Page 1

Cyber Threat Intelligence: Integrating the Intelligence Cycle

Elias Fox and Michael Norkus, Cyber Threat Intelligence Analysts

January 2017

Page 2

The Global Domain

(Figure: the network domain)


The internet offers global connectivity to all the good things contained therein…and to all the bad things, as well.

Page 3

Situational Awareness

Risk and opportunity management is a core function of every organization. Situational awareness is key to improved business decisions.

Page 4

The Value of Cyber Threat Intelligence


Proper CTI should extend our vision and allow us to take steps that we normally would not.

Page 5

Noblis Definition and Vision

Our vision incorporates network defense data and all-source intelligence to provide a holistic cyber threat picture.


(Figure: elements of the Noblis CTI vision)

Proactively Diminish Threats

Requirements-Driven Methodology

Holistic Cyber Threat Picture

Traditional and Non-Traditional Intelligence Techniques

Tactical, Operational, Strategic

Technical Expertise

Analytic Tradecraft

Timely

Accurate

Page 6

The Three Levels of Threat Intelligence


“tactics are concerned with ‘doing the job right,’ and higher levels of strategy are concerned with ‘doing the right job’.” (Drew and Snow, 2006)

(Figure: timeframe of the three levels)

Tactical: immediate

Operational: short-term trends

Strategic: long-term trends

Page 7

Cyber Threat Intelligence: A Holistic Picture

Tactical: focused on today/tomorrow; feeds and IoCs

Operational: focused on next week/month; adversary TTP

Strategic: focused on years ahead; planning and risk

Reactive

Page 8

(Figure: threats such as Man in the Middle, DDoS, and Social Engineering)

Proactive Defense Measures!

Risk Mitigation: What do we have that they want? How do we protect our data?

Page 9

Requirements and Planning → Collection → Processing and Exploitation → Analysis and Production → Dissemination → Monitoring and Response

Incorporating the Traditional Intelligence Cycle

Incorporating the traditional Intelligence Cycle into analysts' workflow will expand the precision with which we can identify, defend against, and prevent cyber threats.

Page 10

(Figure labels: NETFLOW, Industrial Attacks)

Page 11

Monitoring and Response Integration

Integrating CTI, network operations and security, and business operations enables more effective decisions to balance risk, response, and allocation of resources.

Page 12

Page 13

IdealWorks: Risk Assessment

Page 14

Requirements and Planning → Collection → Processing and Exploitation → Analysis and Production → Dissemination → Monitoring and Response

Incorporating the Traditional Intelligence Cycle

Incorporating the Intelligence Cycle into analysts' workflow allows the company to proactively identify threats and intelligence gaps.

Page 15

(Figure: collection sources and requirements mapped onto the cycle: Leaps in R&D, NETFLOW Traffic, Job Applications, Industrial Attacks, Economic Opportunity, TTP, Market Access Agreements, Military Modernization. The second view of the figure adds the label Gaps.)

Page 16

Incorporating the Traditional Intelligence Cycle (repeat of page 14)

Page 17

Monitoring and Response Integration

A Monitoring and Response framework links the organization's intelligence support with its network operations division, and drives information flow.

Page 18

Cyber Threat Intelligence: A Holistic Picture

Tactical: focused on today/tomorrow; feeds and IoCs

Operational: focused on next week/month; adversary TTP

Strategic: focused on years ahead; planning and risk

Reactive → Proactive
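The slide contrasts tactical intelligence (feeds and IoCs, reactive) with operational intelligence (adversary TTP). The following is an added example, not part of the deck or of Noblis's tooling, that applies both to the same constructed NetFlow-style records: an IoC-feed match catches only the destination the feed already knows, while a simple beaconing check (regular, low-jitter connection intervals to one destination) also surfaces a second destination the feed lacks, which is exactly the kind of intelligence gap the cycle should feed back into requirements and collection. The addresses (RFC 5737 documentation ranges), flow records, feed contents and the thresholds `min_count` and `max_jitter` are all constructed or assumed.

```python
"""Tactical IoC matching vs. operational TTP detection over NetFlow-style records.

Added example (not from the original slide deck). All records, addresses and the
IoC feed are constructed; 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24 are
RFC 5737 documentation ranges.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    ts: int         # flow start, seconds since epoch (constructed)
    src: str        # internal source address
    dst: str        # external destination address
    dport: int
    bytes_out: int


def beacon(src, dst, dport, start, period, jitter, n, size):
    """Generate n flows spaced about 'period' seconds apart; the jitter alternates
    sign so the schedule wobbles without drifting (constructed C2 traffic)."""
    return [Flow(start + i * period + (jitter if i % 2 else -jitter), src, dst, dport, size)
            for i in range(n)]


# Constructed "collection": two beaconing hosts and one irregular but benign client.
FLOWS = (
    beacon("10.0.0.5", "203.0.113.10", 443, 1_700_000_000, 60, 2, 6, 512)
    + beacon("10.0.0.7", "198.51.100.25", 8443, 1_700_000_000, 300, 3, 6, 640)
    + [Flow(1_700_000_000 + t, "10.0.0.9", "192.0.2.80", 443, b)
       for t, b in ((0, 14_000), (17, 9_500), (140, 22_000),
                    (151, 3_000), (600, 48_000), (611, 1_200))]
)

# Constructed tactical feed: only the first C2 address is known.
IOC_FEED = {"203.0.113.10"}


def match_iocs(flows, feed):
    """Tactical: (src, dst) pairs whose destination appears on the IoC feed."""
    return sorted({(f.src, f.dst) for f in flows if f.dst in feed})


def detect_beacons(flows, min_count=5, max_jitter=0.10):
    """Operational: (src, dst, dport) tuples with regular, low-jitter intervals,
    i.e. the beaconing TTP, regardless of whether dst is on any feed.
    Jitter is the population std-dev of inter-flow gaps divided by their mean."""
    by_pair = defaultdict(list)
    for f in flows:
        by_pair[(f.src, f.dst, f.dport)].append(f.ts)
    hits = []
    for key, times in by_pair.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append(key)
    return sorted(hits)


def uncovered_by_feed(flows, feed):
    """Destinations the TTP check flags that the IoC feed does not know: the
    intelligence gap to push back into requirements and collection."""
    return sorted({dst for _, dst, _ in detect_beacons(flows) if dst not in feed})


if __name__ == "__main__":
    print("IoC hits:", match_iocs(FLOWS, IOC_FEED))
    print("Beacons: ", detect_beacons(FLOWS))
    print("Gap:     ", uncovered_by_feed(FLOWS, IOC_FEED))
```

The thresholds are tuning knobs, not findings: on real NetFlow a jitter-based beaconing check also fires on legitimate periodic clients (update checks, monitoring agents), so its output is a lead for an analyst, not a verdict, which is the deck's own point that automation provides only half of the solution.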

Page 19

Benefits of Integrating People and Tools

Page 20

Knowledge, Skills, and Abilities: Integrating People


Just as people and tools are behind these threats, people and tools are required to resolve these threats; automation and machine learning provide only half of the solution.

CND Analyst (Technical Track)

Open Source Analyst (Analytical Track)

Cyber Threat Intelligence Analyst (Foundational Skills)

Page 21

Knowledge, Skills, and Abilities: Integrating People (repeat of page 20)

Page 22

Now remember, Proactive Man says: