Bohemia Ballroom, Borderless Cyber Conference and Technical Symposium / 6-8 Dec 2017 / Prague (events@oasis-open.org)

This talk is about identifying the characteristics of a mature cyber threat intelligence program and how it can be measured. Traditionally, intelligence has been about providing decision support to executives, whilst the field of cyber threat intelligence supports this customer type and also network defenders, who have different requirements. By using the intelligence cycle, this talk will help attendees understand what a mature intelligence program looks like and the steps to take their cyber threat intelligence program to the next level.
This talk in detail will cover:
- The traditional definition of intelligence.
- How traditional intelligence programs are built to serve consumers who are executives/decision makers.
- An introduction to cyber threat intelligence in that there are now two consumer types.
- How both consumer types need intelligence to support their jobs but that both have different things they need.
- Introduction to the intelligence cycle.
- A summary and a checklist of the things that make up a mature intelligence program.
Additional information on the presentation:
1.) The traditional definition of intelligence.
2.) How traditional intelligence programs are built to serve consumers who are executives/decision makers.
3.) An introduction to cyber threat intelligence in that there are now two consumer types: traditional intelligence consumers (executives/decision makers) and network defenders (SOC/NOC staff).
4.) How both consumer types need intelligence to support their jobs, but that each needs different things. Network defenders are drowning in alerts and need help prioritizing and responding to them. What should they be looking at first? When they find an indicator of compromise, is it significant? What technology changes can they make to help prevent/detect high impact events?
Executives need to understand the business impact that cyber threat actors can cause and the decisions they could make to reduce risk to the business. What policy or investment decisions can they make that will reduce risk (probability or impact) to their business?
5.) Introduction to the intelligence cycle. Talk about each element of the intelligence cycle briefly before covering the following in more depth:
o Requirements: Walk through a few examples of doing the requirements part of the intelligence cycle. Mention that a key part of an intelligence program is having a single prioritized requirements list that reflects your organization’s business risks. These should be strategic goals, updated bi-annually. RFIs/taskings should be subsets of these requirements, and a key indicator of inadequate requirements is RFIs that fall outside the established requirements. Tie each requirement to the intelligence consumer that needs it, so that when an intelligence report is disseminated it goes to the correct person or area. Requirements exist at three levels:
· Production requirements - what needs to be delivered to the intelligence customer (the end consumer of the intelligence), for example: what vulnerabilities are being exploited in the world that we can't defend against or detect?
· Intelligence requirements - what we need to collect to be able to meet our production requirements, for example: what vulnerabilities are currently being exploited in the wild?
· Collection requirements - the observables/data inputs we need to answer the intelligence requirement, for example: open source feeds of malicious URLs, exploit packs, etc., mapped to the vulnerability or vulnerabilities being exploited.
o Collection: Mention various intelligence collection sources: open sources, ISACs, security industry mailing lists, etc. Mention linking collection sources, with their pricing/internal resource needs, to collection requirements, so that ultimately an organization can understand the costs associated with fulfilling an intelligence requirement. On how to grade intelligence collection, refer to NATO’s Admiralty code as a system for evaluating the reliability of a source and the credibility of the information it provides.
o Processing and Exploitation: Refers to collation of intelligence collection (e.g. in a threat intelligence platform, TIP), automated linking, etc.
o Analysis: Talk about intelligence analysis and how it isn’t about reporting facts. Intelligence analysis is about assessing incomplete and disparate pieces of information to identify patterns that can lead to assessments of what is likely, not likely, etc. to happen. Introduce words for estimating probability (Kent’s Words of Estimative Probability):
· Certain - 100% - Give or take 0%
· Almost Certain - 93% - Give or take about 6%
· Probable - 75% - Give or take about 12%
· Chances About Even - 50% - Give or take about 10%
· Probably Not - 30% - Give or take about 10%
· Almost Certainly Not - 7% - Give or take about 5%
· Impossible - 0% - Give or take 0%
Ask people whether their organizations’ intelligence reports contain these words. Are they analysing raw collection themselves, or copying and pasting reports from intelligence providers? Copying and pasting intelligence reports means you aren’t doing analysis: you are relying on the external vendor’s assessment being correct, and you may not know what collection supported that assessment (unless they provided it). Do you have an intelligence analysis guide for your company? It should cover templates for intelligence reports, style of writing, words to use, etc. Also, when performing analysis, what information gaps do you have? Identifying these gaps is important so that collection can be focused to help fill them.
o Dissemination: The intelligence report is delivered to the intelligence customers. Do you receive feedback from the consumer? Was the report timely? Was it accurate? Was it relevant? What requirements did it meet? Are there any outstanding questions? Feedback is very important as it gives a qualitative metric on the intelligence program. Combining quantitative measures (e.g. number of intelligence reports) with qualitative ones (consumer feedback) provides the key performance indicators for the intelligence program. Link each intelligence report to the intelligence collection that was used in it, so you can identify which sources are valuable and relevant to you and which aren’t.
6.) Finish off the talk with a summary and a checklist of the things that make up a mature intelligence program, i.e.: a single prioritized requirements list that accurately reflects the organization’s ranked risks; intelligence collection sources mapped to the requirements they are meeting and their cost; actual intelligence analysis (are you producing intelligence, or simply consuming others’ intelligence reporting and pasting it?); and feedback received from intelligence consumers.
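The measurement ideas from the Requirements, Collection and Dissemination sections above, and the closing checklist, can be made concrete with a small bookkeeping model. The following Python is an added example written for this page, not material from the talk or its author: it keeps a prioritized requirements list, maps RFIs, collection sources (with cost and an Admiralty reliability letter) and reports (with consumer feedback) to that list, and derives the KPIs the abstract describes: RFIs falling outside the established requirements, cost per requirement, requirements nobody has reported on, and the value of each source judged by the feedback on the reports it supported. All data is constructed; the 1-5 feedback scale and the even split of a source's cost across the requirements it serves are assumptions of the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional, Tuple

# NATO Admiralty code: source reliability letter and information credibility digit.
ADMIRALTY_RELIABILITY = "ABCDEF"   # A = completely reliable ... E = unreliable, F = cannot be judged
ADMIRALTY_CREDIBILITY = "123456"   # 1 = confirmed ... 5 = improbable, 6 = cannot be judged


@dataclass
class Requirement:
    rid: str
    priority: int            # 1 = highest; together these form the single prioritized list
    text: str
    consumer: str            # who receives reports answering this requirement


@dataclass
class Source:
    name: str
    annual_cost: float       # licence cost plus internal effort (assumed currency units)
    reliability: str         # Admiralty reliability letter for the source
    requirement_ids: List[str]


@dataclass
class Report:
    report_id: str
    requirement_ids: List[str]
    sources: List[str]       # sources whose collection supported the assessment
    credibility: str         # Admiralty credibility digit for the information used
    feedback: Dict[str, int] # consumer feedback: timely/accurate/relevant, each 1-5 (assumed scale)


@dataclass
class RFI:
    rfi_id: str
    requirement_id: Optional[str]   # None when the tasking maps to no standing requirement


def validate_grade(reliability: str, credibility: str) -> str:
    """Return the combined Admiralty grade (e.g. 'B2') or reject an invalid one."""
    if reliability not in ADMIRALTY_RELIABILITY or credibility not in ADMIRALTY_CREDIBILITY:
        raise ValueError(f"invalid Admiralty grade {reliability}{credibility}")
    return reliability + credibility


def unmapped_rfis(rfis: List[RFI], requirements: List[Requirement]) -> List[str]:
    """RFIs outside the established requirements list: the signal that requirements are inadequate."""
    known = {r.rid for r in requirements}
    return sorted(x.rfi_id for x in rfis if x.requirement_id not in known)


def cost_per_requirement(sources: List[Source], requirements: List[Requirement]) -> Dict[str, float]:
    """Share each source's annual cost evenly across the requirements it collects against (assumption)."""
    cost = {r.rid: 0.0 for r in requirements}
    for s in sources:
        share = s.annual_cost / len(s.requirement_ids)
        for rid in s.requirement_ids:
            cost[rid] = cost.get(rid, 0.0) + share
    return cost


def source_value(reports: List[Report], sources: List[Source]) -> Dict[str, Tuple[int, Optional[float]]]:
    """Per source: number of reports it supported and the mean consumer feedback on those reports."""
    scores = defaultdict(list)
    for rep in reports:
        score = mean(rep.feedback.values())
        for name in rep.sources:
            scores[name].append(score)
    return {s.name: (len(scores[s.name]), round(mean(scores[s.name]), 2) if scores[s.name] else None)
            for s in sources}


def program_kpis(requirements, sources, reports, rfis) -> dict:
    """Combine the quantitative (report count) and qualitative (feedback) measures into one KPI set."""
    reported = {rid for rep in reports for rid in rep.requirement_ids}
    return {
        "reports": len(reports),
        "mean_feedback": round(mean([mean(r.feedback.values()) for r in reports]), 2),
        "unmapped_rfis": unmapped_rfis(rfis, requirements),
        "requirements_without_reports": sorted(r.rid for r in requirements if r.rid not in reported),
        "cost_per_requirement": cost_per_requirement(sources, requirements),
        "source_value": source_value(reports, sources),
    }


# Constructed sample data (not from any real organization).
REQUIREMENTS = [
    Requirement("R1", 1, "Which vulnerabilities exploited in the wild can we neither patch nor detect?", "network_defenders"),
    Requirement("R2", 2, "Which threat actors could disrupt payment processing, and at what business cost?", "executives"),
    Requirement("R3", 3, "Which phishing lures are currently targeting our sector?", "network_defenders"),
]
SOURCES = [
    Source("vendor-feed-X", 40000.0, "B", ["R1", "R3"]),
    Source("sector-ISAC", 5000.0, "A", ["R2", "R3"]),
    Source("osint-mailing-lists", 2000.0, "C", ["R1"]),
]
REPORTS = [
    Report("RPT-1", ["R1"], ["vendor-feed-X", "osint-mailing-lists"], "2", {"timely": 5, "accurate": 4, "relevant": 5}),
    Report("RPT-2", ["R3"], ["sector-ISAC"], "1", {"timely": 5, "accurate": 5, "relevant": 5}),
    Report("RPT-3", ["R3"], ["vendor-feed-X", "sector-ISAC"], "3", {"timely": 2, "accurate": 2, "relevant": 2}),
]
RFIS = [RFI("RFI-1", "R1"), RFI("RFI-2", None), RFI("RFI-3", "R9")]

if __name__ == "__main__":
    for key, value in program_kpis(REQUIREMENTS, SOURCES, REPORTS, RFIS).items():
        print(f"{key}: {value}")
```

Run on the sample data, the KPIs show two RFIs that map to no standing requirement, the executive-facing requirement R2 with no report against it despite a source being paid for it, and the cheap mailing-list source earning the best feedback. Those are exactly the questions from the closing checklist, answered from records the program already keeps.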