Security Strategy and Tactic with Cyber Threat Intelligence (CTI)
History (last 30 years)
• Golden Age after the fall of the Iron Curtain (1989)
• Expansion Policy 1986 - 2011
DoS & DDoS
• Ukrainian Members of Parliament have had their mobile phones disabled due to IP-based attacks
• Multiple Distributed Denial of Service attacks by Ukrainian hackers are directed at the Central Bank of Russia
• DDoS attacks against governmental infrastructure
Logical attacks on ATMs in this area
• Logical attacks on ATMs are on the rise in Russia and Ukraine
http://krebsonsecurity.com/wp-content/uploads/2014/10/ncrmalware.png/
Cyber arms race has started
• A lot of cybersecurity knowledge is created in this region
http://www.tripwire.com/state-of-security/government/32-people-charged-for-one-of-the-largest-computer-hacking-and-securities-fraud-schemes-in-history/
Security start-up companies
• International providers of CTI services create branches in this region to make use of the talents with professional skills
• New attack methods + new threat actors
• Implementation of new controls (people, process, technology)
• Bolster protection, detection, and response capabilities
Cyber Threat Intelligence in action - example POS (*)
Timeline 2014 - 2016: Early warning, Preparation, Inflection Point

CTI provider warnings
• April 1, 2014 (Intel-134332): …Mexican actors modify POS terminals installed in La Paz stores…
• November 11, 2014 (Intel-1344337): …French actors arrested for possession of skimming equipment…
• November 25, 2014 (Intel-1495303): …Actors selling skimming software targeting POS malware…
• April 22, 2015 (Intel-1549023): …Actor advertising POS terminal manipulation software…
• July 30, 2015 (Intel-1575086): …Observed increases in POS malware use in Australia…
• January 4, 2016 (Intel-1712383): …CTI provider suggests actors turning to POS malware over skimmers because it can increase profitability and security…
• May 30, 2016 (Intel-127504): …POS malware with RAM scraping functionality advertised in underground markets…
• June 15, 2016 (Intel-1877630)

Bank actions
• Communicate "over the horizon" threats with business, BoD and business executives
• Continued monitoring of new cyber crime threat tactics
• Assess existing controls vs. new POS-related Tactics, Techniques & Procedures (TTPs)
• Build plan, develop budget
• Make budget request to match new threat reality
• Attack hits the Bank
• Security starts mitigating

Time to react improves with CTI

*) Real examples but date/threat actor names/locations have been changed
Black Energy attack – timeline
• Still investigating / low chance of finding
• 2007 for BE-1, 2012 for BE-2, 2014 for BE-3
• April 2015; October 24-25: Media; December 2015: Energy
https://socprime.com/en/blog/dismantling-blackenergy-part-3-all-aboard/
Subtypes of Cyber Threat Intelligence: Strategic
• Deliverables: High level reports on changing risk
• Why we need it: Understand tendencies and new threats
• Targeted at: Management / decision makers (CEO, COO, CRO, CSO, CISO, CIO, CFO, etc.)
Strategic
• Quality of strategic CTI reports: look at example reports and check if they add value to update your security strategy and to optimize your security budget planning and prioritization
• Can the CTI provider customize the report to your business needs?
• Are there strategic CTI reports on special security topics (e.g. ATM or POS)?
• What preparation time does the analyst need?
• What is the quality of the analyst access? Can he speak financial language?
Subtypes of Cyber Threat Intelligence: Tactical
• Deliverables: Attacker methodologies, tools, tactics, techniques and procedures (TTPs); malware analysis; incident reports
• Why we need it: React to the exact threat
• Targeted at: COO, CSO, CISO, architects, sysadmins
Tactical
• What are the criteria to determine the cyber threat level?
• Can the provider map his criticality classes to your classification?
• During the POC: could the historical data have warned of breaches of customer data or internal documents?
• How is the information processed and analyzed? Is it really intelligence that you get?
[Diagram: CTI process cycle. Inputs: detection data, public source data, commercial data. Stages: operational environment, data, information, intelligence, collection, quality assurance, dissemination, action, feedback. Qualities of the product: leadership focused, usable/actionable, credible, clear, concise, complete, relevant, timely, accurate. Checks: sources validated for credibility and relevance, alternatives considered, gaps understood, accurate target group, stakeholder value, collaboration.]
Subtypes of Cyber Threat Intelligence: Operational
• Deliverables: Actionable information on specific incoming attacks from news sources, social media, chat rooms, business contacts, official sources, data breach notifications
• Why we need it: Adapt risk analysis; react to the exact threat
• Targeted at: Security officers, security architects
Operational
• Can you easily change the CTI provider?
• Does the CTI provider support secure M2M communication for sensitive information exchange (both directions)?
• Can you integrate the information exchange in your Security Management System?
[Diagram: CTI Provider A, CTI Provider B, CTI Provider C]
Subtypes of Cyber Threat Intelligence: Technical
• Deliverables: Attacker methodologies, tools, tactics, techniques and procedures (TTPs); malware analysis; incident reports
• Why we need it: React to the exact threat
• Targeted at: CISO, architects, sysadmins
Technical
• What is the quality of the information provided? Data feeds (e.g. IOCs): are important fields in standard formats missing, or is the information in the wrong field? Is the information outdated or already publicly known?
• Is your SIEM system capable of consuming the CTI data coming from the CTI provider?
• Is there a possibility for information enrichment?
• Is there content-based image recognition to protect the company's brands?
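The feed-quality questions above (missing fields, data in the wrong field, outdated or already public indicators) can be turned into an automated gate that runs before a feed is loaded into the SIEM. The following is an added example and not code from the presentation or from any CTI provider; the feed records, the field names, the 180-day staleness limit and the "publicly known" set are all constructed for illustration, and a real deployment would substitute the provider's actual schema and a lookup against open-source feeds.

```python
"""Quality gate for an IOC feed before it is loaded into a SIEM (added example)."""
from datetime import datetime, timedelta, timezone
import ipaddress
import re

# Fields every record must carry for the SIEM mapping to work (constructed schema).
REQUIRED_FIELDS = ("type", "value", "first_seen", "confidence")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")

# Constructed sample feed in the style of a commercial IOC feed; all values are made up
# and use documentation ranges (RFC 5737 addresses, the .example TLD).
SAMPLE_FEED = [
    {"type": "ipv4-addr", "value": "203.0.113.45", "first_seen": "2016-06-10T08:00:00Z", "confidence": 80},
    {"type": "domain-name", "value": "198.51.100.7", "first_seen": "2016-06-12T09:30:00Z", "confidence": 70},  # IP in domain field
    {"type": "file-sha256", "value": "a" * 64, "first_seen": "2015-01-02T00:00:00Z", "confidence": 90},     # stale
    {"type": "domain-name", "value": "pos-update.example", "first_seen": "", "confidence": 60},             # missing timestamp
    {"type": "ipv4-addr", "value": "192.0.2.10", "first_seen": "2016-06-14T10:00:00Z", "confidence": 85},   # already public
]

# Constructed stand-in for indicators already circulating in public sources.
PUBLICLY_KNOWN = {"192.0.2.10"}
# Constructed "current time" so the staleness check is deterministic.
NOW = datetime(2016, 6, 15, tzinfo=timezone.utc)


def _is_ipv4(value):
    try:
        ipaddress.IPv4Address(value)
        return True
    except ValueError:
        return False


def value_matches_type(ioc_type, value):
    """True when the value has the shape that the declared indicator type implies."""
    if ioc_type == "ipv4-addr":
        return _is_ipv4(value)
    if ioc_type == "domain-name":
        # An IP literal in a domain field is the classic "information in the wrong field" case.
        return bool(DOMAIN_RE.match(value.lower())) and not _is_ipv4(value)
    if ioc_type == "file-sha256":
        return bool(SHA256_RE.match(value.lower()))
    return False  # unknown type: the SIEM mapping has nowhere to put it


def check_record(rec, now=NOW, public_set=PUBLICLY_KNOWN, max_age_days=180):
    """Return a list of findings for one record; an empty list means the record passes."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if rec.get(f) in (None, "")]
    if missing:
        findings.append("missing:" + ",".join(missing))
    ioc_type, value = rec.get("type", ""), rec.get("value", "")
    if ioc_type and value and not value_matches_type(ioc_type, value):
        findings.append("wrong_field")
    if rec.get("first_seen"):
        seen = datetime.strptime(rec["first_seen"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if now - seen > timedelta(days=max_age_days):
            findings.append("outdated")
    if value in public_set:
        findings.append("already_public")
    return findings


def check_feed(feed, now=NOW, public_set=PUBLICLY_KNOWN, max_age_days=180):
    """Split a feed into accepted indicator values and a map of rejected value -> findings."""
    accepted, rejected = [], {}
    for rec in feed:
        findings = check_record(rec, now, public_set, max_age_days)
        if findings:
            rejected[rec.get("value", "<no value>")] = findings
        else:
            accepted.append(rec["value"])
    return accepted, rejected


def run_sample():
    """Run the gate over the constructed feed; used as the entry point below."""
    return check_feed(SAMPLE_FEED)


if __name__ == "__main__":
    accepted, rejected = run_sample()
    print("accepted:", accepted)
    for value, findings in rejected.items():
        print("rejected:", value, findings)
```

The share of rejected records per delivery is itself a useful metric when comparing providers during a POC: a feed that is mostly stale or already public adds little beyond what open sources provide.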
Project Outcome: Creation of a CTI Competence Center
CTI Competence Center in our Ukraine bank for RBI Group
• Improve maturity level in CTI in the group
• Maintain awareness of RBI NWUs about new and sophisticated targeted attacks and threats
• Support RBI NWUs in integrating CTI feeds into security systems (IOC Hub)
• Central overview of Cyber Threat Intelligence in the RBI Group
• Develop and establish CTI service governance process
CTI seen from the C-suite
1. Protect the company brands
2. Prioritize real threats relevant to the enterprise
3. Influence right budgeting and staffing
4. Prevent and predict evolving cyber threats
5. Effective cyber risk communications with top executives and board members by Security
6. Better focus for the CISO (more time to tackle the problems from a strategic and not from a reactive perspective)
Security Maturity Model
Ad Hoc → Opportunistic → Repeatable → Managed → Optimized
Predictions & prioritizations enabled by CTI