The Business Use Case for Cyber Threat Intelligence (CTI) Gary Hayslip VP, CISO Webroot Inc.

Post on 15-Mar-2018


Page 1: The Business Use Case for Cyber Threat Intelligence (CTI) 201… · Attach risk scores to threat indicators, ... alerts as high priority • Allow SIEM or analyst to query the threat

The Business Use Case for Cyber Threat Intelligence (CTI)

Gary Hayslip, VP, CISO, Webroot Inc.

Page 2

Cyber Threat Intel, a growing need

Why do I need Threat Intel?

• Business environment constantly evolving, threat space evolving even faster. Challenging climate, numerous new attack surfaces.
• CISOs must make contextual decisions to reduce the organization's exposure to risks that previously were unknown
• In the 2016 SANS Threat Intelligence Survey:
  • 73% of the 200+ security professionals surveyed believed they made better informed decisions through the use of threat intelligence
  • 58% believed it actually assisted their teams in providing a faster, more accurate response to security incidents
• Large portions of the security industry & corporations are focused on zero days, APT, and ransomware
  • Forgetting one of the rules of cyber hygiene – do the basics first, do them correctly, and do them consistently
• We will look at business cases for "contextual" cyber threat intelligence
• Three Categories:
  • IT/InfoSec Operations
  • Incident Response
  • Strategic Management of Assets

Page 3

Cyber Threat Intel, a strategic asset

What is Threat Intel?

• Organized, analyzed and refined information about potential and current attacks, targeted generally or specifically at your organization or industry
  • Value: Informs you about the current threats that you should focus on, how to recognize them, how to prepare for them, and how to defend against them
• Specific tools and the techniques used to exploit targeted vulnerabilities
  • Value: You and your defensive systems can immediately use this intel to prevent or mitigate these threats
• Threat intel can also include specifics about the adversaries (who are posing the threat) and the victims (who are being targeted)
• Good threat intel should be actionable and contextualized:
  • Need to know what the adversaries want to do
  • What they are targeting
  • Does it apply to the organization?
• This implies that you know what assets you have that are susceptible to any threat

Page 4

Cyber Threat Intel, context is key

What Do We Mean By "Contextualized" Threat Intelligence?

• Threat intelligence (TI) must be actionable. To use it effectively, it's key to consider your organization's unique context as it relates to the following:
  • Industry
  • Business Culture
  • Business Processes
  • Core Applications
  • Core Infrastructure
  • Key Vendors
• Use data flow diagrams (DFDs) and an expansive view of threat modeling to refine your threat intelligence
  • Understand how data flows through the organization
  • Where it is stored, accessed, backed up
  • Insight into 3rd party access and how it is used
  • Visibility into the types of data that are leaving the organization
  • Finally, understanding of the data that is critical to the business and most likely will be targeted

Page 5

Cyber Threat Intel, context brings value

Context - Bringing it all together

• Context is critical to threat intelligence. Use the sources of context described in this presentation to fine-tune your threat intelligence program

• Know your industry, the nuance of your business and processes, your core applications and infrastructure and your material vendors

• Your threat intelligence program should provide insight into the above crucial components of your business

• Your organization should receive threat feeds that are specific to your environment (this improves fidelity)

Page 6

Cyber Threat Intel, let's get started

Need to answer some questions

• What industry is your organization competing in?
  • The industry in which your organization operates has a material impact on your overall security program and the associated threat landscape
  • Certain industries are more enticing than others from a threat perspective (Defense, Healthcare, Financial etc.)
• The Culture of Your Organization
  • The dynamics of your organization have an important role in determining how threat intelligence should be used
  • Social profiles of the Executive Team and Board of Directors
  • The organization's current status:
    • Growing business w/M&A
    • Shrinking business w/mounting losses
    • Morale of employees
    • International Competition
    • Sources of income
    • Client profiles

Presentation Notes: To make Cyber Threat Intel a strategic asset you need to collect some information so you better understand your environment.

Page 7

Threat Intel, more homework

Other questions you need to answer

• Do you know your application portfolio?
  • Applications should be readily mapped back to their supporting business processes
  • Inventory applications and clearly highlight linkages to business processes
  • This is key for "threat modeling"
• Do you know your core infrastructure?
  • Infrastructure should be mapped to applications
  • Determine the status of the underlying infrastructure supporting material applications
    • Database
    • Operating System
    • Hypervisor
    • Servers, Storage, Networks & Backups
    • Security Infrastructure
  • Is the organization receiving current security updates & intelligence from vendors?

Presentation Notes: Applications should be readily mapped back to their supporting business processes. Inventory applications and clearly highlight linkages to business processes. Know the key details on material applications: vendor/manufacturer; version; system administrators & key accounts; infrastructure and/or provider (e.g. SaaS); validate if the application is still supported; ask how the application would be exploited (e.g. threat modeling). Similar to how applications are mapped to business processes, infrastructure should be mapped to applications. Determine the status of the underlying infrastructure supporting material applications: database, operating system, hypervisor, servers, storage, networks & backups, security infrastructure. Validate if your organization is receiving security updates and intelligence from these vendors. Are there inherent weaknesses in the current infrastructure?

Page 8

Threat Intel, last note on homework

Your partners and vendors matter

• Your threat landscape is influenced by your vendors.
• Inventory material vendors
  • Are your vendors being targeted by criminal actors?
  • Determine if there are threat-sharing relationships established with these vendors
    • Some vendors are willing to share information with partners
    • Enables the organization to better understand its technology infrastructure and the risks associated with it
  • Do the vendors themselves represent a potential exploit or threat vector?

Page 9

So where do I get Cyber Threat Intelligence?

Two types of Threat Intelligence

• To use threat intelligence, decide which sources to use
• Internal - information within the organization
  • Information that an organization's security and operations teams have from previous experiences
    • Vulnerabilities
    • Malware incidents
    • Data breaches
  • Provides insight on compromises; track analytics over time
• External - threat intelligence available from multiple outside sources
  • Sources can be feeds that are subscription (cost) or open source (free)
  • Feeds can be consumed directly by your deployed security appliances
    • Typically a fee you subscribe to in order to have it turned on
  • Feeds can be reports via email or access to a threat portal
  • Feeds can be external threat intelligence feeds (industry specific)
    • Example - FS-ISAC, MS-ISAC, IT-ISAC
  • The last type of external threat intelligence feed is the feeds provided by law enforcement or government entities (FBI or DHS)
    • See DHS Enhanced Cybersecurity Services (ECS) for more information: https://www.dhs.gov/enhanced-cybersecurity-services

References at end of presentation

Presentation Notes: So I have gathered my information, now what?

Page 10

Business Cases for IT/InfoSec Operations

• Network & Security Operations – cyber threat intelligence (CTI) improves the effectiveness of installed technologies at blocking malicious traffic
  • Firewalls (including NGFW), IDS/IPS and secure web gateways (SWG)
  • Apply rules to thwart malicious activities; use threat indicators to block malware and network traffic
  • Issue: The quality of threat indicators is poor, so staff turn them off to avoid cutting off legitimate traffic
  • CTI: validating threat indicators, malware signatures and domain reputations can reduce false positives
  • Resolution: Provide staff with analysis of threat actors, complex attacks & details about malicious tools and tactics. Help fine-tune the rules used by firewalls, IPSs, and similar systems (streaming, real-time)
• Patch Management
  • Patching is very time-consuming; teams find themselves with a backlog of patches and difficult choices about which to apply first
  • CVSS ratings - unrealistic "high" ratings. Vendors' "critical/important/moderate/low" ratings are not reliable guides
  • CTI helps teams prioritize patches based on information about the vulnerabilities
    • Contextual information on vulnerabilities and their effects, ease of exploitation, and whether exploits are currently available in the wild

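As an added example (not from the deck and not Webroot's code), the following Python function applies the patch-management point above: the CVSS base score is only the baseline, and the CTI context the slide names (public exploit, ease of exploitation, active use in the wild) plus asset exposure from the application and infrastructure inventory move an item up the queue. The vulnerability names, scores, flags and weights are all constructed placeholders, not real CVE data.

```python
"""Patch prioritisation with CTI context (added example, not from the deck).

Each vulnerability carries the CVSS/vendor data the slide calls unreliable on
its own, plus the contextual fields CTI adds. The two asset fields are an
assumption: in practice they come from the application/infrastructure
inventory the earlier slides describe. All sample data is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    name: str                 # placeholder label, not a real CVE id
    cvss_base: float          # 0.0 to 10.0
    vendor_rating: str        # "critical" / "important" / "moderate" / "low"
    exploit_available: bool   # CTI: public exploit code exists
    exploit_ease: str         # CTI: "trivial" / "moderate" / "hard" / "unknown"
    in_the_wild: bool         # CTI: active exploitation reported
    internet_facing: bool     # asset exposure from the inventory (assumed)
    business_critical: bool   # asset criticality from the inventory (assumed)


# Illustrative weights: how much a public exploit adds, scaled by how easy it is.
EASE_WEIGHT = {"trivial": 3.0, "moderate": 2.0, "hard": 1.0, "unknown": 1.0}


def priority_score(v: Vuln) -> float:
    """Higher means patch sooner.

    CVSS is the starting point; exploit availability and in-the-wild use add to
    it, and exposure/criticality multiply it, so an actively exploited CVSS 7.5
    bug on an exposed, critical host outranks an unexploited CVSS 9.8 bug on an
    internal box.
    """
    score = v.cvss_base
    if v.exploit_available:
        score += 2.0 * EASE_WEIGHT[v.exploit_ease]
    if v.in_the_wild:
        score += 6.0
    if v.internet_facing:
        score *= 1.5
    if v.business_critical:
        score *= 1.25
    return round(score, 2)


def prioritise(vulns):
    """Return the backlog ordered by priority score, highest first."""
    return sorted(vulns, key=priority_score, reverse=True)


# Constructed backlog: vendor/CVSS ordering would put VULN-A first.
SAMPLE = [
    Vuln("VULN-A", 9.8, "critical", False, "unknown", False, False, False),
    Vuln("VULN-B", 7.5, "important", True, "trivial", True, True, True),
    Vuln("VULN-C", 5.3, "moderate", True, "hard", False, True, False),
    Vuln("VULN-D", 8.8, "critical", True, "moderate", False, False, True),
]

if __name__ == "__main__":
    for v in prioritise(SAMPLE):
        print(f"{v.name:8} cvss={v.cvss_base:<4} vendor={v.vendor_rating:10} "
              f"priority={priority_score(v)}")
```

On the constructed backlog the ordering becomes VULN-B, VULN-D, VULN-C, VULN-A: the CVSS 9.8 item with no exploit activity drops to last, which is the slide's argument against using CVSS or vendor ratings alone. The weights themselves are illustrative; what matters is that they are driven by CTI and asset context rather than the vendor's label.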

Page 11

Business Cases for IT/InfoSec Operations – con't

• Security Operations Center – most enterprises generate far more alerts than the SOC and IR teams can investigate
  • SOC analysts review alerts and divide them into three categories:
    • Escalate to the incident response (IR) team
    • Investigate when time permits
    • Ignore
  • CTI enhances event prioritization and situational awareness in two ways:
    • Attach risk scores to threat indicators so the SIEM flags the appropriate alerts as high priority
    • Allow the SIEM or analyst to query the threat intelligence knowledge base and correlate alerts with additional context about attacks

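The two mechanisms on the SOC slide, risk-scored indicators lifting alerts into the escalate queue and a knowledge-base lookup attaching attack context, are shown below in a small Python example. It is added here and is not code from the deck, from Webroot, or from any SIEM product: the indicator knowledge base, the alert line format and the sample alerts are all constructed, and the field names are assumptions rather than a real SIEM schema.

```python
"""SOC alert prioritisation with CTI risk scores (added example, not from the deck).

A constructed indicator knowledge base (KB) is matched against constructed
alert lines; the highest matching risk score decides which of the SOC's three
queues the alert lands in, and the KB context rides along for the analyst.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed KB: observable -> CTI context. IPs are from the RFC 5737
# documentation ranges and domains use the reserved .invalid TLD, so none of
# these values refer to real infrastructure. Actor names are placeholders.
INDICATOR_KB = {
    "198.51.100.7": {"risk": 90, "actor": "ACTOR-X (placeholder)",
                     "tactic": "command-and-control", "last_seen": "2018-03-01"},
    "203.0.113.44": {"risk": 45, "actor": "unknown",
                     "tactic": "scanning", "last_seen": "2018-02-20"},
    "update.example.invalid": {"risk": 80, "actor": "ACTOR-Y (placeholder)",
                               "tactic": "malware-delivery", "last_seen": "2018-03-10"},
    "old.example.invalid": {"risk": 85, "actor": "ACTOR-Y (placeholder)",
                            "tactic": "malware-delivery", "last_seen": "2017-01-05"},
}

# Indicators age out: a sighting older than this is down-weighted so stale feed
# entries do not produce the false positives the previous slide warns about.
STALE_AFTER = timedelta(days=180)

# Constructed alert format: "<ts> src=<ip> dst=<ip> [host=<name>] rule=<id>"
ALERT_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+)(?: host=(?P<host>\S+))? rule=(?P<rule>\S+)$"
)


def effective_risk(entry, now):
    """Risk score after age decay: halve it once the last sighting is stale."""
    last_seen = datetime.strptime(entry["last_seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return entry["risk"] // 2 if now - last_seen > STALE_AFTER else entry["risk"]


def enrich_alert(line, now):
    """Match the alert's observables against the KB, attach the highest risk
    score, map it to a SOC queue, and carry the KB context along."""
    m = ALERT_RE.match(line)
    if not m:
        return None  # unparseable line; a real pipeline would log and count these
    fields = m.groupdict()
    observables = [fields[k] for k in ("src", "dst", "host") if fields[k]]
    hits = [(o, INDICATOR_KB[o]) for o in observables if o in INDICATOR_KB]
    risk = max((effective_risk(e, now) for _, e in hits), default=0)
    if risk >= 70:
        priority = "escalate"      # hand to the IR team
    elif risk >= 30:
        priority = "investigate"   # when time permits
    else:
        priority = "ignore"
    return {
        "rule": fields["rule"],
        "risk": risk,
        "priority": priority,
        "context": [{"indicator": o, "actor": e["actor"], "tactic": e["tactic"]}
                    for o, e in hits],
    }


def triage(lines, now):
    """Enrich every parseable alert and return them highest risk first."""
    enriched = [r for r in (enrich_alert(l, now) for l in lines) if r is not None]
    return sorted(enriched, key=lambda r: r["risk"], reverse=True)


# Constructed sample alerts: internal 10.0.0.0/8 hosts touching KB entries.
SAMPLE_ALERTS = [
    "2018-03-15T10:00:01Z src=10.0.0.5 dst=198.51.100.7 rule=outbound-tls-anomaly",
    "2018-03-15T10:00:02Z src=203.0.113.44 dst=10.0.0.9 rule=port-scan",
    "2018-03-15T10:00:03Z src=10.0.0.12 dst=10.0.0.53 host=update.example.invalid rule=dns-query",
    "2018-03-15T10:00:04Z src=10.0.0.12 dst=10.0.0.53 host=old.example.invalid rule=dns-query",
    "2018-03-15T10:00:05Z src=10.0.0.7 dst=10.0.0.2 rule=failed-login",
]
NOW = datetime(2018, 3, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS, NOW):
        print(f"{r['priority']:11} risk={r['risk']:3} rule={r['rule']} context={r['context']}")
```

Run against the constructed alerts, the two fresh high-risk indicators are escalated, the scanner and the stale delivery domain (85 halved to 42 by the age decay) go to the investigate queue, and the failed-login alert with no KB match is left to ignore. The decay step is the practical caveat: a feed entry that is never retired keeps raising alerts long after the infrastructure has changed hands.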

Page 12

Business Cases for Incident Response

• Attack Analysis – CTI helps IR teams analyze complex attacks more quickly and more thoroughly
  • When an attack is detected, the team needs answers to these questions:
    • Attribution: do we know who is behind the attack?
    • What tactics are being used?
    • How far has the attack progressed, are any systems compromised, and has any data been accessed?
    • What are the steps to halt the attack, and then remediate the effects?
  • The IR team is reacting to the indicator that triggered the alerts
    • May be a single malware sample, or a link to a known command and control (C&C) server
    • It can take an analyst days to piece together what happened through disparate sources
      • Emails, application logs, network traffic, system configurations, threat analyses etc.
    • A long lead time gives attackers more time to find and exfiltrate data and perform other hostile acts
  • CTI accelerates incident response by providing context to the initial alerts
    • Query the intelligence knowledge base to answer questions:
      • Technical characteristics and effects of the indicator
      • Which adversaries have used this technique, what they target, and which infrastructure and tools they use
    • (Allows the IR team to move from the initial alert to finding the indicators of compromise)


Page 13

Business Cases for Incident Response – con't

• Triage & Remediation – CTI helps IR & InfoSec teams uncover the effects of attacks and determine how to clean up their impact
  • Adversaries often conduct campaigns that use multiple tools and techniques
  • The IR team uses the CTI knowledge database of these tactics
    • Hunt for additional breaches these adversaries might have engineered
    • (Malware troop transport story)
  • CTI helps with remediation through knowledge of the tools and tactics used in attacks
    • Helps determine which systems on the network may have been compromised
    • Context makes it easier to locate and remove the attacker's footprints
    • Change security controls to protect against the same and/or similar tactics in the future


Page 14

Business Cases for Strategic Management of Assets

• Effective Investing – CTI helps identify which threats to prioritize, and enables the CISO & CIO to explain threats in business terms and have productive discussions with senior executives and board members
  • CTI helps IT and Security to understand challenges such as:
    • New adversaries, emerging threats targeting their industry
    • New tactics and techniques exploiting weaknesses in current security defenses
    • New "attack surfaces" such as mobile devices, cloud, IoT, and social networks
  • This information allows CISOs and IT managers to invest budget and staff where they matter
    • Focus on the most likely attackers and threats, not react to headlines
    • Deprioritization - determining which threats are not likely, and focusing on the threats that are important
• Improve Communications – CISOs find it difficult to hold meaningful discussions with executives about attacks and the technologies to acquire
  • CTI helps put a face on adversaries
    • Explain their motives in human terms:
      • Political activists who want to embarrass the company
      • Foreign competitor trying to unearth business plans
      • Cybercriminal group trying to make money on ransomware
  • Helps describe security issues in terms of risks to the business
    • Potential loss of revenue from online sales
    • Impact on regulatory compliance
    • Inability to deploy a new mobile application for the sales force this year


Page 15

Page 16

Cyber Threat Intel References

Organization – How to Contact

• DHS-designated Fusion Centers and contact information – under the auspices of the Office of Intelligence and Analysis
  https://www.dhs.gov/fusion-center-locations-and-contact-information

• InfraGard – InfraGard is a partnership between the FBI and the private sector. It is an association of persons who represent businesses, academic institutions, state and local law enforcement agencies, and other participants dedicated to sharing information and intelligence to prevent hostile acts against the United States.
  Visit: https://www.infragard.org

• Information Sharing and Analysis Centers (ISACs) – ISACs are member-driven organizations, delivering all-hazards threat and mitigation information to asset owners and operators.
  http://www.isaccouncil.org/

• National Fusion Center Association (NFCA) – THE MISSION: To represent the interests of state and major urban area fusion centers, as well as associated interests of states, tribal nations, and units of local government, to promote the development and sustainment of fusion centers to enhance public safety; encourage effective, efficient, ethical, lawful, and professional intelligence and information sharing; and prevent and reduce the harmful effects of crime and terrorism on victims, individuals, and communities.
  https://nfcausa.org/

• Law Enforcement Intelligence Units (LEIUs)
  http://leiu.org/

Page 17

Cyber Threat Intel References

Organization and Key Points of Contact – What to Report?

• U.S. Department of Homeland Security (DHS), National Protection and Programs Directorate (NPPD), National Cybersecurity and Communications Integration Center (NCCIC) (http://www.dhs.gov/about-national-cybersecuritycommunications-integration-center), [email protected] or (888) 282-0870
  What to report: Suspected or confirmed cyber incidents that may impact critical infrastructure and require technical response and mitigation assistance

• United States Secret Service – Secret Service Field Offices (http://www.secretservice.gov/field_offices.shtml), Electronic Crimes Task Forces (ECTFs) (http://www.secretservice.gov/ectf.shtml)
  What to report: Cybercrime, including computer intrusions or attacks, transmission of malicious code, password trafficking, or theft of payment card or other financial payment information

• Immigration and Customs Enforcement Homeland Security Investigations (ICE HSI) – ICE HSI Field Offices (http://www.ice.gov/contact/inv/), ICE HSI Cyber Crimes Center (http://www.ice.gov/cyber-crimes/)
  What to report: Cyber-based domestic or international cross-border crime, including child exploitation, money laundering, smuggling, and violations of intellectual property rights

• U.S. Department of Justice (DOJ), Federal Bureau of Investigation (FBI) – FBI Field Offices (http://www.fbi.gov/contact-us/field), Cyber Task Forces (http://www.fbi.gov/about-us/investigate/cyber/cyber-task-forces-building-alliances-to-improve-thenations-cybersecurity-1), Law Enforcement Online Portal (https://www.cjis.gov/CJISEAI/EAIController) or (888) 334-4536
  What to report: Cybercrime, including computer intrusions or attacks, fraud, intellectual property theft, identity theft, theft of trade secrets, criminal hacking, terrorist activity, espionage, sabotage, or other foreign intelligence activity

Page 18

Cyber Threat Intel References

Sources – these are typically lists of information, whether in spreadsheet or API format or in formats specific to the hardware/software deployed within the user's environment

• C&C Tracker - feed of known, active and non-sinkholed C&C IP addresses
• Cymon – good aggregated website of threats, feeds and intelligence
• ExploitAlert – listing of the latest exploits released
• Spamhaus Project - contains multiple threat lists associated with spam and malware activity
• VirusShare - repository of malware samples to provide security researchers, incident responders, and forensic analysts access to samples of malicious code

Threat Feed Formats – formats for sharing threat intelligence data, typically for indicators of compromise (IoC) data

• CAPEC - comprehensive dictionary and classification taxonomy of known attacks that can be used by analysts to advance community understanding and enhance defenses

• MAEC – project on Mitre aimed at creating and providing a standardized language for sharing structured information about malware

• OpenPhish – site to identify zero-day phishing sites and provide comprehensive, actionable, real-time threat intelligence

• STIX – now managed by OASIS, standardized language used to represent cyber threat information

• TAXII - now managed by OASIS, TAXII defines concepts, protocols, and message exchanges to exchange cyber threat information for the detection, prevention, and mitigation of cyber threats

• VERIS - set of metrics designed to provide a common language for describing security incidents in a structured and repeatable manner
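STIX and TAXII are the formats in this list that a SIEM or an appliance actually ingests, so as an added example (not code from the deck, from Webroot or from OASIS) here is a standard-library Python loader that turns a STIX 2.1 indicator bundle into a set of matchable observables. The bundle is constructed for this example: its ids, timestamps, addresses (RFC 5737 ranges), domains (.invalid) and hash are placeholders. Only the simple pattern shape `[object:property = 'value']`, optionally joined by `OR`, is parsed, which is how most feed-delivered IoCs arrive; anything richer (AND, FOLLOWEDBY, observation windows) is skipped and reported rather than guessed at, and expired indicators are dropped by their validity window.

```python
"""Loading IoCs from a STIX 2.1 indicator bundle (added example, not from the deck).

Uses only the standard library, no STIX library. Handles bracketed, OR-only
patterns and validity windows; reports everything else as skipped.
"""
import json
import re
from datetime import datetime, timezone

# Constructed sample bundle in STIX 2.1 JSON shape; all values are placeholders.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000002",
         "created": "2018-03-01T00:00:00.000Z", "modified": "2018-03-01T00:00:00.000Z",
         "name": "C2 address", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix", "pattern": "[ipv4-addr:value = '198.51.100.7']",
         "valid_from": "2018-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000003",
         "created": "2018-03-05T00:00:00.000Z", "modified": "2018-03-05T00:00:00.000Z",
         "name": "Delivery domains", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[domain-name:value = 'update.example.invalid' OR domain-name:value = 'cdn.example.invalid']",
         "valid_from": "2018-03-05T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000004",
         "created": "2017-12-01T00:00:00.000Z", "modified": "2018-01-15T00:00:00.000Z",
         "name": "Expired dropper hash", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[file:hashes.'SHA-256' = '" + "00" * 32 + "']",  # placeholder hash
         "valid_from": "2017-12-01T00:00:00Z", "valid_until": "2018-02-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000005",
         "created": "2018-03-10T00:00:00.000Z", "modified": "2018-03-10T00:00:00.000Z",
         "name": "Scanner with port", "indicator_types": ["malicious-activity"],
         "pattern_type": "stix",
         "pattern": "[ipv4-addr:value = '203.0.113.44' AND network-traffic:dst_port = 4444]",
         "valid_from": "2018-03-10T00:00:00Z"},
        {"type": "malware", "spec_version": "2.1",  # non-indicator object, ignored
         "id": "malware--00000000-0000-4000-8000-000000000006",
         "created": "2018-03-01T00:00:00.000Z", "modified": "2018-03-01T00:00:00.000Z",
         "name": "Placeholder family", "is_family": True},
    ],
})

# One comparison: <object-type>:<property path> = '<value>'
COMPARISON = re.compile(r"([\w-]+:[\w.'-]+)\s*=\s*'([^']*)'")


def parse_simple_pattern(pattern):
    """Return [(object_path, value), ...] for a bracketed, OR-only pattern, or
    None when the pattern uses anything this parser does not handle."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        return None
    terms = []
    for term in re.split(r"\s+OR\s+", body[1:-1]):
        m = COMPARISON.fullmatch(term.strip())
        if m is None:
            return None
        terms.append((m.group(1), m.group(2)))
    return terms


def parse_time(value):
    """STIX timestamps are RFC 3339 UTC, with or without fractional seconds."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised STIX timestamp: {value!r}")


def load_indicators(bundle_json, now):
    """Return ({observable: context}, [(indicator id, reason skipped), ...])."""
    indicators, skipped = {}, []
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        valid_from = parse_time(obj["valid_from"])
        valid_until = parse_time(obj["valid_until"]) if "valid_until" in obj else None
        if now < valid_from or (valid_until is not None and now >= valid_until):
            skipped.append((obj["id"], "outside validity window"))
            continue
        terms = parse_simple_pattern(obj["pattern"])
        if terms is None:
            skipped.append((obj["id"], "unsupported pattern"))
            continue
        for path, value in terms:
            indicators[value] = {"path": path, "source": obj["id"], "name": obj.get("name", "")}
    return indicators, skipped


NOW = datetime(2018, 3, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    loaded, dropped = load_indicators(SAMPLE_BUNDLE, NOW)
    for value, ctx in loaded.items():
        print(f"{ctx['path']:18} {value:28} from {ctx['name']}")
    for ind_id, reason in dropped:
        print(f"skipped {ind_id}: {reason}")
```

The skipped list is the part worth keeping in a real pipeline: a loader that silently drops what it cannot parse, or keeps indicators past their `valid_until`, is how a feed quietly loses coverage or starts producing the stale false positives that make operations staff switch it off.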

Page 19

Cyber Threat Intel References

Frameworks/Platforms – solutions used to collect, analyze, create and share threat intelligence

• AIS - Department of Homeland Security’s (DHS) free Automated Indicator Sharing (AIS) capability enables the exchange of cyber threat indicators between the Federal Government and the private sector

• ATT&CK - model and framework for describing the actions an adversary may take while operating within an enterprise network

• MindMeld - An extensible Threat Intelligence processing framework that can be used to manipulate lists of indicators and transform and/or aggregate them for consumption by third party enforcement infrastructure

• MISP - open source software solution for collecting, storing, distributing and sharing cyber security indicators and malware analysis

• OTX - open access to a global community of threat researchers and security professionals. It delivers community-generated threat data, enables collaborative research, and automates the process of updating your security infrastructure with threat data from any source – there are costs

• Threat Crowd – a browser designed for finding and researching artifacts relating to cyber threats

Page 20

Cyber Threat Intel References

Tools – tools are either sites that can be used to analyze information or actual software that an analyst can use to parse, create, edit or publish threat intelligence data

• Automater - tool to do analysis of IP addresses, URLs, and hashes
• Combine – tool to gather threat intelligence feeds from publicly available sources
• Cuckoo Sandbox - open source automated malware analysis system
• Loki - LOKI is a free and simple IOC scanner
• Machinae - tool for collecting intelligence from public sites/feeds about various security-related pieces of data: IP addresses, domain names, URLs, email addresses, file hashes and SSL fingerprints
• Malwr – site is a free malware analysis service and community
• OSTIP – a threat data platform project
• Virus Total - free service that analyzes suspicious files and URLs and facilitates the quick detection of viruses, worms, Trojans, and all kinds of malware

Research, References or Books - reading material about threat intelligence including research and whitepapers.

• CAR - Cyber Analytics Repository, a knowledge base of analytics based on the Adversary Tactics, Techniques, and Common Knowledge (ATT&CK™) threat model

• Definitive Guide to CTI – document describes the elements of cyber threat intelligence, discusses how it is collected, analyzed, and used

• NIST SP 800-150 – NIST document for exchanging cyber threat information within a sharing community.

• MWR Threat Intelligence – white paper discusses the processes of requirements elicitation, collection, analysis, production and evaluation of threat intelligence. (Chismon & Ruks, 2015)