Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations
TRANSCRIPT
John Pescatore, SANS
Adam Meyer, SurfWatch Labs
Obligatory Agenda Slide
• Housekeeping info
• Here’s what we will do
○ 1:05 – 1:15 Overview – John Pescatore
○ 1:15 – 1:45 Threat Intelligence – Adam Meyer
○ 1:45 – 2:00 Q&A
Thanks to our sponsor:
Q & A
• Please use GoToWebinar’s Questions tool to submit questions to our panel.
• Send to “Organizers” and tell us if it’s for a specific speaker.
Making Security Advances During Turbulent Times
• Threats aren’t standing still
• Business/technology demands aren’t, either
• Prevent more, detect faster, resolve with less disruption
Which Industries Are Most at Risk?
Source: Symantec 2016
Or Are These Industries Most at Risk?
Source: FireEye 2016
Or Maybe These?
Source: FireEye 2016
Lifecycle of a Unicorn (CVE-2014-6332)
Source: Microsoft Security Intelligence Report, 2015
Shifting Strategies
Source: Intel Security 2016
Shield / Eliminate Root Cause / Monitor/Report (diagram)
• Shield: FW/IPS, Anti-malware, NAC
• Eliminate Root Cause (Mitigate): Patch Management, Config Management, Change Management; Software Vuln Test, Training, Network Arch, Privilege Mgmt
• Monitor/Report: SIEM, Security Analytics, Incident Response
• Continuous Processes: Policy, Assess Risk, Baseline, Vuln Assessment/Pen Test, Security Configuration, Discovery/Inventory
• Inputs: Threats, Regulations, Requirements, OTT Dictates
Defining Situational Awareness
• Pre-flight: plan safest route
• In flight: decreasing reaction time so that the mission gets accomplished and the pilot returns safely
• Post-flight: do better next time
Plenty of Data
• Threat feeds
• Security Controls status/configuration
• Log Monitoring
• Asset Status
○ Network Scanning
○ Passive Discovery
○ Credentialed Access
○ Local agent drill-down
From Data to Action
Inputs: Business Intelligence Big Data, Security Big Data, Fraud/Transaction Big Data
Threat Analytics + Security Controls Analytics → Situational Awareness → Action!
Focus/Force Multiplication
• Need to focus limited resources on the highest payback areas.
• Turn floods of data into harvests of information.
• False positives are not the problem – wasting time on them is.
• Situational awareness vs. information/event management.
• Action – prevent more, detect faster, resolve more surgically
• Intelligence vs. voyeurism…
Connecting the Dots Between Your Threat Intelligence Tradecraft and Business Operations
Today’s Speaker
Adam Meyer, Chief Security Strategist, SurfWatch Labs
Gaining Visibility of Cyber Risks is Critical to the Viability of Your Business
• A majority of attacks compromise defenses within minutes, but detecting the breach takes on average 200+ days
• Leaders are struggling to align security strategies with real-world business strategies
- 14% of corporations report that the Board is actively involved in cybersecurity preparedness
- 52% report minimal involvement
• Supply chain represents significant risk - 57% of breaches originate from partners and suppliers (PwC)
The Threat Balloon
Cybercriminals shift tactics to hit targets that are “Attractive” and “Soft”
There’s an Intel Gap Between Cyber Security and the Business
Cyber Threat Intelligence Stack
Source: http://ryanstillions.blogspot.com/2014/04/on-ttps.html
Defining “Intelligence”
Intelligence is regularly defined as information that can be acted upon to change outcomes.
1. Move from “unknown unknowns” to “known unknowns” by discovering the existence of threats, and then …
2. Shift “known unknowns” to “known knowns”, where the threat is well understood and mitigated.
While this is the norm for defenders, it’s not normal for decision makers.
Put Cyber Threat Intelligence into Terms the Business Can Understand
(Each layer of the organization, top to bottom, and what intelligence has to answer at that level)
• Organization: Be Defendable
• Business Unit: Executive Communications (Non-Technical); Is the Business Unit “Well Positioned” Against Threats? Why Not?
• Products and Services: What the Business Cares About; What is the Threat Surface? What Investments are Needed?
• Tools in Support of the Product/Service: Needs of the User Community; User Point of Presence; Public Facing / Adversary Exposure
• Infrastructure to Support the Tools: IT Pain Points; Decentralized Oversight (Shadow IT, Disconnected IT Teams)
• Data in Support of the Business: Adversary’s Target; Liability and Regulatory Impact
Put Cyber Threat Intelligence into Terms the Business Can Understand
• Strategic (Decision): For Senior Leaders; Used to measure cyber risk and make investments
• Operational (Output): Bridges the broad, non-technical, strategic needs with the narrow, technical inputs; Focuses on the immediate operating environment
• Tactical (Output): Where On-the-Network actions take place; The efforts to Detect and Respond to on-the-wire events
Internal vs. External Threat Intelligence
Internal: Necessary for tactical defense
- Prevention
- Detection
- Incident Response
- Information Exchange
External: Necessary for managing overall organizational risk
- Industry threat activity
- Fraud/Extortion
- Brand & Reputation
- Targeting
Measuring Cyber Threat Intelligence
• Start Simple
– Good business managers run things on a foundation of the evaluated intelligence – it’s the thing you know.
• Make Risks Learnable
– Learnable risks are the ones we could make less uncertain if we took the time and resources to learn more about them.
– Random risks are defined as those that had no analysis.
– Separating learnable risks from random ones in business decisions, by looking for their causes or drivers, can make them less uncertain.
– Tie learnable risks to any characteristics that make you “you”.
Measuring Cyber Threat Intelligence
• Enable Good Analysis
– If an intelligent human is conducting an attack, intelligent humans must be directing the defense.*
– All operations in cyberspace begin with a human being.**
• Ensure You are Defendable
– Against malicious individuals and groups
– In court and against regulatory action
– Your brand, both personal and organizational
* Defendable Architectures: Achieving Cyber Security by Designing for Intelligence Driven Defense, Lockheed Martin
** Intelligence and National Security Alliance (INSA)
The CISO’s Tug of War
Source: EMC
Intelligence Operations (Tracking Threats) vs. Network Defense (Stop the Bleeding)
How a CISO Can Leverage Threat Intelligence to Mitigate Risk
• Intelligence provides critical insights on ACTIVE threats to your business and can be applied to different areas of the business
- Threat intelligence teams – know threat actors and their motivations to improve your defenses
- Fraud teams – understand what commodities are being monetized so you can minimize fraud
- Partners and Suppliers – understand the “presence” your vendors have to complement supply chain risk management
- Breach Response – instead of waiting to “get the call” from law enforcement, get ahead of the curve
Mitigating Risk with a Practical Intelligence Operation
• Co-Managed Intel – Complement your intel and facilitate faster, more effective risk management decisions
• Focus on Analysis – It’s less about getting more data and more about enabling sound analysis
• Link Intel to Business Impact – Avoid alert fatigue by worrying about threats specific to your business
• People, Process, Technology – Good intelligence leverages automation, expert human analysis and a process for using the intel
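The “focus limited resources on the highest payback areas” point from the overview and the “Link Intel to Business Impact” point above both come down to the same mechanic: join external intel against your own asset inventory, weight by what the business says matters, and only surface what touches your stack. The script below is an added example written for this page, not code from SANS or SurfWatch Labs; the feed entries, asset records, `TR-` identifiers and scoring weights are all constructed for illustration, and a real deployment would read STIX/TAXII or a vendor API and a CMDB instead of the inline lists.

```python
"""Link external threat intel to business impact.

Added example, not from the SANS/SurfWatch slides. Feed entries, asset
records, TR- identifiers and weights are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    business_unit: str
    criticality: int        # 1 (low) .. 5 (revenue-critical), set by the business
    public_facing: bool     # adversary exposure
    software: frozenset     # technologies the host runs, e.g. {"apache-struts"}


@dataclass(frozen=True)
class ThreatReport:
    ref: str                # hypothetical feed identifier
    summary: str
    targeted_software: frozenset   # what the reported activity exploits
    confidence: float       # 0..1 as stated by the feed / analyst


# Constructed asset inventory (the "Discovery/Inventory" input).
ASSETS = [
    Asset("web-01", "Online Sales", 5, True, frozenset({"apache-struts", "openssl"})),
    Asset("hr-portal", "HR", 3, False, frozenset({"sharepoint"})),
    Asset("build-07", "Engineering", 2, False, frozenset({"jenkins"})),
]

# Constructed external feed (the "External" intel input).
FEED = [
    ThreatReport("TR-0001", "Exploitation of Apache Struts on internet-facing hosts",
                 frozenset({"apache-struts"}), 0.9),
    ThreatReport("TR-0002", "Phishing kit abusing SharePoint branding",
                 frozenset({"sharepoint"}), 0.6),
    ThreatReport("TR-0003", "Worm targeting unpatched Exchange",
                 frozenset({"exchange"}), 0.8),
]

# Public-facing assets count double; an assumed weighting, tune to taste.
EXPOSURE_WEIGHT = {True: 2.0, False: 1.0}


def score(report, asset):
    """Business-impact score: feed confidence x criticality x exposure."""
    return round(report.confidence * asset.criticality
                 * EXPOSURE_WEIGHT[asset.public_facing], 2)


def prioritize(feed, assets):
    """(report, asset, score) triples for intel that touches our stack,
    highest business impact first. Reports matching nothing we run are
    dropped: real threats, but not *our* threats. Raising them is alert fatigue."""
    hits = []
    for report in feed:
        for asset in assets:
            if report.targeted_software & asset.software:
                hits.append((report, asset, score(report, asset)))
    return sorted(hits, key=lambda h: h[2], reverse=True)


def unmatched(feed, assets):
    """Reports we cannot tie to any asset: the 'known unknowns' to go learn
    about (incomplete inventory, or a threat that really is irrelevant?)."""
    known = frozenset().union(*(a.software for a in assets))
    return [r for r in feed if not (r.targeted_software & known)]


def briefing(feed, assets):
    """Group prioritized hits by business unit, in the business's own terms."""
    by_unit = {}
    for report, asset, s in prioritize(feed, assets):
        by_unit.setdefault(asset.business_unit, []).append(
            f"{report.ref} -> {asset.host} (impact {s})")
    return by_unit


if __name__ == "__main__":
    for unit, items in briefing(FEED, ASSETS).items():
        print(unit + ":")
        for line in items:
            print("  " + line)
    print("Unmatched, go learn more:", [r.ref for r in unmatched(FEED, ASSETS)])
```

With the constructed data the Struts report lands on the public-facing sales host and outranks the SharePoint phishing kit, the Exchange worm never reaches an analyst because nothing in the inventory runs Exchange, and the `unmatched` list is the queue for moving “unknown unknowns” to “known unknowns” (confirm the inventory is complete before trusting the silence).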
SurfWatch Labs Bridges the Intelligence Gap
Additional SurfWatch Labs Resources
SurfWatch Cyber Advisor:www.surfwatchlabs.com/cyber-advisor
Dark Web Surveillance: www.surfwatchlabs.com/dark-web-intelligence
Request a Demonstration:
• Personal Demo: info.surfwatchlabs.com/request-demo
• Demo Webinar: info.surfwatchlabs.com/Webcast/Threat-Intel-Live-Demo-Series
Connecting Your Intelligence Tradecraft to Business Operations
Resources
• SANS: https://www.sans.org/webcasts/archive/2016
• SANSFire: https://www.sans.org/event/sansfire-2016
• SurfWatch Labs: https://www.surfwatchlabs.com
• Questions: [email protected]
• @John_Pescatore
Acknowledgements
Thanks to our sponsor:
And also to our speakers and to our attendees:
Thank you for joining us today
© 2016 The SANS™ Institute – www.sans.org