Threat intelligence has long existed but is now recognized as a distinct discipline. Tradecraft and technology in threat intelligence are rapidly maturing, along with industry expectations. Choosing how to invest in threat intelligence programs should be driven by business risk, though any organization can be targeted. Providing context increases the value of threat intelligence, and the strongest programs understand the return on investment of sharing intelligence externally.

1. EMBRACING THREAT INTELLIGENCE:
… AND FINDING ROI IN YOUR DECISION
STEVE MANCINI | SENIOR DIRECTOR OF SECURITY
CYLANCE PUBLIC

2. Introduction
New Jersey to Oregon
Scarlet Night / Boilermaker
Support Desk to Security Architect
RAPIER
Police Reserve Specialist
Capture the Flag to ICASI
Founder: Bay Area APT SIG
Cylance – but not a sales guy
Favorites:
• Tempranillo
• Barolo
• Malbec
• Lot No. 1

3. Agenda
Embracing Threat Intelligence
• Clarity
• Expectation
• Adoption
• Recognition
Finding ROI in your Decision
• Beginning
• Scope
• Effort
• Context
• Questions
• Skee Ball
• Value
• Sharing
ENJOY YOUR BREAKFAST; I AM NOT HERE TO SELL YOU ANYTHING

4. EMBRACING THREAT
INTELLIGENCE

5. What are we talking about?
§ Threat Intelligence vs. Threat Data
§ IOAs à IOCs à TTPs
§ Colliding Nomenclatures: Numbers/ Zoos/ Elements!
§ Build vs. Buy: analysis, platforms, integration, sharing
§ People: Who can benefit from it? What skillsets?
§ Process: How do you use it? What Orgs/ Depts/ Programs?
§ Technology: What can you consume, use, create, share?
THREAT INTELLIGENCE
WHEN YOU GET PAST THE HYPE,
TRADECRAFT AND TECHNOLOGY ARE MATURING RAPIDLY

6. GROWING COMMUNITY SUPPORT
63% 51% 48% 56%
64% 75% 76%
CTI Improves Visibility
Into Attacks
Faster More Accurate
Detection/ Response
Reduction in
Incidents
Use Vendor Feeds to
Augment CTI Program
Feel CTI is Important
to Security
Have Dedicated Resources
to a CTI Program
Actively Gather
Threat Intelligence
COMPELLING RESULTS
DRIVE INDUSTRY EXPECTATIONS
Source: https://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767

7. § NIST CSF
§ NIST 800-53
§ NIST 800-39
§ PCI-DSS 3.0
§ Shared Assessment (SIG)
§ Shared Assessment (AUP)
§ SOC 2
§ BSIMM
§ C2M2
§ NIST 800-150
INDUSTRY STANDARDS
CTI WILL BECOME AN EXPECTED CONTROL
IN MORE STANDARDS OVER TIME
“… if the company had
acted faster. ...”

8. THREAT INTELLIGENCE HAS ALWAYS BEEN PRESENT
JUST NOT RECOGNIZED AS A STAND ALONE DISCIPLINE
Example: NIST SP 800-39
Assess
Frame
RespondMonitor
Frame Establishes Context &
Strategy
Sources & Methods for
Acquiring CTI
Assess Analysis & Determination
of Risk
CTI Delivers Relevance
for Threats/ Vulns.
Respond Evaluation/ Implement
Course(s) of Action
CTI TTPs can Focus
Evaluation/ Efficacy
Monitor Verifying Implementation,
Measuring Effectiveness
CTI Monitors External
Factors Affecting
Effectiveness

9. FINDING ROI IN YOUR
DECISION

10. • Establish information-sharing goals and objectives that
support business processes and security policies.
• Identify existing internal sources of cyber threat information.
• Specify the scope of information-sharing activities.
• Establish information-sharing rules.
• Join and participate in information-sharing efforts.
• Actively seek to enrich indicators by providing additional
context, corrections, or suggested improvements.
• Use secure, automated workflows to publish, consume,
analyze, and act upon cyber threat information.
• Proactively establish cyber threat-sharing agreements.
• Protect the security and privacy of sensitive information.
• Provide ongoing support for information-sharing activities.
STARTING YOUR OWN PROGRAM
NIST 800-150

11. § Identify your TI Champion/ Owner/ Support
§ Inventory your Environment: What can you benefit from?
What can you potentially share? Your SNC?
§ Conceptual Architecture: Integrate & Automate
§ Gain Management (and Legal!) Support
§ Baseline the Efficacy (Metrics) of Existing Controls.
§ Select your Sources: OSINT, Vendors, Peers
§ Onboard Sources
§ Respond/ Refine/ Resource
STARTING YOUR OWN PROGRAM (2)
MOST PROGRAMS ARE A PROCESS OF EVOLUTION;
MOST OUT OF THE BOX SOLUTIONS ARE TOOL CENTRIC

12. § RSA (2011)
§ Bit 9 (2013)
§ Sony (2014)
§ Dark Hotel (2014)
§ Lightspeed
§ Kaspersky
§ Target : Fazio
§ Oracle
§ O2 : Xsplit
YOU CAN BE A TARGET BECAUSE:
• YOU HAVE ACCESS
• YOU HAVE INFORMATION
• PEOPLE REUSE PASSWORDS
SCOPE: YOUR ATTACK SURFACE

13. ABSENT INDUSTRY STANDARDS CHOSING HOW
TO INVEST IS DRIVEN BY BUSINESS RISK
Assess Your Efforts Over Time
Return
Effort
Heroic Ad hoc. Most often this is only Open Source Int.
Results: Context is often lost
Managed Information is collected & managed
Result: Initial skills in tradecraft established
Defined Consistent ways of working defined/ maintained
Results: Emergence of Defensive TTPs
Measured Process becomes a management tool
Results: Mature understanding of CTI forming
Improved Process is at heart of organization
Results: CTI delivers value across orgs.

14. CTI Contribution to Risk / Friction Reduction
Risk
Cost
Automated Manual
Respond
Detect
Prevent
Semi-
Automated
Minimize Vulnerability
Minimize Impact
Source: Managing Risk and Information Security 2nd edition Malcolm Harkins
How you Use CTI
Strategic
Consume / Use Create Strategy
Operational
MATURING CTI CAN REDUCE FRICTION
AND CONSEQUENCE COSTS

15. Context Drives Value
Strategic
Tactical
Operational
§ Training
§ WarGames
§ Strategic Decision Making
§ Risk Assessments
§ Threat Models
§ 3rd Party/ Supply Network Chain
§ Detection
§ Incident Response
§ Forensics

16. Priority Intelligence Requirements
Strategic
Tactical
Operational
Situational Awareness:
§ Am I affected?
§ Are my vendors affected?
Predictive Threat Assessment:
§ Am I Next?
§ Skeeball Heat Map
Controls Assessment:
§ Would I have been affected?

17. APPLY CONTEXT TO OPEN SOURCE THREAT
INTELLIGENCE INCREASES ITS VALUE
THREAT REPORTS & SKEEBALL
Analyzing Published Threat Reports:
50: Realized Risk
40: Supply Network Chain
30: Strategic Partners
20: Same Industry
10: Regional/ Socio-Political
0: “Minority Report”

18. VALIDATING YOUR INVESTMENT
??? ??? ??? ???
??? ??? ???
Faster Understanding
of Attack/ Risk
Faster More Accurate
Detection/ Response?
Reduction in
Incidents
More Value from Threat
Feeds & Vendors?
Management Sentiment
Toward CTI
CTI Program Contributes
to Business Goals?
Thought Leadership
in your Vertical?
MEASURED SUCCESS VALIDATES
INVESTMENT DECISION
Source: https://www.sans.org/reading-room/whitepapers/analyst/cyberthreat-intelligence-how-35767

19. • You are not Alone; Unless You Chose to Be
• A Policy of Isolation & Silence Works Against You
• Breaking Silence: Google & Aurora
• Disrupt, Deny, Degrade, Destroy, or Deceive
• Built on Trust, not Documentation or NDA’s
• Quid Pro Quo
• Valued Partner vs. Lurking Leech
”First they came…”
Martin Niemöller
Ultimate Stage of Maturity
THE STRONGEST MOST EFFECTIVE PROGRAMS
UNDERSTAND THE ROI OF SHARING EXTERNAL TO
THEIR COMPANY/ ORGANIZATION.

20. Summary
THREAT INTELLIGENCE HAS ALWAYS BEEN PRESENT; JUST NOT
RECOGNIZED AS A STAND ALONE DISCIPLINE
TRADECRAFT AND TECHNOLOGY ARE MATURING RAPIDLY; SO IS HYPE
CHOSING HOW TO INVEST SHOULD DRIVEN BY BUSINESS RISK; BUT …
YOU CAN BE A TARGET BECAUSE YOU HAVE ACCESS & INFORMATION
COMPELLING RESULTS DRIVE INDUSTRY EXPECTATIONS FOR ADOPTION
CTI WILL BECOME AN EXPECTED CONTROL IN MORE STANDARDS OVER
TIME
CONTEXT INCREASES THREAT INTELLIGENCE VALUE
THE STRONGEST MOST EFFECTIVE PROGRAMS UNDERSTAND THE ROI OF
SHARING EXTERNAL TO THEIR COMPANY/ ORGANIZATION.

21. QUESTIONS
-------------
Threat
Intelligence