how do you predict the threat landscape?

Post on 28-Jan-2018


TRANSCRIPT

HOW DO YOU PREDICT THE THREAT LANDSCAPE?

Janne Pirttilahti

Director, New Services, F-Secure Cyber Security Services

AGENDA

– Holistic cyber security
– Definitions
– Why predictive capabilities matter
– Predictive approach to cyber threats
– Threat intelligence
– Recommendations

CYBER SECURITY IS A PROCESS

– Understand your risk, know your attack surface, uncover weak spots
– React to breaches, mitigate the damage, analyze and learn
– Minimize attack surface, prevent incidents
– Recognize incidents and threats, isolate and contain them


PREDICT \pri-ˈdikt\

To declare or indicate in advance; especially: foretell on the basis of observation, experience, or scientific reason

Source: Merriam-Webster


PREDICTIVE CAPABILITIES ARE NEEDED TO ANSWER MANY QUESTIONS

– Top three behaviors that impact us?
– What do future attacks look like?
– Where to invest next?
– How to train our people?
– How to prepare oneself and for what?

PRIORITIZE. BE PREPARED.

MARSH & MCLENNAN CYBER HANDBOOK: MOST ORGANIZATIONS NOT ADEQUATELY PREPARED FOR CYBER ATTACK

Source: www.databreaches.net


PREDICTIVE APPROACH TO CYBER THREATS

1) ASSET & VULNERABILITY MANAGEMENT: UNDERSTAND THE CURRENT STATE OF YOUR SYSTEMS

2) ACTIONABLE THREAT INTELLIGENCE: PROACTIVELY ANTICIPATE NEW ATTACKS

THE FOUNDATION OF ACTIONABLE INTELLIGENCE IS TO KNOW YOUR OWN SYSTEMS

THREAT INTELLIGENCE: FOREWARNED IS FOREARMED

“Threat intelligence is evidence-based knowledge (e.g. context, mechanisms, indicators, implications and action-oriented advice) about existing or emerging menaces or hazards to assets. CISOs should plan for current threats, as well as those that could emerge in the long term (e.g. in three years).”

Gartner, February 2016

Terms and acronyms from the threat intelligence field (word cloud slide): CDN, STIX, TAXII, OSINT, HUMINT, TLP, IOC, CTI, IOA, DGA, MD5, MRTI, ISAC, ISAO, CTIIC, NCCIC, TTP, TAP, SHA1, OTX, SIEM, CISA, IODEF, OpenIOC, CybOX, YARA

Kinds of intelligence and services: Technical Intel, Adversary Intel, Vulnerability Intel, Breach Monitoring, TIP, Strategic Intel, Data Enrichment

THE DIFFERENT LEVELS OF THREAT INTELLIGENCE

STRATEGIC / EXECUTIVE LEVEL
– Strategic, high-level information of changing risk
– Geopolitics, foreign markets, cultural background
– Vision timeframe: years

OPERATIONAL / TACTICAL
– Details of specific incoming risk: who, what, when?
– Attacker’s methods, tools and tactics, their modus operandi
– Early warnings of incoming attacks
– Vision timeframe: months, weeks, hours

TECHNICAL
– Specific IOCs (for SIEM, FW, etc. integration)
– More data, less intel
– Automated processing is paramount
– Vision timeframe: hours, minutes (but also long lasting)

MANY ORGANIZATIONS START WITH FREE SOLUTIONS.


NOTHING BEATS AN EXPERT.


PROCURING STRATEGICALLY RELEVANT INTELLIGENCE IS EXTRAVAGANT.

STRATEGICALLY RELEVANT DATA IS UNIQUE TO EACH COMPANY


All threat data:
– Vulnerability feeds
– Exploit kit feeds
– Malicious software feeds
– Indicators of compromise feeds
– Bad IP address feeds
– Botnet activities feeds
– DNS changes feeds
– Reputation feeds (URL & content)
– Known threat actor behavior data
– All ”breadcrumb” data from company personnel
– …

Funnel from the whole to what matters: Global landscape → Business area landscape → Possibly relevant data → Strategically important data
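As an added example that is not part of the presentation, here is one way to implement that funnel in code: a constructed threat feed is reduced to what is strategically important by matching it against a constructed inventory of our own products and sector, using the three levels' vision timeframes as expiry, and naming the process that must act on each surviving item. FeedItem, ASSETS, OWNER and run_sample are assumed names; every id, address and actor name is constructed.

```python
"""Added example, not from the presentation: pushing a broad threat feed through the
funnel (global landscape -> business area -> possibly relevant -> strategically
important) by matching it against our own asset inventory. All data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class FeedItem:
    level: str       # "technical", "operational" or "strategic" (the deck's three levels)
    kind: str        # "ip", "vuln" or "actor"
    value: str       # indicator, vulnerability id or actor name (constructed)
    affects: str     # product or sector the item concerns; "*" means unspecified
    seen: datetime   # when the feed last observed it
    confidence: int  # 0-100, as supplied by the feed

# Constructed inventory of our own environment: the foundation the deck insists on
ASSETS = {"products": {"Apache HTTP Server 2.4", "OpenSSL 1.1"}, "sector": "finance"}
# Vision timeframe per level: technical IOCs go stale in hours, strategic intel lasts longer
MAX_AGE = {"technical": timedelta(hours=24), "operational": timedelta(days=30),
           "strategic": timedelta(days=365)}
MIN_CONFIDENCE = 60
# The process that acts on each level; intel nobody will act on is not worth procuring
OWNER = {"technical": "SIEM/firewall automation", "operational": "SOC / incident response",
         "strategic": "CISO risk planning"}

def funnel(items, assets, now):
    """Split raw feed items into (possibly relevant, strategically important)."""
    possibly, important = [], []
    for it in items:
        if it.confidence < MIN_CONFIDENCE or now - it.seen > MAX_AGE[it.level]:
            continue                       # noise or expired for its level: more data, less intel
        possibly.append(it)
        # Strategically important only when it names something we run or our own sector
        if it.affects in assets["products"] or it.affects == assets["sector"]:
            important.append(it)
    return possibly, important

def route(important):
    """Map each strategically important item to the process that must act on it."""
    return [(it.value, OWNER[it.level]) for it in important]

NOW = datetime(2018, 1, 28, 12, 0, tzinfo=timezone.utc)
SAMPLE_FEED = [  # constructed feed; addresses are from RFC 5737 documentation ranges
    FeedItem("technical", "ip", "203.0.113.7", "*", NOW - timedelta(hours=2), 90),
    FeedItem("technical", "ip", "198.51.100.9", "*", NOW - timedelta(days=3), 95),
    FeedItem("operational", "vuln", "CVE-EXAMPLE-0001", "OpenSSL 1.1", NOW - timedelta(days=5), 80),
    FeedItem("operational", "vuln", "CVE-EXAMPLE-0002", "Windows Server", NOW - timedelta(days=5), 80),
    FeedItem("strategic", "actor", "ExampleGroup", "finance", NOW - timedelta(days=200), 70),
    FeedItem("technical", "ip", "192.0.2.44", "finance", NOW - timedelta(hours=1), 20),
]

def run_sample():
    possibly, important = funnel(SAMPLE_FEED, ASSETS, NOW)
    return possibly, important, route(important)
```

Of the six constructed items, the stale technical IP and the low-confidence one are dropped, the generic IP and the vulnerability in a product we do not run stay merely "possibly relevant", and only the OpenSSL vulnerability and the finance-sector actor reach the teams that act on them.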

EVEN ACTIONABLE INTELLIGENCE IS ONLY WORTH IT WITH PROCESSES IN PLACE TO EFFECTIVELY ACT ON IT.

CYBER SECURITY IS A PROCESS

Understanding your own environment is the foundation

CLOSING WORDS

– Understanding your own environment is the foundation
– There are both commercial and free options available
– Start from figuring out what benefits you the most
– Threat Intelligence can strengthen your security posture

QUESTIONS & ANSWERS

f-secure.com
