www.ecs.co.uk
Threat Intelligence: State-of-the-art and trends
Secure South West 5
Andreas Sfakianakis
ECS
02/04/2015
ECS - Threat Management Strategy
Build a picture of your adversaries. Understand their strategies, objectives, methodologies and attributes.
Gain a clear understanding of your own network and systems alongside any weaknesses. Understand your countermeasures and contextual information. Bolster your countermeasures to deny attack channels.
Establish and execute business as usual threat intelligence, vulnerability management, monitoring and response procedures.
Review and report outcomes, deliverables, value and lessons learnt.
Roadmap
• Threat Landscape
• What is Threat Intelligence?
• Threat Intelligence Management
• Threat Intelligence Platforms
• Take aways
The Global Risk Landscape
What about …. Cyber?
Number of breaches per threat actor category over time
Threat Intelligence
• "We don't know what it is, but we need it.”• Intelligence is the application of knowledge to
information• Inform business decisions regarding the risks and
implications associated with threats.• Data is not information, information is not
knowledge, knowledge is not intelligence, intelligence is not wisdom.
• Buzzword of 2014!
Information versus Intelligence
Characteristics of Intelligence
Why do we need Threat Intelligence?
• Dynamic threat landscape
• Situational awareness (different sectors have different threats)
• Defend better by knowing the adversary
• From reactive to proactive
• Driving better investment strategies
• After all, it's all about … context, context and context!
Types of Threat Intelligence
                     Strategic                          Tactical
Created by           Humans                             Machines, or humans + machines
Consumed by          Humans                             Machines and humans
Delivery time frame  Days to months                     Seconds to hours
Useful lifespan      Long                               Short (usually)
Durability           Durable                            Fragile (*)
Ambiguity            Possible; hypotheses and leads OK  Undesirable; systems don't tolerate it
Focus                Planning, decisions                Detection, triage, response
How do we build it?
• Fundamental cycle of intelligence processing
• Civilian or military intelligence agency / law enforcement
• Closed path consisting of repeating nodes.
Embedding Threat Intelligence into the DNA of an organisation
Interrupting the kill chain
“Kill Chain” is a phase-based model to describe the stages of an attack, which also helps inform ways to prevent such attacks.
Threat Intelligence Sources
• Internal
• Open source
• Commercial
• Community/Information sharing
Internally-sourced Threat Intelligence
• Detailed analysis of locally caught malware
• Detailed analysis of disk images and memory images
• Threat actor profiles based on local data
• Artifacts shared by other organizations
• Fusing local data with shared data
• Behavioural analysis
Open Source Threat Intelligence
Open Source Tactical Feeds
Threat Intel Providers
What do Threat Intel Providers deliver?
Information Sharing
What is a Threat Intel Platform?
But…
Threat Intelligence Platforms
• ThreatConnect
• Detica CyberReveal
• IBM i2 Analyst Notebook
• Lockheed Martin Palisade
• Lookingglass ScoutPlatform
• MITRE CRITs
• Palantir
• ThreatQuotient
• ThreatStream
• Vorstack
• Codenomicon
• Soltra
• Intelworks
• IID
• ResilientSystems
• Swimlane
CRITs (Collaborative Research into Threats)
Soltra Edge
The need for security automation
STIX standard
Consider these questions:
• What activity are we seeing?
• What threats should I be looking for, and why?
• Where has this threat been seen?
• What does it do?
• What weaknesses does this threat exploit?
• Why does it do this?
• Who is responsible for this threat?
• What can I do?
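Each of these questions maps to a STIX construct (indicator, malware, vulnerability, threat actor, course of action, and the relationships between them). As an added example that is not from the talk, the block below hand-builds such a STIX 2.1 bundle in plain Python (no stix2 library) and runs two checks a platform should apply to received intel: that every relationship resolves inside the bundle, and that a tactical indicator is still inside its validity window, which is the "fragile, short lifespan" row of the Strategic vs Tactical table. STIX 2.1 postdates the talk (which used STIX 1.x); the domain, names, dates and CVE placeholder are all constructed.

```python
import uuid
from datetime import datetime, timezone

TALK_DATE = "2015-04-02T00:00:00.000Z"  # constructed timestamp (the talk's date)

def _ts(s):
    """Parse a STIX RFC 3339 timestamp (UTC, 'Z' suffix)."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def sdo(obj_type, **props):
    """Build a STIX 2.1 object carrying the common required properties."""
    return {"type": obj_type, "spec_version": "2.1",
            "id": f"{obj_type}--{uuid.uuid4()}",
            "created": TALK_DATE, "modified": TALK_DATE, **props}

def rel(src, relationship_type, dst):
    """STIX Relationship Object linking two objects by id."""
    return sdo("relationship", relationship_type=relationship_type,
               source_ref=src["id"], target_ref=dst["id"])

def build_bundle():
    """One object per question on the slide; every value is constructed."""
    # "What activity are we seeing? Where has it been seen?" -> Indicator (tactical)
    ind = sdo("indicator", name="C2 domain (constructed)", pattern_type="stix",
              pattern="[domain-name:value = 'c2.example.invalid']",
              valid_from=TALK_DATE, valid_until="2015-05-02T00:00:00.000Z",
              kill_chain_phases=[{"kill_chain_name": "lockheed-martin-cyber-kill-chain",
                                  "phase_name": "command-and-control"}])
    mal = sdo("malware", name="Example RAT (constructed)", is_family=False)  # "What does it do?"
    vul = sdo("vulnerability", name="CVE-PLACEHOLDER")  # "What weaknesses does it exploit?"
    act = sdo("threat-actor", name="Actor profile (constructed)")  # "Who is responsible?"
    coa = sdo("course-of-action", name="Sinkhole the C2 domain at the resolver")  # "What can I do?"
    objects = [ind, mal, vul, act, coa,
               rel(ind, "indicates", mal), rel(mal, "exploits", vul),
               rel(act, "uses", mal), rel(coa, "mitigates", mal)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}

def dangling_refs(bundle):
    """Relationships whose endpoints are missing from the bundle: an import/sharing defect."""
    ids = {o["id"] for o in bundle["objects"]}
    return [o["id"] for o in bundle["objects"] if o["type"] == "relationship"
            and not ({o["source_ref"], o["target_ref"]} <= ids)]

def indicator_is_current(ind, when):
    """Tactical intel is fragile: honour the validity window before acting on it."""
    t = _ts(when)
    return _ts(ind["valid_from"]) <= t and ("valid_until" not in ind or t < _ts(ind["valid_until"]))

def current_indicators(bundle, when):
    """Indicators from the bundle that are still valid at the given time."""
    return [o for o in bundle["objects"]
            if o["type"] == "indicator" and indicator_is_current(o, when)]
```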
Structured Threat Information Expression
STIX/TAXII Adoption
Take aways
• Current state of TI is still initial BUT has great potential
• Context is critical (makes everyone's job easier)
• Intelligence-led defence has significant operating costs
• Do not blindly invest in intelligence (first think of requirements, DIY vs buy)
• Look for upcoming automation/tool developments
• Do not forget people and processes!
Thank you for your attention!
Questions?
@asfakian