summary of how the page is impersonating your brand will go here.

A quick summary of how the page is impersonating your brand will go here.

Domain Name Registration Monitoring

Newly registered domains of interest:
- cyveillance.ooo (whois)
- cyveillance.io (whois)
- cyveillance.finance (whois)

The top TLD('s) registered using the [brand] name for this week are:
- .ooo
- .finance
- .io

New gTLD Launch Updates:
- .men (begins July 9)

Sunrise ending this week
- .site (ends July 6)

Limited Registration II starting this week
- .taipei (begins July 7)

General Availability starting this week
- .love (begins July 7)
- .cafe (begins July 8)*
- .express (begins July 8)*
- .news (begins July 8)
- .site (begins July 8)

Please note that * indicates the DONUTS DPML applies.

Weekly Trends

The American Federation of Government Employees filed a class-action lawsuit against the Office of Personnel Management and KeyPoint Government Solutions over the failure to protect against the major cybersecurity breach. (Washington Examiner)

The city council in Sao Paulo, South America’s largest metropolis, voted to ban Uber’s ride-sharing service, marking the latest setback for the company. (Reuters)

In a move designed to create competition against YouTube, Facebook will begin sharing ad revenue with video creators. (Re/code)

To receive our full Weekly Trends email please send email addresses for interested members of your organization to Camille Stewart.

Please feel free to contact Camille Stewart ([email protected]) with any questions or concerns.

Regards,

Cyveillance Security Operations Center (CSOC)
Cyveillance, Inc. (a QinetiQ company)
http://cyveillance.com/
+1 (866) 553-0646 Toll Free U.S.
+1 (703) 351-2400 Direct Intl.
+1 (703) 560-2793 Fax
[email protected]

Keep up with top security news and trends with the Cyveillance blog, or by following us on Twitter

The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination or other use of, or taking of any action in reliance upon this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer.

Copyright © Cyveillance 2014 - www.cyveillance.com

These findings are based on items identified in the open source internet and do not constitute actual evidence. The conclusion of fact is only made when intelligence becomes evidence by vetting and authentication. Intelligence findings do not equate to facts, actus reus (guilty acts) or mens rea (intent/knowledge) of the Subject/Person(s) in question.
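The Domain Name Registration Monitoring section of the sample report (and the “Go Live” alerts listed under Part 1) is the kind of check a program automates; the following Python is an added example written for this transcript, not Cyveillance or LookingGlass code. The registration list is constructed, the brand name is taken from the sample report, and the homoglyph table and the single-label TLD assumption are simplifications flagged in the comments.

```python
from collections import Counter

# Constructed sample: one week of newly registered domains as a "Go Live" feed would deliver them.
NEW_REGISTRATIONS = [
    "cyveillance.ooo", "cyveillance.io", "cyveillance.finance",  # exact brand, new TLDs
    "cyvei11ance.net",                                           # digit-for-letter lookalike
    "cyveillance-login.site", "mycyveillance.news",              # brand embedded in a longer label
    "secure-cyveiliance.ooo",                                    # one-character typo lookalike
    "weather.io", "finance.express",                             # unrelated registrations
]
# Assumed table of common digit/symbol substitutions, folded back to letters before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "@": "a", "|": "l"})

def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain, brand):
    """Return (match_type, tld) when the registrable label uses the brand, else None.
    Assumes a single-label TLD; multi-label suffixes such as co.uk are out of scope here."""
    host = domain.lower().strip(".")
    rest, _, tld = host.rpartition(".")
    label = rest.split(".")[-1]               # the registrable label in front of the TLD
    if label == brand:
        return "exact", tld
    if brand in label:
        return "contains", tld
    for part in label.translate(HOMOGLYPHS).split("-"):
        if levenshtein(part, brand) <= 1:     # one substitution/insertion/deletion away
            return "lookalike", tld
    return None

def monitor(registrations, brand):
    """Inputs for the weekly report: flagged domains and the top TLDs registered using the brand."""
    flagged = {}
    for domain in registrations:
        hit = classify(domain, brand)
        if hit is not None:
            flagged[domain] = hit
    tld_counts = Counter(tld for _, tld in flagged.values())
    return flagged, tld_counts.most_common()
```

Each flagged domain still needs the analyst review and whois step the report describes; the match type only orders the queue.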

Page 24

Use Case

Intelligence Program Part 6: Report/System & Account Compromises

• Analysis & Summary on
  - Total Records Analyzed
  - Recent Breaches Listing
  - Unique Users Covered
  - Malware Infections Found
  - High-Recurrence Users
  - Reputation Risks
  - Executive Credentials

Page 25

Use Case

Intelligence Program Part 6: Report/Vulnerabilities

• Listing sites analyzed
• Assessment of active vulnerabilities found
• Number of instances

Page 26

Use Case

Intelligence Program Part 6: Report/Domain & Spear-Phishing Risk

• Company owned domains
• High risk domains

Page 27

Use Case

Intelligence Program Part 6: Report/Intelligence & Warnings

• Aggregated view of threat intelligence reports
• Context and background to support analysis
• Analysis and prioritization
• Recommendations on critical intelligence to act on

Page 28

Use Case

Intelligence Program Part 6: Report/Exec Summary

• Provide to security professionals…
• Insight into application vulnerabilities
• Information on potential leaks, theft of sensitive data
• Identify holes in internal security posture to ensure compliance
• Identify latest data breaches and compromised user accounts
• Reduce risk of high impact exploits such as ransomware, website defacements or malicious injection

Page 29

Intelligence Program Part 7: Connections

• Tip: Empower rapid response to incidents and maintain goodwill
• Internal Systems and Groups
  - SecOps/NetOps
  - IT, Compliance, Third Party Risk
• Supply Chain
  - Infosec/SecOps
• Industry Connections
  - Data Feeds (Open, Commercial)
  - Technology Learnings
  - Trusted Sharing
• Law Enforcement Connections

Page 30

Use Case

Intelligence Program Part 7: Connections

• Final report influences and updates connected teams
  - Systems Patched → Vulnerability Mgmt Teams
  - Policy & Password Changes → IT Team
  - Supply Chain Updates, Policy and Enforcement → Third Party Risk Team
  - Security Rules Update → NetOps & SecOps Teams

Page 31

Recommendations

• Define: Define program across Requirements, Team, Roles, Process, Systems, Metrics & Reporting, Connections
• Justify: Justify Threat Intelligence Program to reduce business risk
• Focus: Focus intelligence on Self, Third Party, Indirect
• Protect: Protect business leveraging threat intelligence

Page 32

Questions?

www.lookingglasscyber.com

@LG_Cyber @LookingGlassCyber /company/LookingGlass /+LookingGlassCyber