Threat Intelligence: Fair dinkum or dog's breakfast?

James Nunn-Price & Puneet Kukreja, 23rd and 25th February 2016


Page 1

Threat Intelligence: Fair dinkum or dog's breakfast?

James Nunn-Price & Puneet Kukreja

23rd and 25th February 2016

Page 2

Contents

• Simplifying the market noise

• Where should threat intelligence be positioned?

• What does good look like?

• Improving operating effectiveness using situational awareness

Page 3

Simplifying the market noise


Page 4

Deloitte Touche Tohmatsu © 2016 - Threat Intelligence - Fair dinkum or dog's breakfast?

Threat landscape

It’s complex and confusing

Types of cyber attacks:

• Distributed Denial of Service (DDoS)

• Application Layer Attacks

• Brute Force Attacks

• Network Protocol Attacks

• Known Vulnerability Exploitation

• Zero Day Exploitation

• Phishing

• Rogue Update Attacks

• Watering Hole Attacks

Page 5


Threat landscape

A bit late for so many!

Page 6


The big data problem

(aka dog’s breakfast…)

Data → Information → Knowledge → Intelligence

• Data is raw and it’s abundant. It simply exists and has no significance beyond its existence.

• Information is data that has been given meaning by way of relational connections. The bulk of commodity intelligence providers today are providing information feeds.

• Knowledge is the appropriate collection of information, such that its intent is to be useful. Very few providers and internal security functions get this far.

• Intelligence is the ability to acquire and apply knowledge and skills to meet an objective. Due to information overload and limited resources, rarely is this achieved.
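The data-to-knowledge climb above, as an added example that is not part of the deck: a small Python script that turns raw indicator lines (data) into sightings tied to assets the organisation actually owns (information) and then into a per-asset summary ordered by criticality (knowledge). The feed lines, asset inventory and proxy log are constructed sample input and their field layouts are assumptions, not any vendor's format; hosts seen in the log but missing from the inventory are reported separately, since the later slides make the point that intelligence is only as good as the asset inventory behind it.

```python
"""Data -> information -> knowledge on a constructed indicator feed.

Added example, not from the Deloitte deck. Raw feed lines ("data") are
given meaning by joining them to an asset inventory and a proxy log
("information"), then collected per asset by criticality so an analyst
can act on the result ("knowledge"). Feed, inventory and log below are
constructed sample input; the field layouts are assumptions, not any
vendor's format.
"""
from collections import defaultdict

# Constructed raw feed, one indicator per line: type,value,tag (this is "data").
RAW_FEED = """\
domain,update-cdn.example.net,rogue-update
ip,203.0.113.45,phishing
domain,login-portal.example.org,phishing
ip,198.51.100.7,ddos-c2
"""

# Constructed asset inventory: host -> (owner, criticality 1..5).
ASSETS = {
    "fin-ws-12": ("finance", 4),
    "web-proxy-1": ("infra", 3),
    "dev-lab-3": ("engineering", 1),
}

# Constructed proxy log lines: timestamp host destination.
PROXY_LOG = """\
2016-02-23T09:12:01Z fin-ws-12 update-cdn.example.net
2016-02-23T09:15:44Z dev-lab-3 update-cdn.example.net
2016-02-23T10:02:10Z fin-ws-12 203.0.113.45
2016-02-23T10:30:00Z web-proxy-1 192.0.2.9
2016-02-23T10:31:00Z unknown-host 203.0.113.45
"""


def parse_feed(text):
    """Data: indicators as value -> (type, tag); blank or malformed lines are skipped."""
    indicators = {}
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 3:
            continue
        ioc_type, value, tag = parts
        indicators[value] = (ioc_type, tag)
    return indicators


def match_log(indicators, log_text):
    """Information: link each indicator sighting to the host that produced it.

    Returns (hits, gaps): hits are sightings on hosts present in ASSETS,
    gaps are sightings on hosts the inventory does not know about.
    """
    hits, gaps = [], []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, host, dest = parts
        if dest not in indicators:
            continue
        sighting = {"time": ts, "host": host, "indicator": dest, "tag": indicators[dest][1]}
        (hits if host in ASSETS else gaps).append(sighting)
    return hits, gaps


def collect_by_asset(hits):
    """Knowledge: one row per affected asset, most critical first.

    Row layout: (host, criticality, owner, sorted unique tags).
    """
    grouped = defaultdict(list)
    for h in hits:
        grouped[h["host"]].append(h)
    rows = []
    for host, sightings in grouped.items():
        owner, criticality = ASSETS[host]
        rows.append((host, criticality, owner, sorted({s["tag"] for s in sightings})))
    return sorted(rows, key=lambda r: (-r[1], r[0]))


def summarise(feed_text=RAW_FEED, log_text=PROXY_LOG):
    """Run the three steps; returns (rows_by_asset, inventory_gaps)."""
    hits, gaps = match_log(parse_feed(feed_text), log_text)
    return collect_by_asset(hits), gaps


if __name__ == "__main__":
    rows, gaps = summarise()
    for host, crit, owner, tags in rows:
        print(f"{host:12} crit={crit} owner={owner:12} tags={','.join(tags)}")
    for g in gaps:
        print(f"inventory gap: {g['host']} saw {g['indicator']} ({g['tag']})")
```

The feed alone is four lines of data; only after the join does it say anything about this organisation, and only the grouping by asset criticality tells an analyst where to start. The inventory-gap list is deliberately not dropped: a hit on a host nobody has catalogued is a finding in its own right.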

Page 7


Several types of intel

Example sources

• Intelligence is about understanding something. This can only effectively be developed over time. Intelligence is not about the sources or the raw information. Intelligence is about what you can do with it.

Intelligence sources (figure: plotted on two axes, from economical to expensive and from easy to detect to hard to detect):

• Open source Intelligence

• Technical Intelligence

• Secret Intelligence

• Underground Intelligence

Human Intelligence (HUMINT)

• Intelligence gathered through the use of people. HUMINT employs overt and clandestine operations, e.g. spying.

• Gathering should be done under an assumed identity.

Signals Intelligence (SIGINT)

• Intelligence gathered through the use of interception or listening technologies.

• Example: wired/wireless sniffer TAP devices

Imagery Intelligence (IMINT)

• Intelligence gathered through recorded imagery such as photographs and satellite images.

• Crossover between IMINT and OSINT if it extends to Google Earth and its equivalents

Open-Source Intelligence (OSINT)

• Intelligence gathered through freely available information, such as that presented in the media, available in libraries or on the Internet.

Threat actors:

• Opportunists

• Nation States

• Corporations

• Terrorist Organisations

• Botnets

• Script Kiddies

• Hacktivists

• Established Criminal Networks

Page 8

Where should threat intelligence be positioned?


Page 9


High expectations?

A shift in thinking

“There is nothing more necessary than good intelligence to frustrate a designing enemy and nothing requires greater pains to obtain” – George Washington

Source: Gartner Definition – Threat Intelligence

Types of threat intelligence: Strategic, Tactical, Operational, Technical

Source: Centre for the Protection of National Infrastructure – UK Government

Page 10


Position threat intelligence by consumer?

Helps to meet expectations and reduce negative experiences

SOURCE: Centre for the Protection of National Infrastructure – UK Government

Page 11


In-house and threat intelligence provider analysis

A raft of providers and in-house teams exist, but they are rarely categorised by the end consumer; instead they are categorised by industry buzzwords

Vendor | Type | Mobile Apps | Executive Brief | Threat Brief | Phishing/Takedown | Data Disclosure | Malware Intel | Malware Analysis | Social media | Cyber Attacks | Vuln. Mapping | Incident Response | Etc
A | Boutique | Yes | Yes | Yes | Yes/Yes | Yes | Yes | No | Yes | Yes | No | No | ..
B | Security Specialist | Yes | Yes | Yes | Yes/Yes | No | Yes | Yes | No | Yes | Yes | Yes | ..
C | Security Specialist | No | Yes | Yes | Yes/Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | ..
D | Defence Contractor | Yes | Yes | Yes | No | No | Yes | Yes | No | Yes | Yes | Yes | ..
E | Boutique | No | Yes | No | No | Yes | No | No | Yes | No | Yes | No | ..
F | Boutique | Yes | Yes | No | No | No | No | Yes | No | Yes | Yes | Yes | ..
G | Defence Contractor | No | Yes | No | No | No | No | Yes | No | Yes | Yes | Yes | ..
H | Vendor | No | Yes | Yes | Yes/Yes | No | Yes | Yes | No | Yes | Yes | Yes | ..
I | Network Provider | Yes | Yes | Yes | No | Yes | No | Yes | No | Yes | Yes | Yes | ..
J | Boutique | No | No | Yes | Yes/No | Yes | Yes | No | Yes | Yes | No | No | ..
etc | etc | … | … | … | … | … | … | … | … | … | … | … | …

Page 12

What does good look like?

Page 13


Threat intelligence goals

Define your intelligence scope through planning

• What are you trying to achieve?

• What information do you need?

• Who is the information for?

• What is the budget?

• What resources will you need?

• How should it be presented?

Monitoring all varieties of intelligence across regional and topical interests takes huge amounts of manpower. Prioritise.

Page 14


Threat intelligence sources

It's about understanding the origin of the information

• Before reporting on any information found, it should be assessed and analysed.

Analyse each source of information:

• Who wrote the information?

• Does the author know about the subject?

• Why was it produced?

• How did the author get their information?

• Is this relevant to your objectives?

• When was it produced?

Report on relevant, credible findings.

Remember the 5 W’s & H: Who, What, When, Where, Why, and How

Page 15


Good threat intelligence requires human context

It's about understanding the context of the information

Leading questions:

• Are they acting alone?

• Are they acting within a group?

• Do they have credibility or a history?

• What is their motivation?

• What is their capability?

• What is the vulnerability?

• What are they saying?

• What is the specificity?

• What is their opportunity?

Outcome:

• Who or what the actor is

• What the threat is

• Likelihood of the threat materialising

Page 16


Processing the findings

Scoring the information: ensure intel consumers are aware

Credibility ratings (in relation to other information)

1 Confirmed: confirmed by other independent sources; logical in itself; consistent with other information on the subject

2 Probably true: not confirmed; logical in itself; consistent with other information on the subject

3 Possibly true: not confirmed; reasonably logical in itself; agrees with some other information on the subject

4 Doubtfully true: not confirmed; possible but not logical; no other information on the subject

5 Improbable: not confirmed; not logical in itself; contradicted by other information on the subject

6 Misinformation: unintentionally false; not logical in itself; contradicted by other information on the subject; confirmed by other independent sources

7 Deception: deliberately false; contradicted by other information on the subject; confirmed by other independent sources

8 Cannot be judged: no basis exists for evaluating the validity of the information

Reliability of source ratings

A Reliable: no doubt of authenticity, trustworthiness, or competency; has a history of complete reliability

B Usually reliable: minor doubt about authenticity, trustworthiness, or competency; has a history of valid information most of the time

C Fairly reliable: doubt of authenticity, trustworthiness, or competency, but has provided valid information in the past

D Not usually reliable: significant doubt about authenticity, trustworthiness, or competency, but has provided valid information in the past

E Unreliable: lacking authenticity, trustworthiness, or competency; history of invalid information

F Cannot be judged: no basis exists for evaluating the reliability of the source

It takes time!
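The two rating scales above, as an added example that is not part of the deck: Python that encodes the A-F source reliability and 1-8 information credibility scales from the slide, validates each item's grade so a bad rating cannot slip through, and applies a triage policy. The policy, the IntelItem fields, the 30-day freshness limit and the sample items are assumptions constructed here, not the authors' method; the freshness check carries the "when was it produced?" question from the sources slide, and the grade is kept on each finding so the consumer knows how much weight it carries.

```python
"""Admiralty-style grading: source reliability (A-F) and information credibility (1-8).

Added example, not from the Deloitte deck. The two scales are copied from
the slide; the IntelItem fields, the triage rules, the 30-day freshness
limit and the sample items are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date

SOURCE_RELIABILITY = {
    "A": "Reliable",
    "B": "Usually reliable",
    "C": "Fairly reliable",
    "D": "Not usually reliable",
    "E": "Unreliable",
    "F": "Cannot be judged",
}

INFO_CREDIBILITY = {
    1: "Confirmed",
    2: "Probably true",
    3: "Possibly true",
    4: "Doubtfully true",
    5: "Improbable",
    6: "Misinformation",
    7: "Deception",
    8: "Cannot be judged",
}

# Constructed "today" so the freshness check is reproducible.
TODAY = date(2016, 2, 23)


@dataclass(frozen=True)
class IntelItem:
    summary: str
    source: str        # who produced it ("who wrote it, how did they get it?")
    reliability: str   # A-F rating of the source
    credibility: int   # 1-8 rating of this piece of information
    produced: date     # when it was produced


def grade(item):
    """Return the combined grade such as 'B2'; values off the scales are rejected."""
    if item.reliability not in SOURCE_RELIABILITY:
        raise ValueError(f"unknown source reliability {item.reliability!r}")
    if item.credibility not in INFO_CREDIBILITY:
        raise ValueError(f"unknown information credibility {item.credibility!r}")
    return f"{item.reliability}{item.credibility}"


def triage(item, today=TODAY, max_age_days=30):
    """Hypothetical handling policy keyed on the grade (an assumption, not the deck's)."""
    grade(item)  # validate first so a bad rating never silently falls through to "monitor"
    if (today - item.produced).days > max_age_days:
        return "stale: re-validate before use"
    if item.reliability == "F" or item.credibility == 8:
        return "hold: cannot be judged, collect more"
    if item.credibility in (6, 7):
        # False information is still reported: deception aimed at you is itself intelligence.
        return "flag: false information"
    if item.reliability in ("A", "B") and item.credibility in (1, 2):
        return "act"
    if item.reliability in ("A", "B", "C") and item.credibility <= 3:
        return "report with caveats"
    return "monitor"


def triage_report(items, today=TODAY):
    """Return [(grade, decision, summary)] in input order, ready for the consumer."""
    return [(grade(i), triage(i, today), i.summary) for i in items]


# Constructed sample items (not real reports).
SAMPLE_ITEMS = [
    IntelItem("Vendor reports phishing kit targeting AU banks", "vendor-x", "B", 2, date(2016, 2, 20)),
    IntelItem("Forum post claims zero-day in our VPN appliance", "underground-forum", "D", 4, date(2016, 2, 22)),
    IntelItem("Competitor breach rumour, no corroboration", "social-media", "F", 8, date(2016, 2, 22)),
    IntelItem("Paste contradicting confirmed IR findings", "anon-paste", "C", 7, date(2016, 2, 21)),
    IntelItem("Last year's DDoS campaign summary", "vendor-y", "A", 1, date(2015, 11, 1)),
]


def demo_report():
    """Grade and triage the constructed sample items."""
    return triage_report(SAMPLE_ITEMS)


if __name__ == "__main__":
    for g, decision, summary in demo_report():
        print(f"{g:>3}  {decision:40}  {summary}")
```

Two design points: the two ratings are kept separate rather than multiplied into one number, because a reliable source can still pass on information that is itself doubtful (A4) and an unjudged source can relay something already confirmed elsewhere (F1); and the "cannot be judged" grades send the item back for more collection rather than to the consumer, which is where the slide's "it takes time" lands in practice.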

Page 17

Improving operating effectiveness using situational awareness

Page 18


Threat intelligence reporting

Strategic, Tactical, Operational or Technical?

• Are you delivering compelling narratives tailored to the threat intelligence ‘consumer’, or just mirroring regurgitated facts and news at all ‘consumer’ levels? If the latter, the intelligence will be disregarded or ignored by decision-makers and you won’t get the investment you need.

Key Considerations

• Does the report answer the questions or objectives raised in the planning phase?

• Is the information relevant to your audience?

• Have you drawn a meaningful conclusion or just listed facts?

• Wherever possible, deliver and discuss intelligence face-to-face.

Risks of Poor Reports

• Information will be discarded and credibility is lost.

• The report isn’t relevant and so is ignored.

• The report doesn’t answer the question so it is disregarded, wasting time, money and resources.

• A written report is sent to the wrong person and is never read.

Figure: Does it meet the objective? Relevant to the stakeholder? Meaningful conclusions? Robust analysis.

Page 19


What can I take away

Information is not intelligence and is not one-size-fits-all

• Improves visibility & reporting

• Integration is required across design, engineering and operations

• Begins with critical systems and asset inventory

• Do not overlook security operations process maturity

• Is only as good as your asset and threat profile classification

• Vendors are only as good as “your” use cases

• It’s no Silver Bullet

Page 20

James Nunn-Price

Asia Pacific Cyber Risk Leader

Partner, Deloitte Touche Tohmatsu

[email protected]

+61 428 200 542

http://www2.deloitte.com/au/en/pages/risk/articles/protecting-businesses-cyber-criminals-cyber-attacks.html

Puneet Kukreja

Partner, Cyber Risk Services

Deloitte Touche Tohmatsu

[email protected]

+61 403 037 010

Page 21

Deloitte’s global cyber threat intelligence centres offer local context and tailored business understanding

Map of centres (legend: OPERATIONAL / PLANNED): INDIA; UAE; TURKEY; ITALY; SPAIN; FRANCE; USA; CANADA; BRAZIL; ARGENTINA; UK; GERMANY; NETHERLANDS; ISRAEL; SOUTH AFRICA; HUNGARY; SINGAPORE; MALAYSIA; AUSTRALIA; HONG KONG, CHINA; JAPAN

N.B. larger markets have multiple centres

Globally over 3500 cyber staff; in Australia:

• 120+ Dedicated Cyber Risk professionals

• Ability to cover all states with core cyber expertise supported by national Subject Matter Experts

Page 22

General information only

This presentation contains general information only, and none of Deloitte Touche Tohmatsu Limited, its member firms, or their related entities (collectively the “Deloitte Network”) is, by means of this presentation, rendering professional advice or services. Before making any decision or taking any action that may affect your finances or your business, you should consult a qualified professional adviser. No entity in the Deloitte Network shall be responsible for any loss whatsoever sustained by any person who relies on this presentation.

About Deloitte

Deloitte refers to one or more of Deloitte Touche Tohmatsu Limited, a UK private company limited by guarantee, and its network of member firms, each of which is a legally separate and independent entity. Please see www.deloitte.com/au/about for a detailed description of the legal structure of Deloitte Touche Tohmatsu Limited and its member firms.

Deloitte provides audit, tax, consulting, and financial advisory services to public and private clients spanning multiple industries. With a globally connected network of member firms in more than 150 countries, Deloitte brings world-class capabilities and high-quality service to clients, delivering the insights they need to address their most complex business challenges. Deloitte has in the region of 225,000 professionals, all committed to becoming the standard of excellence.

About Deloitte Australia

In Australia, the member firm is the Australian partnership of Deloitte Touche Tohmatsu. As one of Australia’s leading professional services firms, Deloitte Touche Tohmatsu and its affiliates provide audit, tax, consulting, and financial advisory services through approximately 6,000 people across the country. Focused on the creation of value and growth, and known as an employer of choice for innovative human resources programs, we are dedicated to helping our clients and our people excel. For more information, please visit our web site at www.deloitte.com.au.

Liability limited by a scheme approved under Professional Standards Legislation.

Member of Deloitte Touche Tohmatsu Limited

© 2016 Deloitte Touche Tohmatsu