Security Strategy and Tactic with Cyber Threat Intelligence (CTI)


Transcript of Security Strategy and Tactic with Cyber Threat Intelligence (CTI)

Reinhold Wochner, MSc., MBA, Raiffeisen Bank International

Cyber Threat Intelligence

Who are we?

No Kangaroo

Austria

Risk Map 2016

https://riskmap.controlrisks.com

Implications

Timeline: Maydan, Nov. 2013; Crimea, Feb. 2014; Donbass, March 2014

Implications to the Cyber World

Cyber Implications

Timeline: Maydan, Nov. 2013; Crimea, Feb. 2014; Donbass, March 2014; Ivano-Frankivsk, Dec. 2015 (23 December 2015)

Cyberattacks

• Attacks against the Ukrainian ICS (industrial control system) networks
• Attack in Ukraine started to spread to other sectors
• Hijacking of CCTV
• Takeover of electronic billboards

DoS & DDoS

• Ukrainian Members of Parliament have had their mobile phones disabled due to IP-based attacks
• Multiple Distributed Denial of Service attacks by Ukrainian hackers are directed at the Central Bank of Russia
• DDoS attacks against governmental infrastructure

Logical attacks on ATMs in this area

• Logical attacks on ATMs are on the rise in Russia and Ukraine

http://krebsonsecurity.com/wp-content/uploads/2014/10/ncrmalware.png/

Cyber arms race has started

A lot of Cybersecurity knowledge is created in this region

http://www.tripwire.com/state-of-security/government/32-people-charged-for-one-of-the-largest-computer-hacking-and-securities-fraud-schemes-in-history/

+ Security start-up companies
+ International providers of CTI services create branches in this region to make use of the talents with professional skills
- New attack methods
- New threat actors

How can Cyber Threat Intelligence help your company?

• Implementation of new controls (people, process, technology)
• Bolster protection, detection, and response capabilities

Cyber Threat Intelligence in action - example POS

Timeline 2014-2016 (*)

CTI provider warnings (early warning):

• April 1, 2014 (Intel-134332): “…Mexican actors modify POS terminals, installed in La Paz stores…”
• November 11, 2014 (Intel-1344337): “…French actors arrested for possession of skimming equipment…”
• November 25, 2014 (Intel-1495303): “…Actors selling skimming software targeting POS malware…”
• April 22, 2015 (Intel-1549023): “…Actor advertising POS terminal manipulation software…”
• July 30, 2015 (Intel-1575086): “…Observed increases in POS malware use in Australia…”
• January 4, 2016 (Intel-1712383): “…CTI provider suggests actors turning to POS malware over skimmers because it can increase profitability and security…”
• May 30, 2016 (Intel-127504): “…POS malware with RAM scraping functionality advertised in underground markets…”
• June 15, 2016 (Intel-1877630)

Bank actions (preparation):

• Communicate “over the horizon” threats with business BoD & business executives
• Continued monitoring of new cyber crime threat tactics
• Assess existing controls vs. new POS related Tactics, Techniques & Procedures (TTPs)
• Build plan, develop budget
• Make budget request to match new threat reality

Inflection point:

• Attack hits the Bank
• Security starts mitigating

Phases: Early warning -> Preparation -> Inflection Point

Time to react improves with CTI

*) Real examples but date/threat actor names/locations have been changed


Black Energy attack – time line

Still investigating / low chance of finding

2007 for BE-1, 2012 for BE-2, 2014 for BE-3
April 2015
October 24-25: Media
December 2015: Energy

https://socprime.com/en/blog/dismantling-blackenergy-part-3-all-aboard/

General CTI goals – Improve detection gap! Have we been breached?

General CTI goals – Improve response gap! How bad is it?

General CTI goals – Improve prevention gap! Can we avoid this from happening again?

Subtypes of Cyber Threat Intelligence

Strategic

Deliverables: High level reports on changing risk
Why we need it: Understand tendencies and new threats
Targeted at: Management decision makers (CEO, COO, CRO, CSO, CISO, CIO, CFO, etc.)

Quality of strategic CTI reports: look at example reports and check if they add value to update your security strategy and to optimize your security budget planning and prioritization.

• Can the CTI provider customize the report to your business needs?
• Are there strategic CTI reports on special security topics (e.g. ATM or POS)?
• What preparation time does the analyst need?
• What is the quality of the analyst access? Can he speak financial language?

Subtypes of Cyber Threat Intelligence

Tactical

Deliverables: Attacker methodologies, tools, tactics, techniques and procedures (TTPs); malware analysis; incident reports
Why we need it: React to the exact threat
Targeted at: COO, CSO, CISO, architects, sysadmins

Tactical: Check the quality of tactical reports!

• What are the criteria to determine the cyber threat level?
• Can the provider map his criticality classes to your classification?
• During the POC: could the historical data have warned of breaches of customer data or internal documents?
• How is the information processed and analyzed? Is it really intelligence that you get?

(Intelligence cycle diagram: Operational environment -> Data (detection data, public source data, commercial data) -> Information -> Intelligence -> Action / Dissemination -> Stakeholder value, with Feedback and Collaboration throughout. Process criteria: Collection, Quality assurance, Sources validated for credibility and relevance, Alternatives considered, Gaps understood, Accurate target group. Product criteria: Leadership focused, Usable/Actionable, Credible, Clear, Concise, Complete, Relevant, Timely, Accurate.)

Subtypes of Cyber Threat Intelligence

Operational

Deliverables: Actionable information on a specific incoming attack from news sources, social media, chat rooms, business contacts, official sources, data breach notifications
Why we need it: Adapt risk analysis; react to the exact threat
Targeted at: Security officers, security architects

Operational

• Can you easily change the CTI provider?
• Does the CTI provider support secure M2M communication for sensitive information exchange (both directions)?
• Can you integrate the information exchange in your Security Management System?

(Diagram: CTI Provider A, CTI Provider B, CTI Provider C)

Subtypes of Cyber Threat Intelligence

Technical

Deliverables: Attacker methodologies, tools, tactics, techniques and procedures (TTPs); malware analysis; incident reports
Why we need it: React to the exact threat
Targeted at: CISO, architects, sysadmins

Technical

• What is the quality of the information provided? Data feeds (e.g. IOCs): are important fields in standard formats missing, or is the information in the wrong field? Is the information outdated or already publicly known?
• Is your SIEM system capable of consuming the CTI data coming from the CTI provider?
• Is there a possibility for information enrichment?
• Is there content-based image recognition to protect the company's brands?
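As an added example (not from the slides or from RBI), here is a small Python quality check over a constructed indicator feed that flags exactly the defects listed above for a technical feed: missing required fields, a value sitting in the wrong field, outdated entries and indicators that are already public. The record layout, the 90-day staleness threshold and the "public blocklist" set are assumptions, not a real provider's format.

```python
import ipaddress
import re
from datetime import date, timedelta
FEED = [  # constructed sample feed for illustration, not a real provider's data
    {"type": "ip", "value": "203.0.113.7", "first_seen": "2016-06-10", "source": "vendor"},
    {"type": "domain", "value": "198.51.100.4", "first_seen": "2016-06-12", "source": "vendor"},
    {"type": "domain", "value": "", "first_seen": "2016-06-13", "source": "vendor"},
    {"type": "domain", "value": "old.example", "first_seen": "2015-01-02", "source": "vendor"},
    {"type": "domain", "value": "known.example", "first_seen": "2016-06-14", "source": "vendor"},
    {"type": "ip", "value": "192.0.2.9", "source": "vendor"},
]
AS_OF = date(2016, 6, 15)  # constructed "today" for the age check
PUBLIC_INDICATORS = {"known.example"}  # constructed: already on a public blocklist
REQUIRED = ("type", "value", "first_seen", "source")
DOMAIN_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(\.[A-Za-z0-9-]{1,63})+$")

def value_fits_type(ind_type, value):
    """True when the value really is the kind of indicator the type field claims."""
    try:
        looks_like_ip = ipaddress.ip_address(value) is not None
    except ValueError:
        looks_like_ip = False
    if ind_type == "ip":
        return looks_like_ip
    if ind_type == "domain":  # an IP literal in the domain field is a wrong-field error
        return not looks_like_ip and bool(DOMAIN_RE.match(value))
    return False

def check_record(rec, today, public):
    """Return the list of quality problems found in one indicator record."""
    issues = ["missing:" + f for f in REQUIRED if not rec.get(f)]
    if "missing:type" in issues or "missing:value" in issues:
        return issues  # nothing sensible to validate without type and value
    if not value_fits_type(rec["type"], rec["value"]):
        issues.append("wrong_field")
    if rec.get("first_seen") and today - date.fromisoformat(rec["first_seen"]) > timedelta(days=90):
        issues.append("stale")  # assumption: anything older than 90 days is outdated
    if rec["value"] in public:
        issues.append("already_public")
    return issues

def score_feed(feed, today, public):
    """Summarise a feed: clean record count plus a tally of each recurring problem."""
    summary = {"total": len(feed), "clean": 0, "issues": {}}
    for rec in feed:
        issues = check_record(rec, today, public)
        summary["clean"] += not issues
        for name in issues:
            summary["issues"][name] = summary["issues"].get(name, 0) + 1
    return summary
```

Running the same check over a provider's sample export during a POC gives a per-defect tally to compare providers against, rather than an impression from reading a few records.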

Project Outcome: Creation of a CTI Competence Center

CTI Competence Center in our Ukraine bank for RBI Group

• Improve maturity level in CTI in the group
• Maintain awareness of RBI NWUs about new and sophisticated targeted attacks and threats
• Support RBI NWUs in integrating CTI feeds to security systems (IOC Hub)
• Central overview of Cyber Threat Intelligence in the RBI Group
• Develop and establish CTI service governance process

If you are a global organization, use local advantages

CTI seen from the C-SUITE

1. Protect the company brands
2. Prioritize real threats relevant to the enterprise
3. Influence right budgeting and staffing
4. Prevent and predict evolving cyber threats
5. Effective cyber risk communications with top executives and board members by Security
6. Better focus for the CISO (more time to tackle the problems from a strategic and not from a reactive perspective)

Security Maturity Model

Ad Hoc -> Opportunistic -> Repeatable -> Managed -> Optimized

Predictions & Prioritizations enabled by CTI

Reinhold Wochner, MSc., MBA, CRISC, CRMA, CISM, CGEIT, CISSP, CISA

[email protected]

Thank you