Content provided by Nisos, Inc. All podcast content, including episodes, graphics and podcast descriptions, is uploaded and provided directly by Nisos, Inc. or its podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described here https://it.player.fm/legal.

Defining Metrics for Attribution in Cyber Threat Intelligence and Investigations

31:10

In episode 63 of The Cyber5, we are again joined by Sean O’Connor, Head of Global Cyber Threat Intelligence for Equinix.

We discuss attribution in the cyber threat intelligence and investigation space, and what the private sector can learn from public sector intelligence programs. We also discuss different levels of attribution, the outcomes, and the disruption campaigns that are needed to make an impact on cybercriminals around the world. We define the impact of attribution with different stakeholders throughout the business and how the intelligence discipline will likely evolve over the next five to 10 years.

Five Key Takeaways:

1) Lessons For Private Sector Intelligence Teams from Public Sector National Security Apparatus (Intelligence Life Cycle, MITRE ATT&CK, Cyber Kill Chain)

Many cybersecurity best practices and frameworks originate from the US public sector:

  • Intelligence life cycle: Defining priorities and communicating intelligence to stakeholders
  • Lockheed Martin Cyber Kill Chain: Defining broad malicious actions in IT networks
  • MITRE ATT&CK Framework: Identifying more specific malicious movements in IT networks
  • Structured analytical techniques by CIA analysts, such as Richard Kerr.

2) Attribution is Critical in Cybersecurity to Warrant an Action

Attribution to cyber threat actors by industry is still important as a starting point for deriving appropriate controls for the SOC and the CERT within a large organization. How these threats pose a risk of monetary loss is an important element of context when presenting them to business executives. Here are two typical starting points:

  • Review phishing telemetry for common TTPs and create rule-based detections based on phishing infrastructure used by actors.
  • External threat landscape assessment for TTPs, resulting in targeted threat hunts for the most notorious ransomware gangs. Creating custom detections is typically the outcome until the appropriate disruptions can be put in place.
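As an added illustration of the first starting point (rule-based detections keyed on actor infrastructure, each hit carrying the tentative attribution that drives the targeted hunts in the second), here is a small Python detector. It is example code written for this page, not code from the podcast, Nisos or Equinix; the telemetry records, indicator values (TEST-NET addresses and `.example` domains) and the cluster names `CLUSTER-A` / `CLUSTER-B` are all constructed.

```python
"""Rule-based phishing detection keyed on known actor infrastructure.

Added example, not from the podcast. All telemetry, indicators and
cluster labels below are constructed for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed infrastructure indicators, each tagged with a hypothetical actor cluster.
INFRA_DOMAINS = {
    "secure-login-portal.example": "CLUSTER-A",
    "invoice-review.example": "CLUSTER-B",
}
INFRA_NETBLOCKS = {
    ipaddress.ip_network("203.0.113.0/24"): "CLUSTER-A",  # TEST-NET-3, constructed
}


@dataclass
class Detection:
    message_id: str
    rule: str
    indicator: str
    cluster: str


def _domain_of(address: str) -> str:
    """Mailbox domain of an address such as 'user@host.example'."""
    return address.rsplit("@", 1)[-1].lower()


def _match_domain(host: str):
    """Exact or parent-domain match against INFRA_DOMAINS (subdomains count)."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in INFRA_DOMAINS:
            return candidate, INFRA_DOMAINS[candidate]
    return None


def _match_ip(ip: str):
    """Return (netblock, cluster) if the sending IP sits in a known netblock."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    for net, cluster in INFRA_NETBLOCKS.items():
        if addr in net:
            return str(net), cluster
    return None


def evaluate(record: dict) -> list[Detection]:
    """Apply the three infrastructure rules to one telemetry record."""
    found: list[Detection] = []
    mid = record["id"]
    # Rule 1: a URL in the body points at actor-controlled infrastructure.
    for url in record.get("urls", []):
        m = _match_domain(urlparse(url).hostname or "")
        if m:
            found.append(Detection(mid, "url_host_known_infra", m[0], m[1]))
    # Rule 2: the sending IP is inside a known actor netblock.
    m = _match_ip(record.get("sender_ip", ""))
    if m:
        found.append(Detection(mid, "sender_ip_known_netblock", m[0], m[1]))
    # Rule 3: Reply-To diverts replies to a known domain different from From.
    frm = _domain_of(record.get("from", ""))
    rto = _domain_of(record["reply_to"]) if record.get("reply_to") else ""
    if rto and rto != frm:
        m = _match_domain(rto)
        if m:
            found.append(Detection(mid, "reply_to_known_infra", m[0], m[1]))
    return found


def run(records: list[dict]) -> list[Detection]:
    """Evaluate every record and collect all detections."""
    return [d for r in records for d in evaluate(r)]


def hits_per_cluster(dets: list[Detection]) -> dict[str, int]:
    """Tally hits by cluster: which actor's infrastructure is showing up most."""
    counts: dict[str, int] = {}
    for d in dets:
        counts[d.cluster] = counts.get(d.cluster, 0) + 1
    return counts


# Constructed sample telemetry (three messages, one benign).
SAMPLE_TELEMETRY = [
    {"id": "m1", "from": "it-helpdesk@corp.example", "sender_ip": "203.0.113.45",
     "reply_to": None, "urls": ["https://mail.secure-login-portal.example/reset"]},
    {"id": "m2", "from": "billing@vendor.example", "sender_ip": "198.51.100.7",
     "reply_to": "ap@invoice-review.example", "urls": ["https://vendor.example/inv/1"]},
    {"id": "m3", "from": "news@corp.example", "sender_ip": "192.0.2.10",
     "reply_to": None, "urls": ["https://corp.example/newsletter"]},
]

if __name__ == "__main__":
    detections = run(SAMPLE_TELEMETRY)
    for d in detections:
        print(d)
    print(hits_per_cluster(detections))
```

The parent-domain match in `_match_domain` is what lets a single indicator cover the subdomains actors rotate under it; the per-cluster tally is the bridge to the second starting point, since a cluster whose infrastructure keeps surfacing in telemetry is the one worth a targeted hunt.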

3) Disruption Campaigns Happen with Successful Information Sharing

Successful disruption campaigns come from non-public information sharing between vendors, enterprises, and public sector institutions like CISA or the FBI. They typically do not originate from marketing blog posts.

4) Threat Intelligence is a Service-Based Role that Goes Beyond the SOC

Success in cybersecurity (SOC and CERT) means keeping security incidents limited to “events” and ensuring they do not escalate into breaches. This results from multiple stakeholders having the proper visibility to ensure network telemetry is complete, accurate, and truthful. However, because intelligence work is service-based by nature, it goes beyond just the SOC.

5) Threat Intelligence Should be a Floating Team to the Business

Threat intelligence should be a floating team that can operate outside of the SOC and is an asset to the overall business, not just limited to combating cyber threats. Often executives want intelligence on mergers and acquisitions and market entry in a given geopolitical area, and threat analysis needs to be tailored to different customers. A Chief Intelligence Officer may be more widely accepted in the future as the needs of the business expand and diversify.
