Using CTI to Improve Security Awareness and Training

After you have watched this Webinar, please feel free to contact us with any questions you may have at general@anomali.com.
Transcript
Hi, everyone.
Marco here, head of content marketing at Misti.
Want to thank you for joining us for this presentation that's part of our Security Awareness eSummit titled Using CTI to Improve Security Awareness and Training, sponsored by Anomali.
Now leading today's discussion is Bryan Geraldo, senior director of professional services and customer success at Anomali.
Bryan has more than 22 years of experience in the IT space and he has a strong understanding of various areas in IT security, including SCADA and process control environments, threat intelligence, and malware analysis.
Today we're going to be lucky enough to tap into his expertise during the presentation, and for that he'll be discussing the use of cyber threat intelligence as a means to help identify potential future threats, based on actor profiles and tactics.
He'll also examine scenarios and provide examples where CTI can be used to potentially increase the efficiency and effectiveness of security training programs.
Just a couple housekeeping notes.
Remember, keep in mind that slides are available to download via the blue files button.
Just select files in the lower left hand corner of the screen.
And if you have any questions at all, remember to use the green Q&A button.
That being said, Bryan, over to you.
So thanks for that introduction.
So this talk is about, as mentioned, using CTI to improve security awareness and training.
As already mentioned, my name's Bryan Geraldo.
I'll just kick things off and start with the first slide.
Just go through the agenda.
So the agenda that I have a-- [INAUDIBLE] look at security issues we have seen in the past.
We want to really understand the goal of the presentation, the primer of what is cyber threat intelligence, and highlight how it is used in practice and how it can be leveraged for security awareness, and then just the summary.
And please be aware that we'll keep-- we'll have questions at the end.
So what we've seen in the field, so often clients have-- what we see is called the single point of failure.
That one point of failure leads to the toppling of the security infrastructure.
We've seen this time and again in my 22 years.
Predominantly, I did quite a lot of work in ethical hacking and penetration testing before I went on the defensive side and worked on intelligence.
And so, you know, any single point of failure can really affect what's going on within the environment and these are some of the more sort of well-known ones.
And so this is what we see out in the field, and so we're trying to stem that.
We're trying to make sure that we are minimizing that single point of failure as much as possible.
And so that's where cyber threat intelligence comes in practice as a way to help in minimizing those issues.
And the goal for today is to provide you with some simple examples of how threat intelligence can be used to both alter your security awareness and training program.
As previously mentioned and in the other slide, what we're seeing in the field, the single points of failure.
One of the big ones are just following processes and the humans behind those processes and those technologies.
And so security awareness is a very, very important component of addressing these single points of failure.
And so the focus is to talk about how we can use cyber threat intelligence to empower, to fix the security awareness program within an organization.
So let's start off by understanding intelligence, sort of the classic definition of intelligence, right?
You know, it really, and I'm not going to go and read all of this, but essentially, it really informs decision making efforts.
That's sort of what we're there for.
If you understand five different pieces of information, you can understand, potentially what activity is occurring.
A classic example is somebody that is-- if you're using a classic intelligence analyst example-- there's a religious holiday of a certain type, there's a religious subgroup of a certain type, there you find out that somebody has purchased some type of kit of some kind, that can be used in some unfortunately malicious fashion.
And you've heard chatter that they're known actors of malicious intent that are talking weeks before this activity.
So hey, we need to at least inform some of these people about this activity, and that informs the decision, right?
Whether or not you actually inform them, how you inform them, what you do about it.
That's sort of our classic idea of intelligence.
And so it's something that when you're looking about it, or when you're thinking about it from our tools perspective, it's information that will help you and your tools make better decisions for cyber threats.
I also wanted to point out some essential classic characteristics of threat intelligence: it's always a support function.
It's never the main event.
It's never the main reason why you're doing something.
It's always providing the underpinnings of the decision making process.
You always want it to be proactive, you want to move from being from a reactive position for your threat intelligence, to it being a very proactive effort.
Over time by doing that, what you do is you allow for the-- instead of it being, OK, we're responding to an incident.
What you're doing is you've identified activity based on somebody else reporting it, based on the environment we have, based on activity that we've seen from the actor, and as a result of that, we're going to put these measures in place to potentially stop the activity from even occurring before it happens.
And so those are some of the things that threat intelligence is meant to do, it's meant to be proactive as opposed to reactive.
Reactive is fine but proactive is better obviously.
And then it needs to be relevant, it needs to be relevant to those consuming the information.
As mentioned, if it's something that's not tied to your organization why would you want to consume that information and look for it.
Why would you want to look for a certain type of activity against your environment if you don't even own that operating system or application?
This slide is a very- in my mind there's a lot of things going on here so I'm going to point out some of the things that I think are very important.
Threat intelligence in practice as mentioned, there is the reactive side of the house.
And this is where you have a lot of things like IOCs, the tactical level activity where you're getting indicators of compromise or things that are being observed, observables, and you're pushing that into your tools and you're seeing activity, and you are then reacting to that as a SOC analyst or as an [INAUDIBLE] responder.
But what you're trying to do is, you're actually trying to create what we call temporal distance.
The temporal distance, or space, is where you have the opportunity to interrupt an adversary before the attack progresses.
As an example, you are using a product that lets you know about homoglyphic domain patterns, and homoglyphic domain patterns are things like typosquatting, or using a Greek character A, as opposed to a Roman character A, to then bypass your existing security controls to send a phishing email.
If you know about this activity based on knowing it in advance that this could occur, you can then take steps to actually mitigate the attack.
And so what you're doing is you're again, building that temporal distance between you and when the attack occurs.
And so that means you're moving from reactive, to proactive.
That means that you're also spending a lot of time focused on doing research for your environment and your organization and getting the information from your internal teams to drive that research as well as the external data that's available, to filter out the signal from the noise and really give the organization valuable information on how to address some activity.
Part of the effort really is groups like security awareness.
Think about how you can use security awareness as a means to leverage threat intelligence, or use security awareness as a means to actually get information from people on the ground.
So that if somebody hears of some phishing attack, or you get something strange on your laptop, you provide that to the right teams, they should bubble that up to whoever is doing cyber threat intelligence.
And they can go and start taking a look and see, OK, is there a broader pattern of activity?
What's the canvas of this attack, how far are we on this?
And so this will help in doing that.
Obviously security awareness I'm using it from-- you using security awareness as a way to actually help provide information to threat intelligence as part of the internal information that you send up to the organization.
But there's also obviously other groups that are providing that information as well, so just keep that in mind.
I'm going to just go over some classic examples of how an organization can use cyber threat intelligence to affect their security awareness program.
You can take advantage of CTI, and the way you can do that is if for instance, there's activity that's occurring, and this example is a classic phishing example, the cyber threat intelligence team finds phishing emails in domain and reports it to IT security staff.
And the IT security staff can send out security awareness email to all staff of this real world activity, and what to do about it.
So what you're doing is, based on using the temporal distance that you've built, you are providing awareness, security awareness to the staff on the ground.
And that staff on the ground can then let you know about whether or not maybe that activity has already occurred, or is in the process of occurring, or hasn't occurred but either way, you're letting them know of this activity and they can then take the necessary steps to make the right decision as a result of the information you've provided.
So now you've gone from just providing information from CTI to somebody else in the security department, to the entire organization.
And that's pretty powerful.
When you're having discussions with how you use cyber threat intelligence, consider including cyber threat intelligence not only for the classic relationship that's available with security practitioners, but also disseminating that down to staff in an appropriate way so that the staff know about the activity and can take the right types of actions.
So that's one way that security awareness can be effective and can be used and leveraged with CTI for an organization.
The second way is leveraging CTI for tactics, techniques, and procedures, or vulnerability example.
If your organization is-- and your CTI team finds that there is some type of seedy activity, some threat, and reports it to IT security staff because you know that you have this within your environment, there's an attack that's occurring against-- you have a SAP system that's running on a version of Windows that has this type of database, and has this type of web front end, for these types of activities and you know that there's a big vulnerability out there.
And part of this is available externally because you have partners or vendors that are using this as part of some effort-- an invoicing system-- I don't know what it could be, but that does occur on a regular basis.
Then CTI finding this and reporting it to security, that will force the IT security team to then provide and send out messages to everybody in the organization, hey, you should be aware that there's this type of activity that's occurring and as a result of that, we're going to be implementing a patch.
And it will incentivize the staff on the ground-- again security awareness-- that they should patch the system if they haven't, especially if they're traveling.
Sometimes patches are-- there's going to be people that are at varying stages of patching their system.
But again they're taking and leveraging the information that cyber threat intelligence is creating and you're using that as a means to then provide a message to the rest of the organization on 1, security awareness, so if some activity occurs and it's against the type of system, and it could be just a standard Windows laptop of a certain flavor with a certain type of application on it.
That will at least let them know of this activity and they can then take steps to say, OK well, I think something's going on that's really strange here based on the security awareness email that came out, I think that my system was compromised.
And so at least you'll have more people aware and understanding of that.
And then second, is that this allows for a more-- and I think this is important-- security awareness sometimes feels like it's being done using use case examples that are not real world.
And so sometimes what happens is by using real world examples that are tied to CTI, you're actually making it so it becomes more-- it gains an additional level of interest that you can hook people more on it, because it is actual true activity that's occurring.
They're going to pay attention to it more.
And so that could potentially lead to increased awareness in the security awareness program, which obviously is what you want to achieve as part of this effort.
So there's an ancillary benefit as well.
In summary the cyber threat intelligence initiatives within your organization, based on the examples that I was showing you and what I mentioned, can be used to effectively enhance security awareness.
And they can do so in a very concrete way, by providing real world examples of activity which will help your organization, because that means the staff is actually going to be paying attention; I think they would certainly pay attention if it was some type of real world activity that is affecting them.
And so obviously as an ancillary benefit, it would help your security awareness program to have staff be more focused and mindful of the activities that are occurring and what they need to do as a result of any type of potentially nefarious or malicious activity.
It is meant to be proactive and help empower decision making, and not just by the classic IT and IT security staff.
It should be used to empower all levels of the organization, especially this type of security awareness.
And it also can be used to empower staff that are on the ground providing information that can be used by CTI to then get that right type of information to then do the right types of research.
And this can fall into areas like vulnerabilities and phishing and I included web drive-by-- in the past I used web drive-by quite a bit in my activity with clients.
I would choose a restaurant that staff like and I would potentially send an email that looked like that restaurant's website with the menu that had been changed and included some type of dropper, that would then execute persistence and then send its activity back to a system that I had.
And sometimes the clients would say, well how were you able to get in?
And then they see that I mimicked-- one time I did it by mimicking a free raffle for getting tickets to a football game.
And so web drive-bys are important, all of these things are important.
But without having knowledge of them, hard and fast knowledge and letting everybody know about it, you're never going to be able to fully empower your staff without not only just security awareness, but I think giving them security awareness tied with threat intelligence would get them even one step closer.
So with that, are there any questions that anybody had?
Thanks for that great information, Bryan.
Now we're going to be taking some questions from the audience here.
First one we have is, we're new to threat intelligence, where should we start?
Open source feeds or somewhere else?
Yeah, that's a great first question.
So really I think from an organizational standpoint you need to understand, what are your goals and objectives, and your success criteria?
You should try to understand first, why are we doing this?
As an example, a good question to pose the organization is, you ask management, you ask IT staff, and maybe the staff that is tied to cyber threat intelligence, or what we call CTI, what's our primary goals and objectives, and why are we doing this?
Well, a lot of times the focus should be on making better decisions about threats.
And making better decisions about threats has a lot of different outcomes, including extending the life of your tools, so you're augmenting the existing tool base that you have, potentially reducing some of the efforts that your team has.
By having threat intelligence information the team may be able to reduce their decision-- the time that it takes them to make a decision on some activity and how they need to then take any follow-on steps like triaging within the organization.
And then that also leads them to doing things like understanding who consumes intelligence and why.
So why are the teams consuming intelligence?
What's important to them?
By understanding those basic fundamental components then you can identify the types of and sources of data that you need, and why you need those sources of data.
And then finally, that should roll up into some type of what we call prioritized intelligence requirements, which are the requirements that your organization has, and it's a living set of requirements about what things are important to you.
If you're an organization that's in a certain country and you're in the telecom industry or in the oil and gas industry and you have certain types of systems, you want to distill down the things that you're looking at based on, OK, I'm a company in this country, that is in this industry space, and I have these types of systems, which means that you can narrow down the focus of the types of attacks that are occurring against you and how you respond to those.
All right, we have another great question right here, you've made a great case for using CTI for security awareness.
So what are the inhibitors that hold organizations back from deploying CTI effectively, and how do you overcome those obstacles?
Another very good question.
Some of the inhibitors that hold back organizations 1 again it goes back to understanding your goals and really understanding what cyber threat intelligence CTI does for the organization.
I've been at numerous different client sites where their idea of cyber threat intelligence is one where, they're using it essentially as, hey this is a new threat that's coming out today.
Is it valuable?
Is it providing some type of action?
Is it timely to activity that's occurring within my environment?
If it doesn't fall into some of these categories, what you're doing is you end up creating a program that really is somewhat in a vacuum, and so you want to not do that because then CTI becomes less powerful for the organization.
And it really becomes potentially something like spam.
And we've seen that happen and we want to move everybody that we can to using it in the right fashion.
So should it be your raison d'etre for your entire organization?
No.
But should it be a key component of how you tie-in with the rest of the security department and how you are able to affect change?
Absolutely.
And so the inhibitors are one where it's really sort of that drive where you're headed towards, that focus, that's one inhibitor.
And then a couple of other inhibitors are, getting some of the right tools in place to make an impact.
So you want to have tools that will help in this process.
It's an overwhelming amount of data, it's an overwhelming amount of systems that need to be connected, and there needs to be-- cyber threat intelligence is a very collaborative effort.
There's a lot of feedback that comes, somebody creates the data, or enriches the data, you push that down to somewhere else and that other group then has to tell you, was that data valuable to them, did it help?
And you need to have well-defined metrics and key performance indicators around that.
Those are some of the inhibitors and I think just really getting management behind you.
If management isn't fully behind the initiative then it's going to eventually fall flat on its face.
If you don't have the budget, revenue, and staff to actually make threat intelligence something important to your organization-- and by tying it to different things like security awareness, you can show the different, distinct types of value that are both direct and indirect that can be tied to cyber threat intelligence that organizations should be using.
Sometimes they just don't see the forest from the trees and that's why they talk to us and ask us to help them.
All right, this next one we have here is, where do most organizations gather and derive their CTI information from, and do you consider that the best source for the CTI information?
Again another great question from the audience.
A lot of times most organizations see that CTI is derived from external sources.
The classic way threat intelligence works is, somebody sees some activity and identifies indicators of compromise for the activity in Germany.
They then share that information to a large body of other organizations in the world maybe of similar size, similar types, similar industry, or maybe they're just a friendship that's been built based off of people that work in different organizations.
And they share that information, and suddenly you see that you know of that activity before it may get your organization.
One of the big things about threat intelligence is, threat intelligence is helping you identify known knowns, what are known knowns, things that are known and they've been recorded to you and you know about them, as well as unknown knowns.
Another organization has information about something that they've identified that you don't know about yet.
So threat intelligence is there as a means to be able to share that information from different organizations.
There's also the vendors that are doing research and providing this information to everybody else, and that's also helpful as well.
And finally, there's the OSINT, the open source intelligence information, which is just people out there that are trying to help the community by providing information to everybody about activity.
It may come in the form of a blog post or it may come in the form of somebody who has more of a formalized process that they share information to everybody, and maybe some type of standards body like NIST or something, or some organization that they're using, I'm just using NIST as an example.
So there's that process as well.
Now this is where our threat intelligence report people classically see threat intelligence from, these avenues.
Are they the best sources of intelligence?
Maybe, but the actual best source of intelligence, which is what we tell our clients, is-- so you have an organization, you have existing tools, you have existing teams-- some of the best sources of threat intelligence come from within your own organization.
I mean, it should actually-- the way you foster external research is by using internal research from your teams and your environment, to really help you understand, and the requirements that you've built to understand what external research, or what things you should be keying in on.
If your organization as an example, if we look at it from a technical perspective, your organization is running Windows 2012 server.
And you're only a server environment, and then there's an attack that occurs against your industry.
But it's a certain type of attack that's actually focused against some type of Unix or Linux distribution, and you don't have that in your environment.
Do you really care?
Is that really important to your organization?
That's sort of one classic example of how you source-- where you get your best sources.
The other one is feedback from the teams is really important.
So if there's a good feedback mechanism you have staff from your SOC or from incident response that are telling you about activity that they've seen, and that way you can expand on that activity.
You can do what we call indicator expansion, where you're looking at indicators and then you tie that information back into the organization and you see that the information they provide back to me, would that provide greater coverage?
Did that help us move the needle in terms of identifying these threats?
So the best sources really start with your internal organization and marrying that with the corpus of external data as well as the corpus of data that you're housing in a solution.
Because if you have an attack that's already occurred on numerous occasions, if you have some information on that already stored somewhere, and you have a historical body of information that you can use to lean against.
If, for instance, you're a level goes on vacation, somebody can look at that information and see some patterns of activity and say, OK well this is [INAUDIBLE] so these types of actions that can take.
And that's what threat intelligence is for, it's to help alleviate some of those pressures by helping with the decision making process and making and expediting that where possible.
All right this next one we have here is, can you share any recommendations for common tools to use for the management of CTI?
Well, I mean obviously I don't know if you want-- it's a little bit of a softball question because I'm a vendor, so I can say my tools, so our tools.
That's one of the things I would recommend, at least recommending a threat intelligence platform of some kind.
A threat intelligence platform that'll allow you to 1, store information that you're building, manage that information, enrich that information.
When I mean enrich, it's provide additional context around that information.
Does this IP address, this file hash, is it tied to a type of actor?
Building a corpus of information around that, so that you know these are the types of actors that are attacking my environment and know the TTPs potentially that are around them, so that you start moving from being reactive, to then understanding these types of attackers are using these types of techniques, and as a result of that I need to be aware of this, right.
So as a very quick example, recently we've got some clients that have asked us about some type of activity.
We were able to determine certain malware families and we were able to determine potential actors that are tied to those malware families, so that we can let them know about that activity, the TTPs tied around them, and what things they should be looking for.
That means that we've taken them from a reactive position to potentially being proactive and looking for that in their environment before they actually get attacked.
As well as turning all the data that you have, from your existing threat intelligence tools, into the type of data that can be disseminated into your security products 1.
Because that extends the life of your security products.
Good storage of that data is very important.
And then 3, being able to have some way to actually make association.
Tools that allow you to actually associate all this information in a very sort of clear way, so that you can say, OK well these associations make sense because of this and as a result of that these are the things that we should be looking at.
So I mean does that help answer your question?
It certainly does.
Those are some great recommendations Bryan.
Thank you so much for answering all those questions and for providing all that great information during the presentation.
Right now we do want to welcome everyone to visit the virtual expo hall, where you can visit the Anomali booth, you can chat with our sponsors, and network with other attendees as well.
I want to say many thanks to Bryan and Anomali for joining us today and sharing all that great information and of course, thanks to all of you for tuning in.
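Editor's note on the homoglyph and typosquatting point made in the talk (the Greek alpha for a Latin a, and typosquatted domains used to slip phishing mail past controls). The block below is an added example written for this page; it is not Anomali code, not a transcript of anything shown in the webinar, and not a description of any Anomali product. It folds a sender domain down to the ASCII "skeleton" a reader would perceive (decoding punycode labels first, stripping accents, and mapping a constructed subset of the Unicode confusables, including Cyrillic and Greek look-alikes) and then compares that skeleton against a protected domain with an optimal-string-alignment edit distance, so that both confusable-character spoofs and one-keystroke typosquats are flagged. The protected domain `example.com`, the sender list and the confusables table are all constructed for the example.

```python
"""Lookalike-domain triage: flag homoglyph and typosquat variants of a protected domain.

Editor-added example; not Anomali code and not part of the webinar. The
confusables table is a constructed subset of the Unicode confusables data.
"""
import unicodedata

# Constructed subset: characters and the Latin letter they are mistaken for.
CONFUSABLES = {
    "\u0430": "a",  # Cyrillic small a
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0445": "x",  # Cyrillic small ha
    "\u0456": "i",  # Cyrillic small Byelorussian-Ukrainian i
    "\u03b1": "a",  # Greek small alpha (the speaker's example)
    "\u03bf": "o",  # Greek small omicron
    "\u0131": "i",  # Latin dotless i
    "0": "o",       # digit zero read as letter o
    "1": "l",       # digit one read as letter l
}
# Two-character sequences that render as one letter in many fonts.
PAIR_CONFUSABLES = {"rn": "m", "vv": "w"}


def skeleton(domain: str) -> str:
    """Reduce a domain to the ASCII skeleton a human would perceive."""
    if "xn--" in domain:
        # Punycode (IDNA) labels arrive ASCII-encoded; decode to inspect them.
        domain = domain.encode("ascii").decode("idna")
    text = unicodedata.normalize("NFKD", domain.lower())   # split accents off
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = "".join(CONFUSABLES.get(ch, ch) for ch in text)
    for pair, single in PAIR_CONFUSABLES.items():
        text = text.replace(pair, single)
    return text


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: edits plus adjacent transpositions."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)   # transposition
    return d[len(a)][len(b)]


def classify(observed: str, protected: str) -> str:
    """Label an observed sender domain relative to the protected domain."""
    if observed.lower() == protected.lower():
        return "exact"
    distance = osa_distance(skeleton(observed), skeleton(protected))
    if distance == 0:
        return "homoglyph"   # identical once confusables are folded
    if distance == 1:
        return "typosquat"   # one insertion, deletion, substitution or swap away
    return "unrelated"


def triage(observed_domains, protected: str) -> dict:
    """Map each observed domain to its verdict; the input order is kept."""
    return {d: classify(d, protected) for d in observed_domains}


PROTECTED = "example.com"   # assumed protected domain for the example

# Constructed sender domains, as they might be pulled from mail headers.
CYRILLIC_E_SAMPLE = "\u0435xample.com"                              # Cyrillic е
PUNYCODE_SAMPLE = CYRILLIC_E_SAMPLE.encode("idna").decode("ascii")  # xn-- form
SAMPLE_SENDERS = [
    "example.com",
    CYRILLIC_E_SAMPLE,
    PUNYCODE_SAMPLE,
    "exarnple.com",   # r+n reads as m
    "examp1e.com",    # digit one for l
    "exmaple.com",    # transposed letters
    "example.co",     # dropped TLD character
    "unrelated.org",
]

if __name__ == "__main__":
    for domain, verdict in triage(SAMPLE_SENDERS, PROTECTED).items():
        print(f"{verdict:10s} {domain}")
```

Two caveats for real use: the confusables subset above is illustrative, and the full Unicode confusables table (plus the organisation's own list of legitimately registered variants) should drive the mapping; and a distance of one is a noisy threshold for short domains, so the "typosquat" verdict is a triage signal for the CTI team to enrich and confirm, not a block decision on its own.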