
Cyber Threat Intelligence Program Primer



Presentation on theme: "Cyber Threat Intelligence Program Primer"— Presentation transcript:

1 Cyber Threat Intelligence Program Primer
CU Day August 29, 2016 Columbus, OH

2 CU Industry Challenge
Growing small business attacks. Shifting attack vectors/TTPs can sidestep traditional countermeasures (e.g., antivirus and anti-malware utilities). Need for cost-effective solutions. Source: insights.sei.cmu.edu

3 CAT Domain 2 Baseline (Domain / Declarative Statement / Comment)

Domain 2: Threat Intelligence & Collaboration

Declarative statement: The institution belongs or subscribes to a threat and vulnerability information sharing source(s) that provides information on threats (e.g., Financial Services Information Sharing and Analysis Center [FS-ISAC], U.S. Computer Emergency Readiness Team [US-CERT]). (FFIEC E-Banking Work Program, page 28)
Comment: Increasingly, situational awareness of current and emerging threats is considered foundational to effective cybersecurity risk management. As a result, financial institutions should subscribe to information sharing resources that include threat and vulnerability information for situational awareness. There are many sources of information such as US-CERT, critical infrastructure sector ISACs, industry associations, vendors, and federal briefings. There are 19 public and private information-sharing ISACs for critical infrastructure, set up for the purpose of sharing information with their constituents, between themselves, and government. US-CERT offers a free subscription service for vulnerability alerts along with weekly summaries.

Declarative statement: Threat information is used to monitor threats and vulnerabilities. (FFIEC Information Security Booklet, page 83)
Comment: Threats and vulnerabilities that are considered important to the financial institution are monitored via identified information resources. Financial institutions can monitor threats and vulnerabilities by visiting information sharing resources on a regular basis and/or by subscribing to alerts, warnings and RSS feeds of threat and vulnerability information from the information sharing resources.

Declarative statement: Threat information is used to enhance internal risk management and controls. (FFIEC Information Security Booklet, page 4)
Comment: The financial institution associates threats, based on the targeted vulnerabilities and motivations, with the parts of the organization most likely to be targeted. Stakeholders for threat and vulnerability information are identified and involved. Examples of control enhancements could include actions taken to mitigate activity or patterns of activity associated with elevated fraud risk for electronic banking systems or plastic cards (i.e. debit or credit cards).

Declarative statement: Audit log records and other security event logs are reviewed and retained in a secure manner. (FFIEC Information Security Booklet, page 79)
Comment: Logging is enabled and a retention process is in place for assets or systems that generate important security-related event logs. Perpetrators often seek to delete audit or security logs to eliminate evidence of a computer intrusion and theft of customer or financial institution information or funds.

4 CAT Domain 2 Baseline (Domain / Declarative Statement / Comment)

Domain 2: Threat Intelligence & Collaboration

Declarative statement: Computer event logs are used for investigations once an event has occurred. (FFIEC Information Security Booklet, page 83)
Comment: Logs from security technologies, endpoints, and network devices provide incident responders with crucial evidence for investigations into attack activity. Logs from network devices such as switches and wireless access points, and from programs such as network monitoring software, might record data that could be of use in computer security or other information technology (IT) initiatives, such as operations and audits, as well as in demonstrating compliance with regulations. However, for computer security these logs are generally used on an as-needed basis as supplementary sources of information. Organizations should consider the value of each potential source of computer security log data when designing and implementing a log management infrastructure. (NIST )

Declarative statement: Information security threats are gathered and shared with applicable internal employees. (FFIEC Information Security Booklet, page 83)
Comment: Threat information is collected and provided to applicable individuals and/or business units. For example, social engineering is a major threat vector that requires security awareness throughout the institution.

Declarative statement: Contact information for law enforcement and the regulator(s) is maintained and updated regularly. (FFIEC Business Continuity Planning Work Program, Objective I: 5-1)
Comment: Maintaining law enforcement contact information is an initial step towards effective information sharing and can facilitate more rapid incident response.

Declarative statement: Information about threats is shared with law enforcement and regulators when required or prompted. (FFIEC Information Security Booklet, page 84)
Comment: Regulator notice is required for customer data breaches under the GLBA Safeguarding Guidelines (NCUA RR Part 748 Appendix B). Responsibility for cybersecurity reporting obligations should be assigned to appropriate personnel (e.g., internal reporting, US-CERT, law enforcement).

5 Research on CTI Benefits
Ponemon Institute 2015

6 CTI Research Ponemon Institute 2015

7 CTI Research Ponemon Institute 2015

8 CTI Research Ponemon Institute 2015

9 CTI Research Ponemon Institute 2015

10 What is Cyber Threat Intelligence?
Cyber Threat Intelligence (CTI) is the acquisition and analysis of information to identify, track, and predict cyber capabilities, intentions, and activities, and that offers courses of action to enhance decision-making.

11 Cyber Threat? A cyber threat is the possibility of a malicious attempt to damage or disrupt a computer network or system.
Speaker note: BAD guys or a BAD thing that wants to and can do bad things to your network or system.

12 Intelligence? Intelligence is information that has been analyzed and refined so that it is useful in making decisions.
Speaker note: Intelligence is information that has been analyzed and refined so that it is useful to policymakers in making decisions.

13 What Intelligence is Not…
data
information

14 Relationship
Every organization has an operational environment. The physical location of the organization, the networked infrastructure they use, the interconnections they have with other networks, and their accessibility to and from the Internet are all portions of their operational environment. This operational environment contains more data than could ever be fully collected. Many organizations have difficulty collecting and retaining packet capture for their environment for more than a few days (if at all), let alone all of the data. So collection efforts are often driven by tools that can reach into the operational environment and get data. With limited resources, it usually takes analysts understanding where the most critical data is located and collecting it using the best tools available. Tools are required to make the most out of data collection efforts. The data in this form is raw. This raw data is then processed and exploited into a more usable form. As an example, the packet capture that is run against an intrusion detection system generates information in the form of an alert. There should be more data than information. The information may have a sample of the data, such as the portion of the packet capture that matched the alert, and it is made available to the analyst with some context, even if only “this packet matched a signature thought to be malicious”. Information can give you a yes or no answer. Another example would be an antivirus match against malware on a system. The raw data, the malware’s code, is matched against a signature in the antivirus system to generate an alert. This alert is information. It answers the question “is malware present on the system”. The answer could be incorrect, maybe the match was a false positive, but it still answered a yes or no question of interest. Tools are not required to make information, but it is very inefficient to create information without tools.
Most vendor tools that make claims of producing “threat intelligence” are actually producing threat information. It is extremely valuable and necessary for making the most of analysts’ time — but it is not intelligence. Various sources of information that are analyzed together to make an assessment produce intelligence. Intelligence will never answer a yes or no question. The nature of doing intelligence analysis means that there will only be an assessment. As an example, if an intelligence analyst takes a satellite photo and notices tanks on the border of Crimea they can generate information that states that the tanks are on the border. It answers a yes or no question. If the intelligence analyst takes this source of information and combines it with other sources of information such as geopolitical information, statements from political leaders, and more they could then make an assessment that they state with low, medium, or high confidence that an invasion of Crimea is about to take place. It is impossible to know the answer for sure — there cannot be a yes or no — but the analysis created an intelligence product that is useful to decision makers. There should also be far more information than intelligence; intelligence is a refined product and process. In the cyber field we would make intelligence assessments of adversaries, their intent, potential attribution, capabilities they may be seeking, or even factors such as their opportunity and probability of attacking a victim. The intelligence can produce useful knowledge such as the tactics, techniques, and procedures of the adversary. The intelligence can even be used for different audiences which usually gets broken into strategic, operational, or tactical level threat intelligence. But it is important to understand that no tool can produce intelligence. Intelligence is only created by analysts. 
The analysis of various sources of information requires understanding the intelligence needs, analysis of competing hypotheses, and subject matter expertise. By understanding the difference between data, information, and intelligence, security personnel can make informed decisions on what they are actually looking for to help with a problem they face. Do you just want to know if the computer is infected? Threat information is needed. Do you just want raw data related to various threats out there? Threat data is needed. Or do you want a refined product that makes assessments about the threat to satisfy an audience’s defined needs? That requires threat intelligence. This understanding helps the community identify what tools they should be acquiring and using for those problems. It helps guide collection processes, the types of training needed for security teams, how the security teams are going to respond, and more.
Reference: U.S. Department of Defense’s Joint Publication 2-0: Joint Intelligence
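The data-to-information step and the information-to-intelligence step described above, as an added example that is not part of the presentation: a small signature matcher (standing in for an IDS) turns constructed packet records into alerts that carry the matched sample, and a checker enforces the slide's criteria for an analyst's intelligence product (a confidence level, more than one source, never a bare yes/no). All records, signatures and names are constructed for illustration.

```python
import re
from dataclasses import dataclass, field

# Constructed raw DATA: captured records standing in for packet capture (hypothetical values).
RAW_DATA = [
    {"src": "10.0.0.5", "dst": "203.0.113.7", "payload": "POST /gate.php?bot=42 HTTP/1.1"},
    {"src": "10.0.0.9", "dst": "192.0.2.10", "payload": "GET /index.html HTTP/1.1"},
    {"src": "10.0.0.5", "dst": "203.0.113.7", "payload": "GET /gate.php?cmd=ping HTTP/1.1"},
    {"src": "10.0.0.2", "dst": "192.0.2.10", "payload": "GET /about.html HTTP/1.1"},
]

# Constructed signatures standing in for an IDS rule set: rule name -> pattern thought to be malicious.
SIGNATURES = {"bot-checkin": re.compile(r"/gate\.php\?(bot|cmd)=")}


def data_to_information(records, signatures):
    """The tool step: run raw data against signatures. Each alert answers a yes/no
    question ('did this record match?') and carries the matching sample as context."""
    alerts = []
    for rec in records:
        for name, rx in signatures.items():
            m = rx.search(rec["payload"])
            if m:
                alerts.append({"rule": name, "src": rec["src"], "dst": rec["dst"],
                               "sample": m.group(0),
                               "context": "packet matched a signature thought to be malicious"})
    return alerts


@dataclass
class Assessment:
    """An analyst-authored intelligence product: a judgment, a stated confidence and
    the information sources it rests on. A person writes this; a tool does not."""
    judgment: str
    confidence: str                  # "low", "medium" or "high"
    sources: list = field(default_factory=list)


def is_intelligence(product):
    """Check a product against the slide's criteria: an assessment with a confidence
    level, built from more than one information source, and not a yes/no answer."""
    return (product.confidence in ("low", "medium", "high")
            and len(product.sources) >= 2
            and product.judgment.strip().lower() not in ("yes", "no"))


def refinement_ratios_hold(records, alerts, products):
    """Data should outnumber information, and information should outnumber intelligence."""
    return len(records) > len(alerts) > len(products)
```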

15 Intelligence Aspirations
Cyber Threat Intelligence should strive to be…
accurate
relevant
timely
actionable

16 Developing a CTI Program
PRIORITIZE critical assets (IS.B.12)
ENGAGE key stakeholders
IDENTIFY personnel (IS.B.83)
ACQUIRE information sources (IS.B.83, EB.B.28)
FILTER & ANALYZE the data (IS.B.4, IS.B.83)
COMMUNICATE results
Institutionalize the Process (Domain 1, Domain 2)

17 Types of Information Sources
Internal: IT and Security Infrastructure; Employees
Enterprise: Managed Security Service Providers; Business partners
External: Government; Industry Associations and Networks; Commercial Sources

18 Government Resources
U.S. Computer Emergency Readiness Team (US-CERT)
InfraGard
Internet Crime Complaint Center
Cyber Information Sharing and Collaboration Program (CISCP)
National Security Agency, Information Assurance Division

19 Questions? Christina Saari, Senior Cyber Intelligence Specialist, NCUA
Tim Segerson, Dep. Dir. E&I, NCUA
