Cyber threat intelligence: maturity and metrics
Transcript of Cyber threat intelligence: maturity and metrics
Page 1
Intel 471
Cyber Threat Intelligence: Maturity and Metrics
By Mark Arena, CEO, Intel 471
http://intel471.com
Page 2
Intelligence definition
“… intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions—specifically, decisions about potential threats …”
https://www.fbi.gov/about-us/intelligence/defined
Page 3
Page 4
- I have IOCs!
- Everything is targeted at me and unique to me! Can't share!
- IOCs are not actionable!
- IP blocked!
- Only able to consume tactical intelligence products
Page 5
- I have IOCs with grouping and some context!
- This is China APT - Ugly Panda!
- I mostly copy content from vendor threat intel reports
- Have some pre-determined requirements documented
- It's not relevant unless it hits us!
Page 6
- I have prioritized intelligence requirements
- I produce unique, timely and relevant intelligence products to different internal consumers
- I look at threats to my vertical/sector, not just my org
- My intelligence program is expensive!
Page 7
We see everything!
No one flies
We can jump a lot though
Page 8
Cyber threat intelligence
Two main customer/consumer intelligence product types:
- Executives/decision makers
- Network defenders
- Others (e.g. fraud teams)
Different intelligence products (deliverables) needed
Current market focus?
Page 9
Relevance
Relevance: does this intelligence (collection) satisfy one or more of my intelligence requirements?
If I don't have intelligence requirements (you should), does this impact me or my sector/vertical?
Page 10
Giving tactical intelligence products with IOCs to your C level
Page 11
Page 12
Your intelligence program's maturity is based on your ability to do each part of the intelligence cycle
Page 13
Input into the intelligence cycle
Prioritized business risks
Page 14
Output of the intelligence cycle
Decrease of probability or impact of a business risk occurring
Page 15
Incident Centric Intelligence
Incident (IOCs) → TTPs/Campaign → Actor (Attribution, Motivation/Goal)
Page 16
Actor Centric Intelligence
Actor (Attribution, Motivation/Goal) → TTPs/Campaign → IOCs
Page 17
Planning, Direction, Needs, Requirements
Three requirements lists to build and maintain:
- Production requirements – What will be delivered to the intelligence customer/consumer.
- Intelligence requirements – What we need to collect to meet our production requirements.
- Collection requirements – The observables/data inputs we need to answer our intelligence requirements.
Page 18
Production requirements
• What is needed to be delivered to the intelligence customer (the end consumer of the intelligence).
Intelligence requirements
• What we need to collect to be able to meet our production requirements.
Page 19
Production requirement: What vulnerabilities are being exploited in the world that we can't defend against or detect?
Intelligence requirements:
- What vulnerabilities are currently being exploited in the wild?
- What exploited vulnerabilities can my organization defend?
- What exploited vulnerabilities can my organization detect?
- What vulnerabilities are being researched by cyber threat actors?
Page 20
Intelligence requirements
• What we need to collect to be able to meet our production requirements.
Collection requirements
• The observables/data inputs we need to answer the intelligence requirement.
Page 21
Intelligence requirement: What vulnerabilities are currently being exploited in the wild?
Collection requirements:
- Liaison with other organizations in the same market sector.
- Liaison with other members of the information security industry.
- Open source feeds of malicious URLs, exploit packs, etc. mapped to the vulnerability/vulnerabilities being exploited.
- Online forum monitoring where exploitation of vulnerabilities is discussed/sold/etc.
Page 22
Intelligence requirement: What vulnerabilities are being researched by cyber threat actors?
Collection requirements:
- Online forum monitoring.
- Social network monitoring.
- Blog monitoring.
Page 23
Requirements updates
Update your requirements at least bi-annually
Ad hoc requirements should be a subset of an existing requirement
Page 24
Once you have your collection requirements
Look at what is feasible. Consider risk/cost/time of doing something in-house versus using an external provider.
Task out individual collection requirements internally or to external providers as guidance.
Track internal team/capability and external provider ability to collect against the assigned guidance.
Page 25
Collection
Characteristics of intelligence collection:
- Source of collection, or characterization of source, provided
- Source reliability and information credibility assessed
Some types of intelligence collection:
- Open source intelligence (OSINT)
- Human intelligence (HUMINT)
- Liaison
- Technical collection
Page 26
NATO's admiralty system
Used for evaluating intelligence collection
Reliability of Source:
- A - Completely reliable
- B - Usually reliable
- C - Fairly reliable
- D - Not usually reliable
- E - Unreliable
- F - Reliability cannot be judged
Accuracy of Data:
- 1 - Confirmed by other sources
- 2 - Probably true
- 3 - Possibly true
- 4 - Doubtful
- 5 - Improbable
- 6 - Truth cannot be judged
https://en.wikipedia.org/wiki/Admiralty_code
Page 27
Processing / Exploitation
Is your intelligence collection easily consumable?
- Standards
- Centralized data/information (not 10 portals to use)
- APIs
Language issues?
Threat intelligence platforms (TIPs) can help you here
Page 28
Intelligence analysis
Intelligence style guide: defines format and meanings of specific terms within your intelligence products
Analysts who are able to deal with incomplete information and predict what has likely occurred and what is likely to happen.
Encourage analysts to suggest multiple hypotheses.
Page 29
Not analysis
Dealing with facts only (intelligence analysts aren't newspaper reporters)
Reporting on the past only, no predictive intelligence
Copying and pasting intelligence reports from vendors: you have outsourced your intelligence function
Page 30
Words of estimative probability
Consistency in words used to estimate probability of things occurring or not occurring, i.e.
100% - Certainty
The General Area of Possibility:
- 93% give or take about 6% - Almost certain
- 75% give or take about 12% - Probable
- 50% give or take about 10% - Chances about even
- 30% give or take about 10% - Probably not
- 7% give or take about 5% - Almost certainly not
0% - Impossibility
Google search for: CIA words of estimative probability
Page 31
Dissemination
Intelligence products written with each piece of collection used graded and linked to source.
Intelligence products sent to consumers based on topic and requirements met.
What information gaps do we have?
Page 32
Feedback loop
We need to receive information from our intelligence customers on:
- Timeliness
- Relevance
- What requirements were met?
This will allow identification of which intelligence (collection) sources are supporting your requirements and which aren't
Page 33
Intelligence program KPIs
Quantity – How many intelligence reports produced?
Quality – Feedback from intelligence consumers: timeliness, relevance and requirements met
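As an added illustration, not taken from the slides and not Intel 471's code, the following Python ties together three of the points above: grading each piece of collection with the admiralty code, linking it to the intelligence requirements it answers for the product's sourcing appendix, and turning consumer feedback on "what requirements were met" into the per-source KPI the feedback loop asks for. Source names, requirement IDs (IR-1 and so on) and the sample items are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
RELIABILITY = "ABCDEF"      # admiralty letter: A completely reliable ... F cannot be judged
CREDIBILITY = range(1, 7)   # admiralty digit: 1 confirmed by other sources ... 6 cannot be judged

@dataclass
class CollectionItem:
    source: str               # where it was collected (liaison partner, feed, forum monitoring)
    reliability: str          # property of the source
    credibility: int          # property of this piece of information
    requirements: frozenset   # intelligence requirement IDs it answers (IDs are hypothetical)
    summary: str = ""

    def grade(self) -> str:
        if self.reliability not in RELIABILITY or self.credibility not in CREDIBILITY:
            raise ValueError(f"invalid admiralty grade {self.reliability}{self.credibility}")
        return f"{self.reliability}{self.credibility}"

@dataclass
class Report:
    items: list                                          # collection used in the product
    requirements_met: set = field(default_factory=set)   # filled in from consumer feedback

def sourcing_appendix(report):
    """Dissemination: every piece of collection used, graded and linked to its source."""
    return [f"[{i.grade()}] {i.source}: {i.summary}" for i in report.items]

def weak_items(report, max_credibility=3):
    """Items rated worse than 'possibly true' or from a D-F source; flag them in review
    rather than letting them carry a product's conclusion on their own."""
    return [f"{i.grade()} {i.source}" for i in report.items
            if i.credibility > max_credibility or i.reliability in "DEF"]

def source_support(reports):
    """Feedback-loop KPI: per source, items that answered a requirement the consumer
    confirmed as met versus items that answered no confirmed requirement."""
    stats = defaultdict(lambda: {"supporting": 0, "unsupported": 0})
    for r in reports:
        for i in r.items:
            key = "supporting" if i.requirements & r.requirements_met else "unsupported"
            stats[i.source][key] += 1
    return dict(stats)

# Constructed sample: two products, then the consumer's feedback on requirements met.
feed = CollectionItem("osint-exploit-feed", "B", 2, frozenset({"IR-1"}), "kit now serves a browser bug")
liaison = CollectionItem("sector-liaison", "A", 1, frozenset({"IR-1", "IR-2"}), "peer confirms exploitation")
forum = CollectionItem("forum-monitoring", "C", 4, frozenset({"IR-4"}), "seller claims a working exploit")
r1 = Report([feed, liaison], requirements_met={"IR-1"})
r2 = Report([forum])   # consumer feedback: this product met none of their requirements
```

Run over more reports, `source_support` is the "which sources support my requirements" view the feedback slide describes, and `weak_items` is the review-process check before a product goes out.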
Page 34
Item / Yes/No checklist:
- Regularly (bi-annually) updated requirements list that maps to your prioritized business risks
- Ad hoc requirements meet existing documented intelligence requirements
- Documented production requirements
- Documented intelligence requirements
- Documented collection requirements
- Documented linking of collection requirements to internal teams/capabilities or external providers (guidance)
- Regular assessment of guidance versus output from internal capabilities and external providers (collection management)
Page 35
Item / Yes/No checklist (continued):
- Intelligence collection is easily consumable, i.e. in a TIP
- Intelligence style guide
- Have an intelligence review and editing process
- Intelligence produced includes future predictions and doesn't just report on facts
- Sources used in intelligence products are linked and graded
- Knowledge gaps are identified in intelligence products and pushed back into the requirements part of the intelligence cycle
- Feedback is received from intelligence consumer/customer
Page 36
Item / Yes/No checklist (continued):
- KPIs are generated for the intelligence program
- KPIs are generated for each part of the intelligence cycle, including for internal and external sources of intelligence collection
- Have an intelligence (collection) management function that handles requirements to assigned guidance
Page 37
Questions