Switched-on security Protecting networks through effective threat intelligence 1010000100101101010101010001111010100101000101010101010101011 1010000100101101010101010001111010100101000101010101010101011 1010000100101101000101000101010101010101011010010101010001111 0101000111101010010100010101010101010101101001010000100101101 0101101010101010001111010100101000101010101010101011010010100 1 USE YOUR RADAR Threat intelligence can allow targeted defence What is intelligence What is threat intelligence Information that can aid decisions with the aim of preventing an attack or decreasing the time taken to discover an attack A new field Applies traditional intelligence to cyber threats Targets defences increases threat awareness and improves responses to potential attacks 2 THE 4 TIER MODEL OF THREAT INTELLIGENCE Short term Long term The four types of threat intelligence Strategic Tactical High level information on changing risk Attacker methodologies tools and tactics Operational Technical Details of a specific incoming attack Indicators of specific malware Low level High level Tactical threat intelligence Strategic threat intelligence Consumed by board and senior staff Consumed by architects and sysadmins Form often written or verbal such as reports briefings or conversations Gained by reading white papers or the technical press communication with peers in other organisaitons purchasing from an intelligence provider Example reports on financial impact of cyber activity or attack trends that might impact on high-level business decisions Example it is discovered that attackers are using tools to obtain cleartext credentials and then replaying those credentials through PsExec Technical threat intelligence Operational threat intelligence Consumed by defenders responders Consumed by SOC staff IR It will be difficult for a private company to legally acquire operational intelligence on many groups However some public groups are easier Form data or information normally consumed through technical means Often has a short lifetime Example a feed of IP addresses suspected of being malicious or implicated as command and control servers Example regular attacks in response to news coverage can be used to predict future attacks 3 TAILORED INTELLIGENCE Focus on your organisation’s specific threat intelligence requirements 1 10 0 0 10 010 101 01 101 010 0 0 00 0101 10101 10 1 10 00 010 1 1010000101 0 1 10000101 010 1010000100 010 10 1 01 01 0101 0 0101010 11 01 10 010110101010 101 0 01010 0010 Ask the right questions Effective threat intelligence focuses on the questions that an organisation wants answered rather than simply attempting to collect process and act on vast quantities of data Don't just buy cool sounding products Not all threat intelligence products are useful The most useful sources of threat intelligence – for example personal contacts in other organisations – are not necessarily the most expensive 4 START SMART Threat intelligence first steps that work – even with minimal staff and budget Organisational Identify where threat intelligence processes might be taking place unofficially and assess how they could be better supported Strategic Tactical 1 Identify whether current 1 Extract key tactical indicators 2 Liaise with industry peers to determine whether there are other threats 2 Determine changes needed to make your organisation less susceptible 3 List all actors who would benefit from access to your sensitive data – or your inability to function effectively 3 Identify planned refreshes of technologies or systems Feed tactical intelligence into those refreshes to mitigate attacks perceived cyber threats have been realised in the past from incident reports and white papers on threat groups 10100001001011010101010100011110101001010001010101010101 10100001001011010101010100011110101001010001010101010101 10100001001011010001010001010101010101010110100101010100 01010001111010100101000101010101010101011010010100001001 010110101010101000111101010010100010101010101010101101001 10100001001011010101001010001010101010101010110100101010 10101001010001010101010101010110100101000010010110101010 Operational Technical 1 List people to contact if your 1 Obtain access to the daily C2 list organisation receives notice of an impending attack from CiSP or other free feeds and place the IP addresses in an ‘alert’ list on the primary firewall or IDS 2 Google your organisation’s name for dates immediately before DDOS attacks to determine whether negative coverage is leading to them 2 Review regularly to determine whether outbound connections are being made from within your organisation 3 If not attempt to identify other potential trigger factors 3 If so initiate incident response 5 TWO HEADS BETTER One-to-one human contacts can be among the best information sources Forums Discuss threat intelligence in forums The CiSP allow organisations to share information securely Organisations Meet with appropriate peers in similar organisations to discuss your joint perception of existing threats Focus on relationships where there is already some trust and develop further trust The Cyber-security Information Sharing Partnership CiSP is a joint industry government initiative to share cyber threat and vulnerability information in order to increase overall situational awareness of the cyber threat and therefore reduce the impact on UK business This Infographic presents one perspective on the topic of Threat Intelligence For more information on the topic www cpni gov uk advice cyber Threat-Intelligence © Crown Copyright 2015