bsides nova 2017 so you want to be a cyber threat analyst eh?


Upload: anthony-melfi

Post on 08-Apr-2017


Page 1: So, You Want to Be a Cyber Threat Analyst, eh?

Twitter: @cubed_wombat
www.cubedwombat.com
http://www.aaanything.net/wp-content/uploads/2012/07/cute_wombat.jpg

Page 2: Disclaimer

• The following is the opinion of the author and is not a reflection of the author's current, past or future employers, or academic institutions. He is a big giant dumb dumb head.

Page 3: Overview

• This presentation provides key theories and concepts required for the Cyber Threat Analyst profession.
• For beginners to Cyber Threat Analysis, it is a potential road-map or checklist.
• For experienced analysts, this can be a cross-pollination of ideas which have worked for me and which you may find useful.

Page 4: Once upon a time…

• "This is WireShark, there are the pcaps and I have NO clue what "that" is… you should figure it out. It might be bad or completely legit."
• Good News! I had mentors and there were these theories:
  • Lockheed Martin Kill Chain, EC Council phases of attack
  • Diamond Model of Intrusion Analysis
• Bad News! They were still working it all out too…
• Looking back 8+ years later – not much has changed for a new analyst
• Hence this presentation

Page 5: If I had to do it again…

This is what I wish someone told me…
• Figure out your environment
• Communicate and organize like a business
• Pick a risk analysis model and stick with it.
• Choose your own attack phases: the Lockheed Martin Kill Chain & EC Council phases of attack
• Mitigation and understanding how to use defense-in-depth concepts
• If you only remember one thing from this talk: the Diamond Model of Intrusion Analysis
• The Pyramid of Pain… and you!

If we have time:
• Tips on collaboration and avoiding being Alice in Wonderland (common analytic pivoting pitfalls to avoid)
• How to support a SOC and play match-maker on the security team
• Recommended courses, certifications, reading and means to break into the industry

Page 6: Cyber Threat What???

• No "set" definition by industry – getting closer every day… just please stop saying "hunt operations"…
• Lack of formal training and training pipelines in the discipline
  • CompTIA CSA+ (new – available February 2017)
  • SANS FOR578 (you DO have $6k-7k, right?)
  • McAfee CCII, CCIP
  • University offerings??
  • Advanced – good luck! Try a different job?!?
• Published literature is sparse
  • "Cyber WARFARE!!!!" type
  • "Cyber Intelligence is super kala-scholar-ific" type
  • "Information Assurance… sorry I already fell asleep" type
  • Hidden in one-two pages of other discipline books
• Growing & in demand – Bureau of Labor Statistics
  • Information Security Analyst, SOC 15-1122
  • est. 18% growth 2014-2024. Baseline avg is 8%, IT is 12%
  • Median income (nation-wide) $90k – doesn't require a degree

Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, 2016-17 Edition, Information Security Analysts, on the Internet at https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm (visited February 10, 2017).

Page 7: HOPE!

• There are tools that sometimes help – and they look pretty so management buys them
• Cyber Threat Intelligence and Analysis isn't going away
• Opportunities exist to further the field
• CTAs are generally really helpful, like to share and are by nature curious
• Several key theories exist – and they WORK!

Page 8: Recommended definition of CTA

• KISS = Keep It Simple Stupid
• A Cyber Threat Analyst is someone who gathers data and information to compare against the known-knowns of an organization or entity to provide situational awareness of a given threat. Situational awareness is sometimes known as "intelligence" or specifically "cyber threat intelligence".
• Don't overthink it…

Page 9: Who are you?

• Porter's Five Forces Model
  • Originally a business model to identify the profitability of a company
  • Keep a positive outlook, not negative
• Apply it to the CTA cell or group
  • Helps to organize and identify those who influence the CTA cell or group.
• THEN apply it to the org or entity
  • What and who is actually important for your company to be successful

Porter, Michael E. (1985). Competitive Advantage: Creating and Sustaining Superior Performance. New York: Simon and Schuster. Retrieved 9 September 2013. https://en.wikipedia.org/wiki/Porter's_five_forces_analysis#cite_note-2

Page 10: Why? I am not a manager

• Knowing who supplies your data feeds will ensure you keep those data feeds.
• Knowing your and similar groups' swim lanes prevents "misunderstandings". It can also save you a lot of work.
• Knowing where your overall organization resides identifies who and what is likely to be targeted and who you should share with.
• If your organization builds ice cream pops and your major supplier of little wooden sticks isn't able to deliver, who is going to be hurting…?
  • Perhaps you should share threat intelligence with them
  • Perhaps you really were the intended target

Page 11: Communicate, work and organize like a business

• CTAs produce situational awareness of a given threat aka "intelligence".
• So, use business models for production
• Porter's value chain:
  • Break down individual functions and processes
  • Treat primary activities equally!
  • Highlights where automation can help and pretty tools fit (pew-pew maps are in marketing)
  • Graphically depicts all of the required phases
• Speak Business so that business leaders understand
• Combine Five Forces model with the value chain

(Figure: Porter's value chain primary activities – Inbound Logistics, Operations, Outbound Logistics, Marketing & Sales, Services)

Porter, Michael E. (1985). Competitive Advantage: Creating and Sustaining Superior Performance. New York: Simon and Schuster. Retrieved 9 September 2013. https://en.wikipedia.org/wiki/Value_chain

Page 12: Pick a risk analysis model and stick with it!

• Doesn't matter which, just implement one!! Stick with it and ensure whomever is getting the SA understands how it works.
• Situational awareness – (quantitative risk + potential steps to minimize) = ?????????? Pure Confusion ?????????
• My fav:

  Risk rating | Likelihood of detection | Requirements to impact | Potentially vulnerable
  High        | Low                     | Low                    | High
  Medium      | Medium                  | Medium                 | Medium
  Low         | High                    | High                   | Low

Page 13: Choose your own attack description

• Two major concepts
  • EC Council phases of attack
  • Lockheed Martin Cyber Kill Chain
• NOT a 1:1
• Descriptions of the stages of an attack that "have to occur" = CTA foundational knowledge
• The map in relative "time" of where data/information could be obtained and evaluated
• The real reason you need ALL of that data. From malware databases and Sysmon to Twitter, they feed different phases
• EG: An org's firewall log isn't going to catch hacker shmuck-a-telli writing a phishing email in grandma's basement. During a different phase, some indication of when it is received should show up.
• Full coverage of both is far outside of this presentation – read and understand both

  LM                     | EC
  Reconnaissance         | Reconnaissance
  Weaponization          | Scanning
  Delivery               | Gaining Access
  Exploitation           |
  Installation           | Maintaining Access
  Command and Control    |
  Actions on Objectives  | Clearing Tracks

Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains. Eric M. Hutchins, Michael J. Cloppert, Rohan M. Amin, Ph.D., Lockheed Martin Corporation. http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
EC Council five phases of attack. http://www.techrepublic.com/blog/it-security/the-five-phases-of-a-successful-network-penetration

Page 14: If you only remember one thing from this talk

• The Diamond Model of Intrusion Analysis
• FOUNDATION model of the Cyber Threat Analysis discipline as we know it – because it works…
• Proves that "The whole is greater than the sum of its parts." – Aristotle
• EG: Phases of an attack are just that, an attack. The Diamond Model explains how to get to the whole, as well as why and what to do when breaking down attack data/information by phase and the totality of the attack.
• Divides a given phase into four related constants: Victim, Actor, Infrastructure and Capability. (There is the whole cloverleaf of technology and socio-political ellipses but… those are the big 4.)
• The focus on ONE constant to identify more constants will keep a CTA's sanity intact. Not only when mining for information inside of that phase at the CTA's org but across time and space.
• There are other useful concepts in the paper for use of the model. Seriously, check it out.

The Diamond Model of Intrusion Analysis. Sergio Caltagirone, Andrew Pendergast, Christopher Betz. www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
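To make the "focus on ONE constant" idea concrete, here is an added example in Python; it is not from the talk or from the Diamond Model paper. Each event is one diamond (adversary, capability, infrastructure, victim) tagged with a Lockheed Martin kill chain phase from page 13. A pivot sequence names one feature per step, which is also the budget that page 19 asks for (set time limits, don't chase the rabbit). The events, names and the placeholder-value rule are this example's own assumptions.

```python
"""Added example, not from the talk: a small Diamond Model event store.

Each intrusion event is one diamond: the four core features (adversary,
capability, infrastructure, victim) plus the attack phase it sits in, named
with the Lockheed Martin kill chain phases. Pivoting on ONE feature at a
time links events into an activity thread; the length of the pivot sequence
is the analyst's budget. All events below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Sequence, Set

FEATURES = ("adversary", "capability", "infrastructure", "victim")

# Kill chain order, used to sort a thread into attack time.
PHASE_ORDER = ["Reconnaissance", "Weaponization", "Delivery", "Exploitation",
               "Installation", "Command and Control", "Actions on Objectives"]

# Placeholder values carry no analytic weight; pivoting on them would link
# every event in the store (a classic rabbit hole).
WILDCARD_VALUES = {"", "unknown"}


@dataclass(frozen=True)
class DiamondEvent:
    event_id: str
    phase: str
    adversary: str
    capability: str
    infrastructure: str
    victim: str

    def feature(self, name: str) -> str:
        """Read one of the four diamond features by name."""
        return getattr(self, name)


# Constructed events: two victims hit by the same RAT family through
# different C2 hosts, plus one unrelated spam delivery.
SAMPLE_EVENTS: List[DiamondEvent] = [
    DiamondEvent("E1", "Delivery", "unknown", "phish-doc-v1", "mail-relay.example", "finance-user-1"),
    DiamondEvent("E2", "Exploitation", "unknown", "macro-dropper", "mail-relay.example", "finance-user-1"),
    DiamondEvent("E3", "Command and Control", "unknown", "rat-family-a", "c2.example.net", "finance-user-1"),
    DiamondEvent("E4", "Delivery", "unknown", "phish-doc-v2", "mail-relay.example", "hr-user-7"),
    DiamondEvent("E5", "Command and Control", "unknown", "rat-family-a", "c2-alt.example.org", "hr-user-7"),
    DiamondEvent("E6", "Delivery", "unknown", "unrelated-spam", "other-relay.example", "sales-user-3"),
]


def pivot_chain(events: Sequence[DiamondEvent], seed_id: str,
                feature_sequence: Iterable[str]) -> Set[str]:
    """Pivot on one feature per step, starting from seed_id.

    Each step collects the values of that feature across everything found so
    far and pulls in every event sharing one of those values. The sequence
    length is the budget: when it is spent, the pivot stops."""
    by_id = {e.event_id: e for e in events}
    found = {seed_id}
    for feature in feature_sequence:
        if feature not in FEATURES:
            raise ValueError(f"not a diamond feature: {feature}")
        values = {by_id[i].feature(feature) for i in found} - WILDCARD_VALUES
        found |= {e.event_id for e in events if e.feature(feature) in values}
    return found


def activity_thread(events: Sequence[DiamondEvent], ids: Set[str]) -> List[DiamondEvent]:
    """Order the selected events per victim in kill chain time."""
    rank = {p: i for i, p in enumerate(PHASE_ORDER)}
    return sorted((e for e in events if e.event_id in ids),
                  key=lambda e: (e.victim, rank.get(e.phase, len(PHASE_ORDER))))


def feature_values(events: Sequence[DiamondEvent], ids: Set[str]) -> Dict[str, Set[str]]:
    """Collect the constants observed on each vertex of the linked diamonds:
    the 'identify more constants' step from the slide."""
    out: Dict[str, Set[str]] = {f: set() for f in FEATURES}
    for e in events:
        if e.event_id in ids:
            for f in FEATURES:
                out[f].add(e.feature(f))
    return out


if __name__ == "__main__":
    # Victim -> capability -> victim: the shared RAT family ties the two
    # victims together; the unrelated spam event stays out of the thread.
    ids = pivot_chain(SAMPLE_EVENTS, "E1", ["victim", "capability", "victim"])
    for e in activity_thread(SAMPLE_EVENTS, ids):
        print(f"{e.event_id:3} {e.victim:15} {e.phase:20} {e.infrastructure:20} {e.capability}")
    for feature, values in feature_values(SAMPLE_EVENTS, ids).items():
        print(f"{feature:15} {sorted(values)}")
```

Run from E1, the sequence victim, capability, victim links E1 through E5 and leaves E6 alone; pivoting on the "unknown" adversary links nothing, which is the point of the wildcard rule. Note that the shared mail relay would also pull in E4 from E1 on an infrastructure pivot, so the choice of which constant to pivot on first is itself an analytic decision.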

Page 15: Mitigation and Defense-in-Depth

• Mitigations are potential steps to lower the risk to an organization from a given activity. Lower the risk, lower the threat. It is what CTAs recommend.
• Defense-in-Depth recommends multiple layers of defensive measures for an organization and is considered a "best practice" in the industry.
• Made up of three major elements located in an organization: "People", "Technology" and "Operations".
• Meaning: CTAs MUST
  • Keep the current overall mitigation strategy in mind when evaluating risk
  • Recommend mitigation steps which encompass multiple options to lower the risk and the overall threat.
  • Break mitigations into "control" sections such as: Network, Host-based, Organizational Policy, O&M, and Training & Awareness.
  • Bonus points for cross-references with the Cyber Threat Matrix

NSA IAD Defense in Depth: https://www.iad.gov/iad/customcf/openAttachment.cfm?FilePath=/iad/library/ia-guidance/archive/assets/public/upload/Defense-in-Depth.pdf&WpKes=aF6woL7fQp3dJiQ646DSkgBDfzSWnCscTeevka

Page 16: The Pyramid of Pain and you

• Pyramid of Pain: "… shows the relationship between the types of indicators you might use to detect an adversary's activities and how much pain it will cause them when you are able to deny those indicators to them."
• Meaning: these are the Indicators of Compromise (IOC) you're looking for.
• The pyramid is a double-edged sword in mitigation implementation. IP/domain blocks are simple and easy to put in. Configuration changes & teaching a user to change their TTP and resist clicking a link is tough!

The Pyramid of Pain. David Bianco. http://detect-respond.blogspot.com.au/2013/03/the-pyramid-of-pain.html
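The "double-edged sword" point is easier to see with indicators sorted by pyramid level and then grouped by the control section (page 15) that would implement the block. The following is an added example in Python, not code from the talk or from David Bianco's post. The indicator values are constructed, the `tool:`/`artifact:`/`ttp:` prefix convention and the level-to-control-section mapping are this example's own assumptions, and the classifier only recognises MD5/SHA-1/SHA-256 hashes, IPv4 addresses and domain names from the value itself.

```python
"""Added example, not from the talk or from David Bianco's post: classify raw
indicators by Pyramid of Pain level and group the resulting mitigations by
the control sections named on the Defense-in-Depth slide. Indicator values
are constructed; the level-to-control-section mapping is an assumption.
"""
import re
from collections import defaultdict
from typing import Dict, List

# Pyramid levels, bottom (trivial for the adversary to change) to top.
PAIN_LEVELS = ["hash", "ip", "domain", "network/host artifact", "tool", "ttp"]

# Where the matching mitigation is implemented (example assumption): the
# cheap blocks land on network gear, the painful ones on people and process.
CONTROL_SECTION = {
    "hash": "Host-based",
    "ip": "Network",
    "domain": "Network",
    "network/host artifact": "Network",
    "tool": "Host-based",
    "ttp": "Training & Awareness",
}

# Tool, artifact and TTP indicators cannot be recognised from the value
# alone, so in this example they arrive with an explicit prefix.
PREFIX_LEVEL = {"tool": "tool", "artifact": "network/host artifact", "ttp": "ttp"}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
IPV4_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$")
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)


def classify(indicator: str) -> str:
    """Return the Pyramid of Pain level for one raw indicator string."""
    value = indicator.strip()
    for prefix, level in PREFIX_LEVEL.items():
        if value.lower().startswith(prefix + ":"):
            return level
    if HEX_RE.match(value) and len(value) in (32, 40, 64):   # MD5 / SHA-1 / SHA-256
        return "hash"
    m = IPV4_RE.match(value)
    if m and all(int(octet) <= 255 for octet in m.groups()):
        return "ip"
    if DOMAIN_RE.match(value):
        return "domain"
    raise ValueError(f"unrecognised indicator: {indicator!r}")


def rank_indicators(indicators: List[str]) -> List[str]:
    """Highest pain first, so a report leads with the mitigations that are
    hardest for the adversary to route around. Ties keep input order."""
    return sorted(indicators, key=lambda i: -PAIN_LEVELS.index(classify(i)))


def mitigation_plan(indicators: List[str]) -> Dict[str, List[str]]:
    """Group ranked indicators by the control section that would implement
    the block, so each team gets its own list."""
    plan: Dict[str, List[str]] = defaultdict(list)
    for i in rank_indicators(indicators):
        plan[CONTROL_SECTION[classify(i)]].append(i)
    return dict(plan)


# Constructed sample indicators (documentation ranges and placeholder names).
SAMPLE_INDICATORS = [
    "d41d8cd98f00b204e9800998ecf8427e",        # MD5 of an empty file
    "203.0.113.7",                             # TEST-NET-3 address
    "c2-alt.example.org",
    "artifact:beacon every 600s to a fixed URI path",
    "tool:rat-family-a",
    "ttp:macro-enabled invoice lure sent to finance staff",
]

if __name__ == "__main__":
    for section, items in mitigation_plan(SAMPLE_INDICATORS).items():
        print(section)
        for i in items:
            print(f"  [{classify(i)}] {i}")
```

The output puts the TTP under Training & Awareness first and the hash under Host-based last: the ordering is the pyramid, the grouping is the defense-in-depth control section, and a report built this way carries both the cheap block and the mitigation that actually costs the adversary something.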

Page 17: Dance break to summarize

• CTAs evaluate data and information from cyber intrusions aka activity-chains, with a focus on those chains which are similar or could impact their organization. The attacks can be broken down into their phases. Each phase has at least one diamond composed of four constants: Actor, Victim, Infrastructure and Capability.
• CTAs know their environment and current mitigations. Armed with this knowledge, the information from the activity chain can be evaluated to provide Situational Awareness (SA) aka Intelligence.
• SA or Intelligence contains information about the threat along with changes to current mitigations that can be implemented to lower any risk from the threat.
• Those mitigations should be "holistic" and can be broken into Network, Host-based, Organizational Policy, O&M, and Training & Awareness categories.
• Some of these mitigations can be easy to implement but are also easily bypassed by an adversary. The difficult mitigations, like those designed to impact Tactics, Techniques and Procedures (TTP), can be hard to implement but are the most hurtful to an adversary.
• Which is why CTAs provide multiple solutions to ensure a defense-in-depth strategy.

Page 18: Do we have time?

• Tips on collaboration and avoiding being Alice in Wonderland (common analytic pivoting pitfalls to avoid)
• How to support a SOC and play match-maker on the security team
• Recommended courses, certifications, reading and means to break into the industry

Page 19: Tips on collaboration and pivoting

• Set time limits on investigating a lead
• Automation is no substitute for talking with a fellow analyst
• Peer review / sanity check your findings, always!
• Don't chase the rabbit!!! Dig into one indicator type at a time (EG: infrastructure)
• Take lots and lots and lots of notes. With links!
• Ask questions! Even dumb ones… you may be surprised

Page 20: How to play match-maker

• "Good fences make good neighbors" – Robert Frost
• Management is not your only consumer of intelligence. Don't stop at the indicator list, enable those who you are passing information to.
• What helps them do their job? In what format?
• Target worker bees.

Page 21: Recommended reading and breaking into the industry

Reading:
• One everyone knows, one obscure and one forgotten:
  • 10 Commandments of Intrusion Analysis – Chris Sanders. http://chrissanders.org/2011/01/the-10-commandments-of-intrusion-analysis/
  • Command and Control in the Fifth Domain – Command Five Pty Ltd. https://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf
  • US Chairman of the Joint Chiefs of Staff Manual: Cyber Incident Handling – CJCSM 6510.01B. http://www.dtic.mil/cjcs_directives/cdata/unlimit/m651001.pdf

Breaking in:
• You cannot teach curiosity, but you can be tenacious. I hope you're both…
• "Cyber Threat Analysis is the art of taking one metal needle and finding the match in a haystack full of metal needles, inside a warehouse full of haystacks full of needles on a block with warehouses full of haystacks full of needles." – paraphrasing Serge
• Serve your country
• Internships in the DC Maryland Virginia (DMV) area
• Join the security community! – BSides DC 2016, Micah Hoffman. https://www.youtube.com/watch?v=gm4KgWr3A5w

Page 22: Questions???

Contact info:
Twitter: @cubed_wombat
www.cubedwombat.com

Page 23: References

• Diamond Model of Intrusion Analysis: www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf
• Porter's Value Chain: Porter, Michael E. (1985). Competitive Advantage: Creating and Sustaining Superior Performance. New York: Simon and Schuster. Retrieved 9 September 2013.
• Porter's Five Forces Model: https://commons.wikimedia.org/wiki/Category:Porter%27s_Five_Forces_Model
• Operational Risk Management (ORM): https://doni.daps.dla.mil/Directives/03000%20Naval%20Operations%20and%20Readiness/03-500%20Training%20and%20Readiness%20Services/3500.39C.pdf
• Pyramid of Pain: http://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html
• Lockheed Martin Kill Chain: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf
• Defense-in-Depth: https://www.iad.gov/iad/customcf/openAttachment.cfm?FilePath=/iad/library/ia-guidance/archive/assets/public/upload/Defense-in-Depth.pdf&WpKes=aF6woL7fQp3dJiQ646DSkgBDfzSWnCscTeevka
• EC Council five phases of attack: http://www.techrepublic.com/blog/it-security/the-five-phases-of-a-successful-network-penetration
• Bureau of Labor Statistics, U.S. Department of Labor, Occupational Outlook Handbook, 2016-17 Edition, Information Security Analysts, on the Internet at https://www.bls.gov/ooh/computer-and-information-technology/information-security-analysts.htm (visited February 10, 2017).
• 10 Commandments of Intrusion Analysis – Chris Sanders: http://chrissanders.org/2011/01/the-10-commandments-of-intrusion-analysis/
• Command and Control in the Fifth Domain – Command Five Pty Ltd: https://www.commandfive.com/papers/C5_APT_C2InTheFifthDomain.pdf
• US Chairman of the Joint Chiefs of Staff Manual: Cyber Incident Handling – CJCSM 6510.01B: http://www.dtic.mil/cjcs_directives/cdata/unlimit/m651001.pdf