Threat Intelligence Plan

Cyber Intelligence

Date: August 28, 2017


Executive Summary

Over the past 10 years, Company X has gone through a major digital transformation, moving applications and workloads from physical to virtual infrastructure and now to the Cloud and the Internet of Things (IoT). This combination of changes has led to an increased reliance on interconnected information technology and on the interdependencies of a more complex ecosystem, one that requires real-time data correlation and collaborative decision-making to respond successfully to the organization’s business and technology landscape. As these information technologies evolve to support Company X’s vision, strategy and ecosystem, it is increasingly important that security solutions keep pace with these technological advances and their related vulnerabilities, advanced malware threats, ransomware, phishing, distributed denial of service and other cyber-attacks that could lead to the compromise of Company X’s information assets.

As we have seen in recent attacks such as the Petya and WannaCry ransomware or the Dyn DDoS attack, adversaries have become more proficient in exploiting these new attack surfaces and threat vectors. According to Trend Micro, “2016 was the year of on-line extortion to enterprise customers” and companies have seen an ‘increase of new ransomware families spiked to 752% compared to the previous year.’ Also, “The top attack vector is from email through the form of malicious spam and phishing downloaded via social engineering.” In 2016, Trend Micro also reported that its products, services and customers had blocked over 81 billion threats. In addition, Business Email Compromise (BEC) has caused an average of $140,000 in losses per incident for companies world-wide. (1,4) For example, the WannaCry attack shut down 16 United Kingdom hospitals, making medical records unavailable to the employees, doctors and nurses who needed them to perform basic medical care for patients. The same attack affected as many as 45,000 computers across 74 countries, including a number of energy companies in Spain. (2) Another ransomware family, CryptoLocker, affected more than 250,000 PCs world-wide, with the US and UK the worst hit. Ransomware attacks have also affected auto assembly plants in France, Romania, the UK and Japan. (3)

As we all know, the threat landscape and the adversaries in it continue to evolve in seeking to gain access to Company X’s information assets. To keep pace, Company X has to develop a comprehensive, risk-based Threat Intelligence Framework and look at security holistically as part of our overall Information Security Strategy. Within this information security framework, we need to identify the critical areas to address: understanding the threat landscape, the adversary, and the attack surfaces and vectors that could allow the organization to be compromised and critical assets and data stolen. This is what we call the Threat Intelligence Framework. With it, our organization will be in a better position to identify, prevent, detect, respond to, recover from and predict the threats of today and tomorrow.

Implementing an effective and cost-efficient Threat Intelligence Framework for cyber security requires Company X to develop an improved, systematic process and to leverage technologies that streamline implementation and improve the effectiveness of security controls. In this cost-constrained environment, Company X’s leadership needs to balance and prioritize security activities based on risk and on how they increase the odds of meeting our vision and strategy.

This Threat Intelligence Framework is an addition to our existing Information Security Framework, Risk Management Framework and Threat Life Cycle Management Framework. Completing this fourth component framework should provide Company X with a comprehensive security strategy that will help our company achieve its business goals and objectives.

Finally, our organization needs an Incident Response (IR) team with the domain expertise to analyze and respond to any cyber-attack, before and after the fact, through the “Cyber Kill Chain”, so that we can continue to enhance the security policy, security controls and education of the organization. Knowing when, who, what, why and how such an attack takes place will be a critical part of the post mortem performed by our information security and IT organizations.

Threat Evolution

The threat environment has evolved over the years. The older threats still exist, but new and more damaging threats are being developed each year. Now we are dealing with ransomware, targeted attacks, advanced persistent threats and creative mobile attacks that take advantage of new vulnerabilities, social engineering and mobile proximity.

They are stealthy and are designed to fly under the radar, undetected, and to steal your valuable data. And your data is everywhere--in the cloud, on virtualized servers, and on mobile devices. It needs to be protected, without slowing you down.

As our lives, and for that matter, the entire global economy, have become increasingly dependent on Web-based systems and interconnectivity to operate smoothly, cyber-attacks have emerged to stalk us nearly every step of the way. In fact, they’ve grown so complex and varied that traditional IT system defenses such as antivirus (AV) software and intrusion prevention systems (IPSs) are not enough on their own.

Most recently in 2016, we saw the rise of Business Email Compromise (BEC), which the US FBI estimates has led to over $3B in losses globally over the past 2 years. The ROI for threat actors also led to this rise of BEC. According to the FBI, the average loss from this threat is $140K while ransomware is approximately $30K on the high end. (5)

As these threats evolve, it is clear that traditional techniques won’t be able to prevent all threats. Additional layered security and specialized Threat Intelligence and Visibility into these attacks are needed.

References (6, 7)

References (8, 9, 10)

The Threat Actors

To help our organization develop a Threat Intelligence Framework, let’s first try to understand who the threat actors are and the types of attack vectors they use to compromise most organizations. Below is a list of some key threat actors and the types of activities they typically engage in.

Criminals – Cybercrime has overtaken the drug trade to become the most profitable illegal industry. Most criminals operate through phishing campaigns, using emails to get recipients to open attachments which then activate malware. A variation of phishing is “whaling” – emails purporting to come from a company executive directing a staff member to wire money to a foreign account.

Hacktivists – Individuals or groups who target websites to damage an organization’s reputation. Their objective may be to steal incriminating or embarrassing information, or simply vandalism. They do this through distributed denial of service attacks using controlled computer networks (botnets).

State sponsored attackers – These attacks are aimed at stealing or manipulating an organization’s data by gaining sustained access to its IT infrastructure. These “advanced persistent threats” take a long time to detect – the average is about five months.

Insiders – They may be rogue employees out for revenge or profit. Others may simply be careless about cyber security. In all cases, they put confidential information at risk.

Individual – A specific person or group acting on their own and not a member of any other threat actor category. This could be a kid at school bringing down school networks for fun, or a group of people who deface sites in the hope of impressing someone (not political).

Cyber Terrorist – An actor who carries out an attack designed to cause alarm or panic with ideological or political goals, or who is a party to a known terrorist organization.

Information Security – Includes organizations or persons from, or whose actions affect, the Information Security sector: security researchers, computer scientists, antivirus vendors, CERTs and (non-state-sponsored) threat intelligence providers.

Hacker – A person who uses computers to gain unauthorized access to data, using programs such as key loggers or other malware.

Malware writer – Script kiddies who never grew out of their childhood virus-writing and continue to write malware that can be used and sold to organized criminals to compromise organizations for financial gain. They typically remain secretive and underground, and some of them are among the best malware writers, producing viruses that spread and infect computers around the world.

Reference (11)

Threat Vector

Threat vectors are the routes that a malicious adversary uses to get past your cyber security defenses and infiltrate your network. There are many different threat vectors; here are some of the most critical ones that we have to pay attention to.

Network – The perimeter of your network, usually protected by something like a firewall.

Email – Phishing attacks and malicious attachments target the email threat vector.

Web Application – SQL Injection and Cross-Site Scripting are just two of the many attacks that take advantage of an inadequately protected Web Application threat vector.

Remote Access – A corporate device using an unsecured wireless hotspot can be compromised and then passed on to the corporate network.

Mobile – Smart phones, tablets and other mobile devices can be used to pass malware and other attacks on to the corporate network. Additionally, mobile malware may be used to steal useful data from the mobile device.

Key Components of the Company X Security Strategy

For our organization to be successful in addressing cyber threats, we need to have the following key frameworks: the Information Security Framework, the Risk Management Framework, the Cyber Threat Life Cycle Management Framework and a comprehensive Threat Intelligence Framework. I will briefly describe each of them and how they integrate to provide a comprehensive security plan for our organization.

What is an Information Security Framework?

An information security framework is a series of documented processes that are used to define policies and procedures around the implementation and ongoing management of information security controls in an enterprise environment. Today Company X has implemented the information security framework across the organization to ensure the confidentiality, availability and integrity of our information systems.

Risk Management Framework

Managing risk in any organization is a complex, multifaceted activity that requires the involvement of the entire organization: from senior leaders and executives providing the strategic vision and top-level goals and objectives, to mid-level leaders planning, executing and managing projects, to individuals on the front lines operating the information systems that support the organization’s missions and business functions. Risk management is a comprehensive process that requires organizations to frame, assess, respond to and monitor risk on an ongoing basis, using communication and feedback loops to continuously improve how the organization manages its risk. Risk management is carried out as a holistic, organization-wide activity that addresses risk from the strategic level to the tactical level, ensuring that risk-based decision making is integrated into every aspect of the organization.

The slide below describes the overall risk management process and the steps that we have implemented inside Company X today.

Reference (12)

Cyber Threat Life Cycle Management Framework

The diagram below shows the six phases of our organization’s Cyber Threat Life Cycle Management Framework, which we believe is applicable to organizations like ours and which we currently have in place.

Diagram: Cyber Threat Life Cycle Management Framework (8)

Core Components of the Cyber Threat Life Cycle Management Framework:

Identify – Identify and understand the cyber threats and risks to systems, assets, data and capabilities.

Prevent – Ensure that critical systems are safeguarded against threats and are kept continually available.

Detect – Identify the attack incident.

Respond – Plan of action needed to respond to the incident.

Recover – Plan to maintain and stay resilient against the threat.

Predict – Plan to identify and predict the threat from the intelligence.

Company X Threat Intelligence Framework

To be successful in implementing our security strategy, we need to develop a good and well-designed intelligence framework: a plan to help our organization predict and understand the risks and threats of today and tomorrow, including intelligence on the threat actors, where and from which countries the attacks are coming, which industries the threat actors are targeting, and what the threat vectors are and the damage they can do to an organization. Using this threat intelligence, the organization can be prepared and plan to defend itself from these attacks to minimize damage.

As we all know, in the world of cyber security there is no silver bullet. What an organization can do is try to minimize its exposure and be vigilant and proactive in its defense against the adversary, by putting a good intelligence plan in place to help it get ahead of the adversary.

What is Threat Intelligence?

The definition of intelligence is very broad and it may be defined differently by different types of industries and areas of focus. So, for Company X, we will define threat intelligence as “the process of planning, collecting, analyzing, production, dissemination and taking action on.... intellectual property attacks”.

What is a Threat Intelligence Framework?

A Threat Intelligence Framework is defined as the process of collecting, analyzing and distributing cyber threat information to help executives, managers, and IT and Security professionals develop strategies and plans to prevent and protect the organization from critical infrastructure and intellectual property attacks.

Below is the threat intelligence framework and process we will be implementing across Company X. This intelligence process will be implemented across all levels of the organization, at the leadership level, the operational level and the tactical level.

Planning Process – This process focuses on the strategy and objectives of the threat intelligence: where it is coming from, and whether the data is credible and timely enough to help our organization make decisions.

Collection Process – Focusing on the accessibility and availability of the data on a timely basis: is the data up to date and relevant to the organization’s goals and objectives? Examples of sources, feeds and formats are RSS feeds, Syslog, SIEM logs, application logs, security logs (Firewall/IDS/IPS), the various security groups and blog posts.

Analysis Process – This process focuses on taking all the data collected and centralizing it in one location so it can be validated, correlated, normalized and categorized to support decision making.

Production Process – Focusing on reviewing the data that has been normalized across the organization and determining whether the organization is flexible enough to deal with such intelligence and take action on it.

Dissemination Process – This process focuses on how to communicate the normalized data to the executive/business (business-line manager) and technical (security team) stakeholders so that they can take action.

Action Process – This process focuses the business and technical teams on the plans and activities that the organization needs to perform based on the threat intelligence findings. These include regular risk assessments, pre-emptive preparation and mitigation, enhanced monitoring and security controls, response to the threat, and external and internal communication in the event that the organization is being attacked. (8)

Once the Threat Intelligence Framework is defined, we can leverage some of the operational tools and technologies available in the market to help us move quickly without a long development cycle, for example SIEM tools, Endpoint Detection and Response tools, Firewall and IDS/IPS logs and log analysis tools.
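
As an added illustration of the Collection, Analysis and Production steps above (example code written for this page, not part of the Company X plan or of any product), the script below normalizes constructed firewall/IDS, mail-gateway and web application records into one schema, rejects records that fail validation, correlates the rest per asset and ranks the resulting incidents by how many kill-chain phases they span. All hosts, addresses, signature names and the phase/vector mapping are assumptions made for the example.

```python
"""Analysis step of the intelligence process: validate, normalize, correlate and
categorize records from several collection sources. Added example, not part of the
Company X plan: every log line, host, IP (RFC 5737 ranges) and mapping is constructed."""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Constructed sample records. Firewall/IDS and mail-gateway feeds share a
# '<ts> <host> <action> k=v ...' syslog-style format; the web app log differs.
KV_LOG = [
    "2017-08-28T09:01:10Z fw01 IDS sig=CONSTRUCTED_SMB_EXPLOIT src=203.0.113.7 dst=10.0.5.21",
    "2017-08-28T09:04:40Z fw01 DENY src=10.0.5.21 dst=198.51.100.9 dport=4444",
    "2017-08-27T10:00:00Z mx01 attachment-blocked host=10.0.5.21 file=report.doc.exe",
    "2017-08-28T08:58:02Z mx01 attachment-blocked host=10.0.5.21 file=invoice.js",
    "this line is deliberately malformed",
]
WEBAPP_LOG = [
    '2017-08-28T09:30:00Z web01 203.0.113.7 "GET /login?user=%27%20OR%201=1--" 500',
    '2017-08-28T09:31:00Z web01 192.0.2.44 "GET /index.html" 200',
]
# Event type -> (kill-chain phase it evidences, threat vector). An analyst's assumption.
PHASE_BY_TYPE = {
    "attachment_blocked": ("Delivery", "Email"),
    "ids_exploit": ("Exploitation", "Network"),
    "egress_deny": ("Command and Control", "Network"),
    "web_injection": ("Exploitation", "Web Application"),
}
# Record action -> (event type, field naming the asset: IDS victim = dst, egress host = src).
KV_TYPES = {"IDS": ("ids_exploit", "dst"), "DENY": ("egress_deny", "src"),
            "attachment-blocked": ("attachment_blocked", "host")}

def _event(ts, etype, asset):
    phase, vector = PHASE_BY_TYPE[etype]  # common schema every source is normalized into
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "type": etype,
            "asset": asset, "phase": phase, "vector": vector}

def parse_kv(line):
    ts, _host, action, rest = line.split(" ", 3)
    etype, asset_key = KV_TYPES[action]  # unknown action -> KeyError -> rejected
    return _event(ts, etype, dict(re.findall(r"(\w+)=(\S+)", rest))[asset_key])

def parse_webapp(line):
    m = re.match(r'^(\S+) (\S+) \S+ "([^"]*)" \d{3}$', line)
    if not m:
        raise ValueError("unknown web record")
    ts, host, request = m.groups()
    decoded = unquote(request).lower()  # decode before inspecting the request
    if "'" in decoded or " or 1=1" in decoded:
        return _event(ts, "web_injection", host)  # the asset is the attacked server
    return None  # ordinary traffic carries no intelligence value here

def normalize(feeds):
    """feeds = [(parser, lines), ...]; returns (events sorted by time, rejected count)."""
    events, rejected = [], 0
    for parser, lines in feeds:
        for line in lines:
            try:
                ev = parser(line)
            except (ValueError, KeyError):
                rejected += 1  # validation failed: count it, never guess the fields
                continue
            if ev is not None:
                events.append(ev)
    return sorted(events, key=lambda e: e["ts"]), rejected

def correlate(events, window=timedelta(hours=1)):
    """Per-asset incidents (events within `window`), ranked by distinct phases seen."""
    incidents, open_by_asset = [], {}
    for ev in events:
        inc = open_by_asset.get(ev["asset"])
        if inc is None or ev["ts"] - inc["end"] > window:
            inc = {"asset": ev["asset"], "start": ev["ts"], "end": ev["ts"],
                   "phases": [], "vectors": set()}
            incidents.append(inc)
            open_by_asset[ev["asset"]] = inc
        inc["end"] = ev["ts"]
        inc["phases"].append(ev["phase"])
        inc["vectors"].add(ev["vector"])
    for inc in incidents:  # a chain that has progressed further outranks one blocked mail
        inc["priority"] = len(set(inc["phases"]))
    return sorted(incidents, key=lambda i: (-i["priority"], i["start"]))

def analyze(feeds=((parse_kv, KV_LOG), (parse_webapp, WEBAPP_LOG))):
    events, rejected = normalize(feeds)
    return correlate(events), rejected
```

Running analyze() on the constructed records yields three incidents: the host that received a blocked attachment, then triggered an IDS exploit signature and then had outbound traffic denied ranks first with three phases, while the day-old blocked attachment and the web injection attempt each rank as single-phase incidents.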

Understanding the Threat Intelligence Tools

The Threat Intelligence tool(s) we select must be easy to use and understand. It has to be customizable to meet Company X’s objectives and ensure it addresses four key critical areas for our organization. These areas are:

1. Identify threat intelligence by aggregating all the threat intelligence from trusted external sources and internal sources, to ensure the accuracy of the information and reduce false positives for better decision making.

2. Provide the ability to analyze, manage, coordinate and prioritize the organization’s entire security operations identification, prevention and response effort in a single dashboard view.

3. Provide an automated, orchestrated work-flow and threat database to create an effective and efficient process for prioritizing threats, and then integrate with the IT systems (including other security products) to respond to the threat proactively.

4. Provide a single consolidated view of the entire organization’s threat intelligence so that decisions are easy to make and act on.

5. The tool must provide a good return on investment and decrease the overall total cost of ownership over time.

Understanding the Threat Cyber Kill Chain

To enhance and improve our company’s security policy and security controls, we need a good understanding of the “Threat Cyber Kill Chain” and must implement it as part of our overall Threat Life Cycle Management Framework. Currently, our organization does not utilize a Threat Cyber Kill Chain as part of its continual security improvement plan.

Many versions of the Threat Cyber Kill Chain are available and documented on the internet, so we can simply follow one of them. The most common and simplest is the Lockheed Martin “Cyber Kill Chain”.

The Threat Cyber Kill Chain refers to the different stages of a cyber-attack on an organization, from early reconnaissance to the goal of exfiltrating data out of the organization. For the organization, it is a way of assessing and managing security controls to enhance its security posture and ensure the adversary cannot penetrate the network. For a cyber-attack to be successful, the adversary must go through a number of phases. These phases are as follows:

Kill Chain Phase – Activities

Reconnaissance – The adversary assesses the target for any vulnerabilities in the network: open source assessment, port scanning, etc.

Weaponization – The adversary creates a remote access control malware program, such as a worm, virus or advanced persistent threat, targeting the vulnerabilities found.

Delivery – Delivery of the malware or weapon to the target via email phishing attachment, web drive-by or USB drive.

Exploitation – The malware program executes and runs its malicious code to exploit the vulnerability on the target.

Installation – The malware installs itself on the compromised system and opens up a back door for the adversary.

Command and Control – The malware program allows the adversary full access to and control of the compromised system.

Actions on Objectives – The adversary takes action to achieve its goals and objectives, for example data exfiltration, data encryption for ransom or data destruction.

Reference: Lockheed Martin “Cyber Kill Chain”.

Post Mortem (Understanding the When, Who, What, Why and How of an Attack)

For our organization to be successful in improving our security policy and security controls, we need to understand how an attack happened during an incident. To ensure this, we need to implement processes and procedures for the incident response team to follow when performing their root cause analysis. Such a root cause analysis needs to include the following key questions:

When did the attack happen?

Who is the attacker?

Why did the attacker choose our company?

What type of information is the attacker trying to gain access to or control of?

How did the attack take place?

By understanding these key elements, our organization can continue to enhance our security policy, security controls and improve the response and recovery process.

Interdiction Point and Low Hanging Fruit Improvement

The interdiction point in the cyber kill chain is a critical area that our organization needs to understand so we can enhance the security policy and security controls to prevent today’s and future attacks. Success at the interdiction stage requires good Threat Intelligence and an understanding of the Cyber Kill Chain™.

Based on our current security strategy and the comprehensive frameworks discussed above, these are some of the recommended improvements that we need to make to enhance the security posture of the organization so it is prepared to respond to attacks.

1. Re-assess our Security Framework – Security Policy, Security Controls, Training and Education on cyber threats – and make sure it is kept updated with the latest Threat Intelligence.

2. Re-assess our Cyber Threat Life Cycle Management Framework to ensure that every stage of the process gets reviewed and improved.

3. Implement a quarterly cyber security education and training program for all levels of the organization to ensure employees understand the importance of good security practices and of sharing threat intelligence.

4. Implement a good back-up and recovery plan across the organization.

Strategic Threat Intelligence Improvement

For the Threat Intelligence Framework to be implemented successfully and improve the security posture of our organization, there are five key strategic areas that the organization has to understand.

1. The leadership team in our organization needs to recognize the importance of threat intelligence and its contribution to overall business success. With threat intelligence available at that level, the leadership team can build critical security requirements into its strategic business planning process and ensure that all levels of the organization understand the importance of the initiative, resulting in an easier implementation of the plan.

2. From a strategic-plan perspective, there should be a corporate-level function to collect, analyze and distribute the latest Cyber Threat Intelligence and trends across the entire organization, so that all employees are up to date with the latest technologies and threat trends and with anything that the executives and managers need to make decisions on.

3. At the operational level, the IT and Information Security teams need to build and improve their threat intelligence knowledge so that it helps them in the day-to-day tactical decision making on cyber-attacks, including where and how to prioritize the organization’s technical resources. This threat knowledge can include the threat landscape, new threat vectors, new attack surfaces, new types of cyber threats, and the level of sophistication and the techniques being applied by the adversary.

4. Finally, at the tactical level, cyber intelligence can be collected directly from the adversary, from research in the dark web, or through any form of real-time analysis and monitoring threat intelligence tools that can help the organization make decisions on the potential threat.

5. We all know that there is no 100% guarantee (no silver bullet when it comes to cyber-attacks) that an organization cannot be compromised; therefore, one other very important component of threat intelligence is to have a very clear plan for communicating to the media, customers and partners if we are breached. This will give our customers, partners and the public confidence that the organization has done everything it can to protect confidential information from being compromised.

Reference (13)

References:

1. Threat landscape; https://documents.trendmicro.com/assets/rpt-2016-annual-security-roundup-a-record-year-for-enterprise-threats.pdf

2. UK Hospital hit with massive ransomware attack; https://www.theverge.com/2017/5/12/15630354/nhs-hospitals-ransomware-hack-wannacry-bitcoin

3. CryptoLocker ransomware has infected 250,000 PCs; http://www.bbc.com/news/technology-25506020

4. A record year for Enterprise Threats; https://www.trendmicro.com/vinfo/us/security/research-and-analysis/threat-reports/roundup

5. Threat landscape; https://documents.trendmicro.com/assets/rpt-2016-annual-security-roundup-a-record-year-for-enterprise-threats.pdf

6. Ransomware took in $1 billion in 2016; http://www.csoonline.com/article/3154714/security/ransomware-took-in-1-billion-in-2016-improved-defenses-may-not-be-enough-to-stem-the-tide.html

7. Threat landscape; https://documents.trendmicro.com/assets/rpt-2016-annual-security-roundup-a-record-year-for-enterprise-threats.pdf

8. UK Hospital hit with massive ransomware attack; https://www.theverge.com/2017/5/12/15630354/nhs-hospitals-ransomware-hack-wannacry-bitcoin

9. Petya Ransomware Outbreak Goes Global; https://krebsonsecurity.com/2017/06/petya-ransomware-outbreak-goes-global/

10. Block; https://www.symantec.com/connect/blogs/what-you-need-know-about-wannacry-ransomware

11. The Beacon Group of Company; Four types of threat actors and how to combat them; http://www.thebeacongrp.com/2016/09/four-types-of-cyber-threat-actors-and-how-to-combat-them/

12. Source: NIST; http://csrc.nist.gov/publications/nistpubs/800-37-rev1/sp800-37-rev1-final.pdf

13. The Cyber Threat and Introduction to Intelligence Studies